Jamf Intune Registration Failing

New Contributor III

Hi folks, hopefully someone can help.

I've arrived in a new role at a new organisation and in the last week we have seen a huge increase in devices becoming unregistered from Intune - previously this happened at a rate of around 1 per week, but I'd say there's been 10-15 devices in the last week with this issue.

Also, when users try to re-register their device via Self Service, it will go through all the steps (Self Service > Company Portal > Jamf Page) but not actually re-register the device.

In most cases, the solution is to remove the MDM and re-enrol.

I inherited this setup, but it was configured following this guide from Microsoft. Also, I don't have direct access to Intune (it's a financial company) but I can make requests for changes to be made on that end.

So - where do I start trying to troubleshoot this? What logs am I looking in? What errors am I looking for?



Contributor III

Ask the Intune/office 365 manager to remove the devices on their end, both in Intune/MEM and AzureAD, and ask them to tell you what they find. If, for example, they tell you that the device is already removed from Intune, I have a few users with this problem as well. If not, removing the registered device will allow you to re-register as a new device, rather than colliding with the old data. 
1- First, easy thing to test: Create a policy that runs the command "/usr/local/jamf/bin/jamfaad -verbose clean" on the affected machines, and then try re-enrolling them with Intune. 


2- Second, more difficult thing to try:

A few months ago, there was a bug that wiped keychains for us, and I kind of perfected the art of removing Intune registration without removing the entire Jamf MDM and re-enroll.

The instructions below are harvested from the "Cause 6" section of the article Troubleshooting Jamf Pro integration with Microsoft Intune - Intune | Microsoft Learn . You only need to follow the parts that remove Microsoft, Intune and Company Portal portions: 

  1. Ask your Office 365 provider to delete the Mac from AzureAD and Intune/MEM if it exists. The registered user should be able to do this at https://portal.manage.microsoft.com 

  2. Uninstall Company Portal from the Mac. 
  3. Delete the following files on the device if they exist:

    • /Library/Application Support/com.microsoft.CompanyPortal.usercontext.info
    • /Library/Application Support/com.microsoft.CompanyPortal
    • /Library/Saved Application State/com.microsoft.CompanyPortal.savedState
    • /Library/Preferences/com.microsoft.CompanyPortal.plist
    • /Users/<username>/Library/Cookies/com.microsoft.CompanyPortal.binarycookies
  4. Remove anything from the keychain on the device that references Microsoft, Intune, or Company Portal, including DeviceLogin.microsoft.com certificates. 


  5. Delete any of the following entries that you find:

    • Kind: Application password ; Account: com.microsoft.workplacejoin.thumbprint
    • Kind: Application password ; Account: com.microsoft.workplacejoin.registeredUserPrincipalName
    • Kind: Certificate ; Issued by: MS-Organization-Access
    • Kind: Identity preference ; Name (ADFS STS URL if present): https://<DNS NAME>.com/adfs/ls
    • Kind: Identity preference ; Name: https://enterpriseregistration.windows.net
    • Kind: Identity preference ; Name: https://enterpriseregistration.windows.net/
  6. Restart the Mac.

  7. Reinstall Company Portal

  8. Re-run Intune registration from Jamf Self Service.