Posted on 08-22-2023 10:22 AM
We use Jamf Pro Cloud to manage our Mac fleet but would like to hybrid join our Macs to Intune as a method to control who can use Office 365. I see that Conditional Access is being deprecated. Can I accomplish this with just using Device Compliance? I keep getting notifications in Endpoint stating that an Intune update is coming concerning Intune device compliance. I'm new to Azure / Intune, so I apologize for my ignorance on that side.
Posted on 08-22-2023 10:50 AM
There's no such thing as a hybrid join on Mac. An Apple device can have one MDM profile on it at a time, so if you are managing with Jamf Pro you would be unable to join to Intune.
Device Compliance sends a compliant signal to Azure (Entra) based on a Smart Group in Jamf Pro. If a device falls into the Smart Group, it is compliant. If it falls out, it is not compliant.
The devices will show up under Devices in Azure AD (Entra AD) and their compliant status will be visible there. You can then utilize the Conditional Access blade in Azure to set a policy for access to O365 properties.
Hopefully that makes sense. Some links:
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
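To make the compliance-gated flow described in the reply above concrete, here is an added example (not code from the thread, Jamf or Microsoft). It builds the Microsoft Graph `conditionalAccessPolicy` body that requires a compliant device for Office 365 on macOS, starting in report-only state with an emergency-access account excluded, and then runs a simplified simulation of how Entra would evaluate that policy against constructed sign-in records, where the device's compliant flag mirrors Jamf Smart Group membership. The Graph field names and enum values (`enabledForReportingButNotEnforced`, `Office365`, `macOS`, `compliantDevice`) are real; the evaluation logic is a model written for illustration, and `BREAK_GLASS_PLACEHOLDER` is a placeholder, not a real object id.

```python
"""
Model of the Jamf Pro Smart Group -> Intune Device Compliance -> Conditional
Access flow. Added example; the evaluate() logic is a simplified simulation,
not Entra's real engine, and the sign-in records are constructed sample data.
"""
from dataclasses import dataclass
import json

# Placeholder for the object id of an emergency-access ("break glass") account.
BREAK_GLASS_PLACEHOLDER = "<object-id-of-emergency-access-account>"


def build_o365_compliance_policy(break_glass_ids, report_only=True):
    """Return a Graph-shaped Conditional Access policy body that grants
    Office 365 access on macOS only to devices Intune reports as compliant
    (with Jamf Device Compliance: devices currently in the Smart Group)."""
    if not break_glass_ids:
        # Refuse to build a policy that could lock every admin out.
        raise ValueError("exclude at least one emergency-access account")
    return {
        "displayName": "Require compliant Mac for Office 365",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["macOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


@dataclass
class SignIn:
    user_id: str
    app: str               # e.g. "Office365"
    platform: str          # e.g. "macOS"
    in_smart_group: bool   # Jamf Smart Group membership == compliant flag in Entra


def evaluate(policy, sign_in):
    """Simplified simulation of policy evaluation.
    Returns 'not-in-scope', 'grant', 'report-only-block' or 'block'."""
    cond = policy["conditions"]
    if sign_in.user_id in cond["users"]["excludeUsers"]:
        return "not-in-scope"
    if sign_in.app not in cond["applications"]["includeApplications"]:
        return "not-in-scope"
    if sign_in.platform not in cond["platforms"]["includePlatforms"]:
        return "not-in-scope"
    # The compliance signal Jamf sends is simply "is the Mac in the Smart Group".
    compliant = sign_in.in_smart_group
    if "compliantDevice" in policy["grantControls"]["builtInControls"] and compliant:
        return "grant"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only-block"   # would be blocked once enforced
    return "block"


def rollout_preview(policy, sign_ins):
    """Count outcomes per sign-in so the impact of enabling can be reviewed first."""
    counts = {}
    for s in sign_ins:
        outcome = evaluate(policy, s)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample sign-ins: one compliant Mac, one Mac that fell out of the
# Smart Group, one Windows device (out of scope) and the break-glass account.
SAMPLE_SIGN_INS = [
    SignIn("user-a", "Office365", "macOS", in_smart_group=True),
    SignIn("user-b", "Office365", "macOS", in_smart_group=False),
    SignIn("user-c", "Office365", "Windows", in_smart_group=False),
    SignIn(BREAK_GLASS_PLACEHOLDER, "Office365", "macOS", in_smart_group=False),
]

if __name__ == "__main__":
    policy = build_o365_compliance_policy([BREAK_GLASS_PLACEHOLDER])
    print(json.dumps(policy, indent=2))
    print(rollout_preview(policy, SAMPLE_SIGN_INS))
```

Run the preview in report-only state first, confirm that the only "report-only-block" entries are Macs you expect to be outside the Smart Group, and only then switch `report_only=False`. A Mac that drops out of the Smart Group (stale inventory, failed check-in) is blocked the same way as a genuinely non-compliant one, so the Smart Group criteria deserve as much review as the policy itself.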
Posted on 08-22-2023 11:53 AM
@bern In addition to the information that @stevewood provided, make sure that the Azure AD credentials you are using to set up the Device Compliance integration have the Global Administrator permission. That little tidbit seems to be missing in the Jamf docs, and without it you won't get past the "Need admin approval" screen when signing in to Azure AD/Intune.
Posted on 08-22-2023 12:21 PM
Good callout on that! I'll put a ticket in to get that documentation updated to indicate Global Admin privs are necessary. I could've sworn we already made that change.
Posted on 08-22-2023 01:04 PM
It is called out in the old MS docs on Conditional Access integration (https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-jamf-cloud-connector), but I didn't find it in any of the Jamf Device Compliance configuration docs.
Posted on 08-23-2023 02:07 AM
Everyone else commenting has given you great tidbits on how to handle the conditional access pieces. The one thing that is worth adding in is that "binding" in the traditional "joining devices to Active Directory" sense is dead. It was never a great experience with on-premises Active Directory and it's not really something you can do with Azure AD/Entra ID either. If controlling identity as a means of controlling access to the Mac is important to you, you'll want to use Jamf Connect in conjunction with Azure AD/Entra ID.
Posted on 09-11-2023 05:40 PM
Thank you guys for your guidance and sharing your experiences. Diving into Entra ID really makes me appreciate the Jamf experience that much more!