Manually Configure the Connection Between Jamf Pro and Microsoft Intune
Manually configuring the connection between Jamf Pro and Microsoft Intune involves the following steps:
- Create a new application for Jamf Pro in Microsoft Azure.
- Configure Microsoft Intune to allow the Jamf Pro integration.
- Configure the macOS Intune Integration setting in Jamf Pro.
Important: Do not use the manual connection method to connect multiple Jamf Pro instances to a single Azure AD tenant, and do not use the manual connection method together with the Cloud Connector. Either configuration will prevent the Intune Integration from working correctly.
Note: When configuring the connection between Jamf Pro and Microsoft Intune, you must use the Microsoft Azure website (portal.azure.com) and not the Microsoft Azure portal desktop app.
Note: Microsoft has changed the permissions its API backend requires, and the Jamf integration app's permissions must be updated to match. Refer to the Microsoft Intune team's Support Tip: Intune service discovery API endpoint will require specific permissions for details.
The permission requirements for the Jamf integration enterprise apps were defined in collaboration with Microsoft.
Step 1: Create a new application for Jamf Pro in Microsoft Azure
- Open Azure Active Directory, and navigate to App registrations.
- Click New registration.
- Enter a display name for the Jamf Pro application.
- Under Supported account types, select which accounts can use the application.
- Specify your Jamf Pro URL as the Redirect URI.
- Click Register.
- Select the newly created application, copy the value from the Application (client) ID field, and paste it to another location.
  Note: The Application ID is required to configure the Compliance Connector in Intune and to configure the macOS Intune Integration setting in Jamf Pro.
- Navigate to Certificates & secrets, and click New client secret.
- Give the client secret a description and select an expiration option. After the secret is added, copy the secret from the Value column (not the Secret ID) and paste it to another location.
  Important: The client secret value is required to configure the macOS Intune Integration setting in Jamf Pro, and it is shown only once, immediately after the secret is added. Treat it as a credential: together with the Application ID it allows anyone who holds it to call the APIs granted below without a signed-in user, so keep it in a secrets manager rather than in a ticket or chat message. If the client secret expires, add a new client secret in Microsoft Azure, and then update your macOS Intune Integration configuration in Jamf Pro. Microsoft Azure allows the old and new secrets to be active at the same time, so add the new secret before the old one expires to avoid a service disruption, and delete the old secret once Jamf Pro is using the new one.
- Navigate to API permissions.
- Remove all permissions, including the default permissions. (A new registration is created with the delegated User.Read permission on Microsoft Graph; the integration does not need it.)
- Click Add a permission, and then click APIs my organization uses. Search for and click Microsoft Intune API, click Application permissions, select update_device_attributes, and then click Add permissions.
- Click Add a permission, and then click Microsoft Graph. Click Application permissions, select Application.Read.All, and then click Add permissions.
- Click Add a permission, and then click APIs my organization uses. Search for and click Windows Azure Active Directory (the legacy Azure AD Graph API), click Application permissions, select Application.Read.All, and then click Add permissions.
- Click the Grant admin consent for your organization button, and then click Yes.
  Note: These are application permissions: admin consent grants them tenant-wide, and the app uses them without a signed-in user. The three permissions above are all the integration requires; do not grant more.
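As an added check that is not part of Jamf's documentation or of any Jamf or Microsoft code, the following Python script audits the app registration produced by Step 1: it resolves the registration's permission GUIDs to permission names using the resource service principals, compares the result with the three application permissions the procedure requires, and lists client secrets that are expired or about to expire. It assumes the JSON shapes Microsoft Graph returns for application and service principal objects. The sample data is constructed; its role and scope GUIDs are placeholders, and the Microsoft Intune API appId is assumed rather than read from a tenant.

```python
# Added example (not Jamf's or Microsoft's code): audit the Jamf Pro app registration
# created in Step 1 for least privilege and for client secrets that are about to expire.
# Input follows the JSON shapes Microsoft Graph returns for GET /applications/{id}
# (requiredResourceAccess, passwordCredentials) and for the resource service principals,
# GET /servicePrincipals?$filter=appId eq '...' (appRoles, oauth2PermissionScopes).
# The sample data is constructed; the role/scope GUIDs are placeholders and the real
# ones must be read from your own tenant's service principals.
from datetime import datetime, timedelta, timezone

# Resource appIds. Microsoft Graph and the legacy Azure AD Graph ("Windows Azure Active
# Directory") are the same in every tenant; the Intune API id is assumed here, so
# verify it against the value displayed in your tenant.
GRAPH = "00000003-0000-0000-c000-000000000000"
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
INTUNE_API = "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4"

# The least-privilege set Step 1 prescribes: application (Role) permissions only.
EXPECTED = {
    INTUNE_API: {"update_device_attributes"},
    GRAPH: {"Application.Read.All"},
    AAD_GRAPH: {"Application.Read.All"},
}


def resolve_permissions(app, resource_sps):
    """Translate the GUIDs in requiredResourceAccess into (resourceAppId, name, type)
    tuples, using each resource service principal's appRoles (type "Role") and
    oauth2PermissionScopes (type "Scope") as the lookup table."""
    resolved = set()
    for rra in app.get("requiredResourceAccess", []):
        sp = resource_sps.get(rra["resourceAppId"], {})
        roles = {r["id"]: r["value"] for r in sp.get("appRoles", [])}
        scopes = {s["id"]: s["value"] for s in sp.get("oauth2PermissionScopes", [])}
        for access in rra.get("resourceAccess", []):
            table = roles if access["type"] == "Role" else scopes
            name = table.get(access["id"], "unknown:" + access["id"])
            resolved.add((rra["resourceAppId"], name, access["type"]))
    return resolved


def audit_permissions(app, resource_sps, expected=EXPECTED):
    """Report permissions missing from, or present beyond, the expected set.
    A leftover default delegated scope (User.Read), or Application.Read.All requested
    as a delegated Scope instead of an application Role, both show up as extra
    because the tuple includes the permission type."""
    want = {(res, name, "Role") for res, names in expected.items() for name in names}
    have = resolve_permissions(app, resource_sps)
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


def secrets_expiring(app, within_days=30, now=None):
    """Return (displayName, already_expired) for each client secret that has expired
    or expires within within_days. Graph returns endDateTime as ISO 8601 with a Z."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=within_days)
    found = []
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= horizon:
            found.append((cred.get("displayName", ""), end <= now))
    return found


# Constructed sample: the registration as it looks after Step 1 if the default delegated
# User.Read on Microsoft Graph was never removed and the first secret is about to lapse.
R_INTUNE, R_GRAPH, S_USERREAD, R_AAD = (
    "00000000-0000-0000-0000-00000000000%d" % i for i in (1, 2, 3, 4))
SAMPLE_SPS = {
    INTUNE_API: {"appRoles": [{"id": R_INTUNE, "value": "update_device_attributes"}],
                 "oauth2PermissionScopes": []},
    GRAPH: {"appRoles": [{"id": R_GRAPH, "value": "Application.Read.All"}],
            "oauth2PermissionScopes": [{"id": S_USERREAD, "value": "User.Read"}]},
    AAD_GRAPH: {"appRoles": [{"id": R_AAD, "value": "Application.Read.All"}],
                "oauth2PermissionScopes": []},
}
SAMPLE_APP = {
    "displayName": "Jamf Pro",
    "requiredResourceAccess": [
        {"resourceAppId": INTUNE_API, "resourceAccess": [{"id": R_INTUNE, "type": "Role"}]},
        {"resourceAppId": GRAPH, "resourceAccess": [{"id": R_GRAPH, "type": "Role"},
                                                    {"id": S_USERREAD, "type": "Scope"}]},
        {"resourceAppId": AAD_GRAPH, "resourceAccess": [{"id": R_AAD, "type": "Role"}]},
    ],
    "passwordCredentials": [
        {"displayName": "jamf-2023", "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "jamf-2024", "endDateTime": "2025-12-31T00:00:00Z"},
    ],
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=31)

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_APP, SAMPLE_SPS))
    print(secrets_expiring(SAMPLE_APP, now=SAMPLE_NOW))
```

With live data, feed it the object returned by GET /v1.0/applications/{objectId} and the service principal objects for the three resource appIds. On the sample, the audit reports nothing missing and one extra entry, the delegated User.Read that the procedure tells you to remove, and the secret check names the secret that expires within 30 days, which is the point at which to add its replacement in Azure and update the macOS Intune Integration setting in Jamf Pro before deleting the old one.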
Step 2: Configure Microsoft Intune to allow the Jamf Pro integration
- In the Microsoft Azure portal, navigate to Microsoft Intune > Device Compliance > Partner device management.
- Enable the Compliance Connector for Jamf by pasting the value you copied from the Application (client) ID field into the Jamf Azure Active Directory App ID field.
- Click Save.
Step 3: Configure the macOS Intune Integration setting in Jamf Pro
- In Jamf Pro, navigate to Settings > Global Management.
- Click Conditional Access.
- Navigate to the macOS Intune Integration tab, and then click Edit.
- Select the Enable Intune Integration for macOS checkbox.
  When this setting is enabled, Jamf Pro sends inventory updates to Microsoft Intune. Clear the selection if you want to disable the connection but keep your configuration.
- (Cloud-hosted instances only) Select Manual under Connection Type.
  Note: This setting is not displayed for instances hosted on-premises.
- From the Sovereign Cloud pop-up menu, select the location of your Sovereign Cloud from Microsoft.
- Click Open administrator consent URL, and follow the onscreen instructions to allow the Jamf Native macOS Connector app to be added to your Azure AD tenant.
- Enter the Azure AD Tenant Name from Microsoft Azure.
- Enter the Application ID and Client Secret (previously called Application Key) for the Jamf Pro application from Microsoft Azure.
- Select one of the following landing page options for computers that are not recognized by Microsoft Azure:
  - The Default Jamf Pro Device Registration page
    Note: Depending on the state of the computer, this option redirects users to either the Jamf Pro device enrollment portal (to enroll with Jamf Pro) or the Company Portal app (to register with Azure AD).
  - The Access Denied page
  - A custom webpage
- Click Save.
Jamf Pro tests the configuration and reports whether the connection succeeded or failed.