Jamf Integration Kit

Adding Jamf security posture results to your authentication policy

By modifying your PingFederate authentication policy to include the isManaged or isMDMCapable results from Jamf Pro, you can dynamically control access to resources based on the device’s security posture.

About this task

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.

Steps

  1. In the PingFederate administrative console, go to the Policies tab.

    Choose from:

    • For PingFederate 10.1 or later: go to Authentication → Policies → Policies.

    • For PingFederate 10.0 or earlier: go to Identity Provider → Authentication Policies → Policies.

  2. Select the IdP Authentication Policies check box.

  3. Open an existing authentication policy, or click Add Policy. See Defining authentication policies in the PingFederate documentation.

  4. In the Policy area, from the Select list, select a Jamf IdP Adapter instance.

    Adding the to the authentication policy
  5. Map the attribute that contains the device identifier (shown here as SerialNumber) from your X.509 Certificate IdP Adapter instance into the Jamf IdP Adapter instance.

    Passing the user ID from the first-factor authentication adapter to the
    a. Under the Jamf IdP Adapter instance, click Options.

    b. On the Options dialog, from the Source list, select your X.509 Certificate IdP Adapter instance.

    c. From the Attribute list, select the attribute that matches the Device Identifier that you selected in your adapter configuration. Click Done.

  6. Define policy paths based on the security posture attribute isCompliant.

    Branching the authentication policy based on the device’s security posture
    a. Under the Jamf IdP Adapter instance, click Rules.

    b. On the Rules dialog, in the Attribute Name list, select isCompliant.

    c. In the Condition list, select equal to.

    d. In the Value field, enter true or false.

    e. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.

    f. Optional: Repeat steps a-e for isMDMCapable or any attributes that you mapped in the Jamf API Attribute Mappings table in the adapter configuration.

    g. Optional: Clear the Default to success check box to ensure the authentication flow follows one of the paths that you defined.

    h. Click Done.

  7. Configure each of the authentication paths.

    The complete authentication policy
  8. Click Done.

  9. In the Policies window, click Save.
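The following is an added illustration, not PingFederate or Jamf code: a small model of the policy built in steps 5 and 6, chaining the device identifier passed from the X.509 adapter into the Jamf lookup and the posture attributes returned from it into the path rules. The inventory dictionary, the path names and the ordered first-match rule evaluation are assumptions of the model, as is treating an unmatched device as a failure once Default to success is cleared.

```python
# Added illustration (not PingFederate or Jamf code): a minimal model of the
# policy configured above. Step 5 passes the certificate's device identifier
# to Jamf; step 6 routes on the posture attributes Jamf returns.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str  # e.g. "isCompliant"
    value: str      # rule values are typed as text in the console: "true"/"false"
    result: str     # policy path the rule branches to

# Constructed inventory keyed by serial number (assumption: stands in for the
# Jamf Pro API call the adapter performs).
JAMF_INVENTORY = {
    "C02ABC123": {"isCompliant": True, "isMDMCapable": True},
    "C02DEF456": {"isCompliant": False, "isMDMCapable": True},
}

# Rules from step 6: one path per isCompliant value (path names are assumed).
RULES = [
    Rule("isCompliant", "true", "CompliantDevice"),
    Rule("isCompliant", "false", "NonCompliantDevice"),
]

def jamf_lookup(cert_attrs, device_id_attr="SerialNumber"):
    """Step 5: look the mapped certificate attribute up in Jamf. An unknown
    or missing identifier yields no posture attributes at all."""
    serial = cert_attrs.get(device_id_attr)
    return dict(JAMF_INVENTORY.get(serial, {}))

def evaluate_rules(jamf_attrs, rules=RULES, default_to_success=False):
    """Step 6: the first rule whose 'equal to' comparison matches names the
    path (ordered evaluation is an assumption of this model). With no match,
    the Default to success check box decides between Success and Fail."""
    for rule in rules:
        actual = jamf_attrs.get(rule.attribute)
        if actual is not None and str(actual).lower() == rule.value.lower():
            return rule.result
    return "Success" if default_to_success else "Fail"

def route(cert_attrs, default_to_success=False):
    """Full flow: certificate attributes -> Jamf posture -> policy path."""
    return evaluate_rules(jamf_lookup(cert_attrs), RULES, default_to_success)

if __name__ == "__main__":
    print(route({"SerialNumber": "C02ABC123"}))                         # CompliantDevice
    print(route({"SerialNumber": "C02DEF456"}))                         # NonCompliantDevice
    print(route({"SerialNumber": "UNKNOWN"}))                           # Fail
    print(route({"SerialNumber": "UNKNOWN"}, default_to_success=True))  # Success
```

The last two calls show why step 6g matters: a serial number Jamf does not know matches no rule, and only a cleared Default to success keeps it from proceeding on the Success path.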