Intune/Conditional Access/O365 Login Promptapalooza

rtylerdavis
Release Candidate Programs Tester

Hello!

Our organization uses Intune for our standard MDM (iOS and Android devices), and has just recently purchased Jamf for macOS management.

I'm working on getting everything working with the Intune connector, and running o365 apps (teams, outlook, office, Skype) on our Macs. However, I'm having kind of a rough end user experience.

I made a smart group for the initial Intune Integration trigger once devices have started their FV2 encryption, so that devices show up in Intune as being compliant right off the bat. Once the users sign into Company Portal, they're taken to the Jamf AAD integration, and are prompted for 2FA (in our environment, this is done when registering a device with AAD). Once they're totally enrolled, it seems to work fine, a user can launch Outlook, and sign in to get mail without issue.

However...there are an absurd amount of login prompts. There's prompts to login to each app category (login to Outlook, login to Teams, login to Office, login to Skype), then there's keychain login prompts for each app (I've found these can be suppressed by just clicking always allow, rather than allow), then there's occasional re-logins in the communication apps (Outlook and Teams), and in our environment there's auto-discovery redirect logins in Outlook.

It's frustrating to say the least...I'm wondering a few things...Is this an issue that everyone has seen/encountered? Is it an issue with our environment? Or Jamf? Or Microsoft? Or a combination of all 3?

I'm planning to do a fresh build tomorrow and capture some screenshots and get a counter on how many prompts a user actually gets for credentials. It's also worth noting we haven't setup our SAML/OpenAM integration yet, so I'm wondering if that could also help...

6 REPLIES 6

hdsreid
Contributor III

and then when you change the password, you get to do it for each individual app once again :)

ThijsX
Valued Contributor
Valued Contributor

@rtylerdavis Hmm.. i have currently 300+ macOS devices that are registered via Jamf Pro in our Intune environment with many Conditional Access policies, and also Intune as MDM/MAM for our iOS and Android devices.

On enrollment yeah there are the Keychain prompts for the applications that would like to use the 'MS-Organisation-Access' certificate, but in our environment we have do not experience all the prompts when someone changes their password. The prompts only exist after Intune registration and the applications would like to access the cert for the first time.

I can imagine when a login keychain gets "crippled" then you are receiving the same prompts, do you experience this for all your users and devices and are you on the lastest Company Portal version?

mmusante
New Contributor II

It's for reasons like this that our org has resorted to "white glove" deployment for every new Mac user. (and I don't mean Windows Autopilot, I'm talking about a combination of automated tools and real human hands-on, clicking away all the scary/annoying messages and filling in all the first run dialogues) On the first day of work the user can sit down at his or her desk with a fully-operational provisioned Mac with no unnecessary prompts and get familiar with the on-boarding materials. We then walk the user through the password change process so they will know what to expect when the next password change is required. Because this is such a hands-on process, it requires significantly more overhead than what any automated tool offers alone, however it cuts way down on the number of helpdesk calls and minimizes user frustration which both contribute to a smooth transition to their new role. One example is we deploy MS office 365 through VPP and push the apps via MDM but a user still needs to log in with their office365 credentials to get the applications fully operational so we log in for them and get the software activated before they arrive. We're not big enough to afford any kind of SSO solution that may or may not obviate this kind of manual enrollment.

rtylerdavis
Release Candidate Programs Tester

@txhaflaire Interesting...we haven't deployed to many users yet outside of IT, but I'm getting ready to this week. If you don't mind me asking...what do your CA policies look like on the Azure side? I'm redesigning some of ours as we speak to make things a bit simpler...

In that same vein, what does your Intune Registration policy set look like? I had thought I'd read in the documentation on either the Jamf or Microsoft side that you should set the Intune Registration policy to be recurring, so I had set ours to that, but it seemed like if you had a botched Registration (network issue, timeout, etc), you would get de-registered from Intune. I'm also not seeing that anywhere in the documentation now, so I'm wondering if I misunderstood that.

I do expect a few login prompts, especially initially (we have NTLM/IWA for our proxy so we get a bit of it the first couple days), however this just seems excessive.

shawes
New Contributor II

Has anyone managed to find a way around all the keychain login prompts? Currently testing a CA policy and with all these prompts I'm very reluctant to deploy to all users.

rtylerdavis
Release Candidate Programs Tester

It's rough, but it really is just a matter of waiting the few days for everything to cache up/sync to the keychain. After that it's smooth sailing until the next password change. At this point my bigger issue seems to be NTLM/IWA authentication with our proxies. I've been working on getting them to go with kerberos, but it's a lot of work to convince of the need.