Skip to main content
Question

Potential Issue with Jamf Pro Device Compliance Integration in Microsoft Entra

  • May 22, 2024
  • 2 replies
  • 212 views
R
Forum|alt.badge.img+3

We are investigating potential inconsistencies in device registration status for the Jamf Pro Device Compliance integration with Microsoft Entra.

Observations:

  • Devices are marked as non-compliant in Microsoft Entra despite appearing as compliant within Jamf Pro's "Compliant" Smart Group.
  • The Jamf AAD plist file and the MS-ORGANIZATION-ACCESS keychain entry go missing on affected devices.
  • Re-registration through Self Service/Microsoft Company Portal temporarily resolves the issue, but devices fall out of registration again after a period of time, then fall out of complaince. (approximately two weeks).

Environment:

  • Jamf Pro version: 11.4.2 (presumed not to be related to recent product issues)

Request:

I would appreciate any insights from the community regarding similar experiences or potential solutions.

    2 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • May 22, 2024

    While I can't say I've seen these exact issues using the Device Compliance integration, I have seen other issues with it. And I think you will hear similar stories from other admins using it in their orgs as well. To put it bluntly, the Entra ID / InTune integration is extremely fragile and problematic, to say the least. It seems to break if you look at it the wrong way, unfortunately. This isn't as much a Jamf issue as it is a Microsoft one.

    For whatever reason, re-registering a device that had an issue like this in Company Portal creates dupe records in Entra ID/InTune. It shouldn't. In a sane world, it would see that it's the exact same device and simply pair up the new registration coming in with the existing one, but no, Microsoft made this in a way to create a whole new record, which then gets messy and causes issues. It's dumb, but it is what it is.

    I only mention this because I'm wondering if as part of your troubleshooting you're deleting the old computer records out of Entra ID before you have someone attempt to re-register. If not, you're asking for problems down the line, as in, the problems may not present themselves right away. That could be part of why you're seeing it work ok for a while and then start showing issues again, though I don't think I've ever seen it last for 2 weeks, let alone even one week before experiencing issues, so maybe that isn't related.

    I also have not seen the Jamf AAD plist and MS-ORGANIZATION-ACCESS keys go MIA, at least not unless we are purposely removing them. We do remove those as part of prepping a Mac for a re-registration when things go sideways. Since you said it happens after some time, have you checked to make sure there is no Jamf policy doing something here? Like maybe some cleanup thing running once a month? That's probably not it, but it's odd that those items would get removed unless they're being acted on by something outside.

    Have you opened up a case with Microsoft, if that's possible to do? They'd ask for logs from affected machines in addition to some other items maybe. They should be able to help figure out what's going on. You can also open a ticket with Jamf support, but I have a feeling this will land more on the MS side of the house to figure out a cause.

    R
    Forum|alt.badge.img+3
    • RolindaS
    • Author
    • New Contributor
    • May 28, 2024

    While I can't say I've seen these exact issues using the Device Compliance integration, I have seen other issues with it. And I think you will hear similar stories from other admins using it in their orgs as well. To put it bluntly, the Entra ID / InTune integration is extremely fragile and problematic, to say the least. It seems to break if you look at it the wrong way, unfortunately. This isn't as much a Jamf issue as it is a Microsoft one.

    For whatever reason, re-registering a device that had an issue like this in Company Portal creates dupe records in Entra ID/InTune. It shouldn't. In a sane world, it would see that it's the exact same device and simply pair up the new registration coming in with the existing one, but no, Microsoft made this in a way to create a whole new record, which then gets messy and causes issues. It's dumb, but it is what it is.

    I only mention this because I'm wondering if as part of your troubleshooting you're deleting the old computer records out of Entra ID before you have someone attempt to re-register. If not, you're asking for problems down the line, as in, the problems may not present themselves right away. That could be part of why you're seeing it work ok for a while and then start showing issues again, though I don't think I've ever seen it last for 2 weeks, let alone even one week before experiencing issues, so maybe that isn't related.

    I also have not seen the Jamf AAD plist and MS-ORGANIZATION-ACCESS keys go MIA, at least not unless we are purposely removing them. We do remove those as part of prepping a Mac for a re-registration when things go sideways. Since you said it happens after some time, have you checked to make sure there is no Jamf policy doing something here? Like maybe some cleanup thing running once a month? That's probably not it, but it's odd that those items would get removed unless they're being acted on by something outside.

    Have you opened up a case with Microsoft, if that's possible to do? They'd ask for logs from affected machines in addition to some other items maybe. They should be able to help figure out what's going on. You can also open a ticket with Jamf support, but I have a feeling this will land more on the MS side of the house to figure out a cause.


    I tested two use cases, I have been removing some the dupe records that get created on a hand full of devices, but what happening now is that that dupe records are no longer being created and the existing record of the device in Entra is getting update with the new registration details. Additionally It looks like all has stabilized, users are no longer being prompted for jamfaad it may have to do with the fix they applied in Jamf 11.5.0.

    Terms & ConditionsCookie settingsAccessibility statement