Jamf and Intune coexistence

Jason
Contributor II

Hello. This is more of a Microsoft question, but I'm not having luck down that route yet.


We want Jamf Cloud to manage all of our institutionally owned iPads with MDM.  We want Intune to manage all user-owned Apple devices with Application Protection Policies.  The problem is, users only have 1 account.  So if they sign into a corporate iPad, they get a mix of both Jamf MDM configuration profiles and Intune application protection policies on their corporate device.  We want the Intune Application Protection Policies to ONLY apply when a user signs in on a personally owned device, and not a Jamf managed device.


I don't know if that is possible since scoping an Application Protection Policy is based on AD group.  If their ID is in that group then they get Intune App.  I don't see any other criteria to filter out a device if it is Jamf MDM managed.


Has anyone run into this or found a solution?


Thanks


vinu_thankachan
Contributor

Try this dynamic membership query 

 (device.managementType -eq "MDM")

device.managementType equals "MDM" only for Intune-managed devices.

Jason
Contributor II

Would device management type still be MDM for a personally owned device if it's not actually managed by Intune?  The personally owned devices aren't enrolled in Intune, they just use Application Protection Policies (MAM not MDM)

SteveS
New Contributor III

I am guessing no one has found a solution to this?

We have shared devices with Jamf and are looking to roll out app protection policies to all users. Jamf devices are not recognized in Intune, so we can't exclude these devices from the app protection policy that targets all unmanaged iOS devices.

Jason
Contributor II

@SteveS I've made some progress. For each Mobile Device App in Jamf that is also managed with MAM in Intune, I can add this to the App Config:


<dict>
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>
</dict>


That will make Intune think it is a managed device. I can then go to Intune and exclude managed devices from the MAM policy. This seems to work, but I haven't tried it for every app.

Maxb
New Contributor III

You know that feeling when you scour the internet and you find that one response where someone casually mentions the exact solution you're trying to implement. 

This is that moment Jason. 

So I actually already have this value pushed with Outlook as part of the larger app config we push to manage autologin and various other things, but we still can't seem to get the devices to reflect 'managed' within Intune.


Is the trick that 'every' MS app needs to have the KVP 'IntuneMAMUPN' and string $EMAIL added? 

Exact same use case - we just want to differentiate 3rd party MDM (JAMF) managed vs BYOD - from a MAM perspective.

SteveS
New Contributor III

So the IntuneMAM key worked when app protection policies were deployed managed app vs managed device. That setting is no longer used and you should switch to all devices and use a filter. But there is no filter for this.

Maxb
New Contributor III

So have you found a way to maintain two different app protection policies through a filter or KVP? 

I don’t have a need for changing conditional access I just need to have a slightly more lax app protection policy on fully MDM managed devices vs unmanaged BYOD.

Jason
Contributor II

Hi @Maxb, yes I did. In Intune I created a filter (Home > Apps > Filters) for iOS BYOD devices. I use (app.deviceManagementType -eq "Unmanaged") as the syntax for that. Then I add that filter to the scope for all of my MAM BYOD policies. This ensures they only apply to BYOD type devices.

Then in Jamf I go to App Configuration for the managed apps I had overlapping Intune policies for and add the "IntuneMAMUPN" key. This marks it as managed. When a user opens one of those apps, Intune won't apply the MAM policy because the filter excludes it, as it only applies to unmanaged devices.
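As an added example (not from this thread, and not Jamf's or Microsoft's own code), an offline audit script that checks each Jamf App Configuration fragment for the IntuneMAMUPN key described above, so you can see which MAM-managed apps would still look "unmanaged" to the Intune filter. The app names and fragments are constructed samples, and treating $EMAIL as the expected value is an assumption taken from this thread.

```python
import plistlib

# CONSTRUCTED sample App Configuration fragments, one per Jamf mobile device app,
# in the form pasted into Jamf's App Configuration field (not exported from a real tenant).
APP_CONFIGS = {
    "Microsoft Outlook": "<dict><key>IntuneMAMUPN</key><string>$EMAIL</string></dict>",
    "Microsoft Teams": (
        "<dict><key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>"
        "<key>IntuneMAMUPN</key><string>$USERNAME</string></dict>"
    ),
    "Microsoft Word": "<dict><key>SomeVendorKey</key><string>value</string></dict>",
}

# Assumption from the thread: the Jamf payload variable that expands to the user's
# e-mail address / UPN, which is what IntuneMAMUPN must carry.
EXPECTED_UPN_VARIABLE = "$EMAIL"


def parse_app_config(fragment: str) -> dict:
    """Parse a bare <dict> fragment by wrapping it in the plist root plistlib expects."""
    return plistlib.loads(f'<plist version="1.0">{fragment}</plist>'.encode())


def audit_app_config(fragment: str) -> list[str]:
    """Return findings for one app; an empty list means the key is in place."""
    findings = []
    try:
        config = parse_app_config(fragment)
    except Exception as exc:  # malformed XML silently leaves the app unmarked
        return [f"unparseable App Configuration: {exc}"]
    upn = config.get("IntuneMAMUPN")
    if upn is None:
        findings.append("IntuneMAMUPN missing: Intune will treat this app as unmanaged")
    elif upn != EXPECTED_UPN_VARIABLE:
        findings.append(
            f"IntuneMAMUPN is {upn!r}, expected {EXPECTED_UPN_VARIABLE}; confirm it expands to a UPN"
        )
    return findings


def audit_all(configs: dict[str, str]) -> dict[str, list[str]]:
    """Audit every app; only apps with findings are returned."""
    results = {app: audit_app_config(xml) for app, xml in configs.items()}
    return {app: f for app, f in results.items() if f}


if __name__ == "__main__":
    for app, issues in audit_all(APP_CONFIGS).items():
        print(app)
        for issue in issues:
            print("  -", issue)
```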

Maxb
New Contributor III

That's very helpful thank you.

So our 365 admins aren't seeing any of our devices showing as 'managed' in Intune today, and we are pushing the KVP 'IntuneMAMUPN' with string $EMAIL in our Outlook for iOS app config. I'm not sure we have a 'managed' app policy created today, and I'm curious if maybe that needs to be created before 'managed' devices appear within Intune? Or where can we view the 'managed' status of a device to confirm the KVP is working as intended? I really appreciate you taking the time to help me out.

SteveS
New Contributor III

This is what I am referring to. The Intune app protection policies you used to be able to target to managed device or managed app. That setting no longer works or is being removed. Instead you need to just use managed device as the setting and a filter for managed app vs managed device. Initially, when I started this project, the managed app vs managed device setting was effective. But using the managed device setting and the filter option, my Jamf devices are again being targeted by the policy.

Hello Steve, I work with Max. So are you saying we CANNOT use an app protection policy with a filter, as that no longer works? Does a managed device configuration policy with a filter work? I just know the config policies don't have all the specific app settings we want to control/limit. Just trying to understand what DOES work and what our options are. If we cannot get filters to work we will need to try and do the compliance partner setup within Intune, and I heard that is hit or miss as well.

Also, for what it's worth, @SteveS or @Jason, do you have the devices show up in Intune because of a partner connection between Jamf and Intune, or are you bypassing it by using this KVP (key value pair) and the filters? I only say this because if I set up a managed device filter or policy I don't see anything, as we don't have the devices showing/enrolled in Intune.

SteveS
New Contributor III

Ok, here is the filter I am using:

(app.deviceManagementType -eq "Unmanaged")

My app protection policy is targeted with all users and filter Include.

The app protection policy is "Target to apps on all device types"

From Microsoft in Intune when editing the app protection policy:

"If you apply assignment filters to this policy, the 'Device Management Type' property will apply in addition to the values specified for 'Target to apps on all device types' and 'Device types' on the 'Apps' page.

To edit device management type targeting, reset 'Target to apps on all device types' = 'Yes'. Then create a MAM assignment filter with the desired values for 'Device Management Type'. Learn more about assigning App Protection Policies."

I am finding that my Jamf shared devices, when the user launches Teams etc., are still getting the same app protection policy.

My Jamf Teams app configuration is as follows:

IntuneMAMAllowedAccountsOnly: Enabled
IntuneMAMUPN: $USERNAME

I find the above does NOT work.

Ok, so this is what we are doing as well. We have the app protection policy set up and filtered just like you, and our system has the same config values as well. We are not seeing the personal devices filtered out on the company device policy and vice versa; they are all being applied to the same policy. Have you found a workaround or confirmed how to get this to work, or is that what you are still trying to figure out as well? @SteveS

SteveS
New Contributor III

I still have no solution myself.

Before Microsoft changed the policy targeting it worked well.