Migrating Macs from Intune to Jamf Questions

Antbanks51
New Contributor III

Okay all. I searched through the community forums and saw some very helpful information, but it also added more questions. I figured I'd make another post and detail everything out. Any help would be appreciated.

 

Goal: Move around 280 macOS devices from Intune to Jamf with as little interruption to the end user as possible.

I know one of the first things that will need to be done is un-enrolling from Intune, but this is where I start to get confused on best practice. I am new to both Jamf and Intune, but one thing I understood from my previous company is that the check-in time for Intune could take as long as 24 hours. I also see how the MDM profiles are not removable by the end user for our Intune managed devices. While I totally understand why this needs to be done, it leads me to my first question.

What is the best way to allow for User-Initiated enrollment so that there can be a seamless transition from Intune to Jamf?

If I am understanding what I have been told correctly, it seems like my only option is to delete the devices from Intune and give it around 24 hours before the user can initiate enrollment into Jamf. Is this true? Is there an easier way? I read the article at https://learn.microsoft.com/en-us/mem/intune/user-help/unenroll-your-device-from-intune-macos but it just seemed to verify my thoughts. This leads me to question 2:

Does User-Initiated enrollment provide a sub-par experience when it comes to managing devices?

I was reading https://community.jamf.com/t5/jamf-nation/microsoft-intune-to-jamf-migration/m-p/275286#M873 where I saw the comment that you will not get full management of the device. These devices I'm dealing with are all in ABM, so I'm assuming that may mean the best path forward is to just wipe and re-enroll, but I'm hoping that's wrong.

 

Thanks for taking time to read this. Sorry if any of it is a dumb question, but again I am new to this and did my best to search before posting.

1 ACCEPTED SOLUTION

Levi_
Contributor II

Hey AntBanks51,

You're right. The Intune check-in time can go up to 24 hours, but when I delete devices from Endpoint Manager it's usually around 20 minutes. Are you going to be using Jamf to register Macs with Intune for compliance around conditional access? If so, you will need to clean the Intune files left behind on the Mac, and this may be helpful. That script does what it says; some of it isn't needed right away, but it will clean up the other files left behind so you can re-enroll devices with Intune from Jamf when you're ready. If you ever have to re-register a Mac, that script is your friend. Bryce is a wizard and helped a lot of us with just that one script alone 😁.

The MDM profile won't be removable by non-admins; the same is true with user-initiated enrollment, they will need an admin to install the Jamf MDM profile. Depending on how you want to do this, it will definitely be quicker to just enroll the Macs, and over time you can wipe them with the 1-click erase-install method and enroll via PreStage so you get the full management state. Just make sure to switch your ABM MDM server to Jamf from Intune so they go to the right place 😁.



Antbanks51
New Contributor III

Thank you for the info! We do have Company Portal as a default deployment, so they can still register with Intune; however, there are no conditional access policies currently in Intune for us. It looks like it was basically just a few profiles to add McAfee and enable some restrictions.

One thing that was decided by people who make a lot more than I do is that each user will still have local admin access.  I believe this is due to the nature of our Macs.  They are being used by executives or marketing.

I guess my final follow-up question would be whether the Mac would be able to be enrolled via User-Initiated enrollment as soon as it checks in with Intune. The end user would not get an error stating that the device already belongs to an MDM, correct?

Levi_
Contributor II

Ah. Yeah, that makes it a little easier for you than if they have local admin. There are some tools available where you can remove a user's local admin access and keep them as a standard user but allow them to upgrade to an administrator for 30 minutes at a time. You might be interested in this, as execs are the white whales that malicious actors go after the hardest. Anyone who is a local admin can remove the Intune MDM profile and install the Jamf MDM profile themselves with instructions. They can also remove the Jamf MDM profile too, so there's that.

That last part: are you going to have some sort of mechanism to trigger an enrollment, like the device isn't compliant? I've used conditional access policies to block access to resources unless they're enrolled with Intune, as this also requires Jamf. But to my knowledge, I don't know if there is any other mechanism to automatically trigger an enrollment prompt once they drop out of Intune. My advice in this situation would be to send instructions on how to remove the Intune MDM profile and install the new Jamf MDM profile, and mass-mail enrollment invitations from Jamf to your users. I hope this helps. Test and double-test the instructions being sent to make sure your #1 customers in your ticketing system can follow the instructions without problems 🙃.
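The open question in this thread is how to tell, before a user tries Jamf user-initiated enrollment, whether the Mac has actually dropped out of Intune (so the "already managed by an MDM" error will not appear) and whether it is ABM/DEP-enrolled. The following is an added example, not a script from any post above; it classifies a Mac's MDM state from the output of macOS `profiles status -type enrollment` and `profiles list`. The profile identifiers it matches are assumptions: `00000000-0000-0000-A000-4A414D460003` for the Jamf MDM profile and `Microsoft.Profiles.MDM` for the Intune management profile.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a Mac's MDM state from `profiles` output
# so an admin can check a fleet before mailing Jamf enrollment invitations.
# Assumptions: `profiles status -type enrollment` prints "Enrolled via DEP: Yes|No" and
# "MDM enrollment: Yes ...|No"; `profiles list` (as root) prints one
# "profileIdentifier: <id>" line per installed profile. Identifier values are assumptions.
JAMF_MDM_ID="00000000-0000-0000-A000-4A414D460003"   # assumed Jamf MDM profile identifier
INTUNE_MDM_ID="Microsoft.Profiles.MDM"               # assumed Intune management profile id

# classify_mdm STATUS_TEXT LIST_TEXT -> prints one of: none, intune, jamf, other
classify_mdm() {
    status_text=$1
    list_text=$2
    case "$status_text" in
        *"MDM enrollment: No"*) echo none; return 0 ;;
    esac
    case "$list_text" in
        *"$JAMF_MDM_ID"*)   echo jamf ;;
        *"$INTUNE_MDM_ID"*) echo intune ;;
        *)                  echo other ;;   # enrolled, but in an MDM we do not recognise
    esac
}

# dep_enrolled STATUS_TEXT -> prints yes or no (Automated Device Enrollment via ABM)
dep_enrolled() {
    case "$1" in
        *"Enrolled via DEP: Yes"*) echo yes ;;
        *) echo no ;;
    esac
}

# ready_for_jamf_uie STATUS_TEXT LIST_TEXT -> exit 0 only when no MDM profile is present,
# i.e. user-initiated enrollment will not be blocked by an existing enrollment.
ready_for_jamf_uie() {
    [ "$(classify_mdm "$1" "$2")" = none ]
}

# Usage on a real Mac (run as root so computer-level profiles are listed):
#   status=$(profiles status -type enrollment); list=$(profiles list)
#   echo "mdm=$(classify_mdm "$status" "$list") dep=$(dep_enrolled "$status")"
#   ready_for_jamf_uie "$status" "$list" && echo "OK to send Jamf enrollment invite"
```

A Mac reporting `intune` still has the Intune profile and needs the admin-side removal described above; one reporting `jamf` with `dep=no` is the partial-management state the thread discusses, which a later erase-install plus PreStage enrollment resolves.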
