探花大神

Contact Us
Help Center Home > Apps and Integrations > Integrate with Apple Business Manager

Integrate with Apple Business Manager

Managed Apple Accounts are the gateway to Bring Your Own Device (BYOD) Programs. These accounts, created within Apple Business Manager (ABM), or using 探花大神鈥檚 SSO and SCIM Connector, are required for managing user-owned devices with 探花大神.

Use 探花大神 OIDC Single Sign On (SSO) to give your users convenient but secure access to their Managed Apple Account with a single set of credentials. Automatically provision, update and deprovision users in ABM from 探花大神, centralizing user lifecycle and user identity management in 探花大神 for ABM. Save time and avoid mistakes, as well as potential security risks, related to manually creating users.

Read this article to learn how to setup the ABM integration.

Prerequisites

  • A 探花大神 administrator account
  • 探花大神 SSO Package or higher or SSO 脿 la carte option
  • An ABM account with the role of Administrator or People Manager
  • An Apple and
    • If federated authentication is not already enabled, setting up SSO will automatically enable it
  • If you have an existing ABM connector, either prebuilt or custom OIDC, you must deactivate and delete the existing connector before configuring this connector
  • The 探花大神 user's Managed Apple ID attribute field should be populated for users where the desired email address is different from their company email
  • SCIM must be enabled in the ABM Directory Sync settings

Important Considerations

  • Domains must be fully captured prior to them being locked in ABM, a pre-requisite for enabling federation and directory sync. This domain capture can take up to a month
  • Admin accounts cannot be federated
  • Non-administrative users whose unmanaged ABM accounts are associated with a company domain email address should manually update them to a non-company domain email address before the end of the domain capture period. Otherwise, ABM will automatically assign an auto-generated email address to these accounts
  • Safari is not a supported browser for this configuration flow as some of the ABM pages do not render
  • The ABM Application should not be placed behind a managed device conditional access policy if this federation will be used for device enrollment flows

SCIM Considerations

  • All newly provisioned users will have the default role of staff
  • A user鈥檚 email address must belong to an Apple for them to be created and updated through SCIM
  • It is recommended to set your Client Secret's expiration to 12 months

Important:

You may not receive an alert when your token is about to expire. Set a reminder in your calendar to refresh your token before the expiration date.

  • If you need to update your secret, you must deactivate the IdM integration, update the secret, and then reactivate the IdM integration
  • Password synchronization is not supported

Attribute Considerations

  • A default set of attributes are managed for users. See the Attribute Mappings section for more details
  • The following attribute is not supported by 探花大神:
    • division

Creating a new 探花大神 Application Integration

  1. Log in to the .
  2. Navigate to USER AUTHENTICATION SSO Applications.
  3. Click + Add New Application.
  4. Type the name of the application in the Search field and select it.
  5. Click Next.
  6. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
  7. Click Save Application.
  8. Click Configure Application.

Configuring the SSO Integration

To configure 探花大神

  1. On the SSO tab of the ABM connector, click Activate.
  2. Copy the Client ID and Secret.

Warning:

The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the 探花大神 Password Manager, for future reference.

  1. Click Got It.

To configure Apple

Important:

Federating a Domain that already has Managed Apple Accounts takes up to 30 days. For more information, .

  1. Log into Apple.
  2. Go to My Profile > Managed Apple Accounts.
  3. Click Get Started.
  4. Select Custom Identity Provider and enter the following information:
    • Name - <name of your connector>
    • Client ID - copy and paste the Client ID generated in the previous section
    • Client Secret - copy and paste the Client Secret generated in the previous section
    • SSF Config URL - enter https://ssf.jumpcloud.com/.well-known/ssf-configuration
    • OpenID Config URL - enter https://oauth.id.jumpcloud.com/.well-known/openid-configuration
  5. Click Continue and then Sign in with <name of your connector>.

Note:

If you do not see Sign in with <name of your connector> and are using a non-Safari browser, switch to Safari to complete the configuration.

  1. When signed in, click Continue.
  2. Under User sign in, ensure it shows Connected.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to 探花大神, you need to authorize user access to that application. You can authorize user access from the Applications, Users List or User Groups 辫补驳别.听

To authorize user access from the Application’s page

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the desired group of users to which you want to give access.
  5. Click Save.听

To learn how to authorize user access from the聽Users or User Groups聽pages, see聽Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

  • Access the
  • Go to聽Applications and click an application tile to launch it
  • 探花大神 asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

  • Go聽to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

Note:

This varies by SP.

  • Login redirects the user to 探花大神 where the user enters their 探花大神 credentials
  • After the user is logged in successfully, they are redirected聽back to the SP and automatically logged in

Configuring the Identity Management Integration

To configure Apple

  1. In ABM, navigate to Directory Sync > Custom Sync and click Enable.
  2. In Authorization callback URL - enter https://console.jumpcloud.com/api/v2/provision/applebusinessmanager/callback
  3. Click the + Client Secret link and select 12 months (recommended).
  4. Click Save.
  5. Copy the Client ID and Client Secret.

Warning:

The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the 探花大神 Password Manager, for future reference.

Important:

You may not receive an alert when your secret is about to expire. Set a reminder in your calendar to refresh your secret before the expiration date.

  1. Click Done.

To configure 探花大神

  1. Create a new application or select it from the Configured Applications list.
  2. Select the Identity Management tab.
  3. Click Configure.
  4. You're presented with two fields:
    • Client ID - enter the Client ID generated in the previous section
    • Client Secret - enter the Client Secret generated in the previous section
  5. Click Activate.
  6. If the status of the sync in Apple is green, the sync has been successfully set up.
  7. You can now connect user groups to the application in 探花大神 to provision the members of that group in ABM. Learn how to Authorize Users to an Application.

Attribute Mappings

The following table lists attributes that 探花大神 sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations. 

Learn about 探花大神 Properties and how they work with system users in our . 

ABM User Attributes

探花大神 Property 探花大神 UI SCIM v2 Mapping ABM Value
firstname First Name name.givenName First name
lastname Last Name name.familyName Last name
email Company Email emails [work] email address
department Department department Department
employeeIdentifier Employee ID [urn:ietf:params:scim:schemas:extension:enterprise:2.0:User]. employeeNumber Person Number
costcenter CostCenter [urn:ietf:params:scim:schemas:extension:enterprise:2.0:User]. costcenter Cost center

SCIM Directory Insights Events

The following Directory Insights (DI) events provide visibility into failures and detailed information about the user and group data being added or updated from HR or other external solutions to 探花大神.

Note:

Customers with no package or the Device Management Package will need to add the Directory Insights 脿 la carte option. Directory Insights is included in all other .

SCIM DI Integration Events

Event Name Event Description
idm_integration_activate Logged when an IT admin attempts to activated new SCIM Identity Management integration.
idm_integration_update Logged when an IT admin attempts to update a configured and activated SCIM Identity Management integration.
idm_integration_reauth Logged when an IT admin attempts to change the credentials for an activated SCIM Identity Management integration.
idm_integration_delete Logged when an IT admin attempts to deactivate an activated SCIM Identity Management integration.

SCIM DI User Events

Event Name Event Description
user_create_provision Logged when 探花大神 tries to create a new user in service provider application.
user_update_provision Logged when 探花大神 tries to update an existing user in service provider application.
user_deprovision Logged when 探花大神 tries to change an existing user to inactive in the service provider application.
user_delete_provision Logged when 探花大神 tries to delete an existing user in service provider application.
user_lookup_provision Logged when 探花大神 encounters an issue when trying to lookup a user to determine if the user needs to be created or updated.

Removing the Integration

Important:

These are steps for removing the integration in 探花大神. Consult for any additional steps needed to remove the integration in ABM. Failure to remove the integration successfully for both Apple and 探花大神 may result in users losing access to the application.

To deactivate the IdM Integration

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
  5. Click confirm
  6. If successful, you will receive a confirmation message.

To deactivate the SSO Integration or Bookmark

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to deactivate and click to open its details panel. 
  4. Select the SSO or Bookmark tab.
  5. Scroll to the bottom of the configuration.
  6. Click Deactivate SSO or Deactivate Bookmark
  7. Click save
  8. If successful, you will receive a confirmation message.

To delete the application

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.
Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case