MSEndpointMgr

Integrating Jamf Pro with Intune for Compliance – Part 2

In Part 1 we integrated Jamf Pro with Intune and Azure AD. Now we need to deploy the Intune Company Portal app to our users and create a policy that lets end users register their devices in Azure Active Directory. This post covers the following:

  1. Deploy Intune Company portal to macOS devices
  2. Create and deploy the device registration policy

Deploy Company Portal

Step 1: Download the required files

First we need to download the Company Portal installer from this page: https://go.microsoft.com/fwlink/?linkid=862280 so that we can upload it to Jamf Pro for deployment. Since anything uploaded here will be installed fleet-wide, check the package's code signature before you upload it. I also recommend that you deploy Microsoft AutoUpdate (MAU) to your devices if you have not done so already, so that your Microsoft applications stay up to date. It can be found here: https://docs.microsoft.com/en-us/officeupdates/release-history-microsoft-autoupdate
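The signature check, as an added example that is not part of the original post: on a Mac, pkgutil --check-signature prints the signing status and certificate chain of a .pkg; the function below accepts the package only when the status says it was signed with an Apple-issued developer certificate and the leaf certificate is Microsoft's Developer ID Installer identity (Team ID UBF8T346G9). The sample outputs are constructed in the layout pkgutil uses so the logic can be exercised without the file or macOS; the package file name in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): gate a downloaded installer on
# its code signature before uploading it to Jamf Pro for fleet-wide install.
# EXPECTED_SIGNER is Microsoft's Developer ID Installer identity; the Status
# wording is what `pkgutil --check-signature` prints for a Developer ID-signed
# package.
EXPECTED_SIGNER='Developer ID Installer: Microsoft Corporation (UBF8T346G9)'

# Read `pkgutil --check-signature` output on stdin. Succeed only if the
# package is signed with an Apple-issued developer certificate and the leaf
# certificate (entry 1 of the chain) is the expected signer.
check_pkg_signature_output() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
  printf '%s\n' "$out" | grep -Fq "1. $EXPECTED_SIGNER" || return 1
}

# Run the real check against a file (macOS only; pkgutil does not exist elsewhere).
verify_pkg() {
  pkgutil --check-signature "$1" | check_pkg_signature_output
}

# Constructed sample outputs (file name is a placeholder) to show the check offline.
SAMPLE_GOOD='Package "CompanyPortal-Installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_BAD='Package "CompanyPortal-Installer.pkg":
   Status: no signature'

if printf '%s\n' "$SAMPLE_GOOD" | check_pkg_signature_output; then
  echo "sample good: accepted"
else
  echo "sample good: REJECTED"
fi
if printf '%s\n' "$SAMPLE_BAD" | check_pkg_signature_output; then
  echo "sample bad: ACCEPTED"
else
  echo "sample bad: rejected"
fi
```

On a Mac, `verify_pkg "$HOME/Downloads/<downloaded>.pkg" && echo "safe to upload"` runs the real check. A package that is unsigned, or signed by any other Developer ID, is rejected even when pkgutil reports it as validly signed.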

Step 2: Upload the applications to Jamf Pro

Log on to your Jamf Pro instance and navigate to Settings -> Computer Management -> Packages and create a new package.

Optional: Repeat this step for the MAU package as well. I now have two packages available in Jamf Pro.

Step 3: Identify Mac Computers that don’t have the Company Portal installed

In Jamf Pro, go to Computers -> Smart Computer Groups and click New.

Give it a Display Name and go to Criteria to define a criterion that identifies computers without Company Portal installed.

I have been successfully using “Application Title” “is not” “Company Portal.app” (if you want to see this group in your dashboard, remember to tick Show in Jamf Pro Dashboard).

Step 4: Deploy Intune Company Portal

In Jamf Pro, navigate to Computers -> Policies and create a policy that deploys the Intune Company Portal to your users

Under General do the following Configuration:

Display Name: Deploy Intune Company Portal
Enabled: Yes
Trigger: Enrollment Complete + Recurring Check-in
Frequency: Once Per Computer

Under Packages click on Configure:

Add your Company Portal Package and Action = Install

Now go to Maintenance and click Configure. After the package has been installed we want to force an inventory update as well, so that the computer drops out of the smart group and the policy is not retried.

Click the Scope tab and choose the Smart Group we created in step 3.

Click Save. The Company Portal will now be deployed to all computers that do not have it installed.

Device Registration Policy

Now that we have deployed the Intune Company Portal we need to create a policy for device registration as well. The reason for this is that end users MUST launch the Company Portal from Jamf Self Service for macOS to register their computer with Azure Active Directory as a device managed by Jamf Pro.

I strongly advise that you inform your users that they need to take action and how to do this. 

Step 1: Create a Smart Group for Computers with Company Portal Installed

First I create a new Computer Smart Group containing devices that have the Company Portal installed.

Go to Computers -> Smart Computer Group and click on New.

I use the same criterion as in Step 3 above, but with “is” instead of “is not”:
“Application Title” “is” “Company Portal.app”

Step 2: Create the registration policy

This policy should be deployed to the Jamf Self Service portal so that the user can start the registration interactively.

Go to Computers -> Policies and create a new policy for users to register with Azure Active Directory.

Display Name: Register Device for Compliance
Execution Frequency: Ongoing

Now, at the bottom of the payload list, click macOS Intune Integration and click Configure.

Go to the Scope tab and target the Smart Group we created in the previous step.

Go to the Self Service tab and make this policy available in Self Service.

Important: The Company Portal app must be launched from Jamf Self Service to begin device registration. Launching the Company Portal app manually will not register the device. If an end user launches the Company Portal app manually, they will see an 'AccountNotOnboarded' warning message.

Inventory information is sent to Microsoft Intune only for Mac computers that have completed the device registration process with Azure AD. Jamf Pro sends the inventory state of each managed Mac computer that has checked in with Jamf Pro within the last 24 hours. To view inventory data sent to Microsoft Intune for each username associated with a computer, navigate to a computer’s history and click the macOS Intune Integration Logs category.
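The two smart-group criteria above and the 24-hour check-in window together determine which Macs will actually show up as compliant in Intune. The following is an added example (not code from the original post) that reproduces that triage offline: it sorts computers into those still needing the Company Portal install policy, those that have it but have not checked in within 24 hours (so no inventory is forwarded to Intune), and those ready for the Self Service registration policy. The records are constructed; their shape, with `general.lastContactTime` and `applications[].name`, is assumed from the Jamf Pro API endpoint `GET /api/v1/computers-inventory?section=GENERAL&section=APPLICATIONS`.

```python
"""Offline triage of Jamf Pro computer inventory for the Intune compliance flow.

Added example, not from the original post. Mirrors the Smart Group criteria
("Application Title" is / is not "Company Portal.app") and the 24-hour
check-in window for inventory forwarded to Intune. Field names are assumed
from the Jamf Pro API computers-inventory endpoint; the records are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

COMPANY_PORTAL = "Company Portal.app"
CHECKIN_WINDOW = timedelta(hours=24)

# Constructed sample in the shape of a parsed computers-inventory response.
SAMPLE_INVENTORY = json.loads("""
{
  "totalCount": 4,
  "results": [
    {"id": "1", "general": {"name": "mac-alice", "lastContactTime": "2021-03-19T09:00:00Z"},
     "applications": [{"name": "Company Portal.app", "version": "2.3"}, {"name": "Safari.app"}]},
    {"id": "2", "general": {"name": "mac-bob", "lastContactTime": "2021-03-19T08:30:00Z"},
     "applications": [{"name": "Safari.app"}]},
    {"id": "3", "general": {"name": "mac-carol", "lastContactTime": "2021-03-10T17:45:00Z"},
     "applications": [{"name": "Company Portal.app", "version": "2.3"}]},
    {"id": "4", "general": {"name": "mac-dave", "lastContactTime": null},
     "applications": []}
  ]
}
""")

# Fixed "now" so the constructed sample triages deterministically.
SAMPLE_NOW = datetime(2021, 3, 19, 12, 0, tzinfo=timezone.utc)


def has_company_portal(record):
    """Smart Group criterion: "Application Title" is "Company Portal.app"."""
    return any(app.get("name") == COMPANY_PORTAL for app in record.get("applications", []))


def parse_contact_time(value):
    """Parse an ISO 8601 UTC timestamp; None if the computer never contacted Jamf Pro."""
    if not value:
        return None
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on,
    # so normalise it to an explicit offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def checked_in_recently(record, now):
    """True if the computer checked in with Jamf Pro within the last 24 hours."""
    last = parse_contact_time(record.get("general", {}).get("lastContactTime"))
    return last is not None and now - last <= CHECKIN_WINDOW


def triage(inventory, now):
    """Sort computers into the buckets that matter for the compliance flow."""
    buckets = {"needs_company_portal": [], "stale_checkin": [], "ready": []}
    for rec in inventory["results"]:
        name = rec["general"]["name"]
        if not has_company_portal(rec):
            buckets["needs_company_portal"].append(name)  # in scope of the install policy
        elif not checked_in_recently(rec, now):
            buckets["stale_checkin"].append(name)  # inventory will not be forwarded to Intune
        else:
            buckets["ready"].append(name)  # in scope of the Self Service registration policy
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Against live data, replace SAMPLE_INVENTORY with the parsed response of the inventory call (paginated, so loop over `page` until `results` is empty) and SAMPLE_NOW with the current UTC time; the stale_checkin bucket is the one to chase, because those Macs look registered in Jamf Pro yet report nothing to Intune.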

This concludes part 2. Next post in this series will focus on the end user experience of registering the device with Azure AD.

Jan Ketil Skanke

Jan Ketil has been an Enterprise Mobility MVP since 2016 and works as COO and Principal Cloud Architect at CloudWay in Norway. He has been in the industry for more than 20 years, working for both Microsoft Partners and Microsoft. He loves to speak about anything around Enterprise Mobility and Secure Productivity. He is also the lead for the community conference Experts Live Norway. Jan Ketil has presented at large industry conferences such as Microsoft Ignite, Microsoft Ignite The Tour, Microsoft Inspire, Experts Live Europe, TechMentor HQ (3rd best session 2019) and the NIC Conference in Oslo.
