You can configure Jamf Connect by setting preference keys.
Preference keys allow for full manipulation of Jamf Connect Login’s features. You can set preferences with any of the following methods:
-
Use Jamf Connect Configuration to create and test a configuration profile.
For more information, see Jamf Connect Configuration. -
Manually create a configuration profile with a text editor.
-
Set preferences with the defaults write command.
Note: The defaults command will not show preferences set by an MDM solution.
Jamf Connect Login preference keys must be written in the following location:
/Library/Preferences/com.jamf.connect.login.plist
Jamf Connect Login does not create this PLIST file. You must create it manually.
If using Jamf Pro, you must sign the configuration profile before uploading. For more information, see the Deploying Custom Configuration Profiles with Jamf Pro Knowledge Base article.
The following tables contain all the preference key-value pairs that can be set with Jamf Connect Login.
Note: Example key-values, where applicable, match the default Jamf Connect setting. Boolean key-values that are not configured default to false unless stated otherwise, and key-values that configure text show the default text in the app.
Required Settings
| Keys | Description | Example |
| OIDCProvider | Specifies IBM Cloud Identity as your IdP | <key>OIDCProvider</key> <string>IBMCI</string> |
| OIDCRedirectURI | The redirect URI used by your Jamf Connect app in your IBM Cloud Identity. "https://127.0.0.1/jamfconnect" is recommended by default, but any valid URI value may be used as long as the configured value in IBM Cloud Identity matches the value in your Jamf Connect Login configuration profile. | <key>OIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string> |
| OIDCClientID | The Client ID of the app in your IdP used to authenticate the user. | <key>OIDCClientID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string> |
| OIDCTenant | Specifies the Tenant ID for your organization that's used for authentication. | <key>OIDCTenant</key> <string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string> |
Account Creation Settings
| Key | Description | Example |
| CreateAdminUser | Create Admin Users If set to true, all users are created as local admins when on the computer. Note: This key only creates users as local admins and does not enforce local account status after user creation. If user roles are configured in your IdP and specified with the OIDCAdmin preference key, local user accounts may change during the next log in. | <key>CreateAdminUser</key> <false/> |
| DemobilizeUsers | Demobilize Accounts Determines if any existing Active Directory mobile accounts are "demobilized", which is the process of converting a mobile account into a local account. Demobilization also removes the network authentication authority from the account. Once demobilized, you can unbind the Mac from Active Directory. Important: If you unbind from Active Directory before demobilization, demobilization may fail if a user's Active Directory password and IdP password do not match and Jamf Connect Login is configured to sync the passwords during account creation. Make sure you demobilize accounts before unbinding from Active Directory and that the Active Directory domain is reachable during account creation with Jamf Connect. | <key>DemobilizeUsers</key> <false/> |
| DenyLocal | Require Network Authentication Determines if users can bypass network authentication and use the Local Auth button at the login window. If set to true, the Local Auth button is not available, and user must authenticate to their network. If set to false, the Local Auth button is available, and users can choose to authenticate locally. | <key>DenyLocal</key> <false/> |
| DenyLocalExcluded | Users with local authentication privileges Specifies which users can still locally authenticate if DenyLocal is set to true | <key>DenyLocalExcluded</key> <array> <string>user-one</string> <string>user-two</string> <string>user-three</string> <string>user-four</string> </array> |
| LicenseFile | License File The contents of a .jamfconnectlicense file encoded in Base64 data format. Note: Maintaining your license key in a separate configuration profile provided by your account manager is recommended. | <key>LicenseFile</key> <data>encoded-license-content</data> |
| LocalFallback | Allow Local Fallback This key is used with DenyLocal to force authentication to the IdP first, but then fallback to local authentication if a network connection is unavailable. | <key>LocalFallback</key> <false/> |
| Migrate | Connect existing local accounts to a network account You can allow local accounts to be migrated to network accounts. This is typically used when a local user account was already created on the computer, but you want the account to have the same username and password as the user’s network account. Jamf Connect Login does this by forcing the user to sign in with their IdP, and then attempts to match the user with an existing local account. Consider the following user migration scenarios:
Additionally, IdPs can migrate users from local accounts to accounts associated with network identity. With the Migrate and DenyLocal preference keys, all subsequent sign-ins will be authenticated to your IdP, and then the system verifies if the user record has an IdPUser attribute. If this attribute cannot be verified, the user will be asked to select a local account to associate with the user’s network account. If the local account shortname does not match the network shortname, the network name will be added as an alias to the account so the user will be able to use either one. This also keeps the home folder path and other elements of the user record the same. Note: For every successful network authentication of a user, the user’s record will be updated with the “NetworkSignIn” attribute. If the user was only authenticated locally, this attribute will not be updated. | <key>Migrate</key> <false/> |
| MigrateUsersHide | Local accounts prohibited from network account connection Specifies which local accounts are excluded from the migration pull-down menu | <key>MigrateUsersHide</key> <array> <string>admin</string> <string>ladmin</string> </array> |
| RightsTmpCache | Local accounts prohibited from network account connection When using the AuthUI rule, determines if the token cache is set to /tmp/cachedata | <key>RightsTmpCache</key> <false/> |
| UIDTool | Use a Custom UID Tool Specifies a path to a UID tool that allows you to set a local user account's UID to a custom value during account creation. This can be used to match a local user account's UID with a user's LDAP UID attribute. Your UID tool must be an executable script. | <key>UIDTool</key> <string>/Users/Shared/UIDTool</string> |
OpenID Connect Settings
| Key | Description | Example |
| OIDCNewPassword | If set to true, this key prompts users to create a new password for their new local account. If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation. Note: This key is set to true by default. | <key>OIDCNewPassword</key> <true/> |
| OIDCAdmin | Specifies which user groups become local admins during account creation. You can specify one user group as a string or multiple user groups in an array of strings. Note: By default, Jamf Connect Login reads the "groups" attribute in a user's ID token to determine if they become a local admin. To use a different attribute to determine user creation, see the OIDCAdminAttribute preference key. | <key>OIDCAdmin</key> <string>role</string> or <key>OIDCAdmin</key> <array> <string>role-one</string> <string>role-two</string> <string>role-three</string> <string>role-four</string> </array> |
| OIDCAdminAttribute | Specifies what attribute stored in an ID token is used to determine if a user is created as a standard or admin local user. By default, Jamf Connect Login will read the "groups" attribute for any values specified with the OIDCAdmin preference key. | <key>OIDCAdminAttribute</key> <string>insert-attribute</string> |
| OIDCClientSecret | The client secret used by Jamf Connect Login and your IdP. | <key>OIDCClientSecret</key> <string>insert-client-secret-here</string> |
OIDCDefaultLocal | When set to true, Jamf Connect Login will use local authentication by default rather than cloud authentication, which ensures users can always log in without a network connection. | <key>OIDCDefaultLocal</key> <false/> |
| OIDCIgnoreAdmin | When set to true, Jamf Connect Login will ignore any roles that exist in your IdP. This key ensures local user accounts maintain their current status as either an admin or standard account. When set to false or unspecified, Jamf Connect Login will read the OIDCAdmin key for configured roles and will change a local user account status based on any roles in your IdP. | <key>OIDCIgnoreAdmin</key> <false/> |
| OIDCRedirectURI | The redirect URI used by your Jamf Connect app in your IdP. "https://127.0.0.1/jamfconnect" is recommended by default, but any URI value may be used as long as the configured value in IdP matches the value in your Jamf Connect Login configuration profile. | <key>OIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string> |
| OIDCTenant | Specifies the Tenant ID for your organization that's used for authentication. | <key>OIDCTenant</key> <string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string> |
| OIDCDiscoveryURL | Your IdP's OpenID metadata document that stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration" Note: This key is required if the OIDCProvider key is set to "Custom". | <key>OIDCDiscoveryURL</key> <string>https://identity-provider-example-address.com/.well-known/openid-configuration</string> |
| OIDCIgnoreCookies | Ignores any cookies stored by the loginwindow | <key>OIDCIgnoreCookies</key> <false/> |
| OIDCScopes | Specifies custom scopes, which return additional claims in a user’s ID token during authorization. Standard scopes included openid, profile, and offline_access. This key should be configured as a string with space-separated values. | <key>OIDCScopes</key> <string>openid profile</string> |
| OIDCIDTokenPath | Specifies the file path that can be used to store a user’s formatted ID token. | <key>OIDCIDTokenPath</key> <string>/tmp/token</string> |
| OIDCIDTokenPathRaw | Specifies the file path that can be used to store a user’s raw ID token. | <key>OIDCIDTokenPathRaw</key> <string>/tmp/token-raw</string> |
Pluggable Authentication Module (PAM) Settings
| Key | Description | Example |
| AuthUIOIDCProvider | Identity Provider (PAM) Specifies the identity provider to use for authentication via the Pluggable Authentication Module (PAM) | <key>AuthUIOIDCProvider</key> <string>insert-identity-provider</string> |
| AuthUIOIDCClientID | Client ID (PAM) The client ID of the created Jamf Connect app in your identity provider used for authentication via PAM | <key>AuthUIOIDCClientID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string> |
| AuthUIOIDCRedirectURI | Redirect URI (PAM) The redirect URI used by the created Jamf Connect app in your identity provider | <key>AuthUIOIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string> |
| AuthUIOIDCTenant | Tenant ID (PAM) The tenant in your identity provider used for authentication via PAM Note: If Okta is your IdP, this key is required. | <key>AuthUIOIDCTenant</key> <string>dev-123456</string> |
| AuthUIOIDCClientSecret | Client Secret (PAM) The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP. | <key>AuthUIOIDCClientSecret</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string> |
Messaging and Appearance Settings
| Key | Description | Example |
| BackgroundImage | Background Image Path to a locally stored image to use as a background for the login window | <key>BackgroundImage</key> <string>/usr/local/shared/background.jpg</string> |
| BackgroundImageAlpha | Background Image Alpha Value The alpha value of the vibrancy layer blur above the background image as an Int from 0-10, representing the alpha value in 10% increments (e.g., a value of 8 would configure the vibrancy layer blur to be 80% alpha) Note: Target computers must be running macOS 10.13.x. | <key>BackgroundImageAlpha</key> <integer>10</integer> |
| LoginLogo | Login Logo Path to a locally stored image to use as a logo during password validation or local password creation Note: A 250 x 250 pixel image is recommended. | <key>LoginLogo</key> <string>/usr/local/images/logo.png</string> |
Help Settings
| Key | Description | Example |
| AllowNetwork Selection | Allow Network Selection When set to true, this preference key allows users to configure and confirm their network connection preferences from the login window. To access this feature when enabled, users can click Network Connection in the bottom-right corner of the login window. Note: To ensure the security of computers, users cannot select an open Wi-Fi network at the login window. | <key>AllowNetworkSelection</key> <false/> |
| HelpURL | Help URL Specify a URL to display at the login window that directs user's to a resource for onboarding or enrollment help. | <key>HelpURL</key> <string>yourcompany.help.com</string> |
| HelpURLLogo | Help Icon Add a custom image to use as a clickable logo for the Help URL. Note: The HelpURL key must be specified. | <key>HelpURLLogo</key> <string>/usr/local/shared/helplogo.png</string> |
| LocalHelpFile | Backup Help File A path to a local file that users can access by clicking the "Help" button in the Jamf Connect Login window. This file is only displayed if the computer cannot connect to the internet and access the URL specified with the HelpURL key. Note: Supported file types include PDF and HTML. | <key>LocalHelpFile</key> <string>/usr/local/shared/JamfConnectHelp.pdf</string> |
FileVault Settings
If enabling FileVault on computers with Jamf Connect, see the Using FileVault with Jamf Connect Knowledge Base article.
| Key | Description | Example |
| EnableFDE | Enable FileVault If set to true, FileVault will be enabled for the first user that logs in to a computer. | <key>EnableFDE</key> <false/> |
| EnableFDERecoveryKey | Save FileVault Recovery Key If set to true, Jamf Connect will store the FileVault recovery key to /var/db/NoMADFDE unless otherwise specified. | <key>EnableFDERecoveryKey</key> <false/> |
| EnableFDERecoveryKeyPath | Set Recovery Key Filepath Specifies a custom file path for the FileVault recovery key | <key>EnableFDERecoveryKeyPath</key> <string>/usr/local/filevault</string> |
EULA Settings
Note: The EULA mechanism must be enabled before configuring EULA preferences. To add the EULA mechanism to Jamf Connect Login, see End User License Agreement.
| Key | Description | Example |
| EULAPath | Audit Filepath Specifies the file path to a directory where user’s end acceptance of a EULA is stored as log files. | <key>EULAPath</key> <string>/usr/local/shared/EULA.txt</string> |
| EULAText | EULA Text Text used for the EULA | <key>EULAText</key> <string>Insert EULA text here</string> |
| EULATitle | EULA Text Title of the EULA text | <key>EULATitle</key> <string>User Agreement</string> |
| EULASubTitle | EULA Subtitle Subtitle of the EULA text | <key>EULASubTitle</key <string>Terms and Conditions</string> |
Script Settings
Note: The RunScript mechanism must be enabled before configuring script preferences. To add the RunScript mechanism to Jamf Connect Login, see Login Script.
| Key | Description | Example |
| ScriptArgs | Script Arguments The arguments used with a specified script run by the RunScript mechanism Note: The ScriptPath key must bey specified. | <key>ScriptArgs</key> <array> <string>-v</string> <string>-user</string> </array> |
| ScriptPath | Script Path Specifies the path to the script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time. | <key>ScriptPath</key> <string>/usr/local/bin/login</string> |
For related information about Jamf Connect Login, see the following sections of this guide:
-
Integrating with IBM Cloud Identity
Learn how to integrate Jamf Connect Login with IBM Cloud Identity. -
Jamf Connect Login User ExperienceLearn about the general user experience when using Jamf Connect Login.
