Let’s Get Conditional - Enterprise Applications Explained

This is the first of a multi-part series about the macOS Intune and Azure AD integration for inventory data and Conditional Access with Jamf Pro.

The topic of this post is explaining the Enterprise Applications used by the integration to make it function.

TL;DR: Two apps. One used server side only, and one used client side only.

First we will cover the Manual integration. The Manual connection has been around since this integration first became publicly available in Jamf Pro 10.1.0, and it has been revised many times since then. The Manual connection is a direct connection from the Jamf Pro server through an Enterprise Application, paired with a secondary Enterprise Application that the jamfAAD binary uses client side to gather and verify the AAD ID from the device registration in the WPJ (Workplace Join). The Manual connection is created via the App registrations feature in Azure AD together with a button in the Jamf Pro settings UI.

Manual connection:

  • Manually created app for Intune device attribute update - Used server side only for the data post

  • Jamf Native macOS Connector - Used client side only for gathering the AAD ID from the device registration and verifying the WPJ key made during registration. This app is created via the Open administrator consent URL button in the Jamf Pro settings.

Here we see the two Enterprise Applications for the Manual connection option in the All applications blade in Azure AD.

Here we see the settings page for the Manual connection, and the Open administrator consent URL button that is used to create the Jamf Native macOS Connector automatically as part of the Manual connection setup.

Starting with Jamf Pro v10.18.0 an additional way to communicate with Azure AD was introduced: the Cloud Connector. This method uses a service hosted within Jamf Cloud as a broker, so that more than one Jamf Pro instance can connect to a single Azure AD tenant for device registration and compliance evaluation. The Cloud Connector setup is much less involved than the Manual connection. A setup process walks the admin through creating the two Enterprise Applications; the admin running it must hold Azure AD administrator rights sufficient to grant admin consent, or the process cannot complete. Note: To use the Cloud Connector, your Jamf Pro environment must be hosted in Jamf Cloud.

Cloud Connector connection:

  • Cloud Connector - App for Intune device attribute update - Used server side only for the data post

  • Cloud Connector user registration app - Used client side only for gathering the AAD ID from the device registration and verifying the WPJ key made during registration

Here we see the two Enterprise Applications for the Cloud Connector option in the All applications blade in Azure AD.

Here we see the settings page for the Cloud Connector connection. The other fields from the Manual connection are gone because they are no longer needed; the setup process takes care of them automatically.
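Whichever connection type is in use, the split is the same: the server-side app posts device attributes as an application, and the client-side app is what the user signs in to during registration. A quick way to confirm a tenant actually looks like that is to pull both service principals from Microsoft Graph and compare their application permissions (appRoleAssignments) with their delegated consents (oauth2PermissionGrants). The script below is an added example for this post, not Jamf's or Microsoft's code. It assumes a Graph bearer token with Application.Read.All in the GRAPH_TOKEN environment variable, uses the Cloud Connector and Jamf Native macOS Connector display names quoted above, takes the admin-chosen name of the Manual server-side app from JAMF_MANUAL_APP_NAME (the default shown is hypothetical), and treats "server side = application permissions only, client side = delegated permissions only" as the expectation to check, which is an interpretation of the post rather than something the post states.

```python
"""Audit the two Jamf/Intune Enterprise Applications in an Azure AD tenant.

Added example, not Jamf's or Microsoft's code. Graph calls assume a bearer
token with Application.Read.All in GRAPH_TOKEN. The Manual server-side app
name is admin-chosen, so it comes from JAMF_MANUAL_APP_NAME (hypothetical
default). The application-only / delegated-only expectation is an assumption
drawn from the server-side vs client-side split described in the post.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Display names as they appear in the Enterprise Applications blade.
CLOUD_CONNECTOR = {
    "server": "Cloud Connector - App for Intune device attribute update",
    "client": "Cloud Connector user registration app",
}
MANUAL_CLIENT = "Jamf Native macOS Connector"


def graph_get(path, token):
    """GET a Graph collection, following @odata.nextLink until exhausted."""
    items, url = [], GRAPH + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items


def audit(expected, service_principals, app_role_assignments, oauth2_grants):
    """Return {"server": finding, "client": finding} for one connection type.

    expected:             {"server": displayName, "client": displayName}
    service_principals:   Graph servicePrincipal objects (need id, displayName)
    app_role_assignments: {sp_id: [appRoleAssignment, ...]}   application permissions
    oauth2_grants:        {sp_id: [oauth2PermissionGrant, ...]} delegated (user) consents
    """
    by_name = {sp["displayName"]: sp for sp in service_principals}
    findings = {}
    for role, name in expected.items():
        sp = by_name.get(name)
        if sp is None:
            findings[role] = {"name": name, "present": False,
                              "problems": ["service principal not found in tenant"]}
            continue
        app_perms = [a["appRoleId"] for a in app_role_assignments.get(sp["id"], [])]
        delegated = sorted({s for g in oauth2_grants.get(sp["id"], [])
                            for s in g.get("scope", "").split()})
        problems = []
        if role == "server":
            # Posts inventory as the application itself: application permission
            # required, and no user should ever have consented to it.
            if not app_perms:
                problems.append("no application permission granted; data post cannot work")
            if delegated:
                problems.append("unexpected delegated scopes: " + " ".join(delegated))
        else:
            # Signed in to by the user during registration: delegated only.
            if not delegated:
                problems.append("no delegated consent; was the admin consent URL completed?")
            if app_perms:
                problems.append("unexpected application permissions: " + " ".join(app_perms))
        findings[role] = {"name": name, "present": True, "id": sp["id"],
                          "application_permissions": app_perms,
                          "delegated_scopes": delegated, "problems": problems}
    return findings


def main(mode="manual"):
    token = os.environ.get("GRAPH_TOKEN") or sys.exit("set GRAPH_TOKEN to a Graph bearer token")
    expected = CLOUD_CONNECTOR if mode == "cloud" else {
        "server": os.environ.get("JAMF_MANUAL_APP_NAME", "Jamf Pro Intune app (hypothetical)"),
        "client": MANUAL_CLIENT,
    }
    name_filter = " or ".join(f"displayName eq '{n}'" for n in expected.values())
    sps = graph_get("/servicePrincipals?" + urllib.parse.urlencode({"$filter": name_filter}), token)
    roles = {sp["id"]: graph_get(f"/servicePrincipals/{sp['id']}/appRoleAssignments", token)
             for sp in sps}
    grants = {sp["id"]: graph_get("/oauth2PermissionGrants?" + urllib.parse.urlencode(
        {"$filter": f"clientId eq '{sp['id']}'"}), token) for sp in sps}
    findings = audit(expected, sps, roles, grants)
    print(json.dumps(findings, indent=2))
    return 1 if any(f["problems"] for f in findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "manual"))
```

Run it as `python3 audit_jamf_apps.py manual` or `python3 audit_jamf_apps.py cloud`; a non-zero exit means one of the two apps is missing or carries permissions of the wrong kind for its side of the integration. The audit logic is kept separate from the Graph calls so it can be exercised against captured JSON without a token.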

Previous

Let’s Get Conditional - Jamf and Company Portal.app Registration Deconstructed (Part 1 - Client Side)