Solved

Jamf Intune Conditional Access Integration


dav25bangor

Hello. Using hybrid-joined Azure, we appear to have an issue with our Conditional Access configuration between Jamf and Entra. We have configured Jamf Device Compliance with a Compliance Test Group and an Application Group; the connection verification status between Jamf and Intune is confirmed as Success, and partner compliance management is configured.

A group of test Macs in Jamf have the Company Portal and Intune integration policies installed, and they are registered in Entra.

We have configured Conditional Access policies in Intune and targeted all cloud apps, but when we run the CA policy we are locked out of cloud apps because, according to the Entra sign-in logs, the Mac is non-compliant.

Am I missing something?

Best answer by sdagley


3 replies

AJPinto
  • Legendary Contributor
  • 2716 replies
  • January 9, 2024

As you said, all your syncing is working, so there is not much in JAMF to check.

  1. Check your Smart groups and ensure they are configured correctly.
  2. Check the devices to make sure it is showing as compliant in JAMF.
  3. Check to make sure you are using the correct Compliance Group in Settings > Device Compliance.

Literally everything else is on the Azure side. I would suggest opening a ticket with Microsoft or starting a discussion on Technet.

High-level things to check on the Azure side:

  1. Make sure the device's activity is current.
  2. Make sure the device is showing as compliant (assuming it's compliant in JAMF).
  3. If either of these is not correct, the device needs to be re-registered.

We stood up Conditional Access in the 4th quarter last year and learned it is really just not worth it. You can target the same compliance and non-compliance groups at JAMF app restrictions and force-quit apps for non-compliant devices, and basically perform conditional access with just JAMF and not deal with Azure at all. Devices also love to just stop syncing, which requires device-level troubleshooting and often a re-register.


sdagley
  • Jamf Heroes
  • 3536 replies
  • Answer
  • January 9, 2024

@dav25bangor If the Mac is showing as compliant in Entra ID (the 2nd screen shot in your post) that implies your access rules are not set up correctly in Intune to allow Entra ID compliant Macs access. You'd want someone who really understands the "logic" (quoted because I find it anything but logical) that Microsoft uses for those rules to review your configuration because it's pretty easy to have conflicting rules which will prevent the expected access.
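To make sdagley's point about conflicting rules concrete, and AJPinto's point that the device object in Entra must actually carry the compliant flag, here is an added example (not from the original thread, and not Microsoft's evaluation engine): a simplified, offline model of how Conditional Access combines policies. Every enabled policy whose conditions match the sign-in must be satisfied, so a second policy that demands a control a registered Mac can never meet (for example "require hybrid joined device", which applies only to Windows devices with trustType ServerAd) blocks access even though the first policy is happy with a compliant device. The policy dictionaries mirror the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users/applications/platforms, grantControls.operator/builtInControls) but are constructed here; the user names and app name are placeholders.

```python
"""Simplified, offline model of Entra Conditional Access evaluation.

Added example for illustration only; the real engine has many more conditions
(locations, risk, client apps, session controls). Policy objects follow the
Graph conditionalAccessPolicy field names but are constructed for this demo.
"""
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    app: str
    platform: str        # "macOS", "windows", ...
    is_compliant: bool   # the isCompliant flag on the Entra device object
    trust_type: str      # "Workplace" (registered), "AzureAd" (joined), "ServerAd" (hybrid)
    did_mfa: bool = False


def _included(value: str, block: dict, inc_key: str, exc_key: str, wildcard: str) -> bool:
    """Generic include/exclude test used for users, apps and platforms."""
    if value in block.get(exc_key, []):
        return False
    included = block.get(inc_key, [])
    return wildcard in included or value in included


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when the policy's assignments match this sign-in."""
    cond = policy["conditions"]
    if not _included(s.user, cond.get("users", {}), "includeUsers", "excludeUsers", "All"):
        return False
    if not _included(s.app, cond.get("applications", {}),
                     "includeApplications", "excludeApplications", "All"):
        return False
    platforms = cond.get("platforms")
    if platforms and not _included(s.platform, platforms,
                                   "includePlatforms", "excludePlatforms", "all"):
        return False
    return True


def control_satisfied(control: str, s: SignIn) -> bool:
    """Whether one built-in grant control is met by this sign-in."""
    if control == "compliantDevice":
        return s.is_compliant
    if control == "domainJoinedDevice":      # "Require hybrid joined device"
        return s.trust_type == "ServerAd"    # macOS devices are Workplace-registered, never ServerAd
    if control == "mfa":
        return s.did_mfa
    if control == "block":
        return False
    raise ValueError(f"unknown control {control!r}")


def evaluate(policies: list, s: SignIn) -> tuple:
    """Return ("grant"|"block", [reasons]). All applicable enabled policies must pass."""
    reasons = []
    for p in policies:
        if p.get("state") != "enabled" or not policy_applies(p, s):
            continue
        grant = p["grantControls"]
        op = grant.get("operator", "AND")
        results = [control_satisfied(c, s) for c in grant["builtInControls"]]
        ok = all(results) if op == "AND" else any(results)
        if not ok:
            reasons.append(f"{p['displayName']}: {op} of {grant['builtInControls']} not met")
    return ("grant" if not reasons else "block"), reasons


# Constructed policies (placeholder names and accounts).
POLICY_COMPLIANT_MAC = {
    "displayName": "Require compliant device for all cloud apps (macOS)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["macOS"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}
POLICY_HYBRID_ONLY = {
    "displayName": "Require hybrid joined device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["domainJoinedDevice"]},
}


def demo() -> dict:
    """Compliant registered Mac: fine alone, blocked once the hybrid-join policy is added."""
    mac = SignIn("user@example.com", "Office365", "macOS", is_compliant=True, trust_type="Workplace")
    return {
        "single_policy": evaluate([POLICY_COMPLIANT_MAC], mac)[0],
        "with_conflict": evaluate([POLICY_COMPLIANT_MAC, POLICY_HYBRID_ONLY], mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the second scenario prints the blocking policy by name, which is exactly the kind of conflict the sign-in log's "non-compliant" verdict hides. When triaging a real tenant, the same two questions apply: does the Entra device object for the Mac actually have isCompliant set (the partner compliance write-back AJPinto's checklist covers), and does every enabled policy that matches the sign-in ask only for controls a registered Mac can satisfy.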


dav25bangor
  • Author
  • New Contributor
  • 1 reply
  • January 11, 2024

@AJPinto and @sdagley, thank you for the pointers. It appears we had a couple of issues which masked the problem, one of them being the tenancy stopping the installation of the OneDrive sync client on the Mac. The other issue was related to configuring Jamf Connect for Entra with Conditional Access:

Integrating Jamf Connect with Microsoft Entra ID - Jamf Connect Documentation 2.31.0 | Jamf document updated 10/1/2024. Thanks again, we may just have this sorted...

