Version: Next Gen

Jamf Integration

This guide will walk you through setting up a Jamf Pro integration with Beyond Identity.

Benefits of integrating Jamf with Beyond Identity

Ensure devices are found within Jamf Pro

Prevent unmanaged devices from accessing sensitive resources by leveraging Jamf Pro within Beyond Identity. Administrators are empowered to create policies using attributes such as:

  • Device Ownership Type
  • Supervision status
  • User Approved MDM
  • and many more

Ensure specific controls are configured correctly

It's not enough to simply know a device exists in the Jamf Pro device directory, it's just as important to ensure that the device is functional and configured correctly. This integration provides deep visibility into the security configuration of monitored devices, exposing the following attributes and more:

  • FileVault Status
  • Secure Boot Status
  • SIP Status
  • Firewall Status
  • Remote Login Enabled/Disabled

Prerequisites

To ensure a smooth integration process, please confirm the availability of the following prerequisites and requirements.

OS Support on Beyond Identity

The Jamf Pro integration currently supports macOS and iOS.

Platform    Supported
Windows
macOS       ✅
Linux
iOS         ✅
Android

✅ Fully Supported

〰️ Under Development / Limited Support

❌ Not Supported

License Requirements for Jamf Pro

This integration provides support for Jamf Pro. A valid Jamf Pro tenant is required.

Authentication Requirements

The Jamf Pro integration requires a valid username, password, and tenant URL. The tenant URL must be supplied in the form https://<yourinstancename>.jamfcloud.com, where yourinstancename is the name of your Jamf tenant.


Legend

In the following sections, a color-coded indicator has been added to a heading to help identify whether the steps should be performed in Beyond Identity or a different application.

🔵 Beyond Identity: Actions to be performed in the Beyond Identity platform are highlighted in blue.

🟠 Jamf Pro: Actions to be performed in the Jamf Pro platform are highlighted in orange.


🟠 Step 1 - Set up the Jamf Pro environment for first use

This section describes how to set up the Jamf environment for the first time.

If you already have a Jamf environment configured, skip this section and go directly to Step 2 - Configure Jamf Pro to work with Beyond Identity.


Set up the Jamf Pro environment

  1. Access the Jamf Pro environment by logging in to the following link as an administrator: https://yourinstancename.jamfcloud.com (replace "yourinstancename" with the name of your Jamf Pro instance). Log in using your Jamf Pro admin username and password.
  2. Create additional users, if required. To create additional users, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Jamf_Pro_User_Accounts_and_Groups.html
  3. You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to reach. To configure SAML, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Single_Sign-On.html

Prepare for Computer and Device Enrollment

Apple Push Notification Certificate

Creation of an APNs certificate is required for enrollment of iOS and macOS devices. This certificate enables secure communication between Jamf Pro and Apple's servers, which support the MDM protocol features such as automated deployment of apps, configuration profiles and remote commands.

Configure User-initiated Enrollment Settings

While the majority of customer (production) environments utilize Automated enrollment using Apple Business Manager, for the demo environment, you can configure User-initiated enrollment.


Before enrolling devices, the server must be configured to support user-initiated enrollment. Follow the steps below to enable enrollment of both iOS and macOS devices.

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click User-Initiated Enrollment.
  4. Click Edit.
  5. (Optional) Customize the default settings for the General and Messaging tabs as needed.
  6. Click Platforms and, from the macOS tab, check the box to Enable user-initiated enrollment for computers.
  7. In the Username field, enter any username for the administrative account that will be associated with the managed device.
     Note: Although required, the configuration of this field is only relevant for the use of the Jamf Remote application.
  8. Click the iOS tab and check the box for Enable user-initiated enrollment for institutionally owned iOS devices and personally owned iOS devices.
  9. Click Save in the bottom-right corner of the page. Your environment is now configured to allow users to enroll devices without the use of Apple Business Manager.


Enroll Computers

  1. On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
  2. On the Login screen, enter the credentials for the account used to log in to Jamf Pro, and then click Log in.
  3. On the Assign to user screen, click Enroll without entering anything in the text box.
     Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
  4. When prompted, click Continue. This downloads the file "CA Certificate.mobileconfig" to your Mac.
  5. Click the file "CA Certificate.mobileconfig".
  6. Go to Mac System Preferences > Profiles. You will see the CA Certificate listed there.
  7. Click Install.
  8. Click Install again. The CA Certificate is now installed.
  9. When prompted, click Continue to download "enrollmentProfile.mobileconfig" to your Mac.
  10. Click the file "enrollmentProfile.mobileconfig".
  11. Go to Mac System Preferences > Profiles. You will see the MDM Profile listed there.
  12. Click Install.
  13. Click Install again. The MDM Profile is now installed.
      After the MDM profile has been installed, the jamf binary, agents and other management tools automatically begin installing in the background. Allow a few minutes for this process to complete before attempting to perform management tasks on the device.
  14. Quit the browser to ensure all Jamf Pro sessions are closed.

More information and screenshots of the end-user experience can be found in the Jamf Pro Administrator's Guide at the following link: https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide


Enroll Mobile Devices

  1. On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll.
  2. On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then tap Log in.
  3. When prompted to choose between a Personally Owned or an Institutionally Owned device, tap Personally Owned and then tap Enroll.
  4. Tap Continue when prompted to install the CA certificate.
  5. Tap Allow when prompted to download the configuration profile.
  6. Tap Close and then close the browser.
  7. Open the Settings app on the device and tap General > Profiles.
  8. Tap the CA Certificate, and then tap Install in the top-right corner.
  9. Follow the on-screen prompts to complete the installation process.
     Note: If a warning about the authenticity of the MDM Profile appears, tap Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.


More information and screenshots of the end-user experience can be found in the Jamf Pro Administrator's Guide at the following link:

https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/

🟠 Step 2 - Configure Jamf Pro to work with Beyond Identity

If you already have Jamf Pro configured, start here to begin the configuration with Beyond Identity.

  1. Log into the Jamf Pro Admin Console.

  2. Go to All Settings > Jamf Pro User Accounts & Groups > New > Create Standard Account.

  3. Click Next.

  4. Under the Account tab, fill in the following information:

    Option                                        Enter or Select
    Username                                      bi-api-user
    Privilege Set                                 Custom
    Access Status                                 Custom
    Full Name                                     API User
    Email Address                                 your_email_address
    Password                                      your_password
    Verify Password                               your_password
    Force user to change password at next login   Leave unchecked

    Note: You will need the username and password in the next section.

  5. Under the Privileges tab, fill in the following information:

    1. Click Jamf Pro Server Objects.

    2. Select READ permissions for all.

    3. Leave other permissions unchecked.

  6. Click Save.

🔵 Step 3 - Integrate Jamf Pro with Beyond Identity

Add the Jamf Pro integration


  1. Go to Tools > Integrations Catalog in the Beyond Identity Admin console.
  2. Click the All Integrations tab and then click the Jamf tile.
  3. Click Add instance.
  4. Complete the following entries in the Add integration - Jamf dialog.
    • Display Name: Enter "Jamf Integration" or another name you want to display on the Installed Integrations page.
    • Description: Optionally enter a description.
    • Provide the Base URL, Username, and Password you entered in the previous section.
  5. Click Add instance. You'll be returned to the Installed Integrations page with the Jamf integration displayed.


🔵 Jamf policy attributes

You can create policies that allow or deny authentication. The attributes below are available by default. For more information about policies, see Policy.

Attribute                         Source          Description
Connection is                     Jamf Pro API    Checks whether the device is connected to Jamf.
Computer Managed State is         Jamf Pro API    Checks whether the device is managed by Jamf.
Mobile Device Managed State is    Jamf Pro API    Checks whether the mobile device is managed by Jamf.

If the computer or mobile device is "Not Managed," your rule can deny authentication. If you've purchased Device360, you can simulate the policy to see

Note: This rule will take effect immediately.

🟠 Step 4 - Push the Beyond Identity Authenticator to Mobile Devices

To leverage Jamf mobile attributes in the Beyond Identity policy and determine a managed state, the Beyond Identity Authenticator must be pushed to managed mobile devices with a specific app configuration.

  1. Go to Devices > Mobile Device Apps > + New.

  2. Click App Store app or apps purchased in volume.

  3. Search for and add the Beyond Identity mobile application.

  4. On the 'New Mobile Device App' page, go to App Configuration and enter the following:

    Key             Value
    serialNumber    $SERIALNUMBER
    DeviceUid       $UDID
    JamfProID       $JSSID

  5. Click Save.
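As an added example (not code from this guide, Jamf or Beyond Identity), the Python below generates the App Configuration body from the three keys in Step 4 and checks a pasted configuration for the mistakes that most often break the mapping (a missing key, or a literal value where a Jamf payload variable belongs). It assumes the field takes the `<dict>` body of an XML plist, which is an assumption of ours.

```python
# Added example: builds and validates the managed app configuration for Step 4.
# Key names and the $SERIALNUMBER / $UDID / $JSSID payload variables come from the
# guide; that the Jamf Pro field takes the <dict> body of an XML plist is assumed.
import plistlib

REQUIRED_KEYS = ("serialNumber", "DeviceUid", "JamfProID")


def managed_app_config() -> dict:
    """Jamf Pro substitutes each $VARIABLE per device when the app is pushed."""
    return {
        "serialNumber": "$SERIALNUMBER",
        "DeviceUid": "$UDID",      # the UDID is what Beyond Identity matches on
        "JamfProID": "$JSSID",
    }


def app_configuration_xml() -> str:
    """Return only the <dict>...</dict> element, as entered in the Jamf Pro field.

    plistlib sorts keys alphabetically; key order is irrelevant to a plist dict.
    """
    full = plistlib.dumps(managed_app_config(), fmt=plistlib.FMT_XML).decode()
    start = full.index("<dict>")
    end = full.index("</dict>") + len("</dict>")
    return full[start:end]


def validate_app_configuration(xml_body: str) -> list:
    """Return the problems found in a pasted <dict> body (empty list if it is OK)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<plist version="1.0">{xml_body}</plist>')
    try:
        cfg = plistlib.loads(doc.encode())
    except Exception as exc:  # malformed plist: Jamf cannot apply it to the app
        return [f"not a valid plist: {exc}"]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key {key}")
        elif not str(cfg[key]).startswith("$"):
            problems.append(f"{key} is a literal, not a Jamf payload variable")
    return problems
```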

🔵 Step 5 - Test the MDM Authentication Policy

  1. Log in to the Beyond Identity Admin console first from a computer that is enrolled in Jamf Pro and then from a computer that is not enrolled in Jamf Pro.

  2. Confirm that the policy behavior is as expected.

  3. Click Events in the nav bar to ensure that the correct rule is triggered.

🔵 Frequently Asked Questions

How are devices matched to the Jamf Pro device directory?

This integration leverages the Apple Unique Device Identifier (UDID). The UDID is a 24-character string assigned to all modern Apple devices. We do not use the serial number to match devices to records.
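The following added example (ours, not Beyond Identity's code) models how the default policy attributes from Step 3 and the UDID-only matching described in this answer combine into an allow or deny decision. The device records, UDIDs, serial numbers and the "Connected"/"Not Connected" wording are constructed assumptions.

```python
# Added example: UDID-based lookup against a constructed Jamf Pro directory,
# followed by the managed-state decision the default policy attributes express.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class JamfRecord:
    udid: str       # Apple UDID, the only key used for matching (see FAQ)
    serial: str     # kept in the record, deliberately never used for matching
    kind: str       # "computer" or "mobile"
    managed: bool   # Jamf "Managed" vs "Not Managed" state


# Constructed sample directory; UDIDs and serials are made up.
JAMF_DIRECTORY = [
    JamfRecord("00008103-000A1B2C3D4E001E", "C02XYZ123456", "computer", True),
    JamfRecord("00008030-001122334455667A", "F9ABC123DEF4", "mobile", True),
    JamfRecord("00008110-00AA11BB22CC33DD", "DNPLMN987654", "mobile", False),
]


def find_by_udid(directory, udid: str) -> Optional[JamfRecord]:
    """Match on UDID only (case-insensitive); a matching serial is not enough."""
    wanted = udid.strip().upper()
    for rec in directory:
        if rec.udid.upper() == wanted:
            return rec
    return None


def evaluate(directory, udid: str) -> tuple:
    """Return (decision, attribute) as the default Jamf attributes would resolve."""
    rec = find_by_udid(directory, udid)
    if rec is None:
        # "Connection is": the device was not found in the Jamf Pro directory
        return ("DENY", "Connection is Not Connected")
    attr = ("Computer Managed State" if rec.kind == "computer"
            else "Mobile Device Managed State")
    if not rec.managed:
        return ("DENY", f"{attr} is Not Managed")
    return ("ALLOW", f"{attr} is Managed")
```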

What rate limits apply to this integration?

No explicit rate limits are set for Jamf Pro.

Why aren't my iOS devices being found?

There are several reasons why an iOS device may fail to be found by Beyond Identity when it exists in the Jamf Pro device directory.

iOS devices require a managed configuration to be provided in order to map device information into the Beyond Identity Platform Authenticator. The managed configuration must be assigned to the correct user and device population within Jamf Pro.

Certain MDM enrollment types are incompatible with managed configurations. Ensure your accepted enrollment types fully support managed applications.

For Jamf Pro integration compatibility, the Beyond Identity Platform Authenticator app cannot be installed directly from the Apple App Store; instead it must be installed from a managed channel such as Self Service or be pushed to the device from Jamf Pro. Installations from the App Store will not include the managed configuration.