Intune integration

jonros
Contributor

Hello everyone!
Need to know something about Intune integration with Jamf. Which part, Jamf or Intune, will be the master service when you do it? Can it be either of them, depending on how you choose to set it up? Or is it always Jamf?

Do you need to install an Intune app on the Apple devices? I heard that if a device (iPhone or iPad) is too old it will make the device unusable because of a loop in the Intune app. Or can you skip it?

Do you still use School/Business Manager connected to Jamf and not Intune?

Right now I'm gathering so much information about this that it's impossible. Later on in the fall we will convert our platform from eDirectory to AD and integrate Intune with Jamf. We'd like it to turn out the best possible way.


sdagley
Esteemed Contributor II

@jonros There can only be one MDM configured for a device, so Jamf Pro would be that in the Jamf Pro/Intune integration scenario. Jamf Pro will provide device compliance data to Intune so that access restrictions to Microsoft services can be applied.

There's no change with ABM/ASM; your Apple devices still have to be registered there to enable automatic enrollment with Jamf Pro.

AJPinto
Honored Contributor II

JAMF would be the MDM. JAMF would do all of the MDM functions.

JAMF would install the Comp Portal using a specific policy that launches the Comp Portal with an argument to trigger an Azure registration. Once the device is registered in Azure, the Comp Portal more or less SSO's all MS services. If a device's configuration in JAMF does not match the requirements of Intune, Intune will tell the Comp Portal to block all MS-based services (or whatever you configure it to do). JAMF and MS call it co-management; it is more or less just conditional access.

jonros
Contributor

Thanks for your information.

stevewood
Honored Contributor II

There are technically multiple integrations with Microsoft Azure:

  • SSO for access to Jamf Pro console
  • Cloud Identity (Jamf Connect)
  • Device Compliance
  • Cloud Identity for directory queries (like LDAP)

So it really depends on what you are specifically referring to. The others have mentioned the fact that you can only have one MDM profile on a device, so Jamf Pro would be the authority when it comes to MDM.

If you are talking about Cloud Identity for getting user info into Jamf Pro, then Azure AD is the authority and Jamf Pro simply queries the data (read only).

If you are talking about Device Compliance, then Jamf Pro simply provides a compliant or not-compliant flag to Azure (not Intune) for a device. Device compliance is determined by a Smart Group in Jamf Pro. Devices do need to use Company Portal for macOS or Microsoft Authenticator for mobile devices to register with Azure.

Hopefully that adds a little more information to your arsenal.
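As an added illustration (not from any poster in this thread, and not Jamf's own code) of how the Company Portal registration step and the Smart-Group-driven compliance flag described above can be tied together on the admin side: a Jamf Pro extension attribute script that reports whether a Mac has Company Portal installed and whether the console user has completed Azure AD registration, so a Smart Group can scope compliance on that value. It assumes that JamfAAD records a successful registration in the user's `com.jamf.management.jamfAAD.plist` under the key `have_an_Azure_id`; treat that key name and path as an assumption to verify against your own Jamf version.

```shell
#!/bin/sh
# Jamf Pro extension attribute (added example, not Jamf's own code).
# Reports the Azure AD registration state of the current console user so a
# Smart Group (which drives the compliance flag sent to Azure) can key on it.

# Assumption: JamfAAD stores registration state in this per-user plist key.
AAD_PLIST_NAME="com.jamf.management.jamfAAD"
AAD_KEY="have_an_Azure_id"
PORTAL_APP="/Applications/Company Portal.app"

# Turn the two observations into a single state string.
# $1: "yes"/"no" for Company Portal presence; $2: raw plist value ("" if absent).
classify_aad_state() {
    portal="$1"; value="$2"
    if [ "$portal" != "yes" ]; then
        echo "Company Portal Missing"      # nothing can register without it
        return
    fi
    case "$value" in
        1|true|YES) echo "Registered" ;;
        0|false|NO) echo "Not Registered" ;;
        "")         echo "No Record" ;;   # user never launched the registration flow
        *)          echo "Unknown" ;;
    esac
}

# Console user on macOS; empty on other platforms or at the login window.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null || true
}

# Read the registration flag from the user's plist, empty if not present.
read_aad_state() {
    plist="/Users/$1/Library/Preferences/$AAD_PLIST_NAME"
    if [ -n "$1" ] && [ -f "$plist.plist" ]; then
        defaults read "$plist" "$AAD_KEY" 2>/dev/null || true
    fi
}

main() {
    user=$(console_user)
    portal="no"; [ -d "$PORTAL_APP" ] && portal="yes"
    state=$(classify_aad_state "$portal" "$(read_aad_state "$user")")
    echo "<result>$state</result>"
}

main
```

A Smart Group with criterion "this extension attribute is Registered" can then be combined with your other compliance criteria, and "No Record" or "Company Portal Missing" identifies Macs where the registration policy never ran.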

danlaw777
Contributor III

Adding on to this, we currently have Company Portal integrated manually with Azure/Intune. Our ABM account was just activated but I can't configure device compliance while the legacy version is in place. Anyone know what kind of messages or issues I may run into while migrating?

jonros
Contributor

When integrating with Intune, do you need to reinstall the devices to connect/integrate them with Intune?

sdagley
Esteemed Contributor II

@jonros If you're asking whether you need to re-enroll the Mac with Jamf Pro for Intune Device Compliance integration, no, that's not necessary. You do need to deploy the Comp Portal app to your Mac, and then the user will use it to sign in with Intune to enable compliance checks.