Solved

Jamf - Intune - Azure - Device Compliance Certificate untrusted

  • July 18, 2023
  • 12 replies
  • 92 views


We are using Jamf Device Compliance with InTune.

Following this tech paper we have it working fairly well. Technical Paper: Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro 10.43.0 or Later

When the end user goes through computer registration and JamfAAD opens they are prompted to "Always Allow" "Microsoft Workplace Join Key". This is expected and documented here. (Although it would be great to have a smoother workflow)
Our issue is the certificate in the login keychain for Device Compliance is not trusted for some reason. (See attached image)

The cert seems to be issued by "MS-Organization-Access". I don't have that CA, and our Azure folks don't seem to know about it either.

Thoughts?

Eric

Best answer by sdagley

@eric_benfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.

12 replies

sdagley
  • Jamf Heroes
  • Answer
  • July 19, 2023

@eric_benfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.
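
The point of the accepted answer, as an added check that is not part of the thread and not Jamf or Microsoft code: given a PEM copy of the Device Compliance (Workplace Join) certificate, already exported from the login keychain (assumed to be done beforehand, for example with `security find-certificate -a -p`), it reports the issuer CN, expiry, and chain validation against the local trust store, which is expected to fail, while validation against the issuing CA succeeds.

```shell
#!/bin/sh
# Added example for this thread, not Jamf or Microsoft code: inspect a PEM copy
# of the Device Compliance (Workplace Join) certificate. Exporting it from the
# login keychain is assumed done beforehand, e.g. `security find-certificate -a -p`.

# Issuer common name of the certificate in file $1. RFC 2253 formatting keeps
# the output identical across OpenSSL 1.1 and 3.x.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed 's/^issuer= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Succeeds when the issuer is the Entra device-registration CA named in the
# thread; the subject is the device ID, so match on the issuer, not the subject.
is_workplace_join_cert() {
  [ "$(issuer_cn "$1")" = "MS-Organization-Access" ]
}

# "yes" if $1 expires within $2 days, else "no"; openssl's own clock math
# works on BSD and GNU userlands alike.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then echo no; else echo yes; fi
}

# Chain validation of $1 against the local trust store, or an explicit CA file
# $2. "untrusted" with no CA file is the expected result the accepted answer
# describes: the Mac does not carry the issuing CA; the Intune/Azure AD side does.
local_trust_status() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# One-line report in the key=value form a Jamf extension attribute could return.
report() {
  printf 'issuer=%s workplace_join=%s expiring_30d=%s local_trust=%s\n' \
    "$(issuer_cn "$1")" \
    "$(is_workplace_join_cert "$1" && echo yes || echo no)" \
    "$(expires_within_days "$1" 30)" \
    "$(local_trust_status "$1")"
}

if [ $# -ge 1 ]; then report "$1"; fi
```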


  • Author
  • Valued Contributor
  • July 19, 2023

> @eric_benfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.


That is what Microsoft also told us. Although that does not give me a warm and fuzzy feeling.

Every PKI bone in my body wants to fix this. I guess I will have to go against my instincts.

Thanks for confirming @sdagley


MacJunior
  • Valued Contributor
  • September 7, 2023

We have registered our Mac fleet in Azure AD and they show up as "Compliant". When we turn on the compliance policy from Intune and people try to access our company resources, they get error messages like this one:

If they use incognito mode in Chrome, for example, they get a window to select a certificate, then they have to enter their login password and hit "always allow" to be able to log in successfully to their email, for example.

Is that the normal behaviour? I'm definitely missing something here, so any tips?


sdagley
  • Jamf Heroes
  • September 7, 2023

> We have registered our Mac fleet in Azure AD and they show up as "Compliant". When we turn on the compliance policy from Intune and people try to access our company resources, they get error messages like this one:
>
> If they use incognito mode in Chrome, for example, they get a window to select a certificate, then they have to enter their login password and hit "always allow" to be able to log in successfully to their email, for example.
>
> Is that the normal behaviour? I'm definitely missing something here, so any tips?


@MacJunior When you say "We have registered our Mac fleet in Azure AD..." does that mean you used a Jamf Pro policy with the Microsoft Device Compliance payload to trigger the enrollment process via the Company Portal app? During that enrollment your users should have gone through the process of always allowing access to the certificate installed during enrollment.

Jamf revised their technical paper of the Device Compliance integration yesterday, and it does clarify some areas that weren't clear in older docs, so it might be helpful to review: https://learn.jamf.com/bundle/technical-paper-microsoft-intune-current/page/Device_Compliance_with_Microsoft_Intune_and_Jamf_Pro.html


MacJunior
  • Valued Contributor
  • September 8, 2023

Yeah, that explains why a small number of users are getting blocked while the majority are working fine with 0 issues. Thanks for highlighting this point.


MacJunior
  • Valued Contributor
  • September 14, 2023

I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Anyone experience such a weird behaviour?


  • New Contributor
  • September 29, 2023

> I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Anyone experience such a weird behaviour?


Yes, I am having the same issue.

Raised with JAMF. Do you have a fix yet?


MacJunior
  • Valued Contributor
  • October 2, 2023

> Yes, I am having the same issue.
>
> Raised with JAMF. Do you have a fix yet?


Not yet. The last thing they advised is to re-do the integration between Jamf & Entra.

Will keep you posted.


sdagley
  • Jamf Heroes
  • October 2, 2023

> Not yet. The last thing they advised is to re-do the integration between Jamf & Entra.
>
> Will keep you posted.


For anyone running into the problem with Device Compliance enrollment breaking after the JSS 10.50 update, PI113193 is the Product Issue ID that's been assigned for it. You should probably contact your Customer Success rep if you've been impacted.


JM12
  • New Contributor
  • October 22, 2023

> I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Anyone experience such a weird behaviour?


Did you ever get a resolution to this issue? I just had a lot of devices have the same falling out.


  • New Contributor
  • October 30, 2023

11.01 upgrade should fix 


  • New Contributor
  • December 20, 2023

> @eric_benfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.


Hello,

May I ask a question Jamf Pro and having these devices appear within Microsoft Entra?