Overview
Jamf Pro is a device management solution for Apple devices within organizations. With Beyond Identity, administrators can restrict access using conditional access policies.
Control device access
The list below shows additional example access management with Jamf Pro and Beyond Identity.
- Ownership types of mobile devices
- Supervision status of devices
- User-approved mobile device management
View the 🔵 Jamf policy attributes table for more.
Prerequisites
To get started with the integration, view the following prerequisites.
Jamf prerequisites
This information contains the requirements for integrating with Beyond Identity.
- Jamf Pro tenant with valid values
- Username
- Password
- Tenant URL
- Must be in this formatting:
https://\{YOUR_JAMF_TENANT_NAME\}.jamfcloud.com
- Must be in this formatting:
Operating system compatibility
The Jamf integration currently supports macOS and iOS only. The list below describes all platform compatibility.
- Windows - ❌ Not Supported
- macOS - ✅ Fully Supported
- Linux - ❌ Not Supported
- iOS - ✅ Fully Supported
- Android - ❌ Not Supported
Steps
Follow the steps in the sections below to complete your integration for Beyond Identity and Jamf.
Legend
The sections below use these two color codings to identify the steps for separate platforms. Use a separate browser window when following instructions for each platform.
🔵 Beyond Identity - Beyond Identity platform tasks are highlighted in blue.
🟠 Jamf - Jamf Pro platform tasks are highlighted in orange.
🟠 Set up initial Jamf Pro environment
This section describes setting up the 🟠 Jamf Pro environment for the first time. If you already have a Jamf environment configured, go directly to Configure Jamf Pro to integrate with Beyond Identity.
Click here to view the steps.
Set up the Jamf Pro environment
- Access the Jamf Pro environment by logging in to the following link as an administrator: https://yourinstancename.jamfcloud.com Replace "yourinstancename" with the name of your Jamf Pro instance. Login using your Jamf Pro admin username and password.
- Create additional users, if required. To create additional users, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Jamf_Pro_User_Accounts_and_Groups.html
- Integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access. To configure SAML, follow these steps: https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Single_Sign-On.html
Prepare for Computer and Device Enrollment
Apple Push Notification Certificate
Creation of an APNs certificate is required for enrollment of iOS devices and macOS devices. This certificate enables secure communication between Jamf Pro and Apple's servers which support and enable MDM protocols, such as automated deployment of apps, configuration profiles and remote commands.
- Please follow the instructions in the article below to create the APNs certificate, once you've identified an appropriate Apple ID to use.
.
Configure User-initiated Enrollment Settings
While the majority of customer (production) environments utilize Automated enrollment using Apple Business Manager, for the demo environment, you can configure User-initiated enrollment.
Before enrolling devices, the server must be configured to support user-initiated enrollment. Follow the steps below to enable enrollment of both iOS and macOS devices.
- Login to Jamf Pro.
- In the top-right corner of the page, click *Settings.
- Click User-Initiated Enrollment.
- Click Edit.
- (Optional) Customize the default settings for the General and Messaging tabs as needed.
- Click Platforms and from the macOS tab, check the box to Enable user-initiated enrollment for computers.
- Enter any username for the administrative account that will be associated with the managed device in the Username field.
- Click the iOS tab and check the box for Enable user-initiated enrollment for institutionally owned iOS devices and personally owned iOS devices.
- Click Save in the bottom-right corner of the page. Your environment is now configured to allow users to enroll devices without the use of Apple Business Manager.
Note: Although required, the configuration of this field is only relevant for the use of the Jamf Remote application.
Enroll Computers
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
- Enter the credentials for the account used to log into Jamf Pro on the Login screen, and then click Log in.
- Click Enroll without entering anything in the text box on the Assign to user screen.
- When prompted, click Continue. This will download a file “CA Certificate.mobileconfig” on your Mac.
- Click the file “CA Certificate.mobileconfig”.
- Go to Mac System Preferences > Profiles. You will see the CA Certificate listed there.
- Click Install.
- Click Install again. The CA Certificate is now installed.
- When prompted, click Continue to download the “enrollmentProfile.mobileconfig” on your Mac.
- Click the file “enrollmentProfile.mobileconfig”.
- Go to Mac System Preferences > Profiles. You will see the MDM Profile listed there.
- Click Install.
- Click Install again.
- Quit the browser to ensure all Jamf Pro sessions are closed.
Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
The MDM Profile is now installed. After the MDM profile has been installed, jamf binary, agents and other management tools will automatically begin installing in the background, please allow a few minutes for this process to complete before attempting to perform management tasks on the device.
More information and screenshots of the end user experience can be found in the Jamf Pro Administrator's Guide at the following link: https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide
Enroll Mobile Devices
- On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll.
- On the Login screen, enter the credentials for the account used to login to Jamf Pro, then tap Log in.
- When prompted to choose between a Personally Owned or an Institutionally Owned device, tap Personally Owned and then tap Enroll.
- Tap Continue when prompted to install the CA certificate.
- Tap Allow when prompted to download the configuration profile.
- Tap Close and then close the browser.
- Open the Settings app on the device and tap General > Profiles.
- Tap the CA Certificate, and then tap Install in the top-right corner.
- Follow the on-screen prompts to complete the installation process.
Note: If a warning prompts about the authenticity of the MDM Profile, tap Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.
More information and screenshots of the end-user experience can be found in the Jamf Pro Administrator's Guide at the following link:
https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/
🟠 Configure Jamf Pro to integrate with Beyond Identity
If you already have Jamf Pro configured, start here to begin the configuration with Beyond Identity.
-
Log into the Jamf Pro Admin Console.
-
Go to All Settings → Jamf Pro User Accounts & Groups → New → Create Standard Account.
-
Click Next.
-
Under the Account tab, fill in the following information:
Option Enter or Select Username bi-api-user Privilege Set Custom Access Status Custom Full Name API User Email Address your_email_address Password your_password Password your_password Verify Password your_password Force user to change password at next login Leave unchecked Note: The Username and Password are required for configuring Beyond Identity.
-
Under the Privileges tab, fill in the following information
- Click Jamf Pro Server Objects.
- Select READ permissions for all.
- Leave other permissions unchecked.
-
Click Save.
🔵 Configure Beyond Identity
After configuring Jamf, add the integration using the 🔵 Beyond Identity console.
- On your Beyond Identity Secure Access console home page under PLATFORM, navigate to Integrations.
- Under Integrations, click Browse Integrations.
- Click Jamf.
- On the Jamf page, click the Add instance button.
- On the Add integration pop up under General, input your information for the Display Name* field. This is required.
- Under the Configure API for Jamf section, paste the values from your Jamf Pro platform of Step 4 in the previous section. Each of these values is required.
- Base URL*
- Username*
- Password*
- Click Save Changes. This prompts the successfully added pop up and returns you to the integration page.
🟠 Push Beyond Identity Platform Authenticator to mobile devices
Leveraging Jamf mobile attributes in the Beyond Identity policy and determining managed states requires the Beyond Identity Platform Authenticator to be pushed to managed mobile devices. These must have the following specific app configuration.
- Navigate to Devices → Mobile Device Apps → + New.
- Click App Store app or apps purchased in volume.
- Search for and add the Beyond Identity mobile application.
- On the New Mobile Device App page, go to App Configuration and input the items below.
serialNumber: $SERIALNUMBER
DeviceUid: $UDID
JamfProID: $JSSID
- Click Save.
🔵 Test MDM authentication policy
- Login to the Beyond Identity Admin console from a computer that is enrolled in Jamf Pro.
- On a computer that is not enrolled in Jamf Pro, begin logging into Beyond Identity.
- Confirm that the policy behavior is as expected.
- Click Events in the navigation bar to confirm the correct rule is triggered.
🔵 Jamf policy attributes
With this integration, you can create policies to allow or deny authentication using Beyond Identity. The attributes in the table below are available by default.
| Attribute | Type | Usage | Description |
|---|---|---|---|
| Connection Available | boolean | policy | Checks whether the connection to CrowdStrike is available. |
| Computer Serial Number | string | policy | Serial number of the computer. |
| Computer Managed by Jamf | boolean | policy | Verifies that the computer is managed by Jamf. |
| Computer is Supervised | boolean | policy | Verifies that the computer is supervised. Supervision gives your organization more control over the devices you own, allowing restrictions such as disabling AirDrop or Apple Music, or placing the device in Single App Mode. It also provides additional device configurations and features, so you can do things like silently install apps and filter web usage using a global proxy, to ensure that users' web traffic stays within the organization's guidelines. |
| MDM Capable | boolean | policy | Verifies whether the computer has the MDM profile installed. |
| User Approved MDM | boolean | policy | Verifies that Jamf management has been approved by the user. User approved MDM (UAMDM) grants mobile device management (MDM) software additional privileges beyond what is allowed for macOS MDM enrollments that have not been user approved. |
| Boot Partition Filevault State | enum | policy | FileVault state of the macOS boot partition. |
| Computer Model | string | policy | Model of the computer. |
| Processor Architecture | string | policy | Architecture of the processor on the computer. |
| Computer MAC Address | string | policy | MAC address of the computer. |
| OS Filevault Status | enum | policy | FileVault state of the macOS OS partition. |
| SIP Status | enum | policy | Describes the status of System Integrity Protection (SIP). |
| Gatekeeper Status | enum | policy | Describes the Gatekeeper state. |
| Automatic Login Disabled | boolean | policy | Verifies that Automatic Login is disabled. |
| Remote Desktop Enabled | boolean | policy | Verifies that Remote Desktop is enabled. |
| Activation Lock Enabled | boolean | policy | Verifies that Activation Lock is enabled. With Activation Lock, the Apple ID password or device passcode is required before anyone can turn off Find My, erase your Mac, or reactivate and use your Mac. |
| Secure Boot Level | enum | policy | Describes the Secure Boot state of the computer. |
| External Boot Level | enum | policy | Describes the External Boot configuration. |
| Recovery Lock Enabled | boolean | policy | Verifies that a password is required to enter recovery mode. |
| Application Level Firewall Enabled | boolean | policy | Verifies that the Application Level Firewall (ALF) is enabled. |
| Computer Username | string | policy | Username of the user assigned to the computer in Jamf. |
| Device Type | string | policy | Device type, e.g. iOS. |
| Mobile Device Managed by Jamf | boolean | policy | Verifies that the mobile device is managed by Jamf. |
| Software Update Device ID | string | policy | Software update device ID. |
| Mobile Device IP Address | string | policy | Last identified public IP address of the mobile device. |
| Mobile Device is Supervised | boolean | policy | Verifies that the mobile device is supervised. Provides additional control and configuration options for organizational devices. |
| Device Ownership Type | string | policy | Describes the ownership type of the mobile device. |
| UDID | string | policy | Unique device identifier for the mobile device. |
| Mobile Device Serial Number | string | policy | The serial number of the mobile device. |
| Mobile Device Model | string | policy | Model of the mobile device. |
| Mobile Device Model Identifier | string | policy | Device model identifier of the mobile device. |
| Mobile Device Model Number | string | policy | Device model number of the mobile device. |
| Mobile Wi-Fi MAC Address | string | policy | MAC address of the mobile device's wireless network interface, used for connecting to Wi-Fi networks. |
| Data Protection Enabled | boolean | policy | Indicates if data protection is enabled on the mobile device. |
| Block Level Encryption Capable | boolean | policy | Verifies that the mobile device is block level encryption capable. |
| File Level Encryption Capable | boolean | policy | Verifies that the mobile device is file level encryption capable. |
| Passcode Present | boolean | policy | Verifies that a passcode is present on the mobile device. |
| Passcode Compliant | boolean | policy | Verifies that the passcode set on the mobile device is compliant with passcode complexity requirements. |
| Jailbreak Detected | boolean | policy | Describes whether or not a jailbreak is detected on the mobile device. Jailbreaking is the process of exploiting the flaws of a locked-down electronic device to install software other than what the manufacturer has made available for that device. |
| Lost Mode Enabled | boolean | policy | Describes whether or not Lost Mode is enabled. Lost Mode is a feature that allows you to lock a mobile device and track the device's location. |
| Mobile Username | string | policy | Username of the user assigned to the mobile device in Jamf. |
Additional Jamf information
This section covers details from Jamf for your integration.
Jamf device directory matching
This integration uses Apple Unique Device Identifier (UDID), a 24-character string assigned to all modern Apple devices. Beyond Identity does not use serial numbers to match devices to records.
Managed configurations for mobile devices
The Beyond Identity Platform Authenticator requires managed configurations for mobile devices. To map device information to the correct user and device population within Jamf Pro, managed configurations must be assigned. Mobile devices may be missing from Beyond Identity if they are not assigned with managed configurations. Confirm the accepted enrollment types can support managed applications for your organization. Not all MDM enrollment types are compatible with managed configurations.
Jamf Pro integration compatibility
The Beyond Identity Platform Authenticator app must be installed from managed channels, such as through Self Service or pushed to the device by Jamf Pro directly. Installations from the Apple App Store are not compatible with the integration as they do not include managed configurations.