New Popup "Jamf conditional access" wants to Use "Microsoftonline.com" to Sign-in

HealthcareMac
New Contributor II

This pop-up started 02/06/23 and has been hit or miss with different users reporting it goes away and some stating it shows up every 30mins. What has changed for this to take place?

[attached screenshot: 2023-02-06_07-59-06.png]


obi-k
Valued Contributor

Maybe try this thread to clear the prompts? Talk to your AD/Azure folks to see if any changes made.

https://community.jamf.com/t5/jamf-pro/jamfaad-continues-to-request-enrollment-even-though-already/t...

jcaleshire
New Contributor III

From the screenshot, it looks like this is step 3 of user registration for conditional access, which you can read about in Jamf's documentation here.

It looks like an admin configured the conditional access integration, then pushed out a registration policy to trigger the process. From the fact that it repeatedly pops up on some machines, it sounds like it may have been misconfigured either on the JSS or within your Azure tenant. I know the required permission set for the enterprise app object in Azure is changing, so those permissions might need to be updated on your tenant.

HealthcareMac
New Contributor II

I know there haven't been any changes on our JAMF cloud instance. We currently do not have Device Compliance on, and we use the Cloud Connector with Azure for SSO/LDAP group mapping. We do have CA on for cloud apps. However, out of 700 machines, a grand total of 20 or so all got the pop-up yesterday.

We have deployed the profiles after reading this: Troubleshooting Microsoft Azure Login Using JamfAAD - Technical Articles | Jamf

JamfAAD Check-in to recheck for a valid Azure AD token

JamfAAD to use WebView

Enabling Additional JamfAAD Logging

Awaiting JAMF response after sending logs. Hopefully this is an easy fix.

pete_c
Contributor III

It's a really clunky process.

Use the following to report the age of the AAD token:

token_epoch=$(defaults read com.jamf.management.jamfAAD | awk '/"last_aad_token_timestamp"/ { print $NF }' | tr -d '";' | cut -d . -f 1)  # epoch seconds of the last token, fractional part dropped
token=$(date -r "$token_epoch") ; echo "$token"  # macOS date -r turns the epoch into a readable timestamp

(Even though JamfAAD has been renamed to Jamf Conditional Access, the preference domain is still the same as it was.)

If the token is older than 3 days (I think?) the user will be prompted to sign in again.

Until MS (and Jamf?) improve the process and user experience, I am just unloading the LaunchAgent.

LoggedInUser=$(/usr/bin/stat -f%Su /dev/console) ; LoggedInUID=$(/usr/bin/id -u "$LoggedInUser")  # console user and UID the agent runs under
/bin/launchctl asuser "$LoggedInUID" /usr/bin/sudo -iu "$LoggedInUser" /bin/launchctl unload /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist
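A portable version of the token-age check above, added here as an example (not pete_c's snippet or Jamf's code): it parses `defaults read`-style output, works out how old the AAD token is, and prints the result the way a Jamf Extension Attribute would, so you can report which Macs are about to be re-prompted. The key name/format and the 3-day threshold are assumptions taken from this thread, and the sample preference text is constructed.

```shell
#!/bin/sh
# Added example, not pete_c's script or Jamf code. Assumes the
# last_aad_token_timestamp key format below and the 3-day re-prompt
# threshold mentioned in the thread.

# Constructed sample of `defaults read com.jamf.management.jamfAAD` output
SAMPLE_PREFS='{
    "last_aad_token_timestamp" = "1675700000.123456";
    "some_other_key" = 1;
}'

# Read defaults-style text on stdin, print the token epoch in whole seconds
extract_token_epoch() {
  awk '/"last_aad_token_timestamp"/ { v = $NF; gsub(/["; ]/, "", v); sub(/\..*$/, "", v); print v; exit }'
}

# Whole days between the token epoch ($1) and a reference epoch ($2)
token_age_days() {
  echo $(( ($2 - $1) / 86400 ))
}

# Exit 0 when the token is at least $3 days old (default 3, per the thread)
token_stale() {
  [ "$(token_age_days "$1" "$2")" -ge "${3:-3}" ]
}

# Produce an EA-style <result> line from defaults text ($1); $2 overrides "now"
report_token_age() {
  epoch=$(printf '%s\n' "$1" | extract_token_epoch)
  if [ -z "$epoch" ]; then
    echo "<result>no last_aad_token_timestamp</result>"
    return 2
  fi
  now=${2:-$(date +%s)}
  age=$(token_age_days "$epoch" "$now")
  if token_stale "$epoch" "$now"; then status=STALE; else status=fresh; fi
  echo "<result>epoch=$epoch age_days=$age status=$status</result>"
}

# On a real Mac the input would come from: defaults read com.jamf.management.jamfAAD
report_token_age "$SAMPLE_PREFS"
```

Feed it the live `defaults read` output from the user's session to get a per-Mac age; anything reporting STALE is a candidate for the next prompt.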