Hi,
I registered a few devices via Self Service and the Device Compliance to our Azure AD. The registration process is fine and the devices show up after 2-3 min in Azure, but it takes many hours or a day until the device is marked as compliant. There is just "N/A".
As long as the status isn't marked as compliant the user can't access apps which are restricted to company devices that must be compliant.
Does somebody have the same issues?
I think it is not related to AzureAD because Jamf checks the compliance criteria by itself and sends it to AAD.
The devices are listed in the Smart Group with the compliance criteria.
Best regards,
Jonny

Update:
As you can see in the following image, the device was not updated until the next day.
The screenshot is from the AAD Audit Log.

First the device is marked as "managed" and on the next day as "compliant".


I've not seen that in my tests. I believe I've heard from Jamf colleagues that compliance is re-assessed after a device unlock or the daily inventory update.
Hey,
Thanks for your reply. Yes, when I registered my own device it was marked as compliant within minutes in AAD. So I'm wondering why this is happening now.
This workflow would be pretty "inelegant" if we tell new colleagues that they have to wait hours or a day after registration to use their new iPhones. The iPhones were in use after registration.
Any ideas how to trigger the compliance update or maybe a workaround?
@jonn1e
I cannot remember where I read about it; however, there are 2 events that trigger a device compliance check:
1) After each device unlock (i.e. from a locked screen to unlock and access to the home screen)
2) After the daily inventory scan
Hm so it seems like a bug? At least for 1).
Today we registered a few more devices and none of them are getting marked as compliant, and they are in use, which means they will get unlocked many times a day. Maybe I should raise a support ticket.
Has anyone found a solution to this as I'm having a similar issue.
I'm still investigating with Jamf Support. Will give you an update as soon as possible.
Hi, I am experiencing a similar behavior with my devices. Did you find a solution with Jamf Support?
Still corresponding with Jamf Support. We're waiting for the next devices for enrollment, then we can generate a debug log file.
After spending time with both Jamf and Microsoft Support we finally traced our issue to conditional access policies within Azure blocking "Cloud Connector for Device Compliance". By excluding this within Conditional Access we were able to get devices registering as compliant.
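The check described in the post above, as an added example that is not part of the original thread: it lists the Conditional Access policies whose application scope covers the connector app without excluding it, together with the grant controls each one enforces. The app ID is a placeholder and the sample policies are constructed; only the application scope is evaluated, not user or group scope.

```python
# Placeholder, not a real ID: use the application (client) ID that the
# "Cloud Connector for Device Compliance" enterprise app has in your tenant.
CONNECTOR_APP_ID = "00000000-0000-0000-0000-000000000000"

def _policy(name, state, include, exclude, controls):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"applications": {"includeApplications": include,
                                        "excludeApplications": exclude}},
        "grantControls": {"builtInControls": controls},
    }

# Constructed sample data, not taken from any real tenant.
SAMPLE_POLICIES = [
    _policy("Require compliant device - all apps", "enabled", ["All"], [], ["compliantDevice"]),
    _policy("Require MFA - connector excluded", "enabled", ["All"], [CONNECTOR_APP_ID], ["mfa"]),
    _policy("Old block policy", "disabled", ["All"], [], ["block"]),
    _policy("MFA pilot", "enabledForReportingButNotEnforced", ["All"], [], ["mfa"]),
    _policy("Office 365 only", "enabled", ["Office365"], [], ["mfa"]),
]

def policies_covering_app(policies, app_id):
    """Return (name, state, controls) for non-disabled policies whose
    application scope includes app_id and does not exclude it."""
    hits = []
    for p in policies:
        if p.get("state") == "disabled":
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if ("All" in include or app_id in include) and app_id not in exclude:
            # grantControls can be null on session-only policies.
            controls = (p.get("grantControls") or {}).get("builtInControls") or []
            hits.append((p["displayName"], p["state"], sorted(controls)))
    return hits

if __name__ == "__main__":
    for name, state, controls in policies_covering_app(SAMPLE_POLICIES, CONNECTOR_APP_ID):
        print(f"{state:36} {name}: {', '.join(controls) or 'no grant controls'}")
```

Real input would be the `value` array returned by Microsoft Graph's `/identity/conditionalAccess/policies` listing. Policies in the report-only state are listed for review but are not enforced.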
Hey @petew ,
Thanks for sharing this helpful information with us! 🙂
From which conditional access enforcement did you exclude the App? MFA, Compliance Status or just from everything?
Hi there, appreciate this is a bit of an old post, but I'm encountering the same issue. Does anyone else have any suggestions? - To confirm, exactly the same issue raised in this post, user registers device, but does not turn compliant until the next day
I'm having a very similar issue, but it's gone a step further. I set everything up as per the docs, it worked about three times without too much of a delay—great, I thought. Now I've gone backwards, all test devices marked as non-compliant and now can't get them compliant again for love nor money.
Things seem to be breaking down at the Compliance Partner / Cloud Connector for Device Compliance level in Azure AD...even though it tells me it's synced successfully, it never marks the devices as compliant.
Did you have any joy with a resolution? Maybe it will shed some light on my issue :-)
@jimmyroot
I'm not sure what solved my problems with the sync but for now it works fine, except the update of the device status like used iOS version.
But maybe it's a good idea to wait for 10.43.0 -> regarding the beta announcement Jamf will improve the "Device Compliance integration with Microsoft Endpoint Manager".
Thanks for the reply my friend.
Yesterday some of the aforementioned devices were eventually marked compliant...but no joy with the others. I ended up de-registering them all from Azure AD, was careful to go through and wipe out any old records from AAD/Intune, then re-registering from iOS Self Service → Authenticator.
After that, they were all marked compliant within 10 minutes...so not sure what caused the initial delay. Thinking either stale records in AAD that I hadn't checked previously, or one of the other fixes mentioned above.
Either way, thanks for drawing attention to the upcoming 10.43.0 beta, it's clearly something that is on the Jamf radar, so to speak 👀