Jamf Entra compliance and BYOD concerns

Rolden
New Contributor II

Hi All,

We have implemented JAMF compliance Entra integration and have now come to implementing personal enrolment of BYOD macOS devices in Intune.  It seems that once the compliance policies have been setup this disables users from being able to the personally enrol a Mac in Intune.  Has anyone overcome this problem?  Do we have to have the users temporarily added to the Entra exclusion group temporarily to allow the enrolment of a personal device?  Whichever way I look at this it seems cumbersome and service desk impacting.

3 REPLIES 3

czarmark
New Contributor III

Are you using Device Compliance, or are you using the soon-to-be-deprecated Conditional Access? Also curious if you are using ABM for DEP enrollment and does that work?

We are testing DP and I ran into issue after erasing a test machine whereby I couldn't sign in via Entra to start enrollment and setup because the device wasn't compliant and couldn't be compliant until macOS setup completed and it actually a user account. Looking at Azure / Entra Sign In logs, I identified our Azure SSO app for Jamf as the entity authenticating and failing there. I then updated the conditional access policy in Entra's Target resources > Exclude > Select excluded cloud apps to add our SSO app, that resolved that issue. I did check the sign-in logs for that SSO app to make sure excluding it wasn't a risk and didn't seem to be.

So that's why I asked about your new machine enrollments and how you are doing them - maybe excluding the SSO app will overcome your user-initated enrollment issue? But I don't know what's in your DP smartgroup criteria; if you're requiring the Self Service.app, you're in a catch-22. 

czarmark
New Contributor III

DP? Don't know where that came from :) I meant DC for Device Compliance. Can't edit original reply. Sorry.

Rolden
New Contributor II

Thanks for your response.

We will be using Device Compliance.  For BYOD though we would be enrolling personal Mac devices in Intune and this appears to be blocked via the device compliance inclusion group.