When it comes to managing Macs, Jamf Pro is currently the number one product in this space when you want to fully control and manage those fruity macOS devices via the MDM channel. Just before the Jamf Nation User Conference (JNUC) back in September, Microsoft and Jamf announced their upcoming partnership; at JNUC they explained the partnership and what integration was going to be built. Just before New Year, the integration between Microsoft EMS (Intune + Azure AD) and Jamf was finally released.
Let's have a look at this integration: why you would want to integrate in part 1, how to configure it in part 2, and the end-user experience in part 3 of this blog series about Jamf Pro and Microsoft Intune. The current integration is only available in standalone Intune tenants.
Why integration between Jamf Pro and Microsoft EMS?
As Brad Anderson mentioned in his blog on the 14th of December 2017, mutual customers of Jamf and Microsoft were asking for the ability to apply the same Azure AD Conditional Access policies that already cover mobile devices and PCs to the Macs managed by Jamf. As we all know, Azure AD Conditional Access policies are the best way to control access to apps in Azure and Office 365 based on the compliance state, which is managed with Microsoft Intune.
The goal of this integration is to create a good and safe conditional access experience for apps and services in Azure and Office 365, for users but also for administrators.
So, is Microsoft with this partnership stopping its investments in macOS management in Microsoft Intune? The answer is NO(!). Microsoft is investing heavily in this space, and the most recent new feature this month is the ability to deploy Microsoft Office 365 ProPlus to Mac devices via Microsoft Intune. More on this in a later blog. It is also very worthwhile to watch the Ignite session by Chris Baldwin and Derrick Isoka about Android, macOS and iOS management in Microsoft Intune.
So, what is Jamf Pro all about?
With Jamf Pro you are able to fully manage your macOS devices from the Jamf Pro cloud service. You can configure policies, deploy apps, deploy configuration profiles for VPN, SCEP, certificates, disk encryption and much more, perform patch management, prestage imaging and deploy ebooks. Looking at it, it is a complete solution to fully control your macOS devices.
What is the integration all about?
So if we look at the slide from the Ignite session, we can see the workflow of the integration between EMS and Jamf Pro.
- A macOS device is managed by Jamf Pro.
- The same macOS device is registered with Microsoft Intune.
- Jamf sends the macOS device inventory to Microsoft Intune.
- Intune evaluates the device inventory and calculates the compliance state of the macOS device.
- Intune generates a compliance report and sets the compliance state in Azure AD.
- Conditional Access is enforced in Azure AD.
- If a device is compliant, access to Office 365/Azure AD is allowed.
- If a device is not compliant, access to Office 365/Azure AD is blocked.
- Users are guided to remediate their device via the Intune Company Portal and the Jamf Self Service application to become compliant and regain access.
So, if you already have Jamf Pro licenses and you also have Office 365 and other Azure services that you want to control via Conditional Access, you might want to also read the following two blogs, which will be released soon.
- Jamf Pro and Microsoft EMS better together – part 1 (this blog)
- Jamf Pro and Microsoft EMS better together – configuration – part 2
- Jamf Pro and Microsoft EMS better together – macOS devices – part 3
Of course, if the current support for macOS in Microsoft Intune and Azure AD is enough for your company, you may not need Jamf Pro.