How to Enable Two-Factor Authentication (2FA/MFA) for Jamf Connect?


Jamf Connect 2FA (Two-Factor Authentication), also called Multi-Factor Authentication (MFA), is an additional layer of security in which a user or employee must present two factors to gain access to a Jamf Connect account. With Jamf Connect 2FA enabled, anyone trying to log in to your Jamf Connect account from an unrecognized computer or device must provide additional authorization. Authentication starts with the user submitting the traditional username and password. Once the first step succeeds, the configured 2FA method (OTP over SMS, push notification, YubiKey, TOTP with Google Authenticator, etc.) prompts for the second-step verification. Only after both steps succeed is the user granted access to the Jamf Connect account. This extra layer keeps an unauthorized person out of your resources even if an attacker has obtained the password.

miniOrange provides 15+ authentication methods and solutions for various use cases. It lets users and organizations configure authentication settings such as password restrictions, restrictions on sign-in methods, and other security settings. miniOrange also supports authenticator apps that implement Time-Based One-Time Passwords (TOTP): Google Authenticator, Microsoft Authenticator, Authy, and the miniOrange Authenticator app.


Connect with External Source of Users


miniOrange can authenticate users against external sources: directories and user stores (such as Microsoft Active Directory, OpenLDAP and AWS) and identity providers (such as Microsoft Entra ID, Okta, ADFS and AWS). You can connect your existing directory/user store or add users directly in miniOrange.



Apps supported by miniOrange



  • miniOrange Authenticator App (available on the Google Play Store)
  • Google Authenticator App (available on the Google Play Store and the Apple App Store)
  • Authy 2-Factor Authentication App (available on the Google Play Store and the Apple App Store)
  • Microsoft Authenticator App (available on the Google Play Store and the Apple App Store)

Prerequisites for enabling MFA on regular macOS login:

  • Jamf Connect Login
  • Jamf Connect Configuration

Follow the step-by-step guide below to set up MFA with the Jamf Connect Configuration app.

1. Configure Jamf Connect in miniOrange

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click the Add Application button.
  • Select OAuth/OpenID as the application type from the All Apps dropdown.
  • Search for Jamf Connect in the list. If Jamf Connect is not listed, search for OAuth2/OpenID Connect and set up the application as a generic OAuth2/OpenID Connect app.
  • In the Basic tab, enter the following details:
    Display Name: Enter the display name (the name for this application).
    Redirect URL: Enter the redirect URI that Jamf Connect will receive the authorization response on. This guide configures https://127.0.0.1/jamfconnect in the Jamf Connect Configuration app (see step 2); the value here must match it exactly, since an OAuth server must refuse an authorization request whose redirect_uri does not match the registered one.
    Client ID: Generated by miniOrange. Reveal it with the icon next to the field and copy it for step 2.
    Client Secret: Generated by miniOrange. Reveal it with the icon next to the field and copy it for step 2. Treat it like a password: it is only ever sent to the Token Endpoint, never placed in a login URL.
    Description (Optional): Add a description if required.
    Upload App Logo (Optional): Upload an app logo. The app will be shown in the end-user dashboard with the logo you configure here.
  • Click Save. You will be redirected to the Policies section.
  • Click the Assign group button. A Configure Group Assignment modal will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • If you need to create a new group, click the Add New Group button, enter the group name and click Create Group.
    • Click Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as the login method, you can enable 2-Factor Authentication (MFA) if needed.
  • Click Save. Policies will be created for all the selected groups, and each policy is listed once it has been added.

  • In the Advanced tab you can change other settings, such as the expiry times for the access, JWT and refresh tokens:
    1. Access Token Expiry: How long an issued access token is valid from creation, in hours. A new access token must be obtained after it expires.
    2. JWT Token Expiry: How long the generated JWT (the token returned for the openid scope) is valid, in hours.
    3. Refresh Token Expiry: How long a generated refresh token is valid, in days. A new refresh token must be obtained after that many days.

  • Switch to the Login options tab:
    Primary Identity Provider: Select the default identity source for the application from the dropdown. If none is selected, users see the default login screen and choose their own IdP. [Choose miniOrange in this case.]
    SSO Flows: Select the desired SSO flow from the dropdown, such as miniOrange as IdP, miniOrange as Broker, or miniOrange as Broker with Discovery Flow.
    Show on Enduser Dashboard: Enable this option if you want to show this app in the end-user dashboard.
    Force Authentication: If enabled, users must log in every time, even if a session already exists.
    Allowed Logout URIs: Click the Allowed Logout URIs link to add a list of post-logout redirect URIs. Users are redirected to one of these URIs after a successful logout from miniOrange.
    Single Logout Enabled: Enable this option to send logout requests to other applications when logging out from this app.
    Sign in URL: You can include user attributes in the sign-in URL using placeholders such as {{username}}, {{primaryEmail}} and {{customAttribute1}}. They are replaced with the actual user values during the IdP-initiated SSO flow. The attributes you can use are username, primaryEmail, alternateEmail, fname, lname, primaryPhone and customAttribute1. A URL could look like login.com/{{username}}/?primaryEmail={{primaryEmail}}.
      • Query Parameter Format: https://<sso-url>?username={{username}} or https://<sso-url>?username={{username}}&email={{primaryEmail}}
      • Path Parameter Format: https://<sso-url>/{{customAttribute1}}/{{customAttribute2}}/?username={{username}}
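The attribute values substituted into a Sign in URL come from the user record, so a value containing characters such as "/", "?", "&" or "#" has to be percent-encoded for the position it lands in, or it can add path segments or query parameters the template never intended. The following Python sketch is an added example of rendering such a template safely; it is not miniOrange's code and does not show how miniOrange itself performs the substitution. The template, the attribute list (the page's list plus customAttribute2, which its path example uses) and the sample user record are constructed for the example.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Attributes the page lists for Sign in URL templates, plus customAttribute2,
# which appears in the page's path-parameter example (assumption).
ALLOWED_ATTRIBUTES = {
    "username", "primaryEmail", "alternateEmail", "fname", "lname",
    "primaryPhone", "customAttribute1", "customAttribute2",
}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def _substitute(section: str, user: dict) -> str:
    """Replace {{attr}} placeholders in one URL section, percent-encoding
    every reserved character (safe="") so a value cannot add path segments,
    extra query parameters or a fragment."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"unknown placeholder {{{{{name}}}}}")
        value = user.get(name)
        if value is None or value == "":
            raise ValueError(f"user has no value for {name}")
        return quote(str(value), safe="")
    return PLACEHOLDER.sub(replace, section)


def render_sign_in_url(template: str, user: dict) -> str:
    """Render a Sign in URL template for one user.

    Placeholders are only honoured in the path and query; a template that
    puts one in the scheme or host is rejected, since a user attribute could
    then steer the sign-in to a different server."""
    parts = urlsplit(template)
    if PLACEHOLDER.search(parts.scheme) or PLACEHOLDER.search(parts.netloc):
        raise ValueError("placeholders are not allowed in the scheme or host")
    path = _substitute(parts.path, user)
    query = _substitute(parts.query, user)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample user: customAttribute1 deliberately tries a path
    # traversal and primaryEmail contains the reserved character '@'.
    sample_user = {
        "username": "alice",
        "primaryEmail": "alice@example.com",
        "customAttribute1": "eng/../admin",
    }
    template = ("https://sso.example.com/{{customAttribute1}}/"
                "?username={{username}}&email={{primaryEmail}}")
    print(render_sign_in_url(template, sample_user))
```

With the sample user the traversal attempt is rendered as a single encoded path segment (eng%2F..%2Fadmin) rather than walking up the path, and the "@" in the e-mail address is encoded rather than passed through.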

  • Getting required app details / updating app information. You can edit the application as follows:
    • Go to Apps.
    • From the list of configured apps, locate the app you created. Click the ( ⋮ ) icon next to the app and select Edit.
    • Click the OAuth Endpoints section in the Actions menu for your app to get the Authorization, Token and User Info endpoints.

      OAuth Endpoints:

      Authorization Endpoint: https://login.xecurify.com/moas/idp/openidsso
      (Note: Use this endpoint only if you want to use miniOrange as the OAuth identity server.)
      https://login.xecurify.com/moas/broker/login/oauth/260174
      (Note: Use this endpoint only if you are configuring an external Identity Provider in the Identity Providers menu and not using miniOrange as the IdP. Copy the broker URL shown in your own console rather than the one reproduced here.)
      Token Endpoint: https://login.xecurify.com/moas/rest/oauth/token
      User Info Endpoint: https://login.xecurify.com/moas/rest/oauth/getuserinfo
      Introspection Endpoint: https://login.xecurify.com/moas/rest/oauth/introspect
      Revoke Endpoint: https://login.xecurify.com/moas/rest/oauth/revoke
      OpenID Single Logout Endpoint: https://login.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri=

      OAuth Scopes:

      email: View the email address of the user
      profile: View the profile attributes of the user account
      openid: Retrieve the JWT (ID token) for OpenID Connect

    • Click Save.
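The endpoints above are the legs of the OpenID Connect authorization code flow that Jamf Connect drives at the login window: the browser is sent to the Authorization Endpoint, comes back to the redirect URI with a one-time code, and the client exchanges that code at the Token Endpoint using its Client Secret. The following Python sketch is added here as an example and is not miniOrange's or Jamf's code; it builds the authorization request, validates the callback, and assembles the token request body entirely offline. It assumes the redirect URI https://127.0.0.1/jamfconnect configured in step 2; the client ID, client secret and callback URL are constructed placeholders, and nothing is sent over the network.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as listed in the miniOrange app's OAuth Endpoints section
# (miniOrange acting as the OAuth identity server).
AUTHORIZATION_ENDPOINT = "https://login.xecurify.com/moas/idp/openidsso"
TOKEN_ENDPOINT = "https://login.xecurify.com/moas/rest/oauth/token"
# Redirect URI entered in the Jamf Connect Configuration app (step 2).
REDIRECT_URI = "https://127.0.0.1/jamfconnect"
# The three scopes the miniOrange app exposes.
SCOPES = "openid email profile"


def build_authorization_request(client_id, state=None, nonce=None):
    """Return the URL the user's browser is sent to, plus the values the
    client must remember to validate the response: state binds the callback
    to this request (CSRF defence) and nonce is echoed back in the ID token."""
    state = state or secrets.token_urlsafe(24)
    nonce = nonce or secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", {"state": state, "nonce": nonce}


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the client and return the authorization code.

    Rejects a callback that lands anywhere but the registered redirect URI,
    carries an error, or whose state does not match the pending request."""
    parts = urlsplit(callback_url)
    if (parts.scheme, parts.netloc, parts.path) != ("https", "127.0.0.1", "/jamfconnect"):
        raise ValueError(f"callback did not arrive at {REDIRECT_URI}")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def build_token_request(code, client_id, client_secret):
    """Body of the back-channel POST to the Token Endpoint. This is the only
    place the Client Secret is used; it never appears in the browser URL."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return TOKEN_ENDPOINT, body


if __name__ == "__main__":
    # Constructed placeholders; real values come from the miniOrange app.
    url, pending = build_authorization_request("example-client-id")
    print("send browser to:", url)
    # Constructed callback, shaped as miniOrange would redirect it after
    # the password and second factor have both been accepted.
    callback = f"{REDIRECT_URI}?code=EXAMPLECODE&state={pending['state']}"
    code = parse_callback(callback, pending["state"])
    endpoint, body = build_token_request(code, "example-client-id", "example-client-secret")
    print("POST", endpoint, body)
```

The redirect_uri is sent both in the authorization request and again in the token request, which is why the value registered in miniOrange (step 1) and the one entered in Jamf Connect (step 2) have to be byte-for-byte identical.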

2. Configure Jamf Connect

  • Open the Jamf Connect Configuration application from Applications to create a configuration profile (a configuration profile contains the details of the identity provider that will authenticate your users).
  • Choose Custom as the identity provider and paste the OIDC Client ID you obtained from the miniOrange app.
  • Enter the same value in the ROPG Client ID field.
  • Enter the Client Secret you obtained from miniOrange.
  • Enter the Discovery URL in the Discovery URL field.
  • In the Redirect URL field enter https://127.0.0.1/jamfconnect (the same value registered as the Redirect URL in the miniOrange app in step 1).
  • Do not enter any values in the Scopes field.
  • In the Login tab, enable Allow local authentication if network is unavailable. This keeps the local password option available if the IdP cannot be reached. Bear in mind that this fallback also means the IdP's second factor is not prompted for while the Mac is offline, so local account passwords must stay strong.
  • Test the configuration with the button at the top right. If everything works, save the configuration with the .mobileconfig extension. This configuration profile can then be pushed to the machines on which you want to add MFA/SSO.


3. Install the configuration file and enable OIDC login:

  • Open the configuration file you created in the steps above.
  • Install the profile, granting the permissions it asks for.
  • Once the installation is done, open Terminal.
  • Change to /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/, where the authchanger tool lives, to enable OIDC authentication alongside the regular login.
  • Run the command sudo ./authchanger -OIDC (authchanger rewrites the system authorization database, so it must run as root).


4. Test the configuration:

  • Log out and log in again. The login window now forwards you to miniOrange for authentication.
  • Enter the IdP credentials to log in; once the password is accepted, the second factor configured in the policy is prompted for.


Remove the OIDC authentication (If Required):

  • Additional steps, if OIDC authentication needs to be removed or disabled.
  • To disable OIDC authentication and re-enable local authentication, change to /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/
  • Run the command sudo ./authchanger -reset

