iOS Device Compliance - Device is not marked as compliant

jonn1e
Contributor

Hi,

I registered a few devices via Self Service and the Device Compliance to our Azure AD. The registration process is fine and the devices show up after 2-3 min in Azure, but it takes many hours or even a day until the device is marked as compliant. Until then there is just "N/A". As long as the status isn't marked as compliant, the user can't access apps which are restricted to company devices that must be compliant.

Does somebody have the same issues? I think it is not related to Azure AD because Jamf checks the compliance criteria by itself and sends the result to AAD. The devices are listed in the Smart Group with the compliance criteria.

Best regards, Jonny

Update: As you can see in the following image, the device was not updated until the next day. The screenshot is from the AAD Audit Log.

First the device is marked as "managed" and on the next day as "compliant".



jonn1e
Contributor

push

Cayde-6
Release Candidate Programs Tester

I've not seen that on my tests, I believe I've heard from Jamf colleagues that compliance is re-assessed after a device unlock or the daily inventory update

jonn1e
Contributor

Hey, thanks for your reply. Yes, when I registered my own device it was marked as compliant within minutes in AAD. So I'm wondering why this is happening now.
This workflow would be pretty "inelegant" if we tell new colleagues that they have to wait hours or a day after registration to use their new iPhones. The iPhones were in use after registration.

Any ideas how to trigger the compliance update or maybe a workaround?

Cayde-6
Release Candidate Programs Tester

@jonn1e

I cannot remember where I read about it however there are 2 events that trigger a device compliance check

1) After each device unlock (i.e. from a locked screen to unlock and access to the home screen)
2) After the daily inventory scan

jonn1e
Contributor

Hm, so it seems like a bug? At least for 1). Today we registered a few more devices and none of them are getting marked as compliant, and they are in use, which means they get unlocked many times a day. Maybe I should raise a support ticket.

petew
New Contributor

Has anyone found a solution to this? I'm having a similar issue.

jonn1e
Contributor

I'm still investigating with Jamf Support. Will give you an update as soon as possible.

Jan45127
New Contributor

Hi, I am experiencing a similar behavior with my devices. Did you find a solution with Jamf Support?

jonn1e
Contributor

Still corresponding with Jamf Support. We're waiting for the next devices for enrollment, then we can generate a debug log file.

petew
New Contributor

After spending time with both Jamf and Microsoft Support we finally traced our issue to conditional access policies within Azure blocking "Cloud Connector for Device Compliance". By excluding this within Conditional Access we were able to get devices registering as compliant.
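A check for the misconfiguration petew describes, written as an added example (not from the thread, Jamf or Microsoft): it lists every enabled Conditional Access policy that covers the connector's service principal without excluding it. It assumes the Microsoft.Graph PowerShell module and that the enterprise application carries the display name quoted in the post.

```powershell
# Added example, not from the thread. Finds enabled Conditional Access policies that
# still apply to the Jamf compliance connector, which petew's post identifies as the
# cause of devices never being marked compliant. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All'

# Display name as quoted in the thread; adjust the filter if your tenant names it differently.
$connectorName = 'Cloud Connector for Device Compliance'
$sp = Get-MgServicePrincipal -Filter "displayName eq '$connectorName'"
if (-not $sp) { throw "No service principal named '$connectorName' found in this tenant." }
$appId = $sp.AppId

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    # Only enabled policies enforce; report-only and disabled policies do not block the sync.
    if ($policy.State -ne 'enabled') { continue }

    $apps = $policy.Conditions.Applications
    # A policy reaches the connector either via "All cloud apps" or by listing its app id.
    $targetsConnector  = ($apps.IncludeApplications -contains 'All') -or
                         ($apps.IncludeApplications -contains $appId)
    $excludesConnector = $apps.ExcludeApplications -contains $appId

    if ($targetsConnector -and -not $excludesConnector) {
        [pscustomobject]@{
            Policy   = $policy.DisplayName
            Controls = ($policy.GrantControls.BuiltInControls -join ', ')
            Note     = 'Covers the compliance connector without excluding it'
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No enabled policy targets '$connectorName' without excluding it."
}
```

Policies listed in the output are the candidates for the exclusion petew applied; review each one's controls before changing it, since the same policy also protects the users and apps it was written for.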

Hey @petew ,

Thanks for sharing this helpful information with us! 🙂

From which conditional access enforcement did you exclude the app? MFA, Compliance Status or just from everything?

Richardcopp
New Contributor

Hi there, appreciate this is a bit of an old post, but I'm encountering the same issue. Does anyone else have any suggestions? To confirm, it's exactly the same issue raised in this post: the user registers the device, but it does not turn compliant until the next day.

I'm having a very similar issue, but it's gone a step further. I set everything up as per the docs, it worked about three times without too much of a delay—great, I thought. Now I've gone backwards, all test devices marked as non-compliant and now can't get them compliant again for love nor money.

Things seem to be breaking down at the Compliance Partner / Cloud Connector for Device Compliance level in Azure AD...even though it tells me it's synced successfully, it never marks the devices as compliant.

Did you have any joy with a resolution? Maybe it will shed some light on my issue :-)

@jimmyroot 

I'm not sure what solved my problems with the sync but for now it works fine, except the update of the device status like used iOS version. 
But maybe it's a good idea to wait for 10.43.0 -> regarding the beta announcement Jamf will improve the "Device Compliance integration with Microsoft Endpoint Manager". 

Thanks for the reply my friend.

Yesterday some of the aforementioned devices were eventually marked compliant...but no joy with the others. I ended up de-registering them all from Azure AD, was careful to go through and wipe out any old records from AAD/Intune, then re-registered from iOS Self Service → Authenticator.

After that, they were all marked compliant within 10 minutes...so not sure what caused the initial delay. Thinking either stale records in AAD that I hadn't checked previously, or one of the other fixes mentioned above. 

Either way, thanks for drawing attention to the upcoming 10.43.0 beta, it's clearly something that is on the Jamf radar, so to speak 👀