Duo Access Gateway

Duo Access Gateway (DAG), our on-premises SSO product, layers Duo's strong authentication and flexible policy engine on top of Jamf Pro logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard. Duo Access Gateway authenticates your users using existing on-premises or cloud-based directory credentials and prompts for two-factor authentication before permitting access to Jamf Pro.

Duo Access Gateway is included in the Duo Beyond, Duo Access, and Duo MFA plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Jamf Pro. Duo checks the user, device, and network against an application's policy before allowing access to the application.

For instructions on setting up Jamf Pro with the DAG, see https://duo.com/docs/jamf-jss

Duo Trusted Endpoints

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo-protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices using Jamf Pro. This guide walks you through using Jamf Pro to distribute a certificate enrollment script to your managed devices.