Force Jamf Enrollment - Conditional access

jameson
Contributor II

We are globally enrolling the Mac users in our company, and with some of them we have a lot of problems as they keep on delaying etc., and we don't really have a way to force it.

So I'm just wondering if there is any option, using conditional access, to "force" users to do the upgrade. So if their device is not registered in Jamf and Intune, they will be blocked from their email account, which users cannot work without.

I know I can set conditional access up with Intune and require the device to be registered in Intune. But is there any option to also force "Jamf" to be enrolled?

Another issue is, of course, that we don't want to hit users when they try to check mail on their private Macs, as we don't want to spend a Jamf license on a private device. But I guess location can help out with that.


jameson
Contributor II

Has anyone used conditional access?

KyleEricson
Valued Contributor II

@jameson You could do an Azure Conditional Access rule that blocks all cloud apps (everything) unless enrolled with Jamf/Intune.

Read My Blog: https://www.ericsontech.com

ThijsX
Valued Contributor

@jameson Like @kericson mentioned, that is how we do it. All our devices ARE registered in Jamf Pro, but the Intune registration is a user thing, so we block resources for users that are not marked as compliant, and to be compliant you have to be registered, and so on.

So block resources that hurt people (mail, intranet) and they definitely will register.
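The "block everything unless the device is compliant" rule that Kyle and Thijs describe, written out as an added example (not code from the original thread or from Jamf/Microsoft) using the Microsoft Graph PowerShell SDK. It assumes the tenant already has the Jamf Pro to Intune compliance integration in place, so the Compliant flag on the Azure AD device entry is what the policy evaluates. The group ID and named-location values are placeholders you would replace with your own; the policy is created in report-only state first so sign-in logs show who would be blocked before anyone is locked out of mail.

```powershell
# Added example: Conditional Access policy requiring a compliant (Jamf-registered) macOS device.
# Requires the Microsoft.Graph.Identity.SignIns module and an admin with the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of a break-glass / exclusion group so admins cannot lock themselves out.
$breakGlassGroupId = "<break-glass-group-object-id>"

$policy = @{
    displayName = "Require compliant macOS device for all cloud apps"
    # Report-only first: evaluate in sign-in logs, then switch to "enabled" once the impact is known.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        # "All" cloud apps, matching the "block everything" approach in the thread.
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # Scope to macOS only so Windows/mobile devices keep their own policies.
        platforms      = @{ includePlatforms = @("macOS") }
        # Optional: skip trusted office locations so on-site users are not hit during rollout.
        # Remove this block if you want the rule to apply everywhere.
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator         = "OR"
        # "compliantDevice" is satisfied only when the Azure AD device record shows Compliant = Yes,
        # which for Macs comes from the Jamf Pro -> Intune inventory sync.
        builtInControls  = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Two things worth checking before flipping the state to "enabled": that the break-glass group really is excluded (the policy applies to "All" users otherwise), and that every Mac you expect to pass actually shows Compliant = Yes under Azure AD Devices, since that field, not the Intune "All Devices" check-in time, is what the grant control reads.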

jameson
Contributor II

Yes, I can make a compliance policy in Intune, but nothing that has to do with Jamf?
It is Intune's own compliance setting and not any policy like "must be enrolled with Jamf".

jameson
Contributor II

I'm just wondering how the devices should look in Intune. I can see some have MDM as "none" while others have "intune".

But shouldn't it be Jamf as MDM, or how does it look in other environments?

maiksanftenberg
Contributor II

I do not have a current screenshot available, but as MDM it will say "Jamf" instead of Microsoft Intune.
We are starting to roll out CA as well. That means everyone who wants to use Office 365 is forced to have the Mac registered with Intune via Jamf. With this you can ensure that the device is first enrolled in Jamf and then in Intune to receive CA policies and settings.

Intune will not be able to perform any management activities on the client as Jamf is the MDM authority.

ThijsX
Valued Contributor

IF a device is registered correctly through Self Service into Intune, the device HAS two entries:
- An entry in Intune under "All Devices"
- An entry in Intune under "Azure AD Devices"

All Devices entry
Here you will see the last check-in time. Be aware that the current last check-in time is the time Intune received the related device inventory data, not the actual macOS check-in time to Jamf. This corresponds to what's in the Company Portal app.

Azure AD Device entry
The status displayed under Azure AD Devices will be used for determining access to protected company resources.
Under Azure AD Devices, the Compliant field is used to determine whether access to resources will be granted. If the compliant state is No, users will be blocked from protected company resources.
The Activity field for a device has no significance for Jamf/Intune compliance evaluation.

jameson
Contributor II

Thanks for the input.

It seems I missed the admin consent while the "MDM" was standing at None.

So enrolling new Macs works fine, as you describe above, with 2 places: one with Jamf and one with Intune.
But for those Macs I need to add again in the Company Portal to get them correctly into Intune, when I try to enroll the device into Intune it instead just registers the device in Azure.

I have tried to delete the wrong entry in Azure first, but it will still not

Has anyone seen this issue before?

KyleEricson
Valued Contributor II

@jameson Have you seen this setup guide?

Read My Blog: https://www.ericsontech.com