If you're using Jamf with Azure Active Directory Single Sign-On, it is good for your security posture to enforce Multi-Factor Authentication for your Jamf admins. Because Jamf is so powerful in terms of the management actions it can perform on your devices (it can run scripts, push configuration profiles and wipe or lock Macs), it's worth reducing the chances of a malicious actor getting into the management console. I was looking into how this works, and decided to write up what I found out.

## Requirements

First things first, your Azure tenant will need to be licensed with an Azure AD Premium license [1]. Azure AD Free does not include Conditional Access. I used a Premium P2 license for this writeup, but you can follow this guide with AAD Premium P1 if you have that.

You will also need SSO for Jamf Pro configured with Azure, and it's a good idea to have AAD configured as your Identity Provider as well. You don't need AAD as an IdP, but it makes role assignments a little easier and clearer. SSO is a requirement, especially if you want to be able to access the Jamf console with your AAD credentials: as of 10.33, Jamf doesn't support logging in to Jamf with AAD credentials without SSO if you've enabled MFA in Azure [2].

If you've got both of these set up, you should also make sure you have an AAD Security Group that contains everyone you want to be an administrator. You could even have multiple security groups (e.g. one for people who need read-only access to Jamf), but for the purposes of this tutorial I've only made one for admins.

## Setting up the MFA Conditional Access policy

To actually enforce MFA at the Jamf Pro SSO page, you'll need to set a Conditional Access policy for the Jamf app registration. This tells Azure that it should only let you log in provided you meet the specified conditions, which in our case will be that you use MFA.

Log into Azure, and head over to Azure Active Directory. On the left hand side, scroll down to the "Security" section and click it. On the left, you'll now see "Conditional Access", which is where you want to go. In the Conditional Access pane, make sure you've selected "Policies" on the left. Then, click "New policy" > "Create new policy".

![]()

Now that you're in the policy creation window, you'll notice that there are a load of different configuration options. I'll run through these so that you can understand what we're looking at here:

The assignments category sets up when the policy applies: for which users or apps [3]. In our case, the users for which it applies would be your Jamf admins (who are members of the group we created earlier), and the application it applies to is Jamf Pro. You can even set it to force MFA for all apps, but if you'd done that you probably wouldn't be reading this.

The "Conditions" configuration also determines whether the policy kicks in for specific situations, such as if a user is logging in from outside the corporate network, or if Azure has determined that there is a high probability a user account has been compromised [4]. If you wanted to, you could configure MFA to only be required if the sign-in is not coming from your office IP address, for example; bear in mind that this means anyone on that network, or anyone who can route traffic through it, skips MFA for an admin login, so for a small admin group requiring MFA everywhere is the simpler and safer choice.

The access controls category configures what we do when the above conditions are met (or not). Grants allow us to configure whether the login attempt passes, or whether we set an additional requirement to log in (e.g. Using grants as well as the assignments mentioned above, we could for example only require MFA if the user account is suspected to have been compromised, or we could require that the device is marked compliant in Azure to access a resource if it is not logging in from a known or trusted location.

Lastly, Session controls allow us to customise characteristics of the login session [5]. Perhaps you want to make sure that your Jamf admins authenticate at least once a day: then you might set the sign-in frequency to 8 hours, so that the session expires once every working day.

![]()
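The same policy expressed as code, so it can be reviewed and version-controlled rather than clicked together. This is an added example using the Microsoft Graph PowerShell SDK; it is not from the original post. It assumes the admin security group is called "Jamf Admins", the Jamf Pro enterprise application (service principal) is called "Jamf Pro", and that a break-glass account `breakglass@example.com` exists; all three names are placeholders for your tenant. It goes slightly beyond the portal walkthrough above by creating the policy in report-only mode first and excluding an emergency-access account, both of which are standard practice when rolling out Conditional Access.

```powershell
# Added example (not the post's own steps): create the "MFA for Jamf admins"
# Conditional Access policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph modules (Install-Module Microsoft.Graph).
# Names below ("Jamf Admins", "Jamf Pro", breakglass@example.com) are assumptions.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "Group.Read.All", "Application.Read.All", "User.Read.All"

# Assignments: the AAD security group of Jamf admins and the Jamf Pro app.
$adminGroup = Get-MgGroup -Filter "displayName eq 'Jamf Admins'"
$jamfApp    = Get-MgServicePrincipal -Filter "displayName eq 'Jamf Pro'"
# Always exclude an emergency-access account so a misconfigured MFA policy
# cannot lock every admin out of Jamf at once.
$breakGlass = Get-MgUser -UserId "breakglass@example.com"

if (-not $adminGroup -or -not $jamfApp -or -not $breakGlass) {
    throw "Group, application or break-glass user not found; check the placeholder names."
}

$policy = @{
    displayName = "Require MFA for Jamf Pro admins"
    # Report-only: nothing is blocked yet, but every Jamf sign-in is evaluated and
    # the result is recorded in the sign-in logs. Switch to "enabled" once verified.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($adminGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($jamfApp.AppId)
        }
        # Optional refinement mentioned in the post: skip MFA from trusted locations.
        # Left out on purpose; it trusts the office network. Uncomment to enable.
        # locations = @{
        #     includeLocations = @("All")
        #     excludeLocations = @("AllTrusted")
        # }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Re-authenticate at least every 8 hours, i.e. once per working day.
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 8
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After a few Jamf logins, check Azure AD > Sign-in logs and open the "Conditional Access" tab of a sign-in to confirm the policy shows as "Report-only: Success" for admins and "Not applied" for everyone else. Only then update the policy's `state` to `enabled` (with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled`), and keep the break-glass account's credentials offline and monitored.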