Passport

Learn how to configure and deploy the Passport library item.

Before you begin, review Passport Deployment Considerations.

Be sure your OpenID Connect (OIDC) application is configured with your compatible identity provider (IdP). You will need your identity provider URL and the OIDC application ID to configure Passport. For more information on how to configure specific identity providers, see the following support articles:

Okta
Azure AD
OneLogin

Add a Passport Library Item

  1. Navigate to Library in the left-hand navigation bar.
  2. Select Add New in the upper right-hand corner.
  3. Scroll to Enrollment configurations and select Passport.
  4. Click Add & Configure.
  5. Add a descriptive title.
  6. Assign the Passport library item to a Blueprint.
  7. At minimum, configure the Authentication configuration section by entering the appropriate identity provider URL and OIDC application ID.
  8. Configure the User provisioning, Access, Login window, and Help window sections to fit your environment. (For details, see below.)
  9. Click Save.

Authentication Configuration

In the Identity provider URL section, enter the IdP's OIDC well-known configuration endpoint. For Application ID, enter the ID of the OIDC app you created earlier.

You will not be able to save the Passport library item without entering an identity provider URL and application ID.

  1. Identity provider URL
    1. The OIDC well-known configuration URL for your identity provider. For example:
      1. Okta:
        https://<subdomain>.okta.com/.well-known/openid-configuration
      2. OneLogin:
        https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
      3. Azure AD:
        https://login.microsoftonline.com/<tenant_ID>/v2.0/.well-known/openid-configuration
  2. Application ID
    1. The client ID of the OIDC application configured in the identity provider's platform.
  3. Client secret
    1. Optional. This may be required if your IdP does not support Proof Key for Code Exchange (PKCE).
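Before pasting a well-known URL into Passport it is worth confirming that the document your IdP serves there is the one you expect, and whether it advertises PKCE (which decides whether the optional Client secret field must be filled in). The script below is an added example, not Kandji's code or part of the Passport product: it checks that the issuer matches the URL (a mismatch usually means a typo in the subdomain or tenant ID), that the required endpoints exist and use HTTPS, that the authorization code flow is offered, and whether S256 PKCE is listed. The sample discovery document and the `example.okta.com` subdomain are constructed placeholders.

```python
"""Sanity-check an OIDC discovery document before entering its URL in Passport.

Added example, not Kandji's code. It only inspects the JSON an IdP serves at
its well-known URL; it does not touch Kandji or Passport.
"""
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of the shape an Okta tenant returns; "example" is a
# placeholder subdomain, not a real tenant.
SAMPLE_URL = "https://example.okta.com" + WELL_KNOWN_SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
})


def check_discovery(doc_json, well_known_url):
    """Validate a discovery document against the URL you are about to enter.

    Returns a dict: ok (no blocking errors), errors (list of strings),
    pkce_s256 (IdP advertises PKCE with S256) and client_secret_required
    (its inverse: fill in Passport's optional Client secret field).
    """
    errors = []
    try:
        doc = json.loads(doc_json)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not valid JSON: {exc}"],
                "pkce_s256": False, "client_secret_required": True}

    issuer = doc.get("issuer", "")
    if not issuer:
        errors.append("missing issuer")

    # OIDC Discovery serves the document at <issuer> + suffix, so the issuer
    # must equal the entered URL with the suffix removed.
    if well_known_url.endswith(WELL_KNOWN_SUFFIX):
        expected_issuer = well_known_url[: -len(WELL_KNOWN_SUFFIX)]
        if issuer and issuer.rstrip("/") != expected_issuer:
            errors.append(f"issuer {issuer!r} does not match {well_known_url!r}")
    else:
        errors.append(f"URL must end with {WELL_KNOWN_SUFFIX}")

    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key, "")
        if not value:
            errors.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            errors.append(f"{key} is not HTTPS: {value}")

    # PKCE only applies to the authorization code flow, so that flow must be offered.
    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow (response_type 'code') not offered")

    pkce_s256 = "S256" in doc.get("code_challenge_methods_supported", [])
    return {"ok": not errors, "errors": errors, "pkce_s256": pkce_s256,
            "client_secret_required": not pkce_s256}


def fetch_and_check(well_known_url, timeout=10):
    """Fetch the live document (requires network) and run the same checks."""
    with urllib.request.urlopen(well_known_url, timeout=timeout) as resp:
        return check_discovery(resp.read().decode("utf-8"), well_known_url)


if __name__ == "__main__":
    result = check_discovery(SAMPLE_DISCOVERY, SAMPLE_URL)
    print("ok:", result["ok"], "| client secret required:", result["client_secret_required"])
    for err in result["errors"]:
        print(" -", err)
```

Run it against a real tenant with `fetch_and_check("https://<subdomain>.okta.com/.well-known/openid-configuration")`; a `client_secret_required` of True means the IdP does not advertise S256 PKCE and the Client secret field in Passport will most likely be needed.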

User Provisioning

Configure the user-provisioning settings you want to be applied when a user first logs in to the Mac. You can set the default account type and what to do when there is an existing account.

  1. User account type
    When new user accounts are created, they can be Administrator (default), Standard, or Specified per identity provider group.

    If you specify account type based on IdP group membership, make sure the group listed in Kandji matches the group in your IdP. If a user is designated as an administrator in one group and as a standard user in another, that user's account type will be Administrator.
  2. Ask to merge with a local user
    When a new user logs in to the Mac, they can be offered the option of merging with an existing account. This option will only be shown once per user on the Mac.
    1. Never. When a user logs in using their IdP credentials, Passport will create a new user account on the Mac, regardless of existing accounts. This is the default setting.
    2. If a local username matches. When a user logs in to the Mac using their IdP credentials, Passport will automatically find the Mac account with a matching username and prompt the user to migrate it. The user will not have the option to migrate another account.
    3. Always. When a user logs in to the Mac using their IdP credentials, Passport will prompt the user to select an existing local Mac account they want to migrate. This is a good option if you are unsure that your users' IdP account names match their Mac account names. When Always is selected you will see two additional options.
      1. Migrate existing account only prevents the user from creating a new Mac account. They will only have the option to migrate an existing account.
      2. Exclude local users allows you to list Mac accounts that you do not want the user to migrate. A common use case is preventing the user from being prompted to migrate an IT admin or service account.
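The account-type precedence and the three "Ask to merge" modes above are easy to get wrong when planning a rollout, so here they are encoded as two small functions you can run against a list of a Mac's local accounts. This is an added example, not Kandji's code or Passport's implementation. The sample accounts and group names are constructed; exact username comparison, the behaviour when a user is in neither mapped group, and whether a user may still create a new account in the "If a local username matches" mode are assumptions, because the page does not state them.

```python
"""Model Passport's user-provisioning decisions for a first IdP login.

Added example, not Kandji's code: it encodes the rules described on this page
so a configuration can be checked against real local accounts before rollout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAccount:
    username: str
    admin: bool


# Constructed sample of a Mac's local accounts.
SAMPLE_ACCOUNTS = (
    LocalAccount("jdoe", admin=False),
    LocalAccount("itadmin", admin=True),
    LocalAccount("svc-backup", admin=False),
)


def account_type_for(idp_groups, admin_groups, standard_groups, unmatched="Standard"):
    """Resolve the account type from IdP group membership.

    Group names must match between Kandji and the IdP, so they are compared
    exactly. Administrator wins when a user is in both an admin-mapped and a
    standard-mapped group. `unmatched` is an assumption: the page does not say
    what happens when a user is in neither mapped group, so the caller decides.
    """
    groups = set(idp_groups)
    if groups & set(admin_groups):
        return "Administrator"
    if groups & set(standard_groups):
        return "Standard"
    return unmatched


def merge_offer(mode, idp_username, local_accounts, migrate_only=False, exclude=()):
    """Return which local accounts Passport would offer to migrate and whether
    the user may instead create a new account.

    mode is "never", "if_match" or "always", mirroring the three settings.
    Exact username comparison is an assumption; so is allow_new=True for
    "if_match", where the page only says the matching account is offered.
    """
    if mode == "never":
        # A fresh account is created regardless of what already exists.
        return {"offer": [], "allow_new": True}
    if mode == "if_match":
        # Only the account whose username matches is offered, never another one.
        match = [a.username for a in local_accounts if a.username == idp_username]
        return {"offer": match, "allow_new": True}
    if mode == "always":
        # "Exclude local users" keeps admin/service accounts out of the prompt;
        # "Migrate existing account only" removes the create-new choice.
        excluded = set(exclude)
        offer = [a.username for a in local_accounts if a.username not in excluded]
        return {"offer": offer, "allow_new": not migrate_only}
    raise ValueError(f"unknown merge mode: {mode!r}")


if __name__ == "__main__":
    # Constructed group names for an admin-mapped and a standard-mapped IdP group.
    print(account_type_for(["mac-admins", "mac-standard"], {"mac-admins"}, {"mac-standard"}))
    print(merge_offer("always", "asmith", SAMPLE_ACCOUNTS,
                      migrate_only=True, exclude=("itadmin", "svc-backup")))
```

Feeding the output of `dscl . -list /Users` (filtered to real user accounts) into `merge_offer` with your intended mode and exclude list shows exactly which accounts a new hire would be prompted to migrate, which is the check to make before enabling "Always" on a fleet that carries shared admin or service accounts.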

Access

Configure which users have access to log into the Mac, and FileVault's automatic login behavior.

  1. Local user access
    1. Allow all local users to log in allows all local users to log in to the Mac at the Passport login window. If the Mac is connected to a network and can reach the IdP, Passport will check the user's credentials against the IdP. If the Mac is not connected to a network, the user will be able to log in with their local Mac account credentials. This is the default setting.
    2. Allow local administrators to log in allows only local administrator users to log in to the Mac at the Passport login window.
    3. Specify which local users can log in allows only the users you specify to log in to the Mac at the Passport login window.
  2. Automatic FileVault Login
    1. By default, Allow automatic FileVault login is disabled. This ensures the user is presented with the Passport login window when they turn on their Mac. The user will need to log in at the FileVault login window and again at the Passport login window.
    2. If Allow automatic FileVault login is enabled, users will log in only at the FileVault login window, but they will not see the Passport login window unless they log out. The FileVault login window does not check credentials against an IdP.
  3. Store user password
    1. Securely store password: Stores the user's IdP credentials in a dedicated keychain on their Mac to aid in password changes. When the user changes their password with their IdP and then logs in to the Mac, they will need only to enter their new credentials; Passport will silently update the Mac password. If a user is already logged in to the Mac and they change their password with their IdP, Passport will prompt them to update their Mac password, but they will need to enter their previous one.
    2. Do not store password: Requires the user to enter their old and new passwords on the Mac anytime they update their IdP password.

Customize Login Window

You can customize the Passport login window for your users. Click Customize to reveal the Customize login window drawer with the following options:

  1. Branding
    1. Display logo
    2. Customize Desktop picture
  2. Menu bar (defaults to enabled)
    The default setting will display the Wi-Fi menu, allowing users to connect to Wi-Fi at the Passport login window if they aren't already connected.
  3. Banners (defaults to Use system settings)
    1. Lock message
    2. Policy banner
  4. Power controls (defaults to display all power controls)
    1. Shutdown button
    2. Restart button
    3. Sleep button
  5. Username and Password
    1. Customize username label: Enter a custom label for the username field to help users know which credentials to enter at the Passport login window.
    2. Include password reset URL: Provide users with a URL where they can reset and update their IdP password.

Customize Help Window

In the bottom left of the Passport login window, users can click the Help icon to display a Help window. You can customize that Help window. Click Customize to reveal the Customize Help window drawer with the following options:

  1. Support tab
    1. The Support tab allows you to enter a custom header and body text. This is a great place to explain the Passport login window, how to contact the help desk or get support.
  2. Device info tab
    1. Device information is great for troubleshooting and determining what Mac a user is working on. You can enable:
      1. Serial number
      2. IP address
      3. Hostname
      4. macOS version
      5. Model information
  3. About
    1. Displays the version of Passport running on the Mac.