Why is this needed and how does it work? (The Logic)
Historically, each Jamf product (like Jamf Pro) managed its users separately or connected directly to your Identity Provider (IdP) using SAML. Today, Jamf is moving towards a more modern, secure, and unified model based on OIDC (OpenID Connect).
In this new model, your Jamf Account acts as the central "Identity Broker." Instead of your Jamf Pro server talking directly to your IdP (such as Microsoft Entra ID or Okta), you connect your IdP just once to your Jamf Account. Subsequently, Jamf Pro (and other Jamf products) simply "trust" your Jamf Account.
This method (Federated Authentication) provides a true Single Sign-On (SSO) experience across all Jamf services and is a prerequisite for using modern tools like Blueprints that rely on this infrastructure.
High-Level Steps
The process is divided into a few main phases. You don't need to be an identity expert, but you will need administrative access to both your Identity Provider's portal and Jamf Pro.
Step 1: Create an OIDC Application in your IdP (Okta / Entra ID)
In this step, you will create a new application within your Identity Provider. By the end of this process, you will generate three crucial pieces of information to copy into Jamf: Client ID, Client Secret, and the Issuer URL.
Read the official guide for various Identity Providers
Step 2: Add an SSO Connection in Jamf Account
Log in to your Jamf Account portal, navigate to the SSO settings, and input the credentials (Client ID, Secret, Issuer URL) generated in the previous step. This officially links your Jamf environment to your organization's IdP.
Full guide on adding an SSO connection
Step 3: Enable OIDC inside Jamf Pro
Now that the foundation is ready, go into Jamf Pro itself (Settings > System Settings > Single Sign-On) and switch the authentication method to use OIDC via Jamf Account.
Guide to enabling OIDC in Jamf Pro
Step 4: Adding OIDC Users to Jamf Pro
Once the SSO connection is active, you need to define which users (or groups) from your Identity Provider are authorized to log in.
Go to Jamf Pro (under Settings > System Settings > Jamf Pro User Accounts & Groups) and create a new user or group. This method grants them access exclusively to Jamf Pro, without providing access to the Jamf Account portal.
⚠️ Crucial Notes:
- Username: Must exactly match the user's identifier in your Identity Provider (usually their Email / UPN).
- Password & Failover: Although daily authentication is handled by the IdP, it is highly recommended to set a strong password. This password allows emergency local access (Failover) if the SSO connection is down, by navigating to your failover URL (e.g., https://your-server.jamfcloud.com/?failover).
Advanced Note: There is an alternative way to manage access centrally by adding a user within the Jamf Account portal under "Users" and assigning Jamf Pro privileges from there. Please note that this method will also grant the user access to the Jamf Account portal.
Guide to creating Jamf Pro Users
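A mistyped Issuer URL from Step 1 (a stray trailing slash, the wrong tenant path) is a common reason the connection in Step 2 fails. The following is an added example, not part of Jamf's documentation or tooling: it checks an IdP's OpenID Connect discovery metadata against the Issuer URL you intend to enter. The function names, the sample metadata, and the placeholder host idp.example.com are constructed for illustration, and the check for the authorization code flow is an assumption about the connection, not something this page states.

```python
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks as REQUIRED (subset checked here).
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")

def discovery_url(issuer_url):
    """Discovery location: issuer minus any trailing slash, plus the well-known path."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer_url, doc):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    parts = urlsplit(issuer_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URL must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer URL must not contain a query or fragment")
    for field in REQUIRED:
        if field not in doc:
            problems.append(f"discovery document is missing '{field}'")
    # Exact string comparison: a trailing slash or wrong tenant path is a mismatch.
    if "issuer" in doc and doc["issuer"] != issuer_url:
        problems.append(f"issuer mismatch: document says {doc['issuer']!r}")
    # Assumption: the broker uses the authorization code flow (client ID + secret).
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not served over https")
    return problems

# Constructed sample values; idp.example.com is a placeholder, not a real tenant.
ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print("fetch and parse:", discovery_url(ISSUER))
    for candidate in (ISSUER, ISSUER + "/"):
        print(candidate, "->", check_discovery(candidate, SAMPLE_DOC) or "OK")
```

To use it against a real IdP, download the JSON at the URL returned by `discovery_url()`, parse it with `json.load`, and pass the result as `doc`.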
Further Reading & Video Tutorial
We highly recommend watching the following tutorial video from the JNUC conference. It explains the entire process clearly from start to finish. This is the best resource for a visual, click-by-click understanding of the setup:
* For additional technical background regarding this implementation, check out this Jamf Blog post: Implementing OIDC-based Single Sign-On.