Hi everyone, today we have another post from Intune Support Engineer and resident Jamf expert Shonda Hodge. Shonda already published detailed steps on getting Jamf integration configured here, and today she follows that up with an article on how to troubleshoot integration if you encounter any issues. Special thanks to Bryce Carlson (Sr. Support Engineer @Jamf), Camden Webster (Sr. Support Engineer @Jamf), Lucas Lenard (Support Engineer I @Jamf) and Geoff Root (Test Engineer I @Jamf) who worked closely with Shonda to get this article created.
NOTE If you encounter issues with the integration of Jamf and Intune, please open a ticket with Jamf first. They will advise whether a case needs to be opened with Microsoft.
If your organization uses Jamf Pro to manage macOS devices, you can use Microsoft Intune compliance policies with Azure Active Directory conditional access to ensure that devices in your organization are compliant before accessing company resources. Jamf does this by allowing admins to sync their Mac inventory data with Intune and the Microsoft Cloud. This inventory data can then be analyzed by Intune’s compliance engine to generate a report, then combined with intelligence about the user’s identity, enforce conditional access via EMS. If the Mac device is compliant with the conditional access policies configured, it will be allowed access to the protected company resources.
Device Registration Explained
Device registration is the process in which a device’s identity is established in AAD. It uses the public-private key infrastructure, and on the device/client side it’s referred to as workplace joined (WPJ)/domain-joined (DJ)/Azure AD-joined (AADJ) whereas on the server side it is referred to as Azure Device Registration Service (ADRS or simply DRS). This device identity is needed for Intune registration.
Notes on MacOS Authentication and Registration
NOTE: AuthN primarily deals with user identity: who is this person? Is she who she says she is?
Troubleshooting Intune Registration for Jamf-managed devices
It’s important to note that the Intune Company Portal app must be launched from the Jamf Self Service app; if not the device will not be properly registered. When troubleshooting registration issues, start by gathering the following information:
sudo sysdiagnose -f /path/to/desired/save/location
log show --predicate 'subsystem CONTAINS "jamfAAD"' --last 30m
Here’s an example of a Company Portal log showing successful Intune registration:
2019-01-23 17:32:15.119 INFO com.microsoft.ssp.workplaceJoinSdk TID=27 WorkplaceJoinManager.swift: 796 (workplaceClient(_:logMessage:)) INFO: -[WorkPlaceJoin saveWorkplaceJoinStateToDevice:certificatePerferredPaths:correlationId:error:] [Line 1519][2019-01-23 17:32:15 +0000]Successfully completed device registration
2019-01-23 17:32:15.120 INFO com.microsoft.ssp.workplaceJoin TID=27 WorkplaceJoinManager.swift: 475 (didCompleteJoin()) In-app workplace join succeeded.
2019-01-23 17:32:15.159 INFO com.microsoft.ssp.enrollment TID=1 EnrollmentInProgressPaneViewController.swift: 111 (handleEnrollmentStateChange()) WPJ only enrollment complete, go to checklist page
"[\"ChassisType\": \"Desktop\", \"IsExchangeActivated\": \"0\", \"PartnerLocalizedSelfServicePortalName\": \"SelfService\", \"odata.editLink\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'8253763b-8b89-4240-bebe-ef60...", \"ExchangeActivationItemEasId\": \"\", \"PartnerName\": \"Jamf\", \"ManagementAgent\": \"JamfClient\", \"LastContact\": \"2019-01-23T17:28:28\", \"Manufacturer\": \"Apple\", \"Nickname\": \"Rechelle\U2019s MacBook Air\", \"OwnerType\": \"0\", \"ApplicationState\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'xxxxxxxx-8b89-4240-bebe-ef60...", \"SetHeartBeat\": \"[\"target\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'xxxxxxxx-8b89-4240-bebe-ef60...\"]\", \"Key\": \"xxxxxxxx-8b89-4240-bebe-ef60cccf6e8b\", \"SetRD\": \"[\"target\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'xxxxxxxx-8b89-4240-bebe-ef60...", \"ComplianceState\": \"Compliant\", \"CategorySetByEndUser\": \"0\", \"Model\": \"MacBook Air (13-inch Early 2015)\", \"LastContactNotification\": \"0001-01-01T00:00:00\", \"PartnerSelfServicePortalUrl\": \"jamfselfservice://\", \"CategoryId\": \"[null]\", \"SetOptIn\": \"[\"target\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'xxxxxxxx-8b89-4240-bebe-ef60...", \"DeviceHWId\": \"10:94:BB:C7:3E:70\", \"AadId\": \"xxxxxxxx-8b89-4240-bebe-ef60cccf6e8b\", \"GetManagementState\": \"[\"target\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'xxxxxxxx-8b89-4240-bebe-ef60...", \"AppWrapperCertSN\": \"[null]\", \"CreatedDate\": \"2019-01-23T17:37:03.9872113\", \"PartnerRemediationUrl\": \"jamfselfservice://remediate\", \"RemoteSessionUri\": \"[null]\", \"ManagementType\": \"JamfClient\", \"odata.readLink\": \"https://fef.msua06.manage.microsoft.com/StatelessIWService/Devices(guid'8253763b-8b89-4240-bebe-ef60...", \"IsPartnerManaged\": \"1\", \"OfficialName\": \"Rechelle\U2019s MacBook Air\", \"NoncompliantRules\": \"\", \"OperatingSystem\": \"Mac OS X\"]"
Tips for troubleshooting registration
Note that when configuring a conditional access policy to work with Jamf and Intune DO NOT target the Jamf Native macOS Connector app. This will break registration.
INFO com.microsoft.ssp.application TID=1 WelcomeViewController.swift: 253 (startLogin()) Portal launched without WPJ only arg while account is under partner management
How compliance is evaluated
Jamf Pro sends the inventory attributes listed below to Intune for the purposes of compliance evaluation. Be aware that there are more attributes that Jamf Pro sends, however for the purposes of this guide we’ve only listed those that are used to evaluate compliance. For a complete list of attributes that Jamf Pro sends to Intune, see Jamf Inventory information.
NOTE: If Mac computers have network accounts (or Mobile Home Folder AD accounts), compliance policies dealing with password complexity should not be used within Microsoft Intune as they cannot be reported correctly from Jamf Pro. Password complexity is enforced by the network account server.
Jamf Pro enforces compliance via the configuration profiles scoped to the macOS device and reports to Intune if the computer is managed based on the local attributes of the device at the time check-in. Intune’s compliance engine evaluates inventory data from JamfPro and generates a report and enforces conditional access via Azure AD.
Fields in Azure that displays compliance information
In Azure -> Microsoft Intune – All Devices, you will see the last check-in time. Be aware that current last check-in time is the time Intune received related device inventory data time, not actual MacOS check-in time to Jamf. This corresponds to what’s in the Company Portal app.
Under Azure AD devices, the Compliant field is used to determine whether access to resources will be granted. If the compliant state is No, users will be blocked from protected company resources.
NOTE: In Azure -> Microsoft Intune -> Azure AD devices, the Activity field for a device does not have significance for Jamf/Intune compliance evaluation.
Device check-in and compliance
By default, devices check-in with Jamf Pro every 15 minutes. This is configurable in the Jamf Pro console and you can read more on that here. If a device doesn’t check-in within a 24-hour period, Jamf will mark the device as unresponsive. If a device is marked unresponsive, Jamf will send that status to Intune and the device will be marked as non-compliant once Intune gets that data. Every registered device also has an Azure token. This token is refreshed every 12 hours, and if the token is not able to be refreshed for 24 hours or more, Jamf will mark the device as unresponsive and send that status to Intune.
NOTE: Enrolled users must log on to correct a non-responsive state. It must be the user who has work-placed joined the account as this is the user that has the identity from Intune in their login keychain.
Best practices for compliance
Tips to bring devices back into compliance
"CreatedDate": "xxxx-xx-xxxx:42:09.7465954", "PartnerRemediationUrl": "jamfselfservice://remediate", "RemoteSessionUri": "[[mobile]]", "ManagementType": "JamfClient", "odata.readLink": "https://fef.msua05.manage.microsoft.com/StatelessIWService/Devices(guid'xxxx')", "IsPartnerManaged": "1", "UserApprovedEnrollment": "0", "OfficialName": "[[OfficialName]]", "NoncompliantRules": "[[SettingID": "Device_Encryption_FileVault2Encrypted", "ExpectedValue": "True", "Title": "Turn on device encryption", "MoreInfoUri": "https://go.microsoft.com/fwlink/?linkid=851949", "Description": "You must enable full-disk encryption for this device, which wraps your information in a layer of protective code to keep unauthorized people from accessing it. We recommend you contact your company support to enable it.", "RemediationOwner": " user"]"]", "OperatingSystem": "Mac OS X", "RegisterForAppPushNotifications": "["target": "https://fef.msua05.manage.microsoft.com/StatelessIWService/Devices(guid'xxx')/RegisterForAppPushNoti..."
Managing Stale Devices in Azure AD
Ideally, to complete the lifecycle, registered devices should be unregistered when they are not needed anymore. However, due to, for example, lost, stolen, broken devices, or OS reinstallations you typically have stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that require management.
What is a stale device?
A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:
For more information on detecting and cleaning up stale devices, please see the following link: https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices
Under Azure AD Devices the Mac shows Non-compliant, but under All Devices it shows to be compliant. Which one is accurate?
My Macs have a password set and my compliance policy requires a passcode, but my devices are still not compliant?
Why do I see the device in the Azure AD blade but not in Intune?
If I have a blank compliance policy assigned to my Mac devices, how does Intune evaluate compliance?
If a device has not communicated Jamf in over 24 hours, how do I bring it back into compliance?
How long does a device have to remain in an unresponsive state before Jamf codes it as Unmanaged?
Can you force device check-in from Intune? If so, how do you do it?
What ports need to be open for Jamf and Intune to work properly?
NOTE: Be sure to allow outbound connections to, and redirects from, Apple’s 126.96.36.199/8 block over TCP port 5223 / 443 from all client networks, and on ports 2195 and 2196 from Jamf Pro servers to make sure APNS will function correctly on your network.
Intune reference: https://docs.microsoft.com/en-us/intune/network-bandwidth-use
What causes an Azure AD ID to be reflected as “Deactivated” in Jamf?
If I have an on-premise instance of Jamf and I want to add a cloud instance of Jamf, can I have both linked to Azure at the same time?
If I encounter an issue with my Jamf-managed device registered with Intune and I need assistance, what should I do?
The UPN of the affected user(s)
The AAD Device ID
Company Portal logs
Screenshots of compliance/conditional access policies from Intune and screenshots of Jamf configuration profiles (compliance settings specifically)
When configuring Jamf with Intune, the following error message appears when trying to confirm settings from the Jamf console:
Graph API Access Token cannot be retrieved
This typically occurs is there is a proxy or firewall blocking required ports. Check the ports listed above.
When configuring Jamf with Intune, the following error message appears:
Graph API Access Token cannot be retrieved
The Jamf Pro Server log also contains a 401 error when the connection to Graph is attempted:
[ConditionalAccessHTMLResponse] - Could not enable provisioning
com.jamfsoftware.conditionalaccess.provisioning.InvalidResponseStatusException: Status code 401
This can occur if you did not input your App ID correctly on the Device compliance - Partner device management page. Input and save the correct App ID to resolve this issue.
When trying to register a Jamf enrolled device with Intune, the following message is seen after signing into the Company Portal app:
Invalid command line input. Registration-only command line flag (-r) can only be used when partner management is enabled in Intune. Please contact your IT admin.
This will occur if Intune integration is turned off. The Jamf Pro server sends a pulse to the Intune servers when this is unchecked, telling Intune that the integration is disabled. To resolve this issue, re-enable Intune integration in Jamf Pro
When trying to register a Jamf enrolled device with Intune via Jamf Self Service, the Company Portal does not launch and the following error is generated:
The operation couldn’t be completed. (Com.jamfsoftware.task.errors 1.) [com.jamfsoftware.task.errors code=1}
This occurs if the user shell for your macOS user account is not set to a working directory such as /bin/bash. Set the user shell for your user account to a working directory to resolve the issue.
Intune Support Engineer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.