Troubleshooting Microsoft Azure Login Using JamfAAD
The JamfAAD integrates Jamf Pro 10.17.0 or later with Microsoft Azure to grant conditional access, which allows you to use the JamfAAD (Azure Active Directory) to troubleshoot login issues with Microsoft Azure.
-
If users are marked as unresponsive in Azure Active Directory (Azure AD) and there are network issues, you can configure the JamfAAD to recheck for a valid token at check-in.
-
If you think users may be connecting to the wrong server or using an incorrect email address, you can enable additional JamfAAD logging.
For more information on how to troubleshoot pre-fill authentication, see the Troubleshooting the JamfAAD Pre-fill Authentication Issue article.
Configure the JamfAAD Check-in
To resolve issues with users in an unresponsive state or network issues, you can configure the JamfAAD to recheck for a valid Azure AD token at check-in by using the tokenRetryCount and tokenRetryWaitTime preferences. By default, tokenRetryCount is set to zero retries and tokenRetryWaitTime is set to five seconds.
-
Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
-
Run a script using a policy with the execution frequency of "Once per user per computer".
- PLIST Example
-
To configure JamfAAD check-in by deploying a PLIST file, use the following example:
- Script Example
-
To configure JamfAAD check-in by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:
Enabling Additional JamfAAD Logging
logPII preferences key to log additional personally identifiable information from the Azure login process. Personally and organizationally identifiable information is only logged on the computer's local log system— it is not sent to the Jamf Pro server. The log will report the following information:-
userID—Email address used to log in
-
Authority host—Server the user was redirected to for sign in
-
Token number
-
Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
-
Run a script using a policy with the execution frequency of "Once per user per computer".
- PLIST Example
- To enable JamfAAD logging by deploying a PLIST file, use the following example:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key><key>logPII</key></key> </true> </dict> </plist>When configuring the Custom Settings payload, enter the following in the Preference Domain field:com.jamf.management.jamfAAD
For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.
- Script Example
- To enable JamfAAD logging by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:
#!/bin/sh defaults write com.jamf.management.jamfAAD logPII -bool trueIf you want to disable JamfAAD logging, you can use the following script:#!/bin/sh defaults delete com.jamf.management.jamfAAD logPII
Additional Information
-
Integrating with Microsoft Intune in the Jamf Pro Administrator's Guide.
-
Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro technical paper.