Posted on 06-13-2018 03:51 AM
So I have Jamf and Intune talking fine; the app ID is all good and everything says it's fine.
I can enrol from Self Service and the Mac shows in Azure as registered, but then it never seems to talk to Intune to pass on the computer details and become compliant.
Is anyone else having trouble with this? I use version 1.5 of Company Portal but have had this issue since version 1.1. It worked once for one device, but now it's fully broken and nothing enrols correctly.
Any help would be amazing, as even Microsoft have no idea and the case is still ongoing.
Posted on 06-13-2018 05:34 AM
Yep. Went through this exact issue and Micro$oft is clueless.
All you have to do is have the user launch the App and sign in (AGAIN) until they get the "Compliant" screen.
Posted on 06-13-2018 05:36 AM
Also, I'm assuming you created a dummy policy for "macOS"?
Posted on 06-13-2018 06:50 AM
Thanks for the reply I was really excited to think that was the answer but still no luck :(
So if I enrol through Self Service it adds to Azure but no further, but then if I run the Portal app from Applications it adds to Intune but fails to manage because of the Jamf MDM profile already installed.
Posted on 06-13-2018 06:51 AM
Would you be able to share any of your setup, just to see if part of mine is wrong? It was half set up by a Microsoft admin and myself doing the Jamf side. I've recently been given Global Admin rights to Azure, so I can scrap anything that has been set up and start again, which I feel might be the way to go.
Posted on 06-13-2018 07:03 AM
Sure. Let me put something together for you.
Posted on 06-13-2018 07:09 AM
Part One:
You need TWO policies in JAMF. The first one forces the Company Portal App to all scoped Macs. Once deployed, you need a second policy in Self Service that the user uses to launch the Company Portal App. This second policy also has InTune integration enabled.
Posted on 06-13-2018 07:29 AM
Part 2:
Log into Azure, find the Intune blade.
Click on "Create a compliance Policy"
Name it something logical.
Click on "Properties"
Create a policy. Nothing needs to be configured.
Now the Company Portal App will check in and see there is a policy for the Mac. As long as your criteria is met, you are compliant.
Posted on 06-13-2018 07:46 AM
Just an FYI on the MDM question you had: That makes no difference. I know it looks like it requires the Mac to be managed by Intune, but it doesn't care.
Posted on 06-13-2018 08:20 AM
Thanks for sharing all that mine is set up exactly the same. Do you have the Azure Jamf app set up as well? Also did you do anything with the "Jamf native OS connector" which it says you have to allow in the jamf intune settings?
Posted on 06-13-2018 10:14 AM
Ah ha! That is the part you're missing. You have to set that up. You will need your tenant information, but it's pretty straightforward.
That is absolutely step 1.
Posted on 06-14-2018 12:40 AM
Yeah, I have all that set up as well but still no luck :(
Posted on 06-14-2018 02:01 AM
I feel like it's something to do with the Jamf Native OS connector; it doesn't seem to be configured correctly, but the details are greyed out and I can't edit them?
Posted on 06-14-2018 05:43 AM
Just took a look at my Jamf Native macOS Connector Application and I have all kinds of options to choose from, so there is a permissions issue for you. You should also have a "Jamf Conditional Access" Application configured as well.
Posted on 06-18-2018 06:10 AM
So it seems to be some sort of SSL error I'm getting when running JamfAAD to register with Azure. I'm getting completely stuck on this now and neither Jamf nor Microsoft seem to know a fix?!
Posted on 06-18-2018 07:39 PM
On the off chance it saves someone's sanity, we're noticing massive delays between running the Jamf Pro policy to register a device and for the Intune portal to reflect the change:
Posted on 06-22-2018 02:08 AM
Hello, everyone,
I have had about the same problem for many weeks: I registered a number of Macs via Self Service in Intune, but it didn't work on all devices, probably because of a temporary bug which has obviously been fixed now. In Jamf all Macs are managed correctly, but Intune does not recognize them all as compliant. I can't delete the incorrectly registered devices in Intune either; according to support there is no possibility to do this so far.
But what I finally achieved: I registered the faulty devices again in Intune - via the Self Service and this time correctly. They now appear twice, once compliant.
First I had to delete a series of files, folders and entries on each client.
I deleted these in user/Library (if present, of course, and probably fewer would have sufficed):
- Application Support/com.microsoft.CompanyPortal.usercontext.info
- Application Support/com.microsoft.CompanyPortal
- Application Support/com.jamfsoftware.selfservice.mac
- Saved Application State/com.jamfsoftware.selfservice.mac.savedState
- Saved Application State/com.microsoft.CompanyPortal.savedState
- Preferences/com.microsoft.CompanyPortal.plist
- Preferences/com.jamfsoftware.selfservice.mac.plist
- Preferences/com.jamfsoftware.management.jamfAAD.plist
- Cookies/com.microsoft.CompanyPortal.binarycookies
- Cookies/com.jamf.management.jamfAAD.binarycookies
I also removed the following entries from the keychain (if available):
- com.microsoft.CompanyPortal.HockeySDK
- com.microsoft.CompanyPortal
- com.jamf.management.jamfAAD
After that I was able to re-register the Macs in Intune via the self service. With some devices I had to perform the registration process several times - but in the end it worked for all of them.
I hope this helps you all.
Thomas
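The per-user cleanup Thomas lists above, as an added shell example; it is not from the thread, Jamf or Microsoft. It assumes the home directory of the affected user is passed as the first argument (defaulting to $HOME), that the keychain items carry the labels he names, and that the macOS `security` tool is present for the keychain step (it is skipped where it is not, and can be skipped explicitly with a second argument of `nokeychain`).

```shell
#!/bin/sh
# Added example (not Jamf's or Microsoft's code): remove the Company Portal,
# Self Service and jamfAAD state files that Thomas lists, so the Mac can be
# re-registered from Self Service. Quit Company Portal and Self Service first.
#
# Usage: reset_companyportal_state [home_dir] [keychain|nokeychain]
# Prints the number of files/folders it removed.
reset_companyportal_state() {
  home="${1:-$HOME}"            # assumption: target user's home directory
  keychain="${2:-keychain}"     # pass "nokeychain" to leave the keychain alone
  lib="$home/Library"
  removed=0

  # Paths relative to ~/Library, exactly as listed in the post.
  for rel in \
    "Application Support/com.microsoft.CompanyPortal.usercontext.info" \
    "Application Support/com.microsoft.CompanyPortal" \
    "Application Support/com.jamfsoftware.selfservice.mac" \
    "Saved Application State/com.jamfsoftware.selfservice.mac.savedState" \
    "Saved Application State/com.microsoft.CompanyPortal.savedState" \
    "Preferences/com.microsoft.CompanyPortal.plist" \
    "Preferences/com.jamfsoftware.selfservice.mac.plist" \
    "Preferences/com.jamfsoftware.management.jamfAAD.plist" \
    "Cookies/com.microsoft.CompanyPortal.binarycookies" \
    "Cookies/com.jamf.management.jamfAAD.binarycookies"
  do
    target="$lib/$rel"
    if [ -e "$target" ]; then
      rm -rf -- "$target"
      removed=$((removed + 1))
    fi
  done

  # Keychain items (assumed to be generic passwords with these labels).
  # `security delete-generic-password -l` removes one match per call, so loop
  # until nothing is left. Only runs on macOS, where `security` exists.
  if [ "$keychain" = "keychain" ] && command -v security >/dev/null 2>&1; then
    for label in com.microsoft.CompanyPortal.HockeySDK \
                 com.microsoft.CompanyPortal \
                 com.jamf.management.jamfAAD
    do
      while security delete-generic-password -l "$label" >/dev/null 2>&1; do :; done
    done
  fi

  echo "$removed"
}

# Run directly with RUN_RESET=1 to clean the current user's state.
if [ "${RUN_RESET:-0}" = "1" ]; then
  reset_companyportal_state "$HOME"
fi
```

Run it as the affected user, then launch the Self Service registration policy again; as Thomas notes, the registration may need more than one attempt.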
Posted on 06-22-2018 06:27 AM
Thanks for the detailed information, @thomasjweiss.
Two days ago, I opened a case with Microsoft.
Yesterday morning, I put my Stage lane nodes running Jamf Pro 10.5.0 in debug mode and then enrolled a fresh device via DEP and ran our Workplace Join policy with zero issues.
Yesterday afternoon, after speaking with the Microsoft technical support rep, Dominic Taylor (2RBConsulting Inc), I decided to close the case since I couldn't duplicate the issue.
In the case notes I received yesterday evening, here's an interesting, undocumented tidbit about Jamf's side (emphasis added):
More Information: Per our conversation, we also went over the "Consent" Experience that when a User that has Global Administration for Azure AD and Intune, that when they setup the JAMF App, they will have to give consent to allow the users to use the JAMF App to enroll through the Company Portal that is pushed out to the JAMF Self-Service Page. Also, we did talk about the Mac PC "Heartbeat" on the JAMF side checks in every 4 hours. Which Dan did confirm with the JAMF Tech support that was talking with him as well.
- If the Mac PC is out of compliant, they will have to wait 4 hours for the Mac PC to check back in and get compliant again.
Posted on 06-28-2018 08:40 AM
Did you ever resolve this Perry?
Posted on 07-19-2018 12:32 AM
@andymallins No still not resolved.
Seems to be some sort of SSL issue maybe at our end or somewhere between Microsoft and JAMF when JAMF tries to get the information from Azure and then push it back to InTune.
No idea :(
Posted on 07-24-2018 08:14 AM
Is anyone else trying to get this to work? Has anyone gotten this to work consistently and reliably?
I have to roll this out to ~3600+ Macs and I can't seem to get it to work the same way twice in a row.
Posted on 07-24-2018 11:34 AM
Posted on 07-24-2018 12:03 PM
See if this can help out. (https://www.jamf.com/jamf-nation/discussions/28815/company-portal-removal-script-based-on-microsoft-support)
I have been live with this feature since March, there are some odd issues, but for the most part, it just works. I have deployed to 150 Macs.
Posted on 08-01-2018 05:47 AM
Just an update for others who may be dealing with this. It looks like we're having the same issue Perry described. Data from Azure can no longer be decrypted by our Jamf server. Jamf and Microsoft are looking into it. If you are trying to enable conditional access in your environment, check your Jamf server logs for this error:
2018-06-30 04:40:07,623 [ERROR] [Thread-5 ] [AADIdSubmissionAction ] -Could not extract user and device id from AAD token.
com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.
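A quick way to check a Jamf Pro server log for the failure quoted above and see whether it is a one-off or every registration is hitting it, as an added shell example (not from the thread or from Jamf). It assumes the log lines use the layout shown above (date, time with milliseconds, then bracketed level, thread and class) and that you pass the path to the server log file.

```shell
#!/bin/sh
# Added example (not Jamf's code): summarise AAD token extraction failures in
# a Jamf Pro server log. Prints "<count> <first timestamp> <last timestamp>",
# with "-" for the timestamps when there are no matches.
#
# Usage: aad_token_failure_summary /path/to/JAMFSoftwareServer.log
aad_token_failure_summary() {
  awk '
    # Only count the AADIdSubmissionAction line itself, not the stack trace
    # that follows it; the line starts "YYYY-MM-DD HH:MM:SS,mmm".
    /\[AADIdSubmissionAction/ && /Could not extract user and device id from AAD token/ {
      ts = $1 " " $2
      if (n == 0) first = ts
      last = ts
      n++
    }
    END { printf "%d %s %s\n", n, (n ? first : "-"), (n ? last : "-") }
  ' "$1"
}

# Run directly with a log path to see the summary for that file.
if [ -n "${1:-}" ] && [ -f "${1:-}" ]; then
  aad_token_failure_summary "$1"
fi
```

A count that keeps growing with every Self Service registration attempt, rather than a burst around one timestamp, points at the server-side token problem described in this post rather than a single bad client.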
Posted on 08-01-2018 06:59 AM
Hi,
I had similar problems. In our case we hadn't assigned users to Jamf Native macOS Connector app. As soon as users were added, the device could be integrated.
Find Jamf Native macOS Connector under Azure Active Directory/Enterprise applications, select it and click "Sign-ins" under Activity, maybe you see failures there.
Posted on 09-12-2018 10:41 AM
the Mac PC "Heartbeat" on the JAMF side checks in every 4 hours. Which Dan did confirm with the JAMF Tech support that was talking with him as well.
So, from when users register using the Jamf Intune integration to when Intune actually sees the device as registered is 4 hours?
Posted on 09-12-2018 10:43 AM
You can kick this sync off by running company Portal from applications after it has been registered. This will send the compliance info to Intune.
Posted on 09-12-2018 11:04 AM
@prbsparx Hey, hope you're doing well. Heartbeat is to let Intune know that Jamf Pro is alive and operating. In response, Jamf Pro gets information about any failures with inventory, etc. It's decoupled from the registration. If you register a device, it should get reflected in Intune right away (within minutes).
One testing trick ... you can change the computer name and run a recon so that Jamf receives inventory from a device that is "different." When the inventory is different, Jamf Pro will communicate that change right away to Intune so that compliance can be reevaluated.
Posted on 09-12-2018 11:49 AM
@kericson Company Portal isn't fully loading for me. I think this is because we disabled the ability for Macs to enroll in Intune. We were hoping it would prevent users from enrolling using Company Portal when opened outside of Self Service. Disabling the enrollment in Intune also seems to make it where when the Office apps say "you need to enroll" it actually redirects the user to Casper Suite instead of to "download company portal and register with Intune"
@joe.bloom Doing great, thanks for the quick comment on this one. I will play with that on another computer. Ok, the heartbeat makes sense. I'm seeing the same issue as @lindell whenever I register the device I'm testing with. I'll submit a ticket to my Jamf Buddy shortly.
It would be great to have more detailed documentation about the InTune integration:
1. What settings should we be using in Intune?
2. How do we make it where if a computer isn't registered the "register your computer" links in Office apps redirect to the Casper Suite DeviceRegistration page. (https://jss.domain.com:port/DeviceRegistration.html)
3. "Azure Active Directory ID" attribute in Computer > Local User Accounts - what do the different values mean and how can we troubleshoot?
In other words - the documentation on the Intune integration is rather lacking.
Posted on 10-19-2018 02:45 AM
Hi, I am having the same issue under a different condition.
bash-3.2$ sudo /Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD gatherAADInfo -disable-cache-read -verbose
verbose: Requesting Azure tenant info from jamf daemon
verbose: Requesting device ID from Azure tenant xxxxx.onmicrosoft.com
xxxxxxxxxxx: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource value from request: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.
Trace ID:
Correlation ID:
Timestamp: 2018-10-19 08:50:23Z
bash-3.2$
Posted on 10-19-2018 05:55 AM
@dan-snelson I have observed so much inconsistency in the Intune and Jamf integration. Sometimes it works and sometimes it doesn't.
What is the exact process that needs to be followed for registration and Intune setup?
Posted on 10-19-2018 07:20 AM
@rastogisagar You probably want to start with:
Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro.
Posted on 10-19-2018 07:51 AM
@dan-snelson It's already in place, but the challenge is it's not consistent.
Posted on 10-19-2018 08:12 AM
@rastogisagar Ah; two words: Bummer city.
I recommend engaging Jamf support.
Posted on 10-19-2018 10:59 AM
Hi,
What increased our enrollment consistency to 100% was going into Azure AD to:
Azure AD -> Mobility (MDM and MAM) -> Configure Microsoft Intune -> scope it to users/groups containing the users that are going to be enrolled.
This has increased from roughly 3/10 successful enrollments to 10/10 successful enrollments, with inventory data submitted to Intune within 1 minute.
We discovered this by setting this option for Windows 10 devices, and voilà, the macOS devices magically started enrolling.
Posted on 10-19-2018 01:23 PM
@txhaflaire Are you talking about the Jamf and Intune integration?
Posted on 10-19-2018 01:48 PM
@rastogisagar Yes, conditional access integration.
Posted on 10-19-2018 01:50 PM
@txhaflaire Gotcha. Can you provide a complete walkthrough of the Jamf and Intune integration in a simpler way, and how it should be configured from the Mac client machine?
Posted on 10-20-2018 01:29 AM
@rastogisagar Here is a 3-part guide on how to set it up, apart from the Intune configuration I posted about earlier.
Jamf Pro and Microsoft EMS better together – part 1
Jamf Pro and Microsoft EMS better together – part 2
Jamf Pro and Microsoft EMS better together – part 3
Posted on 10-20-2018 05:19 AM
We just set up with 10.6 and have now upgraded to 10.7.1 in the cloud, and I believe the steps are now different, using NativeOSConnector in Intune. We finally got it working; the steps are different, and now each user has an Azure ID under Users in Jamf, i.e. per-user rather than device registration. We found references all over describing different ways of doing this, and some are the older first method introduced at the end of 2017 when this function became available; then they changed it in, I believe, June 2018.
I would really love to see the docs updated properly, as I see many have issues with setup, and even with an MS senior engineer on the phone, they were not even aware of the new setup steps. I am very nervous this function will break if/when they change the way this works again, which I have heard, and then clients will become out of compliance with no one knowing how this is truly meant to be set up properly. Yes, it works, but for now; who knows for how long. Better, clearer and correct documentation is needed from both parties. We should not be the ones doing trial and error to see if we can get this to work, only to find out months later it stops working and no one told us why, nor do they have a clue about the changes needed.