Microsoft Intune Integration: Registration requires JAMF enrollment

hansjoerg_watzl
Contributor II

Hi
Question which I don't know if it's related to Jamf or to Microsoft (Intune).

We are using Jamf Pro with Microsoft Intune Integration. Some of our company Mac devices are fully managed and enrolled with our Jamf Pro Server. But some of our company Mac devices are just unmanaged (BYOD).
Both types can be registered in Intune for Conditional Access. Jamf devices need to register with Self Service (which then starts Company Portal).
BYOD devices just register with Company Portal app only.

In the past, we had no issues with this. In the last days, all of our BYOD Macs can not register anymore with Company Portal. There's always the following error message:

Your organization requires you to enroll this device with a different device management provider.

It seems, that Intune now REQUIRES that every (Mac) device needs to be enrolled with Jamf.
We updated our Jamf Pro Server to version 10.16.1 last week, but I don't know, if this is related to this update or if anything on Intune has changed.

Has anybody with Jamf Pro and Intune Integration saw this behavior?

13 REPLIES 13

waqas_khan
New Contributor III

Seems like Intune is not able to distinguish between company owned and BYOD devices. I'd be interested to know how you are separating and/or identifying the devices if both type need to go through the same Intune registration? Also, are you seeing this message on all macOS versions or just the ones running the latest (Catalina)?

druocco
New Contributor III

Yes - I am experiencing the same behavior. We have our corporate Macs on Jamf, but we are starting our BYOD Mac initiative and only want them to enroll in Intune. Jamf seems to be blocking BYOD Intune enrollment. The only way I was able to get this to work was to first enroll the device in Jamf, install Company Portal, unenroll from Jamf, then enroll in Intune from the Company Portal that was installed from Jamf. A very convoluted/not great end user experience.

druocco
New Contributor III

I was able to create a workaround by capturing a Jamf deployed installation of Company Portal and then packaging it with Composer. Then providing that package to a BYOD mac. They were then able to enroll in Intune successfully. The only drawback was this process marks the BYOD mac as "corporate" in Intune. Not the end of the world.

Hey Druocco,

We're in the same boat. We are new to Jamf. We want to mirror our Windows CAP to Jamf but only restrict enrollment to corporate devices. Can you share the script?

hansjoerg_watzl
Contributor II
I'd be interested to know how you are separating and/or identifying the devices if both type need to go through the same Intune registration? Also, are you seeing this message on all macOS versions or just the ones running the latest (Catalina)?

I don't know exactly, how Intune is configured in our company. But I know, that it is not possible to create two separate Intune groups for our Mac devices, where we can separate between managed and unmanaged Macs. So all of our Macs have the same policy in Intune. But as I wrote, we had no issues with registration for managed and unmanaged Macs, even if it's completely different. One small issue we had with this setting was the condition access error message, when somebody wanted to access ressources without registration. This error message contained a link to register the device and redirected all users to our Jamf enroll page (which of course we don't want for unmanaged devices). But with one of the later Jamf Pro versions, you can configure the landing page and we disabled it.
The current issue is not related to Catalina, as I could reproduce it today with an older High Sierra Mac (but with latest Company Portal app).

I was able to create a workaround by capturing a Jamf deployed installation of Company Portal and then packaging it with Composer. Then providing that package to a BYOD mac. They were then able to enroll in Intune successfully. The only drawback was this process marks the BYOD mac as "corporate" in Intune. Not the end of the world.

Thanks for this! Will give it a try. What do you mean with Jamf deployed installation of Company Portal? We download the app directly from Microsoft (and optionally provide it in our Self Service for installation). But the packaged is not edited, it's the same pkg as from Microsoft. What's the difference, when repackage it with Composer? Or do do you mean a snapshot with Company Portal preferences?

hansjoerg_watzl
Contributor II

@druocco btw, what Jamf pro version are you using? I guess, this new behaviour (block registration for non-Jamf-enrolled devices) changed with 10.16.1, because we were using 10.15.1 since October and had this issue only for the last couple of days. (Maybe Microsoft changed something in Intune too...idk)
Maybe we should give 10.17 a try...

hansjoerg_watzl
Contributor II

I just copied only the Company Portal.app from a Jamf enrolled Mac to an unmanaged BYOD Mac and the registration in Intune worked! So it seems, everything which is needed is inside the app folder. I will create a pkg from this app and will test it tomorrow with other users.
Wonder if an AutoUpdate of Company Portal will affect this. (Can test it with an older Company Portal.app and then update it over the Internet.)

hansjoerg_watzl
Contributor II

@druocco We did some more tests. With Company Portal 2.0 (copied from a Jamf enrolled device) it was successfully, but with Company Portal 2.2 it failed again, even if it's copied from a enrolled device.
And it's not possible to update this version with Microsoft AutoUpdate. This will break it again. So, this workaround is very limited.

Who is also using Jamf Pro with Intune Integration in a mixed environment? (enrolled and non-managed Macs)

hansjoerg_watzl
Contributor II

Further investigated and discovered the following in Intune:
e74be8444ff44ee8a298fee07b84d7d8
(Hint shows following message: "This will control if new enrollments for macOS are guided to Intune or Jamf by default.")

In our case, "All Users" are included as default and so all Mac devices are forced to enroll in Jamf (which we don't want).
So it looks, we could control this with Azure AD groups (include or exclude). But the question is, what happens, if a user does use a full managed Mac device (enrolled in Jamf) and wants to register his private Mac (BYOD) in Intune too? In the latter case, no Jamf enrollment is desired. (But as the same user account is used for the registration, a user based AD group could not fix this. Only a device group could handle this.)
Does anybody have more experience in this area?

g_kaplan
New Contributor

I could be entirely off track with this post, so let me know if it has any bearing on what you’re trying to accomplish. We run a similar hybrid azure setup with Intune and conditional access policies and SSO; however, our Jamf Pro instance is cloud based. We also utilize LDAP authentication for user enrollment and disable the enrollment of personal devices through in JAMF via Settings > Global Management > User-Initiated Enrollment> Access.

For new corporate devices enrolling in jamf MDM, we either send the user an email link or kick off MDM by scoping the device in DEP. There are enrollment policies in place that execute and deletes any existing company portal app and installs the older version (1.16) that we’ve found to be more reliable. A few steps down the line it launches the conditional access enrollment part to get the integration with azure/intune worked out.

For BYOD, we just have to download a copy of company portal from Microsoft and tell it to bind. I have had an associate that's reported trouble enrolling with a BYOD device, but the screenshots provided in this post don't match the ones he'd provided.

Just to be sure I wasn’t taking crazy pills, I enrolled a virtual machine with a DEP enabled serial number in Jamf MDM, bound it with Jamf's azure integration after our policy installed Company Portal 1.16 and tested the function of our office applications successfully. Then I restored the machine via snapshot back to its pre-DEP state and cleared it out of azure/intune/jamf. I unscoped it from DEP to behave like a normal BYOD machine, pulled up the "Enroll my Mac" link in safari that you can find on Microsoft's doc page https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp and that linked prompted me to download the app from Microsoft’s page. Installed company portal 2.2 and bound it just like any other BYOD device.

Success/Failure will depend on your machine setup process as well as whether a machine already has previously existing objects in both azure AD as well as the Intune portion of azure under devices. There are a lot of stale objects in azure and cleanup is not enabled as a default. Additionally we’re finding the need to search for and delete the same machines by serial number as well as their old hostname in some cases up to 3 times before they will completely be removed.

1ba75c7df2c841dda5dd176097df7f52

fd1348f0d08641dfb890511273043d51

George-x_chan
New Contributor III

Hey @hansjoerg.watzl

I can't seem to find the connector seting to assign to all users?

Can you advise where?

Thanks
George.

hansjoerg_watzl
Contributor II

You should find it here (portal.azure.com): Home > Microsoft Intune > Device compliance
Then click on Partner device management (bottom left "Setup" category).

Cybit024
New Contributor

We solved this issue by making a user group in 365 that excludes the users with BYOD devices, this can permanently or temporarily remove them from compliance link till registration between company portal and intune is complete.