Jamf / Entra Device Compliance - Weird behaviour with MDM Authority

Hi Nina

We are in exactly the same situation. Everything has worked fine. 

Check the PI PI113193

https://account.jamf.com/products/jamf-pro/known-issues

We have already an open case at jamf support and wating for some solution. 

I have almost spent the entire last week for searching the issue, because we had a few new employees they started and almost all of them was registered first successfully and then lost the connection.

So our MacBooks are loosing the MS Workplace Joinkey and when checking the ~/Library/Preferences/com.jamf.management.jamfAAD.plist file, we see an successfull tokentimestamp but the have_an_Azure_id changed to false.

<key>LoginKeychainEmpty</key>
<true/>
<key>have_an_Azure_id</key>
<true/>
<key>last_aad_token_timestamp</key>
<real>1696928734.5948009</real>

So i recommend to open also a case in jamf support.

BR

J

Thanks for the additional input and the info about the ticket! 

I deleted one of the affected macs from the Entra / Azure Portal and flushed the successful enrollment. The device was then added to Entra again and apparently the bind is now back. It didn't work before, when I just flushed the Policy but the left device in Entra.

I will check if this approach helps or not. If this comes back, I will open a ticket as well! 

Best,

Nina

I have done the same and a lot of other tries. Last friday I have done the enrollment with all affected users myself (remote). Deleting everything from device, reinstall company portal, deleting device in entra. Checking the logs, done the registration myself with each of the user. Everything was fine til monday morning :)

All of the macbooks i've done at friday hast lost again the connection to entra.

So, jamf support was asking if we are using sso extension and if we have an endpoint protection installed. 
Both i can answer with = yes.

SSO Extension is configured and we use the MS Defender.

I am sure jamf or MS will find the issue. Its really not sure, that this is a jamf issue.

Oh welp. Thanks for the additional input. Then I guess I'll just open a ticket right away. 

We also have the SSO Extension and an endpoint protection in place. But we're using Sophos Endpoint right now.

Glad to hear they're working on it though :( 
(Btw, I like that this became a chat between a cat and a dog. :D) 

I thought the same for the dog and cat. But i can also switch to a dog.
I have enough of dog pictures for my dog.
So hopefully MS or jamf will find here some solution!

I had the same issue, some devices were showing up as "not compliant" in Azure and MDM is "Non" .. when I tried to delete the records of those Macs from Azure and re-register them again it worked but some one the Macs showed up all of a sudden again as "Not compliant" ..  I did the re-integration with MS Azure and so far it works well and hopefully it will continue like that.

Hi @MacJunior roughly how long is so far? Days, weeks, months? Very interested! Thx!

So far, it helped for me to delete the devices from azure and reenroll them... I wonder how long it will last though. 

I will keep your solution in mind though! Thanks for telling me about it! 

I did open a support case with jamf but so far it seems like I am not affected by this bug or the logs I provided were not helpful. 🙊

it's been like 3 weeks since we did the re-integration and so far haven't seen any Macs showing up as "not compliant" or the MDM field is "None".

I opened up a ticket with Jamf support and provided some logs as they asked and it doesn't seem we're affected by PI113193 so I would say try to re-integrate if the issue shows up again.

I rolled out to 90 machines and had this issue on around 10 of them. On some, doing the Company portal registration again helped, on others I had to erase every trace of Company Portal, Workspace Join Keys and most things under point six here - and then re-run the registration procedure from Self Service. 

I've also had one computer - luckily one of my lab computers - be completely registered and compliant in Jamf and Azure, but the computer itself not recognizing that it actually is. Hm. That's a device I have been testing SSOe on... 

Hello,

May I ask a question Jamf Pro and having these devices appear within Microsoft Entra?