@eric_benfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.
That is what Microsoft also told us. Although that does not give me a warm and fuzzy feeling.
Every PKI bone in my body wants to fix this. I guess I will have to go against my instincts.
Thanks for confirming @sdagley
We have registered our Mac fleet in Azure AD and they show up as "Compliant". When we turn on the compliance policy from Intune and people try to access our company resources, they get error messages like this one:


If they use incognito mode in Chrome, for example, they get a window to select a certificate, then they have to enter their login password and hit "always allow" to be able to log in successfully to their email, for example.
Is that the normal behaviour? I'm definitely missing something here, so any tips?
@MacJunior When you say "We have registered our Mac fleet in Azure AD..." does that mean you used a Jamf Pro policy with the Microsoft Device Compliance payload to trigger the enrollment process via the Company Portal app? During that enrollment your users should have gone through the process of always allowing access to the certificate installed during enrollment.
Jamf revised their technical paper of the Device Compliance integration yesterday, and it does clarify some areas that weren't clear in older docs, so it might be helpful to review: https://learn.jamf.com/bundle/technical-paper-microsoft-intune-current/page/Device_Compliance_with_Microsoft_Intune_and_Jamf_Pro.html
Yeah, that explains why a small amount of users are getting blocked while the majority are working fine with 0 issues. Thanks for highlighting this point.
I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Has anyone experienced such weird behaviour?
Yes I am having the same issue.
Raised with JAMF. Do you have a fix yet?
Not yet, the last thing they advised is to re-do the integration between Jamf & Entra.
Will keep you posted.
For anyone running into the problem with Device Compliance enrollment breaking after the JSS 10.50 update, PI113193 is the Product Issue ID that's been assigned for it. You should probably contact your Customer Success rep if you've been impacted.
I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Has anyone experienced such weird behaviour?
Did you ever get a resolution to this issue? I just had a lot of devices have the same falling out.
Hello,
May I ask a question about Jamf Pro and having these devices appear within Microsoft Entra?