Overview
It is possible to link your datajar.mobi / Jamf Service Provider Plan instance to your Microsoft Entra ID over SSO. This allows SSO user authentication during enrolment using Enrolment Customisation (macOS 10.15+) and the Self Service app, as well as assignment of devices and integrations into Apple School/Business Manager.
Using SSO during enrolment allows you to require your users to use MFA when they authenticate.
Requirements / Dependencies
A Directory Services connection to Azure AD is strongly recommended to work alongside the SSO integration. Please ensure the steps in the following article are completed beforehand: Connecting datajar.mobi to Entra ID as a Cloud Identity Provider
Technical Details
- Follow the steps in the following article, up to but not including "Configure SSO in Jamf Pro": https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial
- A dataJAR engineer will provide you with the "Identifier" and "Reply" URLs.
- Please provide the "App Federation Metadata" URL to the engineer.
- Ensure the Jamf Pro Entra ID app is assigned to the users/groups who will be using Macs in your environment.
- (Entra ID only environments or Hybrid AD environments where short usernames match the prefix of their Entra ID User Principal Name) Add a claim to the Jamf Pro Entra ID app to provide the "mailNickName" attribute (see Customize SAML token claims - Microsoft Entra for more information)
- (Hybrid AD environments where AD usernames are different from the local part of their Entra ID usernames/User Principal Names) Add a claim to the Jamf Pro Entra ID app to provide the "onPremisesSamAccountName" attribute (see Customize SAML token claims - Microsoft Entra for more information)
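To confirm that the claim chosen in the last two steps is actually emitted, the following added example (not dataJAR's or Microsoft's code) inspects a SAML assertion from a test sign-in. It assumes the NameID carries the User Principal Name and that the claim's Name equals the attribute name; the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant). The claim
# Name values are assumptions; use the names configured on your Entra ID app.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="onPremisesSamAccountName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_username_claim(assertion_xml, claim_name):
    """Report whether claim_name is present and whether it equals the UPN prefix.

    Inspection only: no signature or condition validation is performed, so
    run it on assertions captured from your own test sign-ins.
    """
    root = ET.fromstring(assertion_xml)
    # Assumption: NameID holds the User Principal Name.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    upn_prefix = name_id.strip().split("@", 1)[0].lower()
    values = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").lower() == claim_name.lower():
            values = [(v.text or "").strip()
                      for v in attr.iterfind("saml:AttributeValue", NS)]
    values = [v for v in values if v]  # an empty value counts as missing
    return {
        "claim": claim_name,
        "present": bool(values),
        "value": values[0] if values else None,
        "upn_prefix": upn_prefix,
        "matches_upn_prefix": bool(values) and values[0].lower() == upn_prefix,
    }


if __name__ == "__main__":
    for claim in ("mailNickName", "onPremisesSamAccountName"):
        print(check_username_claim(SAMPLE_ASSERTION, claim))
```

A result with "present" false means the claim was not added to the app or the user has no value for the source attribute.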
Need further support?
Automate. Simplify. Succeed. If you still require assistance from us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.