@bouvet if Safari is the default browser the end user would not be re-prompted unless the AAD session ends and MSAL (the auth. binary inside of jamfAAD) needs to interact with the end user to start a new session. This would be if the password has changed (AAD ends the sessions for a re-auth. then), if the end user hits the global time out for all sessions (14 days is default, but an org. can change that in AAD), if the end user's macOS keychain was deleted, or if the Revoke all sessions action is taken on the AAD portal for a given user.
@piotrr an update on a workaround for right now. For those orgs. that are Edge mandated we have a workaround while we work on this with Microsoft.
If you roll back to v90.0.816.66 (last version of v90) the ASWebAuth. goes to Safari as needed. This could be a workaround for the time being. The Microsoft CDN location to get this from safely can be found here.
@bryce, Thank you, that's a sweet idea but Edge v90 (and Chrome v90) had a bug with Dynamics 365 interaction that can cause tens of thousands of sign-in events per user per day.
Besides, Edge v90 would just update back to v91 as soon as the user restarts the browser, unless I force that in yet another policy, wouldn't it?
I'm sorry to say we may have to accept Safari as the default browser until Edge v92. At least it will only affect clicks from other apps.
@davidjess This is the first I've seen of jamfaad clean. Reading the Help, it seems JamfAAD clean does many of the tasks listed under "Cause 6" in Microsoft's troubleshooting article for MEM/Intune integration problems here:
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-jamf#cause-6
So far I've been doing this mostly manually, but it looks like jamfaad clean could be incorporated into the first two rows of instructions: There should be no point running jamfaad at all after jamf removeframework.
So we're also getting hit by this now
We keep getting a "jamfaad wants to use microsoftonline.com to sign in" prompt which is really hard to ignore (it takes you away from full screen windows).
Following the steps gets me to a chrome window with the following question "Are you trying to sign in to Cloud Connector user registration app?"
Attempting to click continue results in nothing happening. Looking in the developer tools for errors I am seeing this error "Failed to launch 'jamfaad://aadtokenrequest/?code=<REDACTED> because the scheme does not have a registered handler".
@bryce and I have been working with Google for a few days now and there is a potential fix that is currently implemented in Chrome Canary version 93.0.4543.0.
If you have the time, could you
1. Download Chrome Canary from here, https://www.google.com/chrome/canary/
2. Make it the default browser
3. Log out/in or restart
4. Then attempt the Intune registration
The webauth should go through Chrome Canary but it should work fine, I've tried it with some VMs and physical machines and it has been working really well. Let me know how it goes. Thanks.
How soon would this hit Microsoft Edge beta?
@Cayde-6 no idea just yet but normal cadence is 6 weeks for Edge Beta. Will reply here as soon as I hear anything about timeline.
Try running this
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD" -verbose gatherAADInfo -disable-cache-read
Hey @blockcham,
I've tested this on two of my machines, 10.15.7 and 11.2.3, and was successful. I even skipped step 3 as an additional test run and it still worked.
Hopefully Googs pushes whatever change in this Canary build to a production build soon and Edge gets the fix too.
Thank you man.
Hi @bryce,
Any updates or news with this issue? Seems like in my small environment everyone is starting to get this, we even had an issue after setting Safari as default where it would open a page in Safari, the user enters the creds then it brings them to a "Get App" button which when clicked downloads a blank txt file. What we had to do was to run the jamfaad clean, change default browser again to Safari, remove Company Portal and reinstall from the Microsoft site, do a restart then run the reg again using the command, then it works fine.
Just wanted to know if something new is coming or I will just need to do this for all of them.
Thanks
As a temporary workaround this seems to work for us in place of the normal device registration policy.
- It backs up both info.plists
- Writes the preference to the Info.plists
- Performs device registration
- Restores the plists
#!/bin/bash
# Temporary workaround: stop Chrome/Edge from taking over ASWebAuth, register with
# Intune, then put the original Info.plists back. Runs as root from a Jamf policy.

consoleUser=$(/usr/bin/stat -f%Su /dev/console)
if [ "$consoleUser" == "root" ] || [ "$consoleUser" == "_mbsetupuser" ] || [ "$consoleUser" == "temp" ]; then
    echo "Current User is $consoleUser exiting "
    exit 0
fi

## Kill jamfAAD if running and probably frozen
pkill -9 jamfAAD

if [ -d "/Applications/Google Chrome.app" ]; then
    echo "Found Google Chrome"
    # Back up the original Info.plist, then set IsSupported to false
    cp "/Applications/Google Chrome.app/Contents/Info.plist" /tmp/ChromeInfo.plist
    /usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" "/Applications/Google Chrome.app/Contents/Info.plist"
    killall cfprefsd
    killall "Google Chrome"
fi

if [ -d "/Applications/Microsoft Edge.app" ]; then
    echo "Found Microsoft Edge"
    # Back up the original Info.plist, then set IsSupported to false
    cp "/Applications/Microsoft Edge.app/Contents/Info.plist" /tmp/EdgeInfo.plist
    /usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" "/Applications/Microsoft Edge.app/Contents/Info.plist"
    killall cfprefsd
    killall "Microsoft Edge"
fi

# Register as the logged-in user
sudo -u "${consoleUser}" /usr/local/jamf/bin/jamfAAD registerWithIntune

# Restore the original Info.plists
if [ -d "/Applications/Google Chrome.app" ]; then
    echo "Found Google Chrome"
    cp /tmp/ChromeInfo.plist "/Applications/Google Chrome.app/Contents/Info.plist"
    killall cfprefsd
    killall "Google Chrome"
fi

if [ -d "/Applications/Microsoft Edge.app" ]; then
    echo "Found Microsoft Edge"
    cp /tmp/EdgeInfo.plist "/Applications/Microsoft Edge.app/Contents/Info.plist"
    killall cfprefsd
    killall "Microsoft Edge"
fi
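A hardened form of the backup/edit/register/restore steps in the script above, as an added example that is not the poster's code. Info.plist is covered by the app's code signature, so the original bytes have to come back on every exit path; the backup also moves from a fixed /tmp name to a private mktemp directory. The function name run_with_override and the overridable PLISTBUDDY variable are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the poster's script. PLISTBUDDY can be overridden
# (assumption, used for testing); KEY is the key named in the thread.
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"
KEY=":ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported"

# run_with_override PLIST CMD [ARGS...]
# Sets KEY to false in PLIST, runs CMD, then restores PLIST byte for byte,
# also when CMD fails or the script is interrupted. Returns CMD's exit
# status, or 2 (no plist), 3 (backup failed), 4 (edit failed).
run_with_override() (
    plist="$1"; shift
    [ -f "$plist" ] || exit 2
    # mktemp -d creates a 0700 directory with a random name, so the backup
    # cannot be pre-created or swapped by another local user.
    backup_dir=$(mktemp -d) || exit 3
    cp -p "$plist" "$backup_dir/Info.plist" || { rm -rf "$backup_dir"; exit 3; }

    restore() {
        cp -p "$backup_dir/Info.plist" "$plist"
        if ! cmp -s "$backup_dir/Info.plist" "$plist"; then
            echo "restore FAILED, backup kept in $backup_dir" >&2
            return
        fi
        rm -rf "$backup_dir"
        # On macOS, confirm the bundle's code signature verifies again.
        app="${plist%/Contents/Info.plist}"
        if command -v codesign >/dev/null 2>&1; then
            codesign --verify --strict "$app" || echo "signature check failed: $app" >&2
        fi
    }
    trap restore EXIT            # runs on every exit path of this subshell
    trap 'exit 130' INT TERM     # turn signals into a normal exit so restore runs

    "$PLISTBUDDY" -c "set $KEY false" "$plist" || exit 4
    rc=0
    "$@" || rc=$?
    exit "$rc"
)

# Usage on a managed Mac (as root, consoleUser as in the script above):
#   run_with_override "/Applications/Google Chrome.app/Contents/Info.plist" \
#       sudo -u "$consoleUser" /usr/local/jamf/bin/jamfAAD registerWithIntune
```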
@asidhu , @Levi_ all my eyes are on v92 of Chrome right now which is slated for July 20
https://www.chromestatus.com/features/schedule
we'll see how it goes once that is released.
@asidhu sorry I have been eye-wateringly busy, but yes @blockcham has it right. Keep your eye peeled for the July 20 drop. The fact that it works in Chrome and Edge Canary this early points to a good next step, but I would not recommend pushing that to the devices in production now per Google and MSFT's guidance on that.
So we have been instructing our users to have Safari set as the default browser during enrollment which seemed to have worked for awhile. However, many of these users have switched back to Chrome or Edge after the process and just recently started seeing the prompts again after changing their password. Once they switched back to Safari as the default they weren't getting the prompts any longer. Is this in line with what several of you are seeing as well?
Yesterday MS released version 91.0.864.71 for Edge, works fine, but is this the latest version that supports setting the keys? I am asking for scoping purposes, creating a smart group for this version and above as previous versions of Edge crashed if Info.plist was edited.
@bryce @FritzsCorner @asidhu @Levi_ I just updated to Chrome v92 and was able to successfully register with Intune perfect as intended. Could others give it a try and let me know how it goes? I'd like to report the results back to Google, thanks.
@Cayde-6 Looks like the Edge release schedule is a few days behind Chrome's, it appears slated for the "Week of 22-Jul-2021"
https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-release-schedule
Chrome v91 and v92 both are breaking after a reboot if Info.plist is edited with ASWebAuth IsSupported key set to False (No), have to set it back to Yes.
Also on setting the value to False, Desktop firewall prompts!!

I have to set the key back to Yes to make chrome work again, same has been the experience with Edge v91.
just running these:
#Set Chrome to not take over ASWebAuth:
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Google\ Chrome.app/Contents/Info.plist
#Set Edge to not take over ASWebAuth:
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Microsoft\ Edge.app/Contents/Info.plist
Hey Blockcham,
I've run this on both my test machines and it appeared to have gone through, I am still giving Azure some time to update if the registration was successful, as you know Azure takes time... I'll post back with what I get. I haven't made any modifications to the .plists either.
One strange thing that I always see happen though no matter the browser is that when you complete the sign-in through the company portal two login windows will launch for Chrome, Safari, Edge. Am I the only one seeing the two login windows launch every time?
Edit: Fastest update here, it did register successfully with the latest version of Chrome.
Azure can take some time, we’re experiencing that for a few users as well.
As for the two windows showing up I’m experiencing that as well. This only happens if Chrome is not opened. If you have Chrome opened and then attempt a registration only one window will show. I’ll report this up to Google.
For others that have experienced the three windows that show up if Chrome is closed like @Levi_ and I, the Google team has filed it as a bug and should be resolved in v93. @bryce simply put, v92 should resolve this thread and v93 should resolve the issue with the three windows showing up.