Bring Your Macs into Entra ID with Jamf Connect

Updated 19/10/2023

With many organisations and businesses now retiring their expensive on-premise Active Directory hardware and moving to a cloud-first Entra (formerly Azure) environment, or seriously making plans to do so in the near future, the big question we’re often asked by both customers and prospects is, “Where does this leave our growing Mac fleet?”. Given that Entra ID has no compatibility with Macs and traditionally binding them to an on-premise AD can cause major headaches of its own, IT admins and business managers across the land are now facing major problems and sleepless nights. Throw in the global challenges facing IT, including the permanent increase of remote/hybrid working, and it can lead to a real headache.

Thankfully, there is a neat solution to both of these significant challenges in the form of Jamf Connect - a piece of software that fully integrates your Macs with your Entra ID tenant, all without any binding. Rather than simply offering a bullet-point list of its features, we’d like to take you through how it effectively solves four real-world key problems facing organisations today:

Problem 1: Entra ID + Macs

As we’ve covered, Microsoft’s Entra ID (formerly Azure Active Directory), by itself currently has zero support for Macs which, given their well-documented rise in both the Enterprise and Educational sectors, presents IT admins with a quite serious and immediate problem. After all, it’s the very backbone of many organisations’ digital infrastructure and security policies!

Fortunately, Jamf Connect fully supports Entra ID and allows users to simply sign in to their Mac using their existing Microsoft credentials. It even provides ongoing password sync, so if their Microsoft account password changes then it’ll immediately reflect that on their Mac, too! Having just one set of credentials to remember for both your Microsoft account and your local Mac account massively streamlines things for both IT admins and end-users, as well as decreasing user downtime from a forgotten computer password.

Problem 2: Security

With MacBook Airs and Pros being some of the most popular (and portable) laptops ever made, endpoint security has become a headline necessity over the past few years. Many IT admins need to ensure that FileVault data encryption is active immediately after set-up, and multi-factor authentication (MFA) offers additional protection but isn’t available within macOS for local accounts.

Jamf Connect saves the day once again, as not only can FileVault be automatically enabled for network users but MFA can also be required for local account log-in (if this is set in your Entra ID). Furthermore, any password policies you’ve set within Entra ID are forcibly honoured for the local Mac account via Jamf Connect, so you can be assured that your devices are secured with IT-compliant passwords and MFA. This is, of course, in addition to the leading hardware encryption supported by T2-enabled Macs. Your IT admins won’t have had such a good night’s sleep in years!

Finally, you can even configure Jamf Connect to automatically create either Administrator or Standard local Mac accounts based on that account’s Role within your Entra ID tenant. This means that end-users cannot do things like install rogue software, set up new printers or otherwise change things that may compromise their work or your security. Another handy use-case is the ability to quickly create spontaneous Admin-level local accounts if IT ever do need to take control of a user’s Mac to fix a problem remotely and then remove them, eliminating the chance of those credentials ever falling into the wrong hands. No organisation wants a skeleton key approach to their Admin accounts and, with Jamf Connect, avoiding that possibility is easier than ever.

Problem 3: Mobile Users + AD Bind

The past 18 months have seen sweeping workflow changes and a huge rise in working from home (did you know that #WFH was one of Twitter’s top trends of 2020-21?). IT admins have therefore had to thoroughly embrace zero-touch deployment methodologies, where factory-sealed Macs are shipped directly to the user and remote MDM configuration sets them up automatically. Without a complex VPN setup, binding to an on-premise AD in this scenario would be impossible and thus prevent users from accessing the apps and resources they need for work.

As no binding takes place, Jamf Connect is fully-functional wherever the user has an Internet connection (and will still allow them to log in even when they don’t) and this lends itself perfectly to the new normal of working away from the office - or indeed from anywhere! For the ultimate in slick convenience, an MDM such as Jamf Pro can even be set to bypass the local admin account creation during a Macs' initial setup and instead have Connect simply prompt the user to sign in with their Entra ID account details. No muss, no fuss.

Problem 4: Password Resets

Keychain sync issues for mobile account users, caused while having to change their easily-forgettable local account password while off-site, cause significant downtime for users and a potential loss of their saved Keychain passwords if they cannot remember their former log-in password (as their Keychain will still be tied to that old password). Jamf themselves conducted some global research and found that a staggering 31% of all IT support requests were for password resets! The costs, in terms of lost productivity, reduced user morale and IT maintenance are both high and avoidable.

Using Jamf Connect, ongoing password sync with your Entra ID ensures that users will never again have to choose between accessing their Mac and waving goodbye to their stored passwords for all the websites and services they rely on day-to-day.

Our Final Thoughts

As we’ve discussed, Jamf Connect is a vital lifeline for any organisation using Entra ID. While we’ve focussed on that specifically in this post, it’s also compatible with a variety of other cloud-based identity providers (IdPs) such as Okta, OneLogin, PingFederate and Google Cloud Identity. These IdPs also support the full range of Connect’s features and offer the same benefits to your organisation. The best part is that Connect is fully compatible with any MDM solution, not just Jamf’s offerings, and in fact doesn’t even require one to function. That said, an MDM should absolutely be in place for any Mac fleet within an organisation.

To find out how KRCS can help take your Macs into the cloud-based world of today, give us a call on 0115 985 1797 or email us at info@krcs.co.uk and one of our friendly team will be glad to assist based on your specific needs and set-up.