That is going to be an excessively fast put up as I simply wish to spotlight and explain one thing. This being the brand new characteristic which has been added to Jamf Attach Login in view of ways the password validation by the use of ROPG is finished throughout account advent or next logins.
Beginning with Jamf Attach Login 2.5 (for Google iDP) and a couple of.6 for (Azure iDP) a brand new key has been added to the to be had personal tastes: OIDCUsePassthroughAuth.
This with the next unlock notes: https://medical doctors.jamf.com/jamf-connect/documentation/Release_History.html
This permits Jamf Attach to finish community and native authentication with out prompting customers to re-enter a password. All through native account advent, this guarantees that the community password is routinely used because the native password.
Previous to this new key the account advent or next login with Jamf Attach would most often appear to be this:
First authentication accomplished during the iDP webapp:
After that, relying your ROPG settings (OIDCNewPassword) you possibly can both see a request to re-enter the password (should you set OIDCNewPassword to false)…
… or make a selection a brand new password (should you set OIDCNewPassword to true)…:
Now, with the brand new OIDCUsePassthroughAuth key you’ll configure Jamf Attach Login in some way that the tip consumer simplest must authenticate 1x, during the OIDC webapp.
The best way this works is that the authentication is now securely ‘handed thru’ to the Jamf Attach Login mechs operating within the background. This for account advent in addition to next logins.
Notice: for this to paintings for account advent the OIDCNewPassword key must be set to false. If now not set, this secret is set to true via default. If now not set to false the tip consumer will probably be asked to make a selection a password throughout account advent, which is able to impede this OIDCUsePassthroughAuth to paintings.
To allow this selection, the one factor you want to do is so as to add this explicit key to the Jamf Attach Login plist and re-push the profile, in addition to replace Jamf Attach to two.5/2.6 relying the iDP you utilize:
<key>OIDCUsePassthroughAuth</key> <true/> <key>OIDCNewPassword</key> <false/>
This complements the consumer enjoy keeping off the want to authenticate 2x for each login. Alternatively, some issues nonetheless want to be taken into consideration in view of FileVault.
I’ve mentioned this behaviour right here: https://travellingtechguy.weblog/?p=4119&preview=true#understanding-authentication-flow-with-jamf-connect-and-filevault
Should you do set DisableFDEAutoLogin in macOS or the DenyLocal key in Jamf Attach Login, customers will nonetheless want to authenticate two times after a reboot. That is then again now not associated with the brand new characteristic mentioned on this put up, however purely associated with the authentication movement to free up FileVault.
One very last thing I’d like to spotlight right here, in view of keeping off any confusion, is the truth that this new Passthrough Authentication in Jamf Attach Login has not anything to do with the identical capability in Azure for hybrid tenants:
For hybrid environments with each an on-prem AD and an Azure AD connected in combination, you’ll have more than one configurations in view of the hyperlink between them and the way in which customers are signing in:
- Federation (ADFS)
- Passthrough Authentication
- Further sync choices like ‘Password Hash Sync’
Even supposing the speculation at the back of the Passthrough Authentication from Azure to on-prem AD, is very similar to the way in which Jamf Attach Login now will get the credentials entered within the webapp, that is totally break free the Passthrough Autentication between Azure and on-prem AD.
Passthrough Authentication in Jamf Attach Login does NOT require the Azure Tenant to have Passthrough Authentication to on-prem AD enabled.
Now, I’ve now not for my part examined this with an ADFS-federated tenant but. Alternatively, I’ve noticed stories that it unusually labored. Particularly for environments with AllowCloudPasswordValidation enabled I don’t see a explanation why it might now not paintings, however with natural federation I didn’t check but both. Alternatively, you probably have WIA (Home windows Built-in Authentication) configured for your setting, the passthrough auth in Jamf Attach Login does now not paintings (anticipated).
That’s it! As all the time, should you preferred the put up, hit the like button, inform your pals about it and go away a remark down underneath!
Apple ecosystem fanatic, geek, tech device freak, Belgian dwelling within the Netherlands
Senior Undertaking Give a boost to Engineer | Jamf