Posted on 04-08-2022 01:32 AM
Hi everyone, how do you get your users to enrol in Intune? I have all the correct apps set up, but it still requires the user to go into Self Service, click on "Register in Intune" and follow the steps, and today when the infosec team enabled Conditional Access, 300 users who all "claimed" to have enrolled were locked out of MS Office apps. Open to any suggestions.
Posted on 04-08-2022 05:35 AM
We're not using Intune for Conditional Access where I am, yet, but it's on our immediate roadmap and I've been tasked with getting it going. Lucky me!
Posts like yours and a large number of other ones I've seen on the subject all have me scared witless. Apparently Jamf / Intune integration for Conditional Access is utter garbage from what I'm gathering. It doesn't seem at all uncommon to hear such stories of users losing access despite registering their device in Intune because Intune thinks they aren't compliant for whatever dumb reason. I don't think it's Jamf's fault. I think this is more on Microsoft, but I can't be sure.
Anyway, I wish I had some advice for you. I may have some in the near future once we go through this mess. Hopefully that advice won't amount to "run for the hills!"
Posted on 04-08-2022 05:42 AM
I will say, I've just started testing (yesterday actually) and it currently looks like Chrome/Edge are not seeing the registration. I also launched Safari and I was prompted to "register" again, but it was working fine after that, though only in Safari; Chrome/Edge still don't see the registration.
I will agree that CA doesn't seem to be a fun experience and I've heard lots of horror stories as well.
Posted on 04-08-2022 07:37 AM
I can also confirm. We also only use Safari for the Intune registration in Self Service.
04-08-2022 01:51 PM - edited 04-08-2022 02:00 PM
Currently working - for provisioning I implemented the following. (You could create a workflow setup like this, all in one in Self Service.)
1st, I have a policy that runs @targendaz2's Mac Set Default Apps script to set Chrome as the default web browser. - https://github.com/targendaz2/Mac-Set-Default-Apps
2nd, I have a policy during provisioning that installs the Company Portal.
3rd, I have a policy with 'macOS Intune Integration' checked, available in Self Service.
This can be run by the end user or onboarding staff (if they know the end user's creds). This works consistently with Google Chrome. I, personally, have not had success using Edge, Firefox or Safari.
@mm2270 Jamf is On it - https://ideas.jamf.com/ideas/JN-I-25346
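The workflow above gets a Mac registered; the problem in the opening post is users who said they had registered but had not. As an added example, not code from this thread or from Jamf, here is a Jamf Extension Attribute script that reports whether a Workplace Join (WPJ) certificate is actually present in the console user's login keychain, so Conditional Access can be scoped to a smart group of genuinely registered Macs before it is switched on. It assumes the WPJ certificate is identified by an issuer containing "MS-Organization-Access", that the EA runs as root (hence the keychain query is run as the console user), and that the user's login keychain is readable as that user; the `wpj_status` function and the certificates used to exercise it are constructed here.

```shell
#!/bin/bash
# Added example (not code from the thread or from Jamf): a Jamf Extension Attribute
# that reports whether the console user's login keychain holds a Workplace Join (WPJ)
# certificate, so Conditional Access can be scoped to Macs that really are registered
# instead of trusting the user's word.
#
# Assumptions: the WPJ certificate is recognised by an issuer containing
# "MS-Organization-Access"; the EA runs as root, which is why the keychain query is
# executed as the console user. The bundle parsing lives in a function so it can be
# exercised on any system that has openssl.

WPJ_ISSUER="MS-Organization-Access"

# wpj_status <pem-bundle-file>
# Splits a PEM bundle (the output of `security find-certificate -a -p`) into single
# certificates, checks each issuer with openssl and prints either
#   "registered <notAfter date>"   for the first WPJ certificate found, or
#   "not registered"               if none is present.
wpj_status() {
    local bundle="$1"
    local tmp cert issuer status="not registered"
    tmp=$(mktemp -d) || return 1

    # One file per certificate; lines outside BEGIN/END blocks are ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"

    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || continue
        issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || issuer=""
        case "$issuer" in
            *"$WPJ_ISSUER"*)
                status="registered $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
                break
                ;;
        esac
    done

    rm -rf "$tmp"
    printf '%s\n' "$status"
}

# macOS-only part: runs only where the `security` tool exists, so the function above
# can be tested on other systems.
if command -v security >/dev/null 2>&1; then
    console_user=$(stat -f%Su /dev/console)
    bundle=$(mktemp)
    # The WPJ certificate lives in the user's login keychain, so query it as that user.
    sudo -u "$console_user" security find-certificate -a -p >"$bundle" 2>/dev/null || true
    echo "<result>$(wpj_status "$bundle")</result>"
    rm -f "$bundle"
fi
```

Build a smart group on this attribute and scope the Conditional Access rollout (or a follow-up nudge policy) to it; a Mac that still reports "not registered" after the Self Service run is exactly where the browser problems described in this thread show up, and it is better found by inventory than by a lock-out.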
Posted on 05-06-2022 07:41 AM
Anyone else have an issue where certain SSO local applications don't see the Workplace Join key and go into a loop of "You must register this device" with already compliant/registered machines?
LogMeIn, for example: if we try to sign in via SSO, the app pops up that we have to register the device, then asks to open Self Service. But said device is already registered and compliant.
Posted on 05-23-2023 01:22 PM
Have you ever found a solution to this? I have this issue and it drives me crazy.
05-23-2023 11:24 PM - edited 05-23-2023 11:24 PM
Do you mean the browser part?
Well, now we are using the UseWKWebView feature to avoid any browser being involved in the registration process.
This feature uses the Mac's built-in WebView and doesn't require any browser. Thus no registration failures because of the browser.
Everything is mentioned in this article:
https://github.com/benwhitis/Jamf_Conditional_Access/wiki/MacOS-Conditional-Access-Best-Practices#az...
Posted on 05-24-2023 09:12 AM
I was more talking about Macs already registered. Like for jlombardo, we have Macs that, due to a browser not asking for cert rights, think they are not registered, but the device is already registered and compliant. Would re-registering using WKWebView stop the identity preference issues?