If any of you are tired of your users receiving jamfAAD pop-ups, I would highly recommend transitioning to device identification using certificates. This method of conditional access allows you to control conditional access directly from your Jamf Pro server. Access is simply determined by the presence of your certificate. (This does require your users to have E5 licenses)
The certificate is deployed via configuration profile...so no more manual registration either. Perfect for zero-touch deployments. To stop the pop-ups unload or delete any launchAgents related to the jamfAAD Agent.
You can read more about this process here.
#!/bin/bash # Disable jamfAAD # Brandon Woods # January 2022 # This script will remove all jammADD components and disable the microsoftCAEnabled preference key # Delete JamfAAD.app rm -rf /Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app # Delete JamfAAD symbolic link rm -rf /usr/local/jamf/bin/jamfAAD # Unload com.jamf.management.jamfAAD.agent.plist launchctl unload -w /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist # Delete com.jamf.management.jamfAAD.agent.plist rm -rf /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist # Unload com.jamf.management.jamfAAD.clean.agent.plist launchctl unload -w /Library/LaunchAgents/com.jamf.management.jamfAAD.clean.agent.plist # Delete com.jamf.management.jamfAAD.clean.agent.plist rm -rf /Library/LaunchAgents/com.jamf.management.jamfAAD.clean.agent.plist # Disable microsoftCAEnabled preference key defaults write /Library/Preferences/com.jamfsoftware.jamf.plist microsoftCAEnabled -bool false exit 0; ## Success exit 1; ## Failure
@bwoods - Thanks for the Tip. We have been getting a lot of user complaints since rolling out Intune Integration. I would love to make those go away.
I have few question:
@TimArnold. I found that system and user certs work for macOS. I would recommend using a system cert. If your have ADCS or SCEP configured for Wireless you don't even need to deploy a cert. Just upload the Root and Intermediate cert of your ADCS/SCEP cert and the policy will use the PKI cert for conditional access.
I do have "All all apps access" enabled for the certificate.
My San is the same as my wireless cert because my wireless cert and conditional access cert are one in the same. (Let me know if this doesn't make sense.)
Reach out on the #jamf-intune-integration MacAdmins Channel. My username is brndnwds6.
This looks real cool. Going to add this to the POC we are doing.
Is there any documentation to create requirements to get the cert from the config policy? The link shows how to setup a CA policy in Azure that requires the presence of the cert to get access, but I do not see where we can leverage Jamf in a way that would only pass those certs to machines we deem compliant. I suppose Smart groups would be the best solution?