Configuring Jamf Pro and Intune Integration
Published Feb 12 2019 09:30 AM
Microsoft

Hello everyone, today we have a fantastic article from Intune Sr. Support Engineer and resident Jamf expert Shonda Hodge. Shonda walks through the entire process of configuring integration of Microsoft Intune and Jamf Pro, creating and deploying policies and profiles, as well as enrolling and registering your Mac computers. As always, if you have any feedback for us please leave a comment below.

 

=====

Introduction

This article discusses the integration of Microsoft Intune and Jamf Pro. Topics covered include the following:

  • Architecture and requirements
  • Configuration steps for Jamf and Intune
  • Creating and deploying device compliance policies in Intune
  • Creating and deploying configuration profiles via Jamf
  • Registering user devices with Azure Active Directory (AAD)
  • Enrolling into Jamf and registering with Intune
  • Information on the inventory attributes shared from Jamf to Intune

Architectural Overview

  • Jamf delivers information about the management state and health of Apple’s Mac computers to Microsoft Intune’s device compliance engine.
  • Intune’s device compliance engine integrates with Azure Active Directory and allows you to identify unmanaged and non-compliant Mac computers in your environment.
  • You can then remediate the identified machines in Jamf’s Self Service for macOS.


Integration Requirements

You will need the following to configure Microsoft Intune integration with Jamf Pro:

  • The latest version of Jamf Pro
  • Microsoft Intune and Microsoft AAD Premium P1 licenses (recommended Microsoft Enterprise Mobility + Security license bundle)
  • A user with Microsoft Intune Integration privileges in Jamf Pro
  • The latest version of the Microsoft Intune Company Portal app
  • End user computers with macOS 10.11 or later

Reference: https://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.17.0/Requirements.html

 

Configuration steps for Jamf and Intune

To enable the connection between Intune and Jamf, configuration is required for both Microsoft Intune and Jamf Pro. When the connection between Microsoft Intune and Jamf Pro is successfully established, Jamf Pro sends the computer inventory state of each managed computer that has checked in with Jamf Pro within the last 24 hours. For a list of the computer attributes that Jamf Pro sends to Microsoft Intune, see Inventory information shared with Microsoft Intune at the end of this post.

 

Configuring the connection between Jamf Pro and Microsoft Intune involves the following steps:

1. Creating a new application for Jamf Pro in Microsoft Azure

2. Configuring Microsoft Intune Integration settings in Jamf Pro

3. Configuring Microsoft Intune to allow the Jamf Pro integration

 

NOTE Information is sent to Microsoft Intune only for computers that have completed the device registration process with Azure Active Directory.

 

Creating a new application for Jamf Pro in Microsoft Azure

 

NOTE When configuring a conditional access policy to work with Jamf and Intune DO NOT target the Jamf Native macOS Connector app. This will break registration.

 

1. Log onto portal.azure.com.

2. Navigate to Azure Active Directory -> Manage -> App registrations.

3. Click +New application registration.


4. Enter a display name (e.g. IntuneJamfCA).

  - Supported account types – leave the default option selected.

  - Sign-on URL – enter your Jamf Pro instance URL.

5. Click Register.

6. Copy the Application ID field. The Application ID is required to configure the Compliance Connector in Intune and the Microsoft Intune integration settings in Jamf Pro.


7. Under Manage, select API permissions. Click on the permission itself (nested), not the API.


8. Click Remove permission. Once gone, the API itself will disappear from the menu.


9. Click +Add a permission.


10. Select Intune.


11. Check the box for update_device_attributes (send device attributes to Microsoft Intune). Click Add permissions.


12. Under Grant consent, click “Grant admin consent for <name of tenant>”.

13. Click Yes on the prompt “Do you want to grant consent for the requested permissions for all accounts in <tenant name>?”

14. Select the Certificates & secrets blade. Select "New client secret".


15. Enter a Description (EX: JSS Key) and select an expiration date. Click Add.


16. Copy the Client secret ID.

NOTE You won't be able to see it again once you leave this page, so make a safe copy of it.

17. Select the Intune service from the far left of portal.azure.com. Select the Device Compliance blade. Click on "Partner device management". Put in the application ID for the enterprise app that was just created and click Save.


 

Reference: http://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Configure_the_Connection_Betw...

Configuring Microsoft Intune Integration settings in Jamf Pro

 

NOTE Jamf documentation on configuring Microsoft’s Intune Integration settings in Jamf Pro can be found here.

 

1. Log onto the Jamf admin console, click on the gear icon in the upper right-hand corner, then under Global Management select Microsoft Intune Integration and click Edit.


2. Select Enable Microsoft Intune Integration.

  - Sovereign Cloud – Select Public Cloud

  - Azure AD Tenant Name – <Enter your tenant name>

  - Application ID – <Enter app ID from Azure web app>

  - Application Key – <Enter app key from Azure web app>

 

3. Click Open administrator consent URL.


4. Pick an account and enter your password.


Configuring Microsoft Intune to allow Jamf Pro integration

1. In the Azure portal, navigate to the Intune blade -> Device Compliance -> Partner device management.

2. Enable the Compliance Connector for Jamf by pasting the Application ID into the Jamf Azure Active Directory App ID field.


NOTE Click Refresh to get the Save option.

 


Creating device compliance policies in Microsoft Intune

Now that the connection between Jamf Pro and Microsoft Intune has been established, you can start applying compliance policies to end user computers in Microsoft Intune.

 

1. Open the Microsoft Azure portal, navigate to Intune > Device Compliance > Policies and create policies for macOS. You can also select a series of actions (e.g., sending warning emails) that should be applied to non-compliant users and groups.

2. Once you create all required compliance policies, simply create Assignments for the compliance policies to apply them to specific users or groups.

 

IMPORTANT Due to a known issue that sometimes prevents alphanumeric passwords from being reported correctly from Jamf Pro, the alphanumeric password type should not be used when creating compliance policies in Microsoft Intune.

 

Reference: https://docs.microsoft.com/en-us/intune/conditional-access-assign-jamf; http://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Apply_Device_Compliance_Polic...

 

Deploying a configuration profile in Jamf Pro

To register user computers with Jamf Pro and Azure Active Directory, you must first create a policy in Jamf Pro that installs the Company Portal app for macOS on those computers. Deploying the Company Portal app from Microsoft to computers involves the following steps:

 

1. Downloading the Company Portal app from Microsoft.

2. Uploading the Company Portal app to Jamf Pro as a package.

3. Deploying the Company Portal app to computers.

 

Downloading the Company Portal app from Microsoft

On a Mac computer, download the current version of the Company Portal app for macOS from the Microsoft website. Do not install it; you just need a copy of the app to upload to Jamf Pro.

 

Navigate to https://go.microsoft.com/fwlink/?linkid=862280 to download the CompanyPortal_Installer.pkg file.

 

Upload the Company Portal app to Jamf Pro as a package

1. Upload the Company Portal app to a distribution point in Jamf Pro.

2. In Jamf Pro, navigate to Settings -> Computer Management -> Packages.

3. Create a new package with the Company Portal app for macOS and click Save.

 

Deploy the Company Portal app to computers

1. In Jamf Pro, navigate to Computers -> Policies and create a policy that deploys the Company Portal app to users.

  a. Use the General payload to configure policy settings.

  • For Trigger, select "Enrollment Complete" and "Recurring Check-in".
  • For Execution Frequency, select "Once per computer".

  b. Select the Packages payload and click Configure.

  c. Click Add for the package with the Company Portal app.

  d. Configure the settings for the package.

  e. Specify a distribution point for computers to download the package from.

 

2. Click the Scope tab to specify the computers on which the Company Portal app should be installed.

3. Click Save.

 

NOTE The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.

 

Reference: http://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Deploy_the_Company_Portal_App...

 

Creating a policy in Jamf to have users register their devices with Azure Active Directory

Before directing users or groups to register their computers with Azure AD, you must deploy the Company Portal app to user computers. In Jamf Pro, there are a couple of different methods to identify users who do not have the Company Portal app installed on their computers.

 

Method 1

1. In Jamf Pro, create a smart computer group to identify computers that do not have the Microsoft Company Portal app installed.

2. In Jamf Pro, create a policy that deploys the Company Portal app to the smart group created in Step 1.

 

For Trigger, select "Login" or "Recurring Check-in".

For Execution Frequency, select "Ongoing".

 

The policy also updates computer inventory, so once the Company Portal app is reported as installed on a computer, that computer falls out of the smart group created in Step 1 and Jamf Pro no longer tries to install it.

 

Method 2

1. In Jamf Pro, create a smart computer group to identify computers that do not have the Azure Active Directory ID attribute.

2. (Optional) You can add a second criterion to this group, not being a member of the smart group you created in Step 1, to ensure that only computers with the Company Portal app are included in this group.

 

NOTE: For steps on how to create a Smart Group, see the following: http://docs.jamf.com/10.9.0/jamf-pro/administrator-guide/Smart_Computer_Groups.html

 

Reference: http://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Create_a_Policy_Directing_Use...
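As an added example, not part of the original post and not Jamf's or Microsoft's own code: a Python model of the smart-group logic in Method 1 and Method 2, plus the two conditions the guide gives for inventory being sent to Intune (an Azure AD ID and a check-in within the last 24 hours). The inventory records and field names are constructed for the example and are not Jamf Pro's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the Jamf Pro inventory fields this guide relies on
# (assumed field names, not Jamf's data model).
@dataclass
class ComputerRecord:
    name: str
    installed_apps: tuple
    azure_ad_id: Optional[str]   # the "Azure Active Directory ID" attribute
    last_checkin: datetime

COMPANY_PORTAL_APP = "Company Portal.app"
SYNC_WINDOW = timedelta(hours=24)   # Jamf Pro sends inventory for computers seen in the last 24 hours

def needs_company_portal(rec):
    """Method 1 smart group: the Company Portal app is not installed."""
    return COMPANY_PORTAL_APP not in rec.installed_apps

def needs_aad_registration(rec):
    """Method 2 smart group: no Azure AD ID, and (optional second criterion) the app is present."""
    return rec.azure_ad_id is None and not needs_company_portal(rec)

def is_sent_to_intune(rec, now):
    """Inventory is sent only for AAD-registered computers that checked in within the window."""
    return rec.azure_ad_id is not None and now - rec.last_checkin <= SYNC_WINDOW

def triage(records, now):
    """Classify each record into the bucket the guide's policies act on."""
    result = {}
    for rec in records:
        if needs_company_portal(rec):
            result[rec.name] = "install-company-portal"   # target of the Method 1 policy
        elif needs_aad_registration(rec):
            result[rec.name] = "register-with-aad"        # target of the Self Service registration policy
        elif is_sent_to_intune(rec, now):
            result[rec.name] = "synced-to-intune"
        else:
            result[rec.name] = "stale-checkin"            # registered, but Intune receives no update
    return result

NOW = datetime(2019, 2, 12, 9, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed sample inventory
    ComputerRecord("mac-01", ("Safari.app",), None, NOW - timedelta(hours=1)),
    ComputerRecord("mac-02", ("Safari.app", COMPANY_PORTAL_APP), None, NOW - timedelta(hours=2)),
    ComputerRecord("mac-03", (COMPANY_PORTAL_APP,), "aad-id-placeholder-03", NOW - timedelta(hours=23)),
    ComputerRecord("mac-04", (COMPANY_PORTAL_APP,), "aad-id-placeholder-04", NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, bucket in triage(SAMPLE_RECORDS, NOW).items():
        print(f"{name}: {bucket}")
```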

 

Directing users to register their computers with Azure Active Directory

End users need to launch the Company Portal app through Jamf Self Service to register the device with Azure AD as a device managed by Jamf Pro. This requires action on the part of end users, so the recommendation is to notify them by email, Jamf Pro notifications, or any other method, telling them to click the button in Jamf Self Service.

1. In Jamf Pro, navigate to Computers -> Policies and create a new policy for device registration.

2. Use the General payload to specify policy settings, including trigger and execution frequency.

 


3. Configure the Microsoft Intune Integration payload.


 

4. Click the Scope tab and scope the policy to all targeted devices.


5. Click the Self-Service tab to make the policy available in Jamf Self Service.

6. (Optional) Include the policy in the Device Compliance category.

7. Click Save.

IMPORTANT: The Company Portal app must be launched from Jamf Self Service to begin device registration. Launching the Company Portal app manually (e.g., from the Applications or Downloads folder) will not register the device. If an end user launches the Company Portal app manually, they will see a warning, 'AccountNotOnboarded'.

 

Enrolling into Jamf and registering with Intune

There are two ways to enroll into Jamf:

  1. Standard enrollment.
  2. Enrollment using the Quick Add package.

Enrollment using the Quick Add package

1. The user receives the enrollment email and they copy and paste the link into a web browser.


2. Click Download to begin enrollment.


NOTE If a warning message pops up, click OK, then open System Preferences to allow the package to be installed.

3. Click Launchpad -> System Preferences -> Show All -> Security & Privacy.

4. Under “Allow apps downloaded from” choose Open Anyway.


5. Select Open.


6. Select Continue.


7. Select Continue.


8. Select Install.


9. Enter your password and click Install Software.


10. Click Install to enroll the device into Jamf, install the Company Portal app, and to register the device with Intune.


11. If there are Microsoft updates, a notification will pop up. Click Install to get the latest Company Portal app.

12. Click Continue.


13. Click Install.


14. Click Close Application and Install.


15. Click Close.


16. Click Close.


NOTE If necessary, you can skip the Company Portal app (CP app) update during enrollment and then come back and update the Company Portal app normally afterwards.

17. Sign in to register the Mac computer with Intune and create an Azure Active Directory ID.

18. Click to Accept.


19. Click Get the app to install the Company Portal.


20. Click Done.


21. Approve the MDM profile.


22. Close out of these screens.


23. Click Done.


24. Enter your password and select “Always Allow”.

 

Congratulations! The device is now successfully managed by Jamf and registered with Intune.

 

From the Jamf console, the device is enrolled into Jamf and registered with Intune. Note the computer’s Azure Active Directory ID.

 

Inventory information shared with Microsoft Intune

For a list of inventory attributes shared from Jamf to Microsoft Intune, click here.

 

Resources

10 Comments
Silver Contributor

Wow, lots of work with so many images. Good guide ;)

Brass Contributor

Is there any intention for Intune's native macOS management features to be improved & expanded? Perhaps to the point where an additional & separate MDM (Jamf) is not required?

I've been trying and trying to get access to an NFR license for JAMF but they haven't been forthcoming. I have many customers who would like to know more about the product and without access to it I can't help them. :(

Copper Contributor

While we got this working, I must have missed something.  The screenshots show the company portal app open with a sign-in prompt (16b), then just a blank screen with the enrollment of jamf complete (16c), then the jamf connector login comes up (17).  Is the user supposed to know to close the company portal and does the jamf connector login just come up?  If SSO through Azure is integrated into jamf can the self service pass this information to the connector without the need of so many logins?

Microsoft

Hi @Joshua Millet ,

 

Thank you for your feedback. To answer your questions, the login that comes up on step 17 is a prompt from the Company Portal app to authenticate and begin the registration process with Azure. For the second question, I have not seen the use of SSO being able to limit the number of logins; I believe this is part of the initial registration workflow. I would suggest going to our UserVoice site and submitting a request to limit the number of logins in the workflow.  

 

Uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas

 

Copper Contributor

Great articles! Would  JAMF/Intune integration add more details to reports and PowerBI dashboards in Defender ATP SecurityCenter for Mac devices or other additional features and better visibility in scenario when Intune is connected to Microsoft Defender Security Center and Defender ATP is deployed through JAMF? 

 

 

Microsoft

Hi @AartecWave ,

 

Thank you for your feedback. As far as your question, while we don't currently have that functionality I would suggest submitting a request to our User Voice site. We use this site to determine which new features customers would like to see with our product. Here is the link to the site: https://microsoftintune.uservoice.com/forums/291681-ideas

 

Copper Contributor

Great job Shonda! I am new to the Intune arena and this connects many dots for me......amazing information! RM

Brass Contributor

Hi @John-Marcum 

intune added many features for Apple products in general and macOS as well.
I too have many customers with Mac devices and I feel Intune does the job in most cases. 
But then again, you’re not the first who uses Intune and still wants to try JAMF, I’m guessing it is because some crucial features are missing. 
Could you please share the reasons you want to try JAMF? (Hope I’ll learn from your answer, I have the feeling I’m missing something here :). 

Microsoft

Shonda has provided this detailed guide for creating the manual integration with Intune from Jamf.  I just wanted to mention that there is now a Jamf Cloud Connector integration available for Intune.  The Cloud Connector automates many of the steps you see detailed above in this great guide.  The Cloud connector supports multiple instances of Jamf Pro with a single Azure tenant.  However, you do not need to have multiple instances to use it.  You will need Jamf Pro version 10.18 or later and then you can use the Cloud Connector to set up the integration with Intune.  Here is the Jamf Cloud Connector document for reference: https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-jamf-cloud-connector.

Version history
Last update: Nov 30 2023 03:44 PM