
Hello All,

We’ve just started to implement Jamf Pro in our company. Nearly all configurations are completed except sending compliant information to Microsoft Intune. We have to do this because we’re using Azure (Entra) Conditional Access rules in our company. If a macOS device is not compliant it cannot reach internal company resources. Just a simple rule.


Steps Completed

Problem Summary

After enrolling in Jamf, we try to sign in to Company Portal and the Jamf compliance popup appears. Then we enter our user account details again, but somehow the Microsoft login page shows “get app”. It behaves as if Company Portal is not installed.

Briefly, some of our computers become compliant without any problem, but others cannot get into compliance, and the login page gives us a message asking us to install Company Portal, as if it were not installed on the computer.


Do you have any suggestions for this boring problem? I would be happy if you share your experiences or maybe step-by-step best practices.


Regards

You should not be opening company portal and signing in directly that way.


You need to run the registration through a self-service policy and that will login and launch company portal for you.



As suggested by @dmccluskey, the registration process needs to be started from Jamf Self Service. Opening the Company Portal directly will not work. Please create the specified policy, make it available in Self Service, and begin the registration from there.


Please refer to the link below for more information:

https://learn.jamf.com/en-US/bundle/technical-paper-microsoft-intune-current/page/Creating_a_Policy_Directing_Users_to_Register_Mac_Computers_with_Azure_Active_Directory.html#task-9871


From what I can gather, we need to get our users to run the integration from Self Service. Is there any way that I can automate this process?


Erlend


Just out of curiosity, would rolling out Microsoft Platform SSO be beneficial here? Tackle two birds with one stone, which would include sending compliance information to Intune?


We’re unable to automate this process at the moment; user intervention is required. You can use Platform SSO, but instead of registering through self-service, you’ll receive a registration notification and will need to complete the registration from there.


Yes, I understand.

What I’m saying is, why not move to Microsoft PSSO now? You can take advantage of the benefits of Microsoft PSSO + Device Compliance in one registration.

This may also give your users a better experience with the registration.


I have already created a policy that registers with Microsoft Entra ID. Even though we have it, the problem still occurs.



Are you using Microsoft Platform SSO now?



Not actually. Should I use it?


Platform SSO is handy, but does require some broad Azure Join rights for everyone in your environment.  Not all security teams will be OK with that.  It may be better to hold off for macOS 26 since it has a workaround for that.  Microsoft will have to implement that, but may still be an easier sell than letting anyone join any device.


Microsoft SSO is not my priority right now. My priority is figuring out how to send macOS devices in JAMF to Azure AD as Compliant in the healthiest way. I still haven't reached a clear solution.


Hi @ozkanyavuzun, I went through this process about two years ago. What the other users have directed is correct.

https://learn.jamf.com/en-US/bundle/technical-paper-microsoft-intune-current/page/Creating_a_Policy_Directing_Users_to_Register_Mac_Computers_with_Azure_Active_Directory_1.html

You don’t need to set up Platform SSO, but it would be beneficial.

Jamf will not automatically send the compliance information to Microsoft Intune. This is a Microsoft issue, not a Jamf issue. You need a user to sign into the Company Portal app; this is also how Microsoft enrolls a device into Intune when Intune itself is the MDM. The article I linked is how the user will need to enroll. They cannot enroll by opening up the Company Portal themselves. They must go through the “Register with Microsoft” button from the Self Service app.

There is no way to automate this Company Portal registration. To reduce some steps, though, you could create a script that will “activate” the “Register with Microsoft” policy, which opens the Company Portal and prompts them to sign in.

It does feel like it should be simpler, but we are working with two very different systems - Entra and Jamf. If you have any additional questions, I’d be happy to answer. Hopefully it cleared up some confusion, though.


@drewcymek Just want to make sure I understand before setting up testing groups. The “Compliance Group” is all the rules (OS version, FileVault status, etc.) you want to set for whether a device is compliant. The “Applicable Group” is the set of machines that will be prompted to register the computer with Entra. Only devices in the “Applicable Group” will be prompted to register the machine through Self Service, so if you want to pilot it with a subset of users first, you can. Is that correct?


@McAwesome Correct.

My application group is essentially “All Managed Clients”

My compliance group is “Applicable group” + “FileVault” + etc.

I would recommend setting your applicable group to something like “All Managed Clients” AND “test group” that you define from a static group. This means when you are ready to roll out, you can just remove “test group” from the Smart Applicable group.

For clarification, though, users won’t be “prompted” automatically to register. The “Require users to register” policy will just be available within Self Service. The user will need to navigate there themselves, unless you create some sort of script that displays a dialog to prompt them to run the policy.
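The two replies above both describe the same workaround: a script that shows the user a dialog and then kicks off the “Register with Microsoft” policy for them, so the only thing left for the user is the Company Portal sign-in. The script below is an added example written for this thread; it is not code from any of the posters or from Jamf. It assumes (our assumptions, not stated in the thread) that the registration policy has been given a custom event trigger named `registerWithMicrosoft` in Jamf Pro and that the `jamf` binary is at its usual path `/usr/local/bin/jamf`. The dialog text is also ours. Note that this only removes the “find it in Self Service” step; the user still has to sign in to Company Portal, which the thread says cannot be automated.

```shell
#!/bin/sh
# Added example for this thread (not Jamf's or any poster's code).
# Prompts the console user and, on "Register", runs the Self Service
# "Register with Microsoft" policy via its custom trigger, which opens
# Company Portal for the sign-in that completes Intune compliance.
#
# Assumptions (ours): the policy has the custom trigger below, and the
# jamf binary is at /usr/local/bin/jamf.

POLICY_TRIGGER="registerWithMicrosoft"   # assumed custom event trigger
JAMF_BIN="/usr/local/bin/jamf"           # assumed jamf binary path

# Command line that runs every policy scoped to this Mac carrying the
# custom trigger ("jamf policy -event <trigger>").
policy_command() {
    printf '%s policy -event %s\n' "$JAMF_BIN" "$POLICY_TRIGGER"
}

# AppleScript for the prompt: "Later" cancels, "Register" proceeds.
dialog_script() {
    cat <<'EOF'
display dialog "Your Mac must be registered with Microsoft Entra ID before it can reach company resources. Company Portal will open; sign in with your work account." with title "Device Registration" buttons {"Later", "Register"} default button "Register" cancel button "Later" with icon caution
EOF
}

# osascript prints e.g. "button returned:Register"; returns 0 to proceed,
# 1 to postpone (including when the user cancels and nothing is printed).
user_accepted() {
    case "$1" in
        *"button returned:Register"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Short name of the user at the console (empty at the login window), so
# the dialog is shown in that user's GUI session when this runs as root.
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil 2>/dev/null \
        | awk '/Name :/ && !/loginwindow/ { print $3 }'
}

main() {
    if [ ! -x "$JAMF_BIN" ]; then
        echo "jamf binary not found at $JAMF_BIN; nothing to do" >&2
        return 0
    fi
    user="$(console_user)"
    if [ -z "$user" ]; then
        echo "no user logged in; skipping registration prompt" >&2
        return 0
    fi
    uid="$(id -u "$user")"
    # Run the dialog inside the console user's session, not root's.
    answer="$(dialog_script | launchctl asuser "$uid" sudo -u "$user" osascript 2>/dev/null)"
    if user_accepted "$answer"; then
        echo "running: $(policy_command)" >&2
        "$JAMF_BIN" policy -event "$POLICY_TRIGGER"
    else
        echo "user postponed registration" >&2
    fi
}

main "$@"
```

Deploy it as a script in a Jamf policy (for example once per computer, or on a recurring check-in for machines in the applicable group that are still non-compliant) so the prompt appears without the user having to look in Self Service. If the user chooses “Later”, nothing runs and the policy can simply prompt again on the next check-in.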