Jamf / Intune

rbingham917
New Contributor III

This one is driving me bonkers.

My org has integrated Intune with conditional access in our environment. I have set it up with the JAMF portal without issue. That connection is happy. I am able to run the command from Self Service or the trigger command, and they can all enroll successfully. But whenever my clients leave the network they keep getting asked to enroll within InTune, which will fail because it's not being invoked from Self Service.

I've been going the rounds with Microsoft, but I am wondering if any of you JAMF Jeniuses have been able to get this #&%* system to work properly. This is not a game breaker, but with it hitting our C level execs, it's a problem.

13 replies

gachowski
Valued Contributor II

We are looking at issues too.. my current thought is that the new 1.5 Company Portal app isn't registering machines correctly. They show correctly registered in Intune and Azure AD but it just doesn't work. I have version 1.1 of that app and that looks like it might be working better.

C

Stevie
Contributor

Hi,

We have the same issue at our site and Microsoft support are currently looking into the issue for us. At this stage it looks like the issue is with InTune and the Company Portal app (version 1.5) not triggering the sign-in process correctly after the app has enrolled. Microsoft have told me they can see the traffic to Azure but it's not responding.

They should be calling me next week and they wanted to remove all the settings from both the Jamf cloud and Azure services and set them back up again. I will post Microsoft findings as soon as I know.

Regards

Steve

gachowski
Valued Contributor II

@Stevie

Let MS know that "other" customers are seeing the same issue... Also can you post if the "remove all the settings" works... Our Intune guy doesn't think that will help or we would have done that already.. Also if you want to share your MS ticket number I will open a ticket in our portal and add that to our ticket when I get back from my Memorial Day holiday.

Thanks

C

Stevie
Contributor

Thanks for the update. I am just trying an out of the box system which has no settings whatsoever and see if I can join it to our setup from my home address. I will update you later on how I get on.

Stevie
Contributor

Hello,

Sadly removing all the settings from InTune/Jamf Server and from the client didn't make any difference. I have tested with and without Zscaler installed. I also did a packet trace and didn't see any blocked URLs on port 80/443.

The laptop which I rebuilt and manually joined to the Jamf server didn't work.

I deleted the following items each test

rm -Rf "/Users/daviesst/Library/Application Support/com.microsoft.CompanyPortal"
rm -Rf /Users/daviesst/Library/Caches/CompanyPortal
rm -Rf /Users/daviesst/Library/Caches/com.microsoft.CompanyPortal
rm -Rf /Users/daviesst/Library/Preferences/com.microsoft.CompanyPortal.plist
rm -Rf /Users/daviesst/Library/Caches/jamfAAD

I also manually deleted all of the certs from the computer.

Our Microsoft case number is REG:118030717767867. A point of interest is that between the point I click down and the JamfAAD auth box should appear the Company Portal app does show a 1 in the dock before it quits.

Thanks

Steve
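The per-test reset Steve lists above is five hand-typed rm commands with a hard-coded user path, and the "Application Support" path contains a space that splits the argument unless it is quoted. The script below is an added example (not code from the thread or from Microsoft/Jamf) that wraps the same five locations in a function taking the home directory as a parameter, quotes every path, counts what it actually removed, and supports a DRY_RUN listing so an admin can see what would go before deleting anything. It assumes those five paths are the full set of Company Portal / jamfAAD state worth clearing, which is taken from the post and not independently verified.

```shell
#!/bin/sh
# Added example, not from the original thread. Reset of the Company Portal
# and jamfAAD client state at the locations Steve listed, made reusable:
#   - home directory comes from $1 (defaults to $HOME), not a fixed user
#   - every path is quoted, so "Application Support" stays one argument
#   - DRY_RUN=1 lists candidates on stderr instead of removing them
# The path list is assumed from the post to be complete; it is not verified.
# Prints (to stdout) the number of paths that existed and were handled.

reset_company_portal_state() {
    home="${1:-$HOME}"
    handled=0
    for rel in \
        "Library/Application Support/com.microsoft.CompanyPortal" \
        "Library/Caches/CompanyPortal" \
        "Library/Caches/com.microsoft.CompanyPortal" \
        "Library/Preferences/com.microsoft.CompanyPortal.plist" \
        "Library/Caches/jamfAAD"
    do
        target="$home/$rel"
        # Skip paths that are not present so the count reflects real work.
        if [ -e "$target" ]; then
            if [ "${DRY_RUN:-0}" = "1" ]; then
                printf 'would remove: %s\n' "$target" >&2
            else
                rm -Rf "$target"
            fi
            handled=$((handled + 1))
        fi
    done
    echo "$handled"
}
```

Usage: source the file and run `DRY_RUN=1 reset_company_portal_state /Users/someuser` first to review the list, then `reset_company_portal_state /Users/someuser` to perform the reset; with no argument it acts on the calling user's own home directory. Certificates in the keychain, which Steve removed by hand, are deliberately not touched here.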

rbingham917
New Contributor III

We just updated to 10.5, tested with a brand new machine that I have removed all entries from inTune, and AAD, and still nothing.

Is there any more granular logging that we can find? This issue is rather infuriating.

KyleEricson
Valued Contributor II

Yes, same issue here. Looks like Company Portal 1.5 is broken. I worked directly with the Microsoft product team on the older 1.4.2 Company Portal. I have created a support ticket with them.

Read My Blog: https://www.ericsontech.com

KyleEricson
Valued Contributor II

Guys try this tool I built then redo the registration: Removal Tool Intune. Also, Microsoft now allows you to delete devices synced by JAMF in Intune.

rbingham917
New Contributor III

Just got a wonderful email from my TAMs at both MS and JAMF that this issue, at least on my part, is a known product issue where you cannot get CA to work with Mobile Accounts.

They say that the Company Portal is unable to write to the keychain for Mobile users the same way that it is able to write for local accounts.

Both companies have said that they can submit feature requests for this, but it's unknown if or when they will be adopted.

KyleEricson
Valued Contributor II

I have a mix of mobile accounts and local accounts and CA works fine. I used Company Portal 1.4.2 & 1.5.

amcclelland
New Contributor

@rbingham917 I have a similar set up to yours, and the Jamf policies are working fine. But, Company Portal hangs when it tries to register with Intune and never completes. If I close out of Company Portal, the registration continues and will call up the keychain access for me to enter info, but then it tells me I need to install Jamf Native macOS connector for it to work. The oddest part? It's working for some users. I have about 5 users that are marked as compliant in Intune and Intune's CA is working as expected. Do you have a case# from MS that I can reference with my MS contact to see if he has any more insight?

gachowski
Valued Contributor II

@kerickson

While that delete button works in the GUI, the machines just come back in our portal... : ) I think we just need to be patient as MS will get there... we have to remember that this is only about 6 or 7 months old...

C

KyleEricson
Valued Contributor II

@gachowski Everyone always tags the wrong one: @kericson, not @kerickson. Yeah, I get it.