Skip navigation
Documentation

Duo Trusted Endpoints - Jamf Pro Managed Devices

Last Updated: December 15th, 2023
macOS Certificate Users: Changes required to support macOS 12.3

The macOS 12.3 update removes Python, which was a required dependency for the certificate enrollment script prior to April 7, 2022. After updating a macOS client to 12.3, Jamf policies using the Duo Python script fail to perform new certificate issuance and existing certificate renewals.

To address this, either migrate to Jamf with Duo Desktop or download the replacement Duo certificate shell script from the Duo Admin Panel and use it to update your Jamf script policies.

Certificate-based Trusted Endpoint verification for Jamf will reach end-of-life in a future release. Migrate existing Jamf Certificate Deployment management integrations to Jamf with Duo Desktop. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Overview

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of Duo Desktop or a Duo device certificate on that endpoint. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from unmanaged, untrusted devices.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to establish API access from Duo to Jamf, then deploy Duo Mobile to your managed iOS devices, or deploy Duo Desktop to Windows and macOS managed systems.

This guide walks you through Jamf configuration for macOS endpoint clients and iOS mobile devices.

Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of iOS devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.

Requirements

Ensure you have the following access and privileges:

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the Jamf Pro Dashboard as an administrator with the rights to create roles, accounts, certificate authorities, and device profiles, and to create new policies and apply them to user targets.

Duo's trusted endpoints solution supports both Jamf Cloud and on-premises Jamf Pro deployments.

Create a Jamf API User

Create a read-only API user in Jamf for Duo to obtain managed macOS and iOS endpoint information. Determine whether you plan to create a standard (local) account or an account from your LDAP directory before you begin. You must have previously configured LDAP directory services in Jamf in order to create a new LDAP account.

You only need to create one Jamf API user for Duo to use with iOS and macOS.

  1. Log in to Jamf Pro as an administrator and click the Setting icon in the top-right.

  2. Click System Settings then click Jamf Pro User Accounts & Groups.

  3. Click New. Select Create Standard Account or Add LDAP Account as desired, and then click Next.

  4. If you chose to create a standard account:

    1. Enter a username for the new account on the "New Account" page.
    2. Set the "Access Level" to Full Access.
    3. Set the "Privilege Set" to Auditor.
    4. Enter and verify a password for the new user. You will need to provide this to Duo. Do not force a password change.
    5. Click Save.
  5. If you chose to create an LDAP account:

    1. Enter the LDAP username in the "Search Users" field of the "Search LDAP Directory Service" page and click Next..
    2. If the search found the correct user, click the Add button to the right of the LDAP user's information in the search results.
    3. On the "New Account" page, set the "Access Level" to Full Access.
    4. Set the "Privilege Set" to Auditor.
    5. Click Save.

Jamf with Duo Desktop

This integration relies on having Duo Desktop present on your Jamf-managed endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by Duo Desktop with managed device information obtained from Jamf in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Prerequisites

  • The minimum recommended Jamf version for this integration is 10.28. Jamf versions prior to 10.28 may encounter errors during the nightly sync process with Duo.

  • Deploy Duo Desktop to your Jamf-managed endpoints. Refer to the Duo Desktop documentation to learn about different options for deploying the application.

    Note that you do not need to configure a Duo Desktop policy in order to use Jamf with Duo Desktop.

Create the Jamf Pro with Duo Desktop Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate Jamf Pro in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose macOS from the "Recommended" options, and then click the Add button.

The new Jamf Pro with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Jamf Pro with Duo Desktop management integration page to complete the configuration steps.

Enter the Jamf User Information in Duo

Enter the Jamf Pro user credentials in Duo to perform the device information sync.

  1. On the Jamf Pro with Duo Desktop management integration page in the Duo Admin Panel, scroll down to the "2. Provide account credentials" section.

  2. Enter the username for the Jamf Pro standard or LDAP user you created into the "Jamf Pro account username" field.

  3. Enter the password for the Jamf Pro standard or LDAP user in the "Jamf Pro account password" field. If you added an LDAP account, the password is the user's LDAP directory password.

  4. Enter your Jamf Pro domain in the last field on the page. This is the same as the URL at which you access your Jamf Pro account. For example, if you access Jamf Pro at https://acmecorp.jamfcloud.com, then you'd enter acmecorp.jamfcloud.com as the domain name, without the "https://" prefix.

  5. Click the Test Configuration button to verify your setup. If you do not receive a "Configuration Successful!" message, double-check that you provided the right account and domain information.

  6. If testing your configuration was successful, click Save & Configure.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify macOS Device Information with Search

After you configure the connection between Jamf and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Configuration

This integration relies on having the Duo Mobile app present and activated on your Jamf-managed iOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by the Duo Mobile app with managed device information obtained from Jamf in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Create the Jamf Pro with App Config Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate Jamf Pro in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Jamf Pro with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Jamf Pro with App Config management integration page to complete the configuration steps.

Enter the Jamf User Information in Duo

Enter the Jamf Pro user credentials in Duo to perform the device information sync.

  1. On the Jamf Pro with App Config management integration page in the Duo Admin Panel, scroll down to the "2. Provide account credentials" section.

  2. Enter the username for the Jamf Pro standard or LDAP user you created into the "Jamf Pro account username" field.

  3. Enter the password for the Jamf Pro standard or LDAP user in the "Jamf Pro account password" field. If you added an LDAP account, the password is the user's LDAP directory password.

  4. Enter your Jamf Pro domain in the last field on the page. This is the same as the URL at which you access your Jamf Pro account. For example, if you access Jamf Pro at https://acmecorp.jamfcloud.com, then you'd enter acmecorp.jamfcloud.com as the domain name, without the "https://" prefix.

  5. Click the Test Configuration button to verify your setup. If you do not receive a "Configuration Successful!" message, double-check that you provided the right account and domain information.

  6. If testing your configuration was successful, click Save & Configure.

Configure Duo Mobile Management in Jamf

Jamf will need to manage the Duo Mobile app on users' iOS devices. By having Jamf manage the Duo Mobile , Jamf will be able to provide Duo with additional attributes from the iPhones and iPads to verify the device’s information.

  1. Under the "Devices" section of Jamf Pro, select Mobile Device Apps.

  2. On the "Mobile Device Apps" page, select + New.

  3. In the "Choose an App Type" window, select App Store App.

  4. Search for Duo Mobile and when found add Duo Mobile for iOS.

  5. On the "New Mobile Device App" page's "General" tab, check the Enabled box and configure the following options:

    • Enable Schedule Jamf Pro to automatically check the App Store for app updates and set a sync time.
    • Enable Automatically Force App Updates.
    • Enable Make app managed when possible.
    • Enable Make app managed if currently installed as unmanaged.
    • Enable Remove app when MDM profile is removed.
  6. Click the "Scope" tab and select All Mobile Devices under "Targets and Target Mobile Devices".

  7. Click the "App Configuration" tab.

  8. Return to your Jamf Pro with App Config management integration page in the Duo Admin Panel and copy the AppConfig XML provided in step 4.7. Paste this into the Preferences field on the "App Configuration" tab.

  9. Click Save.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify iOS Device Information with Search

After you configure the connection between Jamf and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

Finish Trusted Endpoints Deployment

Once your managed computers have Duo Desktop installed, you can update the Trusted Endpoints policy to start checking for management status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Jamf Pro with Duo Desktop management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show trusted and untrusted access device status.

As more of your devices have Duo Desktop installed you can change the integration activation to apply to all users (if you just targeted test groups before), adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not pass the managed endpoint check. See the Trusted Endpoints documentation for more information.

Removing the Jamf Pro Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately prevents identification of Jamf-managed devices using Duo Desktop. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Jamf Pro integration from "Trusted Endpoints Configuration".

If you also have a Jamf Pro certificate-based management integration system configured, deleting the Jamf Pro with Duo Desktop integration does not invalidate any certificates issued by the other Jamf integration.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Jamf Certificate Deployment

This guide walks you through using Jamf Pro to distribute a certificate enrollment script to your managed devices. Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices.

End of Life Information

New Jamf certificate deployment management integrations may no longer be created as of April 2021. Consider migrating your certificate-based Jamf integration to Jamf with Duo Desktop. Use of the Duo Desktop for trust attestation provides several advantages over the use of device certificates:

  • It provides a more accurate assessment of your Jamf-managed devices, and removes concerns about long-lived certificates present on devices no longer managed by your organization.
  • It extends support to Firefox users. Trusted Endpoint certificate detection only works with Chrome, Edge, Safari, and Internet Explorer (depending on the management system).
  • Improves trust detection for web browsers and thick client applications.

These instructions remain available for customers who created these integrations before April 2021 and may need to reconfigure them. Duo continues to support existing Jamf certificate deployments and will do so until the integration reaches end-of-life status in a future update.

Import the Duo Deployment Script to Jamf

Duo provides you with a certificate enrollment script you can import to a Jamf Pro policy. This script installs the Duo device certificate on targeted systems. The Duo script also configures Safari and Google Chrome browsers to automatically select Duo's device certificate during the authentication process.

To create the Duo policy in Jamf Pro:

  1. Log on to the Jamf Pro dashboard as an administrator and navigate to ComputersManagement Settings.

  2. Click the Scripts icon under Computer Management, and then click the + New button on the "Scripts" page.

  3. Enter the following information on the General options tab:

    Display Name Enter a descriptive name for the new script, like "Duo Enrollment Script".
    Category (Optional) Categorize the script if you wish.
    Information (Optional) Enter identifying information about the Duo script.
    Notes (Optional) Enter notes about the Duo script.
    Jamf Script General Options
  4. Click the Script tab in Jamf Pro.

  5. Switch to your Duo Admin Panel browser window, open to the "Jamf Pro" management tools integration. Choose one of the certificate lifetime options:

    1 year certificates These certificates expire one year from issuance. This is the best option for most Duo deployments.
    7 days certificates These certificates expire one week (seven days) from issuance. Select this option when you have users who need certificates reissued more frequently than the one year default. For example, you have virtual desktop users whose VDI endpoints are redeployed periodically, or a group of contractors who aren't expected to use the same workstations for a year.
    Jamf Script in Duo Admin Panel

    Click the Copy Script to Clipboard button in the "Copy the Jamf Enrollment Script" section of the page (step 1).

  6. Return to the Jamf Pro dashboard and paste the Duo script you just copied from the Admin Panel into the Script Contents box.

    Jamf Script Contents
  7. Click the Save button once you paste the Duo script contents. The script doesn't require any changes to "Options" or "Limitations".

  8. Click the Done button.

Add the Duo Script to a Jamf Computer Policy and Apply to Clients

To add the new Duo script to a new or existing computer policy:

  1. Navigate to ComputersPolicies in the Jamf Pro console. Click the + New button (or click on an existing policy and click the Edit button, then skip to step 3 below).

  2. To begin creating a new policy, enter the following information on the General options tab:

    Display Name Enter a descriptive name for the new policy, like "Duo Certificate Policy".
    Enabled Leave this option checked.
    Trigger Choose the options that make sense for your environment. We recommend Login and Recurring Check-in at minimum.
    Execution Frequency This policy should run again periodically to ensure timely renewal of the client's Duo certificate. We recommend Once every day as the minimum frequency.
    Jamf Policy General Options
  3. Click the Scripts item on the left, and then click the Configure button on the "Configure Scripts" page.

  4. Locate the Duo enrollment script you imported earlier in the list of scripts and click the Add button next to it. It is not necessary to change the script priority or add any parameters.

    Jamf Policy Script
  5. If you created a new policy, then you need to apply it to target systems. Click the Scope tab.

  6. Determine whether you want to target all computers or just a subset with the Target Computers drop-down menu.

  7. If you selected Specific Computers in the previous step, click the Add button and then select your desired target computers or computer groups by clicking the Add button next to their names. Click the Done button after you've selected all the targets.

    Jamf Policy Scope
  8. Click the Save button at the bottom of the page once you've added the script and defined the scope.

  9. To see the status of this policy on the dashboard, check the Show in JSS Dashboard option on the far right of the policy editor. Click the Done button at the bottom of the page.

Verify Your Setup

macOS with Duo Desktop

When macOS users access Duo-protected resources, the installed Duo Desktop provides device information to Duo. If the information from the device matches the information synced from Jamf, Duo grants access to the trusted device.

iOS App Config

iOS users see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

iOS Trusted Endpoint Inline Verification - Step 1

Duo uses the information synced from Jamf to perform a permissions check to verify device information.

iOS Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. Approving the request grants access to the protected application.

iOS Trusted Endpoint Verification - Step 3

After approving the Duo authentication request on iOS, users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

iOS Trusted Endpoint Verification - Step 4

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

macOS with Certificates

Monitor the status of your legacy Duo certificate policy by returning to the Jamf Pro dashboard periodically.

Jamf Dashboard

You can use the this command from a Terminal window on a target device to force a policy update:

sudo jamf policy

To confirm that your Jamf Pro policy worked, you can open the macOS Keychain Access application on a computer that successfully processed the Duo Jamf policy and make sure the Duo Device Authentication certificate is present in the "duo-auth" keychain.

Jamf macOS Certificate Verification

Finish Trusted Endpoints Deployment

Once your managed computers start receiving the Duo certificate you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.

Return to the Jamf Pro management integration in the Duo Admin Panel and click the Activate button at the bottom of the page so that the Device Insight and Endpoints pages in the Duo Admin Panel show trusted and untrusted access device status.

The Device Insight and Endpoints pages in the Duo Admin Panel show trusted and untrusted access device status.

As more of your devices receive the Duo certificate you can change the integration activation to apply to all users (if you just targeted test groups before), adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not have the Duo certificate. See the Trusted Endpoints documentation for more information.

Search for Device Identifiers

If you configured Duo Desktop for macOS or Duo Mobile for iOS with App Config to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Jamf into Duo.

To search for a device identifier in Duo:

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.

  2. Locate the Jamf with Duo Desktop or Jamf with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.

  3. In the Check if devices have synced section, enter the identifier for the device you want to check and click Search.

  4. A message appears indicating if the device identifier was either found or not found. If the device identifier is not found, check your Jamf API configuration and wait 24 hours.

Use these instructions to find the device identifier to search in Jamf.

  1. Log in to the Jamf administration website, navigate to ComputersSearch Inventory, and select a device to view.
  2. Select Hardware.
  3. The "UDID" is the device identifier. Copy this value and use it to perform the search in Duo.

Removing the Jamf Pro Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Jamf Pro integration from "Trusted Endpoints Configuration". You should also disable your Duo policy in Jamf.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.