For all of you who are looking to configure Device Compliance with Jamf, here are the detailed steps you need to follow. Jamf's KB is lacking and Tech Support for this didn't help, so I am documenting what we did.
Current steps at the time of this writing; take note of the Requirements in each KB:
Jamf KB - https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html
Microsoft KB - https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-partners
Note: if you currently have Conditional Access from Jamf connected to Intune, it's up to you whether you want to disable it prior to configuring Device Compliance. We had this connected but were not utilizing it for anything, so we disabled it (incorrectly, I might add; see the correct steps to decommission it below) so we wouldn't have to do it later when it gets decommissioned by Jamf (est. mid 2024).
Microsoft KB for Conditional Access, see the section on deprovisioning:
https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-integrate-jamf
This is what was causing our issues with registering through the Company Portal app, which kept failing. Once we got the Conditional Access connector to show "terminated" in Intune, we were able to register devices.
1. Connect the Device Compliance service from Jamf to Intune. The following Azure Enterprise apps will be created; their permissions cannot be edited since they are created by Jamf.
   - Cloud Connector for Device Compliance app
   - User Registration app for Device Compliance
2. Create Partner Compliance in Intune.
3. Confirm the service is connected in both the Jamf Device Compliance section and in Intune under Partner Compliance Management.
4. (Not 100% sure this is needed, but we did it.) Create a Compliance policy in Intune under Devices, macOS, Compliance policies.
5. Create a policy to push the Self Service app if you don't have it deployed already.
6. Download Company Portal and create a policy to install it.
7. Create a policy to Register and add it to Self Service.
8. Create a policy from the script below; it auto-runs the policy from step 7 instead of having end users navigate to Self Service to run it.
9. Create an Extension Attribute to confirm the device is registered. See below for the EA.
10. Create a Configuration Profile to have JamfAAD bypass Default Browser to
11. Create a Configuration Profile to use the Azure SSO plugin; this reduces how often Mac users have to type their username and password. See below.
At the time of this writing we are on Jamf Pro Cloud 10.46.1 and did not have to run a `sudo jamf manage` prior to enrolling. Devices that get enrolled also show up under Azure AD devices as compliant or not compliant.
From Step 8: script to auto-run the Self Service policy; change the policy ID and dialog text to your needs.
#!/bin/bash
# Define variables
brandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
policyID="291"
# Get the logged-in (console) user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
answer=$( osascript << EOF
button returned of (display dialog "Please finish setting up your computer by running the Register Mac Device with Azure AD in Self Service. Click OK to get started!" buttons {"OK"} default button 1 with icon POSIX file "$brandIcon")
EOF
)
echo "$answer"
# Use a string comparison: -eq is for integers and would evaluate "OK" as 0 -eq 0 (always true)
if [[ "$answer" == "OK" ]]; then
    # Relaunch Self Service as the console user, opened directly on the registration policy
    su "$loggedInUser" -c 'killall "Self Service"'
    su "$loggedInUser" -c "open \"jamfselfservice://content?entity=policy&id=$policyID&action=view\""
fi
From Step 9: Extension Attribute
#!/bin/bash
# Get the logged-in (console) user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
userHome="/Users/$loggedInUser"
# Check if the WPJ (workplace join) private key is present in the user's login keychain
WPJKey=$(security dump "$userHome/Library/Keychains/login.keychain-db" 2>/dev/null | grep MS-ORGANIZATION-ACCESS)
if [ -n "$WPJKey" ]; then
    # WPJ key is present; check if the jamfAAD plist exists
    plist="$userHome/Library/Preferences/com.jamf.management.jamfAAD.plist"
    if [ ! -f "$plist" ]; then
        # plist doesn't exist
        echo "<result>WPJ Key present, JamfAAD PLIST missing</result>"
        exit 0
    fi
    # plist exists; check if jamfAAD has acquired the AAD ID (only the <result> line is stored by Jamf)
    AAD_ID=$(defaults read "$plist" have_an_Azure_id 2>/dev/null)
    if [[ "$AAD_ID" == "1" ]]; then
        # jamfAAD ID exists
        echo "<result>Registered</result>"
        exit 0
    fi
    # WPJ key is present but no AAD ID acquired
    echo "<result>WPJ Key Present. AAD ID not acquired</result>"
    exit 0
fi
# No WPJ key
echo "<result>Not Registered</result>"
From Step 10: JamfAAD to use WKWebView, Configuration Profile
Preference domain: com.jamf.management.jamfAAD
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>useWKWebView</key>
    <true/>
    <!-- logPII enables logging of personally identifiable information; useful while troubleshooting registration, consider setting it to false once things work -->
    <key>logPII</key>
    <true/>
    <key>tokenRetryCount</key>
    <integer>3</integer>
    <key>tokenRetryWaitTime</key>
    <integer>42</integer>
</dict>
</plist>
From Step 11: Microsoft Enterprise SSO plugin
Payload Type: SSO
Extension ID: com.microsoft.CompanyPortalMac.ssoextension
Team ID: UBF8T346G9
Sign-on Type: Redirect
URLs:
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.us
https://login-us.microsoftonline.com
Auth Method: Password
Custom Config .plist:
{
  "AppPrefixAllowList": {
    "value": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
    "type": "string"
  },
  "browser_sso_interaction_enabled": {
    "value": 1,
    "type": "integer"
  },
  "disable_explicit_app_prompt": {
    "value": 1,
    "type": "integer"
  }
}
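To sanity-check what the custom configuration above turns into on the Mac, here is an added example (not from the original post or from Jamf) that converts the {key: {value, type}} form into the flat ExtensionData dictionary of an Extensible SSO payload and renders it as a plist that can be diffed against the installed profile. It assumes only the "string" and "integer" types used in the post are needed, and the sample configuration is a constructed copy of the post's values.

```python
import json
import plistlib

# Constructed copy of the custom configuration from the post (same keys and values).
JAMF_CUSTOM_CONFIG = json.dumps({
    "AppPrefixAllowList": {"value": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.", "type": "string"},
    "browser_sso_interaction_enabled": {"value": 1, "type": "integer"},
    "disable_explicit_app_prompt": {"value": 1, "type": "integer"},
})

# URLs from the post's SSO payload.
SSO_URLS = [
    "https://login.microsoftonline.com", "https://login.microsoft.com", "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn", "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us", "https://login-us.microsoftonline.com",
]

def custom_config_to_extension_data(config_json: str) -> dict:
    """Flatten Jamf's {key: {value, type}} entries into the ExtensionData dict.
    Assumption: only string/integer/boolean types occur; anything else is rejected
    so a typo in 'type' does not silently ship a wrong value."""
    casters = {"string": str, "integer": int, "boolean": bool}
    out = {}
    for key, entry in json.loads(config_json).items():
        kind = entry.get("type")
        if kind not in casters:
            raise ValueError(f"unsupported type {kind!r} for key {key!r}")
        out[key] = casters[kind](entry["value"])
    return out

def app_prefix_allow_list(extension_data: dict) -> list:
    """Split AppPrefixAllowList into its bundle-ID prefixes, dropping blanks."""
    raw = extension_data.get("AppPrefixAllowList", "")
    return [p for p in (s.strip() for s in raw.split(",")) if p]

def build_sso_payload_plist(extension_data: dict) -> bytes:
    """Render the Extensible SSO payload (keys from the post) as XML plist bytes."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "TeamIdentifier": "UBF8T346G9",
        "Type": "Redirect",
        "URLs": SSO_URLS,
        "ExtensionData": extension_data,
    }
    return plistlib.dumps(payload)

def extension_data_from_plist(plist_bytes: bytes) -> dict:
    """Read ExtensionData back out of a payload plist (e.g. one exported from a Mac)."""
    return plistlib.loads(plist_bytes)["ExtensionData"]
```

On a Mac the installed profile can be exported with `profiles -P -o stdout-xml` and its ExtensionData compared against the output of this converter.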