Integrating Jamf Pro with Microsoft Endpoint Manager allows you to monitor and report on the compliance status of institutionally owned mobile devices in your environment.

Before configuring the integration, you should do the following:

• Create a smart device group for devices you want to make the Register with Microsoft object available to in Jamf Self Service for iOS.

• Create a smart device group for devices you want to monitor for compliance.

  Note: When creating the smart device group, add the criteria you want compliant devices to have. For example, you may want to include the following criteria:

  • iOS Version

  • Jailbreak Detected

  • Last Backup

  • Passcode Status

  It is recommended that you select Send email notification on membership change when creating the smart device group so that you are notified when a device falls out of compliance.

  For more information on creating smart device groups, see Smart Groups in the Jamf Pro Administrator's Guide.

1. Log in to Jamf Pro.

2. In the top-right corner of the page, click Settings .

3. Click Global Management.

4. Click Device Compliance .

5. Click Edit.

6. Use the switch to enable the integration.

7. Choose the location of your Sovereign Cloud from Microsoft.

8. Choose the smart device group you want Jamf Pro to use to monitor device compliance.

9. Choose the smart device group you want to make the Register with Microsoft object available to in Jamf Self Service for iOS.

   Note: Jamf Self Service and Microsoft Authenticator must both be installed on the device in order for the user to register with Azure AD.

10. Click Connect. You are redirected to the application registration page in Microsoft.

11. Enter your Azure AD credentials and follow the onscreen instructions to grant the permissions requested by Microsoft.
    After permissions have been granted for the Cloud Connector for Device Compliance app and the User registration app for Device Compliance, you are redirected to the Configure Compliance Partner page.

12. Click Open Microsoft Endpoint Management. A new tab opens to the Partner compliance management blade in Microsoft Azure.

13. Click Add compliance partner.

14. Choose "Jamf Device Compliance" from the Compliance partner pop-up menu.

15. Choose "iOS" from the Platform pop-up menu and click Next.

16. Choose "Selected Groups" from the Assign to pop-up menu.

    Important: Do not select "All users" from the Assign to pop-up menu. Selecting this option will prevent the integration from working.

17. Click Select groups to include and select the Azure AD groups you want to use. For more information on creating groups in Azure AD, see the following documentation from Microsoft: Create a basic group and add members using Azure Active Directory.

18. Click Select and then click Next.

19. Review your configuration and then click Create.

20. Navigate back to the previous tab and click Confirm. You are redirected back to Jamf Pro. Jamf Pro completes and tests the configuration. The success or failure of the connection displays on the Device Compliance settings page.

21. (Optional) To connect additional Jamf Pro instances to the same Azure AD tenant, configure the Device Compliance settings for each instance and grant the requested permissions for the Cloud Connector for Device Compliance and the User registration app for Device Compliance. You do not need to add Jamf as a compliance partner again.

Once the connection is successfully enabled, Jamf Pro sends the compliance status to Azure AD for each mobile device that is registered with Azure AD. You can view the compliance status of the device in Azure AD.