It is possible to link your Jamf Pro / datajar.mobi instance to your Azure AD over SSO. This allows SSO user authentication during enrolment using Enrolment Customisation (macOS 10.15+) and the Self Service app, as well as assignment of devices and integrations into Apple School/Business Manager.
Using SSO during enrolment allows you to require your users to use MFA when they authenticate.
Requirements / Dependencies
An LDAP/S connection to Azure AD is required to work alongside the SSO integration. Please ensure the steps in the following article are completed beforehand: Requirements for connecting Jamf Pro to Azure AD over LDAPS
Technical Details
- Follow the steps in the following article, up to but not including "Configure SSO in Jamf Pro":
- A dataJAR engineer will provide you with the "Identifier" and "Reply" URLs.
- Please provide the "App Federation Metadata" URL to the engineer.
- Ensure the Jamf Pro Azure app is assigned to the users/groups for those people who will be using Macs in your environment.
- Add an application-specific claim to the Jamf Pro app to create a custom attribute that will provide the user's shortname. This will be used by Jamf Pro to look up additional attributes over LDAP/S:
  - Follow the steps in the following article, but use the details below: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#adding-application-specific-claims
  - Claim name: sAMAccountName
  - Claim Source: Transformation
  - Transformation: ExtractMailPrefix()
  - Parameter 1: user.userprincipalname
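To make the claim mapping above concrete, here is an added Python model of what the configuration produces and how the resulting value is consumed. It is example code written for this article, not Jamf Pro's or dataJAR's own code, and it assumes three things: that ExtractMailPrefix() simply returns the part of the UPN before the first "@" (the behaviour Microsoft documents; how it treats a value with no "@" is an assumption here), that Jamf Pro keys its LDAP/S lookup on the sAMAccountName attribute, and that the directory filter shape shown is representative rather than Jamf's actual query. The sample UPNs and the plausibility check are constructed for the example.

```python
"""Model of the Azure AD application-specific claim described above (constructed example)."""
from xml.sax.saxutils import escape as xml_escape

# Claim name configured in the article; Jamf Pro reads this value from the SAML
# assertion and uses it as the shortname for its LDAP/S lookup.
CLAIM_NAME = "sAMAccountName"
CLAIM_SOURCE_ATTRIBUTE = "user.userprincipalname"

# Characters Active Directory does not allow in a sAMAccountName. Used only by the
# plausibility check below (a hypothetical pre-flight check, not a Jamf feature).
SAM_INVALID_CHARS = set('"/\\[]:;|=,+*?<>')


def extract_mail_prefix(upn: str) -> str:
    """Emulate Azure AD's ExtractMailPrefix(): everything before the first '@'.

    A value with no '@' is returned unchanged; that behaviour is an assumption of
    this model, since the transformation is only documented for mail-shaped input.
    """
    return upn.split("@", 1)[0]


def build_saml_attribute(upn: str) -> str:
    """Render the <saml:Attribute> element that would carry the custom claim."""
    value = extract_mail_prefix(upn)
    return (
        f'<saml:Attribute Name="{CLAIM_NAME}">'
        f"<saml:AttributeValue>{xml_escape(value)}</saml:AttributeValue>"
        "</saml:Attribute>"
    )


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a claim value can never change the meaning of a search filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def ldap_lookup_filter(shortname: str) -> str:
    """Illustrative filter a directory lookup keyed on the shortname would use (not Jamf's query)."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_filter_escape(shortname)}))"


def shortname_is_plausible_sam(shortname: str) -> bool:
    """Hypothetical check: can this UPN prefix match an on-premises sAMAccountName at all?

    sAMAccountName is at most 20 characters and excludes the characters in
    SAM_INVALID_CHARS. A prefix failing this check would never resolve over LDAP/S,
    so the user's enrolment would fail to pick up additional attributes.
    """
    return 0 < len(shortname) <= 20 and not (set(shortname) & SAM_INVALID_CHARS)


if __name__ == "__main__":
    # Constructed sample UPNs: one normal account and one whose prefix cannot be a sAMAccountName.
    for upn in ("alice.smith@contoso.com", "alice/smith@contoso.com"):
        shortname = extract_mail_prefix(upn)
        print(build_saml_attribute(upn))
        print(ldap_lookup_filter(shortname))
        print("plausible sAMAccountName:", shortname_is_plausible_sam(shortname))
```

The point of the escaping step is that the shortname arrives from an identity provider as an arbitrary string; if it were concatenated into a filter unescaped, a value containing `*` or `)` could widen or break the lookup. Running the check against the UPNs of the users assigned to the app is a quick way to confirm that the prefix actually corresponds to their on-premises account name before relying on it during enrolment.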