Skip to main content
Question

Cannot Register Macs with Entra Using Standard Account

  • September 19, 2024
  • 8 replies
  • 71 views
kiltedtenor
Forum|alt.badge.img+7

I've run into an issue with using Company Portal to register Macs in Entra for compliance purposes. It SEEMS to be a permissions issue. My admin account can register them, but my Joe Schmoe user account with no privileges can't. What I can't wring out of Microsoft or Jamf is what type of permissions my normal account might need to perform this action. We use Intune, not Jamf, for our mobile device management and we have Windows machines there as well. I can register or enroll all of those devices just fine, in testing. And my Admin account works just fine. Shows the device, compliance syncs over. All the fun bells and whistles. But with my regular account, I get this incredibly generic error when trying to even sign into Company Portal from the Self Service registration workflow... 

Anyone have any ideas what permissions/privileges our standard accounts might need to register Macs in Entra for compliance?

    8 replies

    A
    Forum|alt.badge.img+13
    • andrew_nicholas
    • Honored Contributor
    • September 19, 2024

    How many devices do you have registered to your regular account, and are other users getting this same issue or just you? I can get this from time to time if I have been lax about clearing out test device records and I reach the enrollment quota on my primary account. 

    kiltedtenor
    Forum|alt.badge.img+7
    • kiltedtenor
    • Author
    • Contributor
    • September 19, 2024

    How many devices do you have registered to your regular account, and are other users getting this same issue or just you? I can get this from time to time if I have been lax about clearing out test device records and I reach the enrollment quota on my primary account. 


    Good thought and thanks for chiming in so quickly, but I did clear out devices, worried about this exact issue first. Our org also has set a manual limit to, like, 100 devices or something, so, SO FAR it's not a device limit issue. But that's absolutely a good place to start, thank you!

    kiltedtenor
    Forum|alt.badge.img+7
    • kiltedtenor
    • Author
    • Contributor
    • September 19, 2024

    How many devices do you have registered to your regular account, and are other users getting this same issue or just you? I can get this from time to time if I have been lax about clearing out test device records and I reach the enrollment quota on my primary account. 


    Also, to answer the rest of your question, yes. It's universal across the folks I have testing in IT at least. Our standard account is unable to get past that error and our Admin accounts work perfectly. 

    AntMac
    Forum|alt.badge.img+10
    • AntMac
    • Valued Contributor
    • September 23, 2024

    Hi there 
    This is always a hard one as everyone has slight variations in their company config. From a permission perspective we really did not have to do anything special with our users. Just adjust a few scopes and tweak a few CAs.      

    A few questions, for the other accounts you are trying to register with. 
    Are the users in scope for device compliance on your Compliance Partner in Intune? 
    Do you have any Conditional Access policies that may block a standard user from reaching "User Registration App for Device Compliance" in Azure/Entra? 
    Are the devices in scope for Device compliance? 

    A
    Forum|alt.badge.img+3
    • arfan_ali
    • New Contributor
    • October 2, 2024

    Confirm the user you are doing the registration under is in the right Azure groups that's scoped on your Jamf Partner Device connector.

    Shyamsundar
    Forum|alt.badge.img+13
    • Shyamsundar
    • Jamf Heroes
    • October 8, 2024

    Please ensure that users are not scoped to both the Partner Device Management and Partner Compliance management modules. Users should be scoped to either of these modules.

    kiltedtenor
    Forum|alt.badge.img+7
    • kiltedtenor
    • Author
    • Contributor
    • October 9, 2024

    Hi there 
    This is always a hard one as everyone has slight variations in their company config. From a permission perspective we really did not have to do anything special with our users. Just adjust a few scopes and tweak a few CAs.      

    A few questions, for the other accounts you are trying to register with. 
    Are the users in scope for device compliance on your Compliance Partner in Intune? 
    Do you have any Conditional Access policies that may block a standard user from reaching "User Registration App for Device Compliance" in Azure/Entra? 
    Are the devices in scope for Device compliance? 


    Thanks for the response, yes to the first and last questions and I have our security guys taking a look at the middle question. 

    kiltedtenor
    Forum|alt.badge.img+7
    • kiltedtenor
    • Author
    • Contributor
    • October 9, 2024

    Confirm the user you are doing the registration under is in the right Azure groups that's scoped on your Jamf Partner Device connector.


    Yep, we have it scoped to our equivalent of an "active employees" group in AD. And I'm definitely a member of that group as scoping things to that group has workedd in the past, but it was worth checking.

    Terms & ConditionsCookie settingsAccessibility statement