Device Compliance

Microsoft Endpoint Manager (via Device Compliance) allows organizations to ensure that only trusted users from compliant iOS and iPadOS devices can access company resources. Integrating Jamf Pro with Microsoft Endpoint Manager allows you to monitor and report on the compliance status of institutionally owned mobile devices in your environment.

Note: This integration is not available for personally owned devices.

For step-by-step instructions on how to integrate with Microsoft Endpoint Manager, see the Integrating with Microsoft Endpoint Manager to Enforce Compliance on Mobile Devices Managed by Jamf Pro technical paper.

Before configuring the integration, you should do the following:

  • Create a smart device group for the devices that should see the Register with Microsoft object in Jamf Self Service for iOS.

  • Create a smart device group for devices you want to monitor for compliance.

    Note: When creating the smart device group, add the criteria you want compliant devices to have. For example, you may want to include the following criteria:

    • iOS Version

    • Jailbreak Detected

    • Last Backup

    • Passcode Status

    For more information on creating smart device groups, see Smart Groups.
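The compliance smart group described above is essentially a set of per-device checks that every member must pass. The following is an added illustration, not Jamf Pro code and not the Jamf Pro API: it models a device inventory record as a small dataclass and evaluates the four example criteria (iOS Version, Jailbreak Detected, Last Backup, Passcode Status) the way a smart group would, returning the list of failed criteria per device. The minimum OS version, the maximum backup age and the fleet records are constructed sample values; an organization would set its own thresholds.

```python
"""Added example: evaluate constructed device records against compliance
criteria modeled on the smart group criteria discussed on this page.
This is not Jamf Pro code; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class MobileDevice:
    """Minimal stand-in for a mobile device inventory record (assumed shape)."""
    name: str
    os_version: str
    jailbroken: bool
    passcode_present: bool
    last_backup: Optional[date]  # None when the device has never backed up


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '14.0.1' into (14, 0, 1); return None for an unparseable string."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically, padding the shorter tuple with zeros.

    An unparseable actual version counts as failing the check: a record
    that cannot be evaluated should never be reported as compliant."""
    a, m = parse_version(actual), parse_version(minimum)
    if a is None or m is None:
        return False
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate(device: MobileDevice, min_os: str = "14.0",
             max_backup_age_days: int = 30,
             today: Optional[date] = None) -> List[str]:
    """Return the names of the criteria the device fails (empty == compliant).

    Criteria names mirror the four smart group criteria named on the page;
    the default thresholds are constructed example policy values."""
    today = today or date.today()
    failures = []
    if not version_at_least(device.os_version, min_os):
        failures.append("iOS Version")
    if device.jailbroken:
        failures.append("Jailbreak Detected")
    if not device.passcode_present:
        failures.append("Passcode Status")
    backup_too_old = (device.last_backup is None or
                      today - device.last_backup > timedelta(days=max_backup_age_days))
    if backup_too_old:
        failures.append("Last Backup")
    return failures


def compliant_devices(devices: List[MobileDevice], **policy) -> List[str]:
    """Names of the devices that would be members of the compliance group."""
    return [d.name for d in devices if not evaluate(d, **policy)]


# Constructed sample fleet; AS_OF pins 'today' so results are reproducible.
AS_OF = date(2020, 6, 1)
FLEET = [
    MobileDevice("ipad-1", "14.2", False, True, date(2020, 5, 20)),
    MobileDevice("iphone-2", "13.7", False, True, date(2020, 5, 25)),
    MobileDevice("iphone-3", "14.0.1", True, False, None),
    MobileDevice("ipad-4", "14.0", False, True, date(2020, 4, 1)),
]

if __name__ == "__main__":
    for device in FLEET:
        failed = evaluate(device, today=AS_OF)
        status = "compliant" if not failed else "noncompliant: " + ", ".join(failed)
        print(f"{device.name:10s} {status}")
    print("group members:", compliant_devices(FLEET, today=AS_OF))
```

The report lists why each device falls outside the group, which is the information an administrator needs when a user is blocked from company resources after registration: the compliance status Microsoft sees is only as good as the criteria chosen here, so an over-broad criterion (or a missing one, such as Jailbreak Detected) changes which devices are reported as trusted.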

Requirements

To configure the Microsoft Endpoint Manager integration with Jamf Pro, you need the following:

  • Jamf Pro 10.25.0 or later hosted in Jamf Cloud

  • A Jamf Pro user account with Conditional Access privileges

  • Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)

Devices you want to monitor for compliance must have the following:

  • iOS 11 or later, or iPadOS 13 or later

  • The Microsoft Authenticator app. Microsoft Authenticator is available from the App Store.

  • Jamf Self Service for iOS 10.10.3 or later (For more information, see Jamf Self Service for iOS.)

Procedure

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Device Compliance.

  5. Click Edit.

  6. Use the switch to enable the integration.

  7. Choose the location of your Sovereign Cloud from Microsoft.

  8. Choose the smart device group you want Jamf Pro to use to monitor device compliance.

  9. Choose the smart device group whose devices should see the Register with Microsoft object in Jamf Self Service for iOS.

    Note: Jamf Self Service and Microsoft Authenticator must both be installed on the device in order for the user to register with Microsoft.

  10. Click Connect. You are redirected to the application registration page in Microsoft.

  11. Enter your Azure AD credentials and follow the onscreen instructions to grant the permissions requested by Microsoft.
    After permissions have been granted for the Cloud Connector for Device Compliance app and the User registration app for Device Compliance, you are redirected to the Configure Compliance Partner page.

  12. Click Open Microsoft Endpoint Management. A new tab opens to the Partner compliance management blade in Microsoft Azure.

  13. Click Add compliance partner.

  14. Choose "Jamf Device Compliance" from the Compliance partner pop-up menu.

  15. Choose "iOS" from the Platform pop-up menu and click Next.

  16. Select "Selected Groups" from the Assign to pop-up menu.

    Important: Do not select "All users" from the Assign to pop-up menu. Selecting this option will prevent the integration from working.

  17. Click Select groups to include and select the Azure AD groups you want to use. For more information on creating groups in Azure AD, see the following documentation from Microsoft: Create a basic group and add members using Azure Active Directory.

  18. Click Select and then click Next.

  19. Review your configuration and then click Create.

  20. Navigate back to the previous tab and click Confirm.
    You are redirected back to Jamf Pro. Jamf Pro completes and tests the configuration. The success or failure of the connection displays on the Device Compliance settings page.

  21. (Optional) To connect additional Jamf Pro instances to the same Azure AD tenant, configure the Device Compliance settings for each instance and grant the requested permissions for the Cloud Connector for Device Compliance and the User registration app for Device Compliance. You do not need to add Jamf as a compliance partner again.

Once the connection is successfully enabled, Jamf Pro sends the compliance status to Microsoft for each mobile device that is registered with Azure AD (registering with Azure AD is an end-user workflow). You can view the compliance status of the device in Azure AD.
