Hello all!
A brand new child on the town: Jamf Liberate!
https://doctors.jamf.com/jamf-connect/documentation/Jamf_Unlock.html
Jamf Liberate is a cell instrument app that permits a consumer to free up their Mac with a cell instrument with out the usage of a password. With Jamf Liberate, customers whole a setup procedure to create or generate identification credentials(certificates) on their instrument, which is then used to pair and identify consider with a Mac. As soon as the setup is whole, customers can simply use the app as an alternative authentication way within the following situations:
– Unlocking a Mac
– Activates to modify settings in Device Personal tastes
– Instructions completed with root privileges with the
sudo
commandIT directors can use Jamf Professional to configure authentication settings by the use of controlled app configuration, and deploy the app to customers of their organisation.
Let’s check it out!
I’ll suppose that you have already got Jamf Attach (Login) configured in a elementary setup. If now not I extremely suggest accomplish that ahead of making an attempt to deploy and check Jamf Liberate. The Jamf Attach circle of relatives of gear and contours are really nice in my view, however the configuration can every so often be a little overwhelming for those who set it up for the primary time. Each the configuration of the config profile / plist, in addition to the iDP aspect of items, require an excessively exact config. First of all including too many options, together with including Jamf Liberate, could make issues unnecessarily complicated to troubleshoot. Fundamentals first!
That mentioned, I began with a operating setup for each Jamf Attach Login 2.x and Jamf Attach Menu Bar App and the very first thing to deploy and configure Jamf Liberate was once so as to add the further redirect URI in my present Azure app: jamfunlock://callback/auth

Subsequent, I created the extra configuration profile to allow Jamf Liberate within the menu bar app. I didn’t upload the keys to my present menu bar config profile to have extra flexibility in disabling it when wanted:

<?xml model="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist model="1.0">
<dict>
<key>Liberate</key>
<dict>
<key>EnableUnlock</key>
<true/>
<key>RequirePIN</key>
<true/>
</dict>
</dict>
</plist>
The desire area for this profile could also be com.jamf.join like our standard Menu Bar App plist. Like I mentioned, I most well-liked to make use of a separate plist to allow Jamf Liberate, but when you wish to have, you’ll be able to upload this key on your present JC profile:

That’s desirous about enabling Jamf Liberate within the Menu Bar app! What do we’d like subsequent?
- Deploy Jamf Attach 2.4
- Configure and deploy the iOS Jamf Liberate app
Deploying Jamf Attach 2.4 (which incorporates the Jamf Liberate characteristic) is not anything greater than importing our new model on your distribution level, and replace it by the use of a coverage, or manually set up it for trying out.
The iOS Jamf Liberate app must be put in by the use of MDM with app configuration: https://doctors.jamf.com/jamf-connect/documentation/Configuring_and_Deploying_Jamf_Apps.html
In Jamf Professional I had my Jamf Liberate app added as a result of I added some licenses by the use of VPP in Apple Industry Supervisor, and the one factor left to configure all of the setup was once to select the deployment sort (set up mechanically in my case) and setup the app configuration. Different settings are as you wish to have/want however the app must be deployed by the use of MDM and come with app configuration:


For the app configuration you principally simplest want the dictionary underneath, however within the above screenshot I added my tenant ID as neatly as a result of I used to be troubleshooting some tenant problems. You most often would now not want this, except you could have extra tenants in use on your setting.
For com.jamf.config.idp.oidc.client-id you want to position the app ID of the Jamf Attach OIDC app you could have configured in Azure, similar to you could have it within the Jamf Attach Login and Menu Bar.
<dict>
<key>com.jamf.config.idp.oidc.supplier</key>
<string>Azure</string>
<key>com.jamf.config.idp.oidc.client-id</key>
<string>abcd65c-52fe-4b63-8dde-d658abc0aee8</string>
<key>com.jamf.config.idp.oidc.redirect-uri</key>
<string>jamfunlock://callback/auth</string>
</dict>
Be aware: By way of default this setup configures the Liberate capability in a pin-less manner. Which means unlocking or authenticating within the Mac will simplest require the iOS app to be opened and use both FaceID or the iOS passcode to grant get admission to. On the time of writing the documentation states that "Require PIN Authentication" defaults to true, but it surely in fact defaults to False. I'm going to get that corrected. Extra about this underneath.
If you wish to implement FaceID for use the next key may well be added to the app config:
<key>com.jamf.config.biometrics.required</key>
<true/>
Up to now for the setup! Let’s check!
In spite of everything the above I’ve the iOS app on my check instrument:

And Jamf Attach Menu Bar with Liberate capability added:

The final a part of the mixing is to allow the Liberate capability through pairing the iOS instrument.

Very first thing to do is to click on on ‘pair new instrument’ on which you’ll be offered through a QR code you want to scan with the iOS app:

At this level you want to move during the technique of scanning the QR code and following the stairs within the iOS app. You’ll get some popups requesting get admission to to community, digital camera, Bluetooth, and so forth. The ones want to be granted for the pairing to paintings! Moreover FaceID can be utilized as neatly. That is then again simplest to authenticate into the iOS app as a substitute of the usage of the iPhone passcode.
At this level you will have the underneath in each the iOS because the Jamf Attach Menu Bar app.
NOTE: Be certain that each 'Allow Liberate' (JC Menu Bar App) and 'Permit Unlocking" (iOS app) are enabled !


If all went neatly, you will have to now be precipitated to go into a PIN each time you want to free up your Mac, Authenticate in Terminal or Liberate some Device Personal tastes. Alternatively, as in default config above, no PIN is needed. Simply hit input or click on ‘free up’.



Clicking free up or hitting input will have to cause a notification (if enabled) at the iOS instrument. Liberate the iOS app with both FaceID or passcode and Jamf Liberate will ship an authentication to the Mac.

Now, as I mentioned, the app defaults to PIN-LESS as a substitute of requiring a PIN. So as to require the consumer to go into a PIN code at the Mac we want to tweak the App configuration of the iOS app:

To require a PIN, the app configuration would then seem like this:

<dict>
<key>com.jamf.config.idp.oidc.supplier</key>
<string>Azure</string>
<key>com.jamf.config.idp.oidc.client-id</key>
<string>1d884884-12fd-4fba-9bec-71548a60aa76</string>
<key>com.jamf.config.idp.oidc.tenant</key>
<string>af72a024-546b-4622-80f1-fd66bf369fcc</string>
<key>com.jamf.config.idp.oidc.redirect-uri</key>
<string>jamfunlock://callback/auth</string>
<key>com.jamf.config.pin.required</key>
<true/>
<key>com.jamf.config.pin.sort</key>
<string>rotating</string>
</dict>
Be aware: When converting the app config you want to redeploy the app to get them carried out.
Now, after we do have the PIN requirement configured as according to above, you’ll see that iOS now presentations a rotating key, similar to every other MFA app:

Now each time you want to authenticate at the Mac, the PIN these days displayed at the iOS app must be entered, as an example:

Carried out! That’s it principally! General now not in reality a lot to configure if you have already got the elemental Jamf Attach stuff in position. If now not, it is going to take you a little longer, however like I discussed above I’d suggest to get the Menu Bar App operating first in a elementary setup, and upload free up afterwards.
The one factor I’ve spotted is that every so often the ‘Allow Liberate’ settings on macOS didn’t in reality practice right away to the Mac even if it was once enabled and I used to be simply precipitated with standard authentication activates. Alternatively, doing the have you ever attempted turning it off and on once more means fastened that.
General somewhat directly ahead deployment and it really works neatly! I find it irresistible!
That’s it! As at all times, for those who preferred the submit, hit the like button, inform your mates about it and go away a remark down underneath!
Brgds,
TTG

Apple ecosystem fanatic, geek, tech device freak, Belgian residing within the Netherlands
Senior Undertaking Give a boost to Engineer | Jamf
https://macbookblackfriday.com/