Troubleshooting integration of Jamf Pro with Microsoft Intune

This article helps Intune administrators understand and troubleshoot problems with integration of Jamf Pro for macOS with Microsoft Intune. Each of the following sections describes a common issue, and offers a potential cause and troubleshooting steps for a resolution.

Important

Jamf macOS device support for Conditional Access is being deprecated.

Starting from September 1, 2024, the platform that Jamf Pro's Conditional Access feature is built on will no longer be supported.

If you use Jamf Pro's Conditional Access integration for macOS devices, follow Jamf's documented guidelines to migrate your devices from macOS Conditional Access to macOS Device Compliance.

If you have questions or need help, contact Jamf Customer Success. For more information, see Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Prerequisites

Before you start troubleshooting, collect some basic information to clarify the problem and reduce the time to find a resolution. For example, when you encounter a Jamf-Intune integration-related issue, always verify that prerequisites have been met. Consider the following before you start troubleshooting:

  • Review the prerequisites from the following articles, depending on how you configure Jamf Pro integration with Intune:
  • All users must have Microsoft Intune and Microsoft Entra ID P1 licenses.
  • You must have a user account that has Microsoft Intune Integration permissions in the Jamf Pro console.
  • You must have a user account that has Global Admin permissions in Azure.

Collect the following information when investigating Jamf Pro integration with Intune:

  • Exact error message(s)
  • Location of the error message(s)
  • When the problem started, and whether your Jamf Pro integration with Intune worked previously
  • How many users are affected (all users or just some)
  • How many devices are affected (all devices or just some)

Devices are marked as unresponsive in Jamf Pro

Cause: The following are common causes of devices being marked as Unresponsive by Jamf Pro:

  • Device fails to check in with Jamf Pro.
    Jamf Pro expects devices to check in every 15 minutes. Devices are marked as unresponsive by Jamf when they fail to check in over a 24-hour period.

  • Device fails to check in with Microsoft Entra ID.
    With successful registration to Microsoft Entra ID, macOS devices receive an Azure token:

    • This token refreshes every 12 hours.
    • When the token refresh fails for 24 hours or more, Jamf Pro marks the device as unresponsive.
    • If the Azure token expires, users are prompted to sign in to Azure to obtain a new token. A refresh token for Azure access is generated every seven days.

Solution
After a device is marked as Unresponsive by Jamf Pro, the enrolled user of the device must sign in to clear the unresponsive state. It must be the user who workplace-joined the device, because that user holds the Intune identity in their login keychain.

Mac devices prompt for keychain sign-in when you open an app

After you configure Intune and Jamf Pro integration and deploy conditional access policies, users of devices managed with Jamf Pro receive password prompts when opening Microsoft 365 applications, such as Teams, Outlook, and other apps that require Microsoft Entra authentication.

For example, a prompt with text similar to the following example appears when opening Microsoft Teams:

Microsoft Teams wants to sign using key "Microsoft Workplace Join Key" in your keychain.
To allow this, enter the "login" keychain password

Cause: These prompts are generated by Jamf Pro for each applicable app that requires Microsoft Entra registration.

Solution
At the prompt, the user must provide their device password to sign in to Microsoft Entra ID. Options include:

  • Deny - Do not sign in and do not use the app.
  • Allow - A one-time sign-in. The next time the app opens, it prompts for sign-in again.
  • Always Allow - The sign-in credentials are cached for the application. The next time the app opens, it doesn't prompt for sign-in.

Selecting Always Allow for one app approves only that app for future sign-ins. Other apps continue to prompt for authentication until they are also set to Always Allow. Cached credentials for one app can't be used by another app.

Devices fail to register with Intune

There are several common causes for Mac devices that fail to register with Intune through Jamf Pro.

Cause 1 - Jamf Pro doesn't have correct permissions

The Jamf Pro enterprise application in Azure has the wrong permission or has more than one permission. When you create the app in Azure, you must remove all default API permissions and then assign Intune a single permission of update_device_attributes.

Solution
Review and if necessary correct the permissions for the Jamf app. If you use the Jamf Pro Cloud Connector, this app was created for you. If you manually configured the integration, you created the app in Microsoft Entra ID. For the app permissions, see Create an application (for Jamf) in Microsoft Entra ID.

Cause 2 - Wrong tenant or account

The Jamf Native macOS Connector app wasn't created in your Microsoft Entra tenant or consent for the connector was signed by an account that doesn't have global admin rights.

Solution
See the Configuring macOS Intune Integration section in Integrating with Microsoft Intune on docs.jamf.com.

Cause 3 - User doesn't have valid license(s)

Lack of a valid Intune or Jamf license can result in the following error, which indicates that the Jamf license is expired:

Unable to connect to Microsoft Intune.
Check your Microsoft Intune Integration configuration.

Solution

  • Jamf license: Contact Jamf for assistance to obtain a new license for Jamf.
  • Intune license: Assign the user a valid license or contact Microsoft or your Partner for information about how to obtain a current license.

Cause 4 - User didn't use Jamf Self Service

For a device to successfully enroll and register with Intune through Jamf, the user must use Jamf Self Service to open the Intune Company Portal. If the user opens the Company Portal manually, the device enrolls and registers without its connection to Jamf.

To determine which service the device used to enroll and register, look in the Company Portal app on the device. When registered through Jamf, you should receive a notification to open the Self-Service app to make changes.

In the Company Portal app, the user might see Not registered, and an entry similar to the following example might appear in the Company Portal logs:

Line 7783: <DATE> <IP ADDRESS> INFO com.microsoft.ssp.application TID=1
WelcomeViewController.swift: 253 (startLogin()) Portal launched without WPJ only arg while account is under partner management

Solution

To change the registration source from Intune to Jamf:

  1. Remove the macOS device from Intune. To avoid further complications for devices that aren't fully removed from Intune, see Cause 6 below.

  2. On the device, use Jamf Self Service to open the Company Portal app, and then register the device with Microsoft Entra ID. This task requires you to have already completed the following tasks:

  3. When the portal opens, the first screen you see prompts you to sign in. Use your work or school account.

  4. The Company Portal confirms your account information and shows your Device Enrollment and Device Compliance statuses. Yellow triangles highlight the actions you need to take to secure your macOS device for school or work. Click Begin to start enrollment.

  5. If prompted, type in your computer's sign-in information.

It might take a few minutes to register your device. You'll receive a message after the registration is completed to let you know you're done.

Cause 5 - Intune integration is turned off

If Intune integration is turned off, users receive a pop-up window in the Company Portal with the following message when they try to register a device:

Invalid command line input Registration-only command line flag (-r) can only be used when partner management is enabled in Intune. Please contact your IT admin.

When integration is turned off, the Jamf Pro server sends a pulse to the Intune servers that tells Intune the integration is disabled.

Solution
Re-enable Intune integration within Jamf Pro. See the following depending on how you configure integration:

Cause 6 - The device was previously enrolled in Intune

If a device is unenrolled from Jamf but not correctly removed from Intune (if it had been enrolled previously), or if the user has made several registration attempts, you might see multiple instances of the same device in the portal. This causes Jamf enrollment to fail.

Solution

  1. On the Mac, start Terminal.

  2. Run sudo jamf removeMdmProfile.

  3. Run sudo jamf removeFramework.

  4. On the JAMF Pro server, delete the computer's inventory record.

  5. Delete the device from AzureAD.

  6. Delete the following files on the device if they exist:

    • /Library/Application Support/com.microsoft.CompanyPortal.usercontext.info
    • /Library/Application Support/com.microsoft.CompanyPortal
    • /Library/Application Support/com.jamfsoftware.selfservice.mac
    • /Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState
    • /Library/Saved Application State/com.microsoft.CompanyPortal.savedState
    • /Library/Preferences/com.microsoft.CompanyPortal.plist
    • /Library/Preferences/com.jamfsoftware.selfservice.mac.plist
    • /Library/Preferences/com.jamfsoftware.management.jamfAAD.plist
    • /Users/<username>/Library/Cookies/com.microsoft.CompanyPortal.binarycookies
    • /Users/<username>/Library/Cookies/com.jamf.management.jamfAAD.binarycookies
  7. Remove anything from the keychain on the device that references Microsoft, Intune, or Company Portal, including DeviceLogin.microsoft.com certificates. Remove JAMF references except for the JAMF public and private key.

    Important

    Removing the public and private key will break device enrollment.

  8. Delete any of the following keychain entries that you find:

    • com.microsoft.CompanyPortal
    • com.microsoft.CompanyPortal.HockeySDK
    • enterpriseregistration.windows.net
    • https://device.login.microsoftonline.com
    • https://device.login.microsoftonline.com/
    • Microsoft Session Transport Key (public AND private keys)
    • Microsoft Workplace Join Key (public AND private keys)
    • Kind: Application password ; Account: com.microsoft.workplacejoin.thumbprint
    • Kind: Application password ; Account: com.microsoft.workplacejoin.registeredUserPrincipalName
    • Kind: Certificate ; Issued by: MS-Organization-Access
    • Kind: Identity preference ; Name (ADFS STS URL if present): https://<DNS NAME>.com/adfs/ls
    • Kind: Identity preference ; Name: https://enterpriseregistration.windows.net
    • Kind: Identity preference ; Name: https://enterpriseregistration.windows.net/
  9. Restart the Mac device.

  10. Uninstall Company Portal from the device.

  11. Go to portal.manage.microsoft.com and delete all instances of the Mac device. Wait at least 30 minutes before you go to the next step.

  12. Re-enroll the device in JAMF Pro.

  13. Reopen Self Service and start Registration policy.
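Before re-enrolling (steps 12 and 13), it helps to confirm that the device-side cleanup actually completed. The following check script is an added example, not part of this article or of Jamf's tooling; it assumes the function names residue_paths, find_residue, count_residue and keychain_residue, a root argument that defaults to /, and that it is run on the Mac as the enrolled user.

```shell
#!/bin/sh
# Added check script (not from the article): confirms the device-side cleanup
# from the Cause 6 procedure is complete before re-enrolling. It lists the
# step 6 files that still exist and, on macOS, counts the step 8 workplace-join
# keychain passwords still present. Assumptions: run on the Mac as the enrolled
# user; the root argument (default "/") may point at another volume or test dir.

# Print the step 6 residue paths for a user, one per line.
residue_paths() {
    user="$1"; root="${2%/}"   # "/" becomes "" so the paths stay absolute
    printf '%s\n' \
      "$root/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" \
      "$root/Library/Application Support/com.microsoft.CompanyPortal" \
      "$root/Library/Application Support/com.jamfsoftware.selfservice.mac" \
      "$root/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState" \
      "$root/Library/Saved Application State/com.microsoft.CompanyPortal.savedState" \
      "$root/Library/Preferences/com.microsoft.CompanyPortal.plist" \
      "$root/Library/Preferences/com.jamfsoftware.selfservice.mac.plist" \
      "$root/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist" \
      "$root/Users/$user/Library/Cookies/com.microsoft.CompanyPortal.binarycookies" \
      "$root/Users/$user/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"
}

# Print each listed path that still exists (paths may contain spaces).
find_residue() {
    IFS='
'
    for p in $(residue_paths "$1" "${2:-/}"); do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    unset IFS
}

# Print the number of leftover files; 0 means the file cleanup is complete.
count_residue() {
    find_residue "$1" "$2" | wc -l | tr -d ' '
}

# Count the step 8 workplace-join passwords still in the login keychain.
# Uses the macOS "security" tool; prints 0 where that tool is absent.
keychain_residue() {
    n=0
    command -v security >/dev/null 2>&1 || { echo 0; return 0; }
    for acct in com.microsoft.workplacejoin.thumbprint \
                com.microsoft.workplacejoin.registeredUserPrincipalName; do
        if security find-generic-password -a "$acct" >/dev/null 2>&1; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

After sourcing the script, run count_residue <username> and keychain_residue; any nonzero count means the corresponding step (6 or 8) needs to be revisited before step 12.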

Cause 7 - User didn't provide JamfAAD access to their key

JamfAAD requests access to the "Microsoft Workplace Join Key" in the user's keychain. During registration, the user of a macOS device receives the following prompt to allow JamfAAD access to that key:

JamfAAD wants to access key "Microsoft Workplace Join Key" in your keychain. To allow this, enter the "login" keychain password

Solution
To successfully register the device with Microsoft Entra ID, Jamf requires the user to provide their account password, and select Allow.

This request is similar to the prompt described in Mac devices prompt for keychain sign-in when you open an app, earlier in this article.

Mac device shows compliant in Intune but noncompliant in Azure

Cause: The following conditions can cause a device to show as compliant in Intune but not as compliant in Azure:

  • The device isn't registered correctly.
  • The device was registered multiple times without the necessary cleanup.

Solution
To resolve this issue, follow the steps in Cause 6.

Duplicate entries appear in the Intune console for Mac devices enrolled by using Jamf

Cause: A device is registered with Intune multiple times, typically because it was re-registered after being removed from Intune.

When a device is removed from Intune and Jamf Pro integration, some data can be left behind which can cause successive registrations to create duplicate entries.

Solution
To resolve this issue, follow the steps in Cause 6.

Compliance policy fails to evaluate the device

Cause: Jamf integration with Intune doesn't support compliance policy that targets device groups.

Solution
Modify compliance policy for macOS devices to be assigned to user groups.

Could not retrieve the access token for Microsoft Graph API

You receive the following error:

Could not retrieve the access token for Microsoft Graph API. Check the configuration for Microsoft Intune Integration.

The source of this error can be one of the following causes:

Cause 1

There's a permission issue with the Jamf Pro application in Azure. While registering the Jamf Pro app in Azure, one of the following conditions occurred:

  • The app received more than one permission.
  • The Grant admin consent for <your company> option wasn't selected.

Solution
See the resolution for Cause 1 for Devices fail to register, earlier in this article.

Cause 2

A license required for Jamf-Intune integration has expired.

Solution
See the resolution for Cause 3 for Devices fail to register.

Cause 3

The required ports aren't open on your network.

Solution
Review the information for network ports in Prerequisites for integrating Jamf Pro with Intune.