How do you handle the Azure AD registration?

verticalben
New Contributor III

Hi all, how do you all manage/handle the Azure AD registration, specifically on end-user devices?

We've finally been able to get the registration to work, so objects are created in AAD and evaluated for Conditional Access. But the process is a bit fiddly. For example, if you don't press 'Always Allow' on the certificate box, it can kill it all.

How do you all handle it in your environments?

Thanks

4 REPLIES 4

Jaykrishna1
Contributor II

In an Azure AD environment, it's important to have a smooth and reliable process for end-user device registration. 

You check and implement few mentioned tips:

  1. Use an automated registration process: Automation can help to simplify the process of registering end-user devices with Azure AD. For example, you can use an MDM solution like Intune to automate the enrollment process, which can help to minimize user error and improve the overall experience for end-users.

  2. Clearly communicate the process to end-users: Make sure that end-users are aware of the registration process and what they need to do in order to complete it successfully. Provide clear instructions, along with visual aids if possible, to help users understand the steps involved.

  3. Test the registration process: Test the registration process thoroughly to identify any potential issues and to ensure that it is working as expected. This will help you to identify any issues and make any necessary changes before the process is rolled out to end-users.

  4. Monitor the registration process: Monitor the registration process to ensure that it is working as expected and to identify any issues that may arise. This will help you to quickly resolve any issues and to ensure that the process is working smoothly.

By following these tips and best practices, you can help to ensure a smooth and reliable Azure AD registration process for end-user devices.

AJPinto
Honored Contributor III

In my org we are 99% Windows, and I am the dedicated JAMF Admin for that 1% of Macs. iOS Devices are managed in Intune.

 

Last year I worked for about 4 months to get JAMF+Intune integration setup, and co-management working as a "replacement" to domain binding. The JAMF side was fairly simple, getting JAMF and Intune to talk was also reasonably simple. The Azure side was another beast entirely. It became very evident very quickly that our Azure Admins had no idea how the full scope of Azure functioned (to be fair Azure is a beast) and turned us over to Microsoft. Microsoft after 3 months was totally unable to assist us in getting Macs to register consistently with Azure from the comp portal. The many Microsoft techs I worked with also seemed to have very little understanding in how AAD registration worked which did not help confidence any.

 

For AAD registration users would just have another unnecessary thing to sign in to and update when they change their password. AAD Registration was very high touch for the users, and every touch point is a chance for a support ticket. So at the end of 4 months I canned the project, support was too poor, and results were inconsistent. JAMF could do 90% of conditional access by itself from the device/application level rather than the identity level without ever involving the user until they were no compliant.

 

It is still very much possible to manually create the AAD Object, and we had explored using API to do it also. However, this is not totally secure and I would not rely on it as a point of trust for issuing certificates. In the end I was able to convince the powers that be, that macOS is not Windows. Azure is a Microsoft product designed to be used with Windows, and does not give the benefits they were looking for from macOS. We still issue ADCS certs to our Macs, this time using the JAMF ADCS Connector. Users still get IDP login and password synchronization with JAMF Connect. JAMF Connect provides SSO for some things and the Okta Verify App provides SSO to other things. 

 

TL;DR:

I suppose to directly answer your question. We accepted the "juice is not worth the squeeze" to deal with macOS in Azure. That you can get pretty much all the functionality of Azure registration without having to deal with the headache. 

 

verticalben
New Contributor III

Thank you for the detailed response. I feel like I'm in a very similar position to you. I've not been impressed with how 'involved' the end-user is in the registration process.

How do you get around things like Conditional Access? Our main reason for getting these devices registered in Azure is because our CA policies require sign-ins to come from a Compliant device.

Of course, we could make a separate CA policy for Macs, but that would remove an extra layer of security on the compliant device sign-ins.

piotrr
Contributor III

We're on 60-40 Mac + Windows, iOS in Intune. Macs are in Jamf and Intune Integration for CA. 

Yes, the end-user Company Portal Intune enrollment is fiddly as hell, even if it's improved a lot in the past two years it is peak "rubber bands and tape" solution. The only way to do it for me has been to be online with the user as they go through it, which is fine if you only have a few dozen machine changes per year, but it would be impossible if you have thousands. 

I am fairly certain that you are going to have to have different CA policies scoped for your Macs than your PCs. It's what we do - and honestly, you can't require the "same" OS versions for Macs and PCs anyway, so you would have needed that regardless. Just require the same things in spirit - complex passwords, disk encryption, require password after idle, that type of thing.