Jamf Nation Community

anotherAdmin · ‎04-20-2022

Overview:

I was really struggling to configure SMTP with M365. We have a distribution list that our Operations team are all apart of and wanted to receive email notifications from Jamf for a variety of reasons.

Our environment has MFA enabled and I was continuously fighting with both Jamf/Azure to figure out a workaround to the authentication errors I was seeing in the Jamf Server Logs.

It wasn't until after creating a service account without MFA applied it(account being authenticated in Jamf SMTP) and enabling "Send As" and "Send on behalf" in the distribution list by adding the service account to the delegates list that mail was delivered.

Lets look at a couple server logs I was experiencing first.

Server Log Error generated from an account with MFA enabled:

javax.mail.AuthenticationFailedException: Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.

With the error above I messed around in Azure quite a bit and got no where. I made exceptions with my user for MFA and I attempted trying to configure an "App Password" which doesn't seem to exist anymore? Or at least was not available within my users account settings for some reason.

Server log Error generated from authenticating with a service account created in M365 with no MFA enabled.

com.sun.mail.smtp.SMTPSendFailedException: SendAsDenied;

The "SendAsDenied" stuck out to me and I remembered in Exchange that you could configure an account to "Send As". It wasn't until after enabling the service account (account being authenticated in Jamf SMTP) to send as the distribution list that I was targeting mail was finally delivered.

Below is the configuration / solution which allowed for mail to be delivered successfully from Jamf Pro to our M365 Server using a service account without MFA.

Microsoft 365 Configuration:

Step 1: Navigate to admin.microsoft.com

Step 2: Users > Active Users > Add a User

Enter all required information. I added Exchange Admin as Administrator credentials to this service account.
Assign a license that will provide this service account a mailbox.
In the User settings > Mail > Mail Apps > verify that Authenticated SMTP is enabled.

Step 3: Navigate to Exchange Online Admin Center from M365 Admin Center.

Step 4: Navigate to Recipients > Groups > Distribution List and locate the Distribution List you want to target.

Step 5: Select the Distribution List > Settings > Manage Delegates > Edit Delegates > Add a delegate > Add the service account you created and choose the “send on behalf” option. Save changes.

Jamf Pro Configuration:

Step 1: Sign into your Jamf Cloud Instance

Step 2: Select the Settings cog in the top right

Step 3: Navigate to System Settings > SMTP Server

Step 4: Enter the following information:

Server and port: smtp.office365.com | 587
Encryption: TLSv1.2
Connection Timeout: 15 [You can play around with this depending on what you want/need]
Sender Display Name: [Up to you]
Sender Email Address: Enter the mailing address you want mail to be sent from. I sent mine from a distribution group.
Requires Authentication: Enter the credentials of the service account you’ve created in M365.

Step 5: Save and Test. At this point I received an email.

Note: This is how I accomplished this, it may not work for your environment. If you think I skipped a step or didn't explain something clearly please let me know and I'll take a look.

RaxiaDK · ‎04-27-2022

Thank you for your guide, I keep getting: javax.mail.AuthenticationFailedException: 535 5.7.139 Authentication unsuccessful, basic authentication is disabled. [AS8PR07CA0033.eurprd07.prod.outlook.com]

This not working for me: Disable Basic authentication in Exchange Online | Microsoft Docs

RaxiaDK · ‎06-23-2022

it was a time issue, it work for me now

MSB · ‎06-03-2022

Foe Me Its work First time only Not sure why But its working

"A test message was successfully sent."

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client...

scottb · ‎07-11-2022

Can anyone here get the "Sender Display Name" to work? I've got the emails working fine, but I never get the Sender Display Name to use what I have entered, and it's confusing as I have a bunch of Jamf servers...

Thank you

RaxiaDK · ‎07-11-2022

Mine Work fine

sarvagya · ‎08-26-2022

Hi, it's not working! I tried this:

- Created an user in Outlook

- Enabled SMTP Auth for that user mailbox.

- smtp.outlook365.com | 587

- TLS1.2 and connection timeout 15sec

Added username (email) and password

Not working!

RaxiaDK · ‎08-26-2022

try use your EOP on port 25

sarvagya · ‎08-26-2022

I tried this not working.

RaxiaDK · ‎08-26-2022

I do this, but look your log

sarvagya · ‎08-26-2022

I tried this not working.

scottb · ‎08-26-2022

Odd, this was working until the 10.40.1 update...now it's not. This sucks!

scottb · ‎08-29-2022

Well, this may be part of what we're seeing...we recently changed our auth to modern using OKTA verify, so we'll have to see if we can make changes or change to another email solution for this:

Basic Authentication Deprecation in Exchange Online – May 2022 Update

Jay_007 · ‎06-07-2023

Yeah, since Microsoft enforced Modern Authentication at the end of 2022, it completely broke this. You can allow Basic Authentication for the single email account to get it working, but this is a security risk.

I suggest putting a vote on this feature request to get Jamf to intergrade with Modern Auth:

https://ideas.jamf.com/ideas/JN-I-16171

benjaminherrin · ‎08-17-2023

Am I correct in thinking that auth should still work if you setup an App Password on an account that has Enforced MFA? As long as you enable SMTP auth on the account it should work with the App Password?

Vnds · ‎07-11-2023

I have done everything as suggested here but its not working for us. What else we need make changes in the both side JAMF pro and M365 side?

BM-Degenkamp · ‎11-21-2023

Worked fine up to begin of November (last succesfull use is from 02/11). Tested yesterday and it is not working anymore.

obi-k · ‎11-30-2023

Joining the party. Has anybody successfully set up SMTP with Jamf and M365?

BM-Degenkamp · ‎12-13-2023

So far (extensive) testing shows that it works once or twice and then stops. We have the idea that MFA kicks in and everything stops.

JeffBugbee · ‎01-04-2024

Same issue. Looks like port 25 is completely blocked in Jamf Cloud: https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html

"Note: To help keep data and communications as secure as possible, port 25 is blocked in Jamf Cloud. Jamf recommends using port 587 with TLS."

No luck with 587 at the moment either.

BM-Degenkamp · ‎01-05-2024

Tried the 587 with various TLS settings and multiple newly created accounts several times and nothing works. It is rather strange though that a new account does work shortly (send once or twice succesfully), before getting blocked. Looks like MFA suddenly kicks in or the address gets blacklisted somewhere?

obi-k · ‎01-05-2024

Same here. Since port 25 is blocked, we tried port 587 and 465 with various TLS settings.

Nothing.

We have a ticket in with Microsoft but they are pointing at Jamf. We're stuck. Is it a Jamf or Microsoft thing?

Have you guys looked into your Firewall rules? We're checking to see if the list of new IPs is whitelisted and see if that helps.

https://learn.jamf.com/bundle/technical-articles/page/Permitting_InboundOutbound_Traffic_with_Jamf_C...

BM-Degenkamp · ‎01-05-2024

I did find something about it in a "idea-section" of Jamf (ideas.jamf.com/ideas/JN-I-16171, add https:// in front of it) that refers to it. Looks like they are aware, but not doing much yet about it. And there is a command shown that might help.

adam_s_fw · ‎01-10-2024

My understanding is that the issue with it working once or twice then stopping is due to new Microsoft default policies kicking in "require MFA" for any users with a risk status of medium or above. This paired up with their recent stricter triggers for risk (new IP, or using smtp), seems to be causing the issue.

Thus.... the oauth/modern auth feature request is becoming even more crucial.

el2493 · ‎02-12-2024

I spoke with Jamf Support about this the past few weeks. We have an O365 account that has basic authentication and SMTP AUTH enabled, and we used to use it with direct send method before port 25 got shut down by Jamf. We tried to switch to SMTP AUTH configuration, but in Jamf Server logs kept seeing a message about basic auth being disabled for the account (even though it definitely wasn't).

After getting escalated in Jamf Support, we were told that the only way to use O365 as an SMTP server in Jamf now was to use app passwords (which our org has disabled). I tried to press for any information on the roadmap for OAuth and didn't get any response.

obi-k · ‎02-12-2024

We got ours to work in Jamf Production and test. We ended up changing a Microsoft Conditional Access policy.

BM-Degenkamp · ‎02-12-2024

Do you have some details on that? And did that really solve it?

Prakash1 · ‎03-15-2024

Can you please explain, what changes you have made?

sbrammer · ‎02-13-2024

Yesterday i realzied i have not been receiving emails from Jamf when a device goes into\leaves a particular Smart Group. I went into the smtp settings, and like many of you, it fails with a generic unable to connect to server message. I have tried to increase the timeout as well as change from tls 1.2 to SSL, and both did not work. I also currently have a case open with Support, but so far they have not been much help.

stutz · ‎02-19-2024

Like others we noticed our reports from Jamf Pro not getting sent to us and found out our SMTP broke because we were using port 25. Here is what we did:

- Created a service account, gave it O365 E1 license (Online only).
- Created a mailbox for the account (if you are a hybrid environment do it on your exchange server and sync it to the cloud).
- Changed the login creds from our tenant to "@companyname.onmicrosoft.com" This allows you to login directly to Microsoft.
- The sender also needs to match up with the username authenticating to the cloud. Otherwise the Sender will need to be an O365 account as well and be given "sendas" permissions on the SMTP account.
- To limit the access into the service account, we locked down IMAP,POP & Mapi.

Look at the Jamf Pro Console Server logs if you do an SMTP test and it fails. That is how we noticed our issue with not having the Authentication account and Sender Email Address the same.

"SendAsDenied; notify@companyname.onmicrosoft.com not allowed to send as jamf_notice@companyname.com;"

Hopefully this helps someone running into this issue.

llitz123 · ‎03-26-2024

This worked for me. I had to use a business basic license. Wish there was a 'free' workaround.

Thanks for the writeup.

Eric_SD_Wrkr · ‎03-26-2024

Could you go into a bit more detail about what you did? We tried this setting with a licensed account but it still wasn't working for us. Did you have to change anything on the tenant?

llitz123 · ‎03-26-2024

I followed this exactly. I didnt change anything in the process other than I had to use a different M$ license type for my M$ account (Business Basic vs OP's E1 license).

llitz123 · ‎04-01-2024

I thought I replied to this?

I followed the exact steps by @stutz above. I didnt change anything in the process.

CasperSally5432 · ‎04-01-2024

@stutz @llitz123 are you jamf cloud customers? We can't seem to get past the error we have in logs " 535 5.7.139 Authentication unsuccessful, basic authentication is disabled" and jamf support hasn't helped beyond talking about app passwords which AFAIK isn't a thing anymore? Are you using those?

llitz123 · ‎04-01-2024

I am a cloud basic customer if that's what it is? I think there are multiple tiers for cloud and we're basic or whatever?

CasperSally5432 · ‎03-21-2024

It's wild to me how bad the support answer has been from jamf on Microsoft stopping support for basic auth. App passwords? Disable MFA? Really?

Jamf supports SMTP in their other product (Protect) from what I've read, how in the world are they not supporting it for their SaaS customers?

CasperSally5432 · ‎04-04-2024

I assume this was in beta release notes for awhile and we missed it - and jamf support didn't mention it despite us asking for a solution now for weeks. It's an interesting solution for jamf not wanting to provide SMTP themselves, I guess.

https://learn.jamf.com/en-US/bundle/technical-articles/page/Configuring_Jamf_Pro_to_Use_Microsoft_Gr...

llitz123 · ‎04-04-2024

Well that looks like fun. Thanks for finding it. We'll give it a shot.

el2493 · ‎04-05-2024

Thanks for sharing, scheduling a meeting with our M365 team to see if this is something they can get on board with since App Passwords seems like a non-starter.

Jamf Nation Community

Guide: How To Configure Jamf Pro SMTP with M365