Jamf Device Compliance / Intune / Azure

Jacek_ADC
Contributor II

Hi Guys

I have been struggling for multiple weeks with this new feature, device compliance in Jamf Pro and Azure Compliance.

Everything is set up as described here: https://learn.jamf.com/bundle/technical-paper-microsoft-intune-mobile-devices-current/page/Configuri...

The connection between Jamf and Azure is fine. Partner Device Management in Azure is also fine.

SCR-20230323-manc.png
SCR-20230323-mbdx.png

Following scenario:

I tested 5 devices.

  1. one device (my production one) is the only one that ran the complete registration with Company Portal and jamfAAD (the Jamf Conditional Access app); the registration process was completed with the steps in this screenshot
    SCR-20230323-mcfh.png
  2. all other devices are not running
  3. I tried all the other devices multiple times (after a clean install of macOS) with my user, with another test user, and with production users from 2 colleagues
  4. after some longer troubleshooting I checked in Terminal with

log show --predicate 'subsystem CONTAINS "jamfAAD"' --last 30m

and receive the following output on all devices that are not working properly:

test.requester@ADC-MB99099 ~ % log show --predicate 'subsystem CONTAINS "jamfAAD"' --last 30m
Filtering the log data using "subsystem CONTAINS "jamfAAD""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL  
2023-03-23 10:47:48.467341+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] internal event: WILL_SPAWN, code = 0
2023-03-23 10:47:48.467350+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] service state: spawn scheduled
2023-03-23 10:47:48.467351+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] service state: spawning
2023-03-23 10:47:48.467592+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] launching: launch job demand
2023-03-23 10:47:48.468654+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] xpcproxy spawned with pid 1430
2023-03-23 10:47:48.468675+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] internal event: SPAWNED, code = 0
2023-03-23 10:47:48.468677+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] service state: xpcproxy
2023-03-23 10:47:48.468700+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] internal event: SOURCE_ATTACH, code = 0
2023-03-23 10:47:48.668286+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] service state: running
2023-03-23 10:47:48.668309+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] internal event: INIT, code = 0
2023-03-23 10:47:48.668317+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] job state = running
2023-03-23 10:47:48.668494+0100 0x23ba     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] Successfully spawned Jamf Conditional Access[1430] because launch job demand
2023-03-23 10:47:48.738563+0100 0x26f7     Default     0x0                  1430   0    Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Launching Company Portal
2023-03-23 10:49:40.781646+0100 0x26f7     Default     0x0                  1430   0    Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Collecting Azure Active Directory ID
2023-03-23 10:49:40.885147+0100 0x26f7     Default     0x0                  1430   0    Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] No Azure tenant set up
2023-03-23 10:49:40.886243+0100 0x3421     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] exited due to exit(0)
2023-03-23 10:49:40.886255+0100 0x3421     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] service state: exited
2023-03-23 10:49:40.886259+0100 0x3421     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] internal event: EXITED, code = 0
2023-03-23 10:49:40.886262+0100 0x3421     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] job state = exited
2023-03-23 10:49:40.886297+0100 0x3421     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] service state: not running
2023-03-23 10:49:40.887192+0100 0x3413     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] removing job: caller = runningboardd
2023-03-23 10:49:40.887320+0100 0x3413     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] internal event: PETRIFIED, code = 0
2023-03-23 10:49:40.887322+0100 0x3413     Default     0x0                  1      0    launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232:] job state = removed

  • the most important part from my point of view is:

2023-03-23 10:49:40.885147+0100 0x26f7     Default     0x0                  1430   0    Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] No Azure tenant set up

  • On my device, which is working, this is not shown in Terminal. So I think this can't be the problem on the non-working devices, where jamfAAD doesn't pop up after the first registration process of the Company Portal
  • The entire setup in Jamf and Azure was done twice. After the first tries 2 weeks ago, with exactly the same results as described above, I was thinking that something had been done wrong

Does anyone have an idea what else to check to find a solution for this?

I also created a sysdiagnose, but I really don't know where to search for information.
My device is the only one in Azure that is correctly registered and shown as compliant. This is because my device is the only one that was able to finish the entire registration process.

SCR-20230323-mhnn.png

I also opened a ticket with Jamf support a while ago, but until now no one from support has been able to help out here.

I appreciate any help.


jpoirson
New Contributor III

Might be unrelated, but did you use the "All users" button in Intune when setting up the device compliance?

If yes, you need to use a specific group, otherwise it won't work, as per the doc.

Also....

In my case, our Macs appear under the Devices section in the user's account, not in the Devices > macOS section.

Not very user friendly....

Jacek_ADC
Contributor II

Hi, thx for answering.

@jpoirson We have a specific group configured. :)

Jamf support just answered on Friday that there is some problem with the Jamf framework on the Macs.

sudo jamf manage before starting the registration process with Company Portal helps in most cases.

mt-nw
New Contributor II

Seeing this exact same behavior. We just set this all up yesterday for our limited test group, and the test Macs enrolled fine yesterday; the jamfAAD app popped up as expected.

Today, adding a few more devices for the same limited users, all 3 new devices behaved as described above, and we see the same "No Azure tenant set up" log entry.

Running `sudo jamf manage` and then flushing the Intune Registration policy in Jamf allowed the registration to complete as normal again.

One note:

So far, if Microsoft Edge is the default browser, the browser call to the Company Portal by jamfAAD to select the certificate and add it to Keychain fails and the user is prompted every time to install Company Portal.

Changing the default browser to Google Chrome or Safari works as expected.
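As an added example (not code from the thread or from Jamf), here is a small shell triage for the `log show` output quoted above: it reads the jamfAAD unified-log lines and reports whether the run reached the "No Azure tenant set up" failure described in this thread. The sample log lines are constructed from the shape of the output posted above; on a real Mac you would pipe in `log show --predicate 'subsystem CONTAINS "jamfAAD"' --last 30m` instead.

```bash
#!/bin/sh
# Added example, not part of the thread. Triage jamfAAD log lines and print
# one verdict so an admin can tell a tenant-lookup failure from a sign-in
# that simply never started. Input: log text on stdin.

# Constructed sample: condensed from the failing run shown in the thread.
SAMPLE_FAILING='Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Launching Company Portal
Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Collecting Azure Active Directory ID
Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] No Azure tenant set up
launchd: [gui/503/application.com.jamf.management.jamfAAD.29083.29232 [1430]:] exited due to exit(0)'

# Constructed sample: what a run that got past the tenant lookup looks like.
SAMPLE_OK='Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Launching Company Portal
Jamf Conditional Access: [com.jamf.management.jamfAAD:workflow] Collecting Azure Active Directory ID'

# triage_jamfaad_log: read log lines on stdin, print exactly one verdict.
#   NO_TENANT          - the signature from this thread; the workaround the
#                        replies settled on is "sudo jamf manage" and then
#                        re-running (flushing) the Intune registration policy
#   NOT_STARTED        - jamfAAD never launched Company Portal in this window
#   WAITING_FOR_PORTAL - Company Portal launched, but the user never finished
#                        sign-in, so the Azure AD ID was never collected
#   OK                 - tenant lookup passed; look elsewhere for the problem
triage_jamfaad_log() {
  launched=0; collected=0; no_tenant=0
  while IFS= read -r line; do
    case "$line" in
      *"Launching Company Portal"*)               launched=1 ;;
      *"Collecting Azure Active Directory ID"*)   collected=1 ;;
      *"No Azure tenant set up"*)                 no_tenant=1 ;;
    esac
  done
  if   [ "$no_tenant" -eq 1 ]; then echo "NO_TENANT"
  elif [ "$launched"  -eq 0 ]; then echo "NOT_STARTED"
  elif [ "$collected" -eq 0 ]; then echo "WAITING_FOR_PORTAL"
  else                              echo "OK"
  fi
  return 0
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_FAILING" | triage_jamfaad_log   # NO_TENANT
printf '%s\n' "$SAMPLE_OK"      | triage_jamfaad_log   # OK
```

To use it on a live Mac, replace the sample input with the `log show` command from the first post, e.g. `log show --predicate 'subsystem CONTAINS "jamfAAD"' --last 30m | triage_jamfaad_log`.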

RolindaS
New Contributor

You Sir are a magician, thanks for this.

snowfox
Contributor III

The exact same thing happened to me.  I've been pulling my hair out over this for the past few weeks trying to figure out where I went wrong in the configuration.  Also opened a technical support ticket last week.  The rep said he would look into it.  Still waiting for a reply.  Good thing I found this thread.  The sudo jamf manage and flushing the policy worked.  Both my test machines now have a green tick mark beside them on Azure and are listed as compliant once again.

I wasn't getting the second prompt during the registration process (it did initially, and then it stopped appearing, even if I deleted the computer record from Azure and erased/reinstalled the Mac). The above fixed it. Many thanks to all! :)

@mt-nw Have you tried using the WKWebView to negate the need for a web browser during registration?

Apply it to com.jamf.management.jamfAAD

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>useWKWebView</key>
    <true/>
  </dict>
</plist>

mt-nw
New Contributor II

We did end up deploying that thanks to your suggestion and finding it in the Jamf Troubleshooting Microsoft Azure Login Using JamfAAD doc, too. We also added a step to the Company Portal install Policy to just run the `sudo jamf manage` as well.

Jacek_ADC
Contributor II

I am now in contact with jamf support and have sent a lot of logs from different tests.

My experience actually is:

Different browsers -> different experience

Clean-installed MacBooks freshly enrolled with PreStage -> only the Safari browser is installed, and after "sudo jamf manage" -> the sign-in to Azure through Self Service must be done twice. The first try stops on the login through the browser after Company Portal has registered the device, so jamfAAD does not start correctly. The second time it works.

SCR-20230330-jgrc.png

SCR-20230330-jgtq.png

SCR-20230330-jieo.png

SCR-20230330-jign.png

mt-nw
New Contributor II

For anyone who ran into this issue, Jamf emailed me today saying they have a hotfix for Jamf Pro 10.45.1 if needed, or it will be patched in 10.46.0 expected to be released at the end of the month (April 2023).

anuj530
New Contributor III

Do we know if this is fixed in 10.46 yet? I haven't had a chance to try it out yet.

anuj530
New Contributor III

Yup! Same issue here. For a hot second, I thought it was fixed in 10.45 when I tried it again, and it worked on one of the affected devices. But tried it again on a new device, and it didn't work. A temporary fix is running sudo jamf manage right before the registration, and that seems to work. But glad to hear that the fix is coming in either 10.45.1 or 10.46.

nadsad
New Contributor III

Thank god for this news :D I have been pulling my hair out as well. sudo jamf manage solves it as a workaround, but I'm really hoping it will be permanently fixed in 10.46.

TheITGuy69
Contributor

Still not working for me on 10.46.1

Jacek_ADC
Contributor II

In the last few days I started to deploy it with the updated Company Portal (the update was released a few days ago) and configured with the SSO extension from Microsoft. sudo jamf manage is also a part of the sign-in policy in Self Service, but it looks to be working fine now for us.

Jamf Pro on version 10.46.1

TheITGuy69
Contributor

Any chance someone can post screenshots of their permissions for the following 2 apps created by Jamf in Azure?

User registration app for Device Compliance

And

Cloud Connector for Device Compliance