Conditional access deprecation and migration to macOS device compliance

jcx9228
New Contributor III

Hello,

Any businesses using the conditional access model here?

I would like to raise a forum thread to get some knowledge about the practices you use when migrating from the legacy Intune integration to the new macOS Device Compliance.

As JAMF has no way to migrate for now and the current legacy integration has issues of its own, we now have a dilemma:

Should we wait for a Jamf solution to migrate smoothly?

Or should we turn off the legacy one and integrate the new one without migration? If we go this way, all Macs will lose Office 365 access and we will need to re-register every single device.

That will create a pretty big service disturbance. Just wondering what approach other companies take to deal with this?

trull_sengar
New Contributor III

Hello,

Thank you for raising this. We have the same question at our business, hence I'm bumping this thread.

jcx9228
New Contributor III

We migrated. How did this go on your side? Does it work better?

trull_sengar
New Contributor III

We haven't migrated yet. We plan to do it after the beginning of next year. I've been reading through the macadmins Slack channel and could see mixed feedback.
Some have had no issues whatsoever, some others have had random incidents.
From what I understood and what I read from the Jamf documentation, the migration should be rather easy to do. How did it go for you?

jcx9228
New Contributor III

Hi, well, it worked maybe 60 – 70% effectively. The rest we still needed to re-register manually. Maybe it would be more if the user didn't need to do anything, but he needed to get a pop-up where he needed to log in once, which of course some ignored. The registration itself does not seem to change. It seems to be the same Company Portal, with the same registration policy in Self Service, which gives the same user-unfriendly authentication steps where after login you get the Done button, but the browser still opens further steps. It works, I would say, a little better.

jcx9228
New Contributor III

We found a way to re-trigger migration with this:

#!/bin/sh

# Jamf Pro policy script: $3 is the console username that Jamf passes to
# every policy script, so jamfaad runs in that user's session rather than
# as root. gatherAADInfo is invoked twice, as in the original post.
/usr/bin/sudo -u "$3" /usr/local/jamf/bin/jamfaad gatherAADInfo
/usr/bin/sudo -u "$3" /usr/local/jamf/bin/jamfaad gatherAADInfo

AL1992
New Contributor

Thanks for sharing,

We are also facing lots of legacy conditional access issues.

jcx9228
New Contributor III

Do you get any drops from Azure once computers change the AD password?

trull_sengar
New Contributor III

I recommend you (if you are not doing it already) to follow the "jamf-intune-integration" Slack channel here: https://macadmins.slack.com/archives/CSLNS5GEN

I accessed the Slack channel you mentioned, but when I tried to authenticate my email address, I received an error message that said, "It doesn't look like there's an account associated with this email address for MacAdmins." What should I do to join the Slack channel?

CAEN
New Contributor

Edit: wrong user used to answer :-)

trull_sengar
New Contributor III

Try to join the MacAdmins Slack channel from here: MacAdmins.org

Thank you! I was able to participate.

spalladino
New Contributor III

I am in the same boat, my entire company uses conditional access for Office... Hopefully JAMF will have a solution that will allow for a smooth transition... I'm scared lol

Jay_007
Contributor

Just an update for anyone that might be looking for some answers. Microsoft have pushed out the removal date to mid 2024 and they are working with Jamf to provide a migration option. So there's no need to panic (yet)...

"Jamf will discontinue Conditional Access support in a future release of Jamf Pro (Microsoft's estimated removal has changed. Estimated removal date: mid 2024) due to the migration away from Microsoft's Partner Device Management legacy API. Jamf now offers an alternative solution called macOS Device Compliance using Microsoft's new Partner Compliance Management API. Jamf and Microsoft are collaboratively developing a migration path from the legacy Partner Device Management API to the new Partner Compliance Management API. Once the migration path is available, the legacy Partner Device Management API will remain active for one year, allowing organizations leveraging the legacy API time to migrate to the new API. Jamf recommends that environments currently leveraging the macOS Conditional Access (Partner Device Management API) wait for the migration path to be made available to ensure the smoothest transition to the new macOS Device Compliance (Partner Compliance Management API). In the future, when migration is available, Jamf customers will need to move their workflows to macOS Device Compliance in Jamf Cloud before the deprecation of the Microsoft Partner Device Management API."

obi-k
Valued Contributor III

Anything for iOS Compliance once Conditional Access support is retired?

DMH2000
Contributor

I hope someone can answer a few questions. We are going to update in January because another security product relies on Intune and we didn't want a disruption of that software as well.

Am I right that at a high level overview that:

  • We remove users from the Jamf Connectors and tokens | Partner device management in Intune
  • Add the new Jamf Connector in Intune
  • Create the appropriate Smart Groups in Jamf
  • Disable Conditional Access in Jamf
  • Enable the new Device Compliance in Jamf

Once this is done the Macbooks already in Intune will have users prompted to sign in again?

No MacBooks need to be removed from Intune and have people enroll all over again?

Thanks in advance for any insight you can provide.

mforeman1
New Contributor III

Hello, we are planning to do the migration this coming March. Just wondering if you already got the answer? Thanks for the help!

DMH2000
Contributor

@mforeman1 

We are still going with this in March. Personally, I took the MS & Jamf documentation and made a checklist from them, putting check boxes next to all the steps. It helps me look at the steps and any issues we may have, team members needed to help, etc.

Also, we have about 50 MacBooks with the error "macOS Intune Integration: WPJ Key present. AAD ID not acquired" which we are fixing before migration starts. I have a ticket open with Jamf on why these fell out or never correctly registered. This error means that the user has a WPJ certificate in their keychain, but JamfAAD has not successfully obtained the Azure AD ID of the user, and there is no device for the user in Intune...

Once this is done, will the MacBooks already in Intune have users prompted to sign in again? I was told normally they shouldn't. If you change the compliance or conditional access policies, they will.

No MacBooks need to be removed from Intune and have people enroll all over again? No, devices will not be removed.

ysdevgan
Contributor

Seeking guidance from those who have migrated. If you have a checklist or workflow, or lessons learnt, please share – it would be a huge help! Thanks in advance.

DMH2000
Contributor

@ysdevgan Don't forget to un-enable PassportSSO in your Azure AD SSO Extension profile as there is a bug. It bit us in the butt.

https://www.jamf.com/blog/device-compliance-with-microsoft-entra-id/

trull_sengar
New Contributor III

How did the migration go for all of you?

I did mine in Feb and it went smoothly, though it was before the new script was published in the Jamf documentation.
I have a new migration happening soon for ~1300 devices (macOS), and this is the checkpoint I gathered from experience, reading the Slack macadmins channel, Jamf documentation etc...

The way I understood it and performed it is as follows:

  • Create all the Smart Groups first, so everything is already ready
    • E.g.: Applicable Group, Compliance Group, Compliance Rules Groups (see link to video below), Group to check devices that are not migrated to Device Compliance
    • Create a policy with the script that migrates devices from CA to Device Compliance (https://learn.jamf.com/en-US/bundle/technical-paper-microsoft-intune-current/page/Migrating_from_mac...)
    • When the time comes to migrate, deactivate Conditional Access in Jamf
      • The PDM (Partner Device Management) will be terminated in Intune
      • The devices assigned to it will be removed
    • Enable Device Compliance in Jamf
      • An Entra ID global admin opens the consent URL from Jamf
      • Authenticate and accept the "Permissions requested" for the App Registration
    • Open Microsoft Endpoint Manager (aka Intune) from Jamf
    • Create the PCM (Partner Compliance Management) API in Intune for the platform you're supporting (macOS or iOS)
    • Verify that it is active
    • Verify through the group created in the first steps that the devices are migrating.
  • Users will have to re-register their device to Intune
  • The script will help with the migration and reduce JamfAAD prompts to the user

Our downfall came after consulting MS and Jamf experts for a few weeks preparing for this in March. The PSSO extensionIdentifier was pushed by MS through a new version of Company Portal, which JAMF had turned on, on their side (Resolve Device Compliance with Microsoft Entra ID PSSOe (jamf.com)). It broke most of the machines in the company. We had to have top-level Jamf consultants help us get the computers registered again. The low-level techs had to reach out and go through our documentation on how to remove the computer from Intune, re-register, etc. Not a fun time.
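The two-line gatherAADInfo script posted earlier in the thread and the "policy with the script that migrates devices" step in the checklist above both run JamfAAD as the logged-in user. The following is an added example, not code from this thread, from Jamf or from Microsoft: a Jamf Pro policy script that does the same re-trigger with guard rails, so a policy running at the login window does not execute as root, a user who dismissed the first sign-in prompt gets another attempt after a delay, and a persistent failure surfaces as a non-zero exit in the policy log. It assumes only what the thread states (jamfaad at /usr/local/jamf/bin/jamfaad with a gatherAADInfo verb, and Jamf passing the console username as $3); MAX_ATTEMPTS, RETRY_DELAY and the RUN_DIRECTLY override are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread, Jamf or Microsoft): re-trigger JamfAAD
# registration for the console user with a no-user guard and retries.
# Assumptions from the thread: jamfaad path and the gatherAADInfo verb;
# Jamf passes the console username as $3. The knobs below are hypothetical.

JAMFAAD="${JAMFAAD:-/usr/local/jamf/bin/jamfaad}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
RETRY_DELAY="${RETRY_DELAY:-30}"

# Owner of /dev/console, i.e. the GUI user ("root" at the login window).
console_user() {
    /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

# 0 when $1 is a real interactive user, 1 for empty or system accounts.
# gatherAADInfo needs a user session (it may show a sign-in prompt), so the
# policy should skip when nobody is logged in instead of running as root.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Execute "$@" as user $1. Jamf policies run as root, hence sudo -u; setting
# RUN_DIRECTLY=1 bypasses sudo so the logic can be exercised without root.
run_as_user() {
    user="$1"; shift
    if [ -n "${RUN_DIRECTLY:-}" ]; then
        "$@"
    else
        /usr/bin/sudo -u "$user" "$@"
    fi
}

# Run "jamfaad gatherAADInfo" as the user, retrying after a delay so a user
# who ignored the first prompt gets another chance. 0 on success, 1 otherwise.
gather_aad_info() {
    user="$1"
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        echo "gatherAADInfo attempt $attempt/$MAX_ATTEMPTS as $user"
        if run_as_user "$user" "$JAMFAAD" gatherAADInfo; then
            return 0
        fi
        attempt=$((attempt + 1))
        [ "$attempt" -le "$MAX_ATTEMPTS" ] && sleep "$RETRY_DELAY"
    done
    return 1
}

main() {
    # Jamf passes the console user as $3; fall back to /dev/console otherwise.
    user="${3:-$(console_user)}"
    if ! is_real_user "$user"; then
        echo "No interactive user logged in; skipping until the next check-in"
        return 0
    fi
    if [ ! -x "$JAMFAAD" ]; then
        echo "jamfaad not found at $JAMFAAD; is the Jamf binary installed?" >&2
        return 2
    fi
    if gather_aad_info "$user"; then
        echo "JamfAAD registration re-triggered for $user"
        return 0
    fi
    # Non-zero exit makes the failure visible in the Jamf policy log.
    echo "gatherAADInfo failed $MAX_ATTEMPTS times for $user" >&2
    return 1
}

# Run the entry point only when invoked with Jamf's parameters ($1..$3), so
# the functions above can also be sourced or tested without side effects.
[ "$#" -eq 0 ] || main "$@"
```

Deploy it as the script of the migration policy (Jamf supplies $1..$3 automatically); a "skipped" run leaves the device in the not-yet-migrated Smart Group so the policy simply fires again at the next check-in, while a failed run exits 1 and shows up in the policy log for the techs to follow up.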

ysdevgan
Contributor

Migration was smooth for us. The Jamf engineer recommended deploying the SSO plugin as per Configure macOS Enterprise SSO app extension with MDMs | Microsoft Learn

Created smart groups and a Self Service app for the script as per Migrating from macOS Conditional Access to macOS Device Compliance - Technical Paper: Device Complia...

~20% of users had to re-register the device again, which takes less than 2 minutes.