Tutorial: Azure Active Directory SSO integration with Jamf Pro
In this tutorial, you'll learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate Jamf Pro with Azure AD, you can:
- Use Azure AD to control who has access to Jamf Pro.
- Automatically sign in your users to Jamf Pro with their Azure AD accounts.
- Manage your accounts in one central location: the Azure portal.
To get started, you need the following items:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- A Jamf Pro subscription that's single sign-on (SSO) enabled.
In this tutorial, you configure and test Azure AD SSO in a test environment.
- Jamf Pro supports SP-initiated and IdP-initiated SSO.
Add Jamf Pro from the gallery
To configure the integration of Jamf Pro into Azure AD, you need to add Jamf Pro from the gallery to your list of managed SaaS apps.
- Sign in to the Azure portal by using either a work or school account or your personal Microsoft account.
- In the left pane, select the Azure Active Directory service.
- Go to Enterprise Applications, and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, enter Jamf Pro in the search box.
- Select Jamf Pro from results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
Configure and test SSO in Azure AD for Jamf Pro
Configure and test Azure AD SSO with Jamf Pro by using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Jamf Pro.
In this section, you configure and test Azure AD SSO with Jamf Pro.
- Configure SSO in Azure AD so that your users can use this feature.
- Configure SSO in Jamf Pro to configure the SSO settings on the application side.
- Create a Jamf Pro test user to have a counterpart of B.Simon in Jamf Pro that's linked to the Azure AD representation of the user.
- Test the SSO configuration to verify that the configuration works.
Configure SSO in Azure AD
In this section, you enable Azure AD SSO in the Azure portal.
In the Azure portal, on the Jamf Pro application integration page, find the Manage section and select Single Sign-On.
On the Select a Single Sign-On Method page, select SAML.
On the Set up Single Sign-On with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, if you want to configure the application in IdP-initiated mode, enter the values for the following fields:
a. In the Identifier text box, enter a URL that uses the following formula:
b. In the Reply URL text box, enter a URL that uses the following formula:
Select Set additional URLs. If you want to configure the application in SP-initiated mode, in the Sign-on URL text box, enter a URL that uses the following formula:
These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. You'll get the actual identifier value from the Single Sign-On section in Jamf Pro portal, which is explained later in the tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as your sign-on URL and reply URL. You can also refer to the formulas shown in the Basic SAML Configuration section in the Azure portal.
On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section, select the copy button to copy App Federation Metadata URL, and then save it to your computer.
Create an Azure AD test user
In this section, you create a test user in the Azure portal called B.Simon.
- In the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, follow these steps:
- In the Name field, enter
- In the User name field, enter [name]@[companydomain].[extension]. For example,
- Select the Show password check box, and then write down the value that's displayed in the Password box.
- Select Create.
- In the Name field, enter
Assign the Azure AD test user
In this section, you grant B.Simon access to Jamf Pro.
- In the Azure portal, select Enterprise Applications, and then select All applications.
- In the applications list, select Jamf Pro.
- In the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog box.
- In the Users and groups dialog box, select B.Simon from the Users list, and then select the Select button at the bottom of the screen.
- If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
- In the Add Assignment dialog box, select the Assign button.
Configure SSO in Jamf Pro
To automate the configuration within Jamf Pro, install the My Apps Secure Sign-in browser extension by selecting Install the extension.
After adding the extension to the browser, select Set up Jamf Pro. When the Jamf Pro application opens, provide the administrator credentials to sign in. The browser extension will automatically configure the application and automate steps 3 through 7.
To set up Jamf Pro manually, open a new web browser window and sign in to your Jamf Pro company site as an administrator. Then, take the following steps.
Select the Settings icon from the upper-right corner of the page.
Select Single Sign-On.
On the Single Sign-On page, take the following steps.
a. Select Edit.
b. Select the Enable Single Sign-On Authentication check box.
c. Select Azure as an option from the Identity Provider drop-down menu.
d. Copy the ENTITY ID value and paste it into the Identifier (Entity ID) field in the Basic SAML Configuration section in the Azure portal.
Use the value in the
<SUBDOMAIN>field to complete the sign-on URL and reply URL in the Basic SAML Configuration section in the Azure portal.
e. Select Metadata URL from the Identity Provider Metadata Source drop-down menu. In the field that appears, paste the App Federation Metadata Url value that you've copied from the Azure portal.
f. (Optional) Edit the token expiration value or select "Disable SAML token expiration".
On the same page, scroll down to the User Mapping section. Then, take the following steps.
a. Select the NameID option for Identity Provider User Mapping. By default, this option is set to NameID, but you can define a custom attribute.
b. Select Email for Jamf Pro User Mapping. Jamf Pro maps SAML attributes sent by the IdP first by users and then by groups. When a user tries to access Jamf Pro, Jamf Pro gets information about the user from the Identity Provider and matches it against all Jamf Pro user accounts. If the incoming user account isn't found, then Jamf Pro attempts to match it by group name.
c. Paste the value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsin the IDENTITY PROVIDER GROUP ATTRIBUTE NAME field.
d. On the same page, scroll down to the Security section and select Allow users to bypass the Single Sign-On authentication. As a result, users won't be redirected to the Identity Provider sign-in page for authentication and can sign in to Jamf Pro directly instead. When a user tries to access Jamf Pro via the Identity Provider, IdP-initiated SSO authentication and authorization occurs.
e. Select Save.
Create a Jamf Pro test user
In order for Azure AD users to sign in to Jamf Pro, they must be provisioned in to Jamf Pro. Provisioning in Jamf Pro is a manual task.
To provision a user account, take the following steps:
Sign in to your Jamf Pro company site as an administrator.
Select the Settings icon in the upper-right corner of the page.
Select Jamf Pro User Accounts & Groups.
Select Create Standard Account.
On the New Account dialog box, perform the following steps:
a. In the USERNAME field, enter
Britta Simon, the full name of the test user.
b. Select the options for ACCESS LEVEL, PRIVILEGE SET, and ACCESS STATUS that are in accordance with your organization.
c. In the FULL NAME field, enter
d. In the EMAIL ADDRESS field, enter the email address of Britta Simon's account.
e. In the PASSWORD field, enter the user's password.
f. In the VERIFY PASSWORD field, enter the user's password again.
g. Select Save.
Test the SSO configuration
In this section, you test your Azure AD single sign-on configuration with following options.
Click on Test this application in Azure portal. This will redirect to Jamf Pro Sign on URL where you can initiate the login flow.
Go to Jamf Pro Sign-on URL directly and initiate the login flow from there.
- Click on Test this application in Azure portal and you should be automatically signed in to the Jamf Pro for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Jamf Pro tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Jamf Pro for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.
Once you configure Jamf Pro you can enforce Session Control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session Control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.