Jamf/Intune
Posted on 12-19-2024 01:54 AM
Morning All
I have been working for some time on getting our Macs compliant with Intune. It does seem to work.
The process seems extremely clunky with users running through the steps in Company Portal, which seems very user driven.
I'm sure I have read somewhere this process has become obsolete, is that right? Is there a better way?
Thanks

Posted on 12-19-2024 04:40 AM
I use this profile; send it out to all of your target machines, then run your device compliance install.
Posted on 12-19-2024 04:55 AM
What does it do?
I assume you still have to push Company Portal down to the device.

Posted on 12-19-2024 04:58 AM
Yes, push Company Portal, then this profile, which bypasses the user's browser settings.
Posted on 12-19-2024 04:59 AM
So they don't have to go through the config process with Company Portal, or it just makes it easier? Sorry for all the questions, thanks.

Posted on 12-19-2024 05:01 AM
Yes they do, but when the device compliance is initiated, it uses this profile to control it; the end user has to sign in and verify.

Posted on 12-19-2024 06:18 AM
Are you in Intune or Entra? The Intune Conditional Access was replaced with Entra Device Compliance when Microsoft made API updates last year. Devices should not have live Objects in Intune anymore, everything should be in Entra.
I completely agree this is a very clunky user driven process, mainly because Entra (and Intune before it) are driven by user identity, and there is no way to automate sorting out user identity so the user must be directly involved for just about all troubleshooting.
Posted on 12-19-2024 06:32 AM
Yep, Entra. I believe we had to make some changes when the update was done.

Posted on 12-19-2024 08:30 AM
On your question about whether there’s a better way: We moved away from the Entra Device Compliance workflow earlier this year because its functionality can be replicated more efficiently through other means that are far simpler to troubleshoot.
For example:
- Posture Checking via Security Clients:
  - Many security clients can perform posture checks and block processes (like Office apps) or restrict traffic (e.g., Outlook) if a device is non-compliant. This effectively mirrors the behavior of the Device Compliance workflow without requiring the same clunky user involvement.
- Jamf App Restrictions:
  - We use Jamf to target app restrictions at smart groups that define what a compliant device is. While this doesn’t provide a popup from Outlook saying “you can't access this resource,” the user still can’t use Outlook; it force quits with a clear message explaining what steps they need to take to regain compliance.
I plan to revisit Device Compliance in a few months as part of my 2025 review of Microsoft Defender and Purview for macOS. Until then, the alternative workflows have proven faster and less user-driven for us.
What we do may not be ideal for many organizations. However, we really have no need to have our Macs registered in Entra for anything else so it's an easy hassle to not deal with for me.
Posted on 12-21-2024 03:20 AM
This is the config profile that we used. Users still do have to do the "Register with EntraID", but this configuration script makes life a little easier.
