Introduction
This document describes how to set up a Jamf Pro environment, integrate it with a Beyond Identity tenant, create an authentication policy based on the device being managed or unmanaged and test the authentication policy.
Important: If you already have a Jamf environment configured, go directly to this section: Integrate Jamf Pro with Beyond Identity – Jamf Pro Configuration.
Contents
- Configure Jamf Pro
- Integrate Jamf Pro with Beyond Identity – Jamf Pro Configuration
- Integrate Jamf Pro with Beyond Identity – Beyond Identity Configuration
- Push the Beyond Identity Authenticator to Mobile Devices
- Configure the MDM Authentication Policy
- Test the MDM Authentication Policy
- Appendix: How to unenroll computers and devices
Configure Jamf Pro
Set up the Jamf Pro environment
- Access the Jamf Pro environment by logging in to the following link as an administrator:
https://<yourinstancename>.jamfcloud.com
Replace <yourinstancename> with the name of your Jamf Pro instance.
Log in using your Jamf Pro admin username and password.
- Create additional users, if required. To create additional users, follow these steps:
https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Jamf_Pro_User_Accounts_and_Groups.html
- You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access. To configure SAML, follow these steps:
https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Single_Sign-On.html
Prepare for Computer and Device Enrollment
Apple Push Notification Certificate
Creation of an APNs certificate is required for enrollment of iOS devices and macOS devices. This certificate enables secure communication between Jamf Pro and Apple’s servers, which support and enable MDM protocols such as automated deployment of apps, configuration profiles and remote commands.
It’s important to note that this certificate must be renewed annually using the same Apple ID that was used to create it. If, for any reason, the original Apple ID cannot be used during the renewal process, all devices will need to be re-enrolled. It may make sense to create an Apple ID solely for this purpose.
Once you’ve identified an appropriate Apple ID to use, follow the instructions in the article at the link below to create the APNs certificate.
Configure User-initiated Enrollment Settings
While most customer (production) environments use automated enrollment through Apple Business Manager, for the demo environment you can configure user-initiated enrollment.
Before enrolling devices, the server must be configured to support user-initiated enrollment. Follow the steps below to enable enrollment of both iOS and macOS devices.
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click User-Initiated Enrollment.
- Click Edit.
- The default settings for the General and Messaging tabs should be sufficient, but feel free to customize your end-user experience as desired.
- Click Platforms and from the macOS tab, check the box to Enable user-initiated enrollment for computers.
- In the Username field, enter any username for the administrative account that will be associated with the managed device.
Note: Although required, the configuration of this field is only relevant for the use of the Jamf Remote application.
- Click the iOS tab and check the box for Enable user-initiated enrollment for institutionally owned iOS devices and personally owned iOS devices.
- Click Save in the bottom-right corner of the page. Your environment is now configured to allow users to enroll devices without the use of Apple Business Manager.
Enroll Computers
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
- On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then click Log in.
- On the Assign to user screen, click Enroll without entering anything in the text box.
Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
- You will be presented with the following dialog box.
- Click Continue. This will download a file “CA Certificate.mobileconfig” on your Mac.
- Click on the file “CA Certificate.mobileconfig”. The following dialog is displayed.
- Go to Mac System Preferences > Profiles. You will see the CA Certificate listed there.
- Click on Install.
- Click Install.
The CA Certificate is now installed.
- In your browser, you will be presented with the following dialog box. Click Continue.
This will download a file “enrollmentProfile.mobileconfig” on your Mac.
- Click on the file “enrollmentProfile.mobileconfig”. The following dialog is displayed.
- Go to Mac System Preferences > Profiles. You will see the MDM Profile listed there.
- Click on Install.
- Click Install again.
The MDM Profile is now installed. After the MDM profile has been installed, the jamf binary, agents and other management tools will automatically begin installing in the background. Allow a few minutes for this process to complete before attempting to perform management tasks on the device.
- Quit the browser to ensure all Jamf Pro sessions are closed.
More information and screenshots of the end user experience can be found in the Jamf Pro Administrator’s Guide at the following link:
https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/
Enroll Mobile Devices
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
- On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then tap Log in.
- When prompted to choose between a Personally Owned or Institutionally Owned device, tap Personally Owned and then tap Enroll.
- Tap Continue when prompted to install the CA certificate.
- Tap Allow when prompted to download the configuration profile.
- Tap Close and then close the browser.
- Open the Settings app on the device and tap General, then Profiles.
- Tap the CA Certificate, followed by Install in the top-right corner.
- Follow the on-screen prompts to complete the installation process.
Note: If a warning prompts about the authenticity of the MDM Profile, tap Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.
More information and screenshots of the end-user experience can be found in the Jamf Pro Administrator’s Guide at the following link:
https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/
Integrate Jamf Pro with Beyond Identity – Jamf Pro Configuration
- Log in to the Jamf Pro Admin Console.
- Go to All Settings > Jamf Pro User Accounts & Groups > + New > Create Standard Account.
- Click Next.
- Under the Account tab, fill in the following information:
- Username: bi-api-user
- Privilege Set: Custom
- Access Status: Enabled
- Full Name: API User
- Email Address: <your_email_address>
- Password:
- Verify Password:
- Force user to change password at next login: Leave unchecked
- Under the Privileges tab, fill in the following information
- Click on Jamf Pro Server Objects.
- Select READ permissions for all.
- Leave other permissions unchecked.
- Click Save.
Note: You will need the username and password in the next section.
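Before handing the bi-api-user credentials to Beyond Identity, it is worth confirming that the account really is read-only, since the integration only needs to read device records. The following script is an added example, not part of this guide or of either product: it audits the privileges attached to an account. It assumes the Jamf Pro API endpoints POST /api/v1/auth/token and GET /api/v1/auth (authorization details for the current token), and it runs offline against a constructed sample response when no arguments are given.

```python
"""Audit that the Jamf Pro integration account holds only READ privileges."""
import base64
import json
import sys
import urllib.request

# Constructed sample of what GET /api/v1/auth returns for an account
# (not captured from a real tenant; one excess privilege included on purpose).
SAMPLE_AUTH_RESPONSE = {
    "account": {
        "username": "bi-api-user",
        "realName": "API User",
        "privileges": [
            "Read Computers",
            "Read Mobile Devices",
            "Update Computers",  # exceeds the read-only set this guide asks for
        ],
    }
}


def non_read_privileges(privileges):
    """Return privileges that grant more than read access, sorted.

    Jamf Pro Server Object privilege names start with the action
    (Create/Read/Update/Delete), so anything not beginning with 'Read '
    is outside a read-only privilege set.
    """
    return sorted(p for p in privileges if not p.startswith("Read "))


def audit_account(auth_response):
    """Return (username, offending privileges) from a /api/v1/auth body."""
    account = auth_response["account"]
    return account["username"], non_read_privileges(account.get("privileges", []))


def fetch_auth_details(base_url, username, password):
    """Obtain a bearer token with basic auth, then read the token's privileges."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    req = urllib.request.Request(f"{base_url}/api/v1/auth",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python audit.py https://<yourjamfinstance>.jamfcloud.com bi-api-user <password>
    body = fetch_auth_details(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_AUTH_RESPONSE
    user, extra = audit_account(body)
    print(f"{user}: {'read-only OK' if not extra else 'excess privileges: ' + ', '.join(extra)}")
```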
Integrate Jamf Pro with Beyond Identity – Beyond Identity Configuration
- Log into the Beyond Identity Admin console.
- Go to Integrations > Endpoint Management.
- Click the Edit Configuration icon.
- Enter the following information obtained from the Jamf Pro Admin UI.
- API URL: e.g. https://<yourjamfinstance>.jamfcloud.com
- Username: bi-api-user
- Password: <password>
- Click Save Changes.
Push the Beyond Identity Authenticator to Mobile Devices
In order to leverage Jamf mobile device attributes in the Beyond Identity policy and determine a managed state, the Beyond Identity Authenticator must be pushed to managed mobile devices with a specific app configuration.
- Go to Devices > Mobile Device Apps > + New.
- Click App Store app or apps purchased in volume.
- Search for and add the Beyond Identity mobile application.
- On the 'New Mobile Device App' page, go to App Configuration and enter the following:
    <dict>
        <key>serialNumber</key>
        <string>$SERIALNUMBER</string>
        <key>DeviceUid</key>
        <string>$UDID</string>
        <key>JamfProID</key>
        <string>$JSSID</string>
    </dict>
- Click Save.
Configure the MDM Authentication Policy
- Log into the Beyond Identity Admin console.
- Go to Policy > Edit Policy > Add rule.
- Create a rule to deny authentication if the device is not in a “managed state” as shown below.
- Click Add.
Note: This rule will take effect immediately.
Test the MDM Authentication Policy
- Log in to the Beyond Identity Admin console first from a computer that is enrolled in Jamf Pro and then from a computer that is not enrolled in Jamf Pro.
- Confirm that the policy behavior is as expected.
- Check the Events tab to ensure that the correct rule is triggered.
Appendix: How to unenroll computers and devices
- Open the Jamf Pro Admin Console.
- Click on Computers.
- Click on Search.
- Click on your computer (or Devices) listed there.
- Click on Management (in the tab at the top).
- Click on Delete (bottom right).
This will delete your computer (or mobile device) from Jamf Pro management.
You can now go back and check that Beyond Identity detects that the computer (or device) is no longer managed.