Whilst integrating Intune with Jamf so that we could build some Conditional Access policies based on Jamf compliance, I followed the Microsoft Docs and all worked well, except for adding the app from Jamf and a few issues with Macs showing as non-compliant. I've outlined the main setup and the steps to resolve these within this guide.
Create an application in Azure Active Directory
In the Azure portal, go to Azure Active Directory > App Registrations.
Select +New application registration
Enter a display name (it can be anything you like).
Select Web app / API.
Specify the Sign-On URL (this is your login URL to your Jamf admin portal)
Select create. The application is created and the portal presents the application details.
Save a copy of the Application ID somewhere like Notepad; you'll need it later in both Jamf and the Azure portal.
Select Settings and go to API Access > Keys.
On the Keys pane:
- specify a Description (can be anything)
- choose how long before it expires (1 year, 2 years or never; up to you)
- then select Save to generate the Application Key (Value).
**Important** The Application Key is only shown once during this process. Be sure to save it somewhere you can easily retrieve it, e.g. Notepad (although if you miss this part you can always create a new key and delete the old one).
Back on the Settings pane for the app, navigate to API Access > Required permissions.
Select any existing permissions and click Delete, so that all existing permissions are removed.
To assign a new permission, select +Add > Select an API > Microsoft Intune API, and then click Select.
On the Enable Access pane, select Send device attributes to Microsoft Intune and then click Select, and then Done.
On the Required permissions pane, select Grant Permissions and then Yes to apply the required permissions to the application.
Enable Intune to integrate with Jamf Pro
In the Azure portal, go to Microsoft Intune > Device Compliance > Partner device management.
- **IMPORTANT** Enter the Application ID you saved earlier to Notepad.
Click Save
Configure Microsoft Intune Integration in Jamf Pro
- **IMPORTANT** You will need your Azure AD Tenant ID for the Jamf configuration.
In Azure AD, go to Properties and copy your Directory ID.
In Jamf Pro, navigate to Global Management > Conditional Access. Click the Edit button on the Microsoft Intune Integration tab.
Select the checkbox for Enable Microsoft Intune Integration.
Provide the required information about your Azure tenant, including:
- Location: mine was Global, yours may be in a public cloud.
- Azure AD Tenant Name: this is the Directory ID you copied from Azure AD Properties (a long string of letters and digits).
- Application ID and Application Key: the values you saved to Notepad when you set up the app in Azure in the previous steps.
Select Save. Jamf Pro tests your settings and reports whether the connection succeeded.
**IMPORTANT** This assumes that the Jamf admin is also a Global Admin in Azure. A URL will be opened and you'll be asked to authorise the app; if you're not a Global Admin you may receive the following notification.
If you get the above message, ask your Global Admin to approve the app. If you are a Jamf admin but not an Azure admin, you can send the URL to the Azure Global Admin; when they open it they can approve the app.
Deployment to users
- **IMPORTANT** Before you deploy the portal to users, ensure the users are in a group in Azure AD that is also targeted for MDM. If you don't do this you will often find devices showing as non-compliant.
Deploy the Company Portal app for macOS in Jamf Pro
On a mac, download the current version of the Company Portal app for macOS. Do not install it; you need a copy of the app to upload to Jamf Pro.
Open Jamf Pro, then navigate to Computer management > Packages.
Create a new package with the Company Portal app for macOS, then click Save.
Open Computers > Policies, then select New.
Use the General payload to configure settings for the policy. These settings should be:
- Trigger: select Enrollment Complete and Recurring Check-in
- Execution Frequency: select Once per computer
Select the Packages payload and click Configure.
Click Add to select the package with the Company Portal app.
Choose Install from the Action pop-up menu.
Configure the settings for the package.
Click the Scope tab to specify on which computers the Company Portal app should be installed. Click Save. The policy will run on scoped devices the next time the selected trigger occurs on the computer and the criteria in the General payload are met.
Create a policy in Jamf Pro to have users register their devices with Azure Active Directory
The Company Portal app must be launched from Jamf Self Service via the registration policy you push out (described below).
Launching the Company Portal app manually (e.g. from the Applications or Downloads folders) will not register the device. If an end user launches the Company Portal manually, they will see the warning 'AccountNotOnboarded'.
In Jamf Pro, navigate to Computers > Policies, and create a new policy for device registration.
Configure the Microsoft Intune Integration payload, including the trigger and execution frequency.
Click the Scope tab, and scope the policy to all targeted devices.
Click the Self Service tab to make the policy available in Jamf Self Service. Include the policy in the Device Compliance category. Click Save.
Success
Once a user enrols their Mac, you should start to see Macs appear under Devices.
Final tips
If you get non-compliant devices (a few people have mentioned this on the Jamf forums; it seems to happen if your MDM policies aren't set or the user tries to register Company Portal manually) you can use the following hack (not recommended). It forces compliance if you really don't want to ask the users to uninstall and reinstall Company Portal and go through registration again.
In PowerShell, get the device's Object ID. There are several ways to do this; one is:
```powershell
Get-MsolDevice -Name "put in the name of your device"
```
This outputs the object's properties. Copy the ObjectId, then:
```powershell
# -IsCompliant takes a Boolean; $true marks the device compliant
Set-AzureADDevice -ObjectId "objectIDvalue" -IsCompliant $true
```
You will now find your device compliant in Azure AD, and after a couple of Jamf syncs it will be in Intune too.
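As an added example (not from the original post), here is the same override wrapped in sanity checks, using the AzureAD module rather than MSOnline for both steps, plus an audit query for the side effect the hack has on Conditional Access: a device marked compliant by hand satisfies the "exclude compliant devices" condition whether or not Jamf actually manages it. It assumes Connect-AzureAD has already been run as a Global Admin; the device name is a constructed placeholder, and matching DeviceOSType on 'Mac*' is my assumption about how Company Portal reports macOS.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module
# is installed and Connect-AzureAD has already been run as a Global Admin.
$DeviceName = 'MAC-PLACEHOLDER-01'   # constructed placeholder, not a real device

# Show the fields that explain a compliance result: IsManaged is what the
# MDM registration reports, IsCompliant is what Jamf/Intune (or a manual
# override) last set.
function Get-MacDeviceState {
    param([Parameter(Mandatory)][string]$Name)
    Get-AzureADDevice -SearchString $Name |
        Select-Object DisplayName, ObjectId, DeviceId, DeviceOSType,
                      IsManaged, IsCompliant, ApproximateLastLogonTimeStamp
}

# The override from the post, restricted to an exact display-name match
# (SearchString is a prefix match, so 'MAC-01' would also hit 'MAC-011').
function Set-MacDeviceCompliant {
    param([Parameter(Mandatory)][string]$Name)
    $devices = @(Get-AzureADDevice -SearchString $Name |
                 Where-Object { $_.DisplayName -eq $Name })
    if ($devices.Count -ne 1) {
        throw "Expected exactly one device named '$Name', found $($devices.Count)."
    }
    $device = $devices[0]
    if (-not $device.IsManaged) {
        # A device that never completed registration usually needs the
        # Self Service registration policy again rather than an override.
        Write-Warning "$Name is not reported as MDM-managed; the override will still apply."
    }
    Set-AzureADDevice -ObjectId $device.ObjectId -IsCompliant $true
    Get-MacDeviceState -Name $Name
}

# Audit: Macs that are compliant but not managed are the footprint of a
# manual override and will pass the Conditional Access compliance exclusion.
# The 'Mac*' match on DeviceOSType is an assumption; adjust to your tenant.
function Find-ManuallyCompliantMacs {
    Get-AzureADDevice -All $true |
        Where-Object { $_.DeviceOSType -like 'Mac*' -and $_.IsCompliant -and -not $_.IsManaged } |
        Select-Object DisplayName, ObjectId, DeviceOSType, IsManaged, IsCompliant
}

Get-MacDeviceState -Name $DeviceName
# Set-MacDeviceCompliant -Name $DeviceName   # the override; run only when intended
Find-ManuallyCompliantMacs
```

Run Find-ManuallyCompliantMacs periodically so that overrides applied as a quick fix do not quietly accumulate into a permanent bypass of the policy below.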
Conditional Access
Here is an example Conditional Access policy that blocks non-compliant machines (Macs not managed by Jamf) from accessing Office 365:
- Cloud apps: Office 365 Exchange
- Device platforms: macOS
- Client apps: Browser and Mobile
- Grant: Block access
- Exclude: devices marked as compliant
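The policy above expressed as a Microsoft Graph conditionalAccessPolicy and created in report-only mode, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell module with Connect-MgGraph already run using the Policy.ReadWrite.ConditionalAccess scope; the user scope of All and the device filter (the current form of "exclude devices marked as compliant") are my assumptions, since the post does not state them.

```powershell
# Added example, not from the original post. Requires Connect-MgGraph with
# the Policy.ReadWrite.ConditionalAccess scope already completed.
$policy = @{
    displayName = 'Block non-compliant macOS from Exchange Online'
    # Report-only first: sign-in logs show what would be blocked, including
    # any admin Macs that are not yet compliant, before enforcement.
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All') }          # assumption: post does not state users
        # Office 365 Exchange Online, well-known first-party application ID
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        platforms      = @{ includePlatforms = @('macOS') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        # Current equivalent of "Exclude devices marked as compliant":
        # a device filter in exclude mode on the isCompliant attribute.
        devices        = @{
            deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

function New-JamfCompliancePolicy {
    param([Parameter(Mandatory)][hashtable]$Definition)
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($Definition | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

$created = New-JamfCompliancePolicy -Definition $policy
"Created policy $($created.id) in state $($created.state)"
```

Because the exclusion keys on isCompliant alone, the manual override described in the Final tips section satisfies it just as a genuine Jamf compliance result does; review report-only sign-in logs with that in mind before switching the state to enabled.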