Jamf Nation Community

Hi, this has been done.

Are your Mac's showing s/w inventory in Intune?

The just released Jamf Pro version 10.9 has an interesting new feature, which could help you on troubleshooting Intune integration issues:

macOS Intune Integration Logs You can now view the inventory data sent to Microsoft Intune for each username associated with a computer when the macOS Intune Integration is enabled. To view which inventory attributes were sent to Microsoft Intune, navigate to a computer's history and click the macOS Intune Integration Logs category.

(I have not tested it, as we are still running 10.8, but as we have lots of issues with Intune integration, we're thankful to every additional feature and we will likely update very soon to 10.9)

@hansjoerg.watzl - how have you got on resolving your issue? We are having the same problems and currently testing 10.9 for production deployment.

Have you clicked on the Open Administrator consent URL and approved the Enterprise App?

I have this configured & successfully registered to Intune.

Once you are done to consent on application by clicking Open Administrator consent URL and tested the connection. You need to create a policy and configure payload "macOS Intune Integration" and published it in the Self Service/set policy triggering.

Makesure you already push Intune Company portal app to the machine and run the Policy. It will prompt you to login to Azure & register the Mac to Intune.

Notes : - Do not run Company portal app manually from the machine. Once you have configured register to Intune policy, it will pop start Company portal automatically. - Intune only can check on the compliance policy based on Device Health, Device property & System Security.

Can any of you tell me what JAMF > Intune gives you? I have rumblings of Intune at some client sites and it has me curious...
Thanks.

@scottb You can set conditional access on MS intune.

@George-x.chan - thank you. Forgot about this thread...do you find this works well?

@scottb yeah for the most part it does work quite well. there were a couple times where Intune didn't pass the password compliance policy although it was set correctly. We ended up having to re-register into Intune which done the trick.

The best part of having conditional access set up is we're seeing users logging calls to question why they're getting MFA prompts for O365 - the reason being they're not registered into intune / enrolled into Jamf thus allowing us to discover "unknown" macs.

@George-x.chan - thank you. Appreciate the info...

I don't think really any vendor/solution is doing conditional access properly. The jamf + Intune integration doesn't do much unless you are gate-keeping everything by MSFT SSO. Also, for those that do use it, how long does it take to sync Mac system state data to Intune? Intune is not really good at rapidly doing anything, except at Autopilot. That is for the management piece of it anyway.

Can anyone give examples of how they are actually leveraging this? I am looking to start to build conditional access in 2020

Can anyone give examples of how they are actually leveraging this? I am looking to start to build conditional access in 2020

This is what I need too. I keep asking, and I can't see a lot of benefit to it (yet). We get lots of folks that must have been told otherwise because I'm getting this more and more...

My problem is I don't want to wait hours/days for data to sync from jamf to Intune to stop someone from accessing a resource. Lets toss a real world scenario into play. You have a senior developer leave your Org for a new job. They day they leave, all their access should be cut to all systems. This should be done via a triggered event, or an event based workflow so it happens as soon as it can. You don't want someone with prod access who leaves the Org to have an active account. Someone's system gets compromised, and your EDR/DLP/whatever-security-tool detects it, and now you need to quarantine that system and probably that account to mitigate all risks. Now lets take into account all OS and third party app patching, you want to access a captive portal or some app via SAML/SSO, and you are using a known vulnerable web browser, how do we make sure we stop you from doing so?

HR software solutions can take care of the off boarding stuff and they can ship events, or at least the few I know of can. What I don't want is something to trigger an event to cut off conditional access, and it then take hours to days to sync to kick in. I am not sure this tool exists yet either, but I am highly interested in it