Jamf Pro + Intune: A Powerful Duo for Device Compliance

Introduction

In the modern workplace, managing devices effectively while maintaining security and compliance is critical for organizations. With a growing number of devices and operating systems, particularly macOS, finding a seamless way to ensure compliance while also providing a great user experience can be challenging. However, combining two industry-leading tools—Jamf Pro and Microsoft Intune—provides a powerful solution for device compliance. This blog post will explore how the integration of Jamf Pro with Microsoft Intune can elevate your organization’s compliance strategy, blending the best of both worlds.

Understanding Jamf Pro and Microsoft Intune

Jamf Pro is a renowned solution for managing macOS devices. It offers a wide range of features, including software distribution, inventory management, and security policies. Microsoft Intune, on the other hand, is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.

When combined, Jamf Pro and Intune create a synergistic approach that enables organizations to effectively manage devices across their entire fleet. This integration offers several key advantages:

  • Centralized Management
  • Consistent Policies
  • Enhanced Security
  • Reduced Management Overhead
  • Improved User Experience

Why Device Compliance Matters

Compliance isn’t just a buzzword—it’s a necessity for protecting sensitive data, maintaining trust with clients and customers, and meeting regulatory requirements like GDPR, HIPAA, and others. For IT teams, this means ensuring that every device, regardless of operating system, meets the organization’s security policies. Non-compliant devices can pose serious risks to corporate networks, whether through vulnerabilities, outdated software, or misconfigurations.

To achieve device compliance, organizations often rely on unified endpoint management (UEM) solutions. Both Jamf Pro and Microsoft Intune are widely recognized leaders in device management. Together, they form a compliance powerhouse for hybrid environments.

Why should I integrate Jamf Pro with Microsoft Entra ID?

Microsoft Entra Conditional Access policies are able to require devices to not only meet compliance standards, but also register with Microsoft Entra ID. Organizations are seeking to continually improve their security posture by using Microsoft Entra Conditional Access policies to ensure the following example scenarios:

  • Devices are registered with Microsoft Entra ID.
  • Devices are using a known trusted location or IP address range.
  • Devices are meeting the standards of compliance in order to access corporate resources using Microsoft 365 desktop applications and the browser.

What’s different about Microsoft Entra integration vs the Conditional Access method Jamf previously offered?

For organizations that use Jamf Pro but haven’t yet established a connection to Intune, the previous method, configured in the Jamf Pro portal under Settings > Global > Conditional Access, no longer accepts new configurations.

New integrations are configured under Settings > Global > Device Compliance, which provides a wizard-based process to walk you through the connection to Intune. The wizard creates the required Microsoft Entra registered applications for you. In this current design these registered applications can’t be pre-created as they were previously.

How Jamf Pro + Intune Integration Works

Jamf Pro delivers information about the management state and compliance status of computers and mobile devices to Microsoft Intune’s Partner Compliance Connector, which forwards the data to Microsoft Entra ID (formerly Azure AD) for use with Conditional Access policies. Device compliance can be enforced using Jamf Pro’s management capabilities and is calculated using Jamf Pro smart groups. Computer and mobile device records are available in Entra ID and devices listed in Entra ID are labeled as managed by “Microsoft Intune”.

The following diagram shows a high-level flow of the computer and mobile device integration architecture:

(Diagram source: https://learn.jamf.com)

With this high-level view of the integration in place, it’s time to get our hands dirty configuring it.

Prerequisites

Integrating with Microsoft Entra to enforce device compliance involves the following steps:

  1. Configuring the Microsoft Entra Integration
  2. Completing the Compliance Workflow for Computers or Compliance Workflow for Mobile Devices
  3. Creating a Conditional Access Policy

For ease of understanding, I have broken the requirements down into two categories: administrative requirements and hardware/app requirements.

Administrative Requirements

To configure the Microsoft Entra integration with Jamf Pro, you need the following:

  • Jamf Cloud-hosted environment or an on-premises environment
  • A Jamf Pro user account with device compliance privileges
  • Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)
  • Working knowledge of administrating Jamf & Intune environments

Hardware/App Requirements

  • macOS 10.11 or later
  • Local or mobile user accounts
  • iOS 11 or later, or iPadOS 13 or later
  • Jamf Pro Self Service for iOS 10.10.3 or later

Jamf Pro Configurations

To enable Jamf Pro to send compliance status to Microsoft Entra ID (formerly Azure AD) for each computer and mobile device registered with Entra ID, you need to set up a connection between Jamf Pro and Microsoft Entra.

Before establishing the connection to Intune, the following Computer Smart Groups and a Computer Policy must be created in the Jamf Pro console as part of the required configurations:

1. Computer Smart Groups: These groups help segment computers based on certain criteria, such as compliance status or installed software, which are necessary for proper reporting to Intune.

2. Computer Policy: This policy ensures that the necessary actions, such as compliance checks or reporting, are performed on the devices in the Smart Groups.

These configurations are crucial for the Jamf Pro and Intune integration to function correctly.

Computer Smart Groups

Create two computer smart groups as shown below:

Applicable: Create a computer smart group whose criteria determine which devices need access to company resources in the Microsoft tenant.

  • Go to Jamf Pro > Computers > Smart Computer Groups and create a new group.
  • Criteria: Application Title, Operator = is, Value = CompanyPortal.app

Compliance: Create a second computer smart group whose criteria determine whether devices are deemed compliant in Jamf and meet your organization’s security standards.

  • Criteria:
    • Last Inventory Update, Operator = Less than x days ago, Value = 2
    • and: Application Title, Operator = is, Value = CompanyPortal.app
    • and: FileVault 2, Operator = is, Value = All Partitions Encrypted

Computer Policy

You can create a policy in Jamf Pro that directs end users to initiate the device registration process by running the Company Portal app. Users must launch the Company Portal app from Jamf Self Service for macOS to register their Mac computers with Microsoft Entra ID as a device managed by Jamf Pro.

Create one computer policy that includes the following configurations:

Go to Jamf Pro > Computers > Policy and create a new policy:

  • Options tab:
    • General:
      • Display Name – Give the policy a name.
      • Enabled – Check this box to enable the policy.
    • Microsoft Device Compliance:
      • Enable Register computers with Microsoft Entra ID.
  • Scope tab: Under Selected Deployment Targets, add the Applicable computer smart group created in the previous step.
  • Self Service tab:
    • Enable Make the policy available in Self Service.
    • Set a display name.
    • Set a button name.
    • Provide a description.
    • Enable Ensure that users view the description.
    • Enable optional Categories as desired.
  • Select Save.

Mac App

Create a Mac App from the Jamf App Catalog for the Microsoft Intune Company Portal that deploys to all devices.

  • Go to Computers > Mac Apps, and select +New.
  • Select Jamf App Catalog, and then select Next.
  • Search for Microsoft Intune Company Portal and select add next to the application.
  • Set Target Group to All Managed Clients.
  • Set Distribution Method to Install Automatically.
  • Enable Install supporting configuration profiles.
  • Enable the Deploy switch at the top right, and then select Save.

Microsoft Entra Configurations

Use the following steps to create a group containing the users of Jamf-managed devices; this group will be used to scope the Intune connector.

  • Sign in to https://entra.microsoft.com with an account that has permissions to create groups and to create and edit Conditional Access policy.
  • Expand Groups > All groups > and select New Group.
  • Create a dynamic group with appropriate rules to include the applicable users that will register their Jamf managed devices with Microsoft Entra ID.

Connect Jamf Pro to Microsoft Intune

Jamf Pro uses connectors available in the Microsoft Intune admin center, located under Tenant Administration > Connectors and tokens.

  • Sign in to your Jamf Admin portal.
  • Proceed to Settings > Global > Device Compliance.
  • Select Edit, and then enable the Platform macOS by checking the box.
  • In the Compliance Group drop-down, select the computer smart group you created for Compliance in the Computer Smart Groups section above.
  • In the Applicable Group drop-down, select the computer smart group you created for Applicable in the Computer Smart Groups section above.
  • Enable the Slider at the top right, and select Save.
  • Two Microsoft authentication prompts are then presented. Each requires a Microsoft 365 Global Administrator to authenticate:
    • The first authentication prompt creates the Cloud Connector for Device Compliance application in Microsoft Entra ID.
    • The second authentication prompt creates the User registration app for Device Compliance.
  • A new browser tab opens to a Jamf Portal page with a Configure Compliance Partner dialog; select the button labeled Open Microsoft Endpoint Manager.
  • A new browser tab opens the Microsoft Intune admin center.
  • Proceed to Tenant administration > Connectors and tokens > Partner compliance management.
  • At the top of the Partner compliance management page, select Add compliance partner.
  • In the Create Compliance Partner wizard:
    • Use the Compliance partner drop-down to select Jamf Device Compliance.
    • Use the Platform drop down to select macOS, and then select Next.
    • In Assignments, select Add Groups, and then select the Microsoft Entra user group created earlier. Do not select Add all users as this will inhibit the connection.
    • Select Next, and then Create.
  • In your browser, open the tab containing the Jamf Portal with the Configure Compliance Partner dialog.
  • Select the Confirm button.
  • Switch to the browser tab showing the Intune Partner compliance management dashboard and select the Refresh icon at the top next to the Add compliance Partner option.
  • Verify the macOS Jamf Device Compliance connector shows a Partner Status of Active.

End User Experience

Users must register their computers with Microsoft Entra ID for the computer’s compliance status to be sent to Entra ID. The following section describes the user registration experience.

  • From Self Service for macOS, the user runs the registration policy. This opens the Company Portal app.
  • The user enters their Microsoft credentials in the Company Portal app.
  • Workplace Join opens and creates the computer record in Microsoft Azure. If the computer is managed by Jamf Pro and compliant, a message displays stating that registration was successful.
  • Jamf Pro sends device compliance and other device information to Entra ID. After a successful registration, the device information can be found in Entra ID under All Devices, or under the user’s Devices list.

Verification

  • Launch Company Portal app on the Mac and verify it shows that the device is managed with “Jamf Device Compliance”.
  • The device is shown as a member of the Jamf computer smart group for Compliance. This membership indicates the device is compliant.
  • Open the Terminal application and execute the following command:
/usr/local/jamf/bin/jamfaad gatherAADInfo

If the command does not produce a prompt and instead returns AAD ID acquired for user $USER, the registration succeeded.

Conclusion
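As an added example (not part of the original post and not Jamf or Microsoft tooling), the following shell script checks on a single Mac the same signals the Compliance smart group above is built from (Company Portal installed, FileVault fully encrypted) together with the jamfaad registration check from this section, so an admin can see locally why a device would or would not land in the Compliance group. It assumes the Company Portal bundle lives at /Applications/Company Portal.app, assumes the wording of `fdesetup status` output, and leaves the Last Inventory Update criterion to Jamf Pro; all function names are this example’s own.

```shell
# Added example, not from the original post: a local check that mirrors the
# Compliance smart group criteria (Company Portal installed, FileVault fully
# encrypted) plus the jamfaad registration check. Last Inventory Update is
# only known to Jamf Pro, so it is not checked. Paths/strings are assumptions.
COMPANY_PORTAL="/Applications/Company Portal.app"   # assumed bundle path
JAMFAAD="/usr/local/jamf/bin/jamfaad"               # path used in the post

# A registered device reports an AAD ID for the user instead of prompting.
classify_aad_output() {
  case "$1" in
    *"AAD ID acquired for user "*) echo "registered" ;;
    *) echo "not-registered" ;;
  esac
}

# `fdesetup status` wording assumed; "encrypted" only when FileVault is on
# and no encryption or decryption pass is still running.
classify_filevault_output() {
  case "$1" in
    *"FileVault is On."*)
      case "$1" in
        *"in progress"*) echo "in-progress" ;;
        *) echo "encrypted" ;;
      esac ;;
    *) echo "off" ;;
  esac
}

# All three signals must hold, matching the smart group's "and" criteria.
compliance_verdict() {
  if [ "$1" = "present" ] && [ "$2" = "encrypted" ] && [ "$3" = "registered" ]; then
    echo "compliant"
  else
    echo "non-compliant"
  fi
}

# Gather live signals (each degrades gracefully off macOS) and print a verdict.
report_compliance() {
  local portal="missing" fv_out="" aad_out=""
  if [ -d "$COMPANY_PORTAL" ]; then portal="present"; fi
  if command -v fdesetup >/dev/null 2>&1; then fv_out="$(fdesetup status 2>/dev/null)"; fi
  # stdin from /dev/null so a sign-in prompt cannot block an unattended run
  if [ -x "$JAMFAAD" ]; then aad_out="$("$JAMFAAD" gatherAADInfo 2>/dev/null </dev/null)"; fi
  local fv; fv="$(classify_filevault_output "$fv_out")"
  local aad; aad="$(classify_aad_output "$aad_out")"
  echo "company_portal=$portal filevault=$fv entra_registration=$aad"
  compliance_verdict "$portal" "$fv" "$aad"
}

report_compliance
```

Run it with bash on a Mac after the user has completed registration; a device that prints non-compliant shows which of the three signals is missing on the line above the verdict.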

By integrating Jamf Pro with Microsoft Intune, organizations can achieve comprehensive device compliance across their macOS and Windows fleets. This powerful combination offers numerous benefits, including centralized management, consistent policies, enhanced security, reduced overhead, and improved user experience. By carefully planning and addressing potential challenges, organizations can successfully leverage this integration to optimize their device management strategies.

Categories: Intune, Jamf, macOS, Security

1 thought on “Jamf Pro + Intune: A Powerful Duo for Device Compliance”

  1. Hi Somesh, great post. Can you please include the section on creating the Conditional Access Policy? Also, is a Compliance Policy required?
