Tutorial: Azure Active Directory SSO integration with Jamf Pro

In this tutorial, you'll learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate Jamf Pro with Azure AD, you can:

  • Use Azure AD to control who has access to Jamf Pro.
  • Automatically sign in your users to Jamf Pro with their Azure AD accounts.
  • Manage your accounts in one central location: the Azure portal.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • A Jamf Pro subscription that's single sign-on (SSO) enabled.

Scenario description

In this tutorial, you configure and test Azure AD SSO in a test environment.

  • Jamf Pro supports SP-initiated and IdP-initiated SSO.

To configure the integration of Jamf Pro into Azure AD, you need to add Jamf Pro from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal by using either a work or school account or your personal Microsoft account.
  2. In the left pane, select the Azure Active Directory service.
  3. Go to Enterprise Applications, and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, enter Jamf Pro in the search box.
  6. Select Jamf Pro from results panel, and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test SSO in Azure AD for Jamf Pro

Configure and test Azure AD SSO with Jamf Pro by using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Jamf Pro.

In this section, you configure and test Azure AD SSO with Jamf Pro.

  1. Configure SSO in Azure AD so that your users can use this feature.
    1. Create an Azure AD test user to test Azure AD SSO with the B.Simon account.
    2. Assign the Azure AD test user so that B.Simon can use SSO in Azure AD.
  2. Configure SSO in Jamf Pro to configure the SSO settings on the application side.
    1. Create a Jamf Pro test user to have a counterpart of B.Simon in Jamf Pro that's linked to the Azure AD representation of the user.
  3. Test the SSO configuration to verify that the configuration works.

Configure SSO in Azure AD

In this section, you enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Jamf Pro application integration page, find the Manage section and select Single Sign-On.

  2. On the Select a Single Sign-On Method page, select SAML.

  3. On the Set up Single Sign-On with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.

    Edit the Basic SAML Configuration page.

  4. On the Basic SAML Configuration section, if you want to configure the application in IdP-initiated mode, enter the values for the following fields:

    a. In the Identifier text box, enter a URL that uses the following formula: https://<subdomain>.jamfcloud.com/saml/metadata

    b. In the Reply URL text box, enter a URL that uses the following formula: https://<subdomain>.jamfcloud.com/saml/SSO

  5. Select Set additional URLs. If you want to configure the application in SP-initiated mode, in the Sign-on URL text box, enter a URL that uses the following formula: https://<subdomain>.jamfcloud.com

    Note

    These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. You'll get the actual identifier value from the Single Sign-On section in Jamf Pro portal, which is explained later in the tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as your sign-on URL and reply URL. You can also refer to the formulas shown in the Basic SAML Configuration section in the Azure portal.

  6. On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section, select the copy button to copy App Federation Metadata URL, and then save it to your computer.

    The SAML Signing Certificate download link

Create an Azure AD test user

In this section, you create a test user in the Azure portal called B.Simon.

  1. In the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter [name]@[companydomain].[extension]. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Select Create.

Assign the Azure AD test user

In this section, you grant B.Simon access to Jamf Pro.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Jamf Pro.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog box.
  5. In the Users and groups dialog box, select B.Simon from the Users list, and then select the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
  7. In the Add Assignment dialog box, select the Assign button.

Configure SSO in Jamf Pro

  1. To automate the configuration within Jamf Pro, install the My Apps Secure Sign-in browser extension by selecting Install the extension.

    My Apps Secure Sign-in browser extension page

  2. After adding the extension to the browser, select Set up Jamf Pro. When the Jamf Pro application opens, provide the administrator credentials to sign in. The browser extension will automatically configure the application and automate steps 3 through 7.

    Setup configuration page in Jamf Pro

  3. To set up Jamf Pro manually, open a new web browser window and sign in to your Jamf Pro company site as an administrator. Then, take the following steps.

  4. Select the Settings icon from the upper-right corner of the page.

    Select the settings icon in Jamf Pro

  5. Select Single Sign-On.

    Select Single Sign-On in Jamf Pro

  6. On the Single Sign-On page, take the following steps.

    The Single Sign-On page in Jamf Pro

    a. Select Edit.

    b. Select the Enable Single Sign-On Authentication check box.

    c. Select Azure as an option from the Identity Provider drop-down menu.

    d. Copy the ENTITY ID value and paste it into the Identifier (Entity ID) field in the Basic SAML Configuration section in the Azure portal.

    Note

    Use the value in the <SUBDOMAIN> field to complete the sign-on URL and reply URL in the Basic SAML Configuration section in the Azure portal.

    e. Select Metadata URL from the Identity Provider Metadata Source drop-down menu. In the field that appears, paste the App Federation Metadata Url value that you've copied from the Azure portal.

    f. (Optional) Edit the token expiration value or select "Disable SAML token expiration".

  7. On the same page, scroll down to the User Mapping section. Then, take the following steps.

    The User Mapping section of the Single Sign-On page in Jamf Pro.

    a. Select the NameID option for Identity Provider User Mapping. By default, this option is set to NameID, but you can define a custom attribute.

    b. Select Email for Jamf Pro User Mapping. Jamf Pro maps SAML attributes sent by the IdP first by users and then by groups. When a user tries to access Jamf Pro, Jamf Pro gets information about the user from the Identity Provider and matches it against all Jamf Pro user accounts. If the incoming user account isn't found, then Jamf Pro attempts to match it by group name.

    c. Paste the value http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in the IDENTITY PROVIDER GROUP ATTRIBUTE NAME field.

    d. On the same page, scroll down to the Security section and select Allow users to bypass the Single Sign-On authentication. As a result, users won't be redirected to the Identity Provider sign-in page for authentication and can sign in to Jamf Pro directly instead. When a user tries to access Jamf Pro via the Identity Provider, IdP-initiated SSO authentication and authorization occurs.

    e. Select Save.

Create a Jamf Pro test user

In order for Azure AD users to sign in to Jamf Pro, they must be provisioned in to Jamf Pro. Provisioning in Jamf Pro is a manual task.

To provision a user account, take the following steps:

  1. Sign in to your Jamf Pro company site as an administrator.

  2. Select the Settings icon in the upper-right corner of the page.

    The settings icon in Jamf Pro

  3. Select Jamf Pro User Accounts & Groups.

    The Jamf Pro User Accounts & Groups icon in Jamf Pro settings

  4. Select New.

    Jamf Pro User Accounts & Groups system settings page

  5. Select Create Standard Account.

    The Create Standard Account option in the Jamf Pro User Accounts & Groups page

  6. On the New Account dialog box, perform the following steps:

    New account setup options in Jamf Pro system settings

    a. In the USERNAME field, enter Britta Simon, the full name of the test user.

    b. Select the options for ACCESS LEVEL, PRIVILEGE SET, and ACCESS STATUS that are in accordance with your organization.

    c. In the FULL NAME field, enter Britta Simon.

    d. In the EMAIL ADDRESS field, enter the email address of Britta Simon's account.

    e. In the PASSWORD field, enter the user's password.

    f. In the VERIFY PASSWORD field, enter the user's password again.

    g. Select Save.

Test the SSO configuration

In this section, you test your Azure AD single sign-on configuration with following options.

SP initiated:

  • Click on Test this application in Azure portal. This will redirect to Jamf Pro Sign on URL where you can initiate the login flow.

  • Go to Jamf Pro Sign-on URL directly and initiate the login flow from there.

IDP initiated:

  • Click on Test this application in Azure portal and you should be automatically signed in to the Jamf Pro for which you set up the SSO

You can also use Microsoft My Apps to test the application in any mode. When you click the Jamf Pro tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Jamf Pro for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Jamf Pro you can enforce Session Control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session Control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.