Passport

By Corey Willis

Learn how to configure and deploy the Passport Library Item.

Before you begin, review Passport Deployment Considerations.

Be sure your OpenID Connect (OIDC) application is configured with your compatible identity provider (IdP). You will need your identity provider URL and the OIDC application ID to configure Passport. For more information on how to configure specific identity providers, see the following support articles:

  • Microsoft Azure
  • Okta
  • OneLogin

Add a Passport Library Item

  1. In the left navigation bar, navigate to Library.
  2. In the upper right corner, click Add New.
  3. Scroll to Enrollment configurations and select Passport.
  4. Click Add & Configure.

  5. Add a descriptive title.
  6. Click Select Blueprint and assign one or more Blueprints that will use this Library Item.

  7. Configure the Authentication configuration, User provisioning, Access, Login window, and Help window sections to fit your environment. (For details, see below.)
  8. Click Save.

Authentication Configuration

The way you configure the Passport Library Item depends on whether your IdP requires users to provide multi-factor authentication (MFA).

You will configure Passport to use one of the following authentication modes:

  • Mac Login (default): Presents username and password fields to the user; looks like the first iteration of Passport, which did not support MFA.
  • Web Login: Presents a web view of your IdP's login fields, to support users by providing an additional factor of authentication; additionally, displays a Local Login button. If you set your Identity provider to be OneLogin or Other, you must configure an additional app, as outlined later in this article.

In Web Login authentication mode, if users click the Local Login button, Passport removes the web view window and displays username and password fields, as well as a Web Login button so users can return to the Web Login mode.

If you configured a Passport Library Item with the first iteration of Passport (before Passport supported MFA), then that Passport Library Item's Authentication Mode is automatically configured for Mac Login.
You will not be able to save the Passport Library Item without entering values in both the Identity provider URL and Client ID (Password Sync) fields.


  1. In the Settings section, in the Authentication configuration section, click Identity provider URL and select your IdP.

  2. Enter the appropriate values in the Identity provider URL and Client ID (Password Sync) fields.

    The following details vary, depending on the IdP you selected in the previous step: the link to the appropriate support article, suggested values for these two fields, and helper text displayed on the right side of the Authentication configuration section.

    In the Identity provider URL field, enter the IdP's OIDC well-known configuration endpoint. As displayed to the right of the Identity provider URL field, common formats include:

    Microsoft Azure:
    https://login.microsoftonline.com/<tenant_ID>/v2.0/.well-known/openid-configuration
    Okta:
    https://<subdomain>.okta.com/.well-known/openid-configuration
    OneLogin:
    https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration

    In the Client ID (Password Sync) field, enter the client ID of the OIDC application configured in the identity provider's platform.

  3. Select the Authentication mode. If you have multifactor authentication (MFA) policies configured with your IdP, select Web Login to enforce them.

  4. If you selected Mac Login and your IdP app is configured with a client secret, enter it in the Client secret (optional) field.

    If you are using Microsoft Azure, the Client Secret is the Client Secret Value, not the Client Secret ID. Using the Client Secret ID will result in login errors.


  5. If you selected Web Login, the Library Item displays different options for different IdPs. If you selected Microsoft Azure or Okta in the Identity provider field, enter the redirect URI in the Redirect URI field.

    If you selected OneLogin in the Identity provider field, you must configure a second OneLogin application that uses the POST authentication method, then enter the information from the second OneLogin application in the Client ID (Web Authentication), Redirect URI, and Client secret fields.

    If you selected Other in the Identity provider field, you must configure a second OIDC application that uses the authorization code grant, then enter the appropriate information from the second OIDC application in the Client ID (Web Authentication) and Redirect URI fields. Additionally, if the second OIDC application uses a client secret, enter it in the Client secret (optional) field.
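The Identity provider URL must be the IdP's OIDC discovery endpoint, and the Other path in Web Login depends on the authorization code grant. The following added example (not part of this article or of Kandji's Passport) builds the URL for the three documented patterns and checks a discovery document fetched from that URL for the properties Passport relies on; the `acme` subdomain and the sample document are constructed.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"  # every Identity provider URL ends with this

# URL patterns from the article; "tenant" is the Azure tenant ID or the Okta/OneLogin subdomain.
URL_TEMPLATES = {
    "azure": "https://login.microsoftonline.com/{tenant}/v2.0" + WELL_KNOWN,
    "okta": "https://{tenant}.okta.com" + WELL_KNOWN,
    "onelogin": "https://{tenant}.onelogin.com/oidc/2" + WELL_KNOWN,
}

# Constructed sample discovery document for a hypothetical "acme" Okta org.
SAMPLE_OKTA_DOC = json.dumps({
    "issuer": "https://acme.okta.com",
    "authorization_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://acme.okta.com/oauth2/v1/token",
    "jwks_uri": "https://acme.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def discovery_url(idp: str, tenant: str) -> str:
    """Build the Identity provider URL for a supported IdP."""
    return URL_TEMPLATES[idp].format(tenant=tenant)


def check_discovery(url: str, document: str, web_login: bool = False) -> list:
    """Return problems found in the discovery document fetched from url (empty list = usable).

    Fetching is left to the caller so that this check runs offline."""
    problems = []
    if not url.startswith("https://") or not url.endswith(WELL_KNOWN):
        problems.append("URL must use https and end with " + WELL_KNOWN)
    try:
        doc = json.loads(document)
    except json.JSONDecodeError:
        return problems + ["response is not JSON (wrong URL or an error page?)"]
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("missing required field: " + key)
    # OIDC Discovery requires the issuer to equal the URL the document was served from.
    base = url[: -len(WELL_KNOWN)] if url.endswith(WELL_KNOWN) else url
    if str(doc.get("issuer", "")).rstrip("/") != base.rstrip("/"):
        problems.append("issuer does not match the URL: " + repr(doc.get("issuer")))
    # Web Login with an Other IdP relies on the authorization code grant.
    if web_login and "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")
    return problems
```

Pass `web_login=True` when validating the second application used for Web Login; an issuer mismatch usually means the URL points at a custom authorization server or a proxy rather than the IdP itself.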


User Provisioning

Configure the user provisioning settings you want to be applied when a user first logs in to the Mac. You can set the default account type and what to do when there is an existing account.

  1. User account type: When new user accounts are created, they can be Administrator (default), Standard, or Specify per identity provider group.
    1. If you select Specify per identity provider group to configure the new account type based on IdP group membership:
      1. Make sure the group in the Identity provider group field in Kandji matches the group in your IdP (for Microsoft Azure, based on Microsoft's recommendations, use the Azure group ObjectID instead of the Azure group name).
      2. If a user is designated as an administrator in one group and as a standard user in another, that user's account type will be Administrator.
      3. Passport checks the user's group membership every time the user logs in. Passport updates the user's account type if you make a group membership change or a configuration change that would cause a user to:
        • change from a standard account to an administrator account
        • change from an administrator account to a standard account (this change forces the user to restart their Mac in order to demote the user account and ensure that the change is in effect)
  2. Ask to merge with a local user: When a new user logs in to the Mac, they can be offered the option of merging with an existing account. This option will only be shown once per user on the Mac.
    1. Never. When a user logs in using their IdP credentials, Passport will create a new user account on the Mac, regardless of existing accounts. This is the default setting.
    2. If a local username matches. When a user logs in to the Mac using their IdP credentials, Passport will automatically find the Mac account with a matching username and prompt the user to migrate it. The user will not have the option to migrate another account.
    3. Always. When a user logs in to the Mac using their IdP credentials, Passport will prompt the user to select an existing local Mac account they want to migrate. This is a good option if you are unsure whether or not your users' IdP account names match their Mac account names. When Always is selected you will see two additional options:
      1. Migrate existing account only prevents the user from creating a new Mac account; they will only have the option to migrate an existing account.
      2. Exclude local users allows you to list Mac accounts that you do not want the user to migrate. A common use case is preventing the user from being prompted to migrate an IT admin or service account.
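The precedence rule in step 1 (Administrator wins when a user is in both an admin group and a standard group) and the restart-on-demotion behavior, worked as an added example that is not Kandji's code. The group ObjectIDs are constructed, and the type given to a user who is in no mapped group is an assumption (the `default` parameter), since the article does not state that case.

```python
# Group-to-account-type mappings as configured in the Library Item. For Microsoft
# Azure the key should be the group ObjectID, not the display name, so comparison
# is on the exact identifier. These IDs are constructed sample values.
GROUP_MAPPINGS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Administrator",  # e.g. an IT admins group
    "11111111-aaaa-4bbb-8ccc-000000000002": "Standard",       # e.g. an all-staff group
}

ADMIN, STANDARD = "Administrator", "Standard"


def resolve_account_type(mappings, user_groups, default=STANDARD):
    """Return the account type Passport assigns from the user's IdP groups.

    Administrator wins when the user is an admin in one mapped group and a
    standard user in another. `default` applies when the user is in no mapped
    group; the article does not state this case, so it is an assumption here.
    """
    types = {mappings[g] for g in user_groups if g in mappings}
    if ADMIN in types:
        return ADMIN
    if STANDARD in types:
        return STANDARD
    return default


def login_action(current_type, mappings, user_groups):
    """Describe what Passport does at this login, since it rechecks groups every time."""
    new_type = resolve_account_type(mappings, user_groups)
    if new_type == current_type:
        return "no change"
    if new_type == ADMIN:
        return "promote to Administrator"
    # Demotion only takes effect after the user restarts the Mac.
    return "demote to Standard (restart required)"
```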


Access

Configure which users have access to log into the Mac and FileVault's automatic login behavior.

  1. Local user access
    1. Allow all local users to log in allows all local users to log in to the Mac at the Passport login window. If the Mac is connected to a network and can reach the IdP, Passport will check the user's credentials against the IdP. If the Mac is not connected to a network, the user will be able to log in with their local Mac account credentials. This is the default setting.
    2. Allow local administrators to log in allows only local administrator users to log in to the Mac at the Passport login window.
    3. Specify which local users can log in allows only users you specify to log in to the Mac at the Passport login window.
  2. Automatic FileVault Login
    1. By default, Allow automatic FileVault login is disabled. This ensures that the user is presented with the Passport login window when they turn on their Mac. The user will need to log in at the FileVault login window and again at the Passport login window.
    2. If Allow automatic FileVault login is enabled, users will log in only at the FileVault login window, but they will not see the Passport login window unless they log out. The FileVault login window does not check credentials against an IdP.
  3. Store user password
    1. Securely store password: Stores the user's IdP credentials in a dedicated keychain on their Mac to aid in password changes. When the user changes their password with their IdP and then logs in to the Mac, they will need only to enter their new credentials; Passport will silently update the Mac password. If a user is already logged in to the Mac and they change their password with their IdP, Passport will prompt them to update their Mac password, but they will need to enter their previous one.
    2. Do not store password: Requires the user to enter their old and new passwords on the Mac anytime they update their IdP password.


Customize Login Window

You can customize the Passport login window for your users. Click Customize to reveal the Customize login window drawer with the following options:

  1. Branding
    1. Display logo: If you configure your Passport Library Item to use the Web Login authentication mode, Passport displays the web view window instead of the logo. If the user clicks the Local Login button, Passport displays the logo along with username and password fields, instead of the web view window.
    2. Customize Desktop picture
  2. Menu bar (defaults to enabled): The default setting will display the Wi-Fi menu, allowing users to connect to Wi-Fi at the Passport login window if they aren't already connected.
  3. Banners (defaults to Use system settings)
    1. Lock message
    2. Policy banner
  4. Power controls (defaults to display all power controls)
    1. Shutdown button
    2. Restart button
    3. Sleep button
  5. Username and Password
    1. Customize username label: Enter a custom label for the username field to help users know which credentials to enter at the Passport login window.
    2. Include password reset URL: Provide users with a URL where they can reset and update their IdP password.


Customize Help Window

In the bottom left of the Passport login window, users can click the Help icon to display a Help window. You can customize that Help window. Click Customize to reveal the Customize Help window drawer with the following options:

  1. Support tab
    1. The Support tab allows you to enter a custom header and body text. This is a great place to explain the Passport login window and how to contact the help desk or get support.
  2. Device info tab
    1. Device information is great for troubleshooting and determining what Mac a user is working on. You can enable:
      1. Serial number
      2. IP address
      3. Hostname
      4. macOS version
      5. Model information
  3. About
    1. Displays the version of Passport running on the Mac.
