So I have Jamf and Intune talking fine; the app ID is all good and everything says it's fine.
I can enrol from Self Service and the Mac shows in Azure as registered, but then it never seems to talk to Intune to pass on the computer details and become compliant.
Is anyone else having trouble with this? I use version 1.5 of Company Portal but have had this issue since version 1.1. It worked once for one device, but now it's fully broken and nothing enrols correctly.
Any help would be amazing, as even Microsoft have no idea and the case is still ongoing.
Thanks for the reply I was really excited to think that was the answer but still no luck 😞
So if I enrol through Self Service it adds to Azure but goes no further, but if I run the portal app from Applications it adds to Intune but fails to manage because of the Jamf MDM profile already installed.
Would you be able to share any of your setup just to see if part of mine is wrong? It was half set up by a Microsoft admin and me doing the Jamf side. I've recently been given Global Admin rights to Azure, so I can scrap anything that has been set up and start again, which I feel might be the way to go.
Log into Azure, find the Intune blade.
Click on "Create a compliance policy".
Name it something logical.
Click on "Properties"
Create a policy. Nothing needs to be configured.
Now the Company Portal app will check in and see there is a policy for the Mac. As long as your criteria are met, you are compliant.
I have had about the same problem for many weeks: I registered a number of Macs via Self Service in Intune, but it didn't work on all devices, probably because of a temporary bug which has obviously been fixed now. In Jamf all Macs are managed correctly, but Intune does not recognize them all as compliant. I can't delete the incorrectly registered devices in Intune either; according to support there is no possibility to do this so far.
But what I finally achieved: I registered the faulty devices again in Intune, via Self Service, and this time correctly. They now appear twice, once as compliant.
First I had to delete a series of files, folders and entries on each client.
I deleted the following in ~/Library (if present, of course; probably fewer would have sufficed):
- Application Support/com.microsoft.CompanyPortal.usercontext.info
- Application Support/com.microsoft.CompanyPortal
- Application Support/com.jamfsoftware.selfservice.mac
- Saved Application State/com.jamfsoftware.selfservice.mac.savedState
- Saved Application State/com.microsoft.CompanyPortal.savedState
I also removed the following entries from the keychain (if available):
- com.jamf.management.jamfAAD
After that I was able to re-register the Macs in Intune via Self Service. With some devices I had to perform the registration process several times, but in the end it worked for all of them.
I hope this helps you all.
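The cleanup above, as an added example script that is not part of the original post and not Jamf's or Microsoft's own tooling. It assumes the per-user paths listed in the post, that the keychain item is a generic-password item labelled com.jamf.management.jamfAAD (an assumption; adjust the label if your keychain shows something different), and that it runs as the logged-in user whose Library and login keychain hold the stale state.

```shell
#!/bin/sh
# Added example: reset the Company Portal / Self Service state that the post
# lists, then remove the JamfAAD keychain item, before re-running the
# Intune registration from Self Service. Not from the thread; paths and the
# keychain label are assumptions taken from the post.

# Paths relative to ~/Library, one per line (same list as the post).
state_paths() {
  cat <<'EOF'
Application Support/com.microsoft.CompanyPortal.usercontext.info
Application Support/com.microsoft.CompanyPortal
Application Support/com.jamfsoftware.selfservice.mac
Saved Application State/com.jamfsoftware.selfservice.mac.savedState
Saved Application State/com.microsoft.CompanyPortal.savedState
EOF
}

# remove_user_state <library_dir>
# Deletes each listed path under <library_dir> if it exists (file or folder)
# and prints how many were removed, so a second run reports 0.
remove_user_state() {
  lib="$1"
  removed=0
  state_paths | while IFS= read -r p; do
    if [ -e "$lib/$p" ]; then
      rm -rf -- "$lib/$p"
      removed=$((removed + 1))
    fi
    # the while runs in a subshell; hand the running total back via stdout
    echo "$removed"
  done | tail -n 1
}

# remove_jamfaad_keychain_item [label]
# Deletes every generic-password item carrying the label from the login
# keychain. security(1) only exists on macOS; elsewhere this is a no-op.
# delete-generic-password removes one match per call, hence the loop.
remove_jamfaad_keychain_item() {
  label="${1:-com.jamf.management.jamfAAD}"   # assumed label
  if ! command -v security >/dev/null 2>&1; then
    echo "security(1) not available; skipping keychain cleanup" >&2
    return 0
  fi
  while security find-generic-password -l "$label" >/dev/null 2>&1; do
    security delete-generic-password -l "$label" >/dev/null 2>&1 || break
  done
}

# Run for real only when invoked as: sh reset-portal-state.sh --run
if [ "${1:-}" = "--run" ]; then
  n=$(remove_user_state "$HOME/Library")
  echo "removed $n item(s) from ~/Library"
  remove_jamfaad_keychain_item
  echo "now re-run the Intune registration policy from Self Service"
fi
```

Run it once per user account that was registered, then trigger the registration policy again; as the post notes, some devices needed more than one attempt.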
Thanks for the detailed information, @thomasjweiss.
Two days ago, I opened a case with Microsoft.
Yesterday morning, I put my Stage lane nodes running Jamf Pro 10.5.0 in debug mode and then enrolled a fresh device via DEP and ran our Workplace Join policy with zero issues.
Yesterday afternoon, after speaking with the Microsoft technical support rep, Dominic Taylor (2RBConsulting Inc), I decided to close the case since I couldn't duplicate the issue.
In the case notes I received yesterday evening, here's an interesting, undocumented tidbit about Jamf's side (emphasis added):
More Information: Per our conversation, we also went over the "Consent" experience: when a user who has Global Administrator for Azure AD and Intune sets up the JAMF app, they will have to give consent to allow the users to use the JAMF app to enroll through the Company Portal that is pushed out to the JAMF Self Service page.
Also, we did talk about the Mac PC "Heartbeat" on the JAMF side, which checks in every 4 hours. Dan confirmed this with the JAMF tech support rep he was talking with as well.
- If the Mac PC is out of compliance, they will have to wait 4 hours for the Mac PC to check back in and get compliant again.
Just an update for others who may be dealing with this. It looks like we're having the same issue Perry described. Data from Azure can no longer be decrypted by our Jamf server. Jamf and Microsoft are looking into it. If you are trying to enable conditional access in your environment, check your Jamf server logs for this error:
2018-06-30 04:40:07,623 [ERROR] [Thread-5 ] [AADIdSubmissionAction ] -Could not extract user and device id from AAD token. com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.
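A way to check a Jamf Pro server log for the error quoted above, as an added example that is not part of the original post and not a Jamf tool. It assumes the on-prem log location /Library/JSS/Logs/JAMFSoftwareServer.log (an assumption; override with JSS_LOG) and the timestamp layout seen in the quoted line; the sample log it writes is constructed for the demonstration, with the quoted line as one of its entries.

```shell
#!/bin/sh
# Added example: detect the AADIdSubmissionAction token-extraction error in a
# Jamf Pro server log and report how often and when it occurred. Not from the
# thread; the default log path is an assumption.
JSS_LOG="${JSS_LOG:-/Library/JSS/Logs/JAMFSoftwareServer.log}"

# Exact text the post says to look for; the exception class is the most
# specific marker, the message text is the fallback if the class is wrapped.
AAD_ERR_CLASS='ExtractUserDeviceAADIdTokenException'
AAD_ERR_MSG='Could not extract user and device id from AAD token'

# count_aad_token_errors <logfile>: number of lines carrying the error.
count_aad_token_errors() {
  grep -c -e "$AAD_ERR_CLASS" -e "$AAD_ERR_MSG" "$1" || true
}

# first_aad_token_error <logfile>: "YYYY-MM-DD HH:MM:SS,mmm" of the earliest
# match (first two whitespace-separated fields of the log line), or nothing.
first_aad_token_error() {
  grep -e "$AAD_ERR_CLASS" -e "$AAD_ERR_MSG" "$1" | head -n 1 | awk '{print $1 " " $2}'
}

# last_aad_token_error <logfile>: timestamp of the most recent match.
last_aad_token_error() {
  grep -e "$AAD_ERR_CLASS" -e "$AAD_ERR_MSG" "$1" | tail -n 1 | awk '{print $1 " " $2}'
}

# aad_token_error_report <logfile>: one-line summary; exits 1 when the error
# is present so it can be used from a monitoring check.
aad_token_error_report() {
  n=$(count_aad_token_errors "$1")
  if [ "$n" -eq 0 ]; then
    echo "no AAD token extraction errors in $1"
    return 0
  fi
  echo "$n AAD token extraction error(s) in $1; first $(first_aad_token_error "$1"), last $(last_aad_token_error "$1")"
  return 1
}

# write_sample_log <path>: constructed sample (one INFO line, two ERROR lines)
# used only to demonstrate the functions offline.
write_sample_log() {
  cat > "$1" <<'EOF'
2018-06-30 04:35:12,001 [INFO ] [Thread-5 ] [AADIdSubmissionAction ] - Submitting AAD id for computer 42
2018-06-30 04:40:07,623 [ERROR] [Thread-5 ] [AADIdSubmissionAction ] -Could not extract user and device id from AAD token. com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.
2018-06-30 04:44:07,910 [ERROR] [Thread-5 ] [AADIdSubmissionAction ] -Could not extract user and device id from AAD token. com.jamfsoftware.conditionalaccess.extraction.userdeviceid.ExtractUserDeviceAADIdTokenException: Could not extract user device aad id from token.
EOF
}

if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp)
  write_sample_log "$sample"
  aad_token_error_report "$sample" || true
  rm -f "$sample"
elif [ -r "$JSS_LOG" ]; then
  aad_token_error_report "$JSS_LOG"
fi
```

Run it with --demo to see the constructed sample scored, or without arguments on the Jamf Pro server (as a user that can read the log) to check the live log; a non-zero exit means the error is present and the Azure token decryption problem described above should be raised with Jamf.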
I had similar problems. In our case we hadn't assigned users to the Jamf Native macOS Connector app. As soon as users were added, the device could be integrated.
Find Jamf Native macOS Connector under Azure Active Directory > Enterprise applications, select it and click "Sign-ins" under Activity; maybe you will see failures there.
@prbsparx Hey, hope you're doing well. Heartbeat is to let Intune know that Jamf Pro is alive and operating. In response, Jamf Pro gets information about any failures with inventory, etc. It's decoupled from the registration. If you register a device, it should get reflected in Intune right away (within minutes).
One testing trick ... you can change the computer name and run a recon so that Jamf receives inventory from a device that is "different." When the inventory is different, Jamf Pro will communicate that change right away to Intune so that compliance can be reevaluated.
@kericson Company Portal isn't fully loading for me. I think this is because we disabled the ability for Macs to enroll in Intune. We were hoping it would prevent users from enrolling using Company Portal when opened outside of Self Service. Disabling the enrollment in Intune also seems to make it where when the Office apps say "you need to enroll" it actually redirects the user to Casper Suite instead of to "download company portal and register with Intune"
@joe.bloom Doing great, thanks for the quick comment on this one. I will play with that on another computer. Ok, the heartbeat makes sense. I'm seeing the same issue as @lindell whenever I register the device I'm testing with. I'll submit a ticket to my Jamf Buddy shortly.
It would be great to have more detailed documentation about the Intune integration:
1. What settings should we be using in Intune?
2. How do we make it where if a computer isn't registered the "register your computer" links in Office apps redirect to the Casper Suite DeviceRegistration page. (https://jss.domain.com:port/DeviceRegistration.html)
3. "Azure Active Directory ID" attribute in Computer > Local User Accounts - what do the different values mean and how can we troubleshoot?
In other words - the documentation on the Intune integration is rather lacking.
Hi, I am having the same issue with a different condition.
bash-3.2$ sudo "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD" gatherAADInfo -disable-cache-read -verbose
verbose: Requesting Azure tenant info from jamf daemon
verbose: Requesting device ID from Azure tenant xxxxx.onmicrosoft.com
xxxxxxxxxxx: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource value from request: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. Resource app ID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000. Trace ID: Correlation ID: Timestamp: 2018-10-19 08:50:23Z
bash-3.2$
What for us increased enrollment consistency to 100% was going into Azure AD to:
Azure AD -> Mobility (MDM and MAM) -> Configure Microsoft Intune -> scope it to users/groups containing the users that are going to be enrolled.
This took us from about 3/10 successful enrollments to 10/10 successful enrollments, with inventory data submitted to Intune within 1 minute.
We discovered this by setting this option for Windows 10 devices, and voilà, the macOS devices magically started enrolling.
@rastogisagar Here is a 3-part guide on how to set it up, apart from the Intune configuration I posted about earlier.
We just set up with 10.6 and have now upgraded to 10.7.1 in the cloud, and the steps are, I believe, now different, using the Native macOS Connector in Intune. We finally got it working; the steps are different, and now each user has an Azure ID under Users in Jamf, so it is per-user, not device, registration.
We found references all over describing different ways of doing this, and some are the older first method introduced at the end of 2017 when this function became available; they then changed it in, I believe, June 2018. I would really love to see the docs updated properly, as I see many have issues with setup, and even with an MS senior engineer on the phone, they were not even aware of the new setup steps.
I am very nervous this function will break if/when they change the way this works again, which I have heard, and then clients will become out of compliance with no one knowing how this is truly to be set up properly. Yes, it works, but for now; who knows for how long. Better, clearer and correct documentation is needed from both parties. We should not be the ones doing trial and error to see if we can get this to work, only to find out months later that it stops working and no one told us why, nor do they have a clue about the changes needed.