Let’s Get Conditional - Manual Connection Setup
This is the sixth of a multi-part series about the macOS Intune and Azure AD integration for inventory data and Conditional Access with Jamf Pro.
The topic of this post is explaining the set up process of the Manual connection for the integration.
TL;DR: There is no tl;dr you have to do all the steps for it to work.
The manual connection is available to on-premises hosted Jamf Pro servers and Jamf Cloud Servers. More information on the enterprise applications created in this post can be found here.
List of tasks to complete before and items to have at the ready for the setup process:
Azure admin account
API and Secrets Blade Access
App Registration Access
Jamf Pro admin account
Video of setup
Setup Steps
1.) In Jamf Pro, navigate to the Global Management settings page, then to the Conditional Access settings. Select the Edit button.
In the conditional access settings, enable Intune Integration for macOS.
2.) In another browser tab open Azure Active Directory and navigate to the App Registrations area.
Create a New Registration.
3.) The new registration could be named after server, or after the service (Jamf, etc.). Select the first radio button "Accounts in this organizational directory only (Jamf only - Single tenant) for who can use this application or access this API. Copy your Jamf Pro instance URL to be the redirect URL. Click the Register button then.
4.) With the App creation done we will now see the Application client ID. Copy that to the clipboard, and navigate back to Jamf Pro to paste the ID in the Application ID field. Also, enter the Azure AD Tenant Name.
5.) We will also copy the Application ID and paste into the Device Compliance > Partner Device Management blade, "Specify the Azure Active Directory App ID for Jamf" field. Click Save.
6.) Go back into Azure Active Directory and the App Registration that was just created. Navigate to the Certificates and secrets blade. Click New Client Secret button. In description name after the server or service, and set expiration as desired. Click Add. Copy the client secret "value" before leaving the blade. After leaving, the value will not be visible any longer.
7.) Take the copied value from the previous step, navigate back to Jamf Pro settings and paste the value into the Client Secret field.
Note: If you don't have access to Jamf Pro at this time (if an Azure AD admin is running the set up Azure side and sending the values to the Jamf Pro admin), you could paste into a text document to paste into Jamf Pro (then destroy the text document) at a later time.
8.) Navigate back to Azure and go to API Permissions blade. Click on User Read of the Microsoft graph permission and remove that permission set. With no permissions added, click on Add a permission then click on Intune API. Click on Application permissions and check box for update_device_attributes. Then select Add permissions. Once that permission is added, click on Grant admin consent for Jamf button (yes to pop up). Click refresh to ensure everything went through successfully.
9.) Navigate back to Jamf Pro, where all variables should now have been completed within the previous steps, and click Save.
Go back to Azure > Device Compliance and select the Partner Device Management blade again. You should see the last connection date as the time when the heartbeat went through from the saved set up. This tells us the server side is set up and communicating now.
10.) For the final step, navigate back to Jamf Pro and select Open administrator consent URL to create the native connector that is used client side during the registration and subsequent check in process. This will redirect you to enter your credentials to your Azure tenant with your admin account, and click Accept. A message will pop up saying the app has been added.
Go back to Azure Active Directory blade and Enterprise Applications blade to see the two enterprise applications that were just created.
The manual server integration is now complete.