
So I have Jamf and Intune talking fine; the app ID is all good and everything says it's fine.



I can enrol from Self Service and the Mac shows in Azure as registered, but then it never seems to talk to Intune to pass on the computer details and become compliant.



Is anyone else having trouble with this? I use version 1.5 of Company Portal but have had this issue since version 1.1. It worked once for one device, but now it's fully broken and nothing enrols correctly.



Any help would be amazing, as even Microsoft have no idea and the case is still ongoing.

Yep. Went through this exact issue and Micro$oft is clueless.



All you have to do is have the user launch the App and sign in (AGAIN) until they get the "Compliant" screen.




Also, I'm assuming you created a dummy policy for "macOS"?


Thanks for the reply. I was really excited to think that was the answer, but still no luck :(



So if I enrol through Self Service it adds to Azure but no further; but then if I run the portal app from Applications it adds to Intune but fails to manage because of the Jamf MDM profile already installed.


Would you be able to share any of your setup, just to see if part of mine is wrong? It was half set up by a Microsoft admin and myself doing the Jamf side. I've recently been given Global Admin rights to Azure so I can scrap anything that has been set up and start again, which I feel might be the way to go.


Sure. Let me put something together for you.


Part One:



You need TWO policies in Jamf. The first one forces the Company Portal app to all scoped Macs. Once deployed, you need a second policy in Self Service that the user uses to launch the Company Portal app. This second policy also has Intune integration enabled.


Part 2:



Log into Azure, find the Intune blade.



Click on "Create a compliance Policy"



Name it something logical.



Click on "Properties"



Create a policy. Nothing needs to be configured.








Now the Company Portal app will check in and see there is a policy for the Mac. As long as your criteria are met, you are compliant.


Just an FYI on the MDM question you had: That makes no difference. I know it looks like it requires the Mac to be managed by Intune, but it doesn't care.


Thanks for sharing all that; mine is set up exactly the same. Do you have the Azure Jamf app set up as well? Also, did you do anything with the "Jamf Native macOS Connector", which it says you have to allow in the Jamf Intune settings?


Ah ha! That is the part you're missing. You have to set that up. You will need your tenant information, but it's pretty straightforward.



That is absolutely step 1.


Yeah, I have all that set up as well but still no luck :(


I feel like it's something to do with the Jamf Native macOS Connector. It doesn't seem to be configured correctly, but the details are greyed out and I can't edit them?


Just took a look at my Jamf Native macOS Connector Application and I have all kinds of options to choose from, so there is a permissions issue for you. You should also have a "Jamf Conditional Access" Application configured as well.




So it seems to be some sort of SSL error I'm getting when running JamfAAD to register with Azure. I'm getting completely stuck on this now, and neither Jamf nor Microsoft seem to know a fix?!


On the off chance it saves someone's sanity, we're noticing massive delays between running the Jamf Pro policy to register a device and for the Intune portal to reflect the change:




  • Jamf Pro Policy Date: 6/18/2018, 11:39:00 AM

  • Intune Enrollment Date: 6/18/2018, 5:17:22 PM


Hello, everyone,



I have had about the same problem for many weeks: I registered a number of Macs via Self Service in Intune, but it didn't work on all devices, probably because of a temporary bug which is obviously fixed now. In Jamf all Macs are managed correctly, but Intune does not recognize them all as compliant. I can't delete the incorrectly registered devices in Intune either; according to support there is no possibility to do this so far.



But what I finally achieved: I registered the faulty devices again in Intune via Self Service, and this time correctly. They now appear twice, once compliant.



First I had to delete a series of files, folders and entries on each client.



I deleted these in the user's Library folder (if available, of course, and probably less would have sufficed):
- Application Support/com.microsoft.CompanyPortal.usercontext.info
- Application Support/com.microsoft.CompanyPortal
- Application Support/com.jamfsoftware.selfservice.mac
- Saved Application State/com.jamfsoftware.selfservice.mac.savedState
- Saved Application State/com.microsoft.CompanyPortal.savedState
- Preferences/com.microsoft.CompanyPortal.plist
- Preferences/com.jamfsoftware.selfservice.mac.plist
- Preferences/com.jamfsoftware.management.jamfAAD.plist
- Cookies/com.microsoft.CompanyPortal.binarycookies
- Cookies/com.jamf.management.jamfAAD.binarycookies



I also removed the following entries from the keychain (if available):
- com.microsoft.CompanyPortal.HockeySDK
- com.microsoft.CompanyPortal
- com.jamf.management.jamfAAD



After that I was able to re-register the Macs in Intune via Self Service. With some devices I had to perform the registration process several times, but in the end it worked for all of them.



I hope this helps you all.



Thomas


Thanks for the detailed information, @thomasjweiss.



Two days ago, I opened a case with Microsoft.



Yesterday morning, I put my Stage lane nodes running Jamf Pro 10.5.0 in debug mode and then enrolled a fresh device via DEP and ran our Workplace Join policy with zero issues.



Yesterday afternoon, after speaking with the Microsoft technical support rep, Dominic Taylor (2RBConsulting Inc), I decided to close the case since I couldn't duplicate the issue.



In the case notes I received yesterday evening, here's an interesting, undocumented tidbit about Jamf's side (emphasis added):



More Information: Per our conversation, we also went over the "Consent" experience: when a user that has Global Administrator for Azure AD and Intune sets up the Jamf app, they will have to give consent to allow the users to use the Jamf app to enroll through the Company Portal that is pushed out to the Jamf Self Service page.



Also, we did talk about the Mac "Heartbeat" on the Jamf side, which checks in every 4 hours. Dan did confirm this with the Jamf tech support that was talking with him as well.




  1. If the Mac is out of compliance, they will have to wait 4 hours for the Mac to check back in and get compliant again.


Did you ever resolve this Perry?


@andymallins No still not resolved.



Seems to be some sort of SSL issue, maybe at our end or somewhere between Microsoft and Jamf, when Jamf tries to get the information from Azure and then push it back to Intune.



No idea :(


Is anyone else trying to get this to work?
Has anyone gotten this to work consistently and reliably?



I have to roll this out to ~3600+ Macs and I can't seem to get it to work the same way twice in a row.


@lindell



You are not the only one...



C


See if this can help out.
(https://www.jamf.com/jamf-nation/discussions/28815/company-portal-removal-script-based-on-microsoft-support)



I have been live with this feature since March, there are some odd issues, but for the most part, it just works. I have deployed to 150 Macs.


Just an update for others who may be dealing with this. It looks like we're having the same issue Perry described: data from Azure can no longer be decrypted by our Jamf server. Jamf and Microsoft are looking into it. If you are trying to enable conditional access in your environment, check your Jamf server logs for this error:



2018-06-30 04:40:07,623 [error] [Thread-5   ] [AADIdSubmissionAction    ] -Could not extract user and device id from AAD token.
com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.

Hi,



I had similar problems. In our case we hadn't assigned users to the Jamf Native macOS Connector app.
As soon as users were added, the device could be integrated.



Find Jamf Native macOS Connector under Azure Active Directory / Enterprise applications, select it and click "Sign-ins" under Activity; maybe you will see failures there.


"the Mac "Heartbeat" on the Jamf side, which checks in every 4 hours. Dan did confirm this with the Jamf tech support that was talking with him as well."


So, from when users register using the Jamf Intune integration to when Intune actually sees the device as registered is 4 hours?

