Jamf Intune Integration Keeps popping up

jabeyta
New Contributor II

Hello, I have a question. Has anyone else who has integrated Intune with Jamf had the JamfAAD pop-up appear continuously to re-register it? I have ours set to Self Service only, and almost every morning all the users get that pop-up, which is quite annoying. Any guidance would be greatly appreciated.

Thanks,

9 REPLIES

Matt_Roy93
Contributor

@jabeyta Hello! I have experienced this and have two things you will want to check:

1. Upon enrollment via the Intune policy leveraging the Company Portal app that is assumed to already be installed, are the users fully interacting with all the prompts that appear? More specifically, are they logging in the first time upon initial enrollment with the Company Portal app, then also logging into the AAD pop-up with MS account info and fully accepting the MS workplace key cert that appears? At this second step a webpage redirect will happen; according to Jamf Support this has to use Safari as the default browser or it can potentially break.

2. To resolve issues with users in an unresponsive state or with network issues, you can configure JamfAAD to recheck for a valid Azure AD token at check-in by using the tokenRetryCount and tokenRetryWaitTime preferences. By default, tokenRetryCount is set to zero retries and tokenRetryWaitTime is set to five seconds.

You can configure the JamfAAD check-in in the following ways:

- Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
- Run a script using a policy with the execution frequency of "Once per user per computer".

The following examples show how to configure the JamfAAD to retry three times with 42 seconds between each retry.


Example plist for config profile, preference domain: com.jamf.management.jamfAAD

Edit the timeout setting by replacing the key in the plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tokenRetryCount</key>
<integer>3</integer>
<key>tokenRetryWaitTime</key>
<integer>42</integer>
</dict>
</plist>
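For the script route mentioned above (a policy with execution frequency "Once per user per computer"), here is an added example of such a script. It is not Jamf's published script and not code from this thread. It assumes the preference domain com.jamf.management.jamfAAD from the plist above, that the retry values arrive as Jamf script parameters $4 and $5 (my choice, with 3 and 42 as fallbacks), and that JamfAAD reads these keys from the logged-in user's preference domain, which is why the script writes them as that user rather than as root (Jamf policy scripts run as root, while the JamfAAD agent runs in the user's GUI session).

```shell
#!/bin/bash
# Added example (not from the thread or from Jamf): set the JamfAAD token
# retry preferences from a Jamf policy script instead of a config profile.
#
# Assumptions (hypothetical, not from the page):
#   $1..$3  the mount point, computer name and username Jamf always passes
#   $4      tokenRetryCount     (default 3, the value used in the thread)
#   $5      tokenRetryWaitTime  (default 42 seconds, same source)
# The preference domain is the one from the plist above.

PREF_DOMAIN="com.jamf.management.jamfAAD"

# JamfAAD expects <integer> values; reject anything that is not 0-9 only.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Emit the same plist the config-profile route uploads, for review or for
# pasting into an Application & Custom Settings payload.
build_plist() {
    count="$1"; wait="$2"
    is_uint "$count" && is_uint "$wait" || return 1
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>tokenRetryCount</key>
    <integer>${count}</integer>
    <key>tokenRetryWaitTime</key>
    <integer>${wait}</integer>
</dict>
</plist>
EOF
}

# Name of the user who owns the console session (the session the
# com.jamf.management.jamfAAD.agent launch agent runs in). scutil is
# macOS-only; elsewhere fall back to the invoking user so the file can be
# sourced for testing.
console_user() {
    if command -v scutil >/dev/null 2>&1; then
        echo "show State:/Users/ConsoleUser" | scutil \
            | awk '/Name :/ && !/loginwindow/ { print $3 }'
    else
        id -un
    fi
}

# Write both keys into the console user's domain and read them back so the
# policy log shows exactly what JamfAAD will use at its next check-in.
# Returns 2 (and changes nothing) where defaults(1) does not exist.
apply_prefs() {
    count="$1"; wait="$2"; user="$3"
    is_uint "$count" && is_uint "$wait" \
        || { echo "retry values must be non-negative integers" >&2; return 1; }
    command -v defaults >/dev/null 2>&1 \
        || { echo "defaults(1) not available; nothing applied" >&2; return 2; }
    sudo -u "$user" defaults write "$PREF_DOMAIN" tokenRetryCount -int "$count"
    sudo -u "$user" defaults write "$PREF_DOMAIN" tokenRetryWaitTime -int "$wait"
    sudo -u "$user" defaults read "$PREF_DOMAIN"
}

main() {
    count="${4:-3}"; wait="${5:-42}"
    user="$(console_user)"
    if [ -z "$user" ]; then
        echo "no console user logged in; nothing to do" >&2
        exit 0
    fi
    apply_prefs "$count" "$wait" "$user"
}

# Jamf always supplies $1..$3, so only act when they are present; running the
# file with no arguments just defines the functions.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

To try it by hand on a test Mac, run it the way Jamf would: `sudo ./jamfaad_retry.sh / "$(hostname)" "$(id -un)" 3 42`. The `defaults read` at the end echoes the stored keys into the policy log. If a configuration profile already manages the same domain, the managed (MDM) values take precedence over what this script writes, so pick one deployment route per machine.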

jabeyta
New Contributor II

@Matt_Roy93 This is great! Thank you so much for getting back to me quickly. I believe the users have fully interacted successfully with the steps in step 1, although some users may not have had their browser set to Safari but are showing up successfully in Intune.

I believe I'll need to do step 2 in your recommendation, but I am very new to Jamf Pro, so I may need a little guidance on how to set that up. Would you mind taking a look and seeing what I'm doing wrong here?

[attachment: jabeyta_0-1643821812964.png]

Sorry for my minimal knowledge of this.


Matt_Roy93
Contributor

No worries at all, happy to help!

You will want to create a new config profile inside Jamf, select the Application and Custom Settings payload, select Upload, fill out the preference domain and paste the plist example I posted above, then make your edits to the values for <key>tokenRetryCount</key> and <key>tokenRetryWaitTime</key>. You will need to experiment with these values to find a balance between reducing the pop-up frequency and still having the machine check in with AAD. Name the config profile and save it with the correct scoping for test machines. I will also attach a screenshot below.

[attachment: Screen Shot 2022-02-02 at 11.21.55 AM.png]

jabeyta
New Contributor II

@Matt_Roy93 Thank you so much, I'll work on that! I greatly appreciate all of your help!

brushj
New Contributor III

This happened a while back when MSAL was broken in Chromium-based browser apps, and unless your default browser was set to Safari it would continue to prompt you to authenticate until you set the default browser and waited or forced a jamfAAD check-in.

This appears to be happening again. I was able to confirm it earlier on a machine that was set to Edge as the default browser and was constantly getting prompted. I had them change to Safari and ran a gatherAADInfo command, and they were able to successfully authenticate with the Safari prompt.

I opened a ticket with Jamf support again to see if this is the same issue again or not; still waiting to hear back.

This is the old thread that was similar to what we are seeing again. https://community.jamf.com/t5/jamf-pro/jamfaad-issue/m-p/237372

Matt_Roy93
Contributor

This is very annoying, as we set Edge as the default browser. I'd be interested to know if they have a timeline for when this will be fixed.

jabeyta
New Contributor II

@brushj Thank you. I would assume some of the users did not have Safari set as their default browser during this process. Let me know what support says when they get back to you. In the meantime I'll re-register the users with Intune, trying with Safari as their default.

MatG
Contributor III

MSAL is only supported on Safari. Chrome and Edge do not support MSAL. On Windows, MSAL in Chrome requires an extension, which only works on Windows.

https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en

SOKA2012
New Contributor

Hello all, we continue having this issue; do you have any update? We are using Jamf version 10.41.0-t1661887915. Every 2 hours we receive the AAD pop-up for registration. For information, we use Safari as the default browser.

Here is the log that generates the popup:


2022-10-13 10:27:29.796142-0400 0xf1a1 Default 0x0 1 0 launchd: [gui/502/com.jamf.management.jamfAAD.agent[11371]:] Successfully spawned JamfAAD[11371] because interval
2022-10-13 10:27:29.864644-0400 0xf1a8 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61861 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29] Not creating login keychain for performance optimization on macOS 10.15, because no items where previously found in it
2022-10-13 10:27:29.864663-0400 0xf1a8 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61861 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29] Failed to create secondary data source with error MaskedError(MSIDErrorDomain, -51100)
2022-10-13 10:27:29.922883-0400 0xf1a7 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61864 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29 - 093F0487-8815-4968-945C-DE08BB6E5F6E] [MSAL] No cached preferred_network for authority
2022-10-13 10:27:29.953795-0400 0xf1a7 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61864 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29 - 093F0487-8815-4968-945C-DE08BB6E5F6E] [MSAL] Didn't find app refresh token
2022-10-13 10:27:29.955121-0400 0xf1a7 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61864 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29 - 093F0487-8815-4968-945C-DE08BB6E5F6E] [MSAL] Didn't find family refresh token
2022-10-13 10:27:29.955147-0400 0xf1a7 Error 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61864 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29 - 093F0487-8815-4968-945C-DE08BB6E5F6E] Creating Error with description: No token matching arguments found in the cache, user interaction is required
2022-10-13 10:27:29.955347-0400 0xf1a7 Error 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61864 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:29 - 093F0487-8815-4968-945C-DE08BB6E5F6E] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002) Masked(not-null)
2022-10-13 10:27:30.033301-0400 0xf1af Error 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] TID=61861 MSAL 1.1.25 Mac 12.6.0 [2022-10-13 14:27:30 - 67150C06-A619-4D2B-A35D-880985C5FBDF] [MSAL] Start webview authorization session with webview controller class MSIDAADOAuthEmbeddedWebviewController:


Thanks in advance for your help
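The MSAL lines in the log above already state the cause of the pop-up: neither an app nor a family refresh token is in the cache, acquireTokenSilent fails with MSALErrorDomain -50002 ("user interaction is required"), and JamfAAD falls back to an interactive web view. The following is an added example, not code from this thread or from Jamf, that pulls those entries from the unified log and summarises which path was taken. The subsystem name and message strings are taken from the log posted above; the 2-hour default window and the `--live` flag are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): triage why the JamfAAD
# registration pop-up fired, using the MSAL messages seen in the log above.
#
# Usage (macOS):  sh jamfaad_triage.sh --live 2h
# Or feed saved output:  log show ... > aad.log; diagnose_jamfaad < aad.log

# Pull the last N (default 2h, matching the interval reported above) of
# JamfAAD's own subsystem plus launchd's spawn lines for its agent.
collect_jamfaad_log() {
    log show --last "${1:-2h}" --style syslog \
        --predicate 'subsystem == "com.jamf.management.jamfAAD" OR eventMessage CONTAINS "com.jamf.management.jamfAAD.agent"'
}

# Read log lines on stdin and print one diagnosis line. Each marker is a
# message that appears verbatim in the log posted in this thread.
diagnose_jamfaad() {
    spawned=0; no_app_rt=0; no_family_rt=0; silent_failed=0; webview=0
    while IFS= read -r line; do
        case "$line" in
            *"Successfully spawned JamfAAD"*)            spawned=1 ;;
            *"Didn't find app refresh token"*)           no_app_rt=1 ;;
            *"Didn't find family refresh token"*)        no_family_rt=1 ;;
            *"acquireTokenSilent returning with error"*) silent_failed=1 ;;
            *"Start webview authorization session"*)     webview=1 ;;
        esac
    done
    if [ "$webview" -eq 1 ] && [ "$silent_failed" -eq 1 ] \
       && [ "$no_app_rt" -eq 1 ] && [ "$no_family_rt" -eq 1 ]; then
        echo "interactive: no refresh token in the MSAL cache, so JamfAAD opened the sign-in web view"
    elif [ "$webview" -eq 1 ]; then
        echo "interactive: silent token request failed for another reason, check the MSAL error lines"
    elif [ "$spawned" -eq 1 ]; then
        echo "silent: JamfAAD ran without needing the web view"
    else
        echo "none: no JamfAAD activity in the supplied log lines"
    fi
}

# The lines SOKA2012 posted above, abbreviated to the fields the parser
# keys on, so the script can be exercised without a Mac.
sample_log() {
    cat <<'EOF'
2022-10-13 10:27:29.796142-0400 0xf1a1 Default 0x0 1 0 launchd: [gui/502/com.jamf.management.jamfAAD.agent[11371]:] Successfully spawned JamfAAD[11371] because interval
2022-10-13 10:27:29.953795-0400 0xf1a7 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] [MSAL] Didn't find app refresh token
2022-10-13 10:27:29.955121-0400 0xf1a7 Default 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] [MSAL] Didn't find family refresh token
2022-10-13 10:27:29.955347-0400 0xf1a7 Error 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002)
2022-10-13 10:27:30.033301-0400 0xf1af Error 0x0 11371 0 JamfAAD: [com.jamf.management.jamfAAD:msal] [MSAL] Start webview authorization session with webview controller class MSIDAADOAuthEmbeddedWebviewController:
EOF
}

# --live queries the unified log (macOS only); anything else runs the
# diagnosis over the sample above so the logic can be checked anywhere.
case "${1:-}" in
    --live) collect_jamfaad_log "${2:-2h}" | diagnose_jamfaad ;;
    --sample) sample_log | diagnose_jamfaad ;;
esac
```

When the result is the "no refresh token" case, raising tokenRetryCount only postpones the prompt; the user still has to complete the interactive sign-in once so MSAL can cache a refresh token. Run the script again after that sign-in and the same window should report the silent path.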