Integrate Jamf Pro with Intune for compliance
Applies to: Intune in the Azure portal
If your organization uses Jamf Pro to manage your end-users Macs, you can use Microsoft Intune compliance policies with Azure Active Directory Conditional Access to ensure that devices in your organization are compliant.
You need the following to configure Conditional Access with Jamf Pro:
- Jamf Pro 10.1.0 or later
- Company Portal app for macOS
- macOS devices with OS X 10.11 Yosemite or later
Connecting Intune to Jamf Pro
To connect Intune with Jamf Pro you:
- Create a new application in Azure
- Enable Intune to integrate with Jamf Pro
- Configure Conditional Access in Jamf Pro
Create an application in Azure Active Directory
In the Azure portal, go to Azure Active Directory > App Registrations, and then select New registration.
On the Register an application page, specify the following details:
- In the Name section, enter a meaningful application name, for example Jamf Conditional Access.
- For the Supported account types section, select Accounts in any organizational directory.
- For Redirect URI, leave the default of Web, and then specify the URL for your Jamf Pro instance.
Select Register to create the application and to open the Overview page for the new app.
On the app Overview page, copy the Application (client) ID value and record it for later use. You'll need this value in later procedures.
Select Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires and choose Add.
Before you leave this page, copy the value for the client secret and record it for later use. You will need this value in later procedures. This value isn’t available again, without recreating the app registration.
Select API permissions under Manage. Select the existing permissions and then select Remove permission to delete those permissions. Removal of all existing permissions is necessary as you’ll add a new permission, and the application only works if it has the single required permission.
To assign a new permission, select Add a permission. On the Request API permissions page, select Intune, and then select Application permissions. Select only the checkbox for update_device_attributes.
Select Add permission to save this configuration.
On the API permissions page, select Grant admin consent for Microsoft, and then select Yes.
The app registration process in Azure AD is complete.
If the client secret expires, you must create a new client secret in Azure and then update the Conditional Access data in Jamf Pro. Azure allows you to have both the old secret and new key active to prevent service disruptions.
Enable Intune to integrate with Jamf Pro
Sign in to Intune, and go to Microsoft Intune > Device Compliance > Partner device management.
Enable the Compliance Connector for Jamf by pasting the Application ID you saved during the previous procedure into the Jamf Azure Active Directory App ID field.
Configure Microsoft Intune Integration in Jamf Pro
In Jamf Pro, navigate to Global Management > Conditional Access. Click the Edit button on the Microsoft Intune Integration tab.
Select the checkbox for Enable Microsoft Intune Integration.
Provide the required information about your Azure tenant, including Location, Domain name, the Application ID, and the value for the client secret that you saved when you created the app in Azure AD.
Select Save. Jamf Pro tests your settings and verifies your success.
Set up compliance policies and register devices
After you configure integration between Intune and Jamf, you need to apply compliance policies to Jamf-managed devices.