So, time to get that done!Checked the link, which suggested that there should be links for 3 downloads. Be more productive Find the feature you need fast and create documents more easily One thing which has been around for quite some time now, and stayed way to long on my blog-to-do list is: Integrate Microsoft Azure Intune in Jamf Pro. For Mac computers, the client certificate requirements are as follows:Start quickly with the most recent versions of Word, Excel, PowerPoint, Outlook, OneNote and OneDrive combining the familiarity of Office and the unique Mac features you love. Much like native mode in Configuration Manager 2007 and the client-server PKI connections in System Center 2012 Configuration Manager, you can use any PKI deployment to deploy the certificate for Mac computers if it adheres to our documented certificate requirements.Azure Site Recovery Keep your business running with built-in disaster recovery service. Goal of this blog is to go through Microsoft’s tech article which you can find here and achieve macOS compliance goals as discussed here.Discover, assess, right-size and migrate your on-prem VMs to Azure. Note Everything in this chapter is tested on macOS, Windows Subsystem for. Have no experience with GO, installed Go and added one by one the respective dependencies.Develop, maintain, and automate applications on the Azure cloud platform. But there are no links, so I attempted to build it myself.
Bak file using Azure Data Studio. Let’s go and see if we can identify any roadblocks or gotcha’s while doing so.SQL Server on Mac Copy file from Host to Docker Step by step tutorial for restoring a SQL Server. Data Box Appliances and solutions for data transfer to Azure and edge compute. Here you can already copy the ‘Application Client ID’, which we’ll need to add in a couple of other places later. Here we’ll need to create an app, which Jamf Pro will connect to, and grant Jamf Pro access to provide inventory information about the devices.To create the app, go to: Azure > App Registrations and click ‘New Registration’.Give the app a name, select “Accounts in this Organizational Directory only” as supported account types, and add your Jamf Pro URL as a ‘Web’ URI (Full URL in the format of Click Register, and you’ll be brought to the overview page of your new app. We’ll come to that below.Let’s start on the Azure side of things. Instead we need to create a SELF SERVICE policy which triggers the Company Portal to run, followed by some additional configs. Just download the pkg from the link in the pre-reqs, upload it to your Distribution Point, and create a policy to deploy and install it to your devices.But, important to know is that, in order to register the devices correctly in Intune, the Company Portal should NOT be executed manually. ![]() Azure Copy Registration And SettingsYou really can only have one permission active for this Intune integration to work.Once you removed all permissions, click on ‘Add permission’ and select Intune:And ONLY select ‘update_device_attributes’:Once you added the permission, don’t forget to click on ‘Grant admin consent for …’ to avoid end users being presented by any such prompt later.That’s it for the app registration and settings.Next, we said we don’t need to assign any user to this Jamf app, but we obviously do need to assign Intune licenses to our users of course. Go to API Permissions, and first REMOVE all API permissions which are present by default. Not a big deal, but just so you know.Next we need to fix some permissions. If you forgot to write it down somewhere, you will need to create a new one. As you can see below, you can't retrieve the secret later. Set up network for mac virtualbox for windows 10Next, and this is an important step which is not well documented in the Microsoft guide, you must click on ‘Open administrator consent URL’ to finalise the setup! This will bring up an Azure login prompt on which you need to authenticate with your Azure admin account, and grant the required permission for the Jamf Native macOS Connector (part of Jamf Pro authenticating to Azure).Once this is done, you can test the communication between Jamf Pro and Intune by hitting the ‘Run test’ button. Because we already configured the API permission, the only thing left to do, is to copy paste our Jamf app client ID (which we copied to our temporary notes earlier) and hit save!This is actually everything we had to do in Azure to make an integration with Jamf Pro possible!To finalise the integration config between Jamf Pro and Azure Intune, go to Jamf Pro Settings > Global Management > Conditional Access.1) the domain name of our Azure Tenant (your actualy Domain name if you have a premium domain name configure in Azure, or something like mydomain.onmicrosoft.com if you don’t)2) the application client ID of the app we created in Azure3) our Azure app secret which of course we nicely wrote down as well :-), which in Jamf Pro is referred to as ‘application key’.Once all the info is there, hit save. For this we go to Microsoft Intune > Device Compliance > Partner device management. We already have the app ready, now we have to tell Intune to actually integrate with Jamf Pro. To fix this, go to the user account, and give the user a location in it’s profile:Now, to finish our setup in Azure, before we head over to the Jamf Pro settings, there is one more thing to do: enable the integration with Jamf Pro in Azure. ![]() If you want you can even select the ‘Include the policy in the Device Compliance category’ which is automatically created for you since you integrated Jamf Pro with Intune:Presuming our device already executed the policy to install the ‘Company Portal’, the end user now needs to run Self Service and execute our Intune policy to register the device:The first thing that will happen is, the ‘Company Portal’ launching (hence the need of deploying that first □ ). Done!Don’t forget to configure the Self Service tab to your liking. This payload is just a matter of enabling a tick box, adding it to Self Service and scoping our policy to the required devices. Just create a new policy, do NOT set any trigger, set the frequency to ‘ongoing’ and add the ‘macOS Intune Integration’ payload. To do that Jamf Pro needs the AAD ID of the device.What follows is another authentication run against Azure (and ADFS in my scenario)…But also a prompt asking for access to a Microsoft key stored in the ‘login keychain’. Remember, it is Jamf Pro sending inventory information to Intune, not the device itself. After clicking ‘done’ at the ‘All set’ screen, the Self Service policy will then throw another Microsoft prompt and ask the end user to authenticate again! Yes, a bit annoying from an end user experience, but that’s how it is.The reason for this is that the jamfAAD agent will grab the AAD Device ID from Azure, and add that to the Jamf Pro inventory. For that, a little bit of extra magic is needed. But in case you were wondering, all works fine with ADFS □The ‘Company Portal’ will then call some resources and register the device into Azure!All set? Well, not really! Far from that actually, because at this point the devices might indeed have been added to Azure AD, but the link to the inventory record in Jamf Pro has not been established yet. In a pure Azure environment, you would just be presented with a normal Azure authentication screen. This is expected and necessary.Once this is done, the device will show up, both in Azure AD Devices, as in ‘All devices’ in Intune, ready to be assessed as compliant or not:Now, in one of my first test runs while writing this post, my device only showed up under ‘Azure AD devices’.
0 Comments
Leave a Reply. |
AuthorRachel ArchivesCategories |