Jamf > Intune Integration

ranski
New Contributor

Hi all,

Has anyone got this working correctly, in terms of the Intune piece?

We are enrolling into Jamf, then registering into Intune just fine. However, our Macs are not pushing inventory across from Jamf into Intune; in turn we are seeing that device configurations and compliance policies are not applying: they either error or get stuck in a pending/evaluating status.

However, if I remove Jamf from the equation so that the Mac is only enrolled in Intune, all of the above works.

Thanks in advance
Richard


EmakinaGroup
New Contributor

You have to add one more step! You probably just configured the Company Portal installation, but you need to set up another policy for the actual registration in Azure AD.

Kr,
PY

ranski
New Contributor

Hi, this has been done.

Are your Macs showing s/w inventory in Intune?

hansjoerg_watzl
Contributor

The just released Jamf Pro version 10.9 has an interesting new feature, which could help you on troubleshooting Intune integration issues:

macOS Intune Integration Logs You can now view the inventory data sent to Microsoft Intune for each username associated with a computer when the macOS Intune Integration is enabled. To view which inventory attributes were sent to Microsoft Intune, navigate to a computer's history and click the macOS Intune Integration Logs category.

(I have not tested it, as we are still running 10.8, but as we have lots of issues with Intune integration, we're thankful to every additional feature and we will likely update very soon to 10.9)

jimmy-swings
Contributor II

@hansjoerg.watzl - how have you got on resolving your issue? We are having the same problems and currently testing 10.9 for production deployment.

Cayde-6
Valued Contributor

Have you clicked on the Open Administrator consent URL and approved the Enterprise App?

exactsoftware
New Contributor

I have this configured & successfully registered to Intune.

Once you have consented to the application by clicking Open Administrator consent URL and tested the connection, you need to create a policy, configure the "macOS Intune Integration" payload, and publish it in Self Service or set a policy trigger.

Make sure you have already pushed the Intune Company Portal app to the machine and run the policy. It will prompt you to log in to Azure and register the Mac to Intune.

Notes:
- Do not run the Company Portal app manually from the machine. Once you have configured the register-to-Intune policy, it will start Company Portal automatically.
- Intune can only check the compliance policy based on Device Health, Device Property and System Security.

scottb
Valued Contributor III

Can any of you tell me what JAMF > Intune gives you? I have rumblings of Intune at some client sites and it has me curious...
Thanks.

George-x_chan
New Contributor III

@scottb You can set conditional access on MS intune.

scottb
Valued Contributor III

@George-x.chan - thank you. Forgot about this thread...do you find this works well?

George-x_chan
New Contributor III

@scottb Yeah, for the most part it does work quite well. There were a couple of times where Intune didn't pass the password compliance policy although it was set correctly. We ended up having to re-register into Intune, which did the trick.

The best part of having conditional access set up is we're seeing users logging calls to question why they're getting MFA prompts for O365. The reason being they're not registered into Intune / enrolled into Jamf, thus allowing us to discover "unknown" Macs.

scottb
Valued Contributor III

@George-x.chan - thank you. Appreciate the info...

tlarkin
Honored Contributor

I don't think really any vendor/solution is doing conditional access properly. The jamf + Intune integration doesn't do much unless you are gate-keeping everything by MSFT SSO. Also, for those that do use it, how long does it take to sync Mac system state data to Intune? Intune is not really good at rapidly doing anything, except at Autopilot. That is for the management piece of it anyway.

Can anyone give examples of how they are actually leveraging this? I am looking to start to build conditional access in 2020

scottb
Valued Contributor III

Can anyone give examples of how they are actually leveraging this? I am looking to start to build conditional access in 2020

This is what I need too. I keep asking, and I can't see a lot of benefit to it (yet). We get lots of folks that must have been told otherwise because I'm getting this more and more...

tlarkin
Honored Contributor

My problem is I don't want to wait hours/days for data to sync from Jamf to Intune to stop someone from accessing a resource. Let's toss a real-world scenario into play. You have a senior developer leave your Org for a new job. The day they leave, all their access should be cut to all systems. This should be done via a triggered event, or an event-based workflow, so it happens as soon as it can. You don't want someone with prod access who leaves the Org to have an active account. Someone's system gets compromised, and your EDR/DLP/whatever-security-tool detects it, and now you need to quarantine that system and probably that account to mitigate all risks. Now let's take into account all OS and third-party app patching: you want to access a captive portal or some app via SAML/SSO, and you are using a known vulnerable web browser; how do we make sure we stop you from doing so?

HR software solutions can take care of the offboarding stuff and they can ship events, or at least the few I know of can. What I don't want is something to trigger an event to cut off conditional access, and then have it take hours to days to sync before it kicks in. I am not sure this tool exists yet either, but I am highly interested in it.