Posted on 04-12-2019 05:51 AM
We've followed all the instructions for setting up Intune integration with our Jamf Server on both sides. When I run the Self Service policy to get a Mac registered in Intune, it goes through all the steps until it gets to the JamfAAD.app, where it basically stops. I've let it sit with the spinning gear for an hour with no progress at all. Here's the screenshot:
When I click on More Details, here's what it says:
Has anyone else encountered this? What app is it trying to get? Could this window be any more vague?
Posted on 04-12-2019 06:55 AM
Have you deployed the Company Portal app to the Mac? Have a look through this thread - https://www.jamf.com/jamf-nation/discussions/28426/jamf-intune-intergration-issues - this should point you in the right direction.
Posted on 04-12-2019 07:00 AM
Yes. The Company Portal is installed before running the registration policy. We actually get through the portal registration part but at the very end it pops up that window telling us to "Get the app". The Conditional Access setting on the Jamf Server passes the test when I click test. I'll look through that thread to see if there's any parallels, but upon a quick search I don't see anything about "get the app".
Posted on 04-12-2019 03:09 PM
Not sure what the "get the app" is for.
We just got a few machines set up and the 3 main pieces are
Posted on 04-13-2019 03:38 AM
Yep, I get stuck at the same point.
Posted on 04-13-2019 05:45 AM
Try this command in a Terminal window without using sudo:
/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD -verbose gatherAADInfo -disable-cache-read
The above command will re-open Jamf AAD for registration again. Once registration has finished successfully, you will be able to access MS Office apps like OneNote, MS Teams, OneDrive, etc.
Posted on 04-14-2019 06:13 AM
@hafizulla.chittoor that doesn't make a difference for me, I still get the same issues as per the OP's first post.
Posted on 04-14-2019 03:33 PM
Did you have Company Portal deployed through Self Service or just by installing it?
Were these machines already set up with Company Portal in the past?
We saw an issue where there were a lot of things left over after deleting Company Portal before installing it through Self Service. We had to go through the user's Library folder under Application Support, Containers, Group Containers, Keychain, Preferences and delete everything related to Company Portal. After that it all worked fine.
If you go under conditional access in Jamf settings and test it, does it test out properly?
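A helper in the spirit of the Library sweep bjhobbs describes, added here as an example and not code from the thread, Jamf or Microsoft. It matches on the name fragments "companyportal" and "company portal" rather than any specific bundle identifier (an assumption, so review the listing before removing), and it leaves keychain items alone for manual review.

```shell
#!/bin/sh
# Added example, not from the thread: find (and optionally remove) leftover
# Company Portal files under a user's ~/Library before re-running the Intune
# registration policy. Matches on the name fragments "companyportal" and
# "company portal" (case-insensitive) rather than a specific bundle id, so
# review the listing before using --remove. Keychain items are deliberately
# left alone; inspect those in Keychain Access by hand.

# Print leftover paths under "$1/Library" in the folders named in the thread.
# A matched directory is pruned, so its contents are not listed separately.
cp_leftovers() {
  lib="$1/Library"
  for sub in "Application Support" "Containers" "Group Containers" "Preferences"; do
    [ -d "$lib/$sub" ] || continue
    find "$lib/$sub" -mindepth 1 -maxdepth 2 \
      \( -iname '*companyportal*' -o -iname '*company portal*' \) -prune -print
  done
}

# Remove everything cp_leftovers reports for the home directory in "$1".
cp_leftovers_remove() {
  cp_leftovers "$1" | while IFS= read -r path; do
    rm -rf "$path"
    echo "removed: $path"
  done
}

# Build a constructed home directory with fake leftovers (constructed names,
# not real bundle ids) so the script can be exercised without touching a real
# account. Prints the temp path.
cp_leftovers_demo_home() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/Library/Application Support/Company Portal" \
           "$tmp/Library/Containers/com.example.CompanyPortal" \
           "$tmp/Library/Preferences"
  touch "$tmp/Library/Preferences/com.example.CompanyPortal.plist" \
        "$tmp/Library/Preferences/com.example.Finder.plist"   # unrelated, must survive
  echo "$tmp"
}

# CLI: no args lists leftovers for the current user; "--remove [home]" deletes;
# "--demo" runs the listing against a constructed home directory.
case "${1:-}" in
  --remove) cp_leftovers_remove "${2:-$HOME}" ;;
  --demo)   home=$(cp_leftovers_demo_home); cp_leftovers "$home"; rm -rf "$home" ;;
  *)        cp_leftovers "${1:-$HOME}" ;;
esac
```

Run it once without --remove and compare the listing against what the user actually installed before deleting anything.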
Posted on 04-14-2019 11:30 PM
@bjhobbs What's the difference between installing (not registering!) Company Portal with Self Service or just a deployment policy? (or even manually download)
I guess only the Intune registration process has to be run from Self Service (which itself starts Company Portal for registering).
But I also saw this "Get the app" message on a device last week. I don't remember how I fixed it (I had to kill the process). In these cases we always run a "Company Portal cleaning" script followed by the Intune registration again. This helps most of the time.
BTW, does anybody know if Microsoft supports a "mixed" mode of BYOD Macs (not managed by Jamf) and Jamf-managed Macs (with Intune integration) on the same Intune tenant?
We have both Jamf-unmanaged and -managed Macs which are registered in Intune and everything works so far. But last week one of our BYOD Macs (which was never managed by Jamf) got a similar Conditional Access message window as above, but with the following text:
And after the user pressed "Enrol now" he was redirected to our Jamf Pro server, which should not happen. But why does Intune get the Jamf URL from the Jamf Connector for an unmanaged (BYOD) Mac?
Posted on 04-15-2019 12:18 AM
1. Company Portal was installed as part of our Jamf build process.
2. The computers were already enrolled, but following a password reset the keychain was deleted.
3. CA tests work fine.
Posted on 06-06-2019 09:08 AM
We've made some progress, but are still stuck. We discovered that Netskope is blocking the Macs from registering with Intune. We have proven that if we disable Netskope on our Macs, the registration is successful and works as advertised. Unfortunately, we don't know how to fix it while keeping Netskope installed. Our Netskope administrator has hit a dead end on figuring out how to permit the traffic to flow freely. Has anyone else registered their Macs with Intune while Netskope is installed?
To help our Netskope admin understand the communication between our Macs and the various servers involved, I drew up this Intune Parallelogram. If it's accurate, feel free to use it yourself.
Posted on 09-25-2019 12:57 PM
Hi @AVmcclint ,
I'm not sure if you have seen a resolution to this, but we have been working with Netskope to diagnose this as well. It looks like a certificate pinning issue that might be mitigated by setting a process-based exception for "Company Portal" on Macs. The app will be added for default bypass in the near future. This did work in our case, but yours could differ.
Posted on 10-23-2019 04:00 PM
Just one more recent note on this, we also needed to set up an exception for "JamfAAD". We recently upgraded to Jamf Pro 10.15.1, and this process became an issue too. "Jamf Native macOS Connector" is what the dialog reported as the application.
Posted on 10-24-2019 03:50 AM
@dmueller Could you elaborate on setting up "an exception for JamfAAD"? Is that an exception in Netskope or somewhere else? To get our setup to work, our Netskope admin essentially had to whitelist every external address that dealt with O365. It turned out that Netskope was getting in the way of a LOT of O365 communications - not just Intune enrollment.
Posted on 10-24-2019 09:55 AM
Hi @AVmcclint, sure thing. We had to apply the same process-based exception as we did for "Company Portal" to "JamfAAD" in Netskope. I'll get you more detail on this if you like. For your O365 issues, I'm curious as to what you're seeing. We have just started some heavier testing, and these gotchas might be good to be aware of. We will be excluding the Azure auth domains from the proxy, but if you're still seeing issues after all of your whitelisting, I'll relay this to the team that is trying to bring this into our environment.
Posted on 02-18-2020 12:03 PM
Posted on 02-18-2020 05:11 PM
Hi @Cayde-6, Which piece? Or better yet, where are you stuck in the process? We had to set up a cert-pinned app exception in Netskope for both Company Portal.app and JamfAAD. I'm still on Jamf Pro 10.16.1, so it is possible something else will be seen when I upgrade to 10.19.
Posted on 06-23-2021 01:39 AM
We had this issue because our users were not signed into Self Service with their AD creds. Once signed in, workplace join worked (if you can describe this horrible process as working).
Posted on 06-30-2021 05:31 PM
@AVmcclint I'm getting the exact same error when trying to enroll.
Did you ever figure out what was causing the "Get App" prompt?
Posted on 06-30-2021 05:55 PM
In our case it was caused by Netskope getting in the way. I had our Netskope administrator work with Netskope to get it working. Unfortunately I don't remember what specific changes needed to be made. If you aren't using Netskope then it could be some other tool that sits between the users and the outside world: proxy, firewalls, web filters...?
Posted on 07-07-2021 04:21 PM
That did it. Firewall.