I would like to know if I am the only one that has issues with conditional access and Jamf integration.
I keep seeing issues like these all the time:
Outlook asks for login and, when logged in, it asks for enrollment (even though the Mac is already enrolled with Jamf)
Clients just randomly disappear inside Intune -> Azure AD devices. So conditional access will then of course fail when they don't exist, and they need to run Company Portal registration again
Does anyone experience the same random behavior with these issues? I could understand, if all clients failed, that something was set up wrong. But here we are talking about 10-15% of clients that are randomly being hit by this without any pattern, other than that users are really pi.... off when they see this issue
Yes, we had the same problem for months, which stopped us rolling out Office365. It turned out in our case our InfoSec team had decided to start inspecting the SSL certs from Microsoft, which would randomly break clients. Once we stopped them inspecting the traffic our problems disappeared.
Also, if you are using Zscaler, which we are, then tenant restrictions do not currently work and have to be turned off. This issue is being investigated by Zscaler with a fix to be rolled out during their next release.
We currently have +- 600 managed macOS devices in Jamf Pro, which have also been registered in Microsoft Intune for a while, and all is working fine.
Till.. last month we upgraded to Jamf Pro 10.14, where a new "Cache" functionality was introduced for the JamfAAD binary.
Now we are hitting the following issue:
A (mobile account AD FV enabled) user changes their password on their device through NOMAD / Sys Prefs and after a couple of hours loses their entry in Intune, and Conditional Access fails, so the user is being kicked out of his resources.
The workaround for now is that the user registers the device again.. but then we hit a prompt in the JamfAAD that says the credentials are invalid; when you choose "Sign in with other account" with the same creds, all is good for the next 90 days till the password hits expiration.
Jamf Support is working on this, but it is hard for them to replicate; they have mentioned that another customer has reported the same issue.
But for you maybe this support article can be useful?
Exactly - that is also a new one that I have met, regarding that the password is not invalid (even though the password is correct). But doing a sign-in with a different account solves it for some reason.
The strange thing is that even when I disable conditional access for users, their Macs are still having problems connecting to mail and need to register, etc.
An old post, but I have just one additional question.
When devices are registered in Azure and the computer needs to be re-installed, it will ask for registration again, but then there are 2 devices in Azure and that will give issues. Is there somehow a script etc. to solve this, so it can remove old computers with the same serial number? The normal service desk doesn't have access to go into Azure and remove clients, so the process of re-installing a Mac requires some 2nd level to go in and remove the old device.
Is this a known issue, or how do others handle this?
@Captainamerica I've not experienced issues with having multiple registrations for the same computer. AAD and Conditional Access work off the Azure AD Device ID, which is unique for each registration and saved in the keychain somewhere. We currently use device clean-up rules in Intune and give our service desk a custom RBAC role to be able to delete objects.
The only other option would be to utilise the Graph API, but this creates some security risks as you'll generally have to have the appid and client secret in plain text.
Microsoft are currently working on a feature to prevent this from happening, but to no surprise, this is only for Windows objects so far.
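An added example, not code from any poster in this thread or from Jamf or Microsoft: the selection step a clean-up script for the duplicate registrations discussed above would need, picking the older records that share a serial number. It assumes the input is a list of Intune managedDevice records as returned by Microsoft Graph; the records, ids and serial numbers below are constructed, and `stale_duplicates` is a hypothetical helper name.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, shaped like Microsoft Graph Intune managedDevice
# objects (id, deviceName, serialNumber, operatingSystem, lastSyncDateTime).
SAMPLE_DEVICES = [
    {"id": "dev-001", "deviceName": "MAC-ALICE", "serialNumber": "C02EXAMPLE01",
     "operatingSystem": "macOS", "lastSyncDateTime": "2020-03-01T08:00:00Z"},
    {"id": "dev-002", "deviceName": "MAC-ALICE", "serialNumber": "c02example01",
     "operatingSystem": "macOS", "lastSyncDateTime": "2020-06-20T09:30:00Z"},
    {"id": "dev-003", "deviceName": "MAC-BOB", "serialNumber": "C02EXAMPLE02",
     "operatingSystem": "macOS", "lastSyncDateTime": "2020-06-21T10:00:00Z"},
    {"id": "dev-004", "deviceName": "MAC-CAROL", "serialNumber": "",
     "operatingSystem": "macOS", "lastSyncDateTime": "2020-01-01T00:00:00Z"},
    {"id": "dev-005", "deviceName": "MAC-CAROL2", "serialNumber": None,
     "operatingSystem": "macOS", "lastSyncDateTime": "2020-02-01T00:00:00Z"},
    {"id": "dev-006", "deviceName": "PC-ALICE", "serialNumber": "C02EXAMPLE01",
     "operatingSystem": "Windows", "lastSyncDateTime": "2020-06-22T00:00:00Z"},
    {"id": "dev-007", "deviceName": "MAC-ALICE", "serialNumber": "C02EXAMPLE01",
     "operatingSystem": "macOS", "lastSyncDateTime": None},
]

EPOCH = datetime.min.replace(tzinfo=timezone.utc)

def _last_sync(device):
    """Parse lastSyncDateTime; records that never synced sort as oldest."""
    raw = device.get("lastSyncDateTime")
    if not raw:
        return EPOCH
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))

def stale_duplicates(devices, operating_system="macOS"):
    """Return ids of older records that share a serial number with a newer one."""
    by_serial = defaultdict(list)
    for dev in devices:
        serial = (dev.get("serialNumber") or "").strip().upper()
        # Records without a serial cannot be matched safely, so never flag them.
        if serial and dev.get("operatingSystem") == operating_system:
            by_serial[serial].append(dev)
    stale = []
    for group in by_serial.values():
        group.sort(key=_last_sync, reverse=True)  # newest registration first
        stale.extend(dev["id"] for dev in group[1:])
    return sorted(stale)

if __name__ == "__main__":
    # Dry run: print the candidates for review instead of deleting anything.
    for device_id in stale_duplicates(SAMPLE_DEVICES):
        print("stale duplicate:", device_id)
```

The function only selects candidates; reviewing the list before anything is deleted keeps the delete permission with the role that already holds it.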
Posted: 6/22/2020 at 4:00 AM CDT by Captainamerica
Interesting - I got info from Jamf that only one object must be registered in Azure, as otherwise it will give issues and registration of conditional access will fail and ask for new enrollment even though it is already enrolled
This is what we have been told and what we see in our environment. Has anyone come up with a process to avoid these issues? Maybe something that can be run from the client itself by the user?