Stop using inTune Integration

gloper1977
Contributor

In the middle of 2021 our organization decided we were going to enroll all of our MacBooks in Intune. We had everything working, but as many of you know there are many issues with the Intune integration. Also, getting end users to enroll their devices themselves was a chore. We only managed to get about a quarter of our MacBooks enrolled and decided to scrap it. The only real driver for the Intune enrollments was compliance reporting, and we decided Jamf provides all the reporting info that we really need.

Occasionally I still have a user getting the JamfAAD pop-ups when they change their password for some other reason, and I end up just having them go through the enrollment again. What is the best way to remove the enrollment for devices that have already enrolled? Can I just turn off Conditional Access? Will that stop devices from getting prompted to re-register? I haven't turned that off yet because I don't want to cause issues with existing devices.

I did find a script someone else posted that is supposed to completely remove the Intune Company Portal and all related files, but it must have been written for an older OS because most of the files and folders referenced in the script don't exist anymore, and the computers still get the prompts occasionally.

1 ACCEPTED SOLUTION

garybidwell
Contributor III

There's no harm in leaving the co-management integration active; you never know when you'll need it some day, so having it already integrated (but not active) still has some benefits if you find yourself needing to use Conditional Access again.

The only thing to be aware of is that if you are using Conditional Access in MEM for other platforms, I believe Microsoft has now made the default for any new Azure app using Conditional Access to be "all users", so you just need to make sure you have exclusions added in all your Conditional Access policies in MEM for "macOS" to blanket exclude them all.

For the Mac clients you can also just leave the Self Service policy to enrol into Conditional Access in Jamf Pro (just make it inactive so it no longer shows in Self Service for users).
And if you want to remove the workplace join token and all the other files it created on the Macs already enrolled, then I would use this WPJ removal script on GitHub (this will stop the JamfAAD pop-ups you still get):

jamfAAD-and-WPJ-scripts

This hasn't been updated for a while, so you may need to cross-reference and modify it as needed against the files listed on the Intune-Jamf troubleshooting page; clause 6 lists the current files you need to delete:

https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-jamf

Once the Mac clients no longer believe they are joined to MEM, you can then just delete all the macOS device objects in Intune (assuming you no longer want them in there).
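The cleanup pattern the answer describes (a Jamf policy running as root that removes the Workplace Join artifacts from the logged-in user's home, then nothing re-prompts because the Self Service registration policy has been made inactive) is illustrated below as an added example. It is not the linked GitHub script and not Microsoft's or Jamf's code. The file list is a deliberate placeholder: substitute the current per-user paths from clause 6 of the Microsoft troubleshooting page linked above. The helper is idempotent, supports a dry run so the list can be verified on one Mac before deploying, and reports how many artifacts it touched.

```shell
#!/bin/sh
# Added example: idempotent removal of per-user Workplace Join (WPJ) artifacts.
# PLACEHOLDER paths (relative to the user's home). Replace with the current
# list from the Microsoft Intune/Jamf troubleshooting page, clause 6.
WPJ_USER_PATHS="Library/Application Support/EXAMPLE-wpj-dir
Library/Preferences/EXAMPLE-wpj.plist"

# remove_wpj_artifacts HOME_DIR [dry|delete]
# For each listed path under HOME_DIR that exists: delete it (default) or,
# in "dry" mode, only report it. Prints the number of paths that existed,
# so a second run on a clean machine prints 0. Progress goes to stderr.
remove_wpj_artifacts() {
    home="$1"
    mode="${2:-delete}"
    count=0
    old_ifs=$IFS
    IFS='
'
    # Split the list on newlines only, since paths contain spaces.
    for rel in $WPJ_USER_PATHS; do
        target="$home/$rel"
        if [ -e "$target" ]; then
            if [ "$mode" = "dry" ]; then
                echo "would remove: $target" >&2
            else
                rm -rf "$target"
                echo "removed: $target" >&2
            fi
            count=$((count + 1))
        fi
    done
    IFS=$old_ifs
    echo "$count"
}

# Entry point for a Jamf policy (runs as root): act on the console user's
# home directory. The lookup is macOS-specific; "--run dry" previews only.
if [ "${1:-}" = "--run" ]; then
    console_user=$(stat -f%Su /dev/console)
    console_home=$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $2}')
    remove_wpj_artifacts "$console_home" "${2:-delete}"
fi
```

Deploy it with `--run dry` first and read the policy log; once the reported paths match what the troubleshooting page lists, switch to `--run`. Keep the Self Service registration policy inactive as described above, otherwise the JamfAAD prompt will simply recreate the token on the next login.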


2 REPLIES


gloper1977
Contributor

Thank you. Apparently I found this script once before but never applied it. I tested it on a device where I reproduced the enrollment pop-ups again, and it worked well. Going to deploy this to my MacBooks that got enrolled.