An Alternative to the Jamf Intune Integration (No more jamfAAD pop-ups)

bwoods
Valued Contributor

If any of you are tired of your users receiving jamfAAD pop-ups, I would highly recommend transitioning to device identification using certificates. This method of conditional access allows you to control conditional access directly from your Jamf Pro server. Access is simply determined by the presence of your certificate. (This does require your users to have E5 licenses)

The certificate is deployed via configuration profile...so no more manual registration either. Perfect for zero-touch deployments. To stop the pop-ups unload or delete any launchAgents related to the jamfAAD Agent. 

You can read more about this process here

 


Levi_
Contributor II

This is definitely worth looking into. I wonder if an MS Defender for Office Plan 1 or Enterprise Mobility + Security E3 license is enough. Picking up E5's for everyone is definitely not cheap.

bwoods
Valued Contributor

Hi @Levi_ , I've got more useful information on Microsoft Cloud App Security here.

piotrr
Contributor II

Will look into this, thanks bwoods. We're already at that license with Defender deployed. 

bwoods
Valued Contributor

 

#!/bin/bash
# Disable jamfAAD
# Brandon Woods
# January 2022
# This script will remove all jamfAAD components and disable the microsoftCAEnabled preference key

# LaunchAgents run in the logged-in user's session, so unload them from that
# user's GUI domain rather than from root's (a plain "launchctl unload" from a
# root-run policy does not reach the user's session)
consoleUser=$(stat -f %Su /dev/console)
consoleUID=$(id -u "$consoleUser" 2>/dev/null)

# Delete JamfAAD.app
rm -rf "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app"

# Delete JamfAAD symbolic link
rm -f /usr/local/jamf/bin/jamfAAD

# Unload and delete com.jamf.management.jamfAAD.agent.plist and com.jamf.management.jamfAAD.clean.agent.plist
for agent in com.jamf.management.jamfAAD.agent com.jamf.management.jamfAAD.clean.agent; do
    plist="/Library/LaunchAgents/${agent}.plist"
    if [ -f "$plist" ]; then
        if [ -n "$consoleUID" ] && [ "$consoleUser" != "root" ]; then
            launchctl bootout "gui/${consoleUID}" "$plist" 2>/dev/null
        fi
        rm -f "$plist"
    fi
done

# Disable microsoftCAEnabled preference key
defaults write /Library/Preferences/com.jamfsoftware.jamf.plist microsoftCAEnabled -bool false

exit 0		## Success

 

TimArnold
New Contributor II

@bwoods - Thanks for the Tip. We have been getting a lot of user complaints since rolling out Intune Integration. I would love to make those go away. 

I have a few questions:

  • When you are deploying the Config Profile to install the certificate are you installing at the Computer level or User level?
  • Are you enabling "Allow all apps access" for the certificate?
  • Are there any special information needed in the Certificate Subject or Subject Alternative Name?

bwoods
Valued Contributor

@TimArnold. I found that system and user certs work for macOS. I would recommend using a system cert. If you have ADCS or SCEP configured for wireless you don't even need to deploy a cert. Just upload the Root and Intermediate cert of your ADCS/SCEP cert and the policy will use the PKI cert for conditional access.

I do have "Allow all apps access" enabled for the certificate.

My SAN is the same as my wireless cert because my wireless cert and conditional access cert are one and the same. (Let me know if this doesn't make sense.)

Reach out on the #jamf-intune-integration MacAdmins Channel. My username is brndnwds6.

@bwoods we don't have ADCS/SCEP, but we deploy the CA and intermediate cert with a config profile to the endpoint, which we have to update every year. So are you saying the same cert needs to be on Azure? And then remove JamfAAD to avoid that pop-up? Does that mean the machine doesn't need to register through JamfAAD if both systems (Azure and Jamf) have those certs? Then I guess we don't need to deploy Company Portal as well, right? Please clarify.

jlombardo
Contributor

This looks real cool.  Going to add this to the POC we are doing.

Is there any documentation to create requirements to get the cert from the config policy?  The link shows how to setup a CA policy in Azure that requires the presence of the cert to get access, but I do not see where we can leverage Jamf in a way that would only pass those certs to machines we deem compliant.  I suppose Smart groups would be the best solution?

bwoods
Valued Contributor

I basically gave this to my security team and we began testing with a dummy certificate. I would suggest using a PKI cert because they automatically renew:

Conditional Access - device identification using certificates - ChrisOnSecurity
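The check the whole thread relies on is that the device certificate is actually present, and still valid, in the System keychain. As an added example that is not from the original posts or from Jamf, here is a Jamf Pro extension attribute that reports Missing, Unreadable, Expired, Expiring or Valid, so a smart group can scope the conditional-access profile (the Smart Group question above) or trigger renewal before the cert lapses. The certificate common name "Contoso Device Auth" and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Pro extension attribute that reports
# the state of the conditional-access device certificate in the System keychain.
# Assumptions (hypothetical, not from the original post): the certificate's
# common name is "Contoso Device Auth"; 30 days is the renewal warning window.

CERT_CN="Contoso Device Auth"
KEYCHAIN="/Library/Keychains/System.keychain"
WARN_DAYS=30

# classify_cert_pem PEM -> prints Missing | Unreadable | Expired | Expiring | Valid
# Pure logic on a PEM string (openssl only), so it can be exercised without a Mac.
classify_cert_pem() {
    pem="$1"
    # Empty input means the keychain had no certificate matching the CN
    if [ -z "$pem" ]; then
        printf 'Missing\n'
        return 0
    fi
    # Reject anything openssl cannot parse as an X.509 certificate
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        printf 'Unreadable\n'
        return 0
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        printf 'Expired\n'
        return 0
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        printf 'Expiring\n'
        return 0
    fi
    printf 'Valid\n'
}

# read_device_cert -> prints the PEM of the first certificate whose CN matches,
# or nothing when none is found or when not running on macOS (no security tool)
read_device_cert() {
    command -v security >/dev/null 2>&1 || return 0
    security find-certificate -c "$CERT_CN" -p "$KEYCHAIN" 2>/dev/null
}

# Extension attribute output, wrapped in <result> tags as Jamf Pro expects
printf '<result>%s</result>\n' "$(classify_cert_pem "$(read_device_cert)")"
```

Paste it as a script-type extension attribute and build smart groups on the string value (for example "Missing" or "Expiring" as the criterion). On a Mac it reads the first matching certificate with security find-certificate; elsewhere it reports Missing so the classification logic can be tested with openssl alone. It reports presence and validity only: whether the matching private key is non-exportable is decided by the profile or SCEP/ADCS payload that delivered it, not by this check.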

sharif_khan
Contributor

@bwoods 

I was checking for the presence of JamfAAD before removal. I found JamfAAD in only one location, which is:

/usr/local/jamf/bin/jamfAAD. Other than that, I found no JamfAAD presence anywhere on my test machine. But I am still getting that same error pop-up. So will running your script help me? Another thing, for your information: we are not using Jamf Connect, we are using Jamf Pro. As per Microsoft, JamfAAD is for Jamf Connect, not for Jamf Pro. Any comment on this please?

bwoods
Valued Contributor

@sharif_khan I noticed that some of my users started getting prompted again a few weeks ago. Jamf made changes to the "jamfAAD.app". They changed the name to the "Jamf Conditional Access.app".


@bwoods Thanks for the reply. Here are some changes which I think are needed for your script to work.

# Delete JamfAAD.app
rm -rf "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf Conditional Access.app"

But I could not find any plist for the following commands:

# Unload com.jamf.management.jamfAAD.agent.plist
launchctl unload -w /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist

# Delete com.jamf.management.jamfAAD.agent.plist
rm -rf /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist

# Unload com.jamf.management.jamfAAD.clean.agent.plist
launchctl unload -w /Library/LaunchAgents/com.jamf.management.jamfAAD.clean.agent.plist

# Delete com.jamf.management.jamfAAD.clean.agent.plist
rm -rf /Library/LaunchAgents/com.jamf.management.jamfAAD.clean.agent.plist

So do we need to remove these .plist files, or am I missing something?

Another thing: before writing to com.jamfsoftware.jamf.plist, we can add a checkpoint as below. (The read is quoted and its error output discarded so the test still works when the key does not exist yet; a missing key then falls through to the write.)

# Disable microsoftCAEnabled preference key
if [ "$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist microsoftCAEnabled 2>/dev/null)" != "0" ]; then
    defaults write /Library/Preferences/com.jamfsoftware.jamf.plist microsoftCAEnabled -bool false
else
    echo "No change required"
fi

bwoods
Valued Contributor

Ah yes, the script. I found that just using a Jamf restriction works much better.

 

sjlo
New Contributor II

Hi, I'm currently setting up and evaluating MCAS for Conditional Access. We've set up the policy as described and it blocks app login when the certificate is not present. When the certificate is present, it doesn't block... but the (Office) apps are failing to authenticate the user.

bwoods
Valued Contributor

I don't know if this helps, but we had to create an exception group in Azure AD that excludes members from all other conditional access policies. Now we just add them to the group during imaging.

sharif_khan
Contributor

I have a question regarding the Jamf and Intune integration. What is the actual benefit of that besides inventory information? Can anyone give me some detailed information on what other benefits we can gain with that integration?

Conditional access and compliance monitoring in Azure and Intune, which enables risk-based sign-in management.