Jamf / Entra Device Compliance - Weird behaviour with MDM Authority

NinaW
New Contributor II

Hello Everyone,

I am at my wits' end here and might need some more brains to figure out what the issue is. I am not fully sure if this is the right forum for this topic either, but I am giving it a try...

We have had Device Compliance set up in Jamf Pro for several weeks/months now and started to slowly onboard our Macs.

What we did: 

  • We have a Mac user group in our AD which is being synced to Azure.
  • Created a Mac App via Jamf Catalogue to roll out the Company Portal to specific devices only.
  • Set up our two Smart Groups for Compliance and Applicable Macs. This checks if the Company Portal is installed and applies our Configuration Profiles and Policies.

This seems to work. I can also see that our devices are being rolled out and the Compliance is good... 

However, then it gets weird. When I check Azure / Entra a few days later, devices that were enrolled and properly reported everything suddenly have "NONE" set as MDM Authority?!

[Screenshot attached: NinaW_0-1696919552679.png]

This does not apply to all of our Macs, just a few so far. We have rolled out 36 for now and had this issue with 4 devices.

Re-enrolling doesn't seem to do the trick either. I tried with two devices but they still report none. 

Also, a lot of devices are already in this list for weeks or months and still report properly. So I think the settings should be fine? 

If it helps I can of course provide more info on the settings etc. 


Did anyone see this weird behaviour before and may be able to help out?


Jacek_ADC
Contributor II

Hi Nina

We are in exactly the same situation. Everything has worked fine. 

Check the PI PI113193

https://account.jamf.com/products/jamf-pro/known-issues

We already have an open case with Jamf support and are waiting for a solution.

I have spent almost the entire last week searching for the issue, because we had a few new employees who started, and almost all of them were registered successfully at first and then lost the connection.

So our MacBooks are losing the MS Workplace Join key, and when checking the ~/Library/Preferences/com.jamf.management.jamfAAD.plist file, we see a successful token timestamp but the have_an_Azure_id changed to false.

<key>LoginKeychainEmpty</key>
<true/>
<key>have_an_Azure_id</key>
<true/>
<key>last_aad_token_timestamp</key>
<real>1696928734.5948009</real>


So I recommend also opening a case with Jamf support.

BR

J
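The plist check Jacek describes (inspecting have_an_Azure_id, LoginKeychainEmpty and last_aad_token_timestamp in com.jamf.management.jamfAAD.plist) is easy to turn into a fleet-wide health check, for example as a Jamf extension attribute. The script below is an added example, not code from the thread or from Jamf: it parses the plist with Python's standard plistlib and classifies the device state. The sample plists, the seven-day staleness threshold and the status names are assumptions constructed for the example; the plist path and key names are the ones named in the thread.

```python
import os
import plistlib
import time

# Per-user Jamf AAD state file named in the thread. Only read in the __main__ block;
# the functions below work on plist bytes so they can be tested offline.
JAMF_AAD_PLIST = "~/Library/Preferences/com.jamf.management.jamfAAD.plist"

# A token older than this is flagged as stale. Threshold is an assumption for
# this example, not a value from Jamf documentation.
MAX_TOKEN_AGE_SECONDS = 7 * 24 * 3600


def assess_jamf_aad_state(plist_bytes: bytes, now: float) -> dict:
    """Parse jamfAAD plist bytes and return a small health report.

    status is one of:
      "never-registered" - no last_aad_token_timestamp at all
      "lost-azure-id"    - token was obtained, but have_an_Azure_id is false
                           (the symptom described in the thread)
      "stale-token"      - registered, but the last token is older than the threshold
      "ok"               - registered and recently refreshed
    """
    data = plistlib.loads(plist_bytes)
    has_azure_id = bool(data.get("have_an_Azure_id", False))
    keychain_empty = bool(data.get("LoginKeychainEmpty", False))
    ts = data.get("last_aad_token_timestamp")
    token_age = None if ts is None else now - float(ts)

    if ts is None:
        status = "never-registered"
    elif not has_azure_id:
        status = "lost-azure-id"
    elif token_age > MAX_TOKEN_AGE_SECONDS:
        status = "stale-token"
    else:
        status = "ok"

    return {
        "has_azure_id": has_azure_id,
        "keychain_empty": keychain_empty,
        "token_age_s": token_age,
        "status": status,
    }


def extension_attribute_result(report: dict) -> str:
    """Format the report the way a Jamf extension attribute script reports a value."""
    return f"<result>{report['status']}</result>"


# Constructed sample plists (not captured from a real device). The timestamp is the
# one Jacek posted; "now" is set one hour later so the ages are predictable.
LAST_TOKEN = 1696928734.5948009
NOW = LAST_TOKEN + 3600.0

SAMPLE_HEALTHY = plistlib.dumps({
    "LoginKeychainEmpty": True,
    "have_an_Azure_id": True,
    "last_aad_token_timestamp": LAST_TOKEN,
})
SAMPLE_LOST = plistlib.dumps({
    "LoginKeychainEmpty": True,
    "have_an_Azure_id": False,          # registration lost, token still looks fresh
    "last_aad_token_timestamp": LAST_TOKEN,
})
SAMPLE_STALE = plistlib.dumps({
    "have_an_Azure_id": True,
    "last_aad_token_timestamp": LAST_TOKEN - 30 * 24 * 3600,  # a month old
})
SAMPLE_NEVER = plistlib.dumps({"LoginKeychainEmpty": True})


if __name__ == "__main__":
    for name, sample in [("healthy", SAMPLE_HEALTHY), ("lost", SAMPLE_LOST),
                         ("stale", SAMPLE_STALE), ("never", SAMPLE_NEVER)]:
        print(name, assess_jamf_aad_state(sample, NOW))

    # On a Mac, assess the real file for the current user if it exists.
    path = os.path.expanduser(JAMF_AAD_PLIST)
    if os.path.exists(path):
        with open(path, "rb") as fh:
            print(extension_attribute_result(assess_jamf_aad_state(fh.read(), time.time())))
```

Run as an extension attribute it would let a Smart Group collect the "lost-azure-id" devices instead of discovering them one by one in Entra; on a real Mac the plist belongs to the logged-in user, so the script has to resolve that user's home directory rather than root's.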

NinaW
New Contributor II

Thanks for the additional input and the info about the ticket! 

I deleted one of the affected Macs from the Entra / Azure Portal and flushed the successful enrollment. The device was then added to Entra again and apparently the bind is now back. It didn't work before, when I just flushed the Policy but left the device in Entra.


I will check if this approach helps or not. If this comes back, I will open a ticket as well! 

Best,

Nina

Jacek_ADC
Contributor II

I have done the same and a lot of other tries. Last Friday I did the enrollment with all affected users myself (remote). Deleting everything from the device, reinstalling Company Portal, deleting the device in Entra. Checking the logs, doing the registration myself with each of the users. Everything was fine until Monday morning :)

All of the MacBooks I did on Friday have lost the connection to Entra again.

So, Jamf support was asking if we are using the SSO extension and if we have endpoint protection installed.
Both I can answer with yes.

SSO Extension is configured and we use the MS Defender.

I am sure Jamf or MS will find the issue. It's really not certain that this is a Jamf issue.

NinaW
New Contributor II

Oh welp. Thanks for the additional input. Then I guess I'll just open a ticket right away. 

We also have the SSO Extension and an endpoint protection in place. But we're using Sophos Endpoint right now.


Glad to hear they're working on it though :( 
(Btw, I like that this became a chat between a cat and a dog. :D) 

I thought the same about the dog and cat. But I can also switch to a dog.
I have enough dog pictures of my dog.
So hopefully MS or Jamf will find some solution here!

MacJunior
Contributor III

I had the same issue, some devices were showing up as "not compliant" in Azure and MDM is "None" .. when I tried to delete the records of those Macs from Azure and re-register them again it worked, but some of the Macs showed up all of a sudden again as "Not compliant" .. I did the re-integration with MS Azure and so far it works well and hopefully it will continue like that.

Hi @MacJunior roughly how long is so far? Days, weeks, months? Very interested! Thx!

it's been like 3 weeks since we did the re-integration and so far haven't seen any Macs showing up as "not compliant" or the MDM field is "None".

NinaW
New Contributor II

So far, it helped for me to delete the devices from Azure and re-enroll them... I wonder how long it will last though.

I will keep your solution in mind though! Thanks for telling me about it! 


I did open a support case with jamf but so far it seems like I am not affected by this bug or the logs I provided were not helpful. 🙈

I opened up a ticket with Jamf support and provided some logs as they asked and it doesn't seem we're affected by PI113193 so I would say try to re-integrate if the issue shows up again.

piotrr
Contributor III

I rolled out to 90 machines and had this issue on around 10 of them. On some, doing the Company portal registration again helped, on others I had to erase every trace of Company Portal, Workspace Join Keys and most things under point six here - and then re-run the registration procedure from Self Service. 

I've also had one computer - luckily one of my lab computers - be completely registered and compliant in Jamf and Azure, but the computer itself not recognizing that it actually is. Hm. That's a device I have been testing SSOe on... 

K_SB
New Contributor

Hello,


May I ask a question about Jamf Pro and having these devices appear within Microsoft Entra?