Identity Settings Explained
Let's take a deeper dive into the Identity settings available on the policy integration panel. Identity works with Okta, Azure, and Google on OS X Mojave (10.14) devices and up.
Identity Provider
This option allows an admin to pick the desired identity provider that end users will authenticate against. This also determines which identity provider settings become available to you.
Block Setup Assistant While Service Is Getting Configured
This setting makes sure that when Identity is deployed via Automated Device Enrollment (ADE), the deployment complies with the Await Device Configured option in ADE. The end user is held on the enrollment screen until Identity has been fully deployed. This prevents the end user from reaching the login window before Addigy Identity is deployed and ready to handle their authentication.
Create Users As Administrators
This setting determines whether users created via just-in-time user account creation are administrators or standard users. In some cases the user is allowed to be an admin on their own machine, and this flag lets you manage that case. In other cases every user who logs in should have limited permissions, which you achieve by leaving this option off. If you have a mixed batch where some users should be admins and others standard users, we recommend leaving this option off and elevating privileges via other Addigy functionality such as scripts, alerts with automatic remediation, and Maintenance.
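When this option is left off for a mixed batch and admin rights are granted selectively afterwards, it is worth verifying on the device which local accounts actually ended up in the admin group. The following audit script is an added example, not Addigy's own code: it parses the output of the built-in `dscl` tool (`dscl . -read /Groups/admin GroupMembership` and `dscl . -list /Users UniqueID`), filters out system and service accounts, and reports any admin account that is not on an allow-list you supply. The account names, UIDs and allow-list below are constructed for the example; on a Mac the script runs `dscl` itself, elsewhere it falls back to the constructed sample output.

```python
"""Audit which local macOS accounts hold admin rights.

Added example (not Addigy's code). Use it after deploying Identity with
"Create Users As Administrators" turned off to confirm that just-in-time
created accounts are not members of the local admin group.
"""
import shutil
import subprocess

# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on macOS; the account names are made up for this example.
SAMPLE_ADMIN_GROUP = "GroupMembership: root itadmin jsmith\n"

# Constructed sample of `dscl . -list /Users UniqueID` (name and UID per line).
SAMPLE_USER_LIST = """_mbsetupuser 248
root 0
itadmin 501
jsmith 502
mlee 503
"""

# Constructed allow-list: accounts that are expected to be admins.
SAMPLE_ALLOWED_ADMINS = ["itadmin"]


def parse_admin_members(dscl_output: str) -> set[str]:
    """Extract account names from the GroupMembership line of dscl output."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()  # group has no explicit members listed


def parse_local_users(dscl_output: str, min_uid: int = 500) -> set[str]:
    """Return human account names: UID >= min_uid and not a service account.

    macOS assigns UIDs from 500 upwards to regular users; service accounts
    start with an underscore and sit below that range.
    """
    users = set()
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        name, uid = parts[0], int(parts[1])
        if uid >= min_uid and not name.startswith("_"):
            users.add(name)
    return users


def unexpected_admins(admin_members: set[str], local_users: set[str],
                      allowed_admins) -> list[str]:
    """Human accounts in the admin group that are not on the allow-list."""
    return sorted((admin_members & local_users) - set(allowed_admins))


def run_dscl(args: list[str]) -> str:
    """Run dscl against the local directory node and return its stdout."""
    return subprocess.run(["dscl", "."] + args, capture_output=True,
                          text=True, check=True).stdout


def audit(allowed_admins, admin_output=None, users_output=None) -> list[str]:
    """Collect dscl output (live or supplied) and return unexpected admins."""
    if admin_output is None or users_output is None:
        if shutil.which("dscl"):
            admin_output = run_dscl(["-read", "/Groups/admin", "GroupMembership"])
            users_output = run_dscl(["-list", "/Users", "UniqueID"])
        else:
            # Not on macOS: fall back to the constructed samples above.
            admin_output, users_output = SAMPLE_ADMIN_GROUP, SAMPLE_USER_LIST
    return unexpected_admins(parse_admin_members(admin_output),
                             parse_local_users(users_output),
                             allowed_admins)


if __name__ == "__main__":
    for name in audit(SAMPLE_ALLOWED_ADMINS):
        print(f"unexpected admin account: {name}")
```

Against the constructed sample the script reports `jsmith`, because that account is in the admin group but not on the allow-list; `root` is ignored because it is not a regular user account. Wiring this into an Addigy script or alert with automatic remediation is the kind of follow-up the page refers to.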
Allow Local Credentials At The Addigy Identity Login Window
This setting allows users and administrators to log in to the machine without authenticating against their identity provider. When the machine has no internet connection, the user cannot authenticate against the identity provider and may be locked out if they are unable to log in to their already created local account. Note that bypassing the identity provider also bypasses password syncing and password policies. For strictly managed machines, it may be necessary to leave this option off.
Allow Users To Sync Identity Accounts With Local User Accounts
This setting allows an identity provider (IdP) email from your Okta, Azure, or Google environment to be synced to an already existing local account on the device. This helps when deploying Identity to devices that are already provisioned and have existing users. When the user logs in with their identity provider email for the first time, they are prompted either to select an existing local account to sync to or to create a new local account. When choosing an existing local account, the user is asked to validate that local account's credentials.
Allow Users To Leave Addigy Identity And Revert To Local macOS Login
This setting allows the end user to perform a one-time revert from the Identity login window back to the native macOS login window. This is useful when the user runs into issues authenticating with their credentials and needs access to the native macOS functionality.