a week ago
Hi everyone,
I’d like to raise a question and share some real-world challenges we’ve encountered regarding user switching on macOS devices enrolled via Jamf Pro and managed with Jamf Connect + Entra ID integration.
A Mac is enrolled in Jamf under one user (e.g., during setup), but then another user logs in and becomes the primary user of the device. This scenario is quite common in cases of device handoff, testing, or human error during deployment.
Incomplete Deployment of Policies and Apps:
After re-enrollment (even with full device removal from Jamf Pro and Entra ID), not all policies or apps are being deployed properly.
Device Registration & Compliance in Entra ID:
Devices sometimes fail to register properly in Entra ID.
Even if the device appears registered (sometimes duplicated 2–3 times), the "Compliance" status is either missing or errors out.
After several re-enroll attempts and manually removing the device from all platforms (Jamf, Entra ID, Intune), this can be resolved — but it’s inconsistent and time-consuming.
Jamf Connect Password Sync / Change Issues:
In one case, I couldn’t change the password via Jamf Connect after switching users.
It redirected to the “My Profile” page in the browser, but Entra ID claimed the device wasn’t registered — despite the device ID in the logs matching what’s in Entra ID.
Essentially, the user experience broke, and password sync became impossible.
How bad is this practice technically — switching users after enrollment? Are we breaking expected workflows in Jamf Connect and Jamf Pro?
Has anyone else experienced issues with Entra ID device registration/compliance when a different user starts using the device?
What’s the best practice for handling user transitions on Jamf-managed macOS devices? Is full wipe and re-enrollment the only reliable method?
Are there logs or tools you recommend to better diagnose device-user mismatches or broken compliance registration?
Any advice, insights, or similar experiences are welcome. Thanks in advance!
a week ago
Generally speaking, Jamf Pro doesn't care what Jamf Connect does. From Jamf Pro’s perspective, Jamf Connect is just a tool that installs, creates a user account, and moves on. The details of how the user is created or authenticated are abstracted away.
That said, Entra ID (formerly Azure AD) device registration is a more delicate process, and honestly, Microsoft hasn’t made it the most stable system. Device registration is a 1:1 relationship between user and device, so when switching primary users (especially without wiping), you're very likely to run into registration or compliance issues. Inconsistent behavior here is, unfortunately, common.
Best practice: If you’re transferring a Mac from User A to User B, your safest bet is to wipe and reinstall macOS, allowing User B to enroll fresh. It’s more time-consuming, but helps avoid these exact issues.
As for diagnostics:
Jamf Connect logs: Found in Console:
log show --predicate 'subsystem == "com.jamf.connect"' --info --last 1h
/var/log/jamf-connect.log
macOS console logs:
Run this to start digging into device registration:
log show --predicate 'eventMessage contains "EnterpriseEnrollment"' --info --last 1d
dscl / profiles tools:
Use dscl . list /Users to see local users.
profiles status -type enrollment to confirm MDM status.
Company Portal / Intune (if in use): Logs are in ~/Library/Logs/Microsoft/Intune.
Entra admin portal: You can search by serial number or device ID and validate the primary user or check for duplicate/stale records. Not the most intuitive, but useful in context.
Unfortunately, there's not a silver bullet for this one; it's a layered problem that stems from how Microsoft and Apple have built their ecosystems.
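A small triage script that strings the diagnostic checks above together, added here as an example; it is not from the thread and not part of any Jamf or Microsoft tool. It assumes the usual output format of profiles status -type enrollment (an "MDM enrollment:" line), takes the expected primary username as an argument, and its helper functions accept command output as text, so the constructed sample data inside the script can exercise them on any machine; the real macOS commands only run with --run on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): triage for a Mac whose primary user
# changed after enrollment. Helper functions take command output as text so
# they can be checked with the constructed samples below; main() runs the
# real macOS commands when invoked with --run.

# Classify `profiles status -type enrollment` output.
# Prints: ok (MDM enrolled and user approved), unapproved (enrolled but
# not user approved), none (no "MDM enrollment: Yes" line).
enrollment_state() {
  out="$1"
  if printf '%s\n' "$out" | grep -q '^MDM enrollment: Yes (User Approved)'; then
    echo ok
  elif printf '%s\n' "$out" | grep -q '^MDM enrollment: Yes'; then
    echo unapproved
  else
    echo none
  fi
}

# Reduce `dscl . list /Users` output to real login accounts: drop the
# _underscore service accounts plus root, daemon and nobody. More than one
# name left usually means the enrolling account is still on the box.
real_users() {
  printf '%s\n' "$1" | grep -v '^_' | grep -v -E '^(root|daemon|nobody)$'
}

# Count the accounts real_users() returns.
real_user_count() {
  real_users "$1" | grep -c .
}

# Compare the console user with the expected primary user.
primary_user_check() {
  if [ "$1" = "$2" ]; then echo match; else echo mismatch; fi
}

# Constructed sample output (not captured from a real machine) for offline use.
SAMPLE_ENROLLMENT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_USERS='_mbsetupuser
daemon
jsmith
nobody
root
setupadmin'

main() {
  expected="${1:?usage: $0 --run <expected-primary-username>}"
  [ "$(uname)" = Darwin ] || { echo "run this on the Mac being triaged" >&2; return 1; }
  echo "== MDM enrollment: $(enrollment_state "$(profiles status -type enrollment 2>&1)")"
  echo "== Local login accounts ($(real_user_count "$(dscl . list /Users)")):"
  real_users "$(dscl . list /Users)"
  echo "== Console user vs $expected: $(primary_user_check "$(stat -f %Su /dev/console)" "$expected")"
  echo "== Jamf Connect, last hour (subsystem com.jamf.connect):"
  log show --predicate 'subsystem == "com.jamf.connect"' --info --last 1h | tail -n 40
  if [ -d "$HOME/Library/Logs/Microsoft/Intune" ]; then
    echo "== Intune logs present in ~/Library/Logs/Microsoft/Intune"
  fi
}

case "${1:-}" in
  --run) shift; main "$@" ;;
esac
```

Run it on the affected Mac as sudo sh triage.sh --run jsmith (root is needed for the full profiles output). A "mismatch" console user together with two or more real login accounts is the user-switch-after-enrollment situation the thread describes; the Entra side (duplicate or stale device records) still has to be checked in the admin portal by serial number or device ID, as the post says.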
Wednesday
Have you looked into Jamf Setup Manager?
This tool will let you provision a Mac before the first user account is created. Then just have the user log in with Jamf Connect. This way the computer can still be onboarded by a tech, then given to a user to sign in to Jamf Connect.