Zero Sign-on from desktops managed by Jamf and SCCM

The FIDO2 Zero Sign-on solution lets you provide a passwordless login experience from your Jamf/SCCM-managed desktops.

Use cases

The following use cases are supported for passwordless login:

  • Log in to cloud services from desktops managed by Jamf/SCCM, authenticating on the desktop itself.

    Users are automatically authenticated using macOS TouchID if the device supports TouchID. Entering their username and password is not required.

    This use case does not require an Ivanti Neurons for MDM deployment.
    This configuration is optional and is turned off by default.

  • Log in to cloud services from desktops managed by Jamf/SCCM using push notifications.

    Users are prompted to approve the access request from a push notification sent to a managed or Auth-only mobile device. Entering their username and password is not required.

    This use case requires an Ivanti Neurons for MDM deployment.

  • Log in to a desktop using push notifications.

    Users are prompted to approve the access request from a push notification sent to a managed or Auth-only mobile device. Entering their username and password is not required.

    This use case requires an Ivanti Neurons for MDM deployment.

Authentication flow from desktops

Figure 1. Authentication flow from managed desktops

1. The user requests access to a cloud service from a Jamf/SCCM-managed desktop.
2. The cloud service redirects the user to the configured identity provider (IdP) to authenticate. Since Ivanti Access is the configured IdP, the request is redirected to Ivanti Access.
3. Ivanti Access authenticates the user, generates a new SAML response, and redirects the browser back to the original service provider (SP). The original SP obtains the user identity from the SAML response and presents the personalized screen to the user.

Required components

  • Authenticate for macOS
  • FIDO2 Ivanti Neurons for MDM instance (Access in the EAP cluster with configured SP+IdP federated pairs)
  • Ivanti Neurons for MDM deployment, if push notifications to Ivanti-managed devices are needed.

Supported devices

  • macOS devices managed by Jamf/SCCM

Supported browsers

  • macOS: Safari, Chrome