Blocking account logins to the ?failover login page on Jamf Pro

As part of Jamf Pro’s single-sign on (SSO) logins, there’s an option to bypass the SSO login using the following URL:

https://your.jamf.pro.server.here:8443/?failover

This URL is designed to let you bypass the SSO login page and take you to Jamf Pro’s own login, so that if your SSO provider is having a bad day, you can still log into your Jamf Pro server.

For those wanting to make sure that their folks are only using SSO for logins, this can seem like a security hole. Fortunately, there’s a way to plug it. For more details, please see below the jump.

If you want to block access to the failover login for a specific user or a group, here’s how to do this:

  1. Go to Settings: System Settings: Jamf Pro User Accounts & Groups
  2. Identify the user or group whose ability to log in using the failover URL you want to block.
  3. Go to Jamf Pro Server Actions and locate the Sso Settings checkboxes.
  4. Uncheck the Update checkbox for the Jamf Pro Server Actions: Sso Settings.
  5. Save changes.

This change will do two things:

  1. Prevent that account from being able to edit the Single Sign On settings in Settings: System Settings.
  2. Remove that account’s ability to log in to the Jamf Pro server using the ?failover login page.

Once the change is made, you should be able to test by trying to log into the Jamf Pro server with an affected account using the ?failover login page. If all goes well, access should be blocked.
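Testing one account by hand works, but on a server with many accounts it helps to audit them all. The script below is an added example, not code from the original post: it parses Jamf Pro Classic API account records (the `<privileges>` / `<jss_actions>` / `<privilege>` layout) and flags any account that still holds the Update privilege on SSO Settings. The sample XML is constructed, and the exact privilege wording is an assumption; compare it against what `GET /JSSResource/accounts/userid/<id>` returns on your own server.

```python
"""Audit Jamf Pro accounts for the privilege that still permits ?failover logins.

Constructed example, not code from the original post. Assumes the Classic API
account XML layout and that the privilege the post refers to is serialized as a
string containing both "Update" and "SSO Settings" (assumption: verify on your server).
"""
import xml.etree.ElementTree as ET

# Assumed privilege wording; check against your server's account XML before relying on it.
SSO_UPDATE_MARKERS = ("update", "sso settings")


def account_privileges(account_xml: str) -> set[str]:
    """Collect every <privilege> string under <privileges>, whichever section it sits in."""
    root = ET.fromstring(account_xml)
    return {p.text.strip() for p in root.iter("privilege") if p.text}


def has_failover_access(account_xml: str) -> bool:
    """True when the account keeps Update on SSO Settings, i.e. the ?failover page still works."""
    return any(all(marker in priv.lower() for marker in SSO_UPDATE_MARKERS)
               for priv in account_privileges(account_xml))


def accounts_with_failover_access(accounts_xml: list[str]) -> list[str]:
    """Return names of accounts that still need the Update checkbox unticked, sorted for reporting."""
    flagged = [ET.fromstring(xml).findtext("name", default="?")
               for xml in accounts_xml if has_failover_access(xml)]
    return sorted(flagged)


# Constructed sample records mimicking the Classic API account XML.
# "Read SSO Settings" alone must not trigger, nor must an unrelated privilege containing "Update".
ADMIN_XML = """<account><id>1</id><name>sso-admin</name><privileges>
<jss_settings><privilege>Read SSO Settings</privilege></jss_settings>
<jss_actions><privilege>Update SSO Settings</privilege>
<privilege>Send Computer Remote Command to Download and Install OS X Update</privilege></jss_actions>
</privileges></account>"""
HELPDESK_XML = """<account><id>2</id><name>helpdesk</name><privileges>
<jss_settings><privilege>Read SSO Settings</privilege></jss_settings>
<jss_actions><privilege>Flush MDM Commands</privilege>
<privilege>Send Computer Remote Command to Download and Install OS X Update</privilege></jss_actions>
</privileges></account>"""

if __name__ == "__main__":
    for name in accounts_with_failover_access([ADMIN_XML, HELPDESK_XML]):
        print(f"{name}: still has Update on SSO Settings, ?failover login is not blocked")
```

Feed it the XML of every account and group from your server and the output lists exactly those still able to reach the Jamf Pro login through ?failover.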

Categories: Jamf Pro
Fernando
May 22, 2021 at 10:45 pm

    Thanks for the info, though the more surefire way to ensure folks with Jamf web console access use SSO only is to not give them the password to their local Jamf account.

    This prevents not just access via the failover URL but also restricts them from using the Jamf API.

    If the password is not known to them (in my case, even as the admin, I don’t know their local Jamf password since I didn’t write it down after their account was created) then they can’t use anything but SSO.

    For User-Initiated Enrollments and the Self Service I enabled SSO so they can use that there as well.

    Only drawback is that if you enable “Require Authentication” for PreStage enrollments then they would need to know the password to their account. I make up for this by using a special Jamf local account created for them that has no privs but works fine at the Setup Assistant to enroll machines into our Jamf Cloud instance.

    All other users in the organization with no Jamf web console access can just use their regular LDAP credentials to enroll since we have our Jamf instance connected to our AD via the Jamf LDAP Proxy.
