We use Jamf Pro Cloud to manage our Mac fleet but would like to hybrid join our Macs to Intune as a method to control who can use Office 365. I see that Conditional access is being Deprecated. Can I accomplish this with just using Device Compliance? I keep getting Notifications in endpoint stating that an Intune update is coming concerning Intune device compliance. I’m new to Azure / Intune so I apologize for my ignorance on that side.
Solved
Best way to bind Macs to Intune for Office 365 Access?
+7Best answer by stevewood
There's no such thing as a hybrid join on Mac. An Apple device can have one MDM profile on it at a time, so if you are managing with Jamf Pro you would be unable to join to Intune.
Device Compliance sends a compliant signal to Azure (Entra) based on a Smart Group in Jamf Pro. If a device falls into the Smart Group, it is compliant. If it falls out, it is not compliant.
The devices will show up under Devices in Azure AD (Entra AD) and their compliant status will be visible there. You can then utilize the Conditional Access blade in Azure to set a policy for access to O365 properties.
Hopefully that makes sense. Some links:
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
+35There's no such thing as a hybrid join on Mac. An Apple device can have one MDM profile on it at a time, so if you are managing with Jamf Pro you would be unable to join to Intune.
Device Compliance sends a compliant signal to Azure (Entra) based on a Smart Group in Jamf Pro. If a device falls into the Smart Group, it is compliant. If it falls out, it is not compliant.
The devices will show up under Devices in Azure AD (Entra AD) and their compliant status will be visible there. You can then utilize the Conditional Access blade in Azure to set a policy for access to O365 properties.
Hopefully that makes sense. Some links:
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
+25@bern In addition to the information that @stevewood provided, make sure that the Azure AD credentials you are using to set up the Device Compliance integration have the Global Administrator permission. That little tidbit seems to be missing in the Jamf docs, and without it you won't get past the "Need admin approval" screen when signing in to Azure AD/Intune.
+35@bern In addition to the information that @stevewood provided, make sure that the Azure AD credentials you are using to set up the Device Compliance integration have the Global Administrator permission. That little tidbit seems to be missing in the Jamf docs, and without it you won't get past the "Need admin approval" screen when signing in to Azure AD/Intune.
Good callout on that! I'll put a ticket in to get that documentation updated to indicate Global Admin privs are necessary. I could've sworn we already made that change.
+25Good callout on that! I'll put a ticket in to get that documentation updated to indicate Global Admin privs are necessary. I could've sworn we already made that change.
It is called out in the old MS docs on Conditional Access integration (https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-jamf-cloud-connector), but I didn't find it in any of the Jamf Device Compliance configuration docs.
+7Everyone else commenting has given you great tidbits on how to handle the conditional access pieces. The one thing that is worth adding in is that "binding" in the traditional "joining devices to Active Directory" sense is dead. It was never a great experience with on-premise Active Directory and it's not really something you can do with Azure AD/Entra ID either. If controlling identity as a means of controlling access to the Mac is important to you, you'll want to use JAMF Connect in conjunction with Azure AD/Entra ID.
+7Thank you guys for your guidance and sharing your experiences. Diving into Entra ID really makes me appreciate the Jamf experience that much more!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.