Jamf Connect User Context Filter

If Jamf Connect is used to connect local macOS user accounts to Microsoft Entra ID, this filter can be used to target specific Entra groups in Privilege Manager policies.

Refer to Using User Context Filters to learn more about User Context filters.

Admin Prerequisites

  • Complete the steps required to integrate Privilege Manager with Jamf Pro. Refer to Integrating with Jamf.

  • Complete the steps required to integrate Jamf Connect with Microsoft Entra ID. Refer to Integrating Jamf Connect with Microsoft Azure AD.

  • Complete the necessary configuration options under optional claims (Azure portal). Refer to Configure groups optional claims.

    In App Registrations (your Jamf Connect App), go to Manage | Token configuration. Then select Add groups claim and select Group ID for each of the three Customize token properties by type options.

Endpoint User Prerequisites

The macOS Agent uses com.jamf.connect.state.plist to read the group information and compare it to the information in the filter. In order for the group information to be written to the plist, the endpoint user needs to connect to Jamf Connect via the menu bar at least once.

The endpoint user will use the Jamf Connect login window to log in with their Entra ID credentials, then click the Jamf Connect menu bar and click Connect to log in.

Creating and Using the Filter

Complete these steps to create a Jamf Connect User Context Filter.

  1. Go to Admin | Filters | Create Filter | macOS Computer Filters | Jamf Connect User Context Filter.

  2. In Settings, add the desired Entra Groups. The filter can be used in application policies in the Inclusions and Exclusions sections.

  3. The Test Jamf Connect User Context Filter Policy shown here demonstrates an Application Justification Message Action if a user opens the Mail application and is a member of any Entra groups selected in the Test Group Filter.