Posted on 09-02-2019 03:42 AM
I would like to know if I am the only one that has issues with conditional access and Jamf integration.
All the time I am seeing issues like:
Outlook asks for login and, when logged in, it asks for enrollment (even though the Mac is already enrolled with Jamf)
Clients just randomly disappear inside Intune -> Azure AD devices. So conditional access will then of course fail when they don't exist, and they need to run Company Portal registration again
Does anyone experience the same random behavior on these issues? I could understand, if all clients failed, that something was set up wrong. But here we are talking about 10-15% of clients that are randomly hit by this without any pattern, other than users being really pi.... off when they see this issue
Posted on 09-02-2019 11:22 PM
Yes, we had the same problem for months, which stopped us rolling out Office 365. It turned out that in our case our InfoSec team had decided to start inspecting the SSL certs from Microsoft, which would randomly break clients. Once we stopped them inspecting the traffic our problems disappeared.
Also, if you are using Zscaler, which we are, then tenant restrictions do not currently work and have to be turned off. This issue is being investigated by Zscaler, with a fix to be rolled out during their next release.
Posted on 09-11-2019 03:45 AM
When checking devices in Azure, lots of clients have no activity for several days/weeks. And at a certain point it seems that when they have no activity in Azure they are just kicked out and fail conditional access, even though the client is listed in Azure.
Posted on 09-11-2019 09:23 AM
We currently have +/- 600 managed macOS devices in Jamf Pro, which have also been registered in Microsoft Intune for a while, and all was working fine.
Till.. last month we upgraded to Jamf Pro 10.14, where a new "Cache" functionality was introduced for the JamfAAD binary.
Now we are hitting the following issue:
A (mobile account, AD, FileVault enabled) user changes their password on their device through NOMAD / System Preferences and after a couple of hours loses their entry in Intune; Conditional Access fails, so the user is kicked out of their resources.
The workaround for now is that the user registers the device again.. but then we hit a prompt in JamfAAD that says the credentials are invalid; when you choose "Sign in with other account" with the same creds, all is good for the next 90 days until the password hits expiration.
Jamf Support is working on this, but it is hard for them to replicate; they have mentioned that another customer has reported the same issue.
But maybe this support article can be useful for you?
Posted on 09-11-2019 10:49 PM
Exactly - that is also a new one that I have met, regarding the password being reported as invalid (even though the password is correct). But signing in with a different account solves it for some reason.
The strange thing is that even when I disable conditional access for users, their Macs still have problems connecting to mail and need to register, etc.
Posted on 09-12-2019 01:00 AM
Posted on 09-12-2019 10:18 PM
To keep clients communicating, do you have to run this daily: /usr/local/jamf/bin/jamfAAD gatherAADInfo
It seems that this is the trick, but I don't know if anyone else is using this?
Posted on 09-12-2019 11:10 PM
@jameson Check your Devices -> Device cleanup rules in Intune. Devices that haven't contacted Intune can be automatically removed after a number of days.
Posted on 11-05-2019 01:38 AM
@Stevie what was your resolution?
We're currently struggling with the same problems, most likely due to inspection, but we can't disable inspection as we need the tenant restrictions.
Currently have an open case with Microsoft and Zscaler.
Posted on 11-05-2019 09:55 AM
We're interested in this as well, as we've seen similar behavior... @txhaflaire , @jameson , @Stevie , what kind of behaviors were you seeing while SSL inspection was turned on?
Posted on 11-19-2019 07:48 PM
Latest update from Microsoft:
"Product team is now able to reproduce this issue in their environment and they are still working on it. Besides, there are two more tenants reporting a similar issue and we have shared the feedback to Product team as well."
Posted on 11-20-2019 10:18 AM
Excellent. Thank you for the update, Glenn.
Posted on 12-09-2019 08:44 PM
Latest from MS:
The development team has a potential fix. ETA to come in the next week :-)
Posted on 01-08-2020 08:09 AM
Posted on 01-10-2020 04:13 PM
@brushj Microsoft have released version 2.2b which has the fix.
I've only briefly tested in our environment, but it looks to be working with Zscaler now.
Posted on 06-21-2020 11:48 PM
An old post, but I just have an additional question.
When devices are registered in Azure and the computer needs to be re-installed, it will ask for registration again, but then there are 2 devices in Azure and that gives issues. Is there somehow a script, etc., to solve this, so it can remove old computers with the same serial number? The normal service desk doesn't have access to go into Azure and remove clients, so the process of re-installing a Mac requires some 2nd level to go in and remove the old device.
Is this a known issue, or how do others handle this?
Posted on 06-22-2020 01:21 AM
@Captainamerica I've not experienced issues with having multiple registrations for the same computer. AAD and Conditional Access work off the Azure AD Device ID, which is unique for each registration and saved in the keychain somewhere. We currently use device clean-up rules in Intune and give our service desk a custom RBAC role to be able to delete objects.
The only other option would be to utilise the Graph API, but this creates some security risks as you'll generally have to have the app ID and client secret in plain text.
Microsoft are currently working on a feature to prevent this from happening, but to no surprise, this is only for Windows objects so far.
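One way to script the serial-number clean-up discussed in the last two posts without storing an app ID and client secret in the script, as an added example that is not from the thread, from Jamf or from Microsoft: the script reads a short-lived bearer token from an environment variable (GRAPH_TOKEN, an assumed name), lists Intune managedDevice records from Microsoft Graph, groups them by serialNumber, and marks every record except the most recently synced one per serial as stale. The record fields (id, serialNumber, azureADDeviceId, lastSyncDateTime, deviceName) follow the Graph managedDevice resource; the sample records below are constructed, and the "keep the newest sync" retention rule is this example's own choice, not a Jamf or Microsoft recommendation. Deletion defaults to a dry run that only reports what it would remove.

```python
"""Find and (optionally) delete stale duplicate Intune device records by serial.

Added example, not part of the thread. Assumes a bearer token for Microsoft
Graph is supplied in the environment variable GRAPH_TOKEN (assumed name), e.g.
from an interactive sign-in, so no client secret is written into the script.
"""
import json
import os
import urllib.request
from datetime import datetime

GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

# Constructed sample records shaped like Graph managedDevice objects.
# Serial C02ABC123 has three records: one live and two from earlier re-installs.
SAMPLE_DEVICES = [
    {"id": "aaaa-1", "serialNumber": "C02ABC123", "azureADDeviceId": "dev-guid-1",
     "lastSyncDateTime": "2020-06-20T08:00:00Z", "deviceName": "mac-01"},
    {"id": "bbbb-2", "serialNumber": "C02ABC123", "azureADDeviceId": "dev-guid-2",
     "lastSyncDateTime": "2020-03-01T12:30:00Z", "deviceName": "mac-01"},
    {"id": "eeee-5", "serialNumber": "C02ABC123", "azureADDeviceId": "dev-guid-5",
     "lastSyncDateTime": "2019-11-15T09:15:00Z", "deviceName": "mac-01-old"},
    {"id": "cccc-3", "serialNumber": "C02DEF456", "azureADDeviceId": "dev-guid-3",
     "lastSyncDateTime": "2020-06-19T17:45:00Z", "deviceName": "mac-02"},
    # A record with no serial reported must never be grouped or deleted.
    {"id": "dddd-4", "serialNumber": "", "azureADDeviceId": "dev-guid-4",
     "lastSyncDateTime": "2020-06-21T07:00:00Z", "deviceName": "mac-unknown"},
]


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps Graph returns into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_duplicates(devices):
    """Return the records to remove: for each serial that appears more than once,
    every record except the most recently synced. Empty serials are skipped."""
    by_serial = {}
    for device in devices:
        serial = (device.get("serialNumber") or "").strip()
        if not serial:
            continue
        by_serial.setdefault(serial, []).append(device)
    stale = []
    for records in by_serial.values():
        if len(records) < 2:
            continue
        records.sort(key=lambda r: parse_time(r["lastSyncDateTime"]), reverse=True)
        stale.extend(records[1:])  # records[0] is the live one; keep it
    return stale


def graph_get_all(url, token):
    """Fetch every page of a Graph collection, following @odata.nextLink."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    items = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            page = json.loads(resp.read().decode("utf-8"))
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def delete_device(device_id, token, dry_run=True):
    """DELETE one managedDevice. In dry-run mode, return the URL without calling it."""
    url = GRAPH_DEVICES + "/" + device_id
    if dry_run:
        return url
    req = urllib.request.Request(
        url, method="DELETE", headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Graph answers 204 No Content on success


def main():
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        raise SystemExit("set GRAPH_TOKEN to a Graph bearer token; no secret is stored here")
    dry_run = os.environ.get("GRAPH_DELETE") != "1"
    devices = graph_get_all(GRAPH_DEVICES, token)
    for record in stale_duplicates(devices):
        print(("would delete " if dry_run else "deleted ") + record["id"],
              record["serialNumber"], record["lastSyncDateTime"],
              delete_device(record["id"], token, dry_run=dry_run))


if __name__ == "__main__":
    main()
```

Run it with a token obtained at the keyboard (for instance the output of `az account get-access-token --resource https://graph.microsoft.com` copied into GRAPH_TOKEN) and review the dry-run list before setting GRAPH_DELETE=1; the Graph permission for deleting managed devices is granted to the signed-in admin's role rather than to a long-lived application secret, which is the risk the post above points out.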
Posted on 06-22-2020 02:00 AM
Interesting - I got info from Jamf that only one object must be registered in Azure, as otherwise it will give issues, and registration for conditional access will fail and ask for new enrollment even though it is already enrolled
Posted on 01-18-2021 05:52 PM
Posted: 6/22/2020 at 4:00 AM CDT by Captainamerica: Interesting - I got info from Jamf that only one object must be registered in Azure, as otherwise it will give issues, and registration for conditional access will fail and ask for new enrollment even though it is already enrolled
This is what we have been told and what we see in our environment. Has anyone come up with a process to avoid these issues? Maybe something that can be run from the client itself by the user?
Posted on 05-12-2021 04:00 PM
Posted on 03-28-2022 08:43 AM
We are POC-ing Conditional Access with Jamf now.
Quick Q: in the Company Portal app on Windows (and on Macs directly enrolled into Intune), it will let the end user know what specifically they are not compliant with so they can remediate. With the Jamf/Intune integration, I do not see that.
Does anyone else experience this?