Device Compliance - Cannot register devices!

TheITGuy69
Contributor

We have tried to set up device compliance multiple times and it keeps failing on registration. 

 

I currently have a ticket open with jamf support but its going nowhere.

I have upgraded my cloud to version 10.46.1

Here is part of the log from the company portal app.

2023-05-25 13:37:31.279 | workplaceJoinSdk | 344229 | INFO: -[WPJBaseKeychainAccessor getRegistrationInformationWithTenantIdentifierInternal:domainName:error:] [Line 190][2023-05-25 13:37:31 +0000][WPJBaseKeychainAccessor] getRegistrationInformationWithTenantIdentifierInternal - check for incomplete registration or no registration.
2023-05-25 13:37:31.279 | workplaceJoinSdk | 344229 | ERROR: [errorCode:-400][2023-05-25 13:37:31 +0000][WPJBaseKeychainAccessor] getRegistrationInformationWithTenantIdentifierInternal - tenant is unregistered!
2023-05-25 13:37:31.280 | workplaceJoinSdk | 344229 | ERROR: [errorCode:-400][2023-05-25 13:37:31 +0000][WPJDecisionHandler] retrieveKeychainAccessorForTenantInternal - unable to retrieve valid registration information for the tenant. 

 

but we see it connected in both jamf device compliance and intune partner compliance mangement. 

 

is someone able to show me the permissions applied to both of these apps so that i can compare to ours?

User registration app for Device Compliance

And

Cloud Connector for Device Compliance

 

I have tried everything, sudo jamf manage prior to registration, i have applied the webkeyview config profile to eliminate the browser, The jamfAAD never pops up for us . just fails after inputting credentials. 

 

I would appreciate any and all assistance. tyvm!

1 ACCEPTED SOLUTION

TheITGuy69
Contributor

For all of you who are looking to configured Device Compliance with Jamf, here are the detailed steps you need to do. Jamfs KB is lacking and Tech Support for this didn’t help so I am documenting what we did.

Current steps at the time of this writing, Take note of Requirements in each KB:

Jamf KB - https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html

Microsoft KB - https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-partners

 

*-Note, if you currently have Conditional Access from Jamf connected to Intune, its up to you if you want to disable this prior to configuring Device Compliance. We had this connected but where not utilizing it for anything so we disabled it (incorrectly I might -see correct steps to decommission it below) so we didn’t have to do it later when it gets decommissioned by Jamf (est. mid 2024).

Microsoft KB for Conditional access, see the section for deprovisioning-

https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-integrate-jamf

This is what was causing us issues with registering with the Company Portal app, which kept failing. Once we were able to get the Conditional Access to show “terminated” in Intune, then we were able to register devices.

 

  • Connect Device Compliance Service from Jamf to Intune. The following Azure Enterprise apps will be created, permissions cannot be edited since its created by Jamf.
    1. Cloud Connector for Device Compliance App
    2. User Registration app for Device Compliance.
  • Create Partner Compliance in Intune.
  • Confirm the service is connected in both Jamf Device Compliance section and in Intune under Partner Compliance Management.
  • (not  100% this is needed but we did it.) Create a Compliance policy in Intune under Device, MacOS, Compliance policies.
  • Create a policy to push Self Service app if you don’t have it deployed already.
  • Download Company Portal and create Policy to install
  • Create policy to Register and add to self-service.
  • Create policy from Script below this is to auto run the above policy instead of having the end users navigate to Self Service to run the install.  
  • Create Ext Attribute to confirm device is registered. See below for EA
  • Create Configuration Profile to have JamfAAD bypass Default Browser to
  • Create Configuration Profile to use Azure SSO Plugin -this allows for less actual inputting of username and passwords for mac users.  See below

At the time of this writing we are on Jamf Pro Cloud 10.46.1 and did not have to run a sudo jamf manage prior to enrolling.  Also devices that get enrolled show up in Azure AD devices and show compliant or not compliant.

 

From Step 8 -Script to auto run self service policy, change policy ID and text to your needs.

#!/bin/bash

 

# Define Variables

brandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"

policyID="291"

#get logged in user

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

 

answer=$( osascript << EOF

button returned of (display dialog "Please finish setting up your computer by running the Register Mac Device with Azure AD in Self Service. Click OK to get started!" buttons {"OK"} default button 1 with icon POSIX file "$brandIcon")

EOF

)

 

echo "$answer"

 

if [[ $answer -eq "OK" ]]; then

  su "$loggedInUser" -c "killall Self\ Service"

  su "$loggedInUser" -c "open \"jamfselfservice://content?entity=policy&id=$policyID&action=view\""

fi

 

 

From Step 9- Ext attribute

#!/bin/bash

#get user

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

#check if wpj private key is present

WPJKey=$(security dump /Users/$loggedInUser/Library/Keychains/login.keychain-db | grep MS-ORGANIZATION-ACCESS)

if [ ! -z "$WPJKey" ]

then

  #WPJ key is present

  #check if jamfAAD plist exists

  plist="/Users/$loggedInUser/Library/Preferences/com.jamf.management.jamfAAD.plist"

  if [ ! -f "$plist" ]; then

    #plist doesn't exist

      echo "<result>WPJ Key present, JamfAAD PLIST missing</result>"

      exit 0

  fi

  #PLIST exists. Check if jamfAAD has acquired AAD ID

  AAD_ID=$(defaults read  /Users/$loggedInUser/Library/Preferences/com.jamf.management.jamfAAD.plist have_an_Azure_id)

  echo "$AAD_ID"

  if [[ $AAD_ID -eq "1" ]]; then

    #jamfAAD ID exists

    echo "<result>Registered</result>"

    exit 0

  fi

  #WPJ is present but no AAD ID acquired:

  echo "<result>WPJ Key Present. AAD ID not acquired</result>"

  exit 0

fi

#no wpj key

echo "<result>Not Registered</result>"

 

 

From Step 10- JamfAAD to use Webview Configuration Profile

 

com.jamf.management.jamfAAD

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

                <key>useWKWebView</key>

                <true/>

                <key>logPII</key>

                <true/>

                <key>tokenRetryCount</key>

                <integer>3</integer>

                <key>tokenRetryWaitTime</key>

                <integer>42</integer>

</dict>

</plist>

 

 

From Step 11-Microsoft Enterprise SSO plugin

Payload Type – SSO

Ext. ID - com.microsoft.CompanyPortalMac.ssoextension

Team ID - UBF8T346G9

Sign-on Type- Redirect

URL’s

https://login.microsoftonline.com

https://login.microsoft.com

https://sts.windows.net

https://login.partner.microsoftonline.cn

https://login.chinacloudapi.cn

https://login.microsoftonline.us

https://login-us.microsoftonline.com

Auth Method- Password

 

Custom Config .plist

{ "AppPrefixAllowList": { "value": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.", "type": "string" }, "browser_sso_interaction_enabled": { "value": 1, "type": "integer" }, "disable_explicit_app_prompt": { "value": 1, "type": "integer" } }

View solution in original post

7 REPLIES 7

TheITGuy69
Contributor

For all of you who are looking to configured Device Compliance with Jamf, here are the detailed steps you need to do. Jamfs KB is lacking and Tech Support for this didn’t help so I am documenting what we did.

Current steps at the time of this writing, Take note of Requirements in each KB:

Jamf KB - https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html

Microsoft KB - https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-partners

 

*-Note, if you currently have Conditional Access from Jamf connected to Intune, its up to you if you want to disable this prior to configuring Device Compliance. We had this connected but where not utilizing it for anything so we disabled it (incorrectly I might -see correct steps to decommission it below) so we didn’t have to do it later when it gets decommissioned by Jamf (est. mid 2024).

Microsoft KB for Conditional access, see the section for deprovisioning-

https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-integrate-jamf

This is what was causing us issues with registering with the Company Portal app, which kept failing. Once we were able to get the Conditional Access to show “terminated” in Intune, then we were able to register devices.

 

  • Connect Device Compliance Service from Jamf to Intune. The following Azure Enterprise apps will be created, permissions cannot be edited since its created by Jamf.
    1. Cloud Connector for Device Compliance App
    2. User Registration app for Device Compliance.
  • Create Partner Compliance in Intune.
  • Confirm the service is connected in both Jamf Device Compliance section and in Intune under Partner Compliance Management.
  • (not  100% this is needed but we did it.) Create a Compliance policy in Intune under Device, MacOS, Compliance policies.
  • Create a policy to push Self Service app if you don’t have it deployed already.
  • Download Company Portal and create Policy to install
  • Create policy to Register and add to self-service.
  • Create policy from Script below this is to auto run the above policy instead of having the end users navigate to Self Service to run the install.  
  • Create Ext Attribute to confirm device is registered. See below for EA
  • Create Configuration Profile to have JamfAAD bypass Default Browser to
  • Create Configuration Profile to use Azure SSO Plugin -this allows for less actual inputting of username and passwords for mac users.  See below

At the time of this writing we are on Jamf Pro Cloud 10.46.1 and did not have to run a sudo jamf manage prior to enrolling.  Also devices that get enrolled show up in Azure AD devices and show compliant or not compliant.

 

From Step 8 -Script to auto run self service policy, change policy ID and text to your needs.

#!/bin/bash

 

# Define Variables

brandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"

policyID="291"

#get logged in user

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

 

answer=$( osascript << EOF

button returned of (display dialog "Please finish setting up your computer by running the Register Mac Device with Azure AD in Self Service. Click OK to get started!" buttons {"OK"} default button 1 with icon POSIX file "$brandIcon")

EOF

)

 

echo "$answer"

 

if [[ $answer -eq "OK" ]]; then

  su "$loggedInUser" -c "killall Self\ Service"

  su "$loggedInUser" -c "open \"jamfselfservice://content?entity=policy&id=$policyID&action=view\""

fi

 

 

From Step 9- Ext attribute

#!/bin/bash

#get user

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

#check if wpj private key is present

WPJKey=$(security dump /Users/$loggedInUser/Library/Keychains/login.keychain-db | grep MS-ORGANIZATION-ACCESS)

if [ ! -z "$WPJKey" ]

then

  #WPJ key is present

  #check if jamfAAD plist exists

  plist="/Users/$loggedInUser/Library/Preferences/com.jamf.management.jamfAAD.plist"

  if [ ! -f "$plist" ]; then

    #plist doesn't exist

      echo "<result>WPJ Key present, JamfAAD PLIST missing</result>"

      exit 0

  fi

  #PLIST exists. Check if jamfAAD has acquired AAD ID

  AAD_ID=$(defaults read  /Users/$loggedInUser/Library/Preferences/com.jamf.management.jamfAAD.plist have_an_Azure_id)

  echo "$AAD_ID"

  if [[ $AAD_ID -eq "1" ]]; then

    #jamfAAD ID exists

    echo "<result>Registered</result>"

    exit 0

  fi

  #WPJ is present but no AAD ID acquired:

  echo "<result>WPJ Key Present. AAD ID not acquired</result>"

  exit 0

fi

#no wpj key

echo "<result>Not Registered</result>"

 

 

From Step 10- JamfAAD to use Webview Configuration Profile

 

com.jamf.management.jamfAAD

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

                <key>useWKWebView</key>

                <true/>

                <key>logPII</key>

                <true/>

                <key>tokenRetryCount</key>

                <integer>3</integer>

                <key>tokenRetryWaitTime</key>

                <integer>42</integer>

</dict>

</plist>

 

 

From Step 11-Microsoft Enterprise SSO plugin

Payload Type – SSO

Ext. ID - com.microsoft.CompanyPortalMac.ssoextension

Team ID - UBF8T346G9

Sign-on Type- Redirect

URL’s

https://login.microsoftonline.com

https://login.microsoft.com

https://sts.windows.net

https://login.partner.microsoftonline.cn

https://login.chinacloudapi.cn

https://login.microsoftonline.us

https://login-us.microsoftonline.com

Auth Method- Password

 

Custom Config .plist

{ "AppPrefixAllowList": { "value": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.", "type": "string" }, "browser_sso_interaction_enabled": { "value": 1, "type": "integer" }, "disable_explicit_app_prompt": { "value": 1, "type": "integer" } }

Where do you add the custom configuration plist file? I created a file with the above info then attempted to add this into Jamf 11.0.1 and i get an error Invalid resource file. File cannot be processed.

Hey,

 

are you using the right file? When coping the Code to an Editor it says by default .xml.
Try to change it to .plist

Greetings

Thanks Mathias...Managed to get this all sorted now and functioning

 

Cheers

MathiasO
New Contributor II

Hey,

very good Instructions, most of them were helpful to us.
One Question is left:

After all the Registration and successfully compliant tagged Devices. We are having trouble getting  "Device ID" and "Join type" of all our Users.. Edge and Safari are working fine, only Chrome and Firefox wont ereport any Details.

Thanks for your help!

Jordan_Mastel
New Contributor

Have a similar issue, we never used JAMF conditional access. Tried to terminate the connection but it just said not connected. Tried to set it up but now the JAMF conditional access page has a big ol' warning on it saying it's deprecated so I can't complete it and Intune is stuck waiting on JAMF approval.

 

I Ran the command Suso JAMF Manage and then /usr/local/jamf/bin/jamfAAD gatherAADInfo on the Mac but that brings up what appears to be the old Jamf Conditional access window. Not the JAMFAAD message that I can see in the documentation.

 

As far as I can tell everything is set up correctly, Intune and JAMF both say device compliance is successfully connected. But whenever I launch the register policy from Self-service it launches Company portal, allows me to sign in, then doesn't bring up the JAMFAAD window. After running those commands it brings up the Jamf Conditional access window whenever I run the register computer policy. I reimaged the mac and tried the same steps and it's doing the same thing. 

I've spent a good 6+ hours on this issue with no resolution. Really not as seamless as it should be.

Found a solution for my specific issue and posting in case it helps in the future. The problem was apparently the registration app didn't have a default browser to use but JAMF Support provided an article for how to specify one, after adding the PLIST file it works for me. https://learn.jamf.com/en-US/bundle/technical-articles/page/Troubleshooting_Microsoft_Azure_Login_Us...