Conditional access or device compliance for macOS?

jjouyan
New Contributor

Conditional Access or Device Compliance for macOS? Which one is the better way? We started to register Macs with Conditional Access. Should I wait for 10.43 and register all Macs with Device Compliance? Thanks


sdagley
Esteemed Contributor II

@jjouyan Conditional Access (CA) is going away this year, and at this point there's no migrating an existing CA to Device Compliance (DC). There may be by the time CA is retired, but if you're not far into your adoption of CA, restarting with JSS 10.43 and DC is likely to be the better choice. There is also the advantage that the determination of compliance with DC is made on the Jamf Pro side, unlike CA where the determination is made on the Intune/MEM/Whatchamacallit side. That's a huge benefit in my opinion.

@sdagley, can you elaborate on your statement "Conditional Access (CA) is going away this year"? Is this going away on the Jamf side or on the MS side? We have heard nothing about it going away from either Jamf or MS, but your statement has me concerned since we use CA for a lot of things including ZTNA access, etc.

sdagley
Esteemed Contributor II

@scottlep Quoting from the Deprecations and Removals Section of the Jamf Pro Release notes (it's been there since at least 10.39):

  • Conditional Access On-Premise Support: Jamf will discontinue Conditional Access support in a future release of Jamf Pro (estimated removal date: late 2023) due to the migration away from Microsoft's Partner Device Management legacy API. Jamf will be offering an alternative solution called macOS Device Compliance using Microsoft's new Partner Compliance Management API in 2022. Customers who currently use macOS Conditional Access will need to move their workflows to macOS Device Compliance in Jamf Cloud. For more information on Jamf Cloud support, contact Customer Success.

While it is listed as being applicable to On-Premise Jamf Pro installs, I'm reading the "deprecation of Microsoft's Partner Device Management API" as being something applicable to all versions. That may not be accurate, but for me the driving factor for adopting DC over CA is that compliance determination is made on the Jamf Pro side, and that provides a _lot_ more flexibility than what I've seen with using CA in Intune.

Thanks @sdagley. I guess I should read the Deprecations and Removals Section more often :)

cc_rider
New Contributor III

Also, from the 10.43.0 release notes, I read this:

"Note: Jamf has not yet determined a recommended workflow to migrate to Device Compliance from Conditional Access. We are looking into possible solutions."

Now...not like I was a big fan of CA (almost always there were issues with our users after changing the password in Active Directory), but I would like to see a workflow with the DC and somehow reviews/pros & cons on what's working and what is not, etc. They are saying that the estimated removal date of the CA integration will be late 2023, but I need something to work with, since I'm not even sure if it's possible to have both CA and DC working in parallel until we can turn the CA off.

As of now it doesn't look like you can have both running. As soon as our instance was upgraded to 10.43.1, I tried to enable DC to start testing to get ahead of the change, but immediately got a warning that CA has to be disabled before you can enable DC. So....so much for building and testing a DC workflow while the CA crap is still active. Yet another seemingly horrible implementation attempt by Jamf.

jcx9228
New Contributor III

Hi,

I was particularly interested in your comment about "almost always there were issues with our users after changing the password in Active Directory". Can you tell me more about this? What kind of issues?

In our case, sometimes a password change triggers the device to be removed from Intune.

cc_rider
New Contributor III

Hi @jcx9228

Yes, the password change in AD usually triggers the JamfAAD "macOS Connector" popup, which has to be clicked and which sometimes fails for various reasons (e.g. Chrome is set as the default browser). As a result, the device will be labeled as NonCompliant in Intune and the user will be denied M365 access from that device.

jcx9228
New Contributor III

Thanks for this. Any other reasons it may fail? Can anything be done about that? In my case they seem to be deleted from Intune when this happens. In your case, is it only a status change, or a status that triggers deletion?

jcx9228
New Contributor III

What practices do you use to make the transition?

Do you simply turn off legacy and enable new? This requires deleting all Macs from Intune, meaning a pretty big user impact as they will all need to re-register. Or do you wait for the Jamf migration solution?