Guide: How To Configure Jamf Pro SMTP with M365

anotherAdmin
New Contributor II

Overview:

I was really struggling to configure SMTP with M365. We have a distribution list that our Operations team are all apart of and wanted to receive email notifications from Jamf for a variety of reasons.

Our environment has MFA enabled and I was continuously fighting with both Jamf/Azure to figure out a workaround to the authentication errors I was seeing in the Jamf Server Logs.

It wasn't until after creating a service account without MFA applied it(account being authenticated in Jamf SMTP) and enabling "Send As" and "Send on behalf" in the distribution list by adding the service account to the delegates list that mail was delivered.

Lets look at a couple server logs I was experiencing first.

 

Server Log Error generated from an account with MFA enabled:

  • javax.mail.AuthenticationFailedException: Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.

With the error above I messed around in Azure quite a bit and got no where. I made exceptions with my user for MFA and I attempted trying to configure an "App Password" which doesn't seem to exist anymore? Or at least was not available within my users account settings for some reason.

 

Server log Error generated from authenticating with a service account created in M365 with no MFA enabled.

  • com.sun.mail.smtp.SMTPSendFailedException: SendAsDenied;

The "SendAsDenied" stuck out to me and I remembered in Exchange that you could configure an account to "Send As". It wasn't until after enabling the service account (account being authenticated in Jamf SMTP) to send as the distribution list that I was targeting mail was finally delivered. 

 

Below is the configuration / solution which allowed for mail to be delivered successfully from Jamf Pro to our M365 Server using a service account without MFA.

 

Microsoft 365 Configuration:

Step 1: Navigate to admin.microsoft.com

Step 2: Users > Active Users > Add a User

  • Enter all required information. I added Exchange Admin as Administrator credentials to this service account.
  • Assign a license that will provide this service account a mailbox.
  • In the User settings > Mail > Mail Apps > verify that Authenticated SMTP is enabled.

Step 3: Navigate to Exchange Online Admin Center from M365 Admin Center.

Step 4: Navigate to Recipients > Groups > Distribution List and locate the Distribution List you want to target.

Step 5: Select the Distribution List > Settings > Manage Delegates > Edit Delegates  > Add a delegate > Add the service account you created and choose the “send on behalf” option. Save changes.

5jamf-smtp-config-1.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Jamf Pro Configuration:

Step 1: Sign into your Jamf Cloud Instance

Step 2: Select the Settings cog in the top right

Step 3: Navigate to System Settings > SMTP Server

Step 4: Enter the following information:

  • Server and port: smtp.office365.com | 587
  • Encryption: TLSv1.2
  • Connection Timeout: 15 [You can play around with this depending on what you want/need]
  • Sender Display Name: [Up to you]
  • Sender Email Address: Enter the mailing address you want mail to be sent from. I sent mine from a distribution group.
  • Requires Authentication: Enter the credentials of the service account you’ve created in M365.

    jamf-smtp-config-1.png
  •  

 

 

 

 

 

 

 

 


Step 5:
Save and Test. At this point I received an email.

Note: This is how I accomplished this, it may not work for your environment. If you think I skipped a step or didn't explain something clearly please let me know and I'll take a look.

32 REPLIES 32

RaxiaDK
Contributor

Thank you for your guide, I keep getting: javax.mail.AuthenticationFailedException: 535 5.7.139 Authentication unsuccessful, basic authentication is disabled. [AS8PR07CA0033.eurprd07.prod.outlook.com]

This not working for me: Disable Basic authentication in Exchange Online | Microsoft Docs

it was a time issue, it work for me now

MSB
New Contributor

Foe Me Its work First time only Not sure why But its working 

 

"A test message was successfully sent."

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client...

 

scottb
Honored Contributor

Can anyone here get the "Sender Display Name" to work?  I've got the emails working fine, but I never get the Sender Display Name to use what I have entered, and it's confusing as I have a bunch of Jamf servers...

Thank you

RaxiaDK
Contributor

Mine Work fine

sarvagya
New Contributor

Hi, it's not working! I tried this:

 

- Created an user in Outlook

- Enabled SMTP Auth for that user mailbox.

- smtp.outlook365.com | 587

- TLS1.2 and connection timeout 15sec

Added username (email) and password

 

Not working!

try use your EOP on port 25

I tried this not working.

I do this, but look your log

Skærmbillede 2022-08-26 101738.png

sarvagya
New Contributor

I tried this not working.

scottb
Honored Contributor

Odd, this was working until the 10.40.1 update...now it's not.  This sucks!

scottb
Honored Contributor

Well, this may be part of what we're seeing...we recently changed our auth to modern using OKTA verify, so we'll have to see if we can make changes or change to another email solution for this:

Basic Authentication Deprecation in Exchange Online – May 2022 Update 

Yeah, since Microsoft enforced Modern Authentication at the end of 2022, it completely broke this. You can allow Basic Authentication for the single email account to get it working, but this is a security risk.

 

I suggest putting a vote on this feature request to get Jamf to intergrade with Modern Auth:  

https://ideas.jamf.com/ideas/JN-I-16171 

Am I correct in thinking that auth should still work if you setup an App Password on an account that has Enforced MFA? As long as you enable SMTP auth on the account it should work with the App Password? 

Vnds
New Contributor

I have done everything as suggested here but its not working for us. What else we need make changes in the both side JAMF pro and M365 side? 

BM-Degenkamp
New Contributor III

Worked fine up to begin of November (last succesfull use is from 02/11). Tested yesterday and it is not working anymore. 

obi-k
Valued Contributor II

Joining the party. Has anybody successfully set up SMTP with Jamf and M365?

BM-Degenkamp
New Contributor III

So far (extensive) testing shows that it works once or twice and then stops. We have the idea that MFA kicks in and everything stops. 

JeffBugbee
New Contributor III

Same issue. Looks like port 25 is completely blocked in Jamf Cloud: https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html

"Note: To help keep data and communications as secure as possible, port 25 is blocked in Jamf Cloud. Jamf recommends using port 587 with TLS."

No luck with 587 at the moment either.

BM-Degenkamp
New Contributor III

Tried the 587 with various TLS settings and multiple newly created accounts several times and nothing works. It is rather strange though that a new account does work shortly (send once or twice succesfully), before getting blocked. Looks like MFA suddenly kicks in or the address gets blacklisted somewhere?

obi-k
Valued Contributor II

Same here. Since port 25 is blocked, we tried port 587 and 465 with various TLS settings.

Nothing. 

We have a ticket in with Microsoft but they are pointing at Jamf. We're stuck. Is it a Jamf or Microsoft thing?

Have you guys looked into your Firewall rules? We're checking to see if the list of new IPs is whitelisted and see if that helps.

https://learn.jamf.com/bundle/technical-articles/page/Permitting_InboundOutbound_Traffic_with_Jamf_C... 

BM-Degenkamp
New Contributor III

I did find something about it in a "idea-section" of Jamf (ideas.jamf.com/ideas/JN-I-16171, add https:// in front of it) that refers to it. Looks like they are aware, but not doing much yet about it. And there is a command shown that might help.

adam_s_fw
New Contributor

My understanding is that the issue with it working once or twice then stopping is due to new Microsoft default policies kicking in "require MFA" for any users with a risk status of medium or above. This paired up with their recent stricter triggers for risk (new IP, or using smtp), seems to be causing the issue.

Thus.... the oauth/modern auth feature request is becoming even more crucial.

el2493
Contributor III

I spoke with Jamf Support about this the past few weeks. We have an O365 account that has basic authentication and SMTP AUTH enabled, and we used to use it with direct send method before port 25 got shut down by Jamf. We tried to switch to SMTP AUTH configuration, but in Jamf Server logs kept seeing a message about basic auth being disabled for the account (even though it definitely wasn't).

After getting escalated in Jamf Support, we were told that the only way to use O365 as an SMTP server in Jamf now was to use app passwords (which our org has disabled). I tried to press for any information on the roadmap for OAuth and didn't get any response.

obi-k
Valued Contributor II

We got ours to work in Jamf Production and test. We ended up changing a Microsoft Conditional Access policy.

BM-Degenkamp
New Contributor III

Do you have some details on that? And did that really solve it?

Prakash1
New Contributor

Can you please explain, what changes you have made?

sbrammer
New Contributor III

Yesterday i realzied i have not been receiving emails from Jamf when a device goes into\leaves a particular Smart Group. I went into the smtp settings, and like many of you, it fails with a generic unable to connect to server message. I have tried to increase the timeout as well as change from tls 1.2 to SSL, and both did not work. I also currently have a case open with Support, but so far they have not been much help. 

stutz
Contributor

Like others we noticed our reports from Jamf Pro not getting sent to us and found out our SMTP broke because we were using port 25.  Here is what we did:


- Created a service account, gave it O365 E1 license (Online only).
- Created a mailbox for the account (if you are a hybrid environment do it on your exchange server and sync it to the cloud).
- Changed the login creds from our tenant to "@companyname.onmicrosoft.com"  This allows you to login directly to Microsoft.
- The sender also needs to match up with the username authenticating to the cloud.  Otherwise the Sender will need to be an O365 account as well and be given "sendas" permissions on the SMTP account.
- To limit the access into the service account, we locked down IMAP,POP & Mapi.


Look at the Jamf Pro Console Server logs if you do an SMTP test and it fails.  That is how we noticed our issue with not having the Authentication account and Sender Email Address the same.

"SendAsDenied; notify@companyname.onmicrosoft.com not allowed to send as jamf_notice@companyname.com;"

Hopefully this helps someone running into this issue.

Screenshot 2024-02-19 at 2.44.50 PM.png

llitz123
Contributor III

This worked for me.  I had to use a business basic license.  Wish there was a 'free' workaround.

Thanks for the writeup.

Could you go into a bit more detail about what you did? We tried this setting with a licensed account but it still wasn't working for us. Did you have to change anything on the tenant?

CasperSally5432
New Contributor II

It's wild to me how bad the support answer has been from jamf on Microsoft stopping support for basic auth. App passwords? Disable MFA? Really?

Jamf supports SMTP in their other product (Protect) from what I've read, how in the world are they not supporting it for their SaaS customers?