You can kick this sync off by running Company Portal from Applications after it has been registered. This will send the compliance info to Intune.
@prbsparx Hey, hope you're doing well. Heartbeat is to let Intune know that Jamf Pro is alive and operating. In response, Jamf Pro gets information about any failures with inventory, etc. It's decoupled from the registration. If you register a device, it should get reflected in Intune right away (within minutes).
One testing trick ... you can change the computer name and run a recon so that Jamf receives inventory from a device that is "different." When the inventory is different, Jamf Pro will communicate that change right away to Intune so that compliance can be reevaluated.
@kericson Company Portal isn't fully loading for me. I think this is because we disabled the ability for Macs to enroll in Intune. We were hoping it would prevent users from enrolling using Company Portal when opened outside of Self Service. Disabling the enrollment in Intune also seems to make it where when the Office apps say "you need to enroll" it actually redirects the user to Casper Suite instead of to "download company portal and register with Intune"
@joe.bloom Doing great, thanks for the quick comment on this one. I will play with that on another computer. Ok, the heartbeat makes sense. I'm seeing the same issue as @lindell whenever I register the device I'm testing with. I'll submit a ticket to my Jamf Buddy shortly.
It would be great to have more detailed documentation about the Intune integration:
1. What settings should we be using in Intune?
2. How do we make it where if a computer isn't registered the "register your computer" links in Office apps redirect to the Casper Suite DeviceRegistration page. (https://jss.domain.com:port/DeviceRegistration.html)
3. "Azure Active Directory ID" attribute in Computer > Local User Accounts - what do the different values mean and how can we troubleshoot?
In other words - the documentation on the Intune integration is rather lacking.
Hi, I am having the same issue under a different condition.
bash-3.2$ sudo /Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD gatherAADInfo -disable-cache-read -verbose
verbose: Requesting Azure tenant info from jamf daemon
verbose: Requesting device ID from Azure tenant xxxxx.onmicrosoft.com
xxxxxxxxxxx: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource value from request: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.
Trace ID:
Correlation ID:
Timestamp: 2018-10-19 08:50:23Z
bash-3.2$
@dan-snelson I have observed so much inconsistency in the Intune and Jamf integration. Sometimes it works and sometimes it doesn't.
What is the exact process we need to follow for registration and Intune setup?
@dan-snelson It's already in place, but the challenge is it's not consistent.
@rastogisagar Ah; two words: Bummer city.
I recommend engaging Jamf support.
Hi,
What increased enrollment consistency 100% for us was going into Azure AD to:
Azure AD -> Mobility (MDM and MAM) -> Configure Microsoft Intune -> Scope it to users/groups with users that are going to be enrolled.
This has increased from like 3/10 successful enrollments to 10/10 successful enrollments, with inventory data submitted in Intune within 1 minute.
We discovered this by setting this option for Windows 10 devices, and voila the macOS devices magically started enrolling.

@txhaflaire Are you talking about the Jamf and Intune integration?
@rastogisagar Yes, the conditional access integration.
@txhaflaire Gotcha. Can you provide a complete walkthrough of the Jamf and Intune integration in a simpler way, and how it should be configured from the Mac client machine?
We just set up with 10.6 and have now upgraded to 10.7.1 in the cloud, and I believe the steps are now different, using NativeOSConnector in Intune. We finally got it working; the steps are different, and now each user has an Azure ID under Users in JAMF, per user, not device registration. We found references all over describing different ways of doing this, and some are the older first method introduced at the end of 2017 when this function became available, and then they changed it in, I believe, June 2018. I would really love to see the docs updated properly, as I see many have issues with setup, and even having an MS senior engineer on the phone, they were not even aware of the new setup steps. I am very nervous this function will break if/when they change the way this works again, which I have heard, and then having clients become out of compliance and no one knowing how this is truly to be set up properly. Yes, it works, but for now; who knows for how long. Better, clearer and correct documentation is needed by both parties. We should not be the ones doing trial and error to see if we can get this to work, only to find out months later that it stops working and no one told us why, nor do they have a clue about the changes needed.
We also started with JAMF/Intune integration and have already registered some Macs successfully.
Unfortunately we often see now the following compliance error: "A password is required"
As this is a very generic error, we still do not know, which rule is affected by this.
We checked our configured compliance rule in Intune (only disk encryption and a strong password policy), but these clients have all this applied.
In the local company portal diagnostic log, we only see this entry (part of a very long line):
"NoncompliantRules": "[[SettingID": "Device_Password_Required", "ExpectedValue": "True"
So, it seems it's a device password and not an account password, which is not compliant. But what device password? There's only a firmware password and this is already set on all of our clients (we checked it). And in our Intune compliance rule, a Firmware/BIOS password is NOT required.
Intune gives no more info about these clients.
Is JAMF sending this information to the Intune server or the Company Portal app on the client? I thought, Intune will get the compliance state of the client from JAMF server only, so when there's something broken on the JAMF server, it will send false data to the Intune server?
Has anybody seen this error on Mac clients? Where to look for more info?
(We already removed these computer names from Intune and AzureAD, cleaned the local company portal plist/settings and tried to re-register, but with the same error.)
I'm having similar issues. For 4 days my system enrolled just fine. Now they stopped. I can kick off the Self Service policy just fine after installing Company Portal 1.10 and enroll into Azure AD, but the second part, when JamfAAD kicks off, times out saying it can't reach our Azure tenant, so it only half enrolls.
The JSS test and heartbeat work fine. There is no network barrier we can find between the two systems. So far MS has been less than helpful and I'm working with Tier 4 support at Jamf as they have ever seen the issue.
@Matt.Ellis Sure that your users are allowed to enroll into Intune?
Make sure that users/groups are in belowed 
@txhaflaire Are you saying that my users should be listed under the Groups section for them to be able to register their devices with Azure AD?
@Matt.Ellis Create an Azure AD group and assign the test users to that group. Allow that group in the supplied screenshot and check if they are enrolling in Intune.
Regarding our weird "Device Password required" non-compliance error, we think we found the reason for it!
All of these computers had one thing in common: They had an AutoLogin entry (user adobeinstall) in the com.apple.loginwindow.plist
After removing this entry with the following command and sending a recon, most of these devices (not all) changed to compliant state immediately:
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
(These users were not affected by this AutoLogin setting, as we have set AutoLogin to off and on most of these computers, even the temporary user "adobeInstall" does not exist anymore.)
But it seems the Company Portal/Intune compliance check does read this AutoLogin entry and will give a wrong error.
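An added example, not part of the original posts and not Jamf or Microsoft code: a Jamf Pro extension attribute that reports the state of the autoLoginUser entry identified in the post above, so a Smart Group can scope the `defaults delete` fix. The result labels (NotSet, ActiveAutoLogin, StaleAutoLogin) and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): extension attribute reporting whether a
# loginwindow autoLoginUser entry exists and whether its account still does.
# Result labels and function names are illustrative assumptions.

PLIST_DOMAIN="/Library/Preferences/com.apple.loginwindow"

# Print the autoLoginUser value, or nothing when the key is absent
# (defaults exits non-zero for a missing key).
read_autologin_user() {
    defaults read "$PLIST_DOMAIN" autoLoginUser 2>/dev/null || true
}

# Succeeds when the named account resolves on this machine.
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Map the raw key value to one of three states.
classify_autologin() {
    user="$1"
    if [ -z "$user" ]; then
        echo "NotSet"
    elif account_exists "$user"; then
        echo "ActiveAutoLogin:$user"
    else
        # Leftover entry whose account is gone, like "adobeinstall" in the thread.
        echo "StaleAutoLogin:$user"
    fi
}

# Wrap the state in the <result> tags used for extension attribute output.
ea_result() {
    echo "<result>$(classify_autologin "$1")</result>"
}

# Only query the plist where the macOS defaults tool is available.
if command -v defaults >/dev/null 2>&1; then
    ea_result "$(read_autologin_user)"
fi
```

A Smart Group matching either non-NotSet state can then scope the policy that removes the key and runs a recon.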
We're using JAMF Pro 10.9 and with the new "Intune inventory data sent" button, we now have some more info for troubleshooting.
But what we are really missing is the current compliance state of an Intune-registered Mac. As our team has no access to the Intune administrator console, we have no information about which of our managed Macs are successfully registered in Intune (compliant) and which are not or have issues with the compliance check.
I guess, JAMF Pro only sends the inventory attributes to the Intune server, which then calculates the compliance state. But it would be great, if JAMF Pro in return gets the Intune compliance state (and maybe some more log information about the compliance check itself).
Basically, Intune relies on information that is sent from Jamf to Intune.
That said, it means that if you know what components (Firewall, SIP, Password) are checked by Intune, then you can create reports on how many devices fail overall or on a specific topic.
This is how we did it.
We have an EA that reports if you have a single AAD ID, multiple or none to check overall registration status, and we have Smart Groups with Policies that can fix compliance issues.
Configuring the MDM user scope is not needed. We have the settings set to None, and it works anyway. The reason is that the machines are not enrolling in Intune. They are registered in Azure AD only. The Intune part is managed by the app that was created during setup. That app is the gateway into Intune.
@maik.sanftenberg Are you willing to share the EA for the AAD registration?
@txhaflaire Sure, we look into com.microsoft.CompanyPortal.usercontext.info
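#!/bin/bash
# Extension attribute: report the Azure AD unique ID that Company Portal recorded for the console user.
# Get the user currently logged in at the console (empty at the login window).
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Take the quoted value from the UniqueId line of the Company Portal user context file.
AADUNIQUEID="$(grep UniqueId "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" 2>/dev/null | awk -F"\"" '{print $2}')"
if [[ "${AADUNIQUEID}" == "" ]]; then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi
exit 0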
If you have registered the device more than one time, the ${AADUNIQUEID} turns into Multiple.