MacOS Devices are starting to shown up in MS Intune

The devices appearing in Microsoft Intune is expected behavior when using MS Defender for Endpoint and/or Company Portal with Jamf Pro Device Compliance. Here's why:

Root Cause:

When macOS devices onboard to Microsoft Defender for Endpoint (MDE), Microsoft automatically creates device records in Intune through a feature called "Security Settings Management." These devices appear in Intune labeled as managed by "MDE" (not "Intune"), even though they're actually managed by Jamf Pro.

Additionally, when users authenticate with Company Portal for SSO Extension, the device gets registered in Entra ID, which also creates a corresponding record in Intune.

Why only some devices appear:

Devices appear in Intune when:

1. They've completed MDE onboarding in the Defender portal
2. A user has signed into Company Portal on the device

If some devices haven't completed either of these steps, they won't appear in Intune yet. This explains why devices with "exact same configurations" may show different visibility — it depends on when each device completed the MDE onboarding or Company Portal sign-in.

This is not a problem — the devices are still managed by Jamf Pro via MDM. The Intune records are simply for compliance data flow and security policy delivery from MDE.

References:

• Security Settings Management for MDE - Microsoft Learn
• Device Compliance with Microsoft Entra and Jamf Pro

Hi and thank you for your answer

regarding your answer: The devices appearing in Microsoft Intune is expected behavior when using MS Defender for Endpoint and/or Company Portal with Jamf Pro Device Compliance. → this is expected behaviour since when?

We are using both, Defender and Device Compliance since multiple years. I remember that sooner i was trying to configure for example some conditional access or other settings in intune but this was never possible, because no one device where showing up there. Only intune enrolled MDM macbooks where showing there.

 

Devices appear in Intune when:

1. They've completed MDE onboarding in the Defender portal
2. A user has signed into Company Portal on the device

Both of these are done. Defender onboarding is done automatically while enrolling the device for the user.

Device Compliance is the first step we do with the user, when he sets up his macbook. 

For me this is not a problem, that the macbooks are now in intune. Hopefully sometime there will be more possibilities to configure settings for jamf managed devices in intune. I only need to understand why not all of our devices are there. Even when Defender is onboarded correct and the device is registered correct in entra for device compliance and shown in entra as compliant.

Good follow-up question. Let me clarify with proper sources:

Since when?

According to Microsoft documentation:

1. July 2023 - September 25, 2023: Security Settings Management (SSM) ran an opt-in public preview with new device enrollment behavior
2. September 25, 2023: The public preview behavior became generally available and now applies to all tenants
3. November 7, 2023: Full GA rollout for Windows, macOS, and Linux

For macOS specifically, SSM requires MDE agent version 101.23052.0004 or later (released mid-2023).

Sources:

• Microsoft Learn - Security Settings Management: "From July 2023 to September 25, 2023, security settings management ran an opt-in public preview... Starting on September 25, 2023, the public preview behavior became generally available."
• Jeffrey Appel Blog - MDE Security Settings Management: "Since 7 November the new security settings management feature is generally available for all customers."

Why your devices started appearing around July 2024:

If you didn't opt-in to the preview and your MDE agents updated to 101.23052.0004+ sometime in 2024, that's when the synthetic registration would have triggered for those devices.

Why NOT all devices are showing up:

Check the MDE agent version on missing devices:

mdatp version

Devices with agent versions older than 101.23052.0004 won't trigger the Intune registration.

mdatp version

So my thoughts and combinations was right :) thank you for the clarification.
So we had a few days ago some issues with Defender exclusions on the devices. Defender devices are managed via json in jamf pro with all settings we use. Then someone opened a ticket in our helpdesk that the exclusions are no more working and also no visible. So i started to search and found out, that someone from my colleagues (i think) enabled in Defender the “Enforcment Scope” to macbooks. If not, MS did it automatically. 

After disabling the Enforcement Scope i was able to set everything for defender via json like before.
I also tried directly to set all the settings in Defender Portal directly, but unfortunately the Device Control Features are not available in the defender portal.
I like the idea to set the defender configurations in defender portal directly but not like the idea to have multiple places for configurations for one application and i not tested how the behaviour will be, when i got 2 defender plists. I think it will working because defender accepts two of them.

But coming back to my main question here. 
So to ensure that all devices will be in intune i have to:

• onboard all devices in MS Defender and manage them via Defender portal (managed_by: MDE in mdatp health)
• re-register the devices in compliance through the user itself via policy on device
  • because this looks to me to be the only possiblity why not all devices shown up in intune after the MDE managed by was enabled