Jamf Pro Documentation 11.22.0

Enrollment Single Sign-on (SSO)

Save PDF

Expand All

Enrollment Single Sign-on (SSO)

Save PDF

Expand All

Version:
Use up/down arrow keys to navigate, Esc to collapse.
Last UpdatedJun 24, 2025
3 minute read

Environments with a Bring Your Own Device (BYOD) program using supported identity providers can configure an Enrollment single sign-on (SSO) workflow to enhance the account-driven User Enrollment experience.

With Enrollment SSO, the account-driven User Enrollment experience now includes the installation of an authentication app, which will facilitate enrollment into Jamf Pro. Once the user is enrolled in Jamf Pro, the authentication app remains installed as a managed app to provide additional authentications.

Note:

Enrollment SSO with Jamf Pro currently only supports Okta.

Configuring Enrollment SSO with Okta Verify

Using Okta Verify as an Enrollment SSO app with Jamf Pro requires the configuration of multiple items within Jamf Pro, including Single Sign-On settings, a managed app configuration for the Okta Verify app, and a configuration profile with a Single Sign-on Extension payload configured.

Requirements

Okta as an identity provider
Okta FastPass authentication enabled for your Jamf Pro app in the Okta dashboard. For details, see Okta FastPass from Okta.

Note:

End users will be guided to set up and register within the Okta Verify app if they select the Sign in with Okta FastPass option when authenticating with Jamf Pro during enrollment. If the user signs in to Okta without selecting Okta FastPass, the Okta Verify app can be set up by the user later, after the device enrolls with Jamf Pro.

In Jamf Pro, click Settings in the sidebar.
In the System section, click Single sign-on .
Select the Enable Single Sign-On for Account-Driven Enrollment checkbox.
Enter the host URL found in your Okta dashboard in the URL field.
Enter the Management Hint found in your Okta dashboard in the Management Hint field.
(Optional) Specify a user group.
Click Save .
In Jamf Pro, click Devices in the sidebar.
Click Mobile Device Apps in the sidebar.
Click New.
Select App Store app or apps purchased in volume and click Next.
Do one of the following:
- To add the app by browsing the App Store or apps purchased in volume, enter Okta Verify, choose an App Store country and click Next. Then click Add.
- To add the app by uploading a VPP code spreadsheet, click Choose File and upload the Excel spreadsheet (.xls) that contains VPP codes for the app.
- To add the app by manually entering information about it, click Enter Manually.
Use the General tab to configure basic settings for the app and select "Install Automatically" from the Distribution Method pop-up menu.
Click the App Configuration tab. Copy and paste the following PLIST into the Preferences field.
```
<dict> <key>managementHint</key> <string>your-secret-key-here</string> </dict>
```
Note:
Replace your-secret-key-here with the secret key found in your Okta dashboard after enabling Okta FastPass.
Click the Scope tab and configure the scope of the app.
Click Save .
Click Configuration Profiles in the sidebar, and then click New.
Use the General payload to configure basic settings for the profile.
Use the Single Sign-On Extensions payload to configure settings for the profile as follows:
1. Click Add.
2. Entercom.okta.mobile.auth-service-extensionin the Extension Identifier field.
3. EnterOkta Devicein the Realm field.
4. Enter your host URL in the Hosts field. For example, myorganization.okta.com.
5. In the Custom Configuration setting section, upload a PLIST that contains the following:
```
<?xml version="1.0" encoding="UTF-8"?> <plist> <dict>	<key>managementHint</key>	<string>your-secret-key-here</string> </dict> </plist>
```
  Note:
  Replace your-secret-key-here with the secret key found in your Okta dashboard after enabling Okta FastPass.
Click the Scope tab and configure the scope of the profile.
Click Save .

You may encounter errors if Okta Verify is already installed on end user devices when attempting to deploy Enrollment SSO. If you do, follow these steps to remediate:

On the end user device, open the Okta Verify app and manually delete any existing accounts. Then, delete the Okta Verify app. Navigate to Settings > General > VPN & Device Management and attempt the Enrollment SSO workflow again. Okta Verify should re-install automatically, and you can re-add the removed accounts.

Jamf Pro Documentation 11.22.0