Friday Notebook, February 1: Jamf Connect Azure AD password sync; audit your Apple enterprise apps

Also: Jamf growth; mobile SSO; Chrome extensions; cloud gaming; Windows Sandbox; VDI performance; Mosyle; iOS 12.2; and more!

This is our weekly log of desktop virtualization, enterprise mobility, and end user computing news.

Our blog posts

Jon Towles: Mobile SSO: “It works on PC” just isn’t good enough. Jon Towles explains how to make seamless SSO work on iOS and shares a few thoughts on his favorite identity platforms.

Kyle: Google’s proposed Chrome extension API changes have developers riled up. Under the guise of improving UX and privacy, Google’s proposed API changes could break ad blockers and other Chrome extensions.

Jack: VDI Like a Pro team announces VDI Performance survey results. Evidently, just because your desktop is in the cloud doesn’t mean it will always perform at its best.

Jack: Cloud game streaming (like VDI for gaming) is coming—Time to re-apply all the lessons we learned. Will it work and bring a form of remote computing to the masses? Who knows! But we can anticipate some of the questions that will come up.

Kyle: Run potentially sketchy apps in the Windows Sandbox. Install questionable or untrusted apps and open suspicious attachments in Microsoft’s new virtualized container: Windows Sandbox.

Industry news

Apple temporarily revoked the Developer Enterprise Program certificates for Facebook and for Google this week. Both companies (here and here) were using enterprise certificates to get around Apple’s App Store review process and distribute aggressive market research / spying apps to consumers. (Facebook’s went as far as installing a root certificate.) This is clearly prohibited, hence the revocations. Apple said:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

The revocations also shut down all of Facebook and Google’s other internal apps. Every other company with enterprise-signed apps is probably thinking about auditing their usage and going over the license agreement right about now. As Colm Warner wrote just last week, if you can make public distribution work for your internal apps, it’ll help you avoid all sorts of headaches.
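As an added example, not code from the original post or from any of the vendors named here, the following Python script audits the provisioning profiles inside iOS app bundles and flags enterprise in-house distribution, expiry, and debuggable builds. It assumes the usual .ipa layout (a zip containing `Payload/<App>.app/embedded.mobileprovision`) and pulls the XML plist out of the profile’s CMS envelope by locating its start and end markers rather than verifying the signature; the sample profiles and dates are constructed inline.

```python
import plistlib
import zipfile
from datetime import datetime, timedelta, timezone

# Reference date for the constructed samples (the notebook's publication date).
FIXED_NOW = datetime(2019, 2, 1)


def make_fake_profile(provisions_all_devices: bool, expires: datetime) -> bytes:
    """Constructed sample: the plist payload of an embedded.mobileprovision,
    wrapped in junk bytes that stand in for the DER/CMS signature envelope."""
    payload = {
        "AppIDName": "Example Internal App",           # constructed
        "Name": "Example In-House Profile",            # constructed
        "TeamName": "Example Corp",                    # constructed
        "TeamIdentifier": ["ABCDE12345"],              # constructed placeholder
        "ExpirationDate": expires,
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.internal",
            "get-task-allow": False,
        },
    }
    if provisions_all_devices:
        payload["ProvisionsAllDevices"] = True          # marks enterprise in-house distribution
    else:
        payload["ProvisionedDevices"] = ["00008030-000000000000002E"]  # constructed UDID
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    return b"\x30\x82\x0c\x00junk-cms-header" + xml + b"\x00trailing-signature-bytes"


def extract_plist(profile_bytes: bytes) -> dict:
    """Slice the XML plist out of the CMS blob. This reads the payload only;
    it does not verify Apple's signature over it."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify_distribution(info: dict) -> str:
    # Enterprise profiles provision every device; ad hoc / development profiles
    # list UDIDs; App Store profiles carry neither key.
    if info.get("ProvisionsAllDevices"):
        return "enterprise-inhouse"
    if "ProvisionedDevices" in info:
        return "adhoc-or-development"
    return "app-store"


def audit_profile(profile_bytes: bytes, now=None) -> dict:
    info = extract_plist(profile_bytes)
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates load as naive UTC
    days_left = (info["ExpirationDate"] - now).days
    distribution = classify_distribution(info)
    findings = []
    if distribution == "enterprise-inhouse":
        findings.append("enterprise in-house profile: confirm the app is distributed only to employees")
    if days_left < 0:
        findings.append("profile has expired; the app will refuse to launch")
    elif days_left <= 30:
        findings.append(f"profile expires in {days_left} days")
    if info.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow is true: debuggable build, not a release build")
    return {
        "name": info.get("Name"),
        "app_id": info.get("AppIDName"),
        "team": info.get("TeamName"),
        "team_ids": info.get("TeamIdentifier", []),
        "distribution": distribution,
        "days_left": days_left,
        "findings": findings,
    }


def audit_ipa(ipa_path: str, now=None) -> list:
    """Audit every embedded.mobileprovision inside an .ipa (a zip archive)."""
    results = []
    with zipfile.ZipFile(ipa_path) as archive:
        for name in archive.namelist():
            if name.endswith("embedded.mobileprovision"):
                results.append(audit_profile(archive.read(name), now))
    return results


def run_demo() -> dict:
    """Audit two constructed profiles against FIXED_NOW."""
    enterprise = make_fake_profile(True, FIXED_NOW + timedelta(days=365))
    expired_adhoc = make_fake_profile(False, FIXED_NOW - timedelta(days=10))
    return {
        "enterprise": audit_profile(enterprise, now=FIXED_NOW),
        "expired_adhoc": audit_profile(expired_adhoc, now=FIXED_NOW),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result["distribution"], result["days_left"], result["findings"])
```

On a Mac, `security cms -D -i embedded.mobileprovision` prints the same plist after checking the CMS signature, which is the better cross-check for a real audit; the marker-based extraction above exists so the inventory can run anywhere, including on a server holding the build artifacts.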

Jamf announced growth figures for 2018: They gained 7,100 customers in 2018, for a total of 20,000. They were at just under 6,000 customers less than four years ago. Impressive, and a sign of a very significant trend towards Macs in the enterprise.

Last December, we wrote about upcoming changes to the iOS MDM enrollment process, which will add a few manual steps for BYOD or non-DEP devices. Now the word (via the MaaS360 blog) is that these changes are coming in iOS 12.2. Furthermore, after users download an MDM profile, they’ll only have eight minutes to install it.

This week, we learned about Mosyle, a newer Apple-centric MDM startup that just got a $16 million A round. (Via VentureBeat.) They’re two years old and, apparently, they already have a good start with education. They’re pitching themselves as a cheap and easy MDM offering and they want to come into the enterprise. They’ll be facing a lot of competition, so best of luck!

Following last week’s IGEL Disrupt Munich news, and ahead of next week’s Disrupt conference in the US, IGEL announced support for IGEL OS to run on several models of LG thin clients. I’ll be at IGEL’s show next week, and will follow up with more color on what they’ve been up to.

More notes

iOS 12.2 is bringing slightly better support for progressive web apps. Kyle explained what progressive web apps are last year; I still don’t see them ever being huge, but it’s nice to see the progress.

What’s new for Citrix Workspace in January.

Feature Spotlight: Jamf Connect and Azure AD integration

Last week, Jamf announced a deeper integration—now including password syncing—between Jamf Connect and Azure AD. Jamf Connect (NoMAD Pro prior to its acquisition by Jamf) is a tool for managing local macOS user accounts and connecting them to cloud identities.

Back at JNUC, I sat down with NoMAD creator Joel Rennich to learn how Jamf Connect works. He explained to me that Jamf Connect couldn’t “see” a user’s Azure AD password, since the SAML authentication happens in a web view, so Jamf Connect didn’t attempt to keep the local account password in sync with Azure AD.

With last week’s announcement about password syncing, I wanted to learn what was different, so I chatted with Joel again.

I’m fine with keeping separate passwords. Think about it this way: you don’t unlock your phone with your AD password, so why not have your Mac be that way, too? But of course most customers and users are accustomed to a single password for their machines and user accounts.

So now Jamf Connect will capture the password during device enrollment. (For more on Connect and the enrollment process, head back to my previous post.) First, the user will authenticate to Azure AD, and then Connect will pop up another window and ask the user to enter their password again. Using a SAML parameter, Connect will check it against Azure AD, and then set it as the password when it creates the local account, and put it in the keychain.

Then, on an ongoing basis, Jamf Connect Verify will make sure that the local account password is in sync by validating it against Azure AD with the same SAML parameter. If it fails, then Verify can prompt the user to update the local password.

There are plenty more items on the roadmap for Jamf Connect. One of the things they want to figure out is support for hardware token (such as YubiKey) logins on the local Mac account, so there would be no need to worry about syncing at all.

Also, remember that Jamf Connect is available independently of Jamf Pro, so you can use it with any MDM that supports macOS. As more companies get into both Mac management and cloud identity, this is definitely a product to check out.
