Posted on 09-19-2024 10:10 AM
I've run into an issue with using Company Portal to register Macs in Entra for compliance purposes. It SEEMS to be a permissions issue. My admin account can register them, but my Joe Schmoe user account with no privileges can't. What I can't wring out of Microsoft or Jamf is what type of permissions my normal account might need to perform this action. We use Intune, not Jamf, for our mobile device management and we have Windows machines there as well. I can register or enroll all of those devices just fine, in testing. And my Admin account works just fine. Shows the device, compliance syncs over. All the fun bells and whistles. But with my regular account, I get this incredibly generic error when trying to even sign into Company Portal from the Self Service registration workflow...
Anyone have any ideas what permissions/privileges our standard accounts might need to register Macs in Entra for compliance?
Posted on 09-19-2024 11:35 AM
How many devices do you have registered to your regular account, and are other users getting this same issue or just you? I can get this from time to time if I have been lax about clearing out test device records and I reach the enrollment quota on my primary account.
Posted on 09-19-2024 11:38 AM
Good thought and thanks for chiming in so quickly, but I did clear out devices, worried about this exact issue first. Our org also has set a manual limit to, like, 100 devices or something, so, SO FAR it's not a device limit issue. But that's absolutely a good place to start, thank you!
Posted on 09-19-2024 11:39 AM
Also, to answer the rest of your question, yes. It's universal across the folks I have testing in IT at least. Our standard account is unable to get past that error and our Admin accounts work perfectly.
Posted on 09-23-2024 03:52 AM
Hi there
This is always a hard one as everyone has slight variations in their company config. From a permission perspective we really did not have to do anything special with our users. Just adjust a few scopes and tweak a few CAs.
A few questions for the other accounts you are trying to register with:
Are the users in scope for device compliance on your Compliance Partner in Intune?
Do you have any Conditional Access policies that may block a standard user from reaching "User Registration App for Device Compliance" in Azure/Entra?
Are the devices in scope for Device compliance?
3 weeks ago
Thanks for the response, yes to the first and last questions and I have our security guys taking a look at the middle question.
a month ago
Confirm the user you are doing the registration under is in the right Azure groups that's scoped on your Jamf Partner Device connector.
3 weeks ago
Yep, we have it scoped to our equivalent of an "active employees" group in AD. And I'm definitely a member of that group, as scoping things to that group has worked in the past, but it was worth checking.
4 weeks ago
Please ensure that users are not scoped to both the Partner Device Management and Partner Compliance management modules. Users should be scoped to either of these modules.