Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

Jamf - Conditional access - Just a nightmare?

I would like to know if I am the only one who has issues with conditional access and Jamf integration.

All the time I'm seeing issues like:
Outlook asks for login and, when logged in, it asks for enrollment (even though the Mac is already enrolled with Jamf).
Clients just randomly disappear inside Intune -> Azure AD devices. So conditional access will then of course fail when they don't exist, and they need to run Company Portal registration again.

Does anyone experience the same random behavior with these issues? I could understand it if all clients failed, since that would mean something was set up wrong. But here we are talking about 10-15% of clients that are randomly hit by this without any pattern, other than users being really pi.... off when they see this issue.

SOLVED Posted: by Stevie

Yes, we had the same problem for months, which stopped us rolling out Office 365. It turned out in our case that our InfoSec team had decided to start inspecting the SSL certs from Microsoft, which would randomly break clients. Once we stopped them inspecting the traffic, our problems disappeared.

Also, if you are using Zscaler, which we are, then tenant restrictions do not currently work and have to be turned off. This issue is being investigated by Zscaler, with a fix to be rolled out during their next release.

SOLVED Posted: by jameson

When checking devices in Azure, lots of clients have no activity for several days/weeks. And at a certain point it seems that when they have no activity in Azure they are just kicked out and fail conditional access, even though the client is listed in Azure.

SOLVED Posted: by txhaflaire

@jameson Hi

We currently have +- 600 managed macOS devices in Jamf Pro, which have also been registered in Microsoft Intune for a while, and all was working fine.
Until... last month we upgraded to Jamf Pro 10.14, where a new "Cache" functionality was introduced for the JamfAAD binary.

Now we are hitting the following issue:
A (mobile account, AD, FV enabled) user changes their password on their device through NoMAD / System Preferences, and after a couple of hours loses their entry in Intune; Conditional Access then fails, so the user is kicked out of their resources.

The workaround for now is that the user registers the device again... but then we hit a prompt in JamfAAD that says the credentials are invalid. When you choose "Sign in with other account" with the same creds, all is good for the next 90 days until the password hits expiration.

Jamf Support is working on this, but it is hard for them to replicate; they have mentioned, though, that another customer has reported the same issue.

But maybe this support article can be useful for you?

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-issues-with-macOS-devices-when-using/ba-p/462912

SOLVED Posted: by jameson

Exactly - that is also a new one that I have met, where the password is reported as invalid (even though the password is correct). But signing in with a different account solves it for some reason.

The strange thing is that even when I disable conditional access for users, their Macs still have problems connecting to mail and need to register again, etc.

SOLVED Posted: by txhaflaire

@frederick.abeloos Regarding ticket JAMF-0741561

SOLVED Posted: by jameson

To keep clients communicating, do you have to run this daily: /usr/local/jamf/bin/jamfAAD gatherAADInfo
It seems that this is the trick, but I don't know if anyone else is using this?

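The post above suggests running jamfAAD gatherAADInfo on a daily schedule. Below is an added example of a wrapper script for that, written for this page and not taken from the thread or from Jamf. It uses the binary path quoted in the post; everything else is an assumption: that the command should be run in the context of the logged-in console user (hence the launchctl asuser / sudo -u switch), and the log file location. The point of wrapping the one-liner is that a scheduled run which silently fails (no user logged in, binary missing, non-zero exit) is exactly what makes the "random" Intune drop-offs hard to spot, so each outcome is written to a log an admin can check.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): wrapper around
# "jamfAAD gatherAADInfo", intended to be scheduled daily, e.g. as a Jamf
# policy script. Assumption: the command should run as the logged-in console
# user, so the script switches to that user before invoking it.

JAMFAAD_BIN="${JAMFAAD_BIN:-/usr/local/jamf/bin/jamfAAD}"   # path quoted in the thread
LOG_FILE="${LOG_FILE:-/var/log/jamfaad-gather.log}"          # assumed log location

log_line() {
    # Timestamped line so repeated scheduled runs leave a readable history
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$LOG_FILE"
}

# Prints the console user's name, or nothing when no real user is logged in
# (macOS only: reads the owner of /dev/console).
console_user() {
    u=$(stat -f %Su /dev/console 2>/dev/null)
    case "$u" in
        ""|root|loginwindow|_mbsetupuser) printf '' ;;
        *) printf '%s' "$u" ;;
    esac
}

# run_gather BIN USER: runs "BIN gatherAADInfo" as USER and returns
#   0  command succeeded
#   1  command ran but exited non-zero
#   2  BIN is missing or not executable
#   3  USER is empty (nobody logged in), so the run is skipped
#   4  USER does not resolve to a uid
# Every outcome is logged so a failing scheduled run is visible, not silent.
run_gather() {
    bin="$1"; user="$2"
    if [ ! -x "$bin" ]; then
        log_line "jamfAAD not found at $bin"
        return 2
    fi
    if [ -z "$user" ]; then
        log_line "no console user logged in; skipping gatherAADInfo"
        return 3
    fi
    uid=$(id -u "$user" 2>/dev/null) || { log_line "unknown user $user"; return 4; }
    if launchctl asuser "$uid" sudo -u "$user" "$bin" gatherAADInfo >> "$LOG_FILE" 2>&1; then
        log_line "gatherAADInfo succeeded for $user"
        return 0
    else
        rc=$?
        log_line "gatherAADInfo failed for $user (exit $rc)"
        return 1
    fi
fi_guard=1
}

# Only a macOS host runs the real command; set JAMFAAD_NO_RUN=1 to load the
# functions without running them (e.g. for testing with a stub binary).
if [ "$(uname)" = "Darwin" ] && [ -z "$JAMFAAD_NO_RUN" ]; then
    run_gather "$JAMFAAD_BIN" "$(console_user)"
fi
```

Deploy it as the script of a daily-recurring policy and review the log file for "skipping" and "failed" lines: a client that keeps skipping (no console user at run time) or failing is one that is not refreshing its Azure AD record, and those are the clients that later disappear from Intune as described earlier in the thread.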
SOLVED Posted: by mrowell

@jameson Check your Devices - Device cleanup rules in Intune. Devices that haven't contacted Intune can be automatically removed after a number of days.
