Is it normal for AAD to prompt for sign-in every week?

petestanley
New Contributor III

Hi,

Our users on devices configured with Jamf Pro/Intune integration get prompted with the below to sign in/register with AzureAD about once per week.

Is this normal behaviour for you other hybrid Jamf/Intune users? Is there any way to prevent the need for additional sign-ins?

  • Jamf Pro Cloud
  • Intune Integration.
  • AzureAD (no on-prem)
  • macOS Catalina
13 REPLIES

mfletch
New Contributor III

We've dealt with this for years and were never able to get a solution from Jamf, so we moved away from Intune doing our compliance check, and we still have random users that get prompted to sign into JamfAAD so we just changed the permissions on JamfAAD so it can't launch. It was the only way we were able to get it to stop bothering users.

andymcp
New Contributor III

I haven't had a chance to test this myself but it sounds like this could help the re-auth situation: https://www.jamf.com/jamf-nation/articles/790/customizing-the-jamfaad-retry-logic-for-the-microsoft-...

alexjdale
Valued Contributor III

Yep, try those settings, we've been using them and I haven't had a prompt in ages.

petestanley
New Contributor III

Dunno how I missed this. Will test the linked CP.

Thanks for the link folks!

bwoods
Valued Contributor

@mfletch can you show me how you changed the permissions of the jamfAAD prompt? I would like to put it out of its misery.

jaybagley
New Contributor

The link provided doesn't work, does anyone have an updated one?

bwoods
Valued Contributor

@jaybagley is this what you're looking for? 

jaybagley
New Contributor

I don't think so, this doesn't address the weekly re-authentication that we are seeing. Unless I am missing something.

bwoods
Valued Contributor

Upvote this: JamfAAD should use web view instead of | Jamf Nation Feature Requests. Complain to your customer success reps as well.

jhbush
Valued Contributor II

Configure JamfAAD to use WebView

To avoid issues with browser redirection during the login process, you can configure the JamfAAD app to use WebView instead.

To configure the JamfAAD to use WebView for users signing into Azure AD, deploy a policy to managed computers that runs the following script:

#!/bin/sh
defaults write com.jamf.management.jamfAAD useWKWebView true

piotrr
Contributor III

Yeah that scriptlet is incomplete, doesn't specify user, and it seems if the registration has already run before, JamfAAD _still_ won't use WebView but will try to launch your default browser instead. 

So for these cases where JamfAAD devices require re-registration every 7 or 30 days (my case), the 10.38 update does nothing to improve the situation. 

Go_Yes
New Contributor II

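#!/usr/bin/env bash
# The owner of /dev/console is the user currently logged in at the desktop
loggedInUser=$( /usr/bin/stat -f %Su /dev/console )
# Write the key as that user so it lands in their preferences, not root's
sudo -u "$loggedInUser" /usr/bin/defaults write com.jamf.management.jamfAAD useWKWebView true
exit 0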

Go_Yes
New Contributor II

As Jamf is applying its settings to the root user, the script may need to detect the logged-in user to set the com.jamf.management.jamfAAD preferences.
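
The per-user write discussed in the last few replies, as an added example that is not part of any post above and not Jamf's own code: it skips the write when nobody is logged in and reads the key back as the same user to confirm it landed in that user's domain rather than root's. The function names and the list of non-user console owners are assumptions; the preference domain and key are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: run as root from a Jamf policy. Not Jamf's or any poster's script.
DOMAIN="com.jamf.management.jamfAAD"
KEY="useWKWebView"

# The console owner is not a real user at the login window or during
# Setup Assistant (assumed list); a write then would not reach a user's domain.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Run a command as the given user so `defaults` targets that user's
# preferences instead of root's.
as_user() {
    target="$1"; shift
    /usr/bin/sudo -u "$target" "$@"
}

# Returns 0 when the key is confirmed in the user's domain, 1 when the
# write or read-back failed, 2 when there is no logged-in user.
set_webview() {
    user="$1"
    if ! is_real_user "$user"; then
        echo "No logged-in user (console owner: '$user'); nothing written." >&2
        return 2
    fi
    as_user "$user" /usr/bin/defaults write "$DOMAIN" "$KEY" true || return 1
    # Read back as the same user to confirm the value is in their domain.
    value=$(as_user "$user" /usr/bin/defaults read "$DOMAIN" "$KEY" 2>/dev/null)
    [ "$value" = "true" ] || [ "$value" = "1" ]
}

# Act only on macOS as root (how Jamf runs policy scripts); elsewhere the
# file just defines the functions above.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    set_webview "$(/usr/bin/stat -f %Su /dev/console)"
fi
```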