Posted on 11-18-2022 10:39 AM
Hello everyone,
We have a really frustrating issue and so far nothing has worked. We are moving from Intune MDM to Jamf MDM, but we are using Conditional Access, so the integration between Jamf and Intune must exist. The problem is that if you forget to remove the entries from Intune after resetting the device and you try to run the integration script, you will receive an error, and from that point nothing will work.
Steps to reproduce:
Have an entry of a MacBook enrolled with Intune
Wipe the macOS device and add it to the Jamf server
Run the integration script
Company Portal will open
Sign in with an AAD user
Complete the steps on screen and you will receive an error
Reset the logs for the integration script
Run the script again and, after finishing the Company Portal steps, the "Authentication for JamfAAD" prompt will open
A browser should open at this point, but nothing happens
What we tried so far:
Change default browser
Delete the entries from Jamf/Intune/AAD for the targeted device, wipe the device and retry
Delete the entries from Jamf, delete the MDM profiles and rejoin the device with user enrollment
Completely wipe the device and retry
Step 6 from Microsoft documentation: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-jamf#cause-...
Remove the device from ABM, reset the device, rejoin the device in ABM, retry the integration
Steps mentioned here: https://community.jamf.com/t5/jamf-pro/cannot-remove-profile/m-p/243119
So far we have 2 devices in this condition, unable to be used due to the Conditional Access policy.
We also tried to sign in the user on a new device and had no issues with the integration (there were no entries for the device in Intune before we ran the integration script). However, we tried to integrate the affected device with another user, and the issue still exists. Same behavior.
I have tried to contact Jamf support and Microsoft support, but so far nothing worked.
Is there anything else we can try?
Regards,
Traian
Posted on 11-18-2022 11:23 AM
Maybe the script in this thread can help?
Posted on 11-18-2022 03:15 PM
Please let me know if I am wrong, but doesn't this script do the same thing that Microsoft suggests at this link? https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-jamf#cause-...
Posted on 11-18-2022 02:43 PM
Shot in the dark, but have you tried waiting for FileVault to finish encrypting before trying the integration? I think that's like the out of the box config for allowing Intune and Jamf to talk.
Posted on 11-18-2022 03:18 PM
I managed to make it work. Not sure how. All the other devices had no issues with the enrollment, but they were on Monterey when we did the enrollment. Both devices that had problems were on Ventura. What I did was to create a bootable stick with Monterey, and I even waited to make sure that the encryption finished and the inventory for Jamf updated. After that, I tried to run the integration again and it worked.
Posted on 11-21-2022 07:24 AM
If I remember correctly, you need to manually remove any record of the Mac in AAD (Intune) before attempting to re-enroll it into Intune, or it will error on AAD registration. There is no way to automate this that I am aware of.
The AAD registration script is just the line below. It runs the jamfAAD binary with the registerWithIntune switch. If you are getting as far as you are, jamfAAD is working fine. The issue is on the Azure side.
/usr/local/jamf/bin/jamfAAD registerWithIntune
We had found that JAMF +Intune (MEM) integration was just hot garbage so we killed the entire integration months back. Intune is not a JAMF Product so JAMF does not support it, and Microsoft really has no clue how it works so their support sucks. After multiple tickets running on for 3-4 months on the Microsoft side I gave up.
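Editor's added example, not code from any poster in this thread: the post above says the stale Intune and AAD records for the Mac have to be removed before `jamfAAD registerWithIntune` will succeed. The script below locates those records from the Mac's serial number with the Microsoft Graph PowerShell SDK and deletes them, so the cleanup can be done from an admin workstation before the integration script is re-run on the Mac. It assumes the Microsoft.Graph modules are installed and that the signed-in account can delete managed devices and directory device objects; the serial number is a placeholder supplied by the caller. It supports -WhatIf, so run it with -WhatIf first to see what would be removed.

```powershell
# Added example (not from the thread): remove stale Intune and Azure AD device records
# for a Mac, identified by serial number, before re-running jamfAAD registerWithIntune.
#
# Assumptions: Microsoft.Graph SDK installed; the account used for Connect-MgGraph may
# delete Intune managed devices and Azure AD device objects.
# Usage (dry run first):  .\Remove-StaleMacRecord.ps1 -SerialNumber <placeholder> -WhatIf
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Serial number of the Mac as reported by Intune (placeholder value supplied by the caller)
    [Parameter(Mandatory = $true)]
    [string]$SerialNumber
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'Device.ReadWrite.All' | Out-Null

# 1. Intune managed-device record(s) for this serial number. A wiped Mac that was never
#    retired leaves one of these behind, and it is what the re-registration trips over.
$managed = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$SerialNumber'" -All
if (-not $managed) {
    Write-Host "No Intune managed device record found for serial $SerialNumber"
}

foreach ($md in $managed) {
    Write-Host ("Intune record: {0} (id {1}, AAD deviceId {2}, last sync {3})" -f `
        $md.DeviceName, $md.Id, $md.AzureAdDeviceId, $md.LastSyncDateTime)

    # 2. Matching Azure AD device object. The managed device's azureADDeviceId is the
    #    directory object's deviceId property, not its object id, so filter on deviceId.
    if ($md.AzureAdDeviceId) {
        $aadDevices = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'"
        foreach ($d in $aadDevices) {
            if ($PSCmdlet.ShouldProcess("AAD device $($d.DisplayName) ($($d.Id))", 'Remove')) {
                # Remove-MgDevice takes the directory object id as -DeviceId
                Remove-MgDevice -DeviceId $d.Id
            }
        }
    }

    # 3. Delete the Intune record itself last, so the AAD lookup above still had its deviceId.
    if ($PSCmdlet.ShouldProcess("Intune managed device $($md.DeviceName) ($($md.Id))", 'Remove')) {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $md.Id
    }
}
```

Once both records are gone, the Mac-side command from the post above, `/usr/local/jamf/bin/jamfAAD registerWithIntune`, can be re-run to create fresh records. The Jamf-side computer record is a separate object and is not touched by this script.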