Workaround for Jamf Smart Card Limitation
23 Aug 2024

Jamf Connect is an app that allows administrators to manage authentication by connecting a user's local macOS account to their organization's cloud identity (network account).

Use Jamf Pro to:

  1. Deploy the Jamf Connect application to the Mac workstation.

  2. Deploy the Jamf Connect configuration profile to configure the IdP integration and other options.

  3. Test IdP authentication by logging on to macOS with a valid IdP user account.

  4. Create a new policy that runs a script at login time to disable the Jamf Connect login screen, and add the user's workstation to its scope.

Jamf Pro Workaround

1. Jamf Connect Identity Provider Login Screen

  1. The end user enters a valid directory account to log in for the first time.

  2. Jamf Connect authenticates the user by redirecting the request to the Identity Provider configured in advance (Entra ID, Axiad Cloud, etc.).

2. Jamf Connect Local Account Creation Screen

  1. After successful authentication via the Identity Provider, Jamf Connect starts the creation of a local account to mirror the existing directory account.

  2. The end user is prompted to provide the password for the local account, which can be the same as the directory account.

3. Jamf Connect First Login with Local Account

  1. The local account is created in macOS.

  2. The Jamf Pro policy that disables the Jamf Connect screen is executed in the background.

4. macOS Device Pairing

  1. The end user inserts a YubiKey, personalized in advance with a certificate for PIV authentication.

  2. macOS detects the device (and its valid certificate) and launches the device pairing wizard, which appears at the top right of the screen.

  3. Pair the device with the user by following the on-screen prompts.
    Once device pairing is complete, macOS is ready for smart card logon.

  4. Jamf Pro deploys the script that disables the Jamf Connect login screen, so that the standard macOS smart card login screen appears at logon time.
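An added example of the login-trigger policy script from step 4 of the overview; it is not code from the article or from Jamf. It assumes Jamf Connect's authchanger tool is installed at /usr/local/bin/authchanger and that Jamf Pro passes the logging-in user's short name as $3, and it adds one check the article does not mention: the Jamf Connect login window is only reset once macOS has recorded a smart card pairing in the user's AltSecurityIdentities attribute, so the IdP-backed Jamf Connect login stays in place until pairing is done.

```shell
#!/bin/sh
# Jamf Pro login-trigger policy script (added example; not Jamf's own code).
# Assumptions: Jamf Pro passes the user's short name as $3, and Jamf Connect
# installs its authchanger tool at /usr/local/bin/authchanger.

AUTHCHANGER="/usr/local/bin/authchanger"

# Returns 0 when a dscl user-record dump contains a smart-card pairing.
# macOS stores a paired PIV certificate in AltSecurityIdentities as an
# "X509:<T>...<S>..." value; Kerberos entries in the same attribute do not count.
has_paired_identity() {
    printf '%s\n' "$1" | grep -q 'X509:'
}

# Reads the local user record and reports whether a card is paired.
user_has_smart_card() {
    record=$(/usr/bin/dscl . -read "/Users/$1" AltSecurityIdentities 2>/dev/null) || return 1
    has_paired_identity "$record"
}

# Restores the stock macOS login window by removing the Jamf Connect mechanisms.
restore_macos_loginwindow() {
    "$AUTHCHANGER" -reset
}

main() {
    user="$1"
    [ -x "$AUTHCHANGER" ] || { echo "authchanger not found; is Jamf Connect installed?" >&2; return 1; }

    if user_has_smart_card "$user"; then
        echo "smart card paired for $user: restoring the standard macOS login window"
        restore_macos_loginwindow
        "$AUTHCHANGER" -print   # records the resulting mechanism list in the policy log
    else
        # Leave Jamf Connect in place so the user keeps the IdP login until a card is paired.
        echo "no smart card paired for $user yet; leaving the Jamf Connect login window enabled"
    fi
}

# Run the policy flow only when Jamf Pro supplied a username as $3.
if [ -n "${3:-}" ]; then
    main "$3"
else
    echo "usage: run via a Jamf Pro login-trigger policy (username arrives as \$3)" >&2
fi
```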
