Jamf InTune Intergration issues

perryd
Contributor

So i have Jamf and intune talking fine the app ID is all good and all says its fine.

I can enrol from self service and the Mac shows in Azure as registered but then it never seems to talk to InTune to pass on the computer details and become compliant.

Is anyone else having trouble with this? I use version 1.5 of company portal but have had this issue since version 1.1. It worked once for one device but now its fully broken and nothing enrols correctly.

Any help would be amazing as even Microsoft have no idea and the case is still ongoing.

55 REPLIES 55

danreedphoto
New Contributor III

Yep. Went through this exact issue and Micro$oft is clueless.

All you have to do is have the user launch the App and sign in (AGAIN) until they get the "Compliant" screen.

f4b027f1373c43659d27614d31492ae1

danreedphoto
New Contributor III

Also, I'm assuming you created a dummy policy for "macOS"?

perryd
Contributor

Thanks for the reply I was really excited to think that was the answer but still no luck 😞

So if i enrol through Self Service its adds to Azure but no further but then if i run the portal app from applications it adds to InTune but fails to manage because of the JAMF MDM Profile already installed.
4ac8d6f6e26e4905ad0f0d79efccbb03

perryd
Contributor

would you be able to share any of your set up just to see if part of mine is wrong? It was half set up by a Microsoft Admin and Myself doing the Jamf side. I've recently been given Global Admin rights to Azure so i can scrap anything that has been set up and start again which i feel might be the way to go.

danreedphoto
New Contributor III

Sure. Let me put something together for you.

danreedphoto
New Contributor III

Part One:2285f9b41dbd49f3aa49d1109710ab17
cbb3060789df437ba0ba271aafde560d

You need TWO policies in JAMF. The first one forces the Company Portal App to all scoped Macs. Once deployed, you need a second policy in Self Service that the user uses to launch the Company Portal App. This second policy also has InTune integration enabled.

danreedphoto
New Contributor III

Part 2:

Log into Azure, find the Intune blade.

Click on "Create a compliance Policy"

Name it something logical.

Click on "Properties"

Create a policy. Nothing needs to be configured.

ddea176e38fd4817ad659af968b6c709
f2092dbba7894fec99e246ba578c932d
fc963484d7134d1d8ac357cf103bc6d6
f18a960c418440478a91c1b5f47e4ee1

Now the Company Portal App will check in and see there is a policy for the Mac. As long as your criteria is met, you are compliant.

danreedphoto
New Contributor III

Just an FYI on the MDM question you had: That makes no difference. I know it looks like it requires the Mac to be managed by Intune, but it doesn't care.

perryd
Contributor

Thanks for sharing all that mine is set up exactly the same. Do you have the Azure Jamf app set up as well? Also did you do anything with the "Jamf native OS connector" which it says you have to allow in the jamf intune settings?

danreedphoto
New Contributor III

Ah ha! That is the part your missing. You have to set that up. You will need your tenant information, but it's pretty straightforward.

That is absolutely step 1.

perryd
Contributor

Yeah i have all that set up as well but still no luck 😞

perryd
Contributor

I feel like its something to do with the Jamf Native OS connector it doesnt seem to be configured correctly but the details are greyed out and i cant edit them?

danreedphoto
New Contributor III

Just took a look at my Jamf Native macOS Connector Application and I have all kinds of options to choose from, so there is a permissions issue for you. You should also have a "Jamf Conditional Access" Application configured as well.

perryd
Contributor

24ff2306c64544fa90bf05e50eb8c63f

So seems to be some sort of SSL error im getting when running JamfAAD to register with Azure. I'm getting completely stuck on this now and neither Jamf or Microsoft seem to know a fix?!

dan-snelson
Valued Contributor II

On the off chance it saves someone's sanity, we're noticing massive delays between running the Jamf Pro policy to register a device and for the Intune portal to reflect the change:

  • Jamf Pro Policy Date: 6/18/2018, 11:39:00 AM
  • Intune Enrollment Date: 6/18/2018, 5:17:22 PM

--
Dan

thomasjweiss
New Contributor

Hello, everyone,

I have had about the same problem for many weeks: I registered a number of Macs via Self Service in Intune, but it didn't work on all devices, probably because of a temporary bug which is obviously fixes now. In Jamf all Macs are managed correctly, but Intune does not recognize them all as compliant. I can't delete the incorrectly registered devices in Intune either - according to support there is no possibility to do this so far.

But what I finally achieved: I registered the faulty devices again in Intune - via the Self Service and this time correctly. They now appear twice, once compliant.

First I had to delete a series of files, folders and entries on each client.

I deleted it in user/Library (if available of course and probably less would have sufficed):
- Application Support/com.microsoft.CompanyPortal.usercontext.info
- Application Support/com.microsoft.CompanyPortal
- Application Support/com.jamfsoftware.selfservice.mac
- Saved Application State/com.jamfsoftware.selfservice.mac.savedState
- Saved Application State/com.microsoft.CompanyPortal.savedState
- Preferences/com.microsoft.CompanyPortal.plist
- Preferences/com.jamfsoftware.selfservice.mac.plist
- Preferences/com.jamfsoftware.management.jamfAAD.plist
- Cookies/com.microsoft.CompanyPortal.binarycookies
- Cookes/com.jamf.management.jamfAAD.binarycookies

I also removed the following entries from the keychain (if available):
- com.microsoft.CompanyPortal.HockeySDK
- com.microsoft.CompanyPortal
- com.jamf.management. jamfAAD

After that I was able to re-register the Macs in Intune via the self service. With some devices I had to perform the registration process several times - but in the end it worked for all of them.

I hope this helps you all.

Thomas

dan-snelson
Valued Contributor II

Thanks for the detailed information, @thomasjweiss.

Two days ago, I opened a case with Microsoft.

Yesterday morning, I put my Stage lane nodes running Jamf Pro 10.5.0 in debug mode and then enrolled a fresh device via DEP and ran our Workplace Join policy with zero issues.

Yesterday afternoon, after speaking with the Microsoft technical support rep, Dominic Taylor (2RBConsulting Inc), I decided to close the case since I couldn't duplicate the issue.

In the case notes I received yesterday evening, here's an interesting, undocumented tid bit about Jamf's side (emphasis added):

More Information: Per our conversation, we also went over the "Consent" Experience that when a User that has Global Administration for Azure AD and Intune, that when they setup the JAMF App, they will have to give consent to allow the users to use the JAMF App to enroll through the Company Portal that is pushed out to the JAMF Self-Service Page.

Also, we did talk about the Mac PC "Heartbeat" on the JAMF side checks in every 4 hours. Which Dan did confirm with the JAMF Tech support that was talking with him as well.

  1. If the Mac PC is out of compliant, they will have to wait 4 hours for the Mac PC to check back in and get compliant again.

--
Dan

andymallins
New Contributor III

Did you ever resolve this Perry?

perryd
Contributor

@andymallins No still not resolved.

Seems to be some sort of SSL issue maybe at our end or somewhere between Microsoft and JAMF when JAMF tries to get the information from Azure and then push it back to InTune.

No idea 😞

lindell
New Contributor

Is anyone else trying to get this to work? Has anyone gotten this to work consistently and reliably?

I have to roll this out to ~3600+ Macs and I can't seem to get it to work the same way twice in a row.

gachowski
Valued Contributor II

@lindell

You are not the only one...

C

KyleEricson
Valued Contributor

See if this can help out. (https://www.jamf.com/jamf-nation/discussions/28815/company-portal-removal-script-based-on-microsoft-support)

I have been live with this feature since March, there are some odd issues, but for the most part, it just works. I have deployed to 150 Macs.

lindell
New Contributor

Just an update for others who may be dealing with this. It looks like we're having the same issue Perry described. Data from Azure can no longer be decrypted by our Jamf server. Jamf and Microsoft are looking into it. If you are trying to enabled conditional access in your environment, check your Jamf server logs for this error:

2018-06-30 04:40:07,623 [ERROR] [Thread-5   ] [AADIdSubmissionAction    ] -Could not extract user and device id from AAD token.
com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.

rihardsp
New Contributor III

Hi,

I had similar problems. In our case we hadn't assigned users to Jamf Native macOS Connector app. As soon as users were added, the device could be integrated.

Find Jamf Native macOS Connector under Azure Active Directory/Enterprise applications, select it and click "Sign-ins" under Activity, maybe you see failures there.

prbsparx
Contributor II
the Mac PC "Heartbeat" on the JAMF side checks in every 4 hours. Which Dan did confirm with the JAMF Tech support that was talking with him as well.

So, from when users register using the Jamf Intune integration to when Intune actually sees the device as registered is 4 hours?

KyleEricson
Valued Contributor

You can kick this sync off by running company Portal from applications after it has been registered. This will send the compliance info to Intune.

joe_bloom
New Contributor III

@prbsparx Hey, hope you're doing well. Heartbeat is to let Intune know that Jamf Pro is alive and operating. In response, Jamf Pro gets information about any failures with inventory, etc. It's decoupled from the registration. If you register a device, it should get reflected in Intune right away (within minutes).

One testing trick ... you can change the computer name and run a recon so that Jamf receives inventory from a device that is "different." When the inventory is different, Jamf Pro will communicate that change right away to Intune so that compliance can be reevaluated.

prbsparx
Contributor II

@kericson Company Portal isn't fully loading for me. I think this is because we disabled the ability for Macs to enroll in Intune. We were hoping it would prevent users from enrolling using Company Portal when opened outside of Self Service. Disabling the enrollment in Intune also seems to make it where when the Office apps say "you need to enroll" it actually redirects the user to Casper Suite instead of to "download company portal and register with Intune"

@joe.bloom Doing great, thanks for the quick comment on this one. I will play with that on another computer. Ok, the heartbeat makes sense. I'm seeing the same issue as @lindell whenever I register the device I'm testing with. I'll submit a ticket to my Jamf Buddy shortly.

It would be great to have more detailed documentation about the InTune integration:
1. What settings should we be using in Intune?
2. How do we make it where if a computer isn't registered the "register your computer" links in Office apps redirect to the Casper Suite DeviceRegistration page. (https://jss.domain.com:port/DeviceRegistration.html)
3. "Azure Active Directory ID" attribute in Computer > Local User Accounts - what do the different values mean and how can we troubleshoot?

In other words - the documentation on the Intune integration is rather lacking.

FOLIO_Admin
New Contributor

Hi, I am having a same issue with different condition.

ash-3.2$ sudo /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD gatherAADInfo -disable-cache-read -verbose
 verbose: Requesting Azure tenant info from jamf daemon
 verbose: Requesting device ID from Azure tenant xxxxx.onmicrosoft.com
xxxxxxxxxxx: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource value from request: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.
Trace ID: 
Correlation ID: 
Timestamp: 2018-10-19 08:50:23Z
bash-3.2$

rastogisagar123
Contributor

@dan-snelson i have observed so much inconsisteny in intune and jamf integration .sometime it works and sometime doesnt.

What is the exact process need to follow for registrion and intune setup

dan-snelson
Valued Contributor II

rastogisagar123
Contributor

@dan-snelson its already in place but the challenge is its not consistent

dan-snelson
Valued Contributor II

@rastogisagar Ah; two words: Bummer city.

I recommend engaging Jamf support.


--
Dan

ThijsX
Valued Contributor

Hi,

What for us increased 100% enrollment consistency was going into Azure AD to;
Azure AD -> Mobility ( MDM and MAM ) -> Configure Microsoft Intune -> Scope it to users/groups with users that are going to be enrolled.

This has increased from like 3/10 successful enrolments to 10/10 successful enrollments, Inventory data submitted in Intune within 1 minute.

We discovered this by setting this option for Windows 10 devices, and voila the macOS devices magically started enrolling.

603bb9e9a73e4263bfe2803de873ef96

rastogisagar123
Contributor

@txhaflaire Are you talking for jamf and intune integration

ThijsX
Valued Contributor

@rastogisagar yes, conditional access intergration.

rastogisagar123
Contributor

@txhaflaire gotca. Can you have complete walkthrough for jamf and intune integaration in a simpler way and how it should configure from mac client machine

ThijsX
Valued Contributor

jkryklywec
New Contributor III

we just set up with 10.6 and now upgraded to 10.7.1 in cloud, and the steps are I believe now different using NativeOSConnector in intune. we finally got it working, steps are different and now each user has an azure ID under users in JAMF, per user not device registration. we found references all over describing different ways of doing his and some are the older 1st method introduced end of 2017 when this function became available and then they changed it in I believe June 2018. would really love to see docs updated properly as I see many have issues with setup, and even having a MS Senior engineer on the phone, they were not even aware of the new setup steps. I am very nervous this function will break if/when they change the way this works again which I have heard, and then having clients become out of compliance and no one knowing how this is truly to be setup properly. Yes it works, but for now, who knows for how long. Better clearer and correct documentation is needed by both parties, we should not be the ones doing trial and error to see if we can get this to work, only to find out months later it stops working and no one told us why nor do they have a clue on the changes needed.