Jamf - Intune - Azure - Device Compliance Certificate untrusted

ericbenfer
Contributor III

We are using Jamf Device Compliance with InTune.

Following this tech paper, we have it working fairly well: Technical Paper: Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by...

When the end user goes through computer registration and JamfAAD opens they are prompted to "Always Allow" "Microsoft Workplace Join Key". This is expected and documented here. (Although it would be great to have a smoother workflow)
Our issue is the certificate in the login keychain for Device Compliance is not trusted for some reason. (See attached image)
[Attached image: Bad Cert.jpeg]

The cert seems to be issued by "MS-Organization-Access". I don't have that CA, and our Azure folks don't seem to know about it either.

Thoughts?

Eric


1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@ericbenfer You can ignore the lack of trust for that certificate. While your Mac may not trust it, the Device Compliance integration with Azure AD/Intune does.


12 Replies


That is what Microsoft also told us. Although that does not give me a warm and fuzzy feeling.

Every PKI bone in my body wants to fix this. I guess I will have to go against my instincts.

Thanks for confirming @sdagley
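For anyone who, like the original poster, wants to see exactly what is sitting in the login keychain before deciding to live with the trust warning, here is an added inspection script. It is not from the thread, Jamf or Microsoft. It exports every certificate from the login keychain with `security find-certificate`, prints subject and issuer for each, flags self-signed ones, and for any certificate issued by "MS-Organization-Access" asks macOS itself for a trust verdict with `security verify-cert`. It assumes a macOS host with the `security` and `openssl` command-line tools and the default `login.keychain-db` path; the PEM-splitting helper is plain POSIX sh so it can run anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf/Microsoft.
# Lists the certificates in the macOS login keychain, prints subject/issuer,
# and asks macOS to evaluate trust for any certificate issued by
# "MS-Organization-Access" (the issuer named in the thread).
# Assumes macOS `security` and an `openssl` CLI; the PEM splitter below is
# plain POSIX sh so it can run on any host.

# Split concatenated PEM certificates read from stdin into $1/cert_N.pem.
# Prints the number of certificates written.
split_pems() {
    dir=$1
    n=0
    out=""
    while IFS= read -r line; do
        case $line in
            "-----BEGIN CERTIFICATE-----")
                n=$((n + 1))
                out="$dir/cert_$n.pem"
                printf '%s\n' "$line" > "$out"
                ;;
            "-----END CERTIFICATE-----")
                if [ -n "$out" ]; then printf '%s\n' "$line" >> "$out"; fi
                out=""
                ;;
            *)
                if [ -n "$out" ]; then printf '%s\n' "$line" >> "$out"; fi
                ;;
        esac
    done
    echo "$n"
}

# Extract one distinguished-name field ("subject" or "issuer") from a PEM file.
# Handles both "subject=CN=x" (OpenSSL >= 1.1) and "subject= /CN=x" (older).
dn_field() {
    openssl x509 -in "$2" -noout -"$1" | sed "s/^$1= *//"
}

# Report one certificate: subject, issuer, self-signed flag and, for the
# Device Compliance certificate, how this Mac's trust store evaluates it.
describe_cert() {
    pem=$1
    subject=$(dn_field subject "$pem")
    issuer=$(dn_field issuer "$pem")
    printf 'subject: %s\n  issuer: %s\n' "$subject" "$issuer"
    if [ "$subject" = "$issuer" ]; then
        echo "  self-signed: yes"
    fi
    case $issuer in
        *MS-Organization-Access*)
            # The exit status of verify-cert is the local trust verdict; a failure
            # here is the same "not trusted" that Keychain Access shows.
            if security verify-cert -c "$pem" -p basic >/dev/null 2>&1; then
                echo "  macOS trust (basic policy): trusted"
            else
                echo "  macOS trust (basic policy): not trusted by this Mac"
            fi
            ;;
    esac
}

inspect_login_keychain() {
    keychain="$HOME/Library/Keychains/login.keychain-db"
    tmp=$(mktemp -d)
    security find-certificate -a -p "$keychain" | split_pems "$tmp" >/dev/null
    for pem in "$tmp"/cert_*.pem; do
        [ -f "$pem" ] || continue
        describe_cert "$pem"
    done
    rm -rf "$tmp"
}

# Only touch the keychain when explicitly asked, so the helpers can be
# sourced or exercised on a non-macOS host.
if [ "${1:-}" = "--inspect" ]; then
    inspect_login_keychain
fi
```

Run it as `sh inspect_keychain.sh --inspect` on the affected Mac. The output makes the thread's point concrete: the issuer is not in the Mac's trust store, so the local verdict is "not trusted", while the relying party that actually consumes the certificate is the Azure AD/Intune side, not macOS.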


K_SB
New Contributor

Hello,


May I ask a question about Jamf Pro and having these devices appear within Microsoft Entra?

MacJunior
Contributor III

We have registered our Mac fleet in Azure AD and they show up as "Compliant". When we turn on the compliance policy from Intune and people try to access our company resources, they get error messages like this one:

[Attached images: Screenshot 2023-09-07 at 09.14.14.png, 1.png]

If they use incognito mode in Chrome, for example, they get a window to select a certificate, then they have to enter their login password and hit "Always Allow" to be able to log in successfully to their email, for example.

Is that the normal behaviour? I'm definitely missing something here, so any tips?

sdagley
Esteemed Contributor II

@MacJunior When you say "We have registered our Mac fleet in Azure AD..." does that mean you used a Jamf Pro policy with the Microsoft Device Compliance payload to trigger the enrollment process via the Company Portal app? During that enrollment your users should have gone through the process of always allowing access to the certificate installed during enrollment.

Jamf revised their technical paper of the Device Compliance integration yesterday, and it does clarify some areas that weren't clear in older docs, so it might be helpful to review: https://learn.jamf.com/bundle/technical-paper-microsoft-intune-current/page/Device_Compliance_with_M...


MacJunior
Contributor III

Yeah, that explains why a small number of users are getting blocked while the majority are working fine with 0 issues. Thanks for highlighting this point.

MacJunior
Contributor III

I now have the second device that becomes "Not compliant" out of nowhere! But it's still a member of the compliance criteria smart group that I created. The interesting part is that under the MDM part it says "none". Anyone experience such a weird behaviour?

Yes I am having the same issue.

Raised with Jamf. Do you have a fix yet?

Not yet. The last thing they advised is to redo the integration between Jamf & Entra.

Will keep you posted.

sdagley
Esteemed Contributor II

For anyone running into the problem with Device Compliance enrollment breaking after the JSS 10.50 update, PI113193 is the Product Issue ID that's been assigned for it. You should probably contact your Customer Success rep if you've been impacted.

JM12
New Contributor

Did you ever get a resolution to this issue? I just had a lot of devices have the same falling out.

KS-Floww
New Contributor

The 11.01 upgrade should fix it.