Jamf and Intune coexistence

Try this dynamic membership query 

 (device.managementType -eq "MDM")

device.managementType equals "MDM"  only for the intune managed devices. 

Would device management type still be MDM for a personally owned device if it's not actually managed by Intune?  The personally owned devices aren't enrolled in Intune, they just use Application Protection Policies (MAM not MDM)

I am guessing no one has found a solution to this?

We have shared devices with Jamf and are looking to roll out app protection policies to all users. Jamf devices are not recognized in intune so we cant exclude these devices from the app protection policy that targets all unmanaged ios devices.

@SteveS I've made some progress.  For each Mobile Device App in Jamf that is also managed with MAM in Intune, i can add this to the App Config:

<dict>
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>
</dict>

That will make Intune think it is a managed device.  I can then go to Intune and exclude managed devices from the MAM policy.  This seems to work, but i haven't tried it for every app.

You know that feeling when you scour the internet and you find that one response where someone casually mentions the exact solution you're trying to implement. 

This is that moment Jason. 

So I actually already have this value pushed with Outlook as part of the larger app config we push to manage autologin and various other things but we still can't seem to get the devices to reflect 'managed' within intune.

Is the trick that 'every' MS app needs to have the KVP 'IntuneMAMUPN' and string $EMAIL added? 

Exact same use case - we just want to differentiate 3rd party MDM (JAMF) managed vs BYOD - from a MAM perspective.

So the intunemam key worked when app protection policies were deployed managed app vs managed device. That setting is no longer used and you should switch to all devices and use a filter. But there is no filter for this. 

So have you found a way to maintain two different app protection policies through a filter or KVP? 

I don’t have a need for changing conditional access I just need to have a slightly more lax app protection policy on fully MDM managed devices vs unmanaged BYOD.

HI @Maxb , yes i did.  In Intune i created a filter (Home > Apps > Filters) for iOS BYOD devices.  I use "(app.deviceManagementType -eq "Unmanaged")" as the syntax for that.  Then i add that filter to the scope for all of my MAM BYOD policies.  This ensures they only apply to BYOD type devices.  

Then in Jamf i go to App Configuration for the managed apps i had overlapping Intune policies for and add the "IntuneMAMUPN" key.  This marks it as managed.  When a user opens one of those apps Intune won't apply the MAM policy because the filter excludes it as it only applies to unmanaged devices

That's very helpful thank you.

So our 365 admins aren't seeing any of our devices showing as 'managed' in intune today and we are pushing the KVP for 'IntuneMAMUPN' and string $EMAIL with our Outlook for iOS app config - I'm not sure we have a 'managed' app policy created today and I'm curious if maybe that needs to be created before 'managed' devices appear within Intune perhaps? Or where can we view the 'managed' status of a device to confirm the KVP is working as intended. I really appreciate you taking the time to help me out.

Hello Steve, I work with Max. So are you saying we CANNOT use a app protection policy with a filter as that no longer works? Does a managed device configuration policy with a filter work? I just know the config policies dont have all the specific app settings we want to control/limit. Just trying to understand what DOES work and what our options are. If we cannot get filters to work we will need to try and do the compliance partner setup within Intune and I heard that is hit or miss as well. 

Also for what its worth, @SteveS or @Jason11 do you have the devices show up in Intune because of a partner connection between JamF and Intune or are you bypassing it by using this KVP (kev value pair) and the filters? I only say this because if I setup a managed device filter or policy I dont see anything as we dont have the devices showing/enrolled in Intune.

Ok. so this is what we are doing as well. We have the app protection policy setup and filtered just like you and our system has the same config values as well. We are not seeing the personal devices filtered out on the company device policy and vice versa. they are all being applied to the same policy. Have you found a workaround or confirmed how to get this to work or thats what you are still trying to figure out as well? @SteveS 

Hi! Has a setting been resolved by either Microsoft or Jamf to resolve this issue? I’m working through the same personal vs corporate app protection policy headache.