Upvote this: JamfAAD should use web view instead of | Jamf Nation Feature Requests. Complain to your customer success reps as well.
Voted and I hope it gets enough votes to be changed.
Previously I was just advising users to change the default browser to Safari as a workaround, and now I have one user who has Safari set as default browser, but JamfAAD just won't work and keeps on going up until get the app -.-. How do I get this working? This is so annoying.
We are also seeing this in Safari as well. Perhaps the new version of Safari resolves the pop up.
Jamf Support instructed me to set Chrome V92 and above as default. Log out and log back in and register again.
Jamf/MS are working on the issue.
Let's see how this unfolds.
This particular Mac has the latest Safari and also Chrome v94, nothing worked but I will give it one more try.
If it means anything I am now receiving the Jamf AAD pop ups on my iMac with the latest Safari and latest Chrome installs. I was hoping the latest Safari was going to resolve the issue, but no.
Has anyone seen any change with the Intune integration at all? As of right now, my Intune registration has to fail three times: once when you launch from Self Service, second when you authenticate during the first browser launch, and third after you attempt to approve the connector. This is with Safari every time, Chrome is hit or miss, and Edge is a no-go.
Hello @Levi_
Honestly I do not know what's going on with Jamf AAD/Intune. MS and Apple have not fixed the issue yet and Jamf does not have any update on the issue (relying on MS and Apple).
One Mac may require authentication using Safari 2 times but the next Mac may need to use Chrome. Very inconsistent. Our C-Levels are noticing the pop up. Which isn't good for Jamf Pro.
One process we have started is:
- Remove device from Intune
- Re-register device
There is also a script floating around on the web which removes all the files/keychain entries the Compliance installs in the Mac. I figured it cannot hurt to run this as well.
My reference was this great site: https://www.macbuddy.info/blog/lets-get-conditional-unconditional-love
Cheers,
.a
Hey together,
Does anybody already have some experience with JamfAAD and macOS 12? Did the upgrade to Monterey fix the issue?
I'm still struggling with some devices which lose their compliance every few weeks and looking for a little bit of hope with the next major upgrade.
Or much better, someone from the Jamf staff team could give us a statement regarding this issue.
Cheers,
Jonny
Apparently it's purely an MS issue, which they have publicly announced was their issue. Now of course I don't have a URL to back up my claim. I can only say I was on a call with Apple who mentioned this during the discussion. It does cripple our end users. Of course it's fixed in Monterey. I have not had the issue yet.
Hi @pueo
Thanks for your reply!
When you say it's a MS issue, why was it fixed by Apple with Monterey?
Just want to be sure the issue is fixed. My colleagues are really annoyed.
Good question..
Here is the Apple Enterprise Support Answer from a few months ago. (I submitted a ticket about Jamf AAD)
macOS 12 Monterey has a fix which will allow legacy software that uses this method to keep working. The permanent solution is for developers to adjust their software to properly handle these authentication flows through the WKNavigationDelegate’s NSURLAuthenticationChallenge handling. See the documentation for details on this https://developer.apple.com/documentation/webkit/wknavigationdelegate?language=objc. They should adopt - webView:didReceiveAuthenticationChallenge:completionHandler:, responding with a credential that contains an identity if the challenge.protectionSpace.authenticationMethod is "client cert auth." If they adopt this approach, it will work on all supported macOS releases.
So Monterey has coded their OS to work around the issue. Apple has not released the fix for macOS lower than Monterey. As we all know Apple is all about going forwards.
A.
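The delegate method named in the Apple Enterprise Support answer above, written out in Objective-C as an added example; it is not code from Jamf, Microsoft, Apple or any poster in this thread. The class name, allowedHosts and identityLabel are hypothetical, and the device identity is assumed to be stored in the keychain under that label.

```objc
#import <WebKit/WebKit.h>
#import <Security/Security.h>

@interface ClientCertDelegate : NSObject <WKNavigationDelegate>
@property (copy) NSSet<NSString *> *allowedHosts;  // hypothetical: hosts allowed to receive the cert
@property (copy) NSString *identityLabel;          // hypothetical: keychain label of the identity
@end

@implementation ClientCertDelegate

// Returns a retained identity (certificate plus private key) from the keychain, or NULL.
- (SecIdentityRef)copyIdentity {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrLabel:  self.identityLabel,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
        (__bridge id)kSecReturnRef:  @YES,
    };
    CFTypeRef found = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &found);
    return status == errSecSuccess ? (SecIdentityRef)found : NULL;
}

- (void)webView:(WKWebView *)webView
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Anything that is not a TLS client-certificate request keeps WebKit's default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // Present the identity only to expected hosts; cancel when the host or identity is missing.
    SecIdentityRef identity = [self.allowedHosts containsObject:space.host] ? [self copyIdentity] : NULL;
    if (identity == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    NSURLCredential *credential =
        [NSURLCredential credentialWithIdentity:identity
                                   certificates:nil
                                    persistence:NSURLCredentialPersistenceForSession];
    CFRelease(identity);
    completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}

@end
```

Restricting the response to an allowlist of hosts keeps the embedded web view from offering the device identity to any server that happens to request a client certificate.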
An Alternative to the Jamf Intune Integration (No ... - Jamf Nation Community - 252229
If this really works as it says then you are golden @bwoods Thank you. I will ask my team if we can consider looking into this.
One less step for users. I will admit the entire Intune (MEM) registration is clunky and not very user friendly.
a.
Curious if you have implemented this in your environment? Does this remove the need for device registration via company portal and the cloud connector in jamf?
@pueo
Many thanks for your reply and forwarding the technical deep dive from Apple. This will help to calm down my colleagues. 🤐
Sadly this must happen by Jamf customers and not by Jamf staff itself.
Maybe I'll have a look at the solution below to get a better user experience.
@bmack99 I have implemented this in my production environment. As I mentioned in the post, you no longer have to register a device with the company portal app. You just need to deploy your MCAS cert. This also gives you full control of device compliance. You can hop over to the #jamf-intune-integration Slack channel for more information.
Thanks, I’m assuming that’s a channel in the MacAdmins Slack?
Yes sir, #jamf-intune-integration is a MacAdmins Slack channel.
After the first sign-in at the Company Portal app, it seems like the registration process gets stuck at the second sign-in popup with login.microsoftonline.com? You can click several times on the Sign In button but nothing happens. There are some little dots which are travelling from right to left, so it seems like the system is waiting for something.
If you close the whole "login.microsoftonline.com" window and try it a second time via Self Service, the user's certificate will be shown and the registration process will be finished. Again this isn't a proper user experience?
Has anybody faced the same issues?
Tested several times with freshly installed macOS 12.1 M1 Pro, Safari browser and different users.

What a piece of crap. Fix this JAMF. We've only been asking for a year.
I have received this a few times before as well. We have a few different ways to resolve the continual issue of Jamf AAD. It really comes down to 'sometimes a fix works and other times you need to try another way'. I am starting to lean towards using the Jamf WPJ script jamf-wpj-clean-up, which I have received from Jamf Support. @mojo21221 has also mentioned the use of it.
I thought it was a bit extreme but when all the other solutions fail, why not try this one.
@bwoods' link to the MCAS User Cert option has been approved for our environment. I will be looking into this in 2022.
This is what I consider normal behavior using Safari at this point. If you use Chrome instead of Safari, the registration should go straight through as you would expect of a working product; however, it has a major flaw that your users are going to curse you over. If you use Chrome as the default browser, the Jamf AAD registration will hound them each and every day to log in.
This whole experience is ridiculous. I have to exclude a key group of users from this because it will bring negativity from C-Level. Jamf has given us excuses and left us to scream into the void.
Us: Jamf please help, this isn't working right. Safari requires multiple registrations, Chrome asks for login each day and Edge flat out doesn't work.
Jamf: We are aware of these issues and reported these bugs to Google and MS.
one eternity later
No change. Jamf Connect has received some updates though.
For us, I have started running first-registrations (and re-registrations) through Safari as the default browser, but just like jonn1e the first attempt fails with a hung Azure login window and we have to force quit JamfAAD. The second attempt asks for client certificate and continues, apparently successful. There are no duplicate IDs created either when we do this, so that's ..okay?
Well I say it completes, but yesterday a brand new macOS 11.3 Air M1 2020 apparently didn't register with MEM even though the JamfAAD registration went through, so the registration is (perceived as?) buggy and unreliable, and when trying to guide users through the process, I must give them the impression I don't know what I'm doing. I don't mind that personally, but it can undermine the trust in the competency of the IT department or their suppliers.