Identity Settings Explained
Let's take a deeper dive into the Identity settings available on the policy integration panel. Identity works with Okta, Azure, and Google on macOS Mojave (10.14) and later.
Identity Provider
This option allows an admin to pick the desired identity provider that end users will authenticate against. This also determines which identity provider settings become available to you.
Block Setup Assistant While Service Is Getting Configured
This setting makes sure that when Identity is deployed via Automated Device Enrollment (ADE), the deployment honors the Await Device Configured option in ADE: the end user is held on the enrollment screen until Identity has been fully deployed. This prevents the end user from reaching the login window before Addigy Identity is installed and ready to handle their authentication.
Video: Addigy Truly Touchless Deployment
Create Users As Administrators
This setting determines whether the accounts created by just-in-time user account creation are administrators or standard users. In some environments the user is allowed to be an admin of their own machine, and this flag covers that case. In others, every user who logs in should have limited permissions, which you get by leaving this option off; that is the least-privilege default. If you have a mixed population where some users should be admins and others standard users, we recommend leaving this option off and elevating privileges selectively via other Addigy functionality such as scripts, alerts with automatic remediation, and Maintenance.
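As an added example of the "elevate via scripts" route recommended above (this is not Addigy's own code), the following Python script reconciles the local admin group against an allowlist. It assumes Create Users As Administrators is left off, that it runs as root from an Addigy script or Maintenance item, and that the allowlist name `ADMIN_ALLOWLIST` and the protected-account set are placeholders you populate yourself. It reads current membership with `dscl` and changes it with `dseditgroup`, so only existing local users are ever promoted or demoted; system accounts below UID 500 and the protected set are never touched.

```python
#!/usr/bin/env python3
"""Keep local admin rights on an allowlist basis (added example, not Addigy code).

Identity creates standard users when Create Users As Administrators is off;
this script then makes exactly ADMIN_ALLOWLIST (plus PROTECTED) members of
the local admin group. Run as root; pass --dry-run to only print the plan.
"""
import subprocess
import sys

ADMIN_ALLOWLIST = {"itadmin"}  # hypothetical; fill from your own source of truth
PROTECTED = {"root"}           # never demoted; add your MDM management account here
MIN_USER_UID = 500             # accounts below this are macOS system accounts, left alone


def run(*cmd: str) -> str:
    """Run a command and return its stdout, raising on a non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_local_users(dscl_output: str, min_uid: int = MIN_USER_UID) -> set:
    """Parse `dscl . -list /Users UniqueID` ("name uid" per line) into real user shortnames."""
    users = set()
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit() and int(parts[1]) >= min_uid:
            users.add(parts[0])
    return users


def parse_admin_members(dscl_output: str) -> set:
    """Parse `dscl . -read /Groups/admin GroupMembership` ("GroupMembership: root alice")."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def plan_changes(current_admins, local_users, allowlist=ADMIN_ALLOWLIST, protected=PROTECTED):
    """Return (to_add, to_remove) as sorted lists.

    Only allowlisted users that actually exist on this Mac are promoted, and only
    real local users outside the allowlist and the protected set are demoted.
    """
    to_add = (set(allowlist) & local_users) - current_admins
    to_remove = (current_admins & local_users) - set(allowlist) - set(protected)
    return sorted(to_add), sorted(to_remove)


def apply_changes(to_add, to_remove, dry_run=False):
    """Promote with `dseditgroup -a`, demote with `dseditgroup -d`."""
    for flag, users in (("-a", to_add), ("-d", to_remove)):
        for user in users:
            cmd = ("dseditgroup", "-o", "edit", flag, user, "-t", "user", "admin")
            print(("would run: " if dry_run else "running: ") + " ".join(cmd))
            if not dry_run:
                run(*cmd)


if __name__ == "__main__":
    dry_run = "--dry-run" in sys.argv[1:]
    admins = parse_admin_members(run("dscl", ".", "-read", "/Groups/admin", "GroupMembership"))
    users = parse_local_users(run("dscl", ".", "-list", "/Users", "UniqueID"))
    add, remove = plan_changes(admins, users)
    apply_changes(add, remove, dry_run=dry_run)
```

Run it once with `--dry-run` on a test Mac to confirm the plan before letting it edit group membership; pairing it with an Addigy alert that fires when admin membership drifts from the allowlist gives you the automatic remediation the text mentions.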
Allow Local Credentials At The Addigy Identity Login Window
This setting allows users and administrators to log in to the machine without authenticating against the identity provider. If the machine has no internet connection, the user cannot authenticate against the identity provider and may be locked out unless they can log in to their already created local account. Note that bypassing the identity provider also bypasses password syncing and password policies: a local login is checked only against the local account password, so whatever the identity provider enforces does not apply to it. For strictly managed machines, you may want to leave this option off.
Allow Users To Sync Identity Accounts With Local User Accounts
This setting allows an identity provider (IdP) email from your Okta, Azure, or Google environment to be synced to an already existing local account on the device. This helps when deploying Identity to devices that are already provisioned and have existing users. When the user logs in with their identity provider email for the first time, they are prompted either to select an existing local account to sync to or to create a new local account. When choosing an existing local account, the user must validate that account's local credentials, so an IdP login cannot take over a local account whose password the user does not know.
Allow Users To Leave Addigy Identity And Revert To Local macOS Login
This setting allows the end user to do a one-time revert from the Identity login window back to the native macOS login window, for cases where the user runs into issues authenticating with their credentials and needs access to the native macOS login functionality.
Identity Provider-Specific Settings
Okta
Domain
By supplying the domain of your Okta organization, Identity can authenticate users against that domain over HTTPS. The response to this authentication gives Identity the user information required to generate the local user account; Addigy never stores any passwords. You can find the Okta domain in your Okta account URL (it has the form of, for example, example.okta.com, with your own org name in place of example). Do not include the https://.
Azure
Tenant ID
The tenant ID links Identity to the Azure Active Directory tenant associated with your organization. You can find this information after creating an App registration under your Azure Active Directory.
Client ID
The client ID references the application (App registration) within your Azure Active Directory that Identity uses for authentication.
Client Secret
The client secret is a secret string that the application uses to prove its identity when requesting a token; it is also referred to as an application password. You create it in the Certificates & secrets section of the App registration. Copy the secret's Value (not its Secret ID) at creation time, since the portal shows the value only once, and note its expiration date: client secrets expire, and an expired secret must be replaced in the Identity settings or authentication against Azure will fail.
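The following Python script is an added pre-flight check for the values described in the Okta Domain and Azure Tenant ID, Client ID and Client Secret sections above; it is not Addigy's own tooling. The offline functions normalize an Okta domain to the bare hostname the settings field expects, check that the Azure IDs are GUIDs and that the secret is a Value rather than a Secret ID, and build the providers' standard OpenID discovery URLs. Invoked from the command line it also fetches those discovery documents and, for Azure, performs a client-credentials token request so a wrong or expired secret shows up before it goes into the policy. The script name `idp_preflight.py`, the environment variable `AZURE_CLIENT_SECRET` and the sample GUIDs are assumptions for the example.

```python
#!/usr/bin/env python3
"""Pre-flight checks for the identity provider values entered into Identity.

Added example, not Addigy's own tooling. The normalize/validate functions run
offline; run from the command line, the script also fetches each provider's
OpenID discovery document and, for Azure, requests a client-credentials token
to prove that Tenant ID, Client ID and Client Secret agree.
"""
import getpass
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_okta_domain(value: str) -> str:
    """Reduce whatever was pasted from the browser to the bare Okta org hostname.

    The Domain field wants e.g. example.okta.com: no https://, port or path.
    """
    text = value.strip()
    if "://" not in text:
        text = "//" + text  # so urlsplit treats the whole string as the host part
    host = (urllib.parse.urlsplit(text).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"Okta Domain is not a hostname: {value!r}")
    if host.endswith((".okta.com", ".oktapreview.com")) and labels[0].endswith("-admin"):
        # <org>-admin.okta.com is the admin console, not the org domain users sign in to
        raise ValueError(f"{host} is the Okta admin console hostname; drop the -admin suffix")
    return host


def validate_guid(label: str, value: str) -> str:
    """Azure Tenant ID and Client ID are both GUIDs."""
    text = value.strip()
    if not GUID_RE.match(text):
        raise ValueError(f"{label} must be a GUID (8-4-4-4-12 hex digits), got {value!r}")
    return text.lower()


def validate_client_secret(value: str) -> str:
    """The portal lists a Secret ID (a GUID) next to the Value; Identity needs the Value."""
    text = value.strip()
    if not text:
        raise ValueError("Client Secret is empty")
    if GUID_RE.match(text):
        raise ValueError("Client Secret looks like the Secret ID GUID; paste the secret Value instead")
    return text


def okta_discovery_url(domain: str) -> str:
    return f"https://{normalize_okta_domain(domain)}/.well-known/openid-configuration"


def azure_discovery_url(tenant_id: str) -> str:
    tenant = validate_guid("Tenant ID", tenant_id)
    return f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"


def azure_issuer_matches(discovery_doc: dict, tenant_id: str) -> bool:
    """Azure's v2.0 issuer embeds the tenant GUID, so a mismatch means a wrong Tenant ID."""
    expected = f"https://login.microsoftonline.com/{tenant_id.strip().lower()}/v2.0"
    return discovery_doc.get("issuer", "").lower() == expected


def fetch_json(url, data=None, timeout=10):
    """GET (or POST when data is given) and decode JSON; AADSTS error bodies are JSON too."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode() or "{}")


def azure_token_check(tenant_id, client_id, client_secret):
    """Client-credentials request. A response with access_token means the three values agree;
    otherwise error_description carries an AADSTS code (7000215: wrong secret value,
    7000222: secret expired)."""
    tenant = validate_guid("Tenant ID", tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": validate_guid("Client ID", client_id),
        "client_secret": validate_client_secret(client_secret),
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return fetch_json(f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", body)


if __name__ == "__main__":
    # Usage: idp_preflight.py okta <domain>
    #        idp_preflight.py azure <tenant_id> <client_id>   (secret from $AZURE_CLIENT_SECRET or prompt)
    args = sys.argv[1:]
    if args[:1] == ["okta"] and len(args) == 2:
        print("Okta issuer:", fetch_json(okta_discovery_url(args[1])).get("issuer"))
    elif args[:1] == ["azure"] and len(args) == 3:
        secret = os.environ.get("AZURE_CLIENT_SECRET") or getpass.getpass("Client Secret value: ")
        print("Tenant ID ok:", azure_issuer_matches(fetch_json(azure_discovery_url(args[1])), args[1]))
        token = azure_token_check(args[1], args[2], secret)
        print("Client ID/Secret ok:", "access_token" in token, token.get("error_description", ""))
    else:
        sys.exit(__doc__)
```

The secret is read from an environment variable or an interactive prompt rather than a command-line argument so it does not land in shell history or process listings; the same care applies wherever you handle the value before it goes into the Identity settings.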
For more information on how to configure your Azure Active Directory App registration, see this knowledge base article: