Posted on 04-17-2023 03:01 AM
Hello,
I have followed all the steps in this manual. https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html.
I install portal company from jamf self service.
Then I enroll device to intune.
In intune I see device with compliance state.
Every think look ok, but when I start use browser chrome or safari in aad logs I didn't see complinace state or device ID.
Do you have a same issue?
How to force browser to use intune certificate?
Posted on 04-17-2023 04:54 AM
Its been a while since I used Conditional Access, but if I remember correctly it was just for Microsoft Apps, or things that authenticate with ADFS. Thought it would probably be best to run questions about Conditional Access and AAD by Microsoft, for better or for worse.
Posted on 04-24-2023 06:46 AM
Safari and Edge will work - chrome should too. First time logging in, the user should see this:
Did you enroll Jamf devices using the Microsoft Device Compliance payload? You cannot run Company Portal directly.
Posted on 04-25-2023 06:06 AM
Yes, I did.
I see microsoft wokplace join key in keychain but browser didn't used it.
This picture what you sent I had when I stared enrolment policy form self service.
Then I gave a password and "always allow" box.
After that I logined to portal office on chrome or safiri, but in azure logs I didn't saw device ID or device marked like complinance.
In AAD I see market device like compliance.
Posted on 05-15-2023 06:12 AM
I have just (a few days ago) implemented this on one of our customers (still at testing from us though thank god) but we are facing similar issues. The Device Compliance is setup and all is good on that part. It works when registering a device with "Microsoft Device Compliance" payload policy except it doesn't always. So when running the registration through self-service i get this (below picture).
All is good, and you can see the device in Azure AD under devices. Except once you press the "Done" button following is supposed to show up:
And this is my problem, this JamfAAD authentication does not show up everytime. It's very random.
Anyone have any ideas on how to troubleshoot this or what we can try?
It is working sometimes, i have gotten it to work where the JamfAAD pops up, but reinstalling my test machines and registering to intune again through self-service "Microsoft Device Compliance" payload it didnt pop up. Then after a couple of hours, i ran to register again through self-service then it popped up.
Anyone have any ideas? Same problems?
Posted on 06-01-2023 03:38 AM
Hi,
we had this issues to. I just added "sudo jamf manage" to my azure ad registration policy in self service. That helped a lot. so may 9 from 10 try's are working.
No i added the new ms sso extension also to the macs we manage and it works a lot better and the user doesnt have to enter the credentials twice and the popup for the keychain doesnt have to be done by user. This works automaticaly.
From my experience, and i tested a lot of times and also longer time with jamf support as help, is that it works the best, when the machine has the latest os version and i use the latest company portal.
Posted on 08-31-2023 02:13 PM
Hi Jacek - When you say you added sudo Jamf manage to your policy - where did you configure that? Was it part of a script or creating a local account? Thank you.
Posted on 08-31-2023 10:25 PM
Hi eherbster
I swear I tried it all the way, in different policys script and so on. Just to explain a bit better.
We have started with deploying the device compliance only for new devices (for the moment). This means only new employees or employees they receive a new machine need to register the device for compliance. So it was bit easier to test, write a guide for them and control also. I spent a lot of time with testing.
In the end i ended with an policy which start an osascript. In this osascript a redirect is done to the selfservice policy, when the user have to start the registration. And in exactly this script i had the best results with the sudo jamf manage command. I had also a "sleep 10" in this policy. Because directly after the PreStage enrollment, some machines went to fast to the policy and have lost the policy while opening it although they was scoped correctly with an smartgroup.
I think it depends a bit like your configuration is done.
We try always to use the latest versions. MacOS, Company Portal and everything we have on our machines. In the meantime i am not sure if the jamf manage command is necessary.
I am testing this days another new prestage with an extended Notify Script. So I think, I will test also, if this is necessary.