Conditional access to device compliance move. 2 different servers

DavidN
Contributor

Hello.

I am in need of assistance on this. I have a ticket open with JAMF support but no answers yet.

Here's an overview:

On-premise JAMF behind a firewall.
• Conditional access connected to Intune and devices are enrolled in Intune.
• Only laptops using conditional access. About 40-50.

Recently updated to a Jamf cloud instance
• We are un-enrolling devices from On Premise and re-enrolling in Jamf cloud.
• Laptops would be last. We need to find a method to move from Conditional access to device compliance.

I need to find out if there is a way to have BOTH conditional access and device compliance active in Azure/Intune. This way we could move devices slowly to the cloud instance and register them with conditional access. Otherwise we have to pull the switch on all 40+ laptops at the same time, move them over, and enroll them all in device compliance.

Thanks for any information!

czarmark
New Contributor III

I don't know the answer to your questions but I can recommend posing this in the #jamf-intune-integration channel in Mac Admins Slack, lurking there has helped me experiment with device compliance in our Jamf sandbox. (By the way, as a cloud customer, you can get a free sandbox/dev cloud environment by contacting your rep. They cap the number of devices you can enroll but it's a fantastic tool. It starts out a blank slate though.)

In addition, I found this migration guide in Jamf documentation, not sure if your simultaneous on-prem to cloud migration throws a monkey wrench into it: https://learn.jamf.com/en-US/bundle/technical-paper-microsoft-intune-current/page/Migrating_from_mac...

Hope those help. 

DavidN
Contributor

I did see the documentation. This part leads me to believe they both cannot be active.

"Important: To ensure device compliance remains accurately reported, you must enable the device compliance integration immediately after disabling the Conditional Access integration."

But given the fact that I have two different servers I'm hopeful it means both cannot be active on the JAMF side, not the Intune/Azure side. 

AJPinto
Honored Contributor III

Conditional access has been replaced by device compliance. This is due to Microsoft API changes, not JAMF changes. As far as I’m aware, a device can only be registered using one of the two methods, not both.

Honestly, you need to start migrating any device still using conditional access to device compliance before support is ended for conditional access.

Thank you. I do understand the change and that this is due to Microsoft API. I'm not looking to have a device registered in both, I am asking if it's possible to have both active at the same time in Azure. From the documentation it appears that having both is not possible. That you first need to turn off conditional access before enabling device compliance.

DavidN
Contributor

Update: I was able to get BOTH working simultaneously in Azure. The important part is you need separate AD groups. One for Conditional access and one for Device compliance. Users cannot be in both groups. This is a HUGE win for migration from on-premise to cloud as we can un-enroll/re-enroll Macs from on prem to cloud, then upgrade them from conditional access to device management.
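The post above hinges on one invariant: the Azure AD group used for the Conditional Access integration and the group used for the Device Compliance integration must not share any users. The following PowerShell is an added example, not code from the thread or from Jamf or Microsoft; it uses the Microsoft.Graph PowerShell SDK to check that the two groups are disjoint and to move a single user from the Conditional Access group to the Device Compliance group (removal first, so the user is never in both at once). The two group IDs and the example UPN are placeholders you must replace with your own.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller may read/write group membership.
# The group IDs and UPN below are placeholders, not real values.

$CaGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: Conditional Access group
$DcGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: Device Compliance group

Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'User.Read.All'

function Get-GroupUpns {
    param([string]$GroupId)
    # Get-MgGroupMember returns generic directoryObjects; for user members the
    # UPN is exposed through AdditionalProperties rather than a typed property.
    Get-MgGroupMember -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

function Test-GroupsDisjoint {
    param([string]$CaGroupId, [string]$DcGroupId)
    $ca = @(Get-GroupUpns -GroupId $CaGroupId)
    $dc = @(Get-GroupUpns -GroupId $DcGroupId)
    $both = @($ca | Where-Object { $dc -contains $_ })
    if ($both.Count -gt 0) {
        # A user in both groups is scoped to both integrations, which is exactly
        # the state the thread says must be avoided.
        Write-Warning "Users in BOTH groups:"
        $both | ForEach-Object { Write-Warning "  $_" }
        return $false
    }
    Write-Host "OK: $($ca.Count) users in CA group, $($dc.Count) in DC group, no overlap."
    return $true
}

function Move-UserToDeviceCompliance {
    param([string]$Upn, [string]$CaGroupId, [string]$DcGroupId)
    $user = Get-MgUser -UserId $Upn -Property Id
    # Remove from the Conditional Access group BEFORE adding to the Device
    # Compliance group so there is no window in which the user is in both.
    Remove-MgGroupMemberByRef -GroupId $CaGroupId -DirectoryObjectId $user.Id
    New-MgGroupMember -GroupId $DcGroupId -DirectoryObjectId $user.Id
    Write-Host "Moved $Upn from the Conditional Access group to the Device Compliance group."
}

# Usage: run the disjointness check first; only then move users one at a time
# as each Mac is re-enrolled in the cloud instance.
$null = Test-GroupsDisjoint -CaGroupId $CaGroupId -DcGroupId $DcGroupId
# Move-UserToDeviceCompliance -Upn 'user@example.com' -CaGroupId $CaGroupId -DcGroupId $DcGroupId
```

Run Test-GroupsDisjoint after every batch of moves, and before enabling the Device Compliance integration at all, so that a user accidentally left in both groups is caught rather than silently reported under the wrong integration.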