Multifactor Authentication
- Last Updated Sep 9, 2024
- 4 minute read
Jamf Connect can enforce multifactor authentication (MFA) using your cloud identity provider (IdP). Depending on your IdP and the type of authentication used, Jamf Connect will handle MFA in one of the following ways:
- OpenID Connect: Jamf Connect indirectly displays any MFA challenges within a web view. The entire MFA experience is configured within your IdP's settings.
- Okta Authentication API: Jamf Connect presents Okta MFA challenges within the Jamf Connect UI. Some additional messaging can be customized via Jamf Connect settings to help users complete an MFA challenge.
Keep the following in mind when enabling MFA with Jamf Connect:
- Whether MFA should be enabled at the organization, app, or user level varies by IdP and environment.
- If configuring MFA with a third-party mobile device app, make sure the app is distributed to users before or alongside Jamf Connect.
- To ensure MFA is enforced at the login window, make sure you enable the Require Network Authentication (DenyLocal) setting in your login window configuration profile. Enabling the Allow Local Fallback (LocalFallback) setting and configuring Users with local authentication privileges (DenyLocalExcluded) is recommended so that users can still log in without a network connection.
- Jamf Connect does not currently support hardware-based security keys at the macOS Login Window. Examples of these keys include Personal Identity Verification (PIV), Common Access Card (CAC), and security keys (e.g., YubiKey) in FIDO2, U2F, or smart card mode.
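As an added example (not from Jamf's documentation), the following Python script reads an exported login window profile and reports whether the three settings above (DenyLocal, LocalFallback, DenyLocalExcluded) match the guidance. It assumes the settings live under the com.jamf.connect.login preference domain, either as a bare plist dictionary or as a PayloadContent entry with that PayloadType; the sample profiles and the "localadmin" account are constructed for illustration.

```python
import plistlib
import sys

# Assumption: Jamf Connect's login window preference domain (not stated on this page).
LOGIN_DOMAIN = "com.jamf.connect.login"


def find_login_settings(profile: dict) -> dict:
    """Return the login window settings from a bare plist dict or a
    .mobileconfig whose PayloadContent carries a payload of LOGIN_DOMAIN type."""
    if "PayloadContent" not in profile:
        return profile
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == LOGIN_DOMAIN:
            return payload
    return {}


def check_mfa_enforcement(plist_bytes: bytes) -> dict:
    """Compare the profile against the guidance: DenyLocal on, plus
    LocalFallback and a non-empty DenyLocalExcluded list for offline login."""
    settings = find_login_settings(plistlib.loads(plist_bytes))
    deny_local = bool(settings.get("DenyLocal", False))
    local_fallback = bool(settings.get("LocalFallback", False))
    excluded = list(settings.get("DenyLocalExcluded", []))
    findings = []
    if not deny_local:
        findings.append("DenyLocal is off: IdP MFA is not enforced at the login window")
    if not local_fallback:
        findings.append("LocalFallback is off: no local fallback when the IdP is unreachable")
    if not excluded:
        findings.append("DenyLocalExcluded is empty: no account may authenticate locally")
    return {"mfa_enforced": deny_local,
            "offline_login_per_guidance": local_fallback and bool(excluded),
            "findings": findings}


# Constructed sample profiles: a weak one and one that follows the guidance.
WEAK_PROFILE = plistlib.dumps({"DenyLocal": False})
HARDENED_PROFILE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": LOGIN_DOMAIN,
    "DenyLocal": True,
    "LocalFallback": True,
    "DenyLocalExcluded": ["localadmin"],  # constructed example account
}]})

if __name__ == "__main__":
    # Usage: python check_profile.py exported_profile.mobileconfig
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK_PROFILE
    for line in check_mfa_enforcement(data)["findings"] or ["profile matches guidance"]:
        print(line)
```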
The following table includes links to MFA documentation and general guidance for each IdP supported by Jamf Connect.
| Identity Provider | MFA Documentation |
|---|---|
| Entra ID | You may need to configure the Password Verification Success Codes setting for both the Jamf Connect login window and Self Service+ to ensure password verification and syncing is successful. For more information, see Authentication Settings. For more information about MFA with Entra ID, see the How it works: Microsoft Entra multifactor authentication documentation from Microsoft. |
| IBM Security Verify | |
| Google Cloud | See Protect your business with 2-Step Verification (Cloud Identity Help). |
| Okta | Supported MFA options include the following: Important: When a user is required to complete the Okta Verify number challenge, the Okta Authentication API does not send an error response or message when the incorrect number is selected. Make sure to instruct users to manually click Cancel and retry Okta authentication when an incorrect number is selected. For more information about MFA with Okta, see the following Okta documentation: |
| OneLogin | You may need to configure the Password Verification Success Codes setting for both the Jamf login window and Self Service+ to ensure password verification and syncing is successful. For more information, see Authentication Settings. For more information about MFA with OneLogin, see the Multi-Factor Authentication (OneLogin) Knowledge Base article from OneLogin. |
| PingFederate | See the Defining authentication policies documentation from Ping Identity. |
The Jamf Connect login window also supports the use of Client Certificate Authentication for MFA. This feature serves as an optional layer of authentication, where the identity provider requires the user to present a client certificate. If more than one client certificate is available on the computer, the user will be prompted to pick from the available certificates.
To use Client Certificate Authentication with your IdP, admins need to deploy a client certificate and private key pair to the system keychain. The private key's access control must allow either all apps or the JCDaemon app located at /Library/Application Support/JamfConnect/JCDaemon.app.
The Jamf Connect login window supports offline multifactor authentication (MFA), which allows users to log in to their computer with a time-based one-time password through an authentication app without needing a connection to an identity provider. Users can access their computers securely without an internet connection with the use of this feature.
Offline MFA requires the following:
- A supported authentication app, such as Google Authenticator or Okta Verify.
- A computer with macOS 13.x or later.
In Jamf Connect Configuration, navigate to the Login page. Under the Authentication section, enable Offline MFA. Your configuration profile can then be saved and exported to your organization's MDM solution for deployment. For more information, see Configuration Methods for Jamf Connect.
Users can then enroll by selecting OTP Settings in the menu bar for Self Service+ and following the on-screen prompts.
Use the Offline MFA Reminder (OfflineMFAReminder) setting to schedule a recurring notification that reminds users who have MFA enabled, but have not set up offline MFA, to register their device for offline MFA. The Offline MFA Reminder (OfflineMFAReminder) setting is available for configuration with Self Service+.
When offline MFA enrollment completes, a new multifactor code from Jamf Connect will display in the user's authentication app. This code should only be used when attempting to log in while offline. Additionally, the user's enrollment status is written to the com.jamf.connect.state preference domain. Enrollment status is not written if enrollment is canceled or fails.
Offline multifactor authentication also provides a temporary backup code in the app upon successful enrollment. This backup code can be used to authenticate without the user's authentication device. When the backup code is used, the existing authentication device is removed and a new device must be enrolled.
Offline multifactor authentication can be modified or removed via a command in Terminal. Enter /Applications/Jamf\ Connect.app/Contents/MacOS/jamfconnect_tool offline-mfa offline-mfa --help into Terminal for more information.