Overview
Jamf Pro is a device management solution for Apple devices within organizations. With Beyond Identity, administrators can restrict access using conditional access policies.
Control device access
The list below gives further examples of device attributes that Beyond Identity can use for access management when integrated with Jamf Pro.
- Ownership types of mobile devices
- Supervision status of devices
- User-approved mobile device management
View the 🔵 Jamf policy attributes table for more.
Prerequisites
To get started with the integration, view the following prerequisites.
Jamf prerequisites
This section lists the Jamf requirements for integrating with Beyond Identity.
- Jamf Pro tenant with valid values for:
  - Username
  - Password
  - Tenant URL, which must be in this format:
    https://\{YOUR_JAMF_TENANT_NAME\}.jamfcloud.com
Operating system compatibility
The Jamf integration currently supports macOS and iOS only. The list below describes all platform compatibility.
- Windows - ❌ Not Supported
- macOS - ✅ Fully Supported
- Linux - ❌ Not Supported
- iOS - ✅ Fully Supported
- Android - ❌ Not Supported
Steps
Follow the steps in the sections below to complete your integration for Beyond Identity and Jamf.
Legend
The sections below use these two color codings to identify the steps for separate platforms. Use a separate browser window when following instructions for each platform.
🔵 Beyond Identity - Beyond Identity platform tasks are highlighted in blue.
🟠 Jamf - Jamf Pro platform tasks are highlighted in orange.
🟠 Set up initial Jamf Pro environment
This section describes setting up the 🟠 Jamf Pro environment for the first time. If you already have a Jamf environment configured, go directly to Configure Jamf Pro to integrate with Beyond Identity.
Click here to view the steps.
Set up the Jamf Pro environment
- Access the Jamf Pro environment by logging in to the following link as an administrator: https://yourinstancename.jamfcloud.com. Replace "yourinstancename" with the name of your Jamf Pro instance. Log in using your Jamf Pro admin username and password.
- Create additional users, if required. To create additional users, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Jamf_Pro_User_Accounts_and_Groups.html
- Integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access. To configure SAML, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Single_Sign-On.html
Prepare for Computer and Device Enrollment
Apple Push Notification Certificate
Creation of an APNs certificate is required for enrollment of iOS and macOS devices. This certificate enables secure communication between Jamf Pro and Apple's servers, which support the MDM protocol operations such as automated deployment of apps, configuration profiles, and remote commands.
- Please follow the instructions in the article below to create the APNs certificate, once you've identified an appropriate Apple ID to use.
Configure User-initiated Enrollment Settings
While the majority of customer (production) environments use automated enrollment through Apple Business Manager, for the demo environment you can configure user-initiated enrollment.
Before enrolling devices, the server must be configured to support user-initiated enrollment. Follow the steps below to enable enrollment of both iOS and macOS devices.
- Login to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click User-Initiated Enrollment.
- Click Edit.
- (Optional) Customize the default settings for the General and Messaging tabs as needed.
- Click Platforms and from the macOS tab, check the box to Enable user-initiated enrollment for computers.
- Enter any username for the administrative account that will be associated with the managed device in the Username field.
- Click the iOS tab and check the box for Enable user-initiated enrollment for institutionally owned iOS devices and personally owned iOS devices.
- Click Save in the bottom-right corner of the page. Your environment is now configured to allow users to enroll devices without the use of Apple Business Manager.
Note: Although the Username field is required, its value is only relevant for the use of the Jamf Remote application.
Enroll Computers
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
- Enter the credentials for the account used to log into Jamf Pro on the Login screen, and then click Log in.
- Click Enroll without entering anything in the text box on the Assign to user screen.
- When prompted, click Continue. This will download a file “CA Certificate.mobileconfig” on your Mac.
- Click the file “CA Certificate.mobileconfig”.
- Go to Mac System Preferences > Profiles. You will see the CA Certificate listed there.
- Click Install.
- Click Install again. The CA Certificate is now installed.
- When prompted, click Continue to download the “enrollmentProfile.mobileconfig” on your Mac.
- Click the file “enrollmentProfile.mobileconfig”.
- Go to Mac System Preferences > Profiles. You will see the MDM Profile listed there.
- Click Install.
- Click Install again.
- Quit the browser to ensure all Jamf Pro sessions are closed.
Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
The MDM Profile is now installed. After the MDM profile has been installed, the jamf binary, agents, and other management tools automatically begin installing in the background; allow a few minutes for this process to complete before attempting to perform management tasks on the device.
More information and screenshots of the end user experience can be found in the Jamf Pro Administrator's Guide at the following link: https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide
Enroll Mobile Devices
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll.
- On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then tap Log in.
- When prompted to choose between a Personally Owned or an Institutionally Owned device, tap Personally Owned and then tap Enroll.
- Tap Continue when prompted to install the CA certificate.
- Tap Allow when prompted to download the configuration profile.
- Tap Close and then close the browser.
- Open the Settings app on the device and tap General > Profiles.
- Tap the CA Certificate, and then tap Install in the top-right corner.
- Follow the on-screen prompts to complete the installation process.
Note: If a warning prompts about the authenticity of the MDM Profile, tap Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.
More information and screenshots of the end-user experience can be found in the Jamf Pro Administrator's Guide at the following link:
https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/
🟠 Configure Jamf Pro to integrate with Beyond Identity
If you already have Jamf Pro configured, start here to begin the configuration with Beyond Identity.
- Log into the Jamf Pro Admin Console.
- Go to All Settings → Jamf Pro User Accounts & Groups → New → Create Standard Account.
- Click Next.
- Under the Account tab, fill in the following information:

  | Option | Enter or Select |
  | --- | --- |
  | Username | bi-api-user |
  | Privilege Set | Custom |
  | Access Status | Custom |
  | Full Name | API User |
  | Email Address | your_email_address |
  | Password | your_password |
  | Verify Password | your_password |
  | Force user to change password at next login | Leave unchecked |

  Note: The Username and Password are required for configuring Beyond Identity.
- Under the Privileges tab, fill in the following information:
  - Click Jamf Pro Server Objects.
  - Select READ permissions for all.
  - Leave other permissions unchecked.
- Click Save.
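Two checks a practitioner would want before wiring the account into Beyond Identity: that the tenant URL matches the required https://{tenant}.jamfcloud.com format, and that the bi-api-user account really holds only READ privileges on Jamf Pro Server Objects with nothing else ticked. This is an added example, not Beyond Identity or Jamf code; the XML layout of the account record (sections jss_objects, jss_settings, jss_actions under privileges, as returned by the Classic API accounts endpoint) is assumed, and the sample record is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Required tenant URL format: https://{YOUR_JAMF_TENANT_NAME}.jamfcloud.com
# (a trailing slash is tolerated; no port, path or query string is allowed).
TENANT_URL_RE = re.compile(r"^https://[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.jamfcloud\.com/?$")


def valid_tenant_url(url: str) -> bool:
    """True only for an https jamfcloud.com hostname with nothing after it."""
    return TENANT_URL_RE.match(url.strip().lower()) is not None


# Constructed sample of an account record; element names follow the Classic API
# /JSSResource/accounts/username/<name> layout as an assumption, not a captured response.
# It deliberately contains one write privilege and one settings privilege the
# integration does not need, so the audit has something to flag.
SAMPLE_ACCOUNT_XML = """<account>
  <name>bi-api-user</name>
  <privilege_set>Custom</privilege_set>
  <privileges>
    <jss_objects>
      <privilege>Read Computers</privilege>
      <privilege>Read Mobile Devices</privilege>
      <privilege>Update Computers</privilege>
    </jss_objects>
    <jss_settings>
      <privilege>Read SSO Settings</privilege>
    </jss_settings>
    <jss_actions/>
  </privileges>
</account>"""


def audit_api_account(xml_text: str) -> list:
    """Return findings where the account exceeds read-only Jamf Pro Server Objects access."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("privilege_set") != "Custom":
        findings.append("privilege set is not Custom")
    privileges = root.find("privileges")
    for section in (privileges if privileges is not None else []):
        for priv in section.findall("privilege"):
            name = priv.text or ""
            # The only privileges the integration needs: Read ... on Server Objects.
            if section.tag == "jss_objects" and name.startswith("Read "):
                continue
            findings.append(f"{section.tag}: {name}")
    return findings
```

An empty list from audit_api_account means the account matches the least-privilege setup described in the steps above.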