Setting up Jamf Account SSO – The Complete Guide

Introduction: You reached out regarding how to enable advanced features in Jamf Pro, such as Blueprints. To utilize these capabilities, you first need to transition your authentication management from local users to a centralized, OIDC-based SSO via your Jamf Account.

Why is this needed and how does it work? (The Logic)

Historically, each Jamf product (like Jamf Pro) managed its users separately or connected directly to your Identity Provider (IdP) using SAML. Today, Jamf is moving towards a more modern, secure, and unified model based on OIDC (OpenID Connect).

In this new model, your Jamf Account acts as the central "Identity Broker." Instead of your Jamf Pro server talking directly to your IdP (such as Microsoft Entra ID or Okta), you connect your IdP just once to your Jamf Account. Subsequently, Jamf Pro (and other Jamf products) simply "trust" your Jamf Account.

This method (Federated Authentication) provides a true Single Sign-On (SSO) experience across all Jamf services and is a prerequisite for using modern tools like Blueprints that rely on this infrastructure.

High-Level Steps

The process is divided into a few main phases. You don't need to be an identity expert, but you will need administrative access to both your Identity Provider's portal and Jamf Pro.

  • Step 1: Create an OIDC Application in your IdP (Okta / Entra ID)

    In this step, you will create a new application within your Identity Provider. By the end of this step, you will have three crucial pieces of information to copy into Jamf: Client ID, Client Secret, and the Issuer URL.

    Read the official guide for various Identity Providers
  • Step 2: Add an SSO Connection in Jamf Account

    Log in to your Jamf Account portal, navigate to the SSO settings, and input the credentials (Client ID, Secret, Issuer URL) generated in the previous step. This officially links your Jamf environment to your organization's IdP.

    Full guide on adding an SSO connection
  • Step 3: Enable OIDC inside Jamf Pro

    Now that the foundation is ready, go into Jamf Pro itself (Settings > System Settings > Single Sign-On) and switch the authentication method to use OIDC via Jamf Account.

    Guide to enabling OIDC in Jamf Pro
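
Before pasting the three values from Step 1 into Jamf Account in Step 2, it helps to confirm they agree with the metadata your IdP publishes. The following is an added example, not part of the original guide and not Jamf code: the host idp.example.com, the sample metadata, the credentials and the function names are all constructed, and it assumes the connection uses the standard OIDC authorization code flow.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an IdP discovery document (not a real tenant).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/oauth2/default",
  "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
  "response_types_supported": ["code"]
}""")

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Where the IdP publishes its metadata (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc_values(issuer, client_id, client_secret, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # Discovery requires an exact string match; a trailing slash counts.
    if discovery.get("issuer") != issuer:
        problems.append("issuer mismatch: metadata says %r" % discovery.get("issuer"))
    for key in REQUIRED:
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    # Assumption: the connection uses the authorization code flow.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # Copy/paste errors: empty values or stray spaces and newlines.
    for name, value in (("client_id", client_id), ("client_secret", client_secret)):
        if not value or value != value.strip():
            problems.append("%s is empty or has stray whitespace" % name)
    return problems

if __name__ == "__main__":
    # In practice: fetch discovery_url(issuer) over HTTPS and json-decode it.
    print(check_oidc_values("https://idp.example.com/oauth2/default",
                            "constructed-client-id", "constructed-secret",
                            SAMPLE_DISCOVERY))
```

An issuer mismatch, often just a trailing slash, is a common reason an OIDC connection fails after the values have been saved, so it is worth catching before Step 2.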

Further Reading & Video Tutorial

We highly recommend watching the following tutorial video from the JNUC conference. It explains the entire process clearly from start to finish. This is the best resource for a visual, click-by-click understanding of the setup:

* For additional technical background regarding this implementation, check out this Jamf Blog post: Implementing OIDC-based Single Sign-On.