Configuring the Microsoft Endpoint Manager Integration

You can configure a connection between Jamf Pro and Microsoft Endpoint Manager. This connection allows Jamf Pro to send the compliance status to Azure AD for each mobile device that is registered with Azure AD.

This integration allows you to connect multiple Jamf Pro instances to a single Azure AD tenant.

Note:

This integration is not available for personally owned devices.

Requirements

To configure the Microsoft Endpoint Manager integration with Jamf Pro, you need the following:

  • Jamf Pro 10.29.0 or later hosted in Jamf Cloud

  • A Jamf Pro user account with Conditional Access privileges

  • Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)

Devices you want to monitor for compliance must have the following:

  • iOS 11 or later, or iPadOS 13 or later

  • The Microsoft Authenticator app (available from the App Store)

  • Jamf Self Service for iOS 10.10.3 or later

  1. In Jamf Pro, create two smart device groups:
    • A smart device group that contains the devices you want to make the Register with Microsoft object available to in Jamf Self Service for iOS

    • A smart device group that contains the devices you want to monitor for compliance
      Best Practice:
      When creating the smart device group, add the criteria you want compliant devices to have. For example, you may want to include the following criteria:
      • iOS Version

      • Jailbreak Detected

      • Last Backup

      • Passcode Status

      Jamf recommends selecting Send email notification on membership change when creating the smart device group to be notified when a device falls out of compliance.

  2. In Jamf Pro, click Settings in the top-right corner of the page.
  3. In the Global Management section, click Device Compliance.
  4. Click Edit.
  5. Use the switch to enable the integration.
  6. Choose the location of your Sovereign Cloud from Microsoft.
  7. Choose the smart device group you want Jamf Pro to use to monitor device compliance.
  8. Choose the smart device group you want to make the Register with Microsoft object available to in Jamf Self Service for iOS.
    Note:

    Jamf Self Service and Microsoft Authenticator must both be installed on the device in order for the user to register with Microsoft.

  9. Select one of the following landing page options for devices that are not recognized by Microsoft Azure:
    • The default Jamf Pro Device Registration page

    • The Access Denied page

    • A custom webpage

  10. Click Connect.

    You are redirected to the application registration page in Microsoft.

  11. Enter your Azure AD credentials and follow the onscreen instructions to grant the permissions requested by Microsoft.

    After permissions have been granted for the Cloud Connector for Device Compliance app and the User registration app for Device Compliance, you are redirected to the Configure Compliance Partner page.

  12. Click Open Microsoft Endpoint Manager.

    A new tab opens to the Partner compliance management blade in Microsoft Azure.

  13. Click Add compliance partner.
  14. Choose Jamf Device Compliance from the Compliance partner pop-up menu.
  15. Choose iOS from the Platform pop-up menu and click Next.
  16. Choose Selected Groups from the Assign to pop-up menu.
    Important:

    Do not select All users from the Assign to pop-up menu. Selecting this option will prevent the integration from working.

  17. Click Select groups to include and select the Azure AD groups you want to use.

    For more information on creating groups in Azure AD, see the following documentation from Microsoft: Create a basic group and add members using Azure Active Directory.

  18. Click Select and then click Next.
  19. Review your configuration and then click Create.
  20. Navigate back to the previous tab and click Confirm.

    You are redirected back to Jamf Pro. Jamf Pro completes and tests the configuration. The success or failure of the connection displays on the Device Compliance settings page.

  21. (Optional) To connect additional Jamf Pro instances to the same Azure AD tenant, configure the Device Compliance settings for each instance and grant the requested permissions for the Cloud Connector for Device Compliance and the User registration app for Device Compliance. You do not need to add Jamf as a compliance partner again.
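Step 1 of the procedure above can be scripted instead of clicked through. The following is an added example written for this page, not Jamf's own code: it builds the compliance smart device group (with the criteria the best practice lists) as the XML the Jamf Pro Classic API expects, reads the definition back for review, and evaluates the same criteria locally against a constructed inventory record so you can see why a device would drop out of the group. The endpoints (/api/v1/auth/token and /JSSResource/mobiledevicegroups/id/0), the search_type strings and the values "No" and "Present" are assumptions based on the smart group editor, not taken from the page; the thresholds (15.0, 7 days) are example values.

```python
"""Build the step 1 compliance smart device group via the Jamf Pro Classic API and
pre-check an inventory record against the same criteria.

Added example for this page, not Jamf's own code. Assumed rather than taken from the page:
the Classic API endpoint /JSSResource/mobiledevicegroups/id/0, the Jamf Pro API token
endpoint /api/v1/auth/token, and the search_type strings and values ("No", "Present")
that the smart group editor uses for the criteria the page names.
"""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

# (criterion name, search type, value); each row is ANDed with the previous one.
# The criterion names are the ones the page lists; the thresholds are example values.
COMPLIANCE_CRITERIA = [
    ("iOS Version", "greater than or equal", "15.0"),
    ("Jailbreak Detected", "is", "No"),
    ("Passcode Status", "is", "Present"),
    ("Last Backup", "less than x days ago", "7"),
]


def build_smart_group_xml(name, criteria):
    """Serialise a smart mobile device group definition for the Classic API."""
    group = ET.Element("mobile_device_group")
    ET.SubElement(group, "name").text = name
    ET.SubElement(group, "is_smart").text = "true"
    crit_root = ET.SubElement(group, "criteria")
    for priority, (cname, search_type, value) in enumerate(criteria):
        c = ET.SubElement(crit_root, "criterion")
        ET.SubElement(c, "name").text = cname
        ET.SubElement(c, "priority").text = str(priority)
        ET.SubElement(c, "and_or").text = "and"
        ET.SubElement(c, "search_type").text = search_type
        ET.SubElement(c, "value").text = value
    return ET.tostring(group, encoding="utf-8", xml_declaration=True)


def parse_criteria(xml_bytes):
    """Read the criteria back out of a group definition, for review before posting."""
    root = ET.fromstring(xml_bytes)
    return [(c.findtext("name"), c.findtext("search_type"), c.findtext("value"))
            for c in root.iter("criterion")]


def _version_key(version):
    return tuple(int(part) for part in version.split("."))


def failing_criteria(device, criteria):
    """Evaluate the same criteria locally against an inventory record.

    The record keys are this example's own: ios_version (str), jailbroken (bool),
    passcode_set (bool), days_since_backup (int). Returns the names of the criteria
    the device fails, i.e. why it would leave the group and be reported non-compliant.
    """
    failed = []
    for cname, search_type, value in criteria:
        if cname == "iOS Version" and search_type == "greater than or equal":
            ok = _version_key(device["ios_version"]) >= _version_key(value)
        elif cname == "Jailbreak Detected" and search_type == "is":
            ok = device["jailbroken"] == (value == "Yes")
        elif cname == "Passcode Status" and search_type == "is":
            ok = device["passcode_set"] == (value == "Present")
        elif cname == "Last Backup" and search_type == "less than x days ago":
            ok = device["days_since_backup"] < int(value)
        else:
            raise ValueError(f"unsupported criterion: {cname!r} {search_type!r}")
        if not ok:
            failed.append(cname)
    return failed


def get_token(base_url, username, password):
    """Exchange API credentials for a bearer token (assumed Jamf Pro API endpoint)."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {basic}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def create_group(base_url, token, xml_bytes):
    """POST the definition; id/0 lets Jamf Pro assign the next free ID, which is returned."""
    req = urllib.request.Request(f"{base_url}/JSSResource/mobiledevicegroups/id/0", data=xml_bytes,
                                 method="POST", headers={"Authorization": f"Bearer {token}",
                                                         "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return int(ET.fromstring(resp.read()).findtext("id"))


if __name__ == "__main__":
    xml_bytes = build_smart_group_xml("Compliance - monitored iOS devices", COMPLIANCE_CRITERIA)
    print(xml_bytes.decode())
    sample = {"ios_version": "14.8", "jailbroken": False, "passcode_set": False, "days_since_backup": 2}
    print("would fail:", failing_criteria(sample, COMPLIANCE_CRITERIA))
    # Live run (assumed endpoints; the account needs the smart group privileges):
    # token = get_token("https://example.jamfcloud.com", "apiuser", "secret")
    # print("created group", create_group("https://example.jamfcloud.com", token, xml_bytes))
```

The "Send email notification on membership change" option from the best practice is left to the web UI; the API call above only creates the group and its criteria. Run the script without the live lines to inspect the XML first, then post it with an API account scoped to mobile device smart group privileges rather than the Conditional Access account used for the integration itself.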

Once the connection is successfully enabled, Jamf Pro sends the compliance status to Microsoft for each mobile device that is registered with Azure AD (registering with Azure AD is an end-user workflow; a device whose user has not completed it has no compliance status). You can view the compliance status of the device in Azure AD.
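To see what Jamf Pro has reported without clicking through the portal, the compliance state can be read back from Azure AD with Microsoft Graph. The following is an added example, not code from Jamf or Microsoft: it assumes the Graph v1.0 `devices` resource, whose `isCompliant` and `isManaged` properties are what a compliance partner updates, and a bearer token obtained separately (an app registration with `Device.Read.All`). The device records in `SAMPLE_DEVICES` are constructed so the classification runs offline. The point it adds beyond the text: `isCompliant` is `null` for a device no partner has reported on (typically because the user never ran Register with Microsoft), and a Conditional Access policy that requires a compliant device blocks that case just as it blocks `false`.

```python
"""Read back from Azure AD the compliance state that Jamf Pro reports.

Added example, not from the Jamf documentation. It assumes the Microsoft Graph v1.0
`devices` resource, whose isCompliant and isManaged properties are the ones a
compliance partner updates, and a bearer token obtained elsewhere (an app registration
with Device.Read.All). SAMPLE_DEVICES is a constructed response, not real data.
"""
import json
import urllib.request

GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/devices"
SELECT = ("id,deviceId,displayName,operatingSystem,operatingSystemVersion,"
          "isCompliant,isManaged,approximateLastSignInDateTime")
MOBILE_OS = ("iOS", "iPadOS")

# Constructed sample of the "value" array of one /devices page (GUIDs are placeholders).
SAMPLE_DEVICES = [
    {"deviceId": "11111111-1111-4111-8111-111111111111", "displayName": "iPhone-alice",
     "operatingSystem": "iOS", "operatingSystemVersion": "16.2",
     "isCompliant": True, "isManaged": True},
    {"deviceId": "22222222-2222-4222-8222-222222222222", "displayName": "iPad-bob",
     "operatingSystem": "iPadOS", "operatingSystemVersion": "15.1",
     "isCompliant": False, "isManaged": True},
    # Registered with Azure AD but never reported by a compliance partner.
    {"deviceId": "33333333-3333-4333-8333-333333333333", "displayName": "iPhone-carol",
     "operatingSystem": "iOS", "operatingSystemVersion": "16.0",
     "isCompliant": None, "isManaged": None},
    {"deviceId": "44444444-4444-4444-8444-444444444444", "displayName": "DESKTOP-DAVE",
     "operatingSystem": "Windows", "operatingSystemVersion": "10.0.19045",
     "isCompliant": True, "isManaged": True},
]


def fetch_devices(token, select=SELECT):
    """Page through /devices, following @odata.nextLink. Network call, not exercised here."""
    url = f"{GRAPH_DEVICES}?$select={select}"
    devices = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def classify(devices, operating_systems=MOBILE_OS):
    """Bucket devices by the state Jamf Pro has (or has not) reported for them.

    isCompliant is true/false once a compliance partner has reported the device and
    null (None) when nothing has, e.g. the user never ran Register with Microsoft in
    Self Service. Conditional Access treats null like false, so "unreported" is the
    list to chase when users complain about being blocked.
    """
    buckets = {"compliant": [], "noncompliant": [], "unreported": []}
    for d in devices:
        if d.get("operatingSystem") not in operating_systems:
            continue
        state = d.get("isCompliant")
        key = "compliant" if state is True else "noncompliant" if state is False else "unreported"
        buckets[key].append(d.get("displayName"))
    return buckets


if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_DEVICES).items():
        print(f"{bucket:13s} {names}")
    # Live: print(classify(fetch_devices(token="<bearer token from your app registration>")))
```

Compare the "noncompliant" and "unreported" names against the membership of the two smart device groups from step 1: a device in the registration group but not in the compliance group should show up as `false`, and a device in neither, or whose user skipped the Register with Microsoft step, shows up as `null`.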