08-15-2024 10:17 AM - edited 08-15-2024 10:28 AM
Hello Jamf Nation!
This post is to provide you with an update related to the Microsoft and Jamf Device Compliance integration and the Conditional Access deprecation timelines.
As of Jamf Pro 11.6 and 11.7.1, the Microsoft and Jamf Device Compliance integration can be fully leveraged in these environments.
In Jamf Pro 11.7, an issue (PI119904) related to internal proxies was identified that might prevent some customers from migrating from Jamf Pro Conditional Access to Jamf Pro Device Compliance. This issue will be resolved in Jamf Pro 11.9, and this fix is available to test in the 11.9 beta. Customers who are not using an internal proxy are not blocked and should proceed with their migration. You can go to Jamf’s Known Issues page for more information about PI119904.
Last but not least, Microsoft and Jamf will be extending the Partner Device Management API (PDM) deprecation and removal date. To ensure all customers can successfully migrate, Conditional Access will now deprecate on 31 January 2025. Previously, release notes and documentation stated that Conditional Access would be deprecated 01 September 2024. If you have computers enrolled under the legacy Conditional Access integration, you must migrate the computers to the device compliance integration before the new deprecation date.
With this extension, we encourage admins to migrate as soon as possible to ensure you have adequate access to support.
Thank you,
Travis
Jamf Product Management
Posted on 08-19-2024 06:59 AM
Regarding the Conditional Access deprecation, can we get a detailed, step-by-step end user experience document so users and admins know what to expect? To date, no one seems to know what the experience will be like. Does a user re-register? Is it seamless?
Posted on 08-20-2024 12:21 PM
Also, when enabling the device management, are credentials needed for Entra ID/Intune after saving, or since the connection was already established does it just complete?
08-20-2024 12:24 PM - edited 08-20-2024 12:26 PM
I performed my migration this morning - you'll need to provide Admin Consent to your tenant similar to the original Conditional Access registration.
Edit - are you asking about the switch in Jamf? or the user's end?
Posted on 08-20-2024 12:46 PM
Perfect, thank you. The switch in Jamf Settings for Device Compliance.
Out of curiosity, what is the end user's experience after running the migration script?
Posted on 08-20-2024 12:54 PM
End user experience was (for me) the same as it's always been. I've had some scripts and EAs checking for AAD-enrolled status for a few years. My test box that I force-removed from Intune got my regular prompt to have users enroll. Basically a pop-up to complete enrollment in Intune. The Jamf migration script contains this:
su -l $loggedInUser -c "/Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/Jamf\ Conditional\ Access.app/Contents/MacOS/Jamf\ Conditional\ Access gatherAADInfo"
Which just pops open the Company Portal app like usual.
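The one-liner quoted above assumes `$loggedInUser` is already set correctly. The wrapper below is an added example (not Jamf's migration script and not from the linked wiki) showing how an admin might resolve the console user defensively before invoking that same `gatherAADInfo` step: it skips the run when nobody is logged in or the session belongs to `loginwindow`/`root`, and checks that the binary exists. The binary path is the one from the post; the `scutil` console-user lookup is a common macOS idiom and is an assumption here, as is the `--run` flag that guards the live invocation.

```shell
#!/bin/sh
# Added example: run the Jamf Conditional Access "gatherAADInfo" step as the
# console user with sanity checks. Not Jamf's own migration script.

# Path quoted in the thread above (assumed unchanged on the target Mac).
CA_BIN="/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf Conditional Access.app/Contents/MacOS/Jamf Conditional Access"

# Parse the output of `scutil` ("show State:/Users/ConsoleUser") from stdin and
# print the console user's short name. Prints nothing when the console is at the
# login window or owned by root, so callers can skip the run instead of
# launching Company Portal in a session no human is sitting at.
console_user_from_scutil() {
    awk '/^[[:space:]]*Name[[:space:]]*:/ && $3 != "" && $3 != "loginwindow" && $3 != "root" { print $3 }'
}

# Build the command string handed to `su -l <user> -c`. The binary path is
# single-quoted so the spaces in it survive the extra shell level.
gather_cmd() {
    printf "'%s' gatherAADInfo" "$CA_BIN"
}

# Invoke gatherAADInfo as the given user. Return codes:
#   0 = launched, 1 = no user supplied, 2 = Jamf Conditional Access binary missing.
run_gather_aad_info() {
    user="$1"
    if [ -z "$user" ]; then
        echo "No console user; skipping gatherAADInfo." >&2
        return 1
    fi
    if [ ! -x "$CA_BIN" ]; then
        echo "Jamf Conditional Access binary not found at: $CA_BIN" >&2
        return 2
    fi
    su -l "$user" -c "$(gather_cmd)"
}

# Live invocation is guarded behind --run so the functions above can be sourced
# or tested without touching the system (assumed convention for this example).
if [ "${1:-}" = "--run" ]; then
    console_user="$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)"
    run_gather_aad_info "$console_user"
fi
```

Deployed as a Jamf policy script the guard flag would simply be passed as the first parameter; the exit codes let the policy log distinguish "nobody logged in" from "Jamf.app not installed", which is the first thing to check when a migration reports no registration on a given Mac.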
Posted on 08-20-2024 12:58 PM
And if you were already in compliance with our CA rules, it just kept that with no alert to the end user.
Posted on 08-22-2024 03:39 AM
I would check out the guide and script here https://github.com/benwhitis/Jamf_Conditional_Access/wiki/MacOS-Conditional-Access-Best-Practices
For the end user, warn that they might get an authentication pop-up on, or a few days after, the change is made, and set expectations that the login seen is legit. For many of our users the gatherinfo ran in the background and they saw nothing.
Posted on 08-22-2024 07:12 AM
Hi @Tony_A,
Thanks for this request! The below tech document outlines how admins can simplify the end user experience during the migration process. Please reply if you have additional questions.
https://jamf.service-now.com/kb_view.do?sysparm_article=KB0118052
Thanks!
Posted on 08-26-2024 01:39 AM
Last but not least, Microsoft and Jamf will be extending the Partner Device Management API (PDM) deprecation and removal date. To ensure all customers can successfully migrate, Conditional Access will now deprecate on 31 January 2025.
Thanks for your information.
Why didn't we hear about this important information by e-mail? (Your post is 10 days old and not every customer reads Jamf Nation regularly.)
We had a Jamf support case because we could not activate the Jamf Cloud Services due to the proxy bug (a requirement for device compliance migration). After this was resolved with a firewall change, we were assured by Jamf that the actual device compliance migration was not affected by the proxy issue and therefore we should not expect any problems.
Unfortunately, the migration got stuck with a “Connection Error” and we had no Intune Connector configured over the weekend (a new support case was opened).
Only now have we learned that we actually have much more time for this migration and therefore would not have carried out this migration at all.
We have now rolled back to the previous legacy Intune Connector, which (so far) has worked without any problems and, above all, without any user interaction.
Jamf knew from our last support case that we were affected by this problem. We would have expected Jamf to proactively inform us (any customers) about this issue. ☹️