Conditional Access Not Working on certain SSO apps

jlombardo
Contributor

This is not really a Jamf issue, more an Azure issue, but I'm curious whether anyone else has experienced this.

Has anyone else had an issue where certain local SSO applications don't see the Workplace Join key and go into a loop of "You must register this device" on machines that are already compliant and registered?

LogMeIn, for example: if we try to sign in via SSO, the app pops up a message that we have to register the device and then asks to open Self Service. But the device is already registered and compliant.

If you look at the logs, you see that the sign-in failed because the user tried signing in from an unregistered device.


This is happening with some of our installed applications that use SSO. Trying to set up a new email account also puts it in this loop. Whitelisting fixes it, but we don't really want to whitelist Office 365.


damienbarrett
Valued Contributor

Any chance that this is actually the known problem with JamfAAD failing to pass authentication to a browser window (Chrome, etc.), so the "handshake" fails and then Intune enrollment fails? Another symptom is that JamfAAD keeps stealing focus away from other apps and bringing your browser (Chrome) to the front. With Jamf 10.38, just released, they moved the auth passthrough function back to the WebView framework so that it won't call your default browser. I'm awaiting the 10.38.x update in my cloud instance (hopefully this weekend) to test this further. There is discussion about both of these issues in the #jamf-intune-integration channel on MacAdmins Slack.

jlombardo
Contributor

Thanks for the input @damienbarrett.

Interesting, so this is a JamfAAD issue. I will have to test the new update as well to see if their new release has fixed this issue. My instance is now 10.38.1.

jlombardo
Contributor

Initial testing shows this has not fixed the issue for me. I'm going to test more before admitting failure.