Integrate Jamf Pro with Intune for compliance
Applies to: Intune in the Azure portal
If your organization uses Jamf Pro to manage your end users' Macs, you can use Microsoft Intune compliance policies with Azure Active Directory Conditional Access to ensure that devices in your organization are compliant.
You need the following to configure Conditional Access with Jamf Pro:
- Jamf Pro 10.1.0 or later
- Company Portal app for macOS
- macOS devices with OS X 10.11 Yosemite or later
Connect Intune to Jamf Pro
To connect Intune with Jamf Pro:
- Create a new application in Azure.
- Enable Intune to integrate with Jamf Pro.
- Configure Conditional Access in Jamf Pro.
Create an application in Azure Active Directory
In the Azure portal, go to Azure Active Directory > App Registrations, and then select New registration.
On the Register an application page, specify the following details:
- In the Name section, enter a meaningful application name, for example Jamf Conditional Access.
- For the Supported account types section, select Accounts in any organizational directory.
- For Redirect URI, leave the default of Web, and then specify the URL for your Jamf Pro instance.
Select Register to create the application and to open the Overview page for the new app.
On the app Overview page, copy the Application (client) ID value and record it; you'll need this value in later procedures.
Select Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires and choose Add.
Before you leave this page, copy the value for the client secret and record it; you'll need this value in later procedures. The secret value is displayed only once and isn't available again without recreating the app registration.
Select API permissions under Manage. Select each existing permission and then select Remove permission to delete it. You must remove all existing permissions because the application works only when it has the single required permission that you add next.
To assign a new permission, select Add a permission. On the Request API permissions page, select Intune, and then select Application permissions. Select only the check box for update_device_attributes.
Select Add permission to save this configuration.
On the API permissions page, select Grant admin consent for Microsoft, and then select Yes.
The app registration process in Azure AD is complete.
If the client secret expires, create a new client secret in Azure and then update the Conditional Access data in Jamf Pro. Azure allows both the old and the new secret to be active at the same time, so you can rotate the secret without service disruptions.
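The app registration steps above, together with the secret-rotation note, as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not code from the Microsoft page or from Jamf. It assumes the Microsoft.Graph module is installed, that you sign in with an account that can create applications and grant admin consent, that https://jamf.example.com stands in for your Jamf Pro URL, and that the Intune API application ID used to look up the update_device_attributes permission is the well-known first-party value (confirm it in your tenant before relying on it). The function names Test-JamfAppPermissions and New-JamfSecretForRotation are hypothetical.

```powershell
# Added example (not from the Microsoft page or Jamf): registers the Jamf Conditional
# Access app with the Microsoft Graph PowerShell SDK, mirroring the portal steps.
# Assumptions: Microsoft.Graph module installed; signed-in account can create apps
# and grant admin consent; $JamfUrl is a placeholder for your Jamf Pro URL.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Directory.Read.All'

$JamfUrl     = 'https://jamf.example.com'                  # placeholder: your Jamf Pro instance
$IntuneAppId = 'c5393580-f805-4401-95e8-94b7a6ef2fc2'       # Microsoft Intune API (assumed well-known value; verify in your tenant)

# 1. Register the app: accounts in any organizational directory, Web redirect URI = Jamf Pro URL
$app = New-MgApplication -DisplayName 'Jamf Conditional Access' `
    -SignInAudience 'AzureADMultipleOrgs' `
    -Web @{ RedirectUris = @($JamfUrl) }
"Application (client) ID: $($app.AppId)"   # paste this into Intune and Jamf Pro later

# 2. Resolve the update_device_attributes application permission (an app role on the Intune API)
$intuneSp = Get-MgServicePrincipal -Filter "appId eq '$IntuneAppId'"
$role = $intuneSp.AppRoles | Where-Object { $_.Value -eq 'update_device_attributes' }
if (-not $role) { throw 'update_device_attributes role not found on the Intune API service principal' }

# 3. Replace any existing permissions with the single required one (the page says the
#    connector only works when this is the app's sole permission)
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId  = $IntuneAppId
       ResourceAccess = @( @{ Id = $role.Id; Type = 'Role' } ) }
)

# 4. Grant admin consent: an app-role assignment from the app's own service principal to the Intune API
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $intuneSp.Id -AppRoleId $role.Id | Out-Null

# 5. Create the client secret; SecretText is returned only on creation, so capture it now
$secret = Add-MgApplicationPassword -ApplicationId $app.Id `
    -PasswordCredential @{ DisplayName = 'Jamf Pro connector'; EndDateTime = (Get-Date).AddYears(1) }
"Client secret (record it now, it is not shown again): $($secret.SecretText)"
"Secret KeyId (needed to remove this secret at rotation): $($secret.KeyId)"

# Check: the registration must carry exactly one permission, and it must be on the Intune API
function Test-JamfAppPermissions {
    param([Parameter(Mandatory)][string]$ApplicationObjectId)
    $a   = Get-MgApplication -ApplicationId $ApplicationObjectId
    $rra = @($a.RequiredResourceAccess)
    return ($rra.Count -eq 1 -and
            $rra[0].ResourceAppId -eq $IntuneAppId -and
            @($rra[0].ResourceAccess).Count -eq 1)
}

# Rotation: add the new secret while the old one is still valid, paste the new value into
# Jamf Pro (Global Management > Conditional Access), confirm the test passes, and only
# then remove the old credential by its KeyId.
function New-JamfSecretForRotation {
    param([Parameter(Mandatory)][string]$ApplicationObjectId, [int]$ValidYears = 1)
    Add-MgApplicationPassword -ApplicationId $ApplicationObjectId -PasswordCredential @{
        DisplayName = "Jamf Pro connector $(Get-Date -Format yyyy-MM-dd)"
        EndDateTime = (Get-Date).AddYears($ValidYears)
    }
}
# After Jamf Pro is updated and verified:
#   Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId <old KeyId>

if (-not (Test-JamfAppPermissions -ApplicationObjectId $app.Id)) {
    Write-Warning 'App has more than the single update_device_attributes permission; the connector will not work.'
}
```

Running Test-JamfAppPermissions after any later change to the registration is the quickest way to catch an extra permission that someone added in the portal. Keeping both secrets active during rotation is what lets the Jamf Pro connector keep reporting compliance while you swap the value.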
Enable Intune to integrate with Jamf Pro
Sign in to Intune, and go to Microsoft Intune > Device Compliance > Partner device management.
Enable the Compliance Connector for Jamf by pasting the Application ID you saved during the previous procedure into the Jamf Azure Active Directory App ID field.
Configure Microsoft Intune Integration in Jamf Pro
In Jamf Pro, navigate to Global Management > Conditional Access. Click the Edit button on the macOS Intune Integration tab.
Select the check box for Enable Intune Integration for macOS.
Provide the required information about your Azure tenant, including Location, Domain name, the Application ID, and the value for the client secret that you saved when you created the app in Azure AD.
Select Save. Jamf Pro tests your settings and reports whether the connection succeeded.
Set up compliance policies and register devices
After you configure integration between Intune and Jamf, you need to apply compliance policies to Jamf-managed devices.
Disconnect Jamf Pro and Intune
If you no longer use Jamf Pro to manage Macs in your organization and want users to be managed by Intune, you must remove the connection between Jamf Pro and Intune. Remove the connection by using the Jamf Pro console.
In Jamf Pro, go to Global Management > Conditional Access. On the macOS Intune Integration tab, select Edit.
Clear the Enable Intune Integration for macOS check box.
Select Save. Jamf Pro sends the updated configuration to Intune, and the integration is terminated.
Sign in to Intune. Go to Microsoft Intune > Device Compliance > Partner device management to verify that the status is now Terminated.
Your organization's Mac devices are removed from Intune on the date shown in your console (3 months after termination).