JAMF Pro Integration

Mist Access Assurance integrates natively with the JAMF Pro endpoint management platform to check the compliance state of managed endpoints.

JAMF evaluates JAMF-managed devices (MacBook, iPad, iPhone, and other iOS devices) for compliance. Evaluation uses Smart Computer Groups for MacBooks and Smart Device Groups for iPads and iOS devices, checking for the presence of antivirus software, firewall status, software version, and so on. Mist Access Assurance obtains the compliance state of each device and uses that state in authentication policy rules to perform posture assessment.

Figure 1: JAMF Evaluation of Managed Devices

JAMF Device Data Retrieval

Mist Access Assurance retrieves JAMF managed device data in the following manner:

  • Access Assurance uses an API-based polling mechanism toward JAMF every two hours for every managed client that has previously authenticated. Compliance state information is cached for fast retrieval.

  • Information retrieval is performed out of band, that is, after the authentication process, to avoid any additional delays. After initial device onboarding, the information is updated every two hours.

  • If a device's compliance status changes, Mist Access Assurance automatically triggers a Change of Authorization (CoA) to re-run the policy and apply the respective action.

  • Juniper Mist access points (APs) that connect JAMF-managed devices to the wireless network must run firmware version 0.14 or higher.

Mist Access Assurance uses the following information during client authentication to match a client with a device record in JAMF:

  • Non-randomized MAC address—This method can be used with EAP-TTLS or EAP-TLS authentication. The client's MAC address is matched against a device MAC address present in JAMF. In the wireless profile, make sure MAC randomization or rotation is disabled.
    Note:

    iOS devices do not have a native Ethernet NIC, so this method is only useful for iOS devices that are connected over wireless.

  • JAMF Device UDID encoded in the SAN:DNS certificate attribute. Figure 2 shows the location of the UDID in the configuration profile.
    Figure 2: Locating Unique Device ID
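The matching and re-evaluation logic described in the two lists above, as an added example that is not Juniper's or JAMF's code: it matches a client to a cached device record by SAN:DNS UDID or non-randomized MAC, derives the compliance decision from Smart Group membership, and flags when a CoA is needed. The device records, MAC addresses, UDIDs and group membership are constructed, and the SAN:DNS names are taken as already-extracted strings rather than parsed from a certificate.

```python
# Added example (not Juniper or JAMF code): NAC-side matching of a client to a
# cached JAMF record, compliance from Smart Group membership, and CoA detection.
# All device records, MACs, UDIDs and group names below are constructed.

# Stand-in for the inventory cache refreshed by the two-hourly JAMF poll:
# device records keyed by JAMF UDID, plus the selected Smart Group's members.
JAMF_CACHE = {
    "A1B2C3D4-0000-1111-2222-333344445555": {"mac": "3c:22:fb:aa:bb:cc", "name": "mbp-alice"},
    "F6E5D4C3-9999-8888-7777-666655554444": {"mac": "d0:03:4b:11:22:33", "name": "ipad-bob"},
}
SMART_GROUP_MEMBERS = {"A1B2C3D4-0000-1111-2222-333344445555"}  # e.g. "Compliant Macs"

def normalize_mac(mac):
    return mac.lower().replace("-", ":").replace(".", ":")

def is_randomized_mac(mac):
    # A locally administered (randomized or rotating) MAC has bit 1 of its first
    # octet set; such an address can never match a JAMF inventory MAC.
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)

def match_device(client_mac=None, san_dns=()):
    """Return the JAMF UDID for a client, or None when nothing matches.
    A UDID carried in a SAN:DNS entry of the EAP-TLS client certificate is
    tried first, then a non-randomized client MAC against inventory MACs."""
    for name in san_dns:
        if name.upper() in JAMF_CACHE:
            return name.upper()
    if client_mac and not is_randomized_mac(client_mac):
        wanted = normalize_mac(client_mac)
        for udid, rec in JAMF_CACHE.items():
            if rec["mac"] == wanted:
                return udid
    return None

def compliance_state(udid):
    # Found in JAMF and a member of the selected Smart Group => MDM compliant.
    return "unknown" if udid is None else ("compliant" if udid in SMART_GROUP_MEMBERS else "non-compliant")

class PostureTracker:
    """Remembers the last decision per client session; a changed decision means
    the NAC must send a CoA so the authentication policy is re-run."""
    def __init__(self):
        self.last = {}
    def evaluate(self, session_id, client_mac=None, san_dns=()):
        state = compliance_state(match_device(client_mac, san_dns))
        coa_needed = session_id in self.last and self.last[session_id] != state
        self.last[session_id] = state
        return state, coa_needed
```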

Create Client ID and Secret on the JAMF Pro

For integration with JAMF Pro, you need a client ID and secret.
  1. In the JAMF Pro dashboard, navigate to Settings > API roles and clients.
  2. Create a role for the Mist Access Assurance connector and assign the permissions.
    Figure 3: Configuring API Roles and Clients
    Assign the following read-only permissions:
    • Read Computer Check-In
    • Read Mobile Devices
    • Read Computers
    • Read Mobile Device Inventory Collection
    • Read Static User Groups
    • Read Static Computer Groups
    • Read Mobile Device Self Service
    • Read Conditional Access
    • Read Smart Computer Groups
    • Read Computer Inventory Collection
    • Read Smart Mobile Device Groups
    • Read Smart User Groups
    • Read User
    • Read Webhooks
  3. Navigate to the API Clients tab and add a new client.
    Figure 4: Configure New API Client
    Select the API role created in the previous step and set the access token refresh time (for example, 24 hours). Then click Enable/disable API Client to toggle it to Enable API Client.
  4. Save the details and click Generate client secret on the next page.
    Figure 5: Generate Client Secret

    The client secret is generated.

  5. Copy both the Client ID and the Client Secret and store them in a safe place for later use.
    Figure 6: Client Secret Details

Link JAMF Pro Account to Mist Access Assurance

  1. In the Juniper Mist dashboard, navigate to Organization > Access > Identity Providers.
  2. On the Identity Providers page, scroll down to the Linked Account section, click Link Account, and select JAMF Pro.
    Figure 7: Linking to JAMF Pro Account
  3. In the Link Account pop-up window, enter the details. Figure 8 shows sample link account details.
    Figure 8: Details for Linking JAMF Pro
    • Instance URL—JAMF Pro instance URL. Example: https://<yourjamfurl>.com.

      Remove any trailing / from the Instance URL field.

    • Client ID—Client ID generated when creating the client ID and secret on the JAMF Pro dashboard.
    • Client Secret—Client secret generated when creating the client ID and secret on the JAMF Pro dashboard.
    • Smart Group Name—Smart group name to match against. JAMF Pro allows you to create groups for managed computers, mobile devices, or users. Smart Groups (both computer and mobile device smart groups) offer dynamic, rule-based matching, which lets you set criteria such as running software or OS versions of your managed devices. If a client is found in JAMF and is a member of the selected Smart Group, it is considered MDM compliant.

After linking is complete, you can see last sync status and time as shown in Figure 9.

Figure 9: JAMF Pro Sync Status

Verification

On the Juniper Mist portal, navigate to Monitoring > Insights > Client Events to see the information. Under Client Insights, you can see the MDM lookups performed for iOS managed devices, as shown in Figure 10.

Figure 10: MDM Lookup Details

Note that for a new client, the initial MDM lookup is performed after the initial authentication. When the MDM state changes, Mist Access Assurance initiates a CoA to re-authenticate the client and apply the correct policy. On subsequent authentications, NAC uses the MDM cache, which is updated every two hours to reflect any changes. Figure 11 shows a sample compliance status change.

Figure 11: MDM Lookup Details - MDM Status Change