Posted on 01-27-2021 07:38 AM
We use Jamf for our Apple management but recently our organization got InTune running for the Windows folks. It was asked if Intune can be used for the Apple devices to which I'm aware that jamf can tie into it. I just don't know the extent of that and don't think it's a good idea to switch completely. We're behind the times in getting filevault rolled out for various reasons. One of which right now is that we need to get MFA configured for Jamf if we're going to store the keys there. Is there a way to continue using Jamf for everything but store the keys in Intune?
Storing them there with the Windows keys seems like it would be a benefit from a support standpoint.
Posted on 01-27-2021 08:05 AM
@jhuls Since both Jamf Pro and InTune would use a Configuration Profile to tell FileVault to escrow the encryption key I don't think it's possible to have the key escrowed with both systems. I did learn today that you can have the FV key escrowed with both Jamf Pro and a McAfee ePO, but that's due to McAfee's MNE component programmatically accessing fdesetup
rather than using a Configuration Profile which leaves that avenue available to Jamf Pro.
Posted on 01-27-2021 11:51 AM
@sdagley Actually I don't need the key in both locations. I just want to continue using Jamf for as much management as possible because from what I've gathered Intune isn't really quite there yet. Having the keys in Intune would be beneficial for standardizing where anyone needing access to them would only have one place to go.
Posted on 01-27-2021 12:54 PM
@jhuls You can definitely use the combo of Jamf Pro and InTune if you're using InTune for Conditional Access controls. If you want to mix management capabilities, that's not going to be work as only one MDM Profile can exist on a Mac at a time. And without InTune being the system that installed the MDM Profile it can't deploy the Configuration Profile that enforces FileVault and sets the recovery key escrow