New Popup "Jamf conditional access" wants to Use "" to Sign-in

New Contributor II

This pop-up started 02/06/23 and has been hit or miss with different users reporting it goes away and some stating it shows up every 30mins. What has changed for this to take place?2023-02-06_07-59-06.png



Valued Contributor

Maybe try this thread to clear the prompts? Talk to your AD/Azure folks to see if any changes made.


New Contributor III

From the screenshot, it looks like this is step 3 of user registration for conditional access, which you can read about in Jamf's documentation here

It looks like an admin configured the conditional access integration, then pushed out a registration policy to trigger the process. From the fact that it repeatedly pops up on some machines, it sounds like it may have been misconfigured either on the JSS or within your Azure tenant. I know the required permission set for the enterprise app object in Azure are changing, so those permissions might need to be updated on your tenant.

New Contributor II

I know there hasn't been any changes on our JAMF cloud instance. We currently do not have Device Compliance on. And we use the Cloud Connector with Azure for SSO/LDAP group mapping. We do have CA on for cloud apps. However out of 700 machines a grand total of 20 or so all got it at the pop-up yesterday.


We have deployed the Profiles after reading this Troubleshooting Microsoft Azure Login Using JamfAAD - Technical Articles | Jamf


JamfAAD Check-in to recheck for a valid Azure AD toke

JamfAAD to use WebView

Enabling Additional JamfAAD Logging


Awaiting JAMF response after sending logs. Hopefully this is an easy fix

Contributor III

It's a really clunky process.

Use the following to report the age of the AAD token:

token_epoch=$(defaults read | awk '/"last_aad_token_timestamp"/ { print $NF }' | tr -d '";' | cut -d . -f 1,10) ; token=$(date -r $token_epoch) ; echo $token

 (Even though JamfAAD had been renamed to Jamf Conditional Access, the domain is still the same as it was)

If the token is older than 3 days (I think?) the user will be prompted to sign in again.

Until MS (and Jamf?) improve the process and user experience, I am just unloading the LaunchAgent.

/bin/launchctl asuser "$LoggedInUID" /usr/bin/sudo -iu "$LoggedInUser" /bin/launchctl unload /Library/LaunchAgents/