Enforce compliance on Macs managed with Jamf Pro
When you integrate Jamf Pro with Intune, you can use Conditional Access policies to require that Jamf-managed Mac devices meet your organization's compliance requirements before they can access company resources. This article helps you with the following tasks:
- Create Conditional Access policies.
- Configure Jamf Pro to deploy the Intune Company Portal app to devices you manage with Jamf.
- Configure devices to register with Azure AD when the device user signs in to the Company Portal app, which they launch from within the Jamf Self Service app. Registration establishes a device identity in Azure AD so that Conditional Access policies can evaluate the device before granting access to company resources.
The procedures in this article require access to both the Intune and Jamf Pro consoles.
Set up device compliance policies in Intune
Sign in to the Microsoft Endpoint Manager Admin Center.
Select Devices > Compliance policies. If you're using a previously created policy, select that policy in the console and then go to the next step of this procedure. To create a new policy, select Create Policy and then specify details for a policy with a Platform of macOS. Configure Settings and Actions for noncompliance to meet your organizational requirements, and then select Create to save the policy.
On the policy's Overview pane, select Assignments. Use the available options to configure which Azure Active Directory (Azure AD) users and security groups receive this policy. Assign the policy to user groups: Jamf integration with Intune doesn't support compliance policies that target device groups.
When you select Save, the policy deploys to the users.
Policies you deploy target the devices that are used by the assigned users. Those devices are evaluated for compliance. Compliant devices are marked as compliant for the setting "Require device to be marked as compliant" in Azure AD.
Jamf Pro reports each Mac's inventory state, including its disk encryption status, to Intune. If your compliance policy requires encryption, a Mac without full disk encryption (FileVault) is evaluated as noncompliant and is blocked by Conditional Access until it's encrypted.
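The procedure above can also be done through Microsoft Graph, which is how you would script it for several tenants or keep it in version control. The following is an added example, not Microsoft's code or text from the original article. It assumes the Graph v1.0 macOSCompliancePolicy schema (storageRequireEncryption, firewallEnabled, systemIntegrityProtectionEnabled, osMinimumVersion), the /assign action on deviceCompliancePolicies, and a delegated or app token with DeviceManagementConfiguration.ReadWrite.All supplied in the GRAPH_TOKEN environment variable; the group IDs in GROUP_IDS are placeholders for your Azure AD user groups.

```python
"""Create an Intune macOS compliance policy and assign it to Azure AD user
groups through Microsoft Graph. Added example; schema names are assumptions
to verify against the Graph reference for macOSCompliancePolicy."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_macos_compliance_policy(name: str, min_os: str = "13.0") -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies.
    The settings mirror what you would tick in the Admin Center: FileVault,
    firewall, System Integrity Protection and a minimum OS version."""
    return {
        "@odata.type": "#microsoft.graph.macOSCompliancePolicy",
        "displayName": name,
        "description": "Constructed example policy for Jamf-managed Macs",
        "storageRequireEncryption": True,        # FileVault full disk encryption
        "firewallEnabled": True,
        "systemIntegrityProtectionEnabled": True,
        "osMinimumVersion": min_os,
        # A compliance policy needs at least one action for noncompliance.
        # "block" with a 0-hour grace period is "mark noncompliant immediately",
        # which is what makes Conditional Access bite.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def build_assignment(user_group_ids) -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies/{id}/assign.
    Pass Azure AD *user* groups: the Jamf integration evaluates the policy per
    signed-in user, and a policy targeted at device groups isn't applied to
    Jamf-managed Macs."""
    if not user_group_ids:
        raise ValueError("at least one user group is required")
    return {"assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": gid}}
        for gid in user_group_ids
    ]}


def graph_call(method: str, path: str, token: str, body=None) -> dict:
    """Minimal Graph call with a bearer token; returns the parsed JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_and_assign(name: str, user_group_ids, token: str) -> str:
    """Create the policy, then assign it; returns the new policy id."""
    created = graph_call("POST", "/deviceManagement/deviceCompliancePolicies",
                         token, build_macos_compliance_policy(name))
    graph_call("POST",
               f"/deviceManagement/deviceCompliancePolicies/{created['id']}/assign",
               token, build_assignment(user_group_ids))
    return created["id"]


if __name__ == "__main__":
    policy_id = create_and_assign(
        "macOS - Jamf baseline",
        os.environ["GROUP_IDS"].split(","),
        os.environ["GRAPH_TOKEN"])
    print("created and assigned compliance policy", policy_id)
```

Keep the assignment to user groups even when scripting; Graph accepts a device group ID in the same groupAssignmentTarget shape, and nothing in the API warns you that the Jamf integration won't honour it.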
Deploy the Company Portal app for macOS in Jamf Pro
Create a policy in Jamf Pro to deploy the Intune Company Portal. This policy installs the Company Portal app on the Mac so that the registration policy you create next can launch it from Jamf Self Service. Create this policy before you create the Jamf Pro policy that has users register devices with Azure AD.
To complete the following procedure, you need access to a macOS device and the Jamf Pro portal.
To deploy the company portal app
On a macOS device, download but don't install the current version of the Company Portal app for macOS. You only need a copy of the app so you can upload the app to Jamf Pro.
Open Jamf Pro and go to Computer management > Packages.
Create a new package with the Company Portal app for macOS, then select Save.
Open Computers > Policies, then select New.
Use the General payload to configure settings for the policy. These settings should be:
- Trigger: select Enrollment Complete and Recurring Check-in
- Execution Frequency: select Once per computer
Select the Packages payload and click Configure.
Click Add to select the package with the Company Portal app.
Select Install from the Action pop-up menu.
Configure the settings for the package.
Select the Scope tab to specify which computers the Company Portal app should install on. Select Save. The policy runs on scoped devices the next time the selected trigger occurs on the computer and the criteria in the General payload are met.
Create a policy in Jamf Pro to have users register their devices with Azure Active Directory
After you deploy the Company Portal for macOS through Jamf Pro Self Service, you can create the Jamf Pro policy that registers a user's device with Azure AD.
Device registration requires a device user to manually select the Intune Company Portal app from within Jamf Self Service. We recommend you contact your end users through email, Jamf Pro notifications, or any other method your organization uses to direct them to complete this action to get their devices registered.
Launching the Company Portal app manually (such as from the Applications or Downloads folders) won't register the device. If a device user launches the Company Portal manually, they'll see the warning 'AccountNotOnboarded'.
To create the registration policy
In Jamf Pro, go to Computers > Policies, and then create a new policy for device registration.
Configure the General payload (trigger and execution frequency) and the Microsoft Intune Integration payload, which registers the computer with Azure AD for Conditional Access.
Select the Scope tab, and then scope the policy to all targeted devices.
Select the Self Service tab to make the policy available in Jamf Self Service. Include the policy in the Device Compliance category. Click Save.
Validate Intune and Jamf integration
Use the Jamf Pro console to confirm that communication between Jamf Pro and Microsoft Intune is successful.
In Jamf Pro, go to Settings > Global Management > Microsoft Intune Integration, and then select Test.
The console displays a message with the success or failure of the connection.
If the connection test fails, review the Microsoft Intune Integration settings in Jamf Pro, including the Azure AD application and credentials you configured when you set up the integration, before you troubleshoot individual devices.
Removing a Jamf-managed device from Intune
To remove a Jamf-managed device, open the Microsoft Endpoint Manager Admin Center, select Devices > All devices, select the device, and then select Delete. To remove several devices at once, select them all and then select Delete.