Comcast's journey to global device compliance and conditional access
Learn how Comcast used a strategic, phased approach that balanced enhanced security with a positive user experience to reach global device compliance.

This JNUC 2025 presentation featured Christopher Palmiotto, Project Manager 4 and Sergio Aviles, Sr. Systems Engineer, both from Comcast. Palmiotto and Aviles shared their multi-year journey to implement device compliance and conditional access across thousands of Mac computers globally.
In their talk, titled “A Year in the Life: Implementing Device Compliance and Conditional Access on a Global Scale,” they detailed a strategic, phased approach that balanced enhanced security with a positive user experience — offering a blueprint for other organizations. They leveraged Jamf Pro, custom self-service tools and deep cross-team collaboration. They successfully navigated the complexities of enterprise-wide security initiatives, achieving over 94% compliance.
Key facts
- The project involved a phased rollout across a fleet of tens of thousands of Mac computers, starting with small, controlled test groups and scaling to general availability.
- Comcast developed a "Compliance Monitor" Self-Service tool to empower users to resolve their own compliance issues, significantly reducing help desk tickets.
- The entire initiative was built on a foundation of data-driven decisions, using Jamf Pro Smart Groups and dashboards to track progress and inform strategy.
Strategic planning and phased rollout
Successfully deploying a complex security initiative like conditional access at a global scale requires methodical planning and a structured rollout.
Discovery and planning
Comcast’s journey began in 2022 with a critical discovery and planning phase, where project leaders established a security baseline and defined the "who, what, when, where, how and why" of the program. This foundational work focused on understanding the user experience and the potential impact of restricting access to enterprise applications on personal or non-compliant devices, a core principle of their Zero-Trust Network Access (ZTNA) strategy.
Alpha phase pilot
The team adopted a formal multi-stage pilot program to mitigate risk and gather feedback before a full-scale deployment. The process began with an alpha phase: testing on a small number of IT-managed Mac computers with varied hardware and macOS versions.
Beta and subsequent phases
Next, a beta phase expanded testing to a group of internal Mac experts and volunteers.
Subsequent phases (Phase 0, 1 and 2) progressively rolled out the changes to the broader IT organization and then to randomized percentages of the general user population.
Each phase included a two-week bake period for feedback, allowing the team to pause and address any critical issues before proceeding. This ensured a smooth transition to general availability for all Mac computers.
Empowering users with compliance tools in Jamf Self Service
A core challenge in any device compliance rollout is managing the user experience when access is blocked. To prevent a surge in help desk tickets and to empower users to resolve issues independently, Comcast’s endpoint team developed a custom "Compliance Monitor" app and offered it in Self Service.
Built using a script that leverages swiftDialog, the tool runs locally on each Mac computer, checking for compliance status every 30 minutes. If a device is found to be non-compliant, a notification appears, guiding the user directly to the solution — whether it's a knowledge base article, a policy in Self Service or an Apple support page for re-enabling System Integrity Protection (SIP).
The importance of Compliance Monitor
This proactive approach was critical because the device compliance integration between Jamf Pro and Microsoft Entra ID lacks native user notifications. Without Compliance Monitor, an employee could be locked out with only a generic Microsoft error page for guidance.
The monitor bridges this gap by providing immediate, actionable feedback. In addition to the automated 30-minute check, the team also provided an on-demand version in Self Service, allowing users to verify their compliance status at any time. This put remediation in the hands of the end user, drastically reducing friction and support overhead.
Data-driven insights and Jamf Smart Groups management
Data was the backbone of Comcast’s compliance strategy, enabling the project team to track progress, identify hotspots and make informed decisions.
Using Jamf Pro, engineers built a comprehensive dashboard with Smart Groups to visualize the compliance status of their entire fleet.
These Smart Groups were cleverly constructed using negative logic — for example, the primary compliance group consisted of devices that were not members of any non-compliant group (e.g., "SIP non-compliant" or "OS not compliant"). This method ensured that any device falling out of compliance was automatically removed from the "all-clear" group.
Gathering the data
To gather the necessary data points, the team wrote several custom extension attributes. These were used to track conditions not natively available in Jamf Pro at the time, such as device registration status with Microsoft Entra ID or the user's default web browser. This rich data allowed for highly targeted user education campaigns.
For instance, they could identify all users with an incomplete registration and proactively send communications to help them resolve the issue before a full conditional access rollout. This data-first approach was essential for managing risk and ensuring the organization was ready for each phase of the deployment.
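To make the mechanics concrete, here is an added example (not Comcast's Compliance Monitor or Jamf's code) that combines the two pieces described above: a local check of the baseline criteria the speakers named (SIP enabled, firewall active, minimum macOS version), whose `<result>` line is the form a Jamf extension attribute returns for Smart Group criteria, and a swiftDialog prompt that points the user at a remediation link when a check fails. The minimum OS version, the KB URLs and the swiftDialog path are assumptions.

```shell
#!/bin/bash
# Constructed example of a local compliance check in the style of Compliance Monitor.
# KB URLs, MIN_OS and the dialog path are assumptions; command paths are standard macOS.
set -u
DIALOG="/usr/local/bin/dialog"                 # swiftDialog binary (assumed path)
MIN_OS="14.0"                                  # assumed minimum macOS version
KB_SIP="https://kb.example.invalid/sip"        # placeholder remediation links
KB_FW="https://kb.example.invalid/firewall"
KB_OS="https://kb.example.invalid/os-update"

# Return 0 when dotted version $1 >= version $2 (numeric per component).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Evaluate raw status strings (testable off-device). Prints failed check names,
# one per line, and returns 1 if any check failed.
evaluate() {   # $1=csrutil output  $2=socketfilterfw output  $3=macOS version
  local rc=0
  case "$1" in "System Integrity Protection status: enabled"*) ;; *) echo "SIP"; rc=1 ;; esac
  case "$2" in *"enabled"*) ;; *) echo "Firewall"; rc=1 ;; esac
  version_ge "$3" "$MIN_OS" || { echo "OS"; rc=1; }
  return "$rc"
}

# Collect live values on a Mac and evaluate them.
gather() {
  evaluate "$(csrutil status 2>/dev/null)" \
           "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
           "$(sw_vers -productVersion 2>/dev/null)"
}

# Map a failed check to the remediation link the dialog should open.
link_for() { case "$1" in SIP) echo "$KB_SIP" ;; Firewall) echo "$KB_FW" ;; OS) echo "$KB_OS" ;; esac; }

main() {
  local failures
  if failures=$(gather); then echo "<result>Compliant</result>"; return 0; fi
  echo "<result>$(printf '%s' "$failures" | tr '\n' ',')</result>"   # e.g. <result>SIP,OS</result>
  if [ -x "$DIALOG" ]; then                      # notify the user only when swiftDialog is installed
    "$DIALOG" --title "Device compliance" \
      --message "This Mac is out of compliance: $(printf '%s' "$failures" | tr '\n' ' ')" \
      --button1text "OK" --infobuttontext "How to fix" \
      --infobuttonaction "$(link_for "$(printf '%s\n' "$failures" | head -n1)")"
  fi
  return 1
}
# Run the live check only where the macOS tools exist (Jamf policy, EA or LaunchDaemon).
command -v csrutil >/dev/null 2>&1 && main
```

Run it from a Jamf policy or a LaunchDaemon with a StartInterval of 1800 seconds for the 30-minute cadence; `evaluate` takes raw status strings so the decision logic can be checked off-device.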
Key takeaways
The journey to enterprise-wide compliance provided several critical lessons for IT and security teams undertaking similar projects.
- First: self-service and automation are essential for scaling security initiatives without overwhelming support teams.
- Second: rich, real-time data is the foundation for effective project management, enabling teams to track progress, mitigate risk and communicate effectively with stakeholders.
- Finally: deep collaboration between project management, endpoint engineering, security and identity teams is non-negotiable. This partnership ensures that technical solutions align with business goals and that user impact is considered at every stage.
Audience questions and answers
This presentation had a lively question-and-answer section that expanded on several parts of the session.
How did you start building your Smart Group for device compliance?
We began with a "negative logic" model, where the main compliant group included devices that were not members of various non-compliant Smart Groups. We started with basic policies inherited from the initial Microsoft Intune integration, such as System Integrity Protection (SIP) enabled, firewall active and a minimum operating system version, and expanded the criteria over time as we identified other essential checks.
What happens when a device is out of compliance? Do users see a landing page?
Yes, users who are blocked by a conditional access policy are directed to the standard Microsoft block page that reads: "Your sign-in was successful, but you can't get here from here." The team decided against a custom landing page to avoid potential user confusion and reduce the risk of phishing attacks.
How were legacy devices or personally owned computers handled if they couldn't be replaced or comply?
We established a formal cyber exceptions process for users with legitimate business or technical reasons for non-compliance. These users had to apply for an exception which, if approved, would exempt them from the policy. This process ensures that all deviations from the security baseline are documented and formally accepted as a manageable risk.
Where in the process did users register their Mac devices and what communications were sent?
For existing devices, a dedicated communications campaign was launched with a hard deadline to drive initial registration. For all new deployments, the registration step is now integrated into the standard setup process, and a "Register my Mac" tool is available in Self Service to simplify the workflow for users.
Could you elaborate on the criteria for the "Entra ID incomplete registration" Smart Group?
That Smart Group was built using a custom extension attribute that checked the local device for a successful registration status. If the script didn't find a "registration complete" value, the device was flagged and added to the "incomplete" group. This helped IT identify and troubleshoot issues like duplicate device records in Microsoft Entra ID or users hitting their device registration limit.
How did you manage your Sited Point of Contact (SPOCK) group for testing?
The SPOCKs were early adopters and testers managed through both communication and technical controls. They participated in a monthly call to stay informed about upcoming projects. Technically, they belonged to a security group in Microsoft Entra ID. A Jamf Pro policy scoped to that group wrote a local file, which was then read by an extension attribute to add the device to a SPOCK Smart Group for targeted testing.