Posted on 01-09-2024 02:14 AM
Hello. Using hybrid-joined Azure, we appear to have an issue with our Conditional Access configuration between Jamf and Entra. We have configured Jamf Device Compliance with a Compliance Test Group and an Application Group; the connection verification status between Jamf and Intune is confirmed as Success, and partner compliance management is configured.
A group of test Macs in Jamf have the Company Portal and Intune integration policies installed, and they are registered in Entra.
We have configured Conditional Access policies in Intune and targeted all cloud apps, but when we run the CA policy we are locked out of cloud apps because, according to the Entra sign-in logs, the Mac is non-compliant.
Am I missing something?
01-09-2024 05:50 AM - edited 01-09-2024 05:50 AM
@dav25bangor If the Mac is showing as compliant in Entra ID (the 2nd screen shot in your post) that implies your access rules are not set up correctly in Intune to allow Entra ID compliant Macs access. You'd want someone who really understands the "logic" (quoted because I find it anything but logical) that Microsoft uses for those rules to review your configuration because it's pretty easy to have conflicting rules which will prevent the expected access.
Posted on 01-11-2024 08:39 AM
@AJPinto and @sdagley, thank you for the pointers. It appears we had a couple of issues which masked the problem, one of them being the tenancy stopping the installation of the OneDrive sync client on the Mac. The other issue was related to configuring Jamf Connect for Entra with Conditional Access:
Integrating Jamf Connect with Microsoft Entra ID - Jamf Connect Documentation 2.31.0 | Jamf document updated 10/1/2024. Thanks again, we may just have this sorted...
01-09-2024 05:30 AM - edited 01-09-2024 05:31 AM
As you said, all your syncing is working, so there is not much in JAMF to check.
Literally everything else is on the Azure side. I would suggest opening a ticket with Microsoft or starting a discussion on Technet.
High-level things to check on the Azure side.
We stood up Conditional Access in the 4th quarter of last year and learned it is really just not worth it. You can target the same compliance and non-compliance groups with JAMF app restrictions and force quit apps for non-compliant devices, and basically perform conditional access with just JAMF and not deal with Azure at all. Devices also love to just stop syncing, which requires device-level troubleshooting and often a re-register.