kras99 - Fotolia
An integration that links Jamf Pro and Microsoft Intune's conditional access could fill in Microsoft's macOS management gaps.
This integration, which experts discussed during a virtual session at Jamf Nation User Conference 2020, allows administrators to establish a connection between Jamf Pro and Intune -- now renamed Microsoft Endpoint Manager. This connection communicates whether trusted users are working on a secure and compliant endpoint with only the approved applications and resources available. Jamf administrators can link Jamf Pro's device inventory data with Microsoft Azure Active Directory (AD) compliance policies in Intune.
This feature bolsters organizations' ability to run a zero-trust security model with both macOS and Windows endpoints as well, said Jack Gold, president and principal analyst at J. Gold Associates.
"Everyone's now trying to play up the zero-trust model -- meaning 'I don't trust anything that comes into my network.' That's what Microsoft is concentrating on with this," Gold said.
What can the Jamf Pro integration with Intune offer administrators?
The integration's ability to provide Intune with a top-down view of macOS endpoints and their security status, including the OS version that users are running, is a significant improvement for Mac endpoint management, said Todd Ness, a senior Mac IT engineer at Veritas Technologies, in a session he hosted at the conference.
"You [can] set a minimum OS level, and if users try to log in and check their email with an old OS, they can't do it," Ness said. "[Users] will be highly motivated to get their computer up to date."
This feature is especially relevant with the uptick in BYOD Mac usage due to the pandemic-induced work-from-home boom, Gold said. Organizations must be especially wary granting remote, personally-owned Mac devices access to the corporate network and resources.
This integration also enables IT admins to control authentication and access permissions for the Office 365 suite on macOS devices with the same Intune policies they use for Windows desktops. Additionally, once a user authenticates for a single Office 365 app, that permission applies to the entire suite of Office 365 applications. These connections can reduce work for administrators that tried to manually connect macOS applications with Azure AD.
"Before this integration came out, I had to create the enterprise applications [for the Mac devices] in Azure AD manually … by matching the URLs and making sure everything was perfect. Now you can just open the Jamf console, enable the integration and it redirects you to Azure AD," said Kyle Ericson, a systems engineer at a large manufacturing organization.
Intune and Jamf Pro integration lacks streamlined support, automation
Like any new technology integration, however, administrators face some challenges that stand in the way of a successful rollout. For example, retiring desktops can be an issue.
Jack GoldPresident and principal analyst, J. Gold Associates
"The Azure records do not ever get cleaned up automatically when you delete a computer from Jamf. When you delete a computer from Jamf it should go get the active record out of Intune for you, but if there are multiple entries, it will only clean up one," Ness said during his virtual JNUC 2020 session.
This can lead to more steps during inventory management, adding to IT's workload. Additionally, the integration can lead to some incompliance false positives.
"When you run certain compliance policies with Intune … this can lead to syncing issues where users get a noncompliance inside of Intune even though the device is totally compliant. That communication piece sometimes breaks down," Ericson said.
Ness struggled to find adequate support for troubleshooting this integration, he said in the session. He had to open a ticket with both Microsoft and Jamf, and the two vendors weren't quickly or directly communicating to discover the root cause of the issue.
"[Relying on multiple vendors for support] is a perennial issue … and it's only going to increase as organizations rely more on external sources for technology services. Getting the root cause from multiple external services is getting harder and harder," said Andrew Hewitt, an analyst at Forrester Research.
This leaves customers in a difficult place as they try to troubleshoot issues with two different support teams that aren't familiar with the other vendor's platform.
"The support teams are doing their best, but troubleshooting this integration is like asking Toyota to fix one of their models after you've put a Chevy engine under the hood," Gold said.
Microsoft fills in MacOS management gaps with Jamf integration
The integration allows organizations to use Microsoft and Jamf's individual strengths -- Microsoft's breadth of enterprise-grade services and Jamf's specialty in macOS management -- to simplify their management processes and eliminate the need for custom scripts to connect Jamf Pro and Intune.
"Microsoft wants to be the command center for all things enterprise, but they know their macOS management isn't enterprise-quality … so they said, 'Let's partner with the company that does it best,' and that's Jamf," Gold said.
Intune's macOS management capabilities are limited, Ericson agreed.
"Intune isn't the best platform for Mac devices… it's a little behind the times," he said. "But then I saw that Jamf announced the integration with Intune and thought 'Oh, perfect, we can use the best of the best for Windows and Mac.'"
This allows Microsoft to help organizations that run Windows and macOS endpoints -- and even iOS endpoints -- to maintain connectivity to Azure AD across all of their devices.
Organizations that want a deep level of control and insight on both macOS and Windows desktops can keep them within Azure AD to capitalize on the strengths of Jamf Pro and Intune.
"Jamf offers a high level of granularity when it comes to management that can't be matched elsewhere, so this conditional access integration basically allows Jamf customers to fully integrate with the Microsoft ecosystem," Hewitt said.