
What is JAMF Connect?

JAMF Connect is a software product that lets us use the UT Campus Single Sign-on system to authenticate a user's login credentials on computers running macOS. The UT Campus Single Sign-on system currently leverages Microsoft Azure Active Directory and Duo to do this. JAMF Connect lets us authenticate a user's credentials regardless of whether they are on campus or off; all that is needed is an internet connection.

Understanding the impact of FileVault in macOS on provisioning machines with JAMF Connect installed

By Texas state law, all state-owned computers must either use encryption to protect user data stored on the device, or be configured so that they do not retain any user data.

FileVault in macOS is Apple's implementation of encryption for the data storage in a computer, very similar to BitLocker on Microsoft Windows computers. When FileVault is enabled, credentials must be supplied before the encrypted information on the storage device can be unlocked and read; without the proper credentials the data on the drive is unreadable.

When a computer is powered up, Apple uses a firmware-based boot loader to authenticate a known user on the computer, which permits the data storage to be unlocked and macOS to load. If the person attempting to use the computer is unknown, they will be unable to unlock the data storage on the device and therefore unable to use it.

When a computer is provisioned for use, the first user account on a device is established with special permissions that give that user account immediate access to the machine when FileVault is enabled.

When using JAMF Connect on a computer one of the benefits is that the successfully authenticated user is automatically granted access to FileVault. Previously this had to be done by a system administrator manually or remotely by script.

NOTE: When delivering a LAITS-provisioned, FileVault-enabled device, it will be necessary to log in with the first user account, boot macOS, and then log out in order to enable JAMF Connect to be used by the new user.
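The following is an added example, not part of this LAITS page or of JAMF Connect itself: a small POSIX shell script a technician can run on the Mac after the hand-off steps above to confirm that FileVault is on and that the new user's account actually appears in the list of FileVault-enabled users. It assumes the standard macOS `fdesetup` tool, whose `fdesetup list` output is one `username,UUID` line per enabled user (assumed format); the sample listing embedded below is constructed so the parsing can be exercised without a Mac, and the usernames and UUIDs in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the LAITS page): verify that a user is enabled for
# FileVault. Parsing is separated from the live `fdesetup` call so the logic
# can be checked against a constructed listing.

# Constructed sample of what `sudo fdesetup list` prints (assumed: user,UUID per line).
# The account names and UUIDs are placeholders, not real values.
SAMPLE_FDESETUP_LIST='laitsadmin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'

# fv_user_enabled USER LISTING
#   Exit 0 if USER is one of the usernames in LISTING, non-zero otherwise.
fv_user_enabled() {
    _user=$1
    _listing=$2
    printf '%s\n' "$_listing" | cut -d, -f1 | grep -qx -- "$_user"
}

# fv_enabled_count LISTING
#   Print the number of enabled users in LISTING (one "user,UUID" line each).
fv_enabled_count() {
    printf '%s\n' "$1" | grep -c ','
}

# fv_check_live USER
#   Live check for a real Mac: needs root for `fdesetup list`.
#   Exit 2 if FileVault is off, 1 if USER is not enabled, 0 if enabled.
fv_check_live() {
    if ! fdesetup status | grep -q 'FileVault is On'; then
        echo "FileVault is off on this machine" >&2
        return 2
    fi
    if fv_user_enabled "$1" "$(fdesetup list)"; then
        echo "$1 is enabled for FileVault"
    else
        echo "$1 is NOT enabled for FileVault; log out/in with the first account and re-check" >&2
        return 1
    fi
}

# Usage on a provisioned Mac: sudo sh fv_check.sh jdoe
[ -n "$1" ] && fv_check_live "$1"
```

Run it as root with the new user's short name; a non-zero exit means the FileVault hand-off described in the NOTE above has not completed for that account.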

Our Faculty and Staff implementation of JAMF Connect

If on campus, our LAITS Faculty and Staff implementation of JAMF Connect leverages a WiFi configuration profile that uses a resource EID to connect the machine to the UTEXAS wireless SSID, in order to facilitate the new user authenticating with JAMF Connect and setting up their user account on the computer. Once the deployment is complete that configuration profile is removed (when is it removed/what's the trigger???) from the device and is no longer needed, as the user will have been added to the approved FileVault users list.

If setting up users away from campus, the user blah blah and the above profile will be removed blah blah blah.

New machines that use a wired Ethernet connection for internet connectivity will simply ignore the WiFi profile, as it is not needed.

Our Research implementation of JAMF Connect

Our LAITS Research implementation of JAMF Connect leverages a WiFi configuration profile that allows the machine to connect to the UTEXAS-IOT wireless SSID (Need more information here... we use ISORA to set up a group blah blah blah so the machine is automatically connected to the IOT wifi blah blah blah) in order to facilitate the new user authenticating with JAMF Connect and setting up their user account on the computer. Once the login is completed, the WiFi connection to the UTEXAS-IOT SSID is dropped and the machine joins the UTEXAS SSID by authenticating with the user's personal credentials????. The first time a user logs in they will be asked for their credentials to join the UTEXAS SSID; subsequent logins will automatically swap over with no prompting.

New machines that use an Ethernet connection for internet connectivity will simply ignore the WiFi profile, as it is not needed.

Our Student Lab and Classroom implementation of JAMF Connect

NOTE: These machines do not have FileVault enabled, and therefore macOS boots immediately to the JAMF Connect login window. We use a user profile policy that runs (at every reboot? at a specific time??) to ensure these devices do not retain user data.

Our LAITS Student Lab and Classroom implementation of JAMF Connect leverages a WiFi configuration profile that allows the machine to connect to the UTEXAS-IOT wireless SSID in order to facilitate the new user authenticating with JAMF Connect and setting up their user account on the computer. Once the login is completed, the WiFi connection to the UTEXAS-IOT SSID is dropped and the machine joins the UTEXAS SSID. Since we use a user profile policy to ensure these devices do not retain user data, users will be asked for their credentials to join the UTEXAS SSID on EVERY login. For this reason we highly recommend that these machines use Ethernet for connectivity whenever possible. (Make changes to this paragraph that follows updated changes in paragraph above.)

New machines that use an Ethernet connection for internet connectivity will simply ignore the WiFi profile, as it is not needed.
