Intune Partner Integration | Disclosure—Jamf integration
Jamf and Microsoft Enterprise Mobility + Security (EMS) announced a partnership to provide an automated compliance management solution for Mac devices accessing applications set up with Azure AD authentication. EMS provides an identity-driven unified endpoint management solution that offers a holistic approach to solve mobility and security challenges as you go through the digital transformation. Jamf is the management standard for the Apple ecosystem. Together, Jamf delivers information about the management state and health of Mac devices to Microsoft Intune’s device compliance engine, which integrates with Azure AD Conditional Access to allow organizations to identify unmanaged and non-compliant Mac devices, and remediate them.
My boss and two teammates are at Ignite. I’ve asked them to go to the breakout session where this will be talked about. Hoping for some good notes. Will post what they find.
My initial thought is that we will at least get the One Drive for Business sync to be enabled due to Azure AD being able to identify a Mac as managed and owned.
We're excited to announce our new collaboration with Microsoft EMS. There are two big takeaways from this collaboration.
First, you will now be able to share your Jamf Pro macOS inventory with Intune for a centralized view of devices. You can drill into that macOS inventory record and see the status of that device. This will be great for reporting, and is similar to our existing SCCM plug-in that shares inventory with SCCM.
Second, we can now provide Conditional Access for Jamf managed Mac devices that are trying to access applications set up with Azure AD authentication. This allows you to protect your data by ensuring that 1) your user has proper authorization and authentication and 2) the device the user is on meets your compliance requirements. For example, let’s say our user is trying to access email, but the password is not strong enough. Intune will evaluate the compliance and prevent the user from accessing email until the password is fixed. We also provide an easy interface for remediation. The user is brought into Jamf Self Service to fix the compliance issue.
We will be providing more resources as they become available.
And here is a view of the Workflow
We will have more details for you in October at our Jamf Nation User Conference. A video will be available of the demo that Dean Hager gave at the Ignite Session as well.
Thanks for posting this as it is very interesting. When we considered Jamf as our MDM in December of 2016, we also looked at Intune and another potential MDM. Microsoft visited us for a few days and did kind of an Intune JumpStart, but at that time it did not meet our needs for things like ASM, multiple VPP tokens, or device based app assignment/management.
Being a predominantly Microsoft organization, I am interested to see where this goes but also realistic in my expectations. Kudos to both companies for working together on this and looking forward to learning more at JNUC 2017.
Just an FYI regarding JAMF Pro and Intune for iOS
We have not completed our Intune configuration, so I have no real-time experience with the app, but I understand this method is being used by organizations currently utilizing other MDM solutions.
I've been working with our MS Server team and we have managed to get a test device into Azure AD.
As we use network accounts on the Mac I'm looking for a way to pass their credentials to the Company Portal to 'hide' this step from the user rather than making them log in twice.
[b]View Azure Active Directory ID information in Jamf Pro[/b]
When a computer is registered with Azure Active Directory, you can view Azure Active Directory information for a user and a computer in Jamf Pro. To view Azure Active Directory ID information, navigate to the General tab in inventory information of a computer.
This isn't showing for the Mac; does this feature need the device to be compliant for it to show in Inventory -> General?
@tharr00 For iOS it looks like we are going to have to stick with App Based Conditional Access until the iOS version of Company Portal no longer requires the MDM profile from an Intune Server.
At the moment you can only use Microsoft Intune compliance policies with Azure Active Directory conditional access to ensure that macOS devices in your organization are compliant. For iOS devices (iPad and iPhone) it is not possible to use the Intune integration from Jamf. Is this macOS only, or is iOS able to do the Jamf-Intune co-management as well?
@Tad Basically the same as Jamf Pro. We would be using Jamf Pro if the entry point wasn't so expensive and I didn't have to have a minimum quantity of 50.
We're a small shop of 15 users and I'm an IT professional, but I can't justify the expense of Jamf Pro. Jamf Now is OK but needs more functionality so we can use it alongside Intune. We have Intune as part of Office 365 and Azure AD, but Microsoft's lack of good macOS management has us looking elsewhere. Jamf Now is starting to limit us, so I am looking around. At the moment I am testing SimpleMDM.
I have some general questions about the Intune Integration and maybe somebody has more know-how about this.
We already have a working configuration with an INTERNAL Jamf Pro server and Intune integration. This Jamf Pro server is our production system and contains about 800 enrolled Mac devices. About half of these devices are already registered in Intune and conditional access is working.
Now we want to replace this Jamf Pro server with a new Jamf Pro server which is accessible from the internet too. So the management URL will change to a public URL.
Our new server is now being installed and configured, so we want to do some tests (including Intune integration). As we have no test server, we would like to run both of these servers simultaneously as long as the new server is not ready for production.
And here comes the question:
Is it possible to configure TWO Jamf Pro servers (at the moment with different databases) to the same Intune Application ID?
As long as we have the valid tenant name, application ID and application key, I don't see why this should not be possible.
There's only one issue: the home page and reply URL, which is configured in Intune and links to our internal server at the moment. (But it could be changed in Intune.)
So, what is the technical meaning of this URL? Is it only used during the device registration (as the company portal app will be started from Self service and redirects to the Jamf pro server)? As far as I know, Intune will not directly access our JSS (it's even not possible with our current internal server). So only JSS will send the device inventory data to Intune and that's it?
So it should be possible to connect two different JSS to the same Azure tenant, even if they have different URLs?
And what happens to the already registered Mac devices from the old server? Does a new connector affect the state of these registrations? On the Azure AD / Intune portal device list I only see an Azure Computer device ID and an Azure User device ID. But neither should change if the device is re-enrolled to a new server, right?
There is not much information available about what will break an already registered device if nothing is changed on the device itself (same device ID, same user ID, same tenant ID, same conditional access rules still compliant... just a new JSS server and so a new MDM profile with a different management URL).
Of course we need to change the home page and reply URL in Intune before we can test some registrations from devices on the new server. But it should be possible to change this URL back after the test.