Intune-Jamf BYOD iOS devices

prigowasu
New Contributor

Hi All! I am kind of in a weird situation and curious to know how everyone is handling BYOD. Here is the scenario:

We manage all company owned iOS devices through Jamf. We use Entra ID for SSO for everything (mostly). Currently we do not have a good workflow for BYOD restrictions. I have been testing enrolling BYOD iOS devices directly into Intune using the Intune Company Portal app for iOS on personally owned devices, and then setting up CA Policies based on the MDM profile or any attributes that enrolled devices can be filtered with. We want to provide the same level of access to Jamf enrolled (company owned) devices as well.

Problem: Entra or Intune does not have any way of knowing the difference between a personally owned device and a company owned device that is managed by Jamf. We ask users to register devices through the MS Authenticator app, so the devices are in Entra as “Microsoft Entra Registered Devices” for both company owned and personal.

Solutions that I can think of so far:

  1. We set up device compliance between Jamf and Intune (already done) and we need to instruct users to “Register” their company owned devices using Self Service and the MS Authenticator application. Once this is complete, these devices show up in Entra as Intune managed devices. This way we can set up CA Policies based on the MDM, which would be Intune for both Jamf managed and Intune managed devices.

  2. We start managing all iOS devices using Intune. This will entail migrating the current MDM to Intune for all iOS devices, which will require users to un-enroll from Jamf; we set up CA so that it will require them to enroll into Intune before they can access anything.

I am just wondering if there is some simple solution that I am missing here where I can tell what devices are managed by Jamf and which ones are personal.

Any suggestions would be greatly appreciated. Thanks!
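As an added illustration (not code from the thread), here is the classification problem behind option 1, written against the field names of the Microsoft Graph `/devices` resource (`trustType`, `isManaged`, `isCompliant`); the device records are constructed samples, and the assumption that an Authenticator-registered phone shows up as `trustType` "Workplace" with `isManaged` false until an MDM reports it is taken from the post's own description.

```python
# Constructed sample records mimicking Microsoft Graph /devices output.
# Before the Jamf-Intune compliance integration has registered the Jamf
# phone, it is indistinguishable from the personal phone: both are just
# "Microsoft Entra registered" (trustType Workplace, no MDM signal).
DEVICES_BEFORE = [
    {"displayName": "corp-iphone-01", "operatingSystem": "iOS",
     "trustType": "Workplace", "isManaged": False, "isCompliant": None},
    {"displayName": "alice-personal", "operatingSystem": "iOS",
     "trustType": "Workplace", "isManaged": False, "isCompliant": None},
    {"displayName": "byod-intune-02", "operatingSystem": "iOS",
     "trustType": "Workplace", "isManaged": True, "isCompliant": True},
]

# Same tenant after option 1: the Jamf phone was registered via Self Service +
# Authenticator and Jamf now reports its compliance state through Intune.
DEVICES_AFTER = [
    dict(DEVICES_BEFORE[0], isManaged=True, isCompliant=True),
    DEVICES_BEFORE[1],
    DEVICES_BEFORE[2],
]


def classify(device):
    """Bucket a device record the way an MDM-based CA control can see it."""
    if device.get("isManaged"):
        state = "compliant" if device.get("isCompliant") else "noncompliant"
        return f"mdm-managed/{state}"
    if device.get("trustType") == "Workplace":
        # Entra registered only: could be personal OR an unintegrated Jamf phone.
        return "registered-only"
    return "unknown"


def ca_decision(device):
    """Grant for a policy that requires a compliant MDM-managed device."""
    return "allow" if classify(device) == "mdm-managed/compliant" else "block"


def ambiguous_devices(devices):
    """Names of iOS devices CA cannot tell apart from personal ones."""
    return sorted(d["displayName"] for d in devices
                  if d.get("operatingSystem") == "iOS"
                  and classify(d) == "registered-only")


if __name__ == "__main__":
    for label, devs in (("before", DEVICES_BEFORE), ("after", DEVICES_AFTER)):
        print(label, {d["displayName"]: ca_decision(d) for d in devs})
```

Run against a real export, the "registered-only" list is exactly the set of phones that still need the registration step from option 1 (or are genuinely personal).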


msergi
New Contributor III

I am in the EXACT same scenario as you right now. We have Jamf corp iPhones and Intune BYOD phones, and want to do some restrictions via CA.

Option 1 was the only method I could think of to accomplish the goal, however we have started bleeding over our new company owned devices to Intune, so I may hold off as long as I can, as I am dreading having each user have to register their phone manually in company portal. Curious if anyone else has any other suggestions or solutions.

piotrr
Contributor III

2. We just skipped Jamf for devices a few years back and moved all our devices into Intune instead.

It wasn't even that hard. Existing devices had to be unenrolled and then run through enrollment in Company Portal. For new devices, I just changed ADE from Jamf to Intune. Well, I did that for all devices actually, so that old devices, if wiped, would also enroll with Intune.

I don't feel we lost any functionality in doing so, plus I got to know Intune better. You already have the license, so it's a savings too.