Jamf / Intune conditional access - encryption problem

George-x_chan
New Contributor III

Hello,

We have successfully deployed Jamf / Intune conditional access to around 110 machines but it seems a couple of machines are failing the encryption policy in Intune although it's showing correctly in Jamf.

I have updated inventory on the machines a couple of times and both times it has updated the check in within Intune.

Attached are screenshots of the issue.

Just to give context on how we achieved the deployment: we have 2 configuration profiles installed on the machines (for 10.13, above and below) and a policy which launches Company Portal so the machines can register into Intune.

Any help would be appreciated

Thanks
George.


ThijsX
Valued Contributor

@George-x.chan We currently have 550 +- devices successfully registered in Intune, and the issue you mention also occurs sometimes in our organisation.

Mostly, this happens when an external disk or a Recovery / Preboot volume is mounted and listed in the disk encryption overview.
Jamf then reports "Boot disk encrypted" and it looks like Intune does not always like this.

So till this bug has been fixed, I created a Self Service item for the users that they can trigger. You can place this in a category "Device compliance remediation", for instance.

Self Service script

#!/bin/bash
# bash is required: the [[ ... =~ ... ]] tests below are not available in /bin/sh.

# mount(8) prints "/dev/diskXsY on /Volumes/Name (...)", so field 3 is the mount point.
# The mount point is matched exactly so that e.g. /System/Volumes/Preboot is left alone.
preboot_mount=$(mount | awk '$2 == "on" && $3 == "/Volumes/Preboot" { print $3 }')
recovery_mount=$(mount | awk '$2 == "on" && $3 == "/Volumes/Recovery" { print $3 }')

# Check if Preboot volume is mounted
if [[ $preboot_mount =~ "Preboot" ]] ; then
    echo "Preboot volume is mounted, going to unmount"
    # Unmount by mount point; the original passed the literal string disk2s2 instead of the variable.
    diskutil unmount "$preboot_mount"
else
    echo "Preboot volume is not mounted"
fi

# Check if Recovery volume is mounted
if [[ $recovery_mount =~ "Recovery" ]] ; then
    echo "Recovery volume is mounted, going to unmount"
    diskutil unmount "$recovery_mount"
else
    echo "Recovery volume is not mounted"
fi

# Recon to update inventory and send info to AAD.
/usr/local/bin/jamf recon

exit 0
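The same remediation idea as an added example (this is not ThijsX's Self Service script and not Jamf or Microsoft code): the mount(8) parsing is separated into functions so it can be checked against constructed output before it unmounts anything on a real Mac, and the match is anchored so that only a volume mounted at exactly /Volumes/Preboot or /Volumes/Recovery is touched. All device names and the sample mount lines are constructed for illustration; DRY_RUN and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not the Self Service script from the post above): the Preboot/Recovery
# remediation split into functions so the mount(8) parsing can be checked offline
# against constructed output before it touches a real disk.
# Every device and volume named below is constructed for illustration.

# Constructed sample of `mount` output. It deliberately contains the two cases a loose
# `grep /Volumes/Preboot` gets wrong: the live system Preboot under /System/Volumes
# (10.15 and later) and a user volume whose name merely starts with "Preboot".
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /Volumes/Recovery (apfs, local, journaled, nobrowse)
/dev/disk2s2 on /Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s1 on /Volumes/Preboot Backup (apfs, local, journaled)
/dev/disk4s1 on /Volumes/USB (exfat, local, nodev, nosuid, noowners)'

# Read mount(8) output on stdin and print "<device> <mountpoint>" for every volume
# mounted at exactly /Volumes/Preboot or /Volumes/Recovery. The pattern is anchored on
# " on /Volumes/<name> (" so neither /System/Volumes/Preboot nor "/Volumes/Preboot Backup"
# matches. RSTART points at the leading space, so skip " on " (4) and drop " (" (2).
extra_system_volumes() {
  awk 'match($0, / on \/Volumes\/(Preboot|Recovery) \(/) {
         print $1, substr($0, RSTART + 4, RLENGTH - 6)
       }'
}

# Print the device backing "/" from mount(8) output on stdin: this is the volume whose
# FileVault state actually matters for the encryption compliance policy.
boot_volume_device() {
  awk '$2 == "on" && $3 == "/" { print $1; exit }'
}

# Unmount every extra volume found on the live system. With DRY_RUN=1 the diskutil
# commands are printed instead of run, which is how the parsing is checked on a test Mac.
remediate_extra_volumes() {
  mount | extra_system_volumes | while read -r dev mp; do
    echo "Found $dev mounted at $mp"
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would run: diskutil unmount \"$mp\""
    else
      diskutil unmount "$mp" || echo "unmount of $mp failed, leaving it for the next run" >&2
    fi
  done
}

main() {
  if ! command -v diskutil >/dev/null 2>&1; then
    echo "diskutil not found; the remediation itself only runs on macOS" >&2
    return 0
  fi
  remediate_extra_volumes
  echo "Boot volume: $(mount | boot_volume_device)"
  # Log the boot volume's FileVault state next to what Jamf is about to report.
  fdesetup status
  # Recon so the corrected encryption state reaches Jamf and then Azure AD / Intune.
  if [ -x /usr/local/bin/jamf ]; then
    /usr/local/bin/jamf recon
  fi
}

main "$@"
```

Run it once with DRY_RUN=1 on a machine that shows the problem to confirm that only the stray /Volumes/Preboot or /Volumes/Recovery mounts are listed before letting it unmount anything.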

George-x_chan
New Contributor III

Thanks @txhaflaire - I will give this a try :)

By the way, have you had many issues with the Jamf / Intune integration overall? It seems like we're encountering various issues and there isn't much help online.

Thanks
George.