Integrating Jamf Pro with Intune

MacJunior
Contributor III

Hey everyone, 


I'm thinking of starting to integrate our Jamf Pro instance with Intune just for the sake of having conditional access. What do you think? Any issues that I will encounter? Tips?

Thanks


sdagley
Esteemed Contributor II

@MacJunior Your timing is good, the new(er) Device Compliance integration between Jamf Pro and Intune/AzureAD is much less complicated/fragile than the older Conditional Access integration. Compliance evaluation is now handled via a Jamf Pro Smart Group so you have much more flexibility in the criteria that can be used to determine compliance.

Unfortunately there isn't a large volume of information available about the new Device Compliance integration, and searching will turn up primarily material on the older Conditional Access integration. Here's a link to the latest Jamf documentation on Device Compliance configuration: https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html. There is also a JNUC22 session on the new integration: https://www.jamf.com/blog/microsoft-partner-compliance-management-api-for-macos-jnuc2022/
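As an added illustration of the Smart Group approach described above (example only, not from sdagley, Jamf or Microsoft), this is the shape of a compliance Smart Group definition as posted to the Jamf Pro Classic API. The criterion names, search types and values are assumptions: check them against the Smart Group criteria list in your own Jamf Pro instance before using them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a Jamf Pro Smart Group intended for Device Compliance,
     in Classic API form (POST /JSSResource/computergroups/id/0).
     Criterion names/values are assumptions; verify against your instance. -->
<computer_group>
  <name>Intune Compliant Macs</name>
  <is_smart>true</is_smart>
  <criteria>
    <!-- Boot volume must be FileVault-encrypted -->
    <criterion>
      <name>FileVault 2 Partition Encryption State</name>
      <priority>0</priority>
      <and_or>and</and_or>
      <search_type>is</search_type>
      <value>Encrypted</value>
    </criterion>
    <!-- Minimum macOS version (constructed value, pick your own baseline) -->
    <criterion>
      <name>Operating System Version</name>
      <priority>1</priority>
      <and_or>and</and_or>
      <search_type>greater than or equal</search_type>
      <value>13.6</value>
    </criterion>
    <!-- System Integrity Protection must be on -->
    <criterion>
      <name>System Integrity Protection</name>
      <priority>2</priority>
      <and_or>and</and_or>
      <search_type>is</search_type>
      <value>Enabled</value>
    </criterion>
    <!-- Recent check-in, so a Mac with stale inventory drops out of the
         group instead of staying "compliant" on old data -->
    <criterion>
      <name>Last Check-in</name>
      <priority>3</priority>
      <and_or>and</and_or>
      <search_type>less than x days ago</search_type>
      <value>7</value>
    </criterion>
  </criteria>
</computer_group>
```

Once the group exists it is selected as the compliance group in the Device Compliance settings, and the Entra ID Conditional Access policy then only needs to require a compliant device; every rule change stays in Jamf Pro.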


MacJunior
Contributor III

@sdagley How about personal Mac devices ("BYOD")? How can we restrict those devices from accessing our company resources if they don't match our security criteria? Any thoughts?

sdagley
Esteemed Contributor II

@MacJunior I would strongly discourage any sort of BYOD for macOS devices at this time. There is no support in macOS for a managed "partition" like the one currently supported on iOS/iPadOS. Unless your users are willing to grant your company total control over their personal Mac (which I do not think that anyone should, or would want to, do), you're not going to be able to enforce your org's security criteria.

MacJunior
Contributor III

Then how do companies figure out if an employee is using their personal Mac to access their resources!? How do they protect their data? I feel I'm missing something here.

sdagley
Esteemed Contributor II

@MacJunior If you're using Jamf Pro/Intune/Device Compliance you're going to be requiring a company managed device that's configured properly before it can access your M365 connected services. Another access restriction approach is that a device be connected to your corporate network before it'll have access, and that connection can depend on a VPN that does a compliance check or a system like Cisco ISE so non-corporate devices aren't allowed on the network.