Jamf Nation Community

@rtylerdavis Hmm.. i have currently 300+ macOS devices that are registered via Jamf Pro in our Intune environment with many Conditional Access policies, and also Intune as MDM/MAM for our iOS and Android devices.

On enrollment yeah there are the Keychain prompts for the applications that would like to use the 'MS-Organisation-Access' certificate, but in our environment we have do not experience all the prompts when someone changes their password. The prompts only exist after Intune registration and the applications would like to access the cert for the first time.

I can imagine when a login keychain gets "crippled" then you are receiving the same prompts, do you experience this for all your users and devices and are you on the lastest Company Portal version?

It's for reasons like this that our org has resorted to "white glove" deployment for every new Mac user. (and I don't mean Windows Autopilot, I'm talking about a combination of automated tools and real human hands-on, clicking away all the scary/annoying messages and filling in all the first run dialogues) On the first day of work the user can sit down at his or her desk with a fully-operational provisioned Mac with no unnecessary prompts and get familiar with the on-boarding materials. We then walk the user through the password change process so they will know what to expect when the next password change is required. Because this is such a hands-on process, it requires significantly more overhead than what any automated tool offers alone, however it cuts way down on the number of helpdesk calls and minimizes user frustration which both contribute to a smooth transition to their new role. One example is we deploy MS office 365 through VPP and push the apps via MDM but a user still needs to log in with their office365 credentials to get the applications fully operational so we log in for them and get the software activated before they arrive. We're not big enough to afford any kind of SSO solution that may or may not obviate this kind of manual enrollment.

@txhaflaire Interesting...we haven't deployed to many users yet outside of IT, but I'm getting ready to this week. If you don't mind me asking...what do your CA policies look like on the Azure side? I'm redesigning some of ours as we speak to make things a bit simpler...

In that same vein, what does your Intune Registration policy set look like? I had thought I'd read in the documentation on either the Jamf or Microsoft side that you should set the Intune Registration policy to be recurring, so I had set ours to that, but it seemed like if you had a botched Registration (network issue, timeout, etc), you would get de-registered from Intune. I'm also not seeing that anywhere in the documentation now, so I'm wondering if I misunderstood that.

I do expect a few login prompts, especially initially (we have NTLM/IWA for our proxy so we get a bit of it the first couple days), however this just seems excessive.

Has anyone managed to find a way around all the keychain login prompts? Currently testing a CA policy and with all these prompts I'm very reluctant to deploy to all users.

It's rough, but it really is just a matter of waiting the few days for everything to cache up/sync to the keychain. After that it's smooth sailing until the next password change. At this point my bigger issue seems to be NTLM/IWA authentication with our proxies. I've been working on getting them to go with kerberos, but it's a lot of work to convince of the need.