Hi everyone, how do you get your users to enrol into Intune? I have all the correct apps set up, but it still requires the user to go into Self Service and click on "Register in Intune" and follow the steps, and today when the infosec team enabled conditional access, 300 users who all "claimed" to have enrolled were locked out of MS Office apps. Open to any suggestions.
We're not using Intune for conditional access where I am, yet, but it's on our immediate roadmap and I've been tasked with getting it going. Lucky me!
Posts like yours and a large number of other ones I've seen on the subject all have me scared witless. Apparently Jamf / Intune integration for Conditional Access is utter garbage from what I'm gathering. It doesn't seem at all uncommon to hear such stories of users losing access despite registering their device in Intune because Intune thinks they aren't compliant for whatever dumb reason. I don't think it's Jamf's fault. I think this is more on Microsoft, but I can't be sure.
Anyway, I wish I had some advice for you. I may have some in the near future once we go through this mess. Hopefully that advice won't amount to "run for the hills!"
I will say, I've just started testing (yesterday actually) and currently it looks like Chrome/Edge are not seeing the registration. I also launched Safari and I was prompted to "register" again, but it was working fine after that, but only in Safari; Chrome/Edge still don't see the registration.
I will agree that CA doesn't seem to be a fun experience and I've heard lots of horror stories as well.
Currently working - for provisioning I implemented the following. (You could create a workflow setup like this, all in one, in Self Service.)
1st, I have a policy that runs @targendaz2's Mac Set Default Apps scripts to set Chrome as the default web browser. - https://github.com/targendaz2/Mac-Set-Default-Apps
2nd, I have a policy during provisioning that installs the Company Portal.
3rd, I have a policy with 'macOS Intune Integration' checked, available in Self Service.
This can be run by the End User or Onboarding staff (if they know end user creds). This works consistently with Google Chrome. I, personally, have not had success using Edge, Firefox or Safari.
Anyone else have an issue where certain SSO local applications don't see the Workplace Join Key and it goes into a loop of "You must register this device," with already compliant/registered machines?
LogMeIn, for example: if we try to sign in via SSO, the app pops up that we have to register the device, then asks to open Self Service. But said device is already registered and compliant.
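For the "already registered but still told to register" case described above, the first thing to check on the Mac itself is whether the Workplace Join (WPJ) key actually exists in the user's login keychain, and whether there is exactly one of them. The following is an added example in the style of a Jamf Pro extension attribute; it is not code from the thread or from Jamf. It assumes (not stated in the thread) that the WPJ certificate is issued by "MS-ORGANIZATION-ACCESS", that the console user's keychain is at ~/Library/Keychains/login.keychain-db, and that more than one WPJ key indicates stale duplicates from repeated registrations, which is how it reports that case.

```shell
#!/bin/sh
# Added example (not from the thread or Jamf): report the Workplace Join
# (WPJ) key state for the console user's login keychain as a Jamf Pro
# extension-attribute result.
# Assumptions: WPJ certificate issuer CN is "MS-ORGANIZATION-ACCESS";
# keychain path is ~/Library/Keychains/login.keychain-db; more than one
# WPJ certificate is treated as stale duplicates.

WPJ_ISSUER="MS-ORGANIZATION-ACCESS"

# Count issuer lines on stdin that belong to the WPJ issuer.
# Input is one "issuer=..." line per certificate, as printed by
# `openssl x509 -noout -issuer` (both "CN=" and "CN = " forms match).
count_wpj_issuers() {
    grep -c "CN *= *$WPJ_ISSUER" || true
}

# Map the WPJ certificate count to the value the extension attribute reports.
#  0  -> never registered, or the key was removed
#  1  -> expected healthy state
#  >1 -> duplicate keys (assumed: leftovers from repeated registrations)
wpj_state() {
    case "$1" in
        0) echo "Not registered" ;;
        1) echo "Registered" ;;
        *) echo "Duplicate WPJ keys ($1)" ;;
    esac
}

# Dump every certificate in the keychain as PEM, split the bundle per
# certificate, and print one issuer line each. Only meaningful on macOS,
# where the `security` tool exists; elsewhere it prints nothing.
keychain_issuers() {
    kc="$1"
    security find-certificate -a -p "$kc" 2>/dev/null | \
    awk -v cmd='openssl x509 -noout -issuer' '
        /-----BEGIN CERTIFICATE-----/ { pem = "" }
        { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { print pem | cmd; close(cmd) }
    '
}

main() {
    # stat -f works on macOS; fall back to the current user elsewhere.
    user=$(stat -f%Su /dev/console 2>/dev/null || id -un)
    kc="/Users/$user/Library/Keychains/login.keychain-db"
    n=$(keychain_issuers "$kc" | count_wpj_issuers)
    echo "<result>$(wpj_state "$n")</result>"
}

main
```

Run as the extension attribute script (or as root from Self Service) and look at the reported value before re-registering: "Not registered" means the key never made it into the login keychain (the browser-side certificate prompt the thread describes is one way that happens), while a duplicate count points at cleanup rather than another registration attempt.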
Do you mean the browser part?
Well, now we are using the UseWKWebView feature to avoid any browser being involved in the registration process.
This feature uses the Mac's built-in WebView and doesn't require any browser. Thus no registration failures because of the browser.
Everything is mentioned in this article:
I was more talking about Macs already registered. Like for jlombardo, we have Macs that, due to a browser not asking for cert rights, think they are not registered, but the device is already registered and compliant. Would re-registering using WKWebView stop the identity preference issues?