
Jamf Pro and Azure AD

Azure AD as a cloud identity provider

Integrating Jamf Pro with Azure AD as a cloud identity provider allows the following LDAP workflows without the need to configure Azure AD Domain Services:

  • Looking up all users and groups for inventory purposes
  • Configuring user authentication and scoping
  • Performing user membership lookups and using them to map privileges to the relevant accounts in Jamf Pro

When integrating Jamf Pro with Azure AD, consider the following:

  • Your Jamf Pro instance needs to be hosted in Jamf Cloud.
  • You need Global Administrator privileges in Azure AD to manage the consent requested by the Jamf Pro Azure AD Connector app.
  • User groups added in Jamf Pro have the same name as the groups configured in Azure.
  • Accounts and groups added in Jamf Pro must be the standard type.
  • The Azure AD cloud IdP integration uses the Microsoft Graph API and connections to the domain.
  • In directory-related workflows (e.g., adding scope limitations and exclusions), Azure AD cloud identity items are listed under the LDAP headings.

Registration

When setting up the Graph API connection between Jamf Pro and Azure AD, Global Administrator privileges are required to authenticate. After successful authentication, an application for Jamf Pro is automatically added in Azure AD to use the Graph API, so the application does not need to be created manually. After the application is added, the session is terminated. Together with the consent granted by the administrator via the Cloud Connector, this ensures the directory data is automatically passed to, and used in, the directory workflows in Jamf Pro.

No actions other than reading data are performed in Azure. When Jamf Pro performs lookups in Azure AD it is in a read-only state; Jamf Pro cannot write data back to Azure AD.

Authorization code exchange

The typical Jamf Pro and Azure AD IdP integration proceeds as follows (the original diagram is not reproduced on this page):

  1. After receiving the consent, the Cloud Connector web application performs authorization of the given client identifier and the received tenant identifier against Azure's authorization endpoint.
  2. Azure responds with an authorization code.
  3. This code is passed, together with the tenant identifier, back to Jamf Pro.
  4. After Jamf Pro receives this set of data from the Cloud Connector web application, it verifies the received authorization code.
  5. If there are no issues in the data set, the configuration is saved.

This approach ensures that Jamf Pro limits the use of the Azure tenant's data to the allowed client/application.

The TLS version used to secure data in transit is 1.2 or higher, with Perfect Forward Secrecy (PFS). Jamf Pro always attempts to negotiate the highest protocol version first.

Permissions

To create the connection, the following set of permissions is required for the Jamf Pro application:

  • User.Read - Allows users to sign in to the app. This is necessary for registration workflows.
  • update_device_attributes - Allows Jamf Pro to send inventory data to Microsoft Endpoint Manager through the Partner Device Management API.
  • A further permission (its name is not preserved on this page) allows the user to perform service discovery.

When initializing the Partner Device Management or Partner Compliance Management integration, Jamf Pro or the Cloud Connector queries Azure to discover the service endpoints.

Directory lookups

When the connection to Azure is enabled, Jamf Pro can query the directory information from Azure. The typical flow for a directory data lookup is: when the administrator initializes the lookup, Jamf Pro requests an access token from Azure using the Client Credentials Flow; after the token is granted, Jamf Pro queries the directory data via the Microsoft Graph API.
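The consent and authorization-code handoff described above, as an added example that is not Jamf's Cloud Connector code: it is modelled on the public Microsoft identity platform v2.0 endpoints, and the fake token endpoint, the redirect URI, the tenant/client identifiers and the code values are constructed for an offline run. The point it makes is that an authorization code is "verified" by redeeming it with the registered client's secret and then checking the tenant the resulting token was issued for, which is what ties the tenant's data to the allowed application.

```python
"""Added example (not Jamf's Cloud Connector code): the consent and
authorization-code handoff, modelled on the Microsoft identity platform
v2.0 endpoints. The fake token endpoint, redirect URI, identifiers and
code values are constructed for offline use."""
import base64
import hmac
import json
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
SCOPE = "https://graph.microsoft.com/.default"


def new_state() -> str:
    # Unguessable value that binds the callback to this specific request.
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant_id, client_id, redirect_uri, state):
    """Authorization request (response_type=code) against the tenant's
    v2.0 authorize endpoint, where the administrator's consent is collected."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code Azure handed back; refuse callbacks whose state does
    not match the request we issued (CSRF / mix-up protection)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to our request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def _claims(jwt_token):
    # Payload only. Production code must verify the signature against the
    # tenant's signing keys before trusting any claim (omitted here: offline).
    payload = jwt_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def redeem_code(transport, tenant_id, client_id, client_secret, redirect_uri, code):
    """Verify the code by redeeming it at the token endpoint. Only the holder of
    the registered client's secret can do this, which is what ties the tenant's
    data to the allowed application. Returns the tenant the token was issued for."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
    }
    resp = transport(f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form)
    if "access_token" not in resp:
        raise ValueError(f"code rejected: {resp.get('error')}")
    tid = _claims(resp["access_token"]).get("tid")
    if tid != tenant_id:
        raise ValueError("token issued for another tenant; configuration not saved")
    return tid


def _fake_jwt(claims):
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg(claims)}.signature"


def fake_token_endpoint(url, form):
    """Constructed stand-in for Azure's token endpoint: accepts one code, and
    only when it is presented with the registered client's secret."""
    tenant_in_url = url.split("/")[3]
    if form["code"] == "AQABAAIAAAD-good" and form["client_secret"] == "s3cret":
        return {"access_token": _fake_jwt({"tid": tenant_in_url, "appid": form["client_id"]})}
    return {"error": "invalid_grant"}


def run_handoff(code="AQABAAIAAAD-good", tenant_id="11111111-2222-3333-4444-555555555555"):
    """Whole exchange end to end; returns the tenant id that gets saved."""
    state = new_state()
    redirect = "https://jamf.example/cloud-connector/callback"  # assumed URI
    build_authorize_url(tenant_id, "app-client-id", redirect, state)
    # Azure redirects back to the Cloud Connector with the code and our state.
    callback = f"{redirect}?code={code}&state={state}"
    received = parse_callback(callback, state)
    return redeem_code(fake_token_endpoint, tenant_id, "app-client-id", "s3cret", redirect, received)
```

Two checks carry the weight here: the state comparison rejects a callback that was not produced by our own authorization request, and the tenant claim comparison rejects a token that a misconfigured or hostile redirect delivered for a different tenant. In a real deployment the token's signature must also be validated before its claims are used.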

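The directory-lookup flow described above, as an added example that is not Jamf Pro's own code: an app-only token is obtained with the client credentials grant, then read-only Microsoft Graph queries are issued over a TLS 1.2+ connection restricted to forward-secret cipher suites. The FakeAzure transport, the identifiers and the directory contents are constructed for an offline run; the HTTPS transport is included to show how the same functions talk to the real endpoints.

```python
"""Added example (not Jamf Pro's own code): app-only token via the client
credentials grant, then read-only Graph lookups over TLS 1.2+ with forward
secrecy. FakeAzure, identifiers and directory data are constructed."""
import json
import ssl
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def tls_context():
    """TLS 1.2 or higher and only ECDHE/DHE suites, so every session has
    forward secrecy; TLS 1.3 suites are forward-secret by design and stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def request_app_token(transport, tenant_id, client_id, client_secret):
    """Client credentials grant: no user is involved; the token carries the
    application permissions the administrator consented to."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }
    return transport("POST", f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form, None)["access_token"]


def list_group_members(transport, token, group_id):
    """Read-only lookup of a group's members, following @odata.nextLink paging."""
    url = f"{GRAPH}/groups/{group_id}/members?" + urllib.parse.urlencode(
        {"$select": "id,userPrincipalName"})
    members = []
    while url:
        page = transport("GET", url, None, token)
        if "error" in page:
            raise RuntimeError(page["error"]["code"])
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return members


def https_transport(method, url, form, token):
    """Real transport for the functions above (not used by the offline demo)."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=tls_context()) as resp:
        return json.load(resp)


class FakeAzure:
    """Constructed stand-in for the token endpoint and Graph: issues one app
    token, serves one two-page group, and refuses anything that is not a GET
    (mirroring the read-only posture of the integration)."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, form, token):
        self.calls.append((method, url))
        if url.endswith("/oauth2/v2.0/token"):
            assert form["grant_type"] == "client_credentials"
            return {"token_type": "Bearer", "expires_in": 3599, "access_token": "app-token"}
        if token != "app-token":
            return {"error": {"code": "InvalidAuthenticationToken"}}
        if method != "GET":
            return {"error": {"code": "Authorization_RequestDenied"}}
        if "skiptoken" not in url:
            return {"value": [{"id": "u1", "userPrincipalName": "alice@example.com"}],
                    "@odata.nextLink": url + "&$skiptoken=page2"}
        return {"value": [{"id": "u2", "userPrincipalName": "bob@example.com"}]}


def lookup_group(group_id="group-1"):
    """Directory lookup end to end; returns the UPNs Jamf Pro would scope on."""
    azure = FakeAzure()
    token = request_app_token(azure, "tenant-id", "app-client-id", "s3cret")
    return [m["userPrincipalName"] for m in list_group_members(azure, token, group_id)]
```

Following nextLink matters in practice: Graph pages large groups, and a lookup that reads only the first page silently under-scopes. The cipher restriction is the practitioner's check on the "TLS 1.2 or higher with PFS" statement: with that context, a server that offers only RSA key exchange cannot complete the handshake.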