Wednesday, 29 May 2024
Technology

Manually Integrate Jamf Pro with Intune for Compliance

Microsoft Intune offers the capability to integrate your Jamf Pro deployment, which brings device compliance and Conditional Access policies to your macOS devices. This integration allows you to ensure that your macOS devices, managed by Jamf Pro, meet your Intune device compliance requirements before accessing your organization’s resources. With the combination of Intune’s compliance engine and intelligence about the device user’s Microsoft Entra identity, enforcement through Conditional Access is possible. This article provides a step-by-step guide on how to manually integrate Jamf Pro with Intune.


Prerequisites

Products and Services

To configure Conditional Access with Jamf Pro, the following are necessary:

  • Jamf Pro 10.1.0 or later
  • Microsoft Intune and Microsoft Entra ID P1 licenses (recommended Microsoft Enterprise Mobility + Security license bundle)
  • Global admin role in Microsoft Entra ID
  • A user with Microsoft Intune Integration privileges in Jamf Pro
  • Company Portal app for macOS
  • macOS devices with OS X 10.12 Yosemite or later

Network Ports

To ensure proper integration, the following network ports must be accessible for Jamf and Intune:

  • Intune: Port 443
  • Apple: Ports 2195, 2196, and 5223 (push notifications to Intune)
  • Jamf: Ports 80 and 5223

Additionally, for APNS (Apple Push Notification Service) to function correctly, outgoing connections and redirects from the Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks must be enabled. Ports 2195 and 2196 from Jamf Pro servers should also be allowed.


Connect Intune to Jamf Pro

To establish the connection between Intune and Jamf Pro, follow these steps:

  1. Create a new application in Azure.
  2. Enable Intune to integrate with Jamf Pro.
  3. Configure Conditional Access in Jamf Pro.

Create an Application in Microsoft Entra ID

In the Azure portal, go to Microsoft Entra ID > App Registrations, and select New registration. On the Register an application page, provide the necessary details such as the name, supported account types, and redirect URI. Register the application and record the Application (client) ID for later use. Then, create a new client secret and grant permissions required for updating device attributes. Ensure that the API permissions only include the update_device_attributes permission.
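The same registration performed with the Microsoft Graph PowerShell SDK, as an added example rather than anything from the article; it also checks that the app requests nothing beyond update_device_attributes. The display name, redirect URI and the Intune API resource app ID are assumptions to verify in your tenant.

```powershell
# Added example (not from the article): register the Entra app Jamf Pro will use,
# requesting only the delegated Intune update_device_attributes permission.
# Requires the Microsoft.Graph SDK; run as a Global Administrator.
# ASSUMPTIONS: display name, redirect URI, and the resource app ID below
# (c161e42e-d4df-4a3d-9b42-e7a3c31f59d4 is the well-known "Microsoft Intune API"
# service principal; confirm it in your own tenant before relying on it).

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$displayName    = 'Jamf Pro Conditional Access'   # assumption
$redirectUri    = 'https://jamf.example.com/'     # placeholder, not the article's value
$intuneApiAppId = 'c161e42e-d4df-4a3d-9b42-e7a3c31f59d4'

# Resolve the permission by name instead of hard-coding its GUID.
$intuneSp = Get-MgServicePrincipal -Filter "appId eq '$intuneApiAppId'"
$scope = $intuneSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq 'update_device_attributes' }
if (-not $scope) { throw 'update_device_attributes scope not found on the Intune API principal' }

# Single-tenant app with exactly one delegated (Scope) permission.
$requiredAccess = @{
    ResourceAppId  = $intuneApiAppId
    ResourceAccess = @(@{ Id = $scope.Id; Type = 'Scope' })
}
$app = New-MgApplication -DisplayName $displayName `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($redirectUri) } `
    -RequiredResourceAccess @($requiredAccess)

# Client secret: Jamf Pro stores it, so keep the lifetime short and plan rotation.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Jamf Pro integration'
    EndDateTime = (Get-Date).AddMonths(6)
}

# Verification: the app must request nothing beyond update_device_attributes.
$requested = (Get-MgApplication -ApplicationId $app.Id).RequiredResourceAccess.ResourceAccess
if ($requested.Count -ne 1 -or $requested[0].Id -ne $scope.Id) {
    throw 'App requests more than the single update_device_attributes permission'
}

Write-Host "Application (client) ID: $($app.AppId)"
Write-Host "Client secret (shown once, record it now): $($secret.SecretText)"
Write-Host "Admin consent URL: https://login.microsoftonline.com/$((Get-MgContext).TenantId)/adminconsent?client_id=$($app.AppId)"
```

The Application (client) ID and secret printed at the end are the values pasted into Intune and Jamf Pro in the following steps.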

Enable Intune Integration with Jamf Pro

Sign in to the Microsoft Intune admin center and navigate to Tenant administration > Connectors and tokens > Partner device management. Paste the Application ID from the previous step into the Specify the Microsoft Entra App ID for Jamf field and save the settings.

Configure Microsoft Intune Integration in Jamf Pro

In the Jamf Pro console, open Global Management > Conditional Access and select Edit on the macOS Intune Integration tab. Enable Intune Integration for macOS and choose Manual as the connection type. Provide the Sovereign Cloud location, open the administrator consent URL, and enter the Microsoft Entra tenant name, application ID, and client secret. Save the settings; Jamf Pro then tests the configuration and reports whether the connection succeeded.

Set up Compliance Policies and Register Devices

After successfully configuring integration between Intune and Jamf Pro, you need to apply compliance policies to Jamf-managed devices.


Disconnect Jamf Pro and Intune

If necessary, you can remove the integration between Jamf Pro and Intune using one of the following methods:

Deprovision Jamf Pro from within the Microsoft Intune admin center

In the Microsoft Intune admin center, go to Tenant administration > Connectors and tokens > Partner device management. Select the Terminate option to remove the integration, then refresh the view to see the updated status.

Deprovision Jamf Pro from within the Jamf Pro console

In the Jamf Pro console, go to Global Management > Conditional Access and select Edit. Clear the Enable Intune Integration for macOS checkbox, save the settings, and verify the termination status in the Microsoft Intune admin center.

Frequently Asked Questions

  • Q: What are the prerequisites for integrating Jamf Pro with Intune?
    A: The prerequisites include Jamf Pro 10.1.0 or later, Microsoft Intune and Microsoft Entra ID P1 licenses, a global admin role in Microsoft Entra ID, a user with Microsoft Intune Integration privileges in Jamf Pro, Company Portal app for macOS, and macOS devices with OS X 10.12 Yosemite or later.

  • Q: Which network ports are required for integration?
    A: The required network ports are Intune: Port 443, Apple: Ports 2195, 2196, and 5223, and Jamf: Ports 80 and 5223.

  • Q: How do I disconnect Jamf Pro from Intune?
    A: You can disconnect Jamf Pro from Intune by using either the Microsoft Intune admin center or the Jamf Pro console. Follow the provided steps for each method.


Conclusion

By manually integrating Jamf Pro with Intune, you can ensure device compliance and enforce Conditional Access policies for your macOS devices. This integration allows you to protect your organization’s resources and securely manage your devices. Follow the steps outlined in this article to successfully configure the integration and enjoy the benefits of enhanced security and control.