Jamf/InTune macOS Device Compliance - Mac not being added to InTune

sakul
New Contributor III

I'm trying out the new PCM Device Compliance feature for macOS and am running into a problem. When running the "Microsoft Device Compliance" policy, it launches Company Portal, I login and it seems to complete the registration without issues. When I lookup the device in InTune, it's not there at all. In Azure I see the following:

  • Join Type: Azure AD registered
  • MDM: None
  • Compliant: N/A

I configured the feature according to this technical paper: https://learn.jamf.com/bundle/technical-paper-microsoft-intune-mobile-devices-current/page/Integrati...

Any help would be appreciated.

1 ACCEPTED SOLUTION

sakul
New Contributor III

I found the issue! It was a very dumb mistake on my part.

I had the "Applicable Group" and "Compliance Group" fields mixed up 🤦‍

In my defence, all the documentation I've seen first describes the "Applicable Group" and then the "Compliance Group", while the Jamf settings page has them the other way around. So if you're not paying attention, you might mix them up. I think the order as documented makes more sense.


17 REPLIES 17

sdagley
Esteemed Contributor II

@sakul The Device Compliance integration should only add your Mac to Azure AD, unlike the Conditional Access integration which added a record in both Azure AD and Intune.

sakul
New Contributor III

I see.

Why am I not getting any compliance information in Azure? It just says "N/A" under "Compliant" and MDM is "None".

sdagley
Esteemed Contributor II

@sakul Does Jamf Pro show your Device Compliance connection status as verified, and do you have the macOS platform enabled as shown below?

sakul
New Contributor III

Yes it does. I see no issues on the Jamf side.

I'm suspecting that there is a misconfiguration in our Azure AD, which I don't really have admin access to.

sraveendran
New Contributor

I am seeing the same issue as well.


pTmichaelm
New Contributor II

Hi @sakul 

I'm glad that you managed to find a solution to your problem.

I recently started using Jamf Pro (migrating from MS Intune) and currently, I'm setting the PCM device compliance feature.

The thing I couldn't figure out after reading the technical page you shared: only computers that are members of the Compliance Group are synced to Intune, and they are automatically set as "compliant" in Intune? So Jamf decides who is compliant and who is not according to group membership?

Not sure I understand the new flow...

Currently, in Azure AD, I have conditional access policies set which work fine with Intune-registered macOS devices. Will those policies still be relevant after I move all devices to Jamf?

Thanks!

sdagley
Esteemed Contributor II

@pTmichaelm With the old Conditional Access Jamf Pro/Intune integration the compliance evaluation was made in Intune based on the inventory data that Jamf Pro provided for enrolled devices. With the new Device Compliance integration a Jamf Pro Smart Group is used to determine compliance and Intune will receive a report of compliant devices.

pTmichaelm
New Contributor II

Thank you for clearing that up.

So basically I've done everything as instructed, the connection between Jamf and Azure is set up successfully, but I cannot see the devices in Azure. On my Mac, for instance, the Company Portal app shows that the device is not managed (screenshot attached). What am I missing?

We are currently in this same boat. We had our process working for years and newly enrolled MDM devices are now failing to register within Intune. The only item we've found thus far is that the connector status within Intune shows 'not enabled'. However, if you click on the macOS connector enterprise application it shows a sync date of this morning at 8:01 AM.

nadsad
New Contributor III

I thought I could share how we have done it (it's working, but not really, and it's getting frustrating, to be honest). We had issues as well in the beginning, and we also mixed up the two smart groups at first, meaning:

"Compliance Group: Smart computer group Jamf Pro will use to calculate device compliance." - The smart group connected to this setting is the one that tells Jamf that these devices are compliant; members of it will show in Azure with Compliant "Yes". If the device is not a member of this smart group, the compliance status will show "No".
So this smart group is where you want to set your criteria, for example that the firewall needs to be ON (just one example), in order to be a member of this group and count as compliant "Yes".


"Applicable Group: Smart group containing all computers Jamf Pro uses to send a compliance status to Microsoft Intune. This also makes the Register button available in Self Service." - The computer members of this smart group are what tells Jamf to send a status to Azure.

Now, remember that you won't find the device object in Intune (meaning endpoint.microsoft.com); the devices that have registered with Company Portal only show up in Azure AD under Devices, and that's where you will see the compliance status as well (Yes or No).


When we first registered devices with Company Portal we had issues. We were getting the message "You're all set!" and the device was showing up in Azure AD under Devices, BUT MDM was saying "None" and Compliant "N/A".


We later figured out, via other posts here in the Jamf community, that in the policy where you are running the "Microsoft Device Compliance - Register computers with Azure Active Directory" payload, you should also add a "Files and Processes" payload with "Execute Command" set to "jamf manage", so that "jamf manage" runs before registration.

After doing this, device registration to Azure was working every time. Devices were showing up in Azure with MDM "Microsoft Intune" and also the compliance status Yes/No.


The reason it wasn't working before running "jamf manage" was that the jamfAAD authentication prompt never popped up.

That authentication needs to be done. When it is done it also creates a .plist file called jamfAAD.plist, located under the user's folder: "/Users/$loggedInUser/Library/Preferences/com.jamf.management.jamfAAD.plist"
If that file has been created, you know the jamfAAD authentication was done correctly.
I can add that we automated the jamfAAD authentication as well by adding a configuration profile (CP) with these .plist settings:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>useWKWebView</key>
<true/>
</dict>
</plist>


I can also advise creating a CP for Microsoft Enterprise SSO for Company Portal:
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-int...


But... we are actually now facing a really strange issue. We had 4 test computers before running in production (I had 1 virtual machine and 3 physical machines), and when testing with them it works great. But we just had all the users register their devices: the registration part is working fine, and the users are members of the smart group that tells Jamf to send the status Compliant Yes to Azure, but... all of them show Compliant No. We have no clue why; our test machines are working even after reinstalling and re-registering them. If anyone is experiencing similar issues, please let us know how you solved it!
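The post above suggests checking for com.jamf.management.jamfAAD.plist as evidence that the jamfAAD authentication completed. As an added example (not code from the thread or from Jamf), here is an Extension Attribute style script that performs that check for the console user; the home directory argument to jamfaad_status is an assumption made so the check can be exercised outside macOS, and the plist existence is the only signal it uses.

```shell
#!/bin/sh
# Added example: report whether jamfAAD registration left its plist behind
# for the console user. Only the path named in the thread is assumed; the
# script makes no claim about the plist's contents.

PLIST_REL="Library/Preferences/com.jamf.management.jamfAAD.plist"

# Console user as Jamf scripts usually resolve it (macOS only; empty elsewhere).
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil 2>/dev/null \
        | awk '/Name :/ && !/loginwindow/ { print $3 }'
}

# jamfaad_status <home_dir>
# Prints "Registered" if the jamfAAD plist exists and is non-empty under
# <home_dir>, otherwise "Not registered". Returns 0 or 1 accordingly.
jamfaad_status() {
    home="$1"
    plist="${home%/}/${PLIST_REL}"
    if [ -s "$plist" ]; then
        echo "Registered"
        return 0
    fi
    echo "Not registered"
    return 1
}

# Extension Attribute entry point: wrap the result in <result> tags.
main() {
    user="$(console_user)"
    if [ -z "$user" ]; then
        echo "<result>No console user</result>"
        return 2
    fi
    home="$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{ print $2 }')"
    echo "<result>$(jamfaad_status "${home:-/Users/$user}")</result>"
}

# Only run the macOS-specific part on macOS so the functions can be reused.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```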

pTmichaelm
New Contributor II

@nadsad 

Amazing!! Thank you for the detailed guide! It actually worked!

One thing I cannot overcome is the policy pending issue.

I created a new "Microsoft Device Compliance - Register computers with Azure Active Directory" policy as you suggested, set the trigger to "Enrollment complete" and the execution frequency to "Once per computer", and when I enroll a new device and go to the policy log, I see it hangs there with a "Pending" status.

Any idea what can be the reason?


Tom_5G
New Contributor

Hi @nadsad,

All of the above steps are correct. One thing if you have not checked yet.

Go to Microsoft Intune Admin Center -> Tenant Administration -> Partner Compliance Management -> Select Jamf Device Compliance -> Go to Properties -> Check that the user you are trying to enroll with Intune is present in the AD group listed under Included Groups.


dhigCB
New Contributor

I have the same issue: only 1 out of 7 Macs is showing as compliant. Any further suggestions?

Tom_5G
New Contributor

If the enrolled user is not a part of the compliance group assignment in Azure it will not show up as compliant.

Mic
New Contributor II

I'm facing something different.

(Test) Device is shown in Azure AD but marked as compliant whilst it never was (on purpose). I already checked the smart groups without finding any issues: the "Compliance verified" smart group has 0 devices and the monitoring one has the test device.

Also, I noticed that the "Registered" and "Activity" date and time columns in Azure AD are showing the same values. Is "Activity" supposed to update instead?


kdpk
New Contributor II

Did you resolve this issue?
I have similar problems.