New Popup "Jamf conditional access" wants to Use "Microsoftonline.com" to Sign-in

HealthcareMac
New Contributor II

This pop-up started 02/06/23 and has been hit or miss, with different users reporting it goes away and some stating it shows up every 30 mins. What has changed for this to take place?

Attachment: 2023-02-06_07-59-06.png


obi-k
Valued Contributor II

Maybe try this thread to clear the prompts? Talk to your AD/Azure folks to see if any changes made.

https://community.jamf.com/t5/jamf-pro/jamfaad-continues-to-request-enrollment-even-though-already/t...


jcaleshire
New Contributor III

From the screenshot, it looks like this is step 3 of user registration for conditional access, which you can read about in Jamf's documentation here

It looks like an admin configured the conditional access integration, then pushed out a registration policy to trigger the process. From the fact that it repeatedly pops up on some machines, it sounds like it may have been misconfigured either on the JSS or within your Azure tenant. I know the required permission set for the enterprise app object in Azure is changing, so those permissions might need to be updated on your tenant.

HealthcareMac
New Contributor II

I know there haven't been any changes on our Jamf Cloud instance. We currently do not have Device Compliance on, and we use the Cloud Connector with Azure for SSO/LDAP group mapping. We do have CA on for cloud apps. However, out of 700 machines, a grand total of 20 or so all got the pop-up yesterday.

We have deployed the profiles after reading this: Troubleshooting Microsoft Azure Login Using JamfAAD - Technical Articles | Jamf

  • JamfAAD Check-in to recheck for a valid Azure AD token
  • JamfAAD to use WebView
  • Enabling Additional JamfAAD Logging

Awaiting JAMF response after sending logs. Hopefully this is an easy fix

pete_c
Contributor III

It's a really clunky process.

Use the following to report the age of the AAD token:

token_epoch=$(defaults read com.jamf.management.jamfAAD | awk '/"last_aad_token_timestamp"/ { print $NF }' | tr -d '";' | cut -d . -f 1) ; token=$(date -r "$token_epoch") ; echo "$token"

(Even though JamfAAD has been renamed to Jamf Conditional Access, the defaults domain is still the same as it was.)

If the token is older than 3 days (I think?) the user will be prompted to sign in again.

Until MS (and Jamf?) improve the process and user experience, I am just unloading the LaunchAgent.

LoggedInUser=$(/usr/bin/stat -f %Su /dev/console) ; LoggedInUID=$(/usr/bin/id -u "$LoggedInUser")
/bin/launchctl asuser "$LoggedInUID" /usr/bin/sudo -iu "$LoggedInUser" /bin/launchctl unload /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist

infrase2020
New Contributor III

Hi @pete_c 

We have the same prompt, and we believe the reason is that the device does not have internet access immediately, so the silent authentication fails and reverts to interactive mode, hence the prompt to auth.

Obviously this is far from ideal and the user experience is not great, so my question is what is the impact of removing the launch agent in your previous post? 

TIA. 

I believe it should prevent this pop-up from happening, but the entire process was so poor that we dropped the project and I haven't spent any further time on it.

husnudagidir
New Contributor III

Hi Everyone,


Has anyone been able to solve this problem somehow? Although I asked both Jamf and Microsoft about this, I could not get a satisfactory answer or solution. Especially the Microsoft side is having a hard time understanding the problem. Is the main source of this problem Jamf Pro? Is it wrong for me to ask the Microsoft side a question? If anyone has found a solution can you please help me? I had to suspend a huge project right now. This pop-up is very annoying.

Following the Troubleshooting Microsoft Azure Login Using JamfAAD - Technical Articles | Jamf article, we haven't seen this issue since. My suggestion would be to implement these config profiles. The ability to recheck solves the timeout issue, or switching networks.

infrase2020
New Contributor III

I logged a ticket with support and we believe the reason we are getting prompted is that our devices use 802.1x to authenticate on the network, and it takes a few seconds to connect once the device is logged in, so silent auth fails and interactive mode kicks in and prompts the user.

I've asked whether it's possible to delay the silent auth so the device has connectivity first.

Support email details below:

To give you some background information about the whole process and reference a blog post created by one of my colleagues, what is happening after registration is the following:

"Once the initial registration is completed jamfAAD continues to run in the background and has to authenticate every 24 hours to Azure to confirm the Azure AD record is still intact and confirm the AAD Device ID. Why? Well, because it has to report it to JPRO as proof of the integrity of the registration, and the activity of the device.

This is why we have the WPJ key and cached credentials. jamfAAD actually authenticates silently to Azure and uses the items in the keychain to do so. As long as the WPJ key is ok, the Azure AD record is intact, the device is online (to contact Azure), the cached password is valid…. all is well. jamfAAD silently authenticates, gets the Device ID, reports it to JPRO, JPRO sends inventory data to Intune… everyone happy. (Quick note: JPRO only sends an inventory update to MEM when something changed..)

However, whenever this silent authentication fails, for whatever reason, jamfAAD will go into interactive mode and prompt the end user to authenticate again! This is 100% normal and expected behaviour. Furthermore, there are other situations where Azure may even instruct jamfAAD to go into interactive mode, such as an expired MFA lifetime."

I will be listing a couple of reasons below why the users can be prompted by this pop-up:

  • Device offline for more than 24h
  • Azure AD password changed (hence cached credentials are invalid)
  • End user created multiple Azure AD records by registering the device multiple times
  • MFA is being triggered because of the MFA token lifetime expired
  • Keychain issue (corrupted or user did not select always allow when registering…)
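Building on pete_c's token-age one-liner and the 24h silent re-authentication cycle support describes above, here is an added diagnostic script (not from the thread, nor from Jamf or Microsoft) that reports the cached token's age and whether the sign-in endpoint is reachable, in Jamf Extension Attribute `<result>` format. It assumes the `last_aad_token_timestamp` key pete_c used and that the agent's preferences live in the console user's defaults domain; the 3-day threshold is pete_c's estimate, not a documented value.

```shell
#!/bin/bash
# Added diagnostic (not from the thread, Jamf or Microsoft): report how old the
# cached Azure AD token used by the jamfAAD / Jamf Conditional Access agent is,
# so an admin can tell an expected 24h silent re-auth from a real failure.
# Assumptions: key name "last_aad_token_timestamp" (from pete_c's one-liner) and
# prefs stored in the console user's defaults domain.

# Parse `defaults read com.jamf.management.jamfAAD` output (stdin) and print the
# token timestamp as integer epoch seconds. Accepts quoted or unquoted values.
aad_token_epoch() {
  awk -F'= ' '/last_aad_token_timestamp/ {
    gsub(/[";]/, "", $2); split($2, p, "."); print p[1]; exit }'
}

# Age of the token in seconds, given its epoch and the current epoch.
token_age_seconds() {
  echo $(( $2 - $1 ))
}

# Classify the age: support says jamfAAD re-authenticates silently every 24h;
# pete_c suggests ~3 days of age leads to an interactive prompt (assumption).
token_state() {
  if [ "$1" -lt 86400 ]; then
    echo "fresh"
  elif [ "$1" -lt 259200 ]; then
    echo "stale"
  else
    echo "prompt-likely"
  fi
}

# Silent auth needs the device online, so also record whether the sign-in
# endpoint answers (a "no" here matches the offline / 802.1x-delay case).
aad_reachable() {
  /usr/bin/curl -sS -o /dev/null --max-time 5 "https://login.microsoftonline.com/" \
    && echo "yes" || echo "no"
}

# Run only on macOS, reading the console user's prefs, and print an EA result.
if [ "$(uname)" = "Darwin" ]; then
  user=$(/usr/bin/stat -f %Su /dev/console)
  epoch=$(/usr/bin/sudo -u "$user" /usr/bin/defaults read com.jamf.management.jamfAAD 2>/dev/null \
    | aad_token_epoch)
  if [ -n "$epoch" ]; then
    age=$(token_age_seconds "$epoch" "$(date +%s)")
    echo "<result>token_age_hours=$(( age / 3600 )) state=$(token_state "$age") online=$(aad_reachable)</result>"
  else
    echo "<result>no token timestamp found for $user</result>"
  fi
fi
```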

Hi,

Honestly, what you're saying makes a lot of sense. Yes! As you said, 802.1x is used in our environment.

Frankly, the most uncertain and difficult experience I had with Jamf Pro was enrolling devices managed with Jamf Pro to Intune via Company Portal.

In order to analyze some issues correctly, it is necessary to know the working logic of the application well. Thank you for explaining that too.

I'm currently considering using Webkit to prevent these popups from popping up constantly. I hope it works.

husnudagidir
New Contributor III

Hi,

I solved this problem.

Thanks...

What was your solution?