Jamf and Intune coexistence

Jason
Contributor II

Hello. This is more of a Microsoft question, but I'm not having luck down that route yet.

We want Jamf Cloud to manage all of our institutionally owned iPads with MDM. We want Intune to manage all user-owned Apple devices with Application Protection Policies. The problem is, users only have 1 account. So if they sign into a corporate iPad, they get a mix of both Jamf MDM configuration profiles and Intune Application Protection Policies on their corporate device. We want the Intune Application Protection Policies to ONLY apply when a user signs in on a personally owned device, and not on a Jamf-managed device.

I don't know if that is possible, since scoping an Application Protection Policy is based on AD group. If their ID is in that group, then they get the Intune App Protection Policies. I don't see any other criteria to filter out a device if it is Jamf MDM managed.

Has anyone run into this or found a solution?

Thanks

4 REPLIES

vinu_thankachan
Contributor

Try this dynamic membership query:

 (device.managementType -eq "MDM")

device.managementType equals "MDM" only for the Intune-managed devices.

Jason
Contributor II

Would device management type still be MDM for a personally owned device if it's not actually managed by Intune? The personally owned devices aren't enrolled in Intune, they just use Application Protection Policies (MAM, not MDM).

SteveS
New Contributor II

I am guessing no one has found a solution to this?

We have shared devices with Jamf and are looking to roll out app protection policies to all users. Jamf devices are not recognized in Intune, so we can't exclude these devices from the app protection policy that targets all unmanaged iOS devices.

Jason
Contributor II

@SteveS I've made some progress. For each Mobile Device App in Jamf that is also managed with MAM in Intune, I can add this to the App Config:

<dict>
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>
</dict>

That will make Intune think it is a managed device. I can then go to Intune and exclude managed devices from the MAM policy. This seems to work, but I haven't tried it for every app.
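The approach in the reply above has to be repeated for every app that is both deployed by Jamf and targeted by an Intune App Protection Policy, which is easy to get wrong on a fleet with dozens of apps. The script below is an added example, not code from the original thread or from Jamf or Microsoft: it audits exported Jamf App Configuration payloads (either the bare `<dict>` fragment typed into Jamf or a full plist) for the `IntuneMAMUPN` key, flags payloads where the value is a hard-coded address instead of the `$EMAIL` payload variable (on a shared iPad a literal address would tag every user as that one person), and emits a corrected fragment that keeps any other keys already present. The bundle IDs and payloads are constructed sample input; whether Intune then treats the device as managed is the reply's observation, not something the script verifies.

```python
"""Audit and fix Jamf App Configuration payloads for the IntuneMAMUPN key.

Added example, not code from the original thread or from Jamf/Microsoft.
Assumes each app's App Configuration has been exported from Jamf as the XML
text it sends to the app (either the bare <dict> fragment entered in Jamf or
a full plist). The bundle IDs and payloads below are constructed sample input.
"""
import plistlib
from xml.parsers.expat import ExpatError

# Key the Intune App SDK reads to learn which user the app was enrolled for.
MAM_KEY = "IntuneMAMUPN"
# Jamf payload variable replaced with the enrolling user's e-mail at deployment.
# A literal address here would tag every user of a shared iPad as that one user.
EXPECTED_VALUE = "$EMAIL"

# Constructed sample input: bundle ID -> exported App Configuration text.
SAMPLE_APP_CONFIGS = {
    # Full plist, correctly configured.
    "com.microsoft.Office.Outlook": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0">\n'
        "<dict>\n<key>IntuneMAMUPN</key>\n<string>$EMAIL</string>\n</dict>\n"
        "</plist>\n"
    ),
    # Bare fragment as typed into Jamf, but with a hard-coded address.
    "com.microsoft.skype.teams": (
        "<dict>\n<key>IntuneMAMUPN</key>\n<string>jdoe@example.com</string>\n</dict>"
    ),
    # Has an App Configuration, but not the MAM key.
    "com.microsoft.Office.Word": "<dict>\n<key>SomeOtherSetting</key>\n<true/>\n</dict>",
    # No App Configuration payload at all.
    "com.microsoft.skydrive": "",
}

# Bundle IDs that also have an Intune App Protection Policy targeting them.
MAM_BUNDLE_IDS = list(SAMPLE_APP_CONFIGS)


def parse_app_config(xml_text):
    """Return the App Configuration as a dict, or None if absent or unparsable."""
    data = xml_text.strip().encode("utf-8")
    if not data:
        return None
    try:
        # FMT_XML is forced because a bare <dict> fragment has no <?xml header
        # for plistlib's format sniffing to recognise.
        root = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (ExpatError, plistlib.InvalidFileException, ValueError):
        return None
    return root if isinstance(root, dict) else None


def mam_upn_status(xml_text):
    """Classify one payload: ok, wrong_value, missing_key, or no_config."""
    config = parse_app_config(xml_text)
    if config is None:
        return "no_config"
    if MAM_KEY not in config:
        return "missing_key"
    return "ok" if config[MAM_KEY] == EXPECTED_VALUE else "wrong_value"


def audit(mam_bundle_ids, app_configs):
    """Map every MAM-targeted bundle ID to its IntuneMAMUPN status."""
    return {bid: mam_upn_status(app_configs.get(bid, "")) for bid in mam_bundle_ids}


def with_mam_upn(xml_text):
    """Return the payload as a bare <dict> fragment with IntuneMAMUPN=$EMAIL set,
    keeping any other keys already present."""
    config = parse_app_config(xml_text) or {}
    config[MAM_KEY] = EXPECTED_VALUE
    full = plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True).decode("utf-8")
    # Jamf's App Configuration field takes only the <dict>...</dict> part.
    start = full.index("<dict>")
    end = full.rindex("</dict>") + len("</dict>")
    return full[start:end]


def fix_all(mam_bundle_ids, app_configs):
    """Return corrected fragments for every bundle ID that is not already ok."""
    return {
        bid: with_mam_upn(app_configs.get(bid, ""))
        for bid, status in audit(mam_bundle_ids, app_configs).items()
        if status != "ok"
    }


if __name__ == "__main__":
    for bid, status in audit(MAM_BUNDLE_IDS, SAMPLE_APP_CONFIGS).items():
        print(f"{bid}: {status}")
    for bid, fragment in fix_all(MAM_BUNDLE_IDS, SAMPLE_APP_CONFIGS).items():
        print(f"\n# {bid}\n{fragment}")
```

Run it against your own exports by replacing the sample dictionary; the `fix_all` output is what you paste back into each app's App Configuration in Jamf. Because the check is purely on the payload text, it says nothing about whether the app actually honours the key, so keep the reply's caveat about testing each app.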