Speaker: Simon Binder, Principal Technical Architect, TruSeq
It’s no secret that Jamf and Apple have a very close relationship. At Jamf we are completely transparent about the fact that we currently assist with management of the complete lifecycle of Apple devices. It’s even in our company mission, “Helping businesses succeed with Apple”. Along with this territory may come the notion that Microsoft is inherently a competitor. After all, the fabled clash of tech giants Apple and Microsoft is a well-known storyline.
But if there was one aspect of Jamf’s keynote that a person should take away, it’s that with each passing day that competition begins to little a little bit more like a partnership in within the enterprise. Apple devices and Mac are making immense strides to immerse themselves into the working world as the preferred devices people want as new workflows streamline and blend the user processes to bring ease, efficiency, and flexibility to each use. So are they really competitors or a match made in the Cloud?
Jamf and Microsoft from an IT perspective
Many people that are tasked with the management and security of Mac are well aware of and used to Jamf Pro, but with the new integrations and partnerships between Apple, Jamf and Microsoft, there are plenty just like Simon who come from a world of Microsoft and managing Mac with Intune wondering when to combine the two. According to Simon, that’s when you are really concerned about the security of your Mac.
There are three platforms to take into account, but the trifecta make a seamless experience:
- Jamf Pro
- Config Manager
- Microsoft Intune
By leveraging all three, you can offer equality in the workplace when it comes to user experience. Your users want the same service, security, and manageability regardless of selecting Mac or Windows. For many, herein lies the challenges.
When you come from a world of Apple or a world of Windows, understanding the otherside and create a number of challenges. Microsoft 365 is the combination of Windows Office and EMS, but you can remove ‘Windows’ and put in the platform you like. It’s about Enterprise Mobility and Security and the focal point of Azure AD. That’s where Microsoft focuses their security posture.
This is because Identity is the key. As a Windows admin, what you really care about is security in a zero-trust environment. Microsoft Intune is not a part of this process to be the better management platform for Mac, it’s there to provide Identity Protection come from a Mac to any applications.
To do this, as a Windows Admin, you need to understand how the Apple ecosystem works. How is it encrypted? How do we ensure that we get anti-malware running? How do we sign into it? Finally, understanding that Microsoft is very enterprise focused, in contrast to Apple who prioritizes that individual user experience — for better or worse.
Jamf Pro and Microsoft Intune
Think about it this way – Jamf Pro is the engine that manages the device and is sending reporting data back to Microsoft Intune. Microsoft Intune is then responsible for looking at that data and determining if the device is compliant or not.
Compliance is what we say it is. We can require settings, complex passwords, encryption, or a state a of sleep after timed inactivity. These compliance settings are the communication point between Microsoft Intune and Jamf Pro. Applying these policies, allows you to know if the device is properly configured or needs action on your part.
Where things differ is the action of associating this state of compliance or non-compliance to a user. Enter Conditional Access. A Microsoft Intune-only feature allowing others to integrate, but the control exists within Intune. With these policies, compliance, and security measures we see the communication between Intune and Jamf Pro forming, the relationship created, and a level of security takes form.
It’s the beauty of this relationship. You can get the full spectrum of management capabilities through Jamf Pro while protecting identities and accesses to the services from your Mac with Microsoft Intune and Azure AD.
Why have this relationship?
We talked a little bit before about this relationship being one that potentially seems out of place when looked at as competitors, but as Simon Binder points out, “macOS is a first-class citizen in an Microsoft environment.” Standardizing on one platform is unnecessary. With integrations like this and the relationship between Jamf and Microsoft, there is no reason not to welcome Mac into your environment with open arms. Even as a Windows Admin, you can make them as secure, as manageable and as integrated as any of your Windows devices.
The conversation is no longer around picking the device type you want to standardize, nor having one ineffective platform to force management all in the same way. These devices. To their core, function differently. The solution is about arming yourself with the best options for each device, for yourself, and letting integrations and relationships like Intune and Jamf’s lead the way.
Binder reassures anyone listening that the goal of Microsoft, of their Intune teams, and their internal goals are always to embrace every operating system and secure them equally. It’s more about offering a platform that gives IT what they need from a security and identity point of view. From there, it is up to you to choose which is best to do your work from.
To end his session, Simon walked us through a demo of creating that connection between Jamf Pro and Intune that is definitely worth the watch. The session is available for replay for this week, and will be placed on Jamf’s website later in October. If you aren’t registered, JNUC registration is STILL open and STILL free!
Get all the JNUC content!
Have you found any negatives with the integration between Jamf and Microsoft? Challenges?
No, not really since Jamf made the integration super easy! The main aspect would be that it may not be used to the full extent and that the configuration as such (in Microsoft Endpoint Manager) can be quiet complex if you have a lot of different requirements for different apps.
Microsoft Endpoint Manager also offers macOS/iOS App Management. Why not use it instead of JAMF?
MEM offers a great experience for managing Apple devices especially for BYOD - where you don't need the full capabilities of Jamf. Jamf still has a lot of superior and more advanced features. So - many of my customers combine MEM and Jamf and the Apple devices that need the more advanced features are managed by Jamf and the "BYOD" or devices where you only require compliance and limited management MEM is a great choice.
Honestly, how effective is the Jamf Pro + Intune configuration at this time? Is it ready for headache-free use or are there true limitations that need to be evaluated?
Today - Conditional Access and Compliance policies with Jamf Pro and MEM works as expected and I have found very few caveats with it. Most of the work with the integration is really on the MEM side, so that hurdle would be to learn that if you haven't worked with Microsofts security and management features previously.
Is it possible to connect Jamf Pro to a Hybrid AzureAD design or does it only work if the AD is not Hybrid and 100% clound based?
From a Microsoft perspective, you can use both Hybrid and Azure AD native configurations. There may be some limitations for Jamf Connect, but for Jamf Pro - the identities should work in the same way - as long as you sync your accounts to Azure AD.
Are there plans to integrate Jamf Pro and Intune more in-depth in the future?
Yes, yesterday's announcement on the iOS integration is a great step on the way. I do foresee more integrations in the future - especially from a security point of view. That is not limited to Microsoft Intune, but to the full M365 stack.
Is this only for checking compliance on MacOS, or will it work with iOS devices as well?
That capability was announced yesterday. So now it's possible to manage compliance on both macOS and iOS using Jamf Pro and Microsoft Intune.
What are best-recommended compliance Policy
Compliance policies are very different from organization to organization. You can read more about it on my blog here: https://www.kneedeepintech.com/the-underestimated-compliance-policy-in-microsoft-intune/ or in the official MS documentation here: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
Is it possible to use if a Mac computer is in Jamf but not AD Bound?
Yes! The computers shouldn't be in AD at all tbh - and you don't need to use Jamf connect integrated with Azure AD either — even if I do recommend it.
If a user has a Smart Phone and Computer - if the computer is non-compliant does the Smart Phone also lose access since it is user-based?
No, its always the combination of the user and the device that is being evaluated for compliance. So if your mac is non-compliant and your iPhone is compliant you can connect from the phone but not from the computer. However, if you user is non-compliant (which is a feature in Azure AD) you cant connect from any device.
We are looking to migrate from SCCM/Config Manager to Intune in the next budgetary year. If we are not using AAD federation for SaaS authentication/gatekeeping, is there a good use-case for integrating with Jamf Pro?
It depends, if you use Office 365 then there are definitely a lot of value with the integration. But the value increases with the amount of Azure AD integrated apps you have an want to protect.
Does MAM work with macOS as it does with iOS/iPadOS?
No, currently there are limited device-based data protection capabilities for macOS - but there are solutions in development, and I would advise you to look into Microsoft Cloud App Security to enable a better data protection environment on your Macs - if you are using Office 365.