Conditional Access

Microsoft Intune (via Conditional Access) allows organizations to ensure that only trusted users from compliant macOS computers, using approved applications, are accessing company resources.

Integrating Jamf Pro with Microsoft Intune allows you to do the following:

  • Share Jamf Pro computer inventory information with Microsoft Intune.

  • Enforce compliance policies defined in Microsoft Intune on computers managed by Jamf Pro.

  • Restrict access to applications set up with Azure Active Directory (Azure AD) authentication (e.g., Office 365).

  • Feature policies for users in the Compliance category in Jamf Self Service for macOS.

  • Create a policy registering user computers with Azure AD.

  • View the Conditional Access Inventory State for a computer in Jamf Pro.

There are two ways to connect Jamf Pro and Microsoft Intune:

  • Cloud Connector—(Jamf Cloud-hosted environments only) The Cloud Connector simplifies the process of configuring the communication between Jamf Pro and Microsoft Azure by automating the creation of the Jamf Pro application in Azure. In addition, the Cloud Connector allows you to connect multiple Jamf Pro instances to a single Azure AD tenant.

  • Manual connection

For step-by-step instructions on how to integrate with Microsoft Intune, including information on the workflows listed above, see the following technical paper:
Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro

General Requirements

To configure the Intune integration, you need:

  • (Manual connection only) The Jamf Pro application added in Microsoft Azure (For more information, see the Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro technical paper)

  • (Cloud Connector only) A Jamf Pro instance hosted in Jamf Cloud

  • A Jamf Pro user account with Conditional Access privileges

  • Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)

  • Microsoft Intune Company Portal app for macOS v1.1 or later

In addition, the macOS Intune Integration requires computers with macOS 10.11 or later that are using a local or mobile account. Network accounts are not supported for the macOS Intune Integration.

Note: When configuring the connection between Jamf Pro and Microsoft Intune, you must use the Microsoft Azure website (portal.azure.com) and not the Microsoft Azure portal desktop app.
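Before rolling the integration out, it is worth confirming the three client-side prerequisites above on a given Mac. The script below is an added example, not Jamf's or Microsoft's code: it checks the macOS version against 10.11, the Company Portal app version (read from the app's Info.plist) against 1.1, and whether the console user's account is local, mobile or network. The account classification is an assumption of this example: a record that is absent from the local directory node is treated as a network account, and a local record carrying an OriginalNodeName attribute is treated as a mobile (cached directory) account. The directory records embedded for testing are constructed samples.

```shell
#!/bin/sh
# Added example: pre-flight check for the macOS Intune Integration requirements
# (macOS 10.11+, Company Portal 1.1+, local or mobile account; network
# accounts are not supported). Not Jamf's code; thresholds come from the
# requirements list above.

# Return 0 when dotted version $1 is greater than or equal to $2.
# Components are compared numerically; missing components count as 0.
version_ge() {
  rest_a=$1
  rest_b=$2
  while [ -n "$rest_a" ] || [ -n "$rest_b" ]; do
    x=${rest_a%%.*}
    y=${rest_b%%.*}
    case $rest_a in *.*) rest_a=${rest_a#*.} ;; *) rest_a= ;; esac
    case $rest_b in *.*) rest_b=${rest_b#*.} ;; *) rest_b= ;; esac
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# Classify a user from the output of `dscl . -read /Users/<name>`.
# Assumption: no local record (empty input) means a network account, a local
# record with OriginalNodeName means a mobile account, anything else is local.
account_kind() {
  record=$1
  if [ -z "$record" ]; then
    echo network
  elif printf '%s\n' "$record" | grep -q '^OriginalNodeName:'; then
    echo mobile
  else
    echo local
  fi
}

# Evaluate the requirements for the given macOS version, Company Portal
# version (empty when the app is absent) and account kind.
# Prints one FAIL line per unmet requirement; returns 1 if any failed.
check_requirements() {
  os=$1
  portal=$2
  kind=$3
  ok=0
  version_ge "$os" 10.11 || { echo "FAIL: macOS $os is older than 10.11"; ok=1; }
  if [ -z "$portal" ]; then
    echo "FAIL: Company Portal app not installed"; ok=1
  elif ! version_ge "$portal" 1.1; then
    echo "FAIL: Company Portal $portal is older than 1.1"; ok=1
  fi
  case $kind in
    local|mobile) ;;
    *) echo "FAIL: account kind '$kind' is unsupported (local or mobile required)"; ok=1 ;;
  esac
  return $ok
}

# Gather live values on a Mac. sw_vers, defaults, stat -f and dscl are macOS
# tools, so this function refuses to run elsewhere.
collect_and_check() {
  [ "$(uname)" = Darwin ] || { echo "run this on the Mac being evaluated"; return 2; }
  os=$(sw_vers -productVersion)
  plist="/Applications/Company Portal.app/Contents/Info.plist"
  portal=
  if [ -f "$plist" ]; then
    portal=$(defaults read "$plist" CFBundleShortVersionString)
  fi
  user=$(stat -f %Su /dev/console)
  record=$(dscl . -read "/Users/$user" 2>/dev/null || true)
  check_requirements "$os" "$portal" "$(account_kind "$record")"
}

# Constructed sample directory records used to exercise account_kind.
SAMPLE_MOBILE_RECORD='RecordName: jdoe
OriginalNodeName: /Active Directory/CORP/corp.example.com
UniqueID: 1000001'
SAMPLE_LOCAL_RECORD='RecordName: admin
UniqueID: 501'

if [ "$(uname)" = Darwin ]; then
  collect_and_check
fi
```

Run on the Mac in question, the script exits 0 when all three requirements are met and prints one FAIL line per unmet requirement otherwise, which makes it usable as the body of a Jamf Pro extension attribute or a smart-group feeder.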

Manually Configuring the macOS Intune Integration

The Conditional Access settings allow you to set up the connection to Microsoft Intune in Jamf Pro. When the connection is saved, Jamf Pro shares computer inventory information with Microsoft Intune and applies compliance policies configured in Microsoft Intune to computers.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Conditional Access.

  5. Navigate to the macOS Intune Integration tab, and then click Edit.

  6. Select the Enable Intune Integration for macOS checkbox.

    Note: When this setting is selected, Jamf Pro sends inventory updates to Microsoft Intune. Deselect the checkbox if you want to disable the connection but save your configuration.

  7. (Cloud-hosted instances only) Select "Manual" under Connection Type.

    Note: This setting does not display for instances hosted on-premise.

  8. Select the location of your Sovereign Cloud from Microsoft.

  9. Click Open administrator consent URL and follow the onscreen prompts to allow the Jamf Native macOS Connector app to be added to your Azure AD tenant.

  10. Add the Azure AD Tenant Name from Microsoft Azure.

  11. Add the Application ID and Client Secret (previously called Application Key) for the Jamf Pro application from Microsoft Azure.

  12. Select one of the following landing page options for computers that are not recognized by Microsoft Azure:

    • The Default Jamf Pro Device Registration page

      Note: Depending on the state of the computer, this option redirects users to either the Jamf Pro device enrollment portal (to enroll with Jamf Pro) or the Company Portal app (to register with Azure AD).

    • The Access Denied page

    • A custom webpage

  13. Click Save. Jamf Pro tests the configuration and reports the success or failure of the connection.

When the connection between Jamf Pro and Microsoft Intune is successfully established, Jamf Pro sends inventory information to Microsoft Intune for each computer that has been registered with Azure AD (registering with Azure AD is an end user workflow). You can view the Conditional Access Inventory State (previously called Azure Active Directory ID information) for a user and a computer in the Local User Account category of a computer’s inventory information in Jamf Pro. For detailed information on Azure AD device registration and inventory information sent to Microsoft Intune, see the Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro technical paper.

Configuring the macOS Intune Integration using the Cloud Connector

The Cloud Connector simplifies the process of connecting a cloud-hosted Jamf Pro instance with Microsoft Intune by automating many of the steps needed to configure the macOS Intune Integration. When the connection is saved, Jamf Pro sends computer inventory information to Microsoft Intune and applies compliance policies to computers.

You can also use the Cloud Connector to connect multiple Jamf Pro instances to a single Azure AD tenant.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Conditional Access.

  5. Navigate to the macOS Intune Integration tab, and then click Edit.

  6. Select the Enable Intune Integration for macOS checkbox.

    Note: When this setting is selected, Jamf Pro sends inventory updates to Microsoft Intune. Deselect the checkbox if you want to disable the connection but save your configuration.

  7. (Cloud-hosted instances only) Select "Cloud Connector" under Connection Type.

    Note: This setting does not display for instances hosted on-premise.

  8. Select the location of your Sovereign Cloud from Microsoft.

  9. Select one of the following landing page options for computers that are not recognized by Microsoft Azure:

    • The Default Jamf Pro Device Registration page

      Note: Depending on the state of the computer, this option redirects users to either the Jamf Pro device enrollment portal (to enroll with Jamf Pro) or the Company Portal app (to register with Azure AD).

    • The Access Denied page

    • A custom webpage

  10. Click Connect. You are redirected to the application registration page in Microsoft.

  11. Enter your Microsoft Azure credentials and follow the onscreen instructions to grant the permissions requested by Microsoft.
    After permissions have been granted for the Cloud Connector and the Cloud Connector user registration app, you are redirected to the Application ID page.

  12. Click Copy and open Intune. A new tab opens to the Partner device management blade in Microsoft Azure.

  13. Paste the Application ID into the Specify the Azure Active Directory App ID for Jamf field.

  14. Click Save.

  15. Navigate back to the original tab and click Confirm. You are redirected back to Jamf Pro.
    Jamf Pro completes and tests the configuration. The success or failure of the connection displays on the Conditional Access settings page.

  16. (Optional) Repeat this process to connect additional Jamf Pro instances to the same Azure AD tenant.

When the connection between Jamf Pro and Microsoft Intune is successfully established, Jamf Pro sends inventory information to Microsoft Intune for each computer that is registered with Azure AD (registering with Azure AD is an end user workflow). You can view the Conditional Access Inventory State (previously called Azure Active Directory ID information) for a user and a computer in the Local User Account category of a computer’s inventory information in Jamf Pro. For detailed information on Azure AD device registration and inventory information sent to Microsoft Intune, see the Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro technical paper.

Testing the macOS Intune Integration

If you connected Jamf Pro to Microsoft Intune using the manual connection method, you can test the connection to Microsoft Intune at any time.

Note: This option does not display if you used the Cloud Connector to connect Jamf Pro to Microsoft Intune.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Conditional Access.

  5. Navigate to the macOS Intune Integration tab, and then click Run Test.

A message displays, reporting the success or failure of the connection.

Sending an Inventory Update to Intune

If you connected Jamf Pro to Microsoft Intune using the manual connection method, you can trigger an update of inventory to be sent to Microsoft Intune. This allows Jamf Pro to send computer inventory attributes to Microsoft Intune outside of the standard communication schedule.

Note: This option does not display if you used the Cloud Connector to connect Jamf Pro to Microsoft Intune.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Conditional Access.

  5. Navigate to the macOS Intune Integration tab, and then click Send Update.

A message displays, reporting the success or failure of the update.

Related Information

For related information, see the following sections in this guide:

  • Computer Inventory Information
    Find out more about the Conditional Access Inventory State displayed in the Local User Account category of a computer’s inventory information.

  • Computer History Information
    Find out how to view inventory data sent to Microsoft Intune for each username associated with a computer.

© copyright 2002-2020 Jamf. All rights reserved.