Hello everyone,
We are currently facing an issue with Jamf Connect where some users keep receiving the notification:
"Registration required - Register with your Microsoft Entra password on your Mac."
Our Setup:
- Jamf Connect installed manually on affected devices
- Devices manually registered in Company Portal
- macOS 15.3.1
- Latest version of Jamf Connect & Company Portal
- Devices appear as compliant in MS Entra
- Devices in Jamf Managed & Supervised
- "uniqueIdentifier" : "97BD-IUHGLD-LIUGHW7G-.....ETC."
- FileVault 2 Partition Encryption State: Encrypted
Troubleshooting Steps Taken:
- Verified compliance status in MS Entra
- Deleted the device from MS Entra and re-registered
- Cleared keychain entries
- Ran a script to reset Entra registration, which:
  - Quits Company Portal
  - Deletes related preference files and saved states
  - Removes keychain entries and identity preferences
  - Deletes the MS-ORGANIZATION-ACCESS certificate
  - Reinstalls Company Portal
- After a Mac restart, users go through the registration process again, but the notification reappears after a few hours.
Has anyone encountered this issue before?
- Is there an additional cache, token, or certificate that should be removed?
- Could Conditional Access policies or Jamf Connect settings be causing this loop?
Any insights or suggestions would be greatly appreciated!
Thanks in advance!
#!/bin/bash
##############################################################################################################
# Reset Entra ID Registration
#
# Quits Company Portal, removes its preference and saved-state files, the
# workplacejoin keychain items, the identity preferences and the
# MS-ORGANIZATION-ACCESS device certificate, then reinstalls Company Portal
# through a Jamf policy so the user can register again.
#----------------------------------------------
# Vers. 2.0, 08.07.2024
#----------------------------------------------
##############################################################################################################
# Variables
# $4 Custom trigger for the Jamf policy "Install Company Portal"
jamfTrigger1="main_companyportal"
#jamfTrigger2="intune_Register"
# Get the username of the currently logged in user
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the user's home directory (dscl prints "NFSHomeDirectory: /Users/<name>")
homeDir=$(dscl . read "/Users/$loggedInUser" NFSHomeDirectory | awk '/\/Users/{print $2}')
# All keychain lookups and deletions below target the user's login keychain
loginKeychain="${homeDir}/Library/Keychains/login.keychain-db"
#--------------------------------------------------------------------------------------------------------------
# Quit Company Portal if it is running
if [[ -n "$(pgrep "Company Portal")" ]]; then
    echo "Quitting Company Portal"
    killall "Company Portal"
fi
# App bundle, preference files, saved application states and cookies to remove
fileArray=(
"/Applications/Company Portal.app/"
"${homeDir}/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info"
"${homeDir}/Library/Application Support/com.jamfsoftware.selfservice.mac"
"${homeDir}/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState"
"${homeDir}/Library/Saved Application State/com.jamf.management.jamfAAD.savedState/"
"${homeDir}/Library/Saved Application State/com.microsoft.CompanyPortal.savedState"
"${homeDir}/Library/Preferences/com.microsoft.CompanyPortal.plist"
"${homeDir}/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist"
"${homeDir}/Library/Cookies/com.microsoft.CompanyPortal.binarycookies"
"${homeDir}/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"
)
for i in "${fileArray[@]}"; do
    if [[ -e "$i" ]]; then
        echo "Deleting file $i"
        rm -rf "$i"
    fi
done
# Generic password items (matched by account name, -a) written by workplace join
passwordItemAccountsArray=(
'com.microsoft.workplacejoin.thumbprint'
'com.microsoft.workplacejoin.registeredUserPrincipalName'
'com.microsoft.workplacejoin.deviceName'
'com.microsoft.workplacejoin.deviceOSVersion'
'com.microsoft.workplacejoin.discoveryHint'
)
for i in "${passwordItemAccountsArray[@]}"; do
    # find-generic-password prints an "svce" attribute line for a match; its error output is discarded
    itemCheck=$(/usr/bin/security find-generic-password -a "$i" "$loginKeychain" 2>/dev/null | grep svce)
    if [[ -n "$itemCheck" ]]; then
        echo "Deleting Password Item $i"
        /usr/bin/security delete-generic-password -a "$i" "$loginKeychain" > /dev/null 2>&1
    fi
done
# There may be more than one 'com.microsoft.workplacejoin.devicePatchAttemptTimestamp' item, so loop until none is left.
# Search and delete in the same keychain; the counter keeps the loop from running forever if a delete keeps failing.
patchAccount='com.microsoft.workplacejoin.devicePatchAttemptTimestamp'
attempts=0
while [[ $attempts -lt 20 ]] && /usr/bin/security find-generic-password -a "$patchAccount" "$loginKeychain" > /dev/null 2>&1; do
    echo "Deleting Password Item $patchAccount"
    /usr/bin/security delete-generic-password -a "$patchAccount" "$loginKeychain" > /dev/null 2>&1
    attempts=$((attempts + 1))
done
# Identity preferences (matched by label, -l) that bind the registration certificate to the Microsoft endpoints
identityPrefArray=(
'com.jamf.management.jamfAAD'
'com.microsoft.CompanyPortal'
'com.microsoft.CompanyPortal.HockeySDK'
'enterpriseregistration.windows.net'
'https://device.login.microsoftonline.com'
'https://device.login.microsoftonline.com/'
'https://enterpriseregistration.windows.net'
'https://enterpriseregistration.windows.net/'
)
for i in "${identityPrefArray[@]}"; do
    itemCheck=$(/usr/bin/security find-generic-password -l "$i" "$loginKeychain" 2>/dev/null | grep svce)
    if [[ -n "$itemCheck" ]]; then
        echo "Deleting Identity Preference $i"
        /usr/bin/security delete-generic-password -l "$i" "$loginKeychain" > /dev/null 2>&1
    fi
done
# Delete every MS-ORGANIZATION-ACCESS identity (device registration certificate plus private key).
# find-certificate -Z prints the SHA-1 hash a few lines before the certificate's label, hence grep -B 9;
# sort -u collapses the duplicate hash produced when both the "alis" and "labl" attributes match.
certCheck=$(/usr/bin/security find-certificate -a -Z "$loginKeychain" | grep -B 9 "MS-ORGANIZATION-ACCESS" | grep "SHA-1" | awk '{print $3}' | sort -u)
for certHash in $certCheck; do
    echo "Deleting $certHash"
    /usr/bin/security delete-identity -Z "$certHash" -t "$loginKeychain" > /dev/null 2>&1
done
# Install Company Portal
/usr/local/bin/jamf policy -event "$jamfTrigger1"
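As an added example (not from the original post, nor Jamf's or Microsoft's own code), the following read-only check inspects the same artefacts the reset script deletes, so it can be run before the reset, after re-registration, and again when the "Registration required" prompt returns, to see which artefact has changed. It assumes macOS `/usr/bin/security`; the login keychain path, the workplacejoin account names and the MS-ORGANIZATION-ACCESS label are the ones used in the reset script.

```shell
#!/bin/bash
# Read-only check of the Entra registration artefacts the reset script removes.
# Assumes macOS /usr/bin/security; on other systems every item reports absent.
LOGIN_KC="$HOME/Library/Keychains/login.keychain-db"

# Parse `security find-certificate -a -Z` output on stdin and print the SHA-1
# of every certificate whose "labl" attribute contains $1. The hash line comes
# before the attribute block, so awk carries it as state instead of relying on
# the fixed line offset that `grep -B 9` assumes.
cert_hashes_by_label() {
    awk -v want="$1" '
        /^SHA-1 hash:/ { sha1 = $3; next }
        /"labl"<blob>=/ && index($0, want) && sha1 != "" { print sha1; sha1 = "" }
    '
}

# Classify the number of MS-ORGANIZATION-ACCESS certificates found. More than
# one is the case where a multi-line $certCheck breaks delete-identity.
classify_cert_count() {
    case "$1" in
        0) echo "unregistered" ;;
        1) echo "registered" ;;
        *) echo "duplicate-certs" ;;
    esac
}

# "present" or "absent" for a workplacejoin generic-password item (-a account).
wpj_item_state() {
    if /usr/bin/security find-generic-password -a "$1" "$LOGIN_KC" >/dev/null 2>&1; then
        echo "present"
    else
        echo "absent"
    fi
}

report_entra_state() {
    local hashes count
    hashes=$(/usr/bin/security find-certificate -a -Z "$LOGIN_KC" 2>/dev/null \
             | cert_hashes_by_label "MS-ORGANIZATION-ACCESS")
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    echo "MS-ORGANIZATION-ACCESS certificates: $count ($(classify_cert_count "$count"))"
    for acct in com.microsoft.workplacejoin.thumbprint \
                com.microsoft.workplacejoin.registeredUserPrincipalName \
                com.microsoft.workplacejoin.deviceName; do
        echo "$acct: $(wpj_item_state "$acct")"
    done
}
report_entra_state
```

Comparing two runs of the report (one right after a successful registration, one once the prompt has reappeared) shows whether the certificate or the keychain items are being removed or duplicated between the two points.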