Jamf Blog
March 26, 2021 by Bryce Carlson

Common questions about achieving compliance with Microsoft and Apple

Get helpful answers to common questions about achieving compliance for Mac and iOS devices.

We had a lot of great questions from our recent webinar about achieving compliance with Microsoft and Apple, and we wanted to share our answers in the hope of helping others with similar questions on the topic. Read on to watch the webinar on demand, get a detailed summary and get your questions answered.

About the webinar

As Apple continues to grow in the enterprise, organizations need to expand their view of management and security beyond Windows devices. Hybrid environments require new strategies and tools, and in the evolving technology landscape, IT teams must prioritize bringing Mac, iPhone and iPad devices into compliance.

In our on-demand webinar, "Complete Enterprise Compliance with Microsoft and Apple", in-house expert Bryce Carlson gives a thorough overview of what it takes to achieve Apple device compliance in a Windows world. He covers topics such as:

  • Benefits of a unique relationship with Microsoft
  • Powerful product integrations for hybrid environments
  • Achieving compliance for Mac and iOS devices
  • How to grant secure access to Office 365 apps

Want to follow along while reading the Q&A? Check out the full webinar below:

FAQ

If you’re like our live attendees, you may have important questions that need more answers than we had time to cover. If so, peruse the following common questions and solutions for helpful insight into specific issues.

Q: Do you get any cases with SSO extensions, where an Azure Active Directory (AAD) password change triggers the non-compliance? I know with the Enterprise Connect we've seen problems when this happens.

A: Yes, with the SSOe being in beta, that has been an issue where the token is not refreshed. When that becomes more polished I would expect that to be fixed.

-

Q: If you don't install Office on the Mac, it sounds like the only Microsoft licensing needed is an EMS user CAL or the Intune user CAL and the server CAL. Any advice on properly buying Microsoft licensing?

A: Correct. You could use this with only the web apps and not have the Microsoft macOS desktop apps. In that case, you would only need the E3 and E5 Security licenses, plus whichever Office 365 web-only apps you’d like.

-

Q: Any recommendations on hiding the Company Portal (CP) app to reduce customers directly launching it? Or does the CP app have a setting where we can make it launch Self Service instead (i.e. push a config profile with setting)?

A: That’s a hard one. The app cannot be hidden as it needs to be called in registration mode. That being said, some customers will remove the CP app after registration to register from Self Service. To re-register, the registration will put “CP.app” back on the device and then cascade into a registration policy.

-

Q: Can you add a device to Intune after it has been enrolled in Jamf, or would you have to re-enroll?

A: Yes, for sure. However, the device must always be first enrolled in Jamf Pro and then registered in AAD via the Jamf Policy from the integration.

-

Q: Is there a way to domain join a computer to AAD and is there a way to do this remotely with a proxy server?

A: Yes, that could be done with Jamf Connect, Apple Enterprise Connect, or NoMAD.

-

Q: Is Microsoft Intune Compliance fully compatible with Big Sur?

A: Yes, I actually just used macOS 11.2 with this setup.

-

Q: Does a computer need to be on the company network to change and sync the AAD password? I have users that change the password on other devices.

A: Jamf Connect would need to be used to sync the passwords fully. This integration for compliance does not do so.

-

Q: How do we grant access to Microsoft apps? For example, can we use this to activate Outlook? Does it require a config profile to be deployed to the device?

A: In AAD, you can set a CA policy on a per-app-and-platform basis. That is what requires the device to be registered. If you are talking about activation of the desktop apps, that is slightly different and I would consult the Volume License Serializer on https://macadmins.software.

-

Q: We tested Jamf Pro and Jamf Connect to perform a closed SSO experience for the client, but a local account always gets created. Is it possible to only use the Microsoft 365 account as the macOS account?

A: No; Jamf Connect, Apple Enterprise Connect, etc., and any of these AAD tie-ins will always make a local account, as macOS cannot bind directly to AAD.

-

Q: Are there any benefits to moving to the cloud connector for CA from the older, manual connection?

A: Yes! If you have more than one Jamf Pro Cloud server, you can point them to a single AAD tenant. This allows for a Jamf Pro test server or different global or org areas to connect to the same directory.

-

Q: What additional advantage over Intune justifies the cost of Jamf? Where does the “Jamf magic” happen, in the cloud or on a server (on-premises or in AAD)?

A: What it comes down to is feature set. The Jamf Pro offering gives you the customization and scripting features. MEM/Intune is more basic with that feature set. The calculation is taking place on the MEM side for macOS from the data that Jamf Pro sends. The iOS/iPadOS is acting on what Jamf Pro sends to AAD for compliance.

-

Q: I’ve experienced issues getting prompts to register the Mac device with Intune even though the device is already registered and compliant in Intune/Azure AD. Any insight here?

A: What’s taking place is when a device does an auth. from Teams, OneDrive, etc., MSAL is using the WPJ and AAD ID from the login.keychain. What is going wrong is that it’s not sent to the MSFT auth. server for some reason. Thus, it does not know the device is, in fact, compliant. If you can replicate this on demand, please make a case with Microsoft, since Jamf Pro is sending the data and it is compliant, but the Office desktop apps are not passing the AAD ID. The root cause is around the MSAL client app or the auth. server not getting the cert.

-

Q: How does Jamf Pro know in which Smart Group to check membership in order to mark a device compliant yes/no?

A: It uses the inventory data that Jamf Pro gathers daily, and the criteria you set for the group.
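The two answers above (MSAL reading the WPJ identity from the login keychain, and Smart Group criteria being evaluated from inventory data) suggest a useful check on the Jamf side: an extension attribute that reports whether the console user's login keychain actually holds a Workplace Join certificate, so a Smart Group can separate registered Macs from ones that still need Company Portal registration. This is an added example, not Jamf's or Microsoft's code; it assumes the WPJ certificate's label contains "MS-ORGANIZATION-ACCESS" (a placeholder pattern to confirm in your tenant) and that the keychain lives at the default login.keychain-db path.

```shell
#!/bin/sh
# Added example (not from the Jamf post): Jamf Pro extension attribute that
# reports whether the console user's login keychain contains a Workplace Join
# (WPJ) device certificate, the identity MSAL presents during AAD sign-in.
# ASSUMPTION: the WPJ certificate label contains the pattern below; verify it
# against a known-registered Mac before relying on it for Smart Group criteria.
WPJ_PATTERN="MS-ORGANIZATION-ACCESS"

# Classify raw `security find-certificate -a -p` output (PEM blocks, one per
# matching certificate). Pure text processing so it can be exercised anywhere:
# returns "Registered (N cert)" or "Not registered".
classify_wpj_output() {
    count=$(printf '%s\n' "$1" | grep -c 'BEGIN CERTIFICATE' || true)
    if [ "$count" -gt 0 ]; then
        echo "Registered ($count cert)"
    else
        echo "Not registered"
    fi
}

# Query one keychain file for WPJ certificates. If the `security` tool or the
# keychain file is missing (e.g. no console user, non-macOS host), treat the
# device as not registered rather than failing the inventory run.
report_wpj_status() {
    keychain="$1"
    raw=""
    if command -v security >/dev/null 2>&1 && [ -f "$keychain" ]; then
        raw=$(security find-certificate -a -p -c "$WPJ_PATTERN" "$keychain" 2>/dev/null || true)
    fi
    classify_wpj_output "$raw"
}

# Entry point for the extension attribute: Jamf Pro expects <result>...</result>.
# Only runs on macOS; the console-user lookup uses standard Jamf idioms.
if [ "$(uname)" = "Darwin" ]; then
    console_user=$(stat -f%Su /dev/console)
    home_dir=$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $2}')
    echo "<result>$(report_wpj_status "$home_dir/Library/Keychains/login.keychain-db")</result>"
fi
```

A Smart Group with the criterion "WPJ Status is not like Registered" then gives you the population that will be prompted to register, and the compliance Smart Group can require the opposite.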

-

Q: Is there a way for an AAD password expire notification to appear as a Jamf Connect icon?

A: Yes! Check out the Password Expiration Warnings info on this page.

-

Q: Will Jamf be doing the same thing as with Microsoft with Google soon?

A: Yes, this is in the works. Check out more info here.

-

If you have any other questions about achieving Microsoft Enterprise Compliance, or have any questions about getting started with Jamf, please reach out to us at info@jamf.com or request a trial today.

Want to learn more?

Get additional details on expanding device compliance to support your enterprise macOS, iOS and iPadOS devices.

Bryce Carlson
Jamf
Technical Support Product Specialist