Hello all!

A brand new kid in town: Jamf Unlock!


Jamf Unlock is a mobile device app that enables a user to unlock their Mac with a mobile device without using a password. With Jamf Unlock, users complete a setup process to create or generate identity credentials (certificates) on their device, which are then used to pair and establish trust with a Mac. Once the setup is complete, users can simply use the app as an alternative authentication method in the following scenarios:

– Unlocking a Mac

– Prompts to change settings in System Preferences

– Commands executed with root privileges with the sudo command

IT administrators can use Jamf Pro to configure authentication settings via managed app configuration, and deploy the app to users in their organisation.

Let’s test it out!

I’ll assume that you already have Jamf Connect (Login) configured in a basic setup. If not, I highly recommend doing so before trying to deploy and test Jamf Unlock. The Jamf Connect family of tools and features is really great in my opinion, but the configuration can sometimes be a bit overwhelming if you set it up for the first time. Both the configuration of the config profile / plist and the IdP side of things require a very precise config. Initially adding too many features, including Jamf Unlock, can make things unnecessarily complicated to troubleshoot. Basics first!

That said, I started with a working setup for both Jamf Connect Login 2.x and the Jamf Connect Menu Bar App, and the first thing to do to deploy and configure Jamf Unlock was to add the additional redirect URI in my existing Azure app: jamfunlock://callback/auth

Next, I created the additional configuration profile to enable Jamf Unlock in the menu bar app. I didn’t add the keys to my existing menu bar config profile, to have more flexibility in disabling it when needed:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

The preference domain for this profile is also com.jamf.connect, like our regular Menu Bar App plist. Like I said, I preferred to use a separate plist to enable Jamf Unlock, but if you want, you can add this key to your existing JC profile:

That’s all for enabling Jamf Unlock in the Menu Bar app! What do we need next?

  • Deploy Jamf Connect 2.4
  • Configure and deploy the iOS Jamf Unlock app

Deploying Jamf Connect 2.4 (which includes the Jamf Unlock feature) is nothing more than uploading the new version to your distribution point and updating it via a policy, or manually installing it for testing.

The iOS Jamf Unlock app needs to be installed via MDM with app configuration: https://docs.jamf.com/jamf-connect/documentation/Configuring_and_Deploying_Jamf_Apps.html

In Jamf Pro I had my Jamf Unlock app added because I added some licenses via VPP in Apple Business Manager, and the only thing left to configure the whole setup was to choose the deployment type (install automatically in my case) and set up the app configuration. Other settings are as you want/need, but the app needs to be deployed via MDM and include app configuration:

For the app configuration you basically only need the dictionary below, but in the above screenshot I added my tenant ID as well because I was troubleshooting some tenant issues. You usually would not need this, unless you have more tenants in use in your environment.

For com.jamf.config.idp.oidc.client-id you need to put the app ID of the Jamf Connect OIDC app you have configured in Azure, just like you have it in Jamf Connect Login and Menu Bar.
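A pre-deployment check that the same Azure app ID is used in all three places, as an added example that is not part of the original post or Jamf's tooling. Only com.jamf.config.idp.oidc.client-id comes from this page; the Login key OIDCClientID and the menu bar key IdPSettings/ClientID are assumptions about the existing Jamf Connect profiles, and all IDs are constructed sample values.

```python
import plistlib
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
UNLOCK_KEY = "com.jamf.config.idp.oidc.client-id"  # key named in the post


def parse_dict(body: str) -> dict:
    """Wrap a plist <dict> body in an envelope and parse it."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<plist version="1.0"><dict>{body}</dict></plist>')
    return plistlib.loads(doc.encode())


def check_client_ids(unlock_cfg: dict, login_cfg: dict, menubar_cfg: dict) -> list:
    """Return findings; an empty list means all three configs agree."""
    ids = {
        "unlock app config": unlock_cfg.get(UNLOCK_KEY),
        # Assumed key names for the Login and menu bar profiles:
        "login profile": login_cfg.get("OIDCClientID"),
        "menu bar profile": menubar_cfg.get("IdPSettings", {}).get("ClientID"),
    }
    findings = []
    for name, value in ids.items():
        if not value:
            findings.append(f"{name}: client ID missing")
        elif not GUID.match(str(value)):
            findings.append(f"{name}: client ID is not a GUID: {value!r}")
    distinct = sorted({str(v).lower() for v in ids.values() if v})
    if len(distinct) > 1:
        findings.append("client IDs differ: " + ", ".join(distinct))
    return findings


# Constructed sample values, not real tenant or app IDs.
APP_ID = "11111111-2222-3333-4444-555555555555"
STALE_ID = "99999999-2222-3333-4444-555555555555"
UNLOCK = parse_dict(f"<key>{UNLOCK_KEY}</key><string>{APP_ID}</string>")
LOGIN = parse_dict(f"<key>OIDCClientID</key><string>{APP_ID}</string>")
MENUBAR = parse_dict("<key>IdPSettings</key><dict><key>ClientID</key>"
                     f"<string>{APP_ID}</string></dict>")
MENUBAR_STALE = parse_dict("<key>IdPSettings</key><dict><key>ClientID</key>"
                           f"<string>{STALE_ID}</string></dict>")

if __name__ == "__main__":
    for finding in check_client_ids(UNLOCK, LOGIN, MENUBAR_STALE) or ["ok"]:
        print(finding)
```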

Note: By default this setup configures the Unlock functionality in a PIN-less way. This means unlocking or authenticating on the Mac will only require the iOS app to be opened and use either FaceID or the iOS passcode to grant access.

At the time of writing the documentation states that "Require PIN Authentication" defaults to true, but it actually defaults to false. I'm going to get that corrected. More about this below.

If you want to enforce FaceID to be used, the following key can be added to the app config:


So far for the setup! Let’s test!

After all of the above I have the iOS app on my test device:

And Jamf Connect Menu Bar with Unlock functionality added:

The last part of the integration is to enable the Unlock functionality by pairing the iOS device.

The first thing to do is to click on ‘pair new device’, after which you’ll be presented with a QR code you need to scan with the iOS app:

At this point you need to go through the process of scanning the QR code and following the steps in the iOS app. You’ll get some popups asking for access to network, camera, Bluetooth, etc. Those need to be granted for the pairing to work! Additionally, FaceID can be used as well. This is however only to authenticate into the iOS app instead of using the iPhone passcode.