Enforce compliance on Macs managed with Jamf Pro
Applies to: Intune in the Azure portal
You can use Azure Active Directory and Microsoft Intune Conditional Access policies to ensure that your end users' devices comply with organizational requirements. You can apply these policies to Macs that are managed with Jamf Pro. This requires access to both the Intune and Jamf Pro consoles.
Set up device compliance policies in Intune
- Open Microsoft Azure, then navigate to Intune > Device Compliance > Policies. You can create policies for macOS, including choosing a series of actions (for example, sending warning emails) to take for noncompliant users and groups.
- Select the policy > Assignments. You can include or exclude Azure Active Directory (AD) security groups.
- Choose Selected groups to see your Azure AD security groups. Select the user groups to which you want this policy to apply, then choose Save to deploy the policy to users.
You applied the policy to users. The devices used by the users targeted by the policy are evaluated for compliance and marked as compliant or noncompliant. A Conditional Access policy in Azure Active Directory that uses the grant control "Require device to be marked as compliant" then allows access only from devices that Intune has marked as compliant.
Intune requires full disk encryption (FileVault on macOS) for a Mac to be marked compliant.
Deploy the Company Portal app for macOS in Jamf Pro
You should deploy the Company Portal app for macOS in Jamf Pro as a background installation following the procedure below:
- On a macOS device, download the current version of the Company Portal app for macOS. Do not install it; you need a copy of the app to upload to Jamf Pro.
- Open Jamf Pro, then navigate to Computer management > Packages.
- Create a new package with the Company Portal app for macOS, then click Save.
- Open Computers > Policies, then select New.
- Use the General payload to configure settings for the policy. These settings should be:
- Trigger: select Enrollment Complete and Recurring Check-in
- Execution Frequency: select Once per computer
- Select the Packages payload and click Configure.
- Click Add to select the package with the Company Portal app.
- Choose Install from the Action pop-up menu.
- Configure the settings for the package.
- Click the Scope tab to specify on which computers the Company Portal app should be installed. Click Save. The policy will run on scoped devices the next time the selected trigger occurs on the computer and the computer meets the criteria in the General payload.
Create a policy in Jamf Pro to have users register their devices with Azure Active Directory
You need to deploy the Company Portal for macOS before going through the next steps.
End users need to launch the Company Portal app through Jamf Self Service to register the device with Azure AD as a device managed by Jamf Pro. This requires your end users to take action. We recommend that you contact your end users through email, Jamf Pro notifications, or any other method of notification and ask them to click the button in Jamf Self Service.
The Company Portal app must be launched from Jamf Self Service to begin device registration.
Launching the Company Portal app manually (for example, from the Applications or Downloads folder) will not register the device. If an end user launches the Company Portal manually, they will see the warning 'AccountNotOnboarded'.
- In Jamf Pro, navigate to Computers > Policies, and create a new policy for device registration.
- Configure the Microsoft Intune Integration payload, including the trigger and execution frequency.
- Click the Scope tab, and scope the policy to all targeted devices.
- Click the Self Service tab to make the policy available in Jamf Self Service. Include the policy in the Device Compliance category. Click Save.
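Because Intune only marks a Mac compliant when full disk encryption is on, and the registration policy above is scoped to "all targeted devices", it helps to know which Macs are actually encrypted before users register. The script below is an added example, not code from the Microsoft or Jamf documentation: a Jamf Pro extension attribute that classifies the output of `fdesetup status` and reports it in the `<result>` form Jamf Pro reads, so you can build a smart group (for example, an assumed extension attribute named "FileVault State" with the criterion "FileVault State is On") and use that group as the policy scope instead of every Mac. The `require_filevault_on` function is a hypothetical pre-flight check you could run from the same policy before the Company Portal launch. The sample `fdesetup` output strings are constructed for illustration.

```shell
#!/bin/sh
# Jamf Pro extension attribute: report the FileVault state of this Mac.
# Added example, not from the Microsoft or Jamf documentation.
# Assumptions: extension attribute name "FileVault State" (hypothetical) and a
# smart group criterion "FileVault State is On" (hypothetical) that scopes the
# Self Service registration policy.

# Classify the text printed by `fdesetup status` into a single word.
# Output forms seen from macOS fdesetup (constructed samples below use these):
#   "FileVault is On."
#   "FileVault is Off."
#   "FileVault is Off, but will be enabled after the next restart."
#   a second line "Deferred enablement appears to be active for user '...'."
# Order matters: the deferred line is accompanied by "FileVault is Off.", so it
# is tested before the plain Off case.
filevault_state_from_status() {
    status="$1"
    case "$status" in
        *"FileVault is On."*)                          echo "On" ;;
        *"will be enabled after the next restart"*)    echo "Pending" ;;
        *"Deferred enablement appears to be active"*)  echo "Deferred" ;;
        *"FileVault is Off."*)                         echo "Off" ;;
        *)                                             echo "Unknown" ;;
    esac
}

# Wrap a value in the <result></result> tags Jamf Pro expects from an
# extension attribute script.
extension_attribute_result() {
    echo "<result>$1</result>"
}

# Collect the live state when fdesetup exists (macOS). On any other host
# report Unknown rather than letting a test machine look encrypted.
collect_filevault_state() {
    if command -v fdesetup >/dev/null 2>&1; then
        filevault_state_from_status "$(fdesetup status 2>/dev/null)"
    else
        echo "Unknown"
    fi
}

# Pre-flight check for the registration policy: succeed only when FileVault
# is On, since any other state leaves the Mac noncompliant in Intune.
require_filevault_on() {
    if [ "$1" = "On" ]; then
        return 0
    fi
    echo "FileVault is not On (state: $1); Intune will not mark this Mac compliant" >&2
    return 1
}

# Extension attribute entry point: print the state for Jamf Pro inventory.
extension_attribute_result "$(collect_filevault_state)"
```

Upload the script as a computer extension attribute (data type String, input type Script), then let the smart group built on it feed the Scope tab of the registration policy; Macs whose state is Pending or Deferred should finish enabling FileVault before users are asked to register, or they will register and immediately show as noncompliant.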
Removing a Jamf-managed device from Intune
You can remove a Jamf-managed device from the Intune console by selecting it in the All devices view and choosing Delete. To delete devices in bulk, select multiple devices and click Delete.