JAMF Connect - Understanding the LAITS Implementation


What is JAMF Connect?

JAMF Connect is a software product that enables the use of the UT Campus Single Sign-On (SSO) system to authenticate a user's login credentials on computers running macOS. The UT Campus Single Sign-On system currently leverages Microsoft Azure Active Directory and Duo for authentication. With JAMF Connect, users can authenticate their credentials from any location, whether on campus or off, as long as they have an internet connection.


Understanding the impact of FileVault in macOS on provisioning machines with JAMF Connect installed

Info: According to Texas state law, all state-owned computers must either be encrypted to protect user data stored on the device or be configured to ensure no user data is retained.

FileVault in macOS is Apple's encryption solution for data storage in a computer, similar to BitLocker on Microsoft Windows computers. When FileVault is enabled, credentials are required to unlock and read the encrypted data on the storage device. Without the correct credentials, the data remains unreadable.

When a computer is powered up, Apple uses a firmware-based boot loader to authenticate a known user and unlock the data storage, allowing macOS to load. If an unknown person attempts to use the computer, they will be unable to unlock the data storage and, therefore, unable to use the device.

When a computer is provisioned for use, the first user account created on the device is given special permissions, allowing that user account immediate access to the machine when FileVault is enabled.

One of the benefits of using JAMF Connect on a computer is that it automatically grants FileVault access to successfully authenticated users. Previously, this process had to be performed manually by a system administrator or remotely via a script.

Note: When delivering a LAITS-provisioned, FileVault-enabled device, it will be necessary to log in with the deploy user account, boot macOS, and then log out to enable JAMF Connect for the new user. On single-user computers, the deploy user account is removed once the new user's account is created.
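As an added example that is not part of the LAITS page or of JAMF Connect itself: a small POSIX shell check that an administrator can run after the first login to confirm the two outcomes described above, namely that the new user was granted FileVault access and that the deploy account is no longer FileVault-enabled. It builds on the real macOS tool `fdesetup list`, which prints one `username,UUID` line per FileVault-enabled account; the function names and the sample output embedded below are constructed for this example so that it runs offline.

```shell
#!/bin/sh
# Added example, not the LAITS or JAMF Connect code.
# `fdesetup list` (macOS, requires root) prints one "username,UUID" line per
# FileVault-enabled account. The sample below is constructed to stand in for
# that output so the functions can be exercised without a Mac.
SAMPLE_FDESETUP_OUTPUT='deploy,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'

# fv_user_enabled USERNAME  (reads fdesetup output on stdin)
# Exit 0 if USERNAME is FileVault-enabled, 1 otherwise.
# Compares only the username field (before the first comma), so "deploy"
# does not match "deploy2" or any part of a UUID.
fv_user_enabled() {
    user="$1"
    awk -F, -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# fv_count_enabled  (reads fdesetup output on stdin)
# Prints the number of FileVault-enabled accounts.
fv_count_enabled() {
    awk -F, 'NF >= 2 && $1 != "" { n++ } END { print n + 0 }'
}

# fv_handoff_ok NEWUSER  (reads fdesetup output on stdin)
# Exit 0 only when NEWUSER is enabled AND the deploy account is not,
# i.e. the hand-off described in the note above has completed.
fv_handoff_ok() {
    newuser="$1"
    out=$(cat)
    printf '%s\n' "$out" | fv_user_enabled "$newuser" || return 1
    if printf '%s\n' "$out" | fv_user_enabled deploy; then
        return 1
    fi
    return 0
}

# Live use on a provisioned Mac (hypothetical invocation):
#   sudo fdesetup list | fv_handoff_ok "$USER" && echo "hand-off complete"
# Offline demonstration with the constructed sample: jdoe is enabled but the
# deploy account is still present, so the hand-off check fails here.
if printf '%s\n' "$SAMPLE_FDESETUP_OUTPUT" | fv_handoff_ok jdoe; then
    echo "hand-off complete"
else
    echo "hand-off incomplete: deploy account still FileVault-enabled"
fi
```

On a single-user machine the expected end state is one enabled account (the new user) and no `deploy` line; on a device that still lists `deploy`, the log-in/log-out step from the note above has not yet run.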


Off Campus - Internet Considerations

Although not exhaustive, LAITS has tested numerous off-campus WiFi connections, both protected and public, and found that all tested connections worked properly with the WiFi connectivity interface in the JAMF Connect login application.

On Campus - Faculty and Staff Implementation of JAMF Connect

On campus, our LAITS Faculty and Staff implementation uses the utguest wireless SSID to provide temporary internet access, allowing the first user to authenticate and establish their account on the machine. Once the user account is created, the computer disconnects from the utguest SSID and prompts the user to join the utexas SSID, which is more appropriate and grants access to UT faculty/staff network resources.

New machines using a wired Ethernet connection for internet access do not need to use WiFi connectivity.

On Campus - Research Implementation of JAMF Connect

On campus, our LAITS Research implementation leverages a WiFi configuration profile that connects the machine to the utexas-iot wireless SSID. This setup requires additional steps in the XMP Network Portal, including identifying the computer in ISORA and setting up a group Pre-Shared Key for authenticating to the utexas-iot wireless SSID. Once configured, the machine will use the utexas-iot wireless SSID whenever a WiFi connection is needed.

New machines using a wired Ethernet connection for internet access do not need to use WiFi connectivity.

On Campus - Student Lab and Classroom Implementation of JAMF Connect

Note: These machines do not have FileVault enabled, so macOS boots directly to the JAMF Connect login window. LAITS employs a user profile policy that runs at the login window and is triggered when the previous user logs out, ensuring these devices do not retain user data.

On campus, our LAITS Student Lab and Classroom implementation leverages a WiFi configuration profile that connects the machine to the utexas-iot wireless SSID. This setup requires additional steps in the XMP Network Portal, including identifying the computer in ISORA and setting up a group Pre-Shared Key for authenticating to the utexas-iot wireless SSID. Once configured, the machine will use the utexas-iot wireless SSID whenever a WiFi connection is needed.

New machines using a wired Ethernet connection for internet access do not need to use WiFi connectivity.
