Posted on 04-13-2020 10:21 AM
Hey everyone. I used Jamf a lot in the past at my previous company, and we are currently in the process of purchasing Jamf. We currently have Intune as our MDM, and I'm curious to see if anyone has any resources on the process of unenrolling from one and enrolling into Jamf. I believe there has been talk of setting a conditional access policy in Intune that redirects to the Jamf enrollment page, but that only solves one of the two things needed.
Any suggestions?
Posted on 04-13-2020 10:28 AM
We have gone through this recently as well. We went with Jamf Pro and Jamf Connect, but at a later date. I would recommend going with both to start so everything can be done at once instead of multiple touches on end users' machines. GitHub was amazing, as are the authors. There are scripts and policies written so that the changeover can be done swiftly and completely.
Posted on 04-13-2020 10:38 AM
@danlaw777 Thanks, do you have a link to any of these on GitHub?
Posted on 04-16-2020 10:08 AM
Bumping this to hopefully get some more info
Posted on 04-16-2020 01:00 PM
I've done this, sort of. We were using Intune only for MDM and were using another product to manage software on devices. All devices were user-initiated MDM with no DEP, which made this somewhat simple.
I took a QuickAdd package and added a preinstall script in Composer that would look for the Microsoft identifier for the main Intune MDM device profile. Once removed, the QuickAdd package throws on the Jamf binary and MDM profile, and the user has to manually approve in Self Service. An email communication and some quick help desk prep for a Monday-morning influx of calls can ease this part.
The real challenge comes from what you have Intune doing currently, and what your future intentions for O365 are. When we used Intune, there was no FileVault key management, so there was no need to worry about any of that baggage. We were just using it for conditional access. Getting the Macs re-registered in Intune and AAD through Jamf for conditional access is a headache but doable. You will need to remove all of them from Intune and AAD (you can do this through PowerShell to automate it if you have a lot of machines) and then wipe all of the cached MS credential data from the users' keychains.
This is my current best script option for removing this data. It works over 90% of the time in my environment when needed (sometimes the cache still needs to be reset for CA, lol). It's a combination of a few different ones posted on GitHub, with advice from other topics on this and my own observations:
#!/bin/bash
# Get the current console user. The original post used a Python one-liner for
# this; macOS 12.3 and later no longer ship python, so scutil is used instead.
currentUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
if [ -z "$currentUser" ]; then
    echo "No console user logged in; nothing to clean up"
    exit 1
fi
# Jamf policies run as root, so point "security" at the user's login keychain
# explicitly; without a keychain argument it would act on root's keychain and
# leave the cached Microsoft items untouched. The login keychain is unlocked
# while the user is logged in, which the deletions below require.
loginKeychain="/Users/$currentUser/Library/Keychains/login.keychain-db"
killall 'JAMF'
echo "quit JAMF"
killall 'Company Portal'
echo "quit Company Portal"
echo "Remove Company Portal"
rm -rf "/Applications/Company Portal.app/"
rm -rf "/Users/$currentUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info"
rm -rf "/Users/$currentUser/Library/Application Support/com.jamfsoftware.selfservice.mac"
rm -rf "/Users/$currentUser/Library/Application Support/com.microsoft.CompanyPortal"
rm -rf "/Users/$currentUser/Library/Application Support/Company Portal"
rm -rf "/Users/$currentUser/Library/Saved Application State/com.microsoft.CompanyPortal.savedState"
rm -rf "/Users/$currentUser/Library/Saved Application State/com.jamf.management.jamfAAD.savedState"
rm -f "/Users/$currentUser/Library/Preferences/com.microsoft.CompanyPortal.plist"
rm -f "/Users/$currentUser/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist"
rm -f "/Users/$currentUser/Library/Preferences/com.jamf.management.jamfAAD.plist"
rm -rf "/Users/$currentUser/Library/Cookies/com.microsoft.CompanyPortal.binarycookies"
rm -rf "/Users/$currentUser/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"
rm -rf "/Users/$currentUser/Library/Caches/com.microsoft.CompanyPortal"
rm -rf "/Users/$currentUser/Library/Caches/com.jamf.management.jamfAAD"
rm -rf "/Users/$currentUser/Library/Caches/com.jamfsoftware.selfservice.mac"
echo "Remove keychain password items"
security delete-generic-password -l 'com.jamf.management.jamfAAD' "$loginKeychain"
security delete-generic-password -l 'com.microsoft.CompanyPortal' "$loginKeychain"
security delete-generic-password -l 'com.microsoft.CompanyPortal.HockeySDK' "$loginKeychain"
security delete-generic-password -l 'enterpriseregistration.windows.net' "$loginKeychain"
# Replace-with-your-adfs-server-name-FQDN: only relevant if your tenant federates
# through AD FS; the label must match the item Company Portal stored exactly.
security delete-generic-password -l 'https://Replace-with-your-adfs-server-name-FQDN' "$loginKeychain"
security delete-generic-password -l 'https://device.login.microsoftonline.com' "$loginKeychain"
security delete-generic-password -l 'https://device.login.microsoftonline.com/' "$loginKeychain"
security delete-generic-password -l 'https://enterpriseregistration.windows.net' "$loginKeychain"
security delete-generic-password -l 'https://enterpriseregistration.windows.net/' "$loginKeychain"
security delete-generic-password -a 'com.microsoft.workplacejoin.thumbprint' "$loginKeychain"
security delete-generic-password -a 'com.microsoft.workplacejoin.registeredUserPrincipalName' "$loginKeychain"
# Remove the Workplace Join device identity (MS-ORGANIZATION-ACCESS certificate
# plus its private key). There may be more than one, and delete-identity takes a
# single hash, so loop over them instead of passing the whole list at once.
security find-certificate -a -Z "$loginKeychain" | grep -B 9 "MS-ORGANIZATION-ACCESS" | grep "SHA-1" | awk '{print $3}' |
while read -r removecert; do
    echo "$removecert"
    security delete-identity -Z "$removecert" "$loginKeychain"
done
exit 0
I run this in a policy that also installs MS Company Portal. It is very important to make sure you run the script first in the policy settings.
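The script above locates the Workplace Join certificate with `grep -B 9 "MS-ORGANIZATION-ACCESS"`, which only works while the `labl` attribute happens to sit within nine lines of the `SHA-1 hash:` line of the same record; a macOS release that adds or drops a line in the `security find-certificate -a -Z` dump silently breaks it. The following is an added example, not code from the post or from Jamf or Microsoft, that parses the dump record by record instead and exercises the parser on a constructed sample dump (the hashes, the user name `jdoe` and the "Example Corp VPN" certificate are made up).

```shell
#!/bin/bash
# Added example, not from the original post: record-aware extraction of the
# SHA-1 hashes of "MS-ORGANIZATION-ACCESS" identities from the output of
#   security find-certificate -a -Z [keychain]
# Every record starts with its hash lines (SHA-256 on newer macOS, SHA-1 on
# older), followed by the attribute block, so the most recent SHA-1 hash is
# the one that belongs to the label currently being read.

# Print the SHA-1 hash of every record whose "labl" or "alis" attribute is
# MS-ORGANIZATION-ACCESS. Reads the find-certificate dump on stdin and emits
# each matching hash exactly once, even when both attributes match.
ms_org_access_hashes() {
    awk '
        /^SHA-1 hash:/ { sha1 = $3; printed = 0; next }
        /"(labl|alis)"<blob>="MS-ORGANIZATION-ACCESS"/ && sha1 != "" && !printed {
            print sha1; printed = 1
        }
    '
}

# Delete each matching identity (certificate plus private key) from the given
# keychain. Only runs where the macOS "security" tool exists, so the parser
# above can still be exercised on any platform.
remove_ms_org_access_identities() {
    keychain=$1
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not available; nothing removed" >&2
        return 0
    fi
    security find-certificate -a -Z "$keychain" | ms_org_access_hashes |
    while read -r hash; do
        echo "Removing identity $hash from $keychain"
        security delete-identity -Z "$hash" "$keychain"
    done
}

# Constructed sample dump (not captured from a real Mac): one Workplace Join
# record and one unrelated record. Hashes and names are made up.
SAMPLE_DUMP='SHA-256 hash: 1111111111111111111111111111111111111111111111111111111111111111
SHA-1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="MS-ORGANIZATION-ACCESS"
    "cenc"<uint32>=0x00000003
    "labl"<blob>="MS-ORGANIZATION-ACCESS"
SHA-256 hash: 2222222222222222222222222222222222222222222222222222222222222222
SHA-1 hash: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Example Corp VPN"
    "labl"<blob>="Example Corp VPN"'

# Run the parser over the sample. On a real Mac, from a root-level Jamf policy,
# you would instead call:
#   remove_ms_org_access_identities "/Users/$currentUser/Library/Keychains/login.keychain-db"
sample_hashes() {
    printf '%s\n' "$SAMPLE_DUMP" | ms_org_access_hashes
}

sample_hashes
```

Because the parser keys on the attribute text rather than on a line offset, it keeps working whether or not the `SHA-256 hash:` line is present, and it emits one hash per record, which is what `security delete-identity -Z` expects.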
Posted on 09-15-2020 06:23 AM
Hi, I am new to this role and I also need to move all Intune devices to Jamf automatically without disturbing users. Could you please guide me with the steps?