Jamf Nation Community

Safari and Edge will work - chrome should too. First time logging in, the user should see this: 

 Did you enroll Jamf devices using the Microsoft Device Compliance payload? You cannot run Company Portal directly. 

Yes, I did.
I see microsoft wokplace join key in keychain but browser didn't used it.
This picture what you sent I had when I stared enrolment policy form self service.
Then I gave a password and "always allow" box.

After that I logined to portal office on chrome or safiri, but in azure logs I didn't saw device ID or device marked like complinance.
In AAD I see market device like compliance.

I have just (a few days ago) implemented this on one of our customers (still at testing from us though thank god) but we are facing similar issues. The Device Compliance is setup and all is good on that part. It works when registering a device with "Microsoft Device Compliance" payload policy except it doesn't always. So when running the registration through self-service i get this (below picture). 

All is good, and you can see the device in Azure AD under devices. Except once you press the "Done" button following is supposed to show up:

And this is my problem, this JamfAAD authentication does not show up everytime. It's very random.

Anyone have any ideas on how to troubleshoot this or what we can try?

It is working sometimes, i have gotten it to work where the JamfAAD pops up, but reinstalling my test machines and registering to intune again through self-service "Microsoft Device Compliance" payload it didnt pop up. Then after a couple of hours, i ran to register again through self-service then it popped up. 

Anyone have any ideas? Same problems?

Hi, 

we had this issues to. I just added "sudo jamf manage" to my azure ad registration policy in self service. That helped a lot. so may 9 from 10 try's are working. 

No i added the new ms sso extension also to the macs we manage and it works a lot better and the user doesnt have to enter the credentials twice and the popup for the keychain doesnt have to be done by user. This works automaticaly.

From my experience, and i tested a lot of times and also longer time with jamf support as help, is that it works the best, when the machine has the latest os version and i use the latest company portal.

Hi eherbster

I swear I tried it all the way, in different policys script and so on. Just to explain a bit better.

We have started with deploying the device compliance only for new devices (for the moment). This means only new employees or employees they receive a new machine need to register the device for compliance. So it was bit easier to test, write a guide for them and control also. I spent a lot of time with testing. 

In the end i ended with an policy which start an osascript. In this osascript a redirect is done to the selfservice policy, when the user have to start the registration. And in exactly this script i had the best results with the sudo jamf manage command. I had also a "sleep 10" in this policy. Because directly after the PreStage enrollment, some machines went to fast to the policy and have lost the policy while opening it although they was scoped correctly with an smartgroup.

I think it depends a bit like your configuration is done.

We try always to use the latest versions. MacOS, Company Portal and everything we have on our machines. In the meantime i am not sure if the jamf manage command is necessary. 

I am testing this days another new prestage with an extended Notify Script. So I think, I will test also, if this is necessary.