Jamf - Conditional access - Just a nightmare?

jameson
Contributor II

I would like to know if I am the only one who has issues with conditional access and Jamf integration.

All the time I'm seeing issues like:
Outlook asks for login and, when logged in, it asks for enrollment (even though the Mac is already enrolled with Jamf).
Clients just randomly disappear inside Intune -> Azure AD devices. Conditional access will then of course fail when they don't exist, and they need to run the Company Portal registration again.

Does anyone experience the same random behavior with these issues? I could understand if all clients failed that something was set up wrong. But here we are talking about 10-15% of clients that are randomly hit by this without any pattern, other than users being really pi.... off when they see this issue.


Stevie
Contributor

Yes, we had the same problem for months, which stopped us rolling out Office 365. It turned out that in our case our InfoSec team had decided to start inspecting the SSL certs from Microsoft, which would randomly break clients. Once we stopped them inspecting the traffic our problems disappeared.

Also, if you are using Zscaler, which we are, then tenant restrictions do not currently work and have to be turned off. This issue is being investigated by Zscaler, with a fix to be rolled out during their next release.

jameson
Contributor II

When checking the devices in Azure, lots of clients have no activity for several days/weeks. And it seems that at a certain point, when they have no activity in Azure, they are just kicked out and fail conditional access even though the client is listed in Azure.

ThijsX
Valued Contributor

@jameson Hi

We currently have +- 600 managed macOS devices in Jamf Pro, which have also been registered in Microsoft Intune for a while, and all was working fine.
Until last month, when we upgraded to Jamf Pro 10.14, where new "Cache" functionality was introduced for the JamfAAD binary.

Now we are hitting the following issue:
A (mobile account, AD, FV-enabled) user changes their password on their device through NOMAD / System Preferences and after a couple of hours loses their entry in Intune; Conditional Access fails, so the user is kicked out of their resources.

The workaround for now is that the user registers the device again, but then we hit a prompt in JamfAAD that says the credentials are invalid; when you choose "Sign in with other account" with the same creds, all is good for the next 90 days until the password hits expiration.

Jamf Support is working on this, but it is hard for them to replicate; they have mentioned that another customer has reported the same issue.

But for you maybe this support article can be useful?

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-issues-with-macOS-devices-when-using/ba-p/462912

jameson
Contributor II

Exactly - that is also a new one I have met, regarding the password being invalid (even though the password is correct). But signing in with a different account solves it for some reason.

The strange thing is that even when I disable conditional access for users, their Macs are still having problems connecting to mail and need to register etc.

ThijsX
Valued Contributor

@frederick.abeloos Regarding ticket JAMF-0741561

jameson
Contributor II

To keep clients communicating, do you have to run this daily: /usr/local/jamf/bin/jamfAAD gatherAADInfo ?
It seems that this is the trick, but I don't know if anyone else is using this?

mrowell
Contributor

@jameson Check your Devices -> Device cleanup rules in Intune. Devices that haven't contacted Intune can be automatically removed after a number of days.

glennmiller
New Contributor III

@Stevie what was your resolution? We're currently struggling with the same problems, most likely due to inspection, but we can't disable inspection as we need the tenant restrictions.
We currently have an open case with Microsoft and Zscaler.

d_mccullough
New Contributor III

We're interested in this as well, as we've seen similar behavior... @txhaflaire , @jameson , @Stevie , what kind of behaviors were you seeing while SSL inspection was turned on?

glennmiller
New Contributor III

Latest update from Microsoft:
"Product team is now able to reproduce this issue in their environment and they are still working on it. Besides, there are two more tenants reporting the similar issue and we have shared the feedback to Product team as well."

d_mccullough
New Contributor III

Excellent. Thank you for the update, Glenn.

glennmiller
New Contributor III

Latest from MS:
The development team have a potential fix. ETA to come in the next week 🙂

brushj
New Contributor III

Has there been any other updates on this? @glennmiller

glennmiller
New Contributor III

@brushj Microsoft have released version 2.2b which has the fix.
I've only briefly tested in our environment, but it looks to be working with Zscaler now.

Captainamerica
Contributor

An old post, but have just an additional question.
When devices are registered in Azure and the computer needs to be re-installed, it will ask for registration again, but then there are 2 devices in Azure and that gives issues. Is there a script etc. to solve this, so it can remove old computers with the same serial number? The normal service desk doesn't have access to go into Azure and remove clients, so the process of re-installing a Mac requires someone from 2nd level to go in and remove the old device.
Is this a known issue, or how do others handle this?

glennmiller
New Contributor III

@Captainamerica I've not experienced issues with having multiple registrations for the same computer. AAD and Conditional Access work off the Azure AD Device ID, which is unique for each registration and saved in the keychain somewhere. We currently use device clean-up rules in Intune and give our service desk a custom RBAC role to be able to delete objects.

The only other option would be to utilise the Graph API, but this creates some security risks as you'll generally have to have the app ID and client secret in plain text.

Microsoft are currently working on a feature to prevent this from happening, but to no surprise, this is only for Windows objects so far.
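As an added example (not code from this thread, Jamf or Microsoft), this is the planning half of such a cleanup script: it groups Microsoft Graph device objects by displayName (the thread's serial-number match is not assumed), keeps the registration with the newest sign-in and lists the rest as removal candidates, skipping any duplicate that signed in within a grace window so a Mac that is re-registering right now is not deleted. Field names follow the Graph device resource; the records are a constructed sample and the actual DELETE call is deliberately left out (dry run).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of Microsoft Graph device objects (GET /v1.0/devices).
# Field names follow the Graph "device" resource; all values are made up.
# MAC-0042 was re-installed twice, so three registrations share one name.
SAMPLE_DEVICES = [
    {"deviceId": "aaaa-0001", "displayName": "MAC-0042",
     "operatingSystem": "MacMDM",
     "approximateLastSignInDateTime": "2020-01-10T08:00:00Z"},
    {"deviceId": "aaaa-0002", "displayName": "MAC-0042",
     "operatingSystem": "MacMDM",
     "approximateLastSignInDateTime": None},            # never signed in
    {"deviceId": "aaaa-0003", "displayName": "MAC-0042",
     "operatingSystem": "MacMDM",
     "approximateLastSignInDateTime": "2020-06-20T14:30:00Z"},
    {"deviceId": "bbbb-0001", "displayName": "MAC-0077",
     "operatingSystem": "MacMDM",
     "approximateLastSignInDateTime": "2020-06-19T11:00:00Z"},
]

NOW = datetime(2020, 6, 22, 9, 0, tzinfo=timezone.utc)
EPOCH = datetime.min.replace(tzinfo=timezone.utc)   # sorts "never" as oldest

def parse_sign_in(value):
    """Graph gives ISO-8601 with a trailing Z, or null when never signed in."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def plan_cleanup(devices, now=NOW, grace_days=7):
    """Return (keep, remove) lists of deviceIds. Per displayName the newest
    registration survives; older duplicates are removal candidates only if
    they never signed in or last signed in more than grace_days ago."""
    by_name = defaultdict(list)
    for dev in devices:
        by_name[dev["displayName"]].append(dev)
    cutoff = now - timedelta(days=grace_days)
    keep, remove = [], []
    for regs in by_name.values():
        regs.sort(key=lambda d: parse_sign_in(d["approximateLastSignInDateTime"]) or EPOCH,
                  reverse=True)
        keep.append(regs[0]["deviceId"])              # newest registration wins
        for dup in regs[1:]:
            seen = parse_sign_in(dup["approximateLastSignInDateTime"])
            (remove if seen is None or seen < cutoff else keep).append(dup["deviceId"])
    return sorted(keep), sorted(remove)

if __name__ == "__main__":
    keep, remove = plan_cleanup(SAMPLE_DEVICES)
    print("keep:", keep)
    print("remove (dry run):", remove)
```

Deleting the candidates needs an app with device write permission; keeping that credential out of the script body (certificate-based auth or a keychain lookup rather than an inline client secret) is the mitigation for the plain-text risk raised above.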

Captainamerica
Contributor

Interesting - I got info from Jamf that only one object must be registered in Azure, as otherwise it will give issues and registration for conditional access will fail and ask for a new enrollment even though it is already enrolled.

StephenBacon
New Contributor
Posted: 6/22/2020 at 4:00 AM CDT by Captainamerica
Interesting - I got info from Jamf that only one object must be registered in Azure, as otherwise it will give issues and registration for conditional access will fail and ask for a new enrollment even though it is already enrolled.

This is what we have been told and what we see in our environment. Has anyone come up with a process to avoid these issues? Maybe something that can be run from the client itself by the user?

RickDalton
New Contributor III