Conditional Access

karmadl
New Contributor

Our organization is moving to O365 Services and wants to implement Conditional Access. Ideally any client joined to company domain will sync with Azure AD and CA policies will be applied. Is that possible via JAMF as Microsoft has clearly stated that it will be only applicable to those machine which are enrolled to Intune.

Any suggestion.

6 REPLIES 6

joe_bloom
New Contributor III
New Contributor III

Thank you for the feedback!

I'd suggest that you submit a Feature Request. That will allow us to keep you and the entire Jamf Nation community updated and get additional feedback and votes for this functionality.

TreviñoL
Contributor

We are testing the following to control which devices can access our corporate resources.

  1. Setup a Windows Server 2008 or 2012 CA with a Apple iOS CA Template for Device Certificate deployment using the JSS.
  2. Setup a Windows NDES on Windows Server 2008 or 2012 and have it use the Apple iOS / macOS Template hosted on the CA
  3. Create a new ActiveSync Connection on Exchange that will only allow iOS / macOS certificate authentication.
  4. Setup an Exchange Configuration Profile for iOS / macOs devices and include the (SCEP Profile) / macOS (AD Certificate Profile)
  5. You can also use the AD Certificate Profile with a Wireless Profile (802.1x) for Device Certificate Authentication for Mac laptops

We only allow devices managed by our JSS and with the Exchange / Device Certificate profile to connect to our corporate resources. Everyone else is blocked until they are managed by our JSS. You don't really need Intune MDM, but I do recommend configuring InTune MAM policies on O365 to enable DLP on the Office iOS Apps. Works great in our environment and is free if you have InTune Mobility Suite licenses.

jconte
Contributor II

In addition to the above mentioned, we are using claims rules to restrict access.

rgrayson
New Contributor

We are also facing the same issue where the Intune/Company Portal preview is not able to install an MDM profile because Casper is managing our Mac fleet already. I'm curious to understand if TreviñoL's solution works in a mixed Windows/Mac environment as well as other Office 365 apps besides Exchange Online. We are using Conditional Access to protect against single factor authentication to the entire O365 suite and not just Exchange Online.

If JAMF could work with Microsoft to support this feature that would be great!

gachowski
Valued Contributor II

It's my understanding that MS Conditional Access doesn't fully support the macOS at this time.

C

joe_bloom
New Contributor III
New Contributor III

We are happy to say that we have a purpose-built solution coming. If you have not seen this thread and the Jamf announcement for Conditional Access collaboration with Microsoft EMS, please refer to the following links. - Jamf Nation Discussion "Jamf Intune Integration"
- Jamf Announcement