Enforce compliance on Macs managed with Jamf Pro
Important
Jamf macOS device support for Conditional Access is being deprecated.
Beginning on September 1, 2024, the platform that Jamf Pro's Conditional Access feature is built on will no longer be supported.
If you use Jamf Pro's Conditional Access integration for macOS devices, follow Jamf's documented guidelines to migrate your devices to Device Compliance integration at Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.
If you need help, contact Jamf Customer Success. For more information, see the blog post at https://aka.ms/Intune/Jamf-Device-Compliance.
Tip
For guidance for integrating Jamf Pro with Intune and Microsoft Entra ID, including how to configure Jamf Pro to deploy the Intune Company Portal app to devices you manage with Jamf Pro, see Integrate Jamf Pro with Intune to report compliance to Microsoft Entra ID.
After you integrate Jamf Pro with Intune, configure Intune compliance policies and Microsoft Entra Conditional Access policies to enforce compliance of macOS devices with your organizational requirements.
This article can help you with the following tasks:
- Create Conditional Access policies.
- Configure Jamf Pro to deploy the Intune Company Portal app to devices you manage with Jamf.
- Configure devices to register with Microsoft Entra ID when the device user signs in to the Company Portal app they start from within the Jamf Self Service app. Device registration establishes an identity in Microsoft Entra ID that allows the device to be evaluated by Conditional Access policies for access to company resources.
The procedures in this article require access to both the Intune and Jamf Pro consoles. Intune supports two methods to integrate Jamf Pro, which you configure separately from the procedures in this article:
- Recommended - Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
- Manually configure integration of Jamf Pro with Intune
After integration is configured, device users learn about Jamf Pro and Intune integration through either a communication from your IT department about how to register a device, or by discovering the Intune Company Portal app that you deploy through Jamf Pro Self Service. After device registration completes, inventory data collected by Jamf Pro for that device is shared with Intune. Information is shared for only those Mac devices that have completed.
Set up device compliance policies in Intune
Sign in to the Microsoft Intune admin center.
Go to Devices > Compliance. If you're using a previously created policy, select that policy, and then go to the next step of this procedure. To create a new policy, select Create Policy and then specify details for a policy with a Platform of macOS. Configure Settings and Actions for noncompliance to meet your organizational requirements, and then select Create to save the policy.
Select Properties.
Go to Assignments > Edit. Use the available options to configure which Microsoft Entra users and security groups receive this policy. Jamf integration with Intune doesn't support compliance policy that targets device groups.
Note
Jamf integration with Intune only supports Microsoft Entra user groups. Device compliance policies that are targeted to device groups will not apply.
When you select Save, the policy deploys to the users.
Policies you deploy target the devices that are used by the assigned users. Those devices are evaluated for compliance. Compliant devices are marked as compliant for the setting "Require device to be marked as compliant" in Microsoft Entra ID.
Note
Intune requires full disk encryption to be compliant.
Deploy the Company Portal app for macOS in Jamf Pro
Create a policy in Jamf Pro to deploy the Intune Company Portal. This policy deploys the company portal app so that it's available in Jamf Self Service. Create this policy before you create policy in Jamf Pro for users to register devices with Microsoft Entra ID.
To complete the following procedure, you need access to a macOS device and the Jamf Pro portal.
To deploy the company portal app
On a macOS device, download but don't install the current version of the Company Portal app for macOS. You only need a copy of the app so you can upload the app to Jamf Pro.
Open Jamf Pro and go to Computer management > Packages.
Create a new package with the Company Portal app for macOS, then select Save.
Open Computers > Policies, then select New.
Use the General payload to configure settings for the policy. These settings should be:
- Trigger: select Enrollment Complete and Recurring Check-in
- Execution Frequency: select Once per computer
Select the Packages payload and select Configure.
Select Add to select the package with the Company Portal app.
Select Install from the Action pop-up menu.
Configure the settings for the package.
Select the Scope tab to specify on which computers the Company Portal app should install. Select Save. The policy runs on scoped devices the next time the selected trigger occurs on the computer and the criteria in the General payload is met.
Create a policy in Jamf Pro to have users register their devices with Microsoft Entra ID
After you deploy the Company Portal for macOS through Jamf Pro Self-Service, you can create the Jamf Pro policy that registers a user's device with Microsoft Entra ID.
Device registration requires a device user to manually select the Intune Company Portal app from within Jamf Self Service. We recommend you contact your end users through email, Jamf Pro notifications, or any other method your organization uses to direct them to complete this action to get their devices registered.
Warning
Launching the Company Portal app manually (such as from the Applications or Downloads folders) won't register the device. If device user launches the Company Portal manually, they'll see a warning, 'AccountNotOnboarded'.
To create the registration policy
In Jamf Pro, go to Computers > Policies, and then create a new policy for device registration.
Configure the Microsoft Intune Integration payload, including the trigger and execution frequency.
Select the Scope tab, and then scope the policy to all targeted devices.
Select the Self Service tab to make the policy available in Jamf Self Service. Include the policy in the Device Compliance category. Select Save.
Validate Intune and Jamf integration
Use the Jamf Pro console to confirm that communication between Jamf Pro and Microsoft Intune is successful.
- In Jamf Pro, go to Settings > Global Management > Microsoft Intune Integration, and then select Test.
The console displays a message with the success or failure of the connection. Should the connection test from the Jamf Pro console fail, review the Jamf configuration.
Removing a Jamf-managed device from Intune
To remove a Jamf-managed device, open the Microsoft Intune admin center, and select Devices > All devices, select the device, and then select Delete. Bulk device deletion can be enabled by selecting multiple devices and clicking Delete.
Get information on how to remove a Jamf-managed device in the Jamf Pro docs. You can also file a support ticket with Jamf support for more help.