Creating a Policy Directing Users to Register Mac Computers with Azure Active Directory

You can create a policy in Jamf Pro that directs end users to initiate the device registration process by running the Company Portal app. Users must launch the Company Portal app from Jamf Self Service for macOS to register their Mac computers with Azure Active Directory (Azure AD) as a device managed by Jamf Pro.

Requirements

You must deploy the Company Portal App before registering computers with Azure Active Directory (Azure AD). For more information, see, Deploying the Company Portal App from Microsoft to End Users .

Important:

Prior to deploying the policy, Jamf recommends that you notify your end users that they will be prompted to take action.

You must exclude the User registration app for Device Compliance when creating the conditional access policy. Failing to exclude the User registration app for Device Compliance will prevent users from being able to register with Azure AD.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Create a new policy requiring users to register their Mac computer with Azure AD.
  4. Use the General payload to specify policy settings.
    Best Practice:

    For Execution Frequency, Jamf recommends that you select Once per computer. This prevents the policy from running multiple times on the same computer which can cause duplicate Azure AD records

  5. Configure the macOS Intune Integration payload.
  6. Click the Scope tab, and scope the policy to all targeted Mac computers.
  7. Click the Self Service tab and configure the policy to be made available in Jamf Self Service for macOS.
  8. (Optional) Include the policy in the Device Compliance category in Self Service.
  9. Click Save .
Jamf Pro prompts users to register their computers with Azure AD by opening the Company Portal app from Self Service.

The Company Portal app must be launched from Jamf Self Service to begin device registration. Launching the Company Portal app manually (e.g., from the Applications or Downloads folder) will not register the device. If an end user launches the Company Portal app manually, they will see an AccountNotOnboarded warning message.