
Hi there. We’re looking at moving to PSSO, where we currently have Jamf Device Compliance on prod Macs, but have run into a wall.

MDM=Jamf, IdP=Entra ID, PSSO profile uses Secure Enclave Key as the auth method because we have Jamf Connect managing accounts and password sync and understand that they can be complementary.

On new builds when we deploy the PSSO profile before registering with Intune/Company Portal/Entra ID via our normal Jamf-driven Device Compliance workflow, it registers cleanly, works as expected, and CA permits access to protected data and apps, so it’s successfully replacing Device Compliance.

On prod devices already registered with Device Compliance, with Entra ID device records, WPJ keys in keychain and the rest, when we deploy PSSO afterwards, it initiates the registration, accepts the user credentials, and creates a duplicate stub record in Entra ID, but at the last step, where it would require MFA and then pop up the dialog prompting to allow CP Passkeys in System Settings, it instead gets the “Registration Failed, try again later” dialog. It duly re-prompts for registration later but never succeeds (creating a new stub record with each attempt).

Has anyone encountered this issue and come up with a solution that allows registration without a compliance workflow rollback (manual unenrollments or wholesale deletions), or has a script or other method to remotely deploy a rollback of the device compliance registration that clears the deck for PSSO?

Try this script to clean the registration:

#!/bin/bash
#macOS WPJ and jamfAAD item clean up
#By Bryce Carlson - 3/2/2021
#
#This script will remove the Workplace Join items made by Company Portal during a device registration. It will also clear the jamfAAD items from the gatherAADInfo command run after a successful WPJ.
#Clearing this data will allow for a re-registration device side.
#
#NOTE: THIS SCRIPT WILL NOT CLEAR AZURE AD RECORDS (those are created by Company Portal). IT MAY CLEAR MEM RECORDS IF A JAMFAAD GATHER AAD INFO COMMAND RUNS AFTER THIS AS THE AAD ID IS NOW MISSING. THIS WILL RESULT IN A DEACTIVATION OF THE DEVICE RECORD SENT FROM JAMF PRO TO AAD (AND AAD TO MEM).
#
#Run as root (e.g. from a Jamf Pro policy). Keychain commands are run in the console user's context so they hit the login keychain.
#
#variable to run as current user
currentuser=$(stat -f "%Su" /dev/console)
if [ -z "$currentuser" ] || [ "$currentuser" = "root" ] || [ "$currentuser" = "loginwindow" ]; then
    echo "No user is logged in at the console, so the login keychain cannot be cleaned. Exiting."
    exit 1
fi
userhome=$(dscl . -read /Users/"$currentuser" NFSHomeDirectory | awk '{print $2}')
#
#helper: run one command as the current user
run_as_user() {
    su "$currentuser" -c "$1"
}
#helper: delete every matching generic password (security only removes the first match per call,
#and repeated registration attempts leave duplicates behind)
delete_all_generic() {
    while run_as_user "security delete-generic-password $1 '$2'" >/dev/null 2>&1; do :; done
}
#
#variable for current logged in user AAD ID cert. and WPJ key
#The WPJ certificate is issued by MS-ORGANIZATION-ACCESS; its "alis" attribute, printed a few lines
#above the issuer in the security output, holds the device ID. Only the security call needs the user
#context; grep/awk can run as root, which avoids the nested-quoting problems of a single su -c string.
AAD_ID=$(run_as_user "security find-certificate -a -Z" | grep -B 9 "MS-ORGANIZATION-ACCESS" | awk -F'"' '/"alis"<blob>=/ {print $4}' | head -n 1)
#CERT_BY_SHA=$(run_as_user "security find-certificate -a -Z" | grep -B 9 "MS-ORGANIZATION-ACCESS" | awk '/SHA-1/ {print $3}' | head -n 1)
#
echo "Removing keychain password items for jamfAAD"
#jamfAAD items
delete_all_generic -l 'com.jamf.management.jamfAAD'
rm -rf "$userhome/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState"
rm -f "$userhome/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"
rm -rf "$userhome/Library/Saved Application State/com.jamf.management.jamfAAD.savedState"
#JamfAAD.app is only present in older Jamf.app builds, so skip the clean command if it is missing
jamfaad="/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD"
if [ -x "$jamfaad" ]; then
    run_as_user "'$jamfaad' clean"
else
    echo "JamfAAD binary not found at $jamfaad; skipping 'JamfAAD clean'"
fi
#
echo "Removing keychain password items for Company Portal app (v2.6 and higher with new com.microsoft.CompanyPortalMac bundle ID)"
#Company Portal app items
rm -f "$userhome/Library/Cookies/com.microsoft.CompanyPortalMac.binarycookies"
rm -rf "$userhome/Library/Saved Application State/com.microsoft.CompanyPortalMac.savedState"
rm -f "$userhome/Library/Preferences/com.microsoft.CompanyPortalMac.plist"
rm -f "/Library/Preferences/com.microsoft.CompanyPortalMac.plist"
rm -rf "$userhome/Library/Application Support/com.microsoft.CompanyPortalMac"
rm -rf "$userhome/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"
#items by label (-l)
delete_all_generic -l 'com.microsoft.CompanyPortal'
delete_all_generic -l 'com.microsoft.CompanyPortalMac'
delete_all_generic -l 'com.microsoft.CompanyPortal.HockeySDK'
delete_all_generic -l 'com.microsoft.adalcache'
delete_all_generic -l 'enterpriseregistration.windows.net'
delete_all_generic -l 'https://device.login.microsoftonline.com'
delete_all_generic -l 'https://device.login.microsoftonline.com/'
delete_all_generic -l 'https://enterpriseregistration.windows.net'
delete_all_generic -l 'https://enterpriseregistration.windows.net/'
#items by account name (-a)
delete_all_generic -a 'com.microsoft.workplacejoin.thumbprint'
delete_all_generic -a 'com.microsoft.workplacejoin.registeredUserPrincipalName'
#
if [ -n "$AAD_ID" ]; then
    echo "Removing WPJ for Device AAD ID $AAD_ID for $currentuser"
    run_as_user "security delete-identity -c '$AAD_ID'"
else
    echo "No MS-ORGANIZATION-ACCESS certificate found in the login keychain for $currentuser; nothing to delete"
fi
#echo "Removing WPJ for Device AAD ID $AAD_ID for $currentuser from SHA hash $CERT_BY_SHA"
#
echo "Please REBOOT this macOS device to re-load the login.keychain and re-run the Azure Registration via Self Service AFTER you ensure device removal from AAD and MEM server side."
exit 0

Thank you, @Shyamsundar, but I had already tried that script and it would seem to be out of date. Since Jamf moved to the new Device Compliance mechanism, Jamf.app no longer contains JamfAAD.app, which is replaced with Jamf Conditional Access.app, which doesn’t have an equivalent clean option. This script removes some of the keychain entries associated with the device compliance registration, but not all. Some identity preferences associated with device.login.microsoftonline.com and enterpriseregistration.windows.net, some application passwords associated with com.microsoft.workplacejoin.* accounts, and an Internet password named “Jamf Conditional Access Account” all remain, and I don’t know whether those items are relevant to the failure. I think I might just need a more modern version of this cleanup script, but haven’t been able to put it together myself.
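Before and after running any cleanup script, it helps to have an inventory of exactly which registration-related items are still in the login keychain, rather than guessing from error dialogs. The following is an added example, not code from this thread, Jamf or Microsoft: a small audit that parses the text output of `security dump-keychain` and lists every item whose label, account, service or server matches the names mentioned above (com.microsoft.workplacejoin.*, the Company Portal entries, the device.login.microsoftonline.com and enterpriseregistration.windows.net identity preferences, the "Jamf Conditional Access Account" Internet password, and the MS-ORGANIZATION-ACCESS issuer). The embedded sample dump is constructed for the example and shows only a subset of the attributes a real dump prints; the pattern list is an assumption drawn from this thread, so extend it with whatever else your own SSOExtension.log or dump shows.

```shell
#!/bin/bash
# Added example (not from the thread, not Jamf or Microsoft code): audit the console
# user's login keychain for items tied to Entra ID device registration / Jamf device
# compliance, so you can see what a cleanup script left behind. The parser works on
# the text output of `security dump-keychain`, which prints one "class:" header per
# item followed by its attribute lines (0x00000007 = label, "acct", "svce", "srvr").

# Names this thread associates with the registration (assumption; extend as needed).
# Used as a dynamic awk regex, read via ENVIRON so the backslashes survive intact.
WPJ_PATTERN='com\.microsoft\.workplacejoin|com\.microsoft\.CompanyPortal|com\.microsoft\.adalcache|enterpriseregistration\.windows\.net|device\.login\.microsoftonline\.com|com\.jamf\.management\.jamfAAD|Jamf Conditional Access Account|MS-ORGANIZATION-ACCESS'
export WPJ_PATTERN

# Constructed sample dump (attribute subset only; a real dump has more lines per item).
SAMPLE_DUMP=$(cat <<'EOF'
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="com.microsoft.workplacejoin.thumbprint"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="com.microsoft.workplacejoin.thumbprint"
    "svce"<blob>="com.microsoft.workplacejoin"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="Jamf Conditional Access Account"
    "acct"<blob>="alice@example.com"
    "srvr"<blob>="login.microsoftonline.com"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="https://enterpriseregistration.windows.net"
    "acct"<blob>=<NULL>
    "svce"<blob>="https://enterpriseregistration.windows.net"
    "type"<uint32>="iprf"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Chrome Safe Storage"
    "acct"<blob>="Chrome"
    "svce"<blob>="Chrome Safe Storage"
EOF
)

# audit_dump: dump-keychain text on stdin -> one tab-separated line per matching item:
#   class  label  account  service-or-server
audit_dump() {
  awk '
    BEGIN { pat = ENVIRON["WPJ_PATTERN"] }
    function val(s) { sub(/^.*<blob>="/, "", s); sub(/"$/, "", s); return s }
    function flush() {
      if (cls != "" && (label ~ pat || acct ~ pat || svc ~ pat))
        printf "%s\t%s\t%s\t%s\n", cls, label, acct, svc
      cls = ""; label = ""; acct = ""; svc = ""
    }
    /^class: /                 { flush(); cls = $2; gsub(/"/, "", cls); next }
    /^ *0x00000007 <blob>="/   { label = val($0); next }   # item label
    /^ *"labl"<blob>="/        { label = val($0); next }   # certificates
    /^ *"acct"<blob>="/        { acct  = val($0); next }
    /^ *"svce"<blob>="/        { svc   = val($0); next }   # generic password service
    /^ *"srvr"<blob>="/        { svc   = val($0); next }   # internet password server
    END { flush() }
  '
}

# count_wpj_items: number of matching items in the dump text on stdin
count_wpj_items() { audit_dump | awk 'END { print NR }'; }

if [ "${1:-}" = "--live" ]; then
  # Run as root on the Mac (e.g. from a Jamf policy); dumps the console user's login keychain.
  currentuser=$(stat -f "%Su" /dev/console)
  su "$currentuser" -c "security dump-keychain" | audit_dump
else
  printf '%s\n' "$SAMPLE_DUMP" | audit_dump
fi
```

Run it once before cleanup and once after (`sudo ./wpj_audit.sh --live`), and diff the two listings: anything that survives is a concrete item name you can feed to `security delete-generic-password -l`, `-a`, or `security delete-internet-password -s`, instead of hoping the next cleanup script happens to cover it.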


For anyone following this, I’ve had a breakthrough, seemingly! Will do wider testing this week, but initial results are very promising. I’m now able to deploy the same PSSO configuration profile to devices already registered in Entra ID via Device Compliance as I do to unregistered ones and it now converts or replaces the existing record cleanly, changing the status to Entra ID joined and retaining compliant status, with no “unwinding” in Entra ID or Jamf needed.

The secret was unexpectedly simple: I merely added an undocumented URL, https://enterpriseregistration.windows.net, to the list of IdP URLs in the SSO Extensions payload of the profile. If this doesn’t work for you, you might try exporting logs with Company Portal (open Company Portal, no need to sign in, just go to the Help menu and choose Save Diagnostics Report), and in the exported SSOExtension.log, review the activity for other URLs used. I also saw an older https://login.windows.net and a regional https://login.microsoftonline.de, which were also in neither the MS nor the Jamf implementation docs, but these didn’t unlock the magic.
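To make the change above concrete, here is an added example (a reconstruction, not the poster's actual profile and not a Jamf or Microsoft artifact) of the relevant subset of an Extensible SSO payload with https://enterpriseregistration.windows.net added to the URLs array, together with a check that pulls the URLs out of an exported .mobileconfig so you can confirm what a profile actually carries before you scope it. The payload keys are Apple's com.apple.extensiblesso keys; the Company Portal extension identifier, team identifier and the first three URLs are assumed from Microsoft's published PSSO guidance, and the fragment is constructed for this example rather than a full, signed profile.

```shell
#!/bin/bash
# Added example (not from the thread, not Jamf or Microsoft code): a constructed
# Extensible SSO (PSSO) payload fragment carrying the extra IdP URL, plus a check
# that lists the URLs array of any plist-format .mobileconfig given on stdin/argv.

REQUIRED_URL="https://enterpriseregistration.windows.net"

# Constructed sample payload: only the keys relevant here, values assumed from
# Microsoft's documented extension/team identifiers and Apple's PSSO keys.
SAMPLE_PROFILE=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key>
  <string>com.microsoft.CompanyPortalMac.ssoextension</string>
  <key>TeamIdentifier</key>
  <string>UBF8T346G9</string>
  <key>Type</key>
  <string>Redirect</string>
  <key>URLs</key>
  <array>
    <string>https://login.microsoftonline.com</string>
    <string>https://login.microsoft.com</string>
    <string>https://sts.windows.net</string>
    <string>https://enterpriseregistration.windows.net</string>
  </array>
  <key>PlatformSSO</key>
  <dict>
    <key>AuthenticationMethod</key>
    <string>UserSecureEnclaveKey</string>
    <key>UseSharedDeviceKeys</key>
    <true/>
  </dict>
</dict>
</plist>
EOF
)

# profile_urls: print the <string> values inside the URLs array of the plist on stdin.
# Text-based on purpose (no plutil needed): it relies on <key>URLs</key> being followed
# by a single <array>...</array>, which is how the payload is laid out in XML form.
profile_urls() {
  awk '
    /<key>URLs<\/key>/     { inurls = 1; next }
    inurls && /<\/array>/  { inurls = 0 }
    inurls && /<string>/ {
      s = $0; sub(/^.*<string>/, "", s); sub(/<\/string>.*$/, "", s); print s
    }
  '
}

# count_profile_urls: number of URLs in the array of the plist on stdin
count_profile_urls() { profile_urls | awk 'END { print NR }'; }

# has_required_url: exit 0 if the plist on stdin lists REQUIRED_URL exactly, 1 otherwise
has_required_url() {
  profile_urls | grep -qxF "$REQUIRED_URL"
}

if [ -n "${1:-}" ]; then
  # Usage: ./check_psso_profile.sh decoded-profile.plist
  if has_required_url < "$1"; then
    echo "$1: OK, $REQUIRED_URL is in the SSO extension URLs"
  else
    echo "$1: MISSING $REQUIRED_URL in the SSO extension URLs"
  fi
else
  printf '%s\n' "$SAMPLE_PROFILE" | profile_urls
fi
```

Profiles downloaded from Jamf Pro are usually CMS-signed; decode one first with `security cms -D -i profile.mobileconfig > profile.plist` and then run the check against the decoded plist. The check only tells you whether the URL is in the payload, not whether registration will succeed, which matches the mixed results reported later in this thread.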


Unfortunately, testing is uncertain; it’s working some but not all of the time. In some cases where it’s still failing, removing and then re-deploying the profile allows it to succeed, but not in every case. We might still have to pivot to trying to find a way to “de-register” with Intune and Jamf Device Compliance on enrolled devices. I’m open to further insights...