16 Sep Hold on to your glasses, it’s about to get nerdy!
Previously in the Educator…We wrote about how you could use Jamf Pro to manage your Apple estate, and the various options for hosting – on premise, or in public or private cloud. Well… things have moved on a fair bit since then, so this time we’re diving into the depths of wrangling centralised logins on Mac, handling shared iPads and something brand spanking new that allows you to have users log in to an iPad! Yeah, we didn’t think that would ever happen either. Read on…
Log in to your Mac using Azure AD – yep, it’s a thing.
So here’s something that the internet hive-mind reported for years would never be able to work; as the Azure AD “bind” component is part of the core Windows 10 operating system, the question of whether a Mac would ever be able to be bound to Azure AD was punted off into oblivion by many well-known commentators on both Windows and Apple infrastructure. However, following Jamf’s acquisition of Orchard and Grove (the guys behind the wonderful software NoMAD – if you haven’t heard of it, look it up… it’s great), Jamf Connect has been released. Jamf Connect inserts a new layer in front of the Mac login window that allows you to use cloudbased identity providers (such as Azure AD, Google Cloud, Okta and more) to sign on and sync user accounts with your Mac. Aptly, these products are called Jamf Connect Sign on and Jamf Connect Sync. Description of how it works coming right up…
For the purposes of simplicity, we’re going to assume that the cloud-based identity provider in question is Azure AD and the user experience is with a brand new out-of-box Mac, with a Device Enrollment-capable (formerly DEP) Mobile Device Management system in play within the organisation. It’s absolutely possible for this to be set up with in-situ Macs (and actually, using any MDM) and we’ll cover this later – but for now, picture this:
A user (based anywhere in the world) receives a brand-new Mac still in the shrink wrap. They open the Mac and turn it on for the first time. The Mac then asks for a couple of things – namely location, language and network connectivity – and following this, prompts the user that the Mac is under the management of their organisation (yes, for those of you in the know… this is the Device Enrollment process and will need a Device Enrollment-capable MDM). They’re taken through a couple of clicky-button steps for the Mac to enrol in MDM, depending on what has been set up, and then presented with a Jamf Connect login window. This window contains the well-known Microsoft sign-in screen, and the user is prompted to enter their Azure AD credentials… they sign in, enter their password again for confirmation and are then logged in to their Mac, ready for use and configured contextually to the Azure AD group(s) they are a member of.
From this point, the local account on the Mac will sync with the Azure AD credentials (so password resets etc. fall in line) and user or group-specific settings can be applied and maintained (again, provided you have an MDM capable of doing this). That’s it.
No, really… That’s it.
If you already have a Mac set up with preconfigured user accounts, not a problem – on first login via Jamf Connect, the user will be prompted to select an existing local account to tie the Azure AD login to. Provided they can remember the password to their local account, they simply need to enter this and Jamf Connect will apply its magic to tie the local account to the Azure AD account. From thereon in, the user can sign in with either their old local or Azure AD credentials, but the actual account on the Mac will be the same. Pretty neat, right? Well this is not the only neat thing in this article, so onward!
Setup and Reset
Two features combined in to one solution came with the update to Jamf Pro nearly a year ago. As updates-that-nobody-notices-but-area- really-good-thing go, this is a goodun’… Put simply, a user can be handed an iPad from a pool and be immediately prompted to select the use case – Jamf Pro will then be utilised to immediately provision the device specifically for the selected use case.
So, for example, selecting maths would install only the required apps for a maths lesson, and apply contextual profile apps and settings such as allowing use of the camera to take pictures of project work. When the user is finished, they simply tap the big red “reset” button and the device is immediately wiped and ready again for use case selection.
Of course there is more to it than that, but it really is that simple for the user which means less IT involvement, which means more time spent doing something important… such as fixing a problem or putting something in place that delivers a valuable outcome. Setting this up in the first place will take some thought, but the process is easy to follow because of Jamf. The main decision is how you want each use case to be provisioned and the settings you want to be applied for each.
“Log in” to iPads using Azure AD. Wait… what?!
Well… this is another one of those we-neverthought-it-would-be-possible-but-now-it-is topics. Jamf Connect for iOS was announced at the Jamf Nation Roadshow event in London in May – based on the above, you can probably guess where we’re going with this. Disclaimer: This was a technology preview, so the usual “subject to change” notice applies here… but this is what we saw with our own eyes at the event.
Ahem – Jamf connect for iOS allows users to actually log in to an iOS device, with an actual account that does actual things!
In reality, this is extremely close to a Jamf Setup experience, just with the use-case selection screen being driven by the user’s account in Azure AD (or, again, any other supported Identity Provider but yeah, Microsoft Gold partner over here!). For example, if a user is only a member of one group in Azure AD, once they’ve signed in, the iPad will automatically configure itself based on the MDM settings for membership of that group.
If the user is a member of multiple groups, they will be presented with a selection screen to choose the use case… just like Jamf Setup.
Configuring iOS devices based on user instead of serial number. No way!
This is amazingly useful for a couple of reasons. Firstly, it means that your iOS MDM configuration can be user-centric as opposed to device-centric. How freaking awesome is that? Remember having to add tons of serial numbers to specific groups in Jamf Pro? The devices can now be configured on the basis of the group(s) the logged in user is a member of, as opposed to configuration having to be specific to batches of serial numbers. Pretty crazy, right?
So, the above makes your configuration much, much easier. Now… what about those dreaded hand-out days where you have to make sure the right user has the right device? Again… gone. The users simply need to log in to any device enrolled in MDM, and regardless of serial number the device will be provisioned correctly (obviously this behaviour needs to be set up in MDM first, but you get the point).
For shared device environments, combine the above with Jamf Reset and you have yourself an auto-provisioning, auto-resetting iOS environment with a configuration that is completely contextual to the user logging in.
…but wait… there’s more!
In addition, due to Azure AD’s logging capabilities, you can actually track who “logged in” to which device, and when. Seems like a small thing, but in a shared device environment this is an incredibly useful feature for more reasons than we can count.
After providing a seamless technological working environment it would be nice to think that it is appreciated. It probably won’t be, but don’t take offence – technology users nowadays are so used to consumer ecosystems just working seamlessly, it becomes a point of pain when they don’t. Kids as young as 5 can all pick up technology devices and use them.
Nothing new there. The scary part is the way they can make YouTube appear on the TV via a tablet or tell you how they bought 200 fluffy kittens for Roblox. So, the next generation expect things to just work and you’ll not get a badge or recognition… So here, have one from us:
Right. That’s enough for one update. If you’re still reading, firstly – congratulations – and secondly, if you’re interested in hearing how to apply the above to your environment, please get in contact with your Account Manager who will happily arrange a conversation!
By James Dancer, Technical Director & Keith Martin, Technical Sales Manager