Jamf-Intune Co-Existence Thoughts

Matt_Roy93
Contributor

I was wondering what people thought about the current state of Jamf - Intune Co-existence, having the device managed by Jamf but sending inventory info and compliance for CA to Intune?  Our grand plan is to have the M365 suite accessible off VPN by utilizing CA and compliance with Intune, has anyone else really explored all the features of this pairing and what are your thoughts?

 

 

Thanks!

1 ACCEPTED SOLUTION
5 REPLIES 5

bwoods
Valued Contributor

The Jamf/Intune integration is terrible. I would suggest managing device compliance with MCAS certificates. I highly recommend visiting the #jamf-intune-integration channel on Slack and you'll see the constant issues with the integration.

brandonpeek
New Contributor III

I just want to echo this sentiment.  We've given the standard approach to Intune integration a chance over the last two years or so and it has become progressively worse over time for various reasons.

  1. We use Microsoft Defender and one version release wiped out the keychain entries for Intune causing a need to re-register the devices -- and device registration is a pain because the existing Intune device records need to be managed in these cases.
  2. If someone forgets their password (and they will) accessing the system with the Filevault recovery key breaks the Intune integration and registration is required again (and this also again requires manages the Intune device records)
  3. You cannot customize the prompts coming from Microsoft Intune that ask people to "Enroll" their device and many will encounter scenarios where this messaging appears incorrectly and people action the prompts leading to duplicate device registation in Intune (which mean managing the Intune device records). 

A lot of effort in required to sustain the integration and working functionality, which is broken very easily with common occurences such as forgetting your password.  If you have a large environment it's very difficult to have all of the support technologists properly educated on supporting this integration and you will spend a majority of your time addressing Macs with broken integration that keep people from accessing their applications and being able to deliver work.  

 

We recently came across the MCAS option and are looking at this to see if we can make the switch.  

 

Matt_Roy93
Contributor

AHA I am not the only one who thinks its bad, I will need to look into this other option you suggested as our ORG is full steam ahead with Jamf/Intune.  Thanks!

 

AVmcclint
Honored Contributor

It has been a couple years since I had to deal with InTune integration, but I remember I hate hate hated it! It put too much responsibility on the user to make sure it happened. I hated that the integration was tied to the user account. I hated that it relied on the Mac Keychain - and we all know how fragile the keychain is even on a good day.  I hate that the integration broke EVERY DAY and it required Herculean efforts to completely remove all traces of InTune's files and certificates only to have the user go through the process of re-registering with InTune again.  I hate that the Company Portal was very confusing for the user. If their integration broke previously, they might see 3 or 4 copies of the same computer listed.  I hated how if Microsoft pushed an update to the InTune system, any new features would default to ON. This meant that any new conditions they added would be required for CA to work, but if it's a condition we didn't care about or prepare for, all the Macs would be denied access and it would send everyone scrambling to determine why. All the things that we would have set in InTune to allow access can easily be locked down and controlled using Jamf, so there really is no point in having an external system doublecheck and approve what Jamf is already doing. I agree with @bwoods in using the certificate method. If Jamf says you've checked off all the boxes, then that should be the authority that lets you in the door.