Jamf and Microsoft Entra ID Conditional Access

Microsoft Entra ID Conditional Access policies improve your organization's security posture by enforcing protections dynamically, at sign-in, for your cloud apps and services. It is critical to understand not just how Conditional Access policies work but also how they integrate with Jamf: configured correctly, the integration achieves and maintains proper security coverage; misconfigured, it leaves gaps in coverage or a poor end-user experience.

September 20 2023 by Jesus Vigo

In this session, learn the best practices for integrating the Jamf suite of products with Microsoft Entra ID to make sure your resources are accessed only by your managed devices. Presented by:

  • Michael Epping, Microsoft
  • Mark Morowczynski, Microsoft
  • Sean Rabbit, Jamf

What is conditional access?

In a nutshell, conditional access, or CA for short, is a policy engine that strengthens your organization's security posture by applying zero-trust principles to your cloud apps and services: each sign-in is evaluated against signals such as the user, the device and its compliance state, the location and the application being requested, and access is then granted, blocked or made conditional on additional controls.

Customers who rely on Microsoft for identity and access solutions might know it by its former name, Azure Active Directory (AAD). Morowczynski explains that Entra ID is the comprehensive Identity as a Service (IDaaS) solution from Microsoft and recaps the different features included alongside conditional access, such as:

  • Single Sign-On (SSO)
  • Provisioning
  • Governance
  • Passwordless

A common use of CA is a policy, configured by IT, that limits access to protected apps from devices that do not meet minimum endpoint health requirements. For example, suppose your organization uses cloud-based file storage for collaboration between employees. To limit network-based risk, a policy requires that any device requesting data from the service connects through Zero Trust Network Access (ZTNA). The policy enforces this by checking the endpoint's reported state: if ZTNA is verified as enabled, the user is granted access to the requested resource. If ZTNA is absent, or its state cannot be verified for any reason, the CA policy redirects the request to, say, a web page that directs the user to enable ZTNA or to install the agent for their device type.
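To make the grant / redirect logic above concrete, here is a small policy evaluator. It is an added example, not Jamf's or Microsoft's code: the policy is constructed in the shape of a Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls with builtInControls such as compliantDevice, mfa and block), but the evaluation loop is a local simplification of what Entra ID does at sign-in, and the Jamf side is reduced to one assumed is_compliant flag standing in for the compliance state Jamf Pro reports to Entra ID. Group, app and device identifiers are placeholders, not real tenant GUIDs, and the "remediate" outcome models the redirect-to-remediation-page behaviour described in the text.

```python
"""Simplified Conditional Access evaluator (added example, not Jamf/Microsoft code)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy in the shape of a Graph `conditionalAccessPolicy`.
# Identifiers below are placeholders (assumed), not real object IDs.
POLICY = {
    "displayName": "Require compliant macOS device for file storage",
    "state": "enabled",  # also: "enabledForReportingButNotEnforced", "disabled"
    "conditions": {
        "users": {
            "includeGroups": ["grp-all-staff"],
            "excludeGroups": ["grp-break-glass"],
        },
        "applications": {"includeApplications": ["app-file-storage"]},
        "platforms": {"includePlatforms": ["macOS"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


@dataclass
class SignIn:
    """Constructed sign-in context; the signals Entra ID would evaluate."""
    user: str
    groups: List[str]
    app: str
    platform: str
    device_id: str = ""
    is_registered: bool = False   # device known to Entra ID at all
    is_compliant: bool = False    # assumed: compliance state reported by Jamf Pro
    mfa_satisfied: bool = False


def policy_applies(policy: Dict, s: SignIn) -> bool:
    """Scope check: does this sign-in fall under the policy's conditions?"""
    c = policy["conditions"]
    users = c.get("users", {})
    if set(users.get("excludeGroups", [])) & set(s.groups):
        return False  # exclusions win, e.g. break-glass accounts
    if not (set(users.get("includeGroups", [])) & set(s.groups)):
        return False
    apps = c.get("applications", {}).get("includeApplications", [])
    if "All" not in apps and s.app not in apps:
        return False
    plats = c.get("platforms", {}).get("includePlatforms", [])
    if plats and "all" not in plats and s.platform not in plats:
        return False
    return True


def control_satisfied(control: str, s: SignIn) -> bool:
    """Evaluate one built-in grant control against the sign-in signals."""
    return {
        # "cannot be verified for any reason" (unregistered device) fails too
        "compliantDevice": s.is_registered and s.is_compliant,
        "mfa": s.mfa_satisfied,
        "block": False,
    }.get(control, False)


def evaluate(policy: Dict, s: SignIn) -> str:
    """Return 'grant', 'block', 'remediate', 'challenge' or 'report-only (...)'."""
    if policy["state"] == "disabled" or not policy_applies(policy, s):
        return "grant"  # this policy makes no decision; others may still apply
    gc = policy["grantControls"]
    controls = gc["builtInControls"]
    if "block" in controls:
        decision = "block"
    else:
        results = {c: control_satisfied(c, s) for c in controls}
        op = gc.get("operator", "AND")
        ok = any(results.values()) if op == "OR" else all(results.values())
        if ok:
            decision = "grant"
        elif "mfa" in results and not results["mfa"]:
            decision = "challenge"   # user can still satisfy this interactively
        elif "compliantDevice" in results and not results["compliantDevice"]:
            decision = "remediate"   # redirect to the remediation page
        else:
            decision = "block"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return f"report-only ({decision})"  # logged, never enforced
    return decision


if __name__ == "__main__":
    healthy = SignIn("alice", ["grp-all-staff"], "app-file-storage", "macOS",
                     "mac-1", is_registered=True, is_compliant=True)
    unmanaged = SignIn("bob", ["grp-all-staff"], "app-file-storage", "macOS")
    print(evaluate(POLICY, healthy), evaluate(POLICY, unmanaged))
```

Two points worth noticing when reading the outcomes: a device that is simply unknown to Entra ID gets the same remediate outcome as a registered but non-compliant one, which is the "cannot be verified for any reason" case from the text, and a policy left in report-only state never enforces anything, which is a common source of the coverage gaps the page warns about.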

Jamf and CA

Microsoft is one of Jamf's largest partners. Jamf Pro's integration capability lets third-party apps and services extend its management abilities while giving those services seamless access to Jamf's flagship device management platform. The result is a win-win for customers that merges the best of both worlds without compromising on security or management.

Rabbit explains how this integration works, points to resources that help MacAdmins along their integration path, and walks the audience from the initial setup process through a demo showing how the two solutions work in tandem.

Following the demo, Epping discusses how to deploy Microsoft Entra ID and Jamf Connect to handle:

  • Identity
  • Access
  • User permissions
  • Security protections

He also reviews some common pitfalls that might affect certain organizations and what to look out for to side-step these issues for a smooth, stress-free deployment.

Register for JNUC to access this and other sessions.
