After you integrate Jamf Pro with Intune, configure Intune compliance policies and Azure Active Directory (Azure AD) Conditional Access policies to enforce compliance of macOS devices with your organizational requirements.

This article can help you with the following tasks:

  • Create Conditional Access policies.
  • Configure Jamf Pro to deploy the Intune Company Portal app to devices you manage with Jamf.
  • Configure devices to register with Azure AD when the device user signs in to the Company Portal app they start from within the Jamf Self Service app. Device registration establishes an identity in Azure AD that allows the device to be evaluated by Conditional Access policies for access to company resources.

The procedures in this article require access to both the Intune and Jamf Pro consoles. Intune supports two methods to integrate Jamf Pro, which you configure separately from the procedures in this article:

After integration is configured, device users learn about Jamf Pro and Intune integration through either a communication from your IT department about how to register a device, or by discovering the Intune Company Portal app that you deploy through Jamf Pro Self Service. After device registration completes, inventory data collected by Jamf Pro for that device is shared with Intune. Information is shared for only those Mac devices that have completed.

Set up device compliance policies in Intune

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Compliance policies. If you're using a previously created policy, select that policy in the console and then go to the next step of this procedure. To create a new policy, select Create Policy and then specify details for a policy with a Platform of macOS. Configure Settings and Actions for noncompliance to meet your organizational requirements, and then select Create to save the policy.

  3. On the policies Overview pane, select Assignments. Use the available options to configure which Azure Active Directory (Azure AD) users and security groups receive this policy. Jamf integration with Intune doesn't support compliance policy that targets device groups.

    Note

    Jamf integration with Intune only supports Azure AD user groups. Device compliance policies that are targeted to device groups will not apply.

  4. When you select Save, the policy deploys to the users.

Policies you deploy target the devices that are used by the assigned users. Those devices are evaluated for compliance. Compliant devices are marked as compliant for the setting "Require device to be marked as compliant" in Azure AD.

Note

Intune requires full disk encryption to be compliant.

Deploy the Company Portal app for macOS in Jamf Pro

Create a policy in Jamf Pro to deploy the Intune Company Portal. This policy deploys the Company Portal app so that it's available in Jamf Self Service. Create this policy before you create the Jamf Pro policy that has users register their devices with Azure AD.

To complete the following procedure, you need access to a macOS device and the Jamf Pro portal.

To deploy the company portal app

  1. On a macOS device, download but don't install the current version of the Company Portal app for macOS. You only need a copy of the app so you can upload the app to Jamf Pro.

  2. Open Jamf Pro and go to Computer management > Packages.

  3. Create a new package with the Company Portal app for macOS, then select Save.

  4. Open Computers > Policies, then select New.

  5. Use the General payload to configure settings for the policy. These settings should be:

    • Trigger: select Enrollment Complete and Recurring Check-in
    • Execution Frequency: select Once per computer
  6. Select the Packages payload and select Configure.

  7. Select Add to select the package with the Company Portal app.

  8. Select Install from the Action pop-up menu.

  9. Configure the settings for the package.

  10. Select the Scope tab to specify on which computers the Company Portal app should install. Select Save. The policy runs on scoped devices the next time the selected trigger occurs on the computer and the criteria in the General payload is met.

Create a policy in Jamf Pro to have users register their devices with Azure Active Directory

After you deploy the Company Portal for macOS through Jamf Pro Self-Service, you can create the Jamf Pro policy that registers a user's device with Azure AD.

Device registration requires a device user to manually select the Intune Company Portal app from within Jamf Self Service. We recommend you contact your end users through email, Jamf Pro notifications, or any other method your organization uses to direct them to complete this action to get their devices registered.

Warning

Launching the Company Portal app manually (for example, from the Applications or Downloads folder) won't register the device. If a device user launches the Company Portal manually, they'll see the warning 'AccountNotOnboarded'.

To create the registration policy

  1. In Jamf Pro, go to Computers > Policies, and then create a new policy for device registration.

  2. Configure the Microsoft Intune Integration payload, including the trigger and execution frequency.

  3. Select the Scope tab, and then scope the policy to all targeted devices.

  4. Select the Self Service tab to make the policy available in Jamf Self Service. Include the policy in the Device Compliance category. Select Save.

Use the Jamf Pro console to confirm that communication between Jamf Pro and Microsoft Intune is successful.

  • In Jamf Pro, go to Settings > Global Management > Microsoft Intune Integration, and then select Test.

The console displays a message with the success or failure of the connection. Should the connection test from the Jamf Pro console fail, review the Jamf configuration.

Removing a Jamf-managed device from Intune

To remove a Jamf-managed device, open the Microsoft Endpoint Manager admin center, and select Devices > All devices, select the device, and then select Delete. Bulk device deletion can be enabled by selecting multiple devices and clicking Delete.

Get information on how to remove a Jamf-managed device in the Jamf Pro docs. You can also file a support ticket with Jamf support for more help.

Alternative Authentication – NoMAD and NoLoAD

NOTE: NoLoAD can be used without NoMAD by simply leaving the NoMAD package out of the policy. If there is no need to retain Kerberos tickets for services like DFS shares, NoMAD is not needed.

Create a Jamf Pro policy that installs the latest versions of both NoLoAD and NoMAD (from the nomad.menu web site) as packages from the Jamf Pro distribution point. Trigger it as desired, but set it to run only once per computer, as in Figure 5.


Figure 5 Jamf Pro Policy for NoMAD installation

Create Admin Users instead of Standard Users

As provided, the CreateAdminUser setting is false and every user NoLoAD creates is a Standard User. Groups whose technicians assist end users should consider setting the CreateAdminIfGroupMember preference in a Profile, or with:

defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins' 'whatever'

If an end user needs to be an administrator on the device, use a Profile or set:

defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminUser -bool true

Both commands write to /Library/Preferences, so they must run as root (a Jamf Pro policy does). Making every created user an administrator is the broader grant; prefer the group-based setting wherever it fits.

Display a Different Logo on NoLoAD Login Window

To change the graphic on the login window simply replace /Library/Application\ Support/NoLoAD/logo.png with a different PNG file of choice.

Require Terms Of Use Display and Acknowledgement

If there is need to require users to accept the University Terms of Use add a Files and Processes Option that sets the EULATitle and EULAText settings (or use a Profile to do the same) like:

defaults write /Library/Preferences/menu.nomad.login.ad EULATitle "Warning Notice";

defaults write /Library/Preferences/menu.nomad.login.ad EULAText "This is an NC State Information Technology resource that may only be accessed and used by authorized individuals. By using this system, all users acknowledge notice of and agree to comply with NC State’s Computer Use Regulation REG 08.00.02, available at http://go.ncsu.edu/computeruse.

 Unauthorized access or use of this resource may subject violators to criminal, civil, and/or administrative disciplinary action. By using this computer system, users understand that they have no expectation of privacy with regard to any records/data stored on, archived on, or passing over NC State IT resources. NC State may examine the content of both personal and work-related electronic information stored on, archived on, or passing over NC State IT resources."

When both commands are entered in one Execute Command field, separate them with a ";"; the policy will then look like Figure 6. None of this is required if a Configuration Profile sets the same keys.


Figure 6 Full NoMAD policy with EULA

Alternative Authentication – Jamf Connect

Jamf Connect is commercial, for-pay software: a macOS Security Agent plugin and menu bar app that provides authentication and password sync with OAuth identity providers such as Okta, MS Azure, Google Identity and others. For information on how to configure Jamf Connect at NC State University see (authentication required):
https://docs.google.com/document/d/19aHSs4unm8K9k5duOB_20ueXq4KZEG1w3cuPv3eAFbg/edit?usp=sharing

Printer Setup

Printers are either very trivial or overly complex to deploy on macOS, depending on who made the printer and what features need to be supported. The most reliable method is not the default printer setup provided by Jamf Pro: the Jamf Pro Printers payload maps an existing printer definition, it does not create one.

The two methods that actually work are:

a) an "AirPrint" Configuration Profile from the JSON Profile Manifests Mirror (https://github.com/Jamf-Custom-Profile-Schemas/ProfileManifestsMirror/blob/main/manifests/ManifestsApple/com.apple.airprint.json), which works for basic printing to the majority of modern printers, or

b) setting the printer up with the lpadmin Unix command line tool, which configures CUPS. Starting with macOS 10.15.x Apple has restricted network printing to the ipp or ipps protocols (direct-attached USB should keep working, and smb-based printing still seems to work, but don't expect it to survive future versions of macOS).

–Configuration Profiles – the easy way to setup most printers

Most modern printers support the ipp or ipps print protocols. These should be set up as "AirPrint" printers by IP address using the com.apple.airprint.json file from the JSON Profile Manifests Mirror. See the Using JSON Profile Manifests for easy macOS Configuration section to learn how to install the custom JSON profile template.
Note: What Apple calls AirPrint has 2 parts: discovery of printers, which uses DNS-SD (Bonjour), and actually printing to them, which uses the ipp/ipps protocols. By using Configuration Profiles to set up printers we skip the discovery part and add the printer directly by IP address or DNS name. See the example at

https://www.jamf.com/jamf-nation/feature-requests/6026/add-airprint-as-a-macos-configuration-profile-payload-option

–Printer Setup with the Install_Printer_from_Airprint_Info script in Jamf Pro – when profiles do not work

When configuration profiles have been tried and do not work, OIT has provided a printer setup script in Jamf Pro named "Install_Printer_from_Airprint_Info", based on https://gist.github.com/apizz/5ed7a944d8b17f28ddc53a017e99cd35. (NOTE: this script may or may not work when printing through a print server, so test well.) The script uses command line tools to query the network printer, by IP address or DNS name, over the ipp protocol and pulls back the AirPrint printer configuration information it needs. That information is then processed with the ipp2ppd tool (/System/Library/Printers/Libraries/ipp2ppd) to create the correct PPD file, and the printer is added with the lpadmin command line tool.

Best practice is to create a Jamf Policy and add the script named "Install_Printer_from_Airprint_Info". The script takes Parameter Values for only 1 printer, so it is also best practice to have 1 policy per printer. To set up a printer, fill in values for:

  • Printer address: the IP address or a fully qualified DNS name for the printer.
  • PRINTER_NAME_no_spaces_allowed: the name the CUPS print system will use for the printer. NOTE: as the label says, no spaces are allowed in this parameter.
  • PRINTER DISPLAY NAME: optional readable name for the CUPS web interface. NOTE: if this is set in the configuration information on the printer, this value may be replaced.
  • PRINTER LOCATION: the name that will appear in the print dialog.
  • REQUIRE_ICON: optional; set to the string true or the string false, not a Boolean (defaults to false if left blank). NOTE: if this is true and no icon is available, the script will ABORT and the printer setup will FAIL.

Parameter Values for Install_Printer_from_Airprint script in Jamf Pro

–Printer Setup with lpadmin – when nothing else works

When configuration profiles and the Install_Printer_from_Airprint_Info script have been tried and they don’t work, then we need to know what type of printer protocol is used for a manual setup with the lpadmin tool. For most of these “other” printers the most reliable setup is to create a Jamf Pro Policy that has a “EXECUTE COMMAND” set on the “Files and Processes” option to use the lpadmin command line tool. WARNING: Most printers that need lpadmin to deploy ALSO require additional software beyond the printer setup and may require multiple install packages installed in a specific order to make them work.

The general command is:
lpadmin -p SomePrinter -D "Some Printer" -E -v ipp://example.ncsu.edu/queuename -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd

Best practice here is to set up the printer on a macOS device so you know it works. Make a list of any extra installer packages and configuration files it takes for an actual printout to work. After everything works, look at /etc/cups/printers.conf (it is readable only by root, so use sudo). WARNING: In macOS 10.15.0+ Apple has added this note to the lpadmin man page: "Note: PPD files and printer drivers are deprecated and will not be supported in a future version of CUPS". This means the -P option in lpadmin will stop working in a future version of macOS.

The printers.conf file will have 1 or more entries wrapped in the XML-style tags <Printer somename> </Printer>, like:

<Printer WolfPrint_BlackAndWhite>
PrinterId 5
UUID urn:uuid:bc59184e-e6cf-30f1-6988-2c47b7df094b
AuthInfoRequired none
Info WolfPrint-BlackAndWhite
MakeModel Generic PostScript Printer
DeviceURI ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite
State Idle
StateTime 1568986117
ConfigTime 1576252195
Type 8400988
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>

We need 2 strings out of the printers.conf file: a) the name part of the opening tag (in this example WolfPrint_BlackAndWhite) and b) the DeviceURI (here ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite).
The lpadmin command would look like:

lpadmin -p WolfPrint_BlackAndWhite -D "WolfPrint_BlackAndWhite" -E -v ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd
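The two procedures above, the Jamf script parameters for Install_Printer_from_Airprint_Info and turning a working Mac's printers.conf into lpadmin commands, as one added shell example. This is not code from this page, from OIT's script or from the apizz gist. The function names are mine; the queue-name rule is stricter than what CUPS enforces; the ipp://host/ipp/print default path is an assumption (the usual AirPrint/IPP Everywhere queue path, which print servers may not use); and the sample printers.conf is constructed, with the page's WolfPrint entry plus a made-up lpd queue to show a non-IPP DeviceURI passing through unchanged. It only prints commands, so it can be reviewed before the printed line is run under a Jamf policy.

```shell
#!/bin/sh
# Added example: build lpadmin commands from Jamf script parameters or from
# an existing printers.conf, with the checks the page asks for. Nothing here
# touches CUPS; the commands are printed for review.

# Generic AirPrint PPD used in the page's commands.
AIRPRINT_PPD=/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd

# validate_queue_name NAME -> 0 if NAME is usable as a CUPS queue name.
# CUPS rejects spaces, '/' and '#'; this rule is deliberately stricter
# (letters, digits, '_', '-', '.') so the name is also shell-safe.
validate_queue_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# build_lpadmin_from_params ADDRESS QUEUE_NAME [DISPLAY_NAME] [LOCATION]
# Mirrors the Jamf script parameters ($4..$7). A bare IP or host name is
# turned into an IPP Everywhere URI (assumption: ipp://host/ipp/print).
build_lpadmin_from_params() {
    address=$1
    queue=$2
    display=${3:-$2}
    location=$4
    validate_queue_name "$queue" || {
        echo "queue name '$queue' contains characters CUPS will not accept" >&2
        return 1
    }
    case "$address" in
        ipp://*|ipps://*) uri=$address ;;
        *) uri="ipp://$address/ipp/print" ;;
    esac
    cmd="lpadmin -p $queue -D \"$display\" -E -v $uri -P $AIRPRINT_PPD"
    [ -n "$location" ] && cmd="$cmd -L \"$location\""
    printf '%s\n' "$cmd"
}

# printers_conf_to_lpadmin FILE
# Emits one lpadmin command per <Printer> block: queue name from the tag,
# DeviceURI as-is (so lpd://, smb:// and friends survive), Info -> -D,
# Location -> -L. Blocks without a DeviceURI are skipped.
printers_conf_to_lpadmin() {
    awk -v ppd="$AIRPRINT_PPD" '
        /^<Printer /   { name = $2; sub(/>$/, "", name); uri = ""; info = ""; loc = "" }
        /^DeviceURI /  { uri = $2 }
        /^Info /       { info = substr($0, 6) }
        /^Location /   { loc = substr($0, 10) }
        /^<\/Printer>/ {
            if (name == "" || uri == "") next
            cmd = sprintf("lpadmin -p %s -D \"%s\" -E -v %s -P %s", name, (info == "" ? name : info), uri, ppd)
            if (loc != "") cmd = cmd " -L \"" loc "\""
            print cmd
            name = ""
        }
    ' "$1"
}

# write_sample_printers_conf FILE: constructed sample for the demo. The first
# entry is the page's WolfPrint example; the second is a made-up lpd queue.
write_sample_printers_conf() {
    cat > "$1" <<'EOF'
<Printer WolfPrint_BlackAndWhite>
PrinterId 5
UUID urn:uuid:bc59184e-e6cf-30f1-6988-2c47b7df094b
AuthInfoRequired none
Info WolfPrint-BlackAndWhite
MakeModel Generic PostScript Printer
DeviceURI ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite
State Idle
Accepting Yes
Shared No
</Printer>
<Printer Lab_LPD>
Info Lab LPD Printer
Location Room 101
DeviceURI lpd://printhost.example.ncsu.edu/labqueue
State Idle
</Printer>
EOF
}

# Demo: generate commands from both sources without touching CUPS.
sample=$(mktemp)
write_sample_printers_conf "$sample"
printers_conf_to_lpadmin "$sample"
rm -f "$sample"
build_lpadmin_from_params 10.0.0.5 Lab_Printer "Lab Printer" "Room 101"
build_lpadmin_from_params 10.0.0.5 "Lab Printer" || true   # rejected: space in queue name
```

To use it under a Jamf policy, call build_lpadmin_from_params "$4" "$5" "$6" "$7" and run the printed line with eval once it has been checked; the printers.conf path only needs the file copied off a Mac where the printer already works.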

Some good information is at:
https://www.jamf.com/jamf-nation/discussions/31099/adding-printer-to-mac-via-terminal-command-line-for-airprint

Again, these are for printers that use ipp/ipps and have no special setup requirements (and so can use a generic PPD such as the AirPrint.ppd used above). These are color or black and white, PostScript or PCL printers that print single or double sided on 8.5″x11″ paper with no more than 2 paper trays (manual feed usually works too).

For printers that use other network protocols like lpd, smb, etc the DeviceURI will be different so just copy/paste from printers.conf.
If the printers are multi-function, additional setup packages will be required.

If you want to explore more complex printer setup have a look at:
https://oit.ncsu.edu/help-support/apple/cups-setup-for-wolfcopy-on-mac-os-x-10-5/

If you need to set some Pre-Sets for printers on macOS (preferences for Double Sided, etc) have a look at this link:

https://aporlebeke.wordpress.com/2020/07/17/building-deploying-mac-printer-presets/

Install InCommon Certificate for Cisco Jabber

The installation of the Cisco Jabber software for macOS here at NCSU requires an InCommon Certificate that is not included with macOS by default.  The certificate must be added to the user’s keychain.  To install the certificate for users in a Jamf Site the following macOS configuration profile can be used with slight modification to update the uuid number for the profile identifier. Here are the steps:

  1. Download the template configuration profile at:
    https://drive.google.com/open?id=1cvuS3lnjAtG5AEW2oNjaxPjLP1Tt7KJP
  2. Unzip the file by double clicking on it.
  3. Download and install Profile Creator.app from
    https://github.com/ProfileCreator/ProfileCreator/releases
  4. Run Profile Creator.app and Open the template configuration profile named NCSU-Campus-InCommon RSA Server CA for Cisco Jabber.mobileconfig.  In the General section look for the Identifier field. NOTE: On the first run of ProfileCreator.app the preferences will need to be changed to show the Identifier field. Do this by clicking the Gear Icon in the upper right of the window and check “Hidden” next to “Show Payload Keys: “.
    Jamf pro management tasks can be scoped to computers using:
  5. The uuid number in the Identifier field of every configuration profile needs to be unique across all of Jamf Pro. Generate a new uuid by opening Terminal.app and running the uuidgen command, which prints something like:

    $ uuidgen
    AA724EBA-DC4B-499E-88BC-FB66809C4CB7

  6. Now copy and paste the newly generated uuid number into the Identifier field in Profile Creator.app and save the profile by first Selecting Save from the File menu and then Selecting Export from the File Menu to create a new copy for uploading to Jamf Pro.

Create a Launch or Install Policy for Self Service

Here is a little trick for those interested in creating a Jamf policy that either launches an app or runs a policy to install it.
It uses the Files and Processes option in a Jamf policy together with the shell's || operator. If the command on the left of || fails, the command on the right runs. The general idea is:

/usr/bin/open -a "some application" || /usr/local/bin/jamf -event someCustomTrigger

So the open tool with the -a switch tries to open the named application and bring it to the front. open exits non-zero when no application by that name can be found, and in that case the jamf binary runs the policy that has the existing custom trigger.
Another example:

/usr/bin/open -a "TextEdit" || /usr/local/bin/jamf -event installTextEdit

Remember, of course, that the custom trigger has to exist already (usually on one of your existing policies; just add a custom trigger to it). The policy can be added to the Jamf category -Launcher to make it easier to find.

The policy in Jamf Pro would look like this:

(Figure: the Launcher policy in Jamf Pro, Files and Processes payload)

Setting the Date, Time, and Time Zone

Use the Template macOS Configuration Profile that sets the time zone to America/New_York and configures the Date and Time system preference panel to use time.ncsu.edu. Remember to change the uuid number to avoid profile conflicts in Jamf Pro.

Template Date and Time Configuration Profile

Adding App Store Apps with Devices Licenses

Many popular apps for Apple devices are available in the App Store and can be easily installed as Device Licensed applications.
The steps are:

1) Login to school.apple.com and select Apps and Books under the Content section on the left side bar. Note: The id must have Content Management permissions in Apple School Manager.

2) Find the app you want (Word, etc). Warning here is that many apps, MS included, have both iOS and macOS versions. To make it easier click on the blue and white sort icon (ice cream cone shaped) and set the Type to “Mac”, etc.

3) “Buy” for $0.00 the number of copies needed by filling in the Quantity and pressing the Get button. This will start the license generation process.

4) WAIT until an email confirms the licenses are ready.


Purchasing Books and Content in Apple School Manager

5) In Jamf Pro, select Computers> Mac App Store Apps> +New

6) Search for desired app and click the Add button on the far right.

7) Set a category, Self Service details, etc, add Scope like any other policy.

8) Now click Save.

9) Now that the App Store App is created, edit it a 2nd time, click Managed Distribution (right most tab) and check the box Assign Content Purchased in Volume

10) Verify that Total Content matches the licenses you purchased (or the total purchased if more than one purchase of the same app has been made) and Click Save again.


Jamf Pro configuration for App Store Apps with Device Licensing

NOTE: The In Use number does not always equal the number physically installed.  It just means that the license is assigned and that many devices have confirmed with the JSS they will use the license.  The install may not have happened yet especially if deployed using Self Service.  If VPP numbers don’t match, wait about 1 hour and confirm again.  For very large purchases 1,000 +  copies it may take 4 or more hours to finish the license generation so wait for that confirmation email.

Apple provides Rosetta 2 so that macOS software compiled for Intel (x86_64) processors can run on Macs with Apple Silicon processors. This translation layer is not installed by default and must be added. When an application that needs Rosetta 2 is double-clicked, macOS prompts to install it, and for accounts that do not have software install permissions that prompt fails. To avoid the prompt and give a better user experience, install Rosetta silently with a Jamf Pro policy whose Files and Processes option has the following Execute Command:

/usr/sbin/softwareupdate --install-rosetta --agree-to-license

Triggering this to run Once per Computer at Enrollment Complete and Recurring Check-in is best practice. Scope it to Apple Silicon Macs (a smart group keyed on the processor architecture), since the command fails on Intel Macs. Note: it is also possible to run this command from the post-install script of a PKG installer added to the PreStage, but the installer must be signed to work.
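An added shell example of the check a policy scoped to all computers needs before running the command above; this is not code from the page or from Apple or Jamf. It skips Intel Macs, where --install-rosetta fails, and Macs that already have Rosetta 2, and exits non-zero when the install itself fails so the policy log shows it. The runtime path it tests for is a commonly used heuristic and an assumption here, not an interface Apple documents.

```shell
#!/bin/sh
# Added example: decide whether Rosetta 2 needs installing before calling
# softwareupdate, so one policy can be scoped to every Mac without failing
# on Intel machines or re-running where Rosetta is already present.

# Assumption: this file exists once Rosetta 2 is installed (a widely used
# check, not a documented interface).
ROSETTA_RUNTIME=/Library/Apple/usr/share/rosetta/rosetta

# rosetta_action ARCH PRESENT -> prints one of:
#   install, skip-installed, skip-intel, skip-unknown
# ARCH is what `uname -m` reports; PRESENT is "yes" or "no".
rosetta_action() {
    arch=$1
    present=$2
    case "$arch" in
        arm64)
            if [ "$present" = yes ]; then
                echo skip-installed
            else
                echo install
            fi
            ;;
        x86_64|i386)
            echo skip-intel
            ;;
        *)
            echo skip-unknown
            ;;
    esac
}

# rosetta_present -> "yes"/"no" depending on the runtime path above.
rosetta_present() {
    if [ -e "$ROSETTA_RUNTIME" ]; then echo yes; else echo no; fi
}

# Only act on macOS; the decision functions above are safe anywhere.
if [ "$(uname -s)" = Darwin ]; then
    action=$(rosetta_action "$(uname -m)" "$(rosetta_present)")
    case "$action" in
        install)
            # --agree-to-license avoids the interactive prompt; a non-zero
            # exit here surfaces the failure in the Jamf policy log.
            /usr/sbin/softwareupdate --install-rosetta --agree-to-license
            exit $?
            ;;
        *)
            echo "Rosetta 2: $action, nothing to do"
            ;;
    esac
fi
```

Run it as the policy's script instead of the bare Execute Command; the "Rosetta 2: skip-..." line in the policy log tells you why a Mac was left alone.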