Posted on 01-29-2023 08:07 AM
Conditional Access or Device Compliance for macOS? Which one is the better way? We are starting to register Macs with Conditional Access. Should I wait for 10.43 and register all Macs with Device Compliance? Thanks
01-29-2023 07:22 PM - edited 01-29-2023 07:26 PM
@jjouyan Conditional Access (CA) is going away this year, and at this point there's no migrating an existing CA to Device Compliance (DC). There may be by the time CA is retired, but if you're not far into your adoption of CA, restarting with JSS 10.43 and DC is likely to be the better choice. There is also the advantage that the determination of compliance with DC is made on the Jamf Pro side, unlike CA where the determination is made on the Intune/MEM/Whatchamacallit side. That's a huge benefit in my opinion.
Posted on 01-30-2023 05:51 AM
@sdagley, can you elaborate on your statement "Conditional Access (CA) is going away this year"? Is this going away on the Jamf side or on the MS side? We have heard nothing about it going away from either Jamf or MS, but your statement has me concerned since we use CA for a lot of things including ZTNA access, etc.
01-30-2023 06:32 AM - edited 01-30-2023 06:34 AM
@scottlep Quoting from the Deprecations and Removals Section of the Jamf Pro Release notes (it's been there since at least 10.39):
- Conditional Access On-Premise Support—Jamf will discontinue Conditional Access support in a future release of Jamf Pro (estimated removal date: late 2023) due to the migration away from Microsoft's Partner Device Management legacy API. Jamf will be offering an alternative solution called macOS Device Compliance using Microsoft's new Partner Compliance Management API in 2022. Customers who currently use macOS Conditional Access will need to move their workflows to macOS Device Compliance in Jamf Cloud. For more information on Jamf Cloud support, contact Customer Success
While it is listed as being applicable to On-Premise Jamf Pro installs I'm reading the "deprecation of Microsoft's Partner Device Management API" as being something applicable to all versions. That may not be accurate, but for me the driving factor for adopting DC over CA is that compliance determination is made on the Jamf Pro side and that provides a _lot_ more flexibility than what I've seen with using CA in Intune.
Posted on 01-30-2023 07:21 AM
Thanks @sdagley. I guess I should read the Deprecations and Removals Section more often :)
Posted on 02-14-2023 12:37 PM
From the 10.43.0 release notes, I also read this:
"Note: Jamf has not yet determined a recommended workflow to migrate to Device Compliance from Conditional Access. We are looking into possible solutions."
Now... not that I was a big fan of CA (almost always there were issues with our users after changing the password in Active Directory), but I would like to see a workflow with DC and somehow reviews/pros & cons on what's working and what is not, etc. They are saying that the estimated removal date of the CA integration will be late 2023, but I need something to work with, since I'm not even sure if it's possible to have both CA and DC working in parallel until we can turn CA off.
Posted on 02-14-2023 01:32 PM
As of now it doesn't look like you can have both running. As soon as our instance was upgraded to 10.43.1 I tried to enable DC to start testing and get ahead of the change, but immediately got a warning that CA has to be disabled before you can enable DC. So... so much for building and testing a DC workflow while the CA crap is still active. Yet another seemingly horrible implementation attempt by Jamf.
Posted on 03-08-2023 12:17 AM
Hi,
I was particularly interested in your comment about "almost always there were issues with our users after changing the password in Active Directory". Can you tell me more about this? What kind of issues?
In our case, sometimes a password change triggers the device to be removed from Intune.
Posted on 03-08-2023 03:59 AM
Hi @jcx9228,
Yes, the password change in AD usually triggers the JamfAAD "macOS Connector" popup that has to be clicked, which sometimes fails for various reasons (e.g. Chrome is set as the default browser). As a result, the device will be labeled as NonCompliant in Intune and the user will be denied M365 access from that device.
Posted on 03-14-2023 04:00 AM
Thanks for this. Any other reasons it may fail? Can anything be done about that? In my case they seem to be deleted from Intune when this happens. In your case, is it only a status change, or a status that triggers deletion?
Posted on 02-28-2023 11:50 PM
What practices do you use to make the transition?
Do you simply turn off the legacy one and enable the new one? This requires deleting all Macs from Intune, meaning a pretty big user impact as they will all need to re-register. Or do you wait for the Jamf migration solution?
Posted on 07-15-2024 10:02 AM
This session will answer most questions: Jamf Pro and Compliance – Deep-Dive Update | JNUC 2023 (youtube.com)
I highly recommend spending 30 minutes going through the video.