Persistent "Registration Required" Notification with Jamf Connect & MS Entra

Mohamad
New Contributor II

Hello everyone,

We are currently facing an issue with Jamf Connect where some users keep receiving the notification:

"Registration required - Register with your Microsoft Entra password on your Mac."

Our Setup:

  • Jamf Connect installed manually on affected devices
  • Devices manually registered in Company Portal
  • macOS 15.3.1
  • Latest version of Jamf Connect & Company Portal
  • Devices appear as compliant in MS Entra
  • Devices in Jamf Managed & Supervised
  • "uniqueIdentifier": "97BD-IUHGLD-LIUGHW7G-.....ETC."
  • FileVault 2 Partition Encryption State: Encrypted

Troubleshooting Steps Taken:

  1. Verified compliance status in MS Entra
  2. Deleted the device from MS Entra and re-registered
  3. Cleared keychain entry:
     /Users/testuser/Library/Keychains/65649DB6-A89B14CE16E0E
  4. Ran a script to reset Entra registration, which:
    • Quits Company Portal
    • Deletes related preference files and saved states
    • Removes keychain entries and identity preferences
    • Deletes the MS-ORGANIZATION-ACCESS certificate
    • Reinstalls Company Portal
  5. After a Mac restart, users go through the registration process again, but the notification reappears after a few hours.

Has anyone encountered this issue before?

  • Is there an additional cache, token, or certificate that should be removed?
  • Could Conditional Access policies or Jamf Connect settings be causing this loop?

Any insights or suggestions would be greatly appreciated!

Thanks in advance!

#!/bin/bash

##############################################################################################################
# Reset Entra ID Registration
#
#----------------------------------------------
# Vers. 2.0, 08.07.2024
#----------------------------------------------
##############################################################################################################

# Variables

# Custom trigger for the Jamf policy "Install Company Portal"
jamfTrigger1="main_companyportal"
#jamfTrigger2="intune_Register"

# Get the username of the currently logged in user
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the user's home directory
homeDir=$(/usr/bin/dscl . read "/Users/${loggedInUser}" NFSHomeDirectory | /usr/bin/awk '/\/Users/{print $2}')
# The user's login keychain, where Company Portal stores the Workplace Join items
loginKeychain="${homeDir}/Library/Keychains/login.keychain-db"

#--------------------------------------------------------------------------------------------------------------

# Quit Company Portal if it is running
if [[ $(pgrep "Company Portal") != "" ]]; then
  echo "Quitting Company Portal"
  killall "Company Portal"
fi

# App bundle, preference files, saved application state and cookies to remove
fileArray=(
  "/Applications/Company Portal.app/"
  "${homeDir}/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info"
  "${homeDir}/Library/Application Support/com.jamfsoftware.selfservice.mac"
  "${homeDir}/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState"
  "${homeDir}/Library/Saved Application State/com.jamf.management.jamfAAD.savedState/"
  "${homeDir}/Library/Saved Application State/com.microsoft.CompanyPortal.savedState"
  "${homeDir}/Library/Preferences/com.microsoft.CompanyPortal.plist"
  "${homeDir}/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist"
  "${homeDir}/Library/Cookies/com.microsoft.CompanyPortal.binarycookies"
  "${homeDir}/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"
)

for i in "${fileArray[@]}"; do
  if [[ -e "$i" ]]; then
    echo "Deleting file $i"
    rm -rf "$i"
  fi
done

# Workplace Join keychain items, looked up by account name (-a)
passwordItemAccountsArray=(
  'com.microsoft.workplacejoin.thumbprint'
  'com.microsoft.workplacejoin.registeredUserPrincipalName'
  'com.microsoft.workplacejoin.deviceName'
  'com.microsoft.workplacejoin.deviceOSVersion'
  'com.microsoft.workplacejoin.discoveryHint'
)

for i in "${passwordItemAccountsArray[@]}"; do
  # find-generic-password prints the item's attributes (incl. "svce") on stdout when it exists
  itemCheck=$(/usr/bin/security find-generic-password -a "$i" 2>/dev/null | grep svce)
  if [[ "$itemCheck" != "" ]]; then
    echo "Deleting Password Item $i"
    /usr/bin/security delete-generic-password -a "$i" "$loginKeychain" > /dev/null 2>&1
  fi
done

# There may be more than one 'com.microsoft.workplacejoin.devicePatchAttemptTimestamp' item,
# so loop until none is left; stop if a delete fails so the loop cannot spin forever
devicePatchAttemptTimestamp=$(/usr/bin/security find-generic-password -a 'com.microsoft.workplacejoin.devicePatchAttemptTimestamp' 2>/dev/null | grep svce)
while [[ "$devicePatchAttemptTimestamp" != "" ]]; do
  /usr/bin/security delete-generic-password -a 'com.microsoft.workplacejoin.devicePatchAttemptTimestamp' "$loginKeychain" > /dev/null 2>&1 || break
  devicePatchAttemptTimestamp=$(/usr/bin/security find-generic-password -a 'com.microsoft.workplacejoin.devicePatchAttemptTimestamp' 2>/dev/null | grep svce)
done

# Identity preferences, looked up by label (-l)
identityPrefArray=(
  'com.jamf.management.jamfAAD'
  'com.microsoft.CompanyPortal'
  'com.microsoft.CompanyPortal.HockeySDK'
  'enterpriseregistration.windows.net'
  'https://device.login.microsoftonline.com'
  'https://device.login.microsoftonline.com/'
  'https://enterpriseregistration.windows.net'
  'https://enterpriseregistration.windows.net/'
)

for i in "${identityPrefArray[@]}"; do
  itemCheck=$(/usr/bin/security find-generic-password -l "$i" 2>/dev/null | grep svce)
  if [[ "$itemCheck" != "" ]]; then
    echo "Deleting Identity Preference $i"
    /usr/bin/security delete-generic-password -l "$i" "$loginKeychain" > /dev/null 2>&1
  fi
done

# Delete every identity issued by MS-ORGANIZATION-ACCESS (the Workplace Join certificate);
# loop over the hashes in case more than one certificate comes back
certHashes=$(/usr/bin/security find-certificate -a -Z | grep -B 9 "MS-ORGANIZATION-ACCESS" | grep "SHA-1" | awk '{print $3}')
for certCheck in $certHashes; do
  echo "Deleting $certCheck"
  /usr/bin/security delete-identity -Z "$certCheck" -t "$loginKeychain" > /dev/null 2>&1
done

# Install Company Portal
/usr/local/bin/jamf policy -event "$jamfTrigger1"

2 REPLIES

Mohamad
New Contributor II

Issue with MS Entra

ScottEKendall
Contributor

The times that I have seen that in our shop are when they are either missing the WPJ key or it is corrupted. If you cannot manually delete it from the Keychain, then they might need to have the keychain rebuilt...
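Given the point about a missing or corrupted WPJ key, a read-only audit helps decide whether the MS-ORGANIZATION-ACCESS certificate and the com.microsoft.workplacejoin.* keychain items are present, missing or duplicated before anything is deleted. This is an added example, not code from the thread; the sample listings inside it are constructed, and wpj_cert_hashes, wpj_keychain_accounts and wpj_state_ok are hypothetical names.

```shell
#!/bin/bash
# Added example, not code from the thread: a read-only audit of the Workplace
# Join (WPJ) state on a Mac, showing whether the MS-ORGANIZATION-ACCESS
# certificate and the com.microsoft.workplacejoin.* keychain items are
# missing or duplicated, before reaching for the destructive reset script.
# Live use:  wpj_state_ok "$(security find-certificate -a -Z)" "$(security dump-keychain)"
# Print the SHA-1 hash of every certificate record that mentions the
# MS-ORGANIZATION-ACCESS issuer. Each record in `security find-certificate -a -Z`
# output starts with a "SHA-1 hash:" line, so state is kept per record
# instead of relying on a fixed `grep -B 9` window.
wpj_cert_hashes() {
  awk '/^SHA-1 hash:/ { if (hit) print hash; hash = $3; hit = 0; next }
       /MS-ORGANIZATION-ACCESS/ { hit = 1 }
       END { if (hit) print hash }'
}

# Count com.microsoft.workplacejoin.* "acct" attributes in `security
# dump-keychain` output and print "<count> <account>", sorted by account.
# A count above 1 means duplicate items (common for devicePatchAttemptTimestamp).
wpj_keychain_accounts() {
  awk -F'"' '$2 == "acct" && $4 ~ /^com\.microsoft\.workplacejoin\./ { n[$4]++ }
             END { for (a in n) print n[a], a }' | sort -k2
}

# Verdict: healthy means exactly one WPJ certificate and exactly one
# thumbprint item. $1 = certificate listing text, $2 = keychain dump text.
wpj_state_ok() {
  certs=$(printf '%s\n' "$1" | wpj_cert_hashes | wc -l | tr -d ' ')
  thumbs=$(printf '%s\n' "$2" | wpj_keychain_accounts |
           awk '$2 == "com.microsoft.workplacejoin.thumbprint" { print $1 }')
  [ "$certs" -eq 1 ] && [ "${thumbs:-0}" -eq 1 ]
}

# Constructed sample listings (not captured from a real Mac).
SAMPLE_CERTS='SHA-1 hash: 1111111111111111111111111111111111111111
    "labl"<blob>="Some Other Cert"
    "issu"<blob>=0x4F74686572  "Other"
SHA-1 hash: 2222222222222222222222222222222222222222
    "labl"<blob>="1f2e3d4c-0000-4000-8000-000000000000"
    "issu"<blob>=0x4D532D4F5247414E495A4154494F4E2D414343455353  "MS-ORGANIZATION-ACCESS"'
SAMPLE_KEYCHAIN='class: "genp"
    "acct"<blob>="com.microsoft.workplacejoin.thumbprint"
class: "genp"
    "acct"<blob>="com.microsoft.workplacejoin.devicePatchAttemptTimestamp"
class: "genp"
    "acct"<blob>="com.microsoft.workplacejoin.devicePatchAttemptTimestamp"'

printf '%s\n' "$SAMPLE_KEYCHAIN" | wpj_keychain_accounts
wpj_state_ok "$SAMPLE_CERTS" "$SAMPLE_KEYCHAIN" && echo "WPJ state looks healthy"
```

On a real Mac, a count of 0 for the thumbprint item or 0 WPJ certificates matches the "missing WPJ key" case above, while a count above 1 points at duplicate items that a single delete call will not clear.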