Let’s Get Conditional - UPN Pre-fill and jamfAAD

This is the fourth of a multi-part series about the macOS Intune and Azure AD integration for inventory data and Conditional Access with Jamf Pro.

The topic of this post is explaining the UPN pre-fill feature of the jamfAAD binary on macOS devices.

TL;DR: Jamf Pro 10.14.x and later, out of the box, pre-fills the end user's UPN in the jamfAAD sign-in prompt. This prevents home realm discovery from taking place for federated accounts.

The jamfAAD pre-fill feature introduced in Jamf Pro 10.14.0 can cause an issue with the authentication for those organizations that use Active Directory Federation Services (ADFS) to authenticate to Azure AD.

The reason this happens is that pre-filling the username/UPN in the jamfAAD sign-in window does not trigger home realm discovery in the underlying ADAL code that performs the authentication. When the end user types the user field themselves and then clicks Next or tabs out of the field, home realm discovery runs and redirects the user to the ADFS sign-in window. If home realm discovery does not take place, the authentication is attempted in the non-federated fashion and fails.

An example of the failed authentication. It will say the password is wrong when it is in fact correct, but the ADFS page was not used so the sign-in is rejected.


A quick workaround is to click the “Sign in with another account“ as that will kick off the home realm discovery.

In the Unified System Logs, entries that show the prompt and the end user closing the window after the password confusion are good indicators of this:

info 2020-02-12 07:40:01.248774 -0600 JamfAAD ADAL 2.7.12 Mac 10.15.2 [2020-02-12 13:40:01 - UID-XXX-XXXX-XX] -webAuthDidCancel

default 2020-02-12 07:40:01.255797 -0600 JamfAAD The user has cancelled the authorization.
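As an added example (not part of the original post or of Jamf's tooling), the following POSIX shell script checks log text for the pair of JamfAAD entries shown above: the ADAL `-webAuthDidCancel` line immediately followed by the "user has cancelled the authorization" line. On a real Mac the input would be the output of `log show --predicate 'process == "JamfAAD"'`; here the input is constructed sample lines (modelled on the two entries above) so the check runs offline. The threshold of two cancellations and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans unified-log text for
# the "sign-in prompt cancelled" pattern that indicates the UPN pre-fill /
# home realm discovery problem.
#
# On a device the input would come from (real macOS command):
#   log show --predicate 'process == "JamfAAD"' --last 1d --style compact
# Below, SAMPLE_LOG is constructed sample text so the script runs offline.

# Count JamfAAD sign-in cancellations in log text read from stdin.
# One cancellation = a "-webAuthDidCancel" line immediately followed by
# a "The user has cancelled the authorization." line, both from JamfAAD.
count_jamfaad_cancels() {
    awk '
        /JamfAAD/ && /-webAuthDidCancel/ { pending = 1; next }
        /JamfAAD/ && /The user has cancelled the authorization/ && pending { n++; pending = 0; next }
        { pending = 0 }
        END { print n + 0 }
    '
}

# Constructed sample log: two cancellation pairs plus one unrelated line.
SAMPLE_LOG='info 2020-02-12 07:40:01.248774 -0600 JamfAAD ADAL 2.7.12 Mac 10.15.2 [2020-02-12 13:40:01 - UID-XXX-XXXX-XX] -webAuthDidCancel
default 2020-02-12 07:40:01.255797 -0600 JamfAAD The user has cancelled the authorization.
default 2020-02-12 07:41:10.000000 -0600 JamfAAD (constructed unrelated log line)
info 2020-02-12 08:02:33.111111 -0600 JamfAAD ADAL 2.7.12 Mac 10.15.2 [2020-02-12 14:02:33 - UID-XXX-XXXX-XX] -webAuthDidCancel
default 2020-02-12 08:02:33.120000 -0600 JamfAAD The user has cancelled the authorization.'

# Report whether the sample looks like the pre-fill problem. The threshold
# (2 cancellations within the window) is an assumed value for illustration.
jamfaad_prefill_suspect() {
    count=$(printf '%s\n' "$SAMPLE_LOG" | count_jamfaad_cancels)
    if [ "$count" -ge 2 ]; then
        echo "suspect ($count cancellations)"
    else
        echo "ok ($count cancellations)"
    fi
}

jamfaad_prefill_suspect
```

Run it on a device by replacing `SAMPLE_LOG` with the `log show` output; a rising cancellation count across a fleet of federated users is the signal to deploy the profile described below rather than to reset passwords.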

To resolve this issue if your organization uses ADFS, upgrade to Jamf Pro 10.17.0 or later and deploy the configuration profile as detailed in this KB. Doing so activates a listener in the jamfAAD code that reads a setting to not auto-fill the user field, so the end user fills it in themselves and home realm discovery can take place. After the profile is in place, reboot or relaunch jamfAAD.
