Jamf Pro




This article can help you install the Jamf Cloud Connector to integrate Jamf Pro with Microsoft Intune. The Cloud Connector automates many of the steps that are required when you manually configure integration as documented in Integrate Jamf Pro with Intune for compliance.

The name of the group in Jamf Pro must be the same as the group OID value in Azure. This matters when you add Azure AD groups to Jamf Pro for access to the GUI, Self Service, or for enrollment authentication.

Jamf Pro, developed by Jamf, is a comprehensive management system for Apple macOS computers and iOS devices. With Jamf Pro, IT technicians proactively manage the entire lifecycle of all Apple devices. This includes deploying and maintaining software, responding to security threats, distributing settings, and analyzing inventory data.

When you set up the Cloud Connector:

  • Setup automatically creates the Jamf Pro applications in Azure, replacing the need to manually configure them.
  • You can integrate multiple instances of Jamf Pro with the same Azure tenant that hosts your Intune subscription.

Connecting multiple instances of Jamf Pro with a single Azure tenant is supported only when you use the Cloud Connector. When you use a manually configured connection, only a single instance of Jamf can integrate with an Azure tenant.

Use of the Cloud Connector is optional:

  • For new tenants that don't yet integrate with Jamf, you can choose to configure the Cloud Connector as described in this article, or you can manually configure integration as described in Integrate Jamf Pro with Intune for compliance.
  • For tenants that already have a manual configuration, you can choose to remove that integration, and then set up the Cloud Connector. Both the removal of an existing integration and set up of the Cloud Connector are described in this article.

If you plan to replace your previous integration with the Jamf Cloud Connector:

  • Use the procedure to remove your current configuration, which includes deleting the Enterprise apps for Jamf Pro and disabling the manual integration. Then you can use the procedure to configure the Cloud Connector.
  • You won't need to re-register devices. Devices that are already registered can use the Cloud Connector without additional configuration.
  • Be sure to configure the Cloud Connector within 24 hours of removing your manual integration to ensure your registered devices can continue to report their status.

For more information about the Jamf Cloud Connector, see Configuring the macOS Intune Integration using the Cloud Connector on docs.jamf.com.

Prerequisites

Products and services:

  • Jamf Pro 10.18 or later
  • A Jamf Pro user account with Conditional Access privileges
  • Microsoft Intune
  • Microsoft Azure AD Premium
  • macOS devices with OS X 10.12 Yosemite or later

Network:
The following ports and endpoints must be accessible for Jamf and Intune to integrate correctly:

  • Intune: Port 443

  • Apple: Ports 2195, 2196, and 5223 (push notifications to Intune)

  • Jamf: Ports 80 and 5223

  • Endpoints:

    • login.microsoftonline.com
    • graph.windows.net
    • *.manage.microsoft.com

For APNs to function correctly on the network, you must enable outgoing connections to, and redirects from, the following ports:

  • The Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks.
  • Ports 2195 and 2196 from Jamf Pro servers.

For more information about these ports, see the following articles:

  • Intune network configuration requirements and bandwidth.
  • Network Ports Used by Jamf Pro on jamf.com.
  • TCP and UDP ports used by Apple software products on support.apple.com
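The port and endpoint list above is the first thing Jamf support will ask about, so it helps to check it from the Jamf Pro server (and from a client network for the APNs entries) before a connection attempt fails. The script below is an added example, not code from Jamf or Microsoft: it opens and closes a TCP connection to each listed endpoint and port, and maps the addresses a host resolves to against the Apple 17.0.0.0/8 block so a firewall allow-list can be verified. The page gives `*.manage.microsoft.com` as a wildcard and names no APNs gateway host, so `portal.manage.microsoft.com` is an assumed stand-in and the `APNS_HOSTS` list is left for the admin to fill in.

```python
"""Connectivity check for the Jamf Pro / Intune integration prerequisites.

Added example (not from the page's author, Jamf, or Microsoft): run it on the
Jamf Pro server, or from a client network, to confirm the ports and endpoints
listed in the prerequisites are reachable before opening a support case.
"""
import ipaddress
import socket

# Apple's push notification block named in the prerequisites.
APPLE_PUSH_BLOCK = ipaddress.ip_network("17.0.0.0/8")

# (label, host, port) taken from the prerequisites list. The page names
# *.manage.microsoft.com as a wildcard; portal.manage.microsoft.com is an
# assumed stand-in here, so replace it with the hosts your tenant actually uses.
REQUIRED_TARGETS = [
    ("Azure AD sign-in (Intune, port 443)", "login.microsoftonline.com", 443),
    ("Azure AD Graph (Intune, port 443)", "graph.windows.net", 443),
    ("Intune service (assumed host for *.manage.microsoft.com)", "portal.manage.microsoft.com", 443),
]

# APNs gateway hosts are not named on the page, so they are an admin-supplied
# assumption. Each one is checked on the client ports 5223 and 443.
APNS_HOSTS = []


def check_tcp(host, port, timeout=3.0):
    """Open and immediately close a TCP connection; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        # DNS failures, refused connects and timeouts all surface here.
        return False, str(exc) or exc.__class__.__name__


def addresses_in_block(host, block=APPLE_PUSH_BLOCK):
    """Resolve host (IPv4) and map each address to whether it lies inside block.

    Confirms that an allow-list for 17.0.0.0/8 really covers the addresses
    clients resolve for Apple's push service.
    """
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return {addr: ipaddress.ip_address(addr) in block for addr in addrs}


def apns_targets(hosts):
    """Expand APNs hosts into (label, host, port) entries for ports 5223 and 443."""
    return [(f"APNs {host}", host, port) for host in hosts for port in (5223, 443)]


def run_checklist(targets, timeout=3.0):
    """Check every (label, host, port) target and return one result dict per target."""
    results = []
    for label, host, port in targets:
        ok, detail = check_tcp(host, port, timeout)
        results.append({"label": label, "host": host, "port": port, "ok": ok, "detail": detail})
    return results


def failures(results):
    """Return only the failed checks: the ones worth reporting to Jamf support."""
    return [r for r in results if not r["ok"]]


if __name__ == "__main__":
    results = run_checklist(REQUIRED_TARGETS + apns_targets(APNS_HOSTS))
    for r in results:
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {r['host']}:{r['port']}  {r['label']}  ({r['detail']})")
    for host in APNS_HOSTS:
        for addr, inside in addresses_in_block(host).items():
            print(f"{host} -> {addr}: {'inside' if inside else 'OUTSIDE'} 17.0.0.0/8")
    raise SystemExit(1 if failures(results) else 0)
```

The exit status makes the script usable from a monitoring job; a non-zero result after a firewall or proxy change is the signal to look at before the Partner device management node shows anything wrong.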

Accounts:
Procedures in this article require use of accounts with the following permissions:

  • Jamf Pro console: An account with permissions to manage Jamf Pro
  • Microsoft Endpoint Manager admin center: Global Administrator
  • Azure portal: Global Administrator

Remove the Jamf Pro integration for a previously configured tenant

Use the following procedure to remove a manually configured integration of Jamf Pro from your Azure tenant before you can configure the Cloud Connector.

If you have not previously set up a connection between Jamf Pro and Intune, or if you have one or more connections that already use the Cloud Connector, skip this procedure and begin with Configure the Cloud Connector for a new tenant.

Remove a manually configured Jamf Pro integration

  1. Sign in to the Jamf Pro console.

  2. Select Settings (the gear icon in the upper right corner), and then go to Global Management > Conditional Access.

  3. Select Edit.

  4. De-select the checkbox for Enable Intune Integration for macOS.

    When you deselect this setting, you disable the connection but save your configuration.

  5. Sign in to the Microsoft Endpoint Manager admin center and go to Tenant administration > Partner device management.

    On the Partner device management node, delete the Application ID in the Specify the Azure Active Directory App ID for Jamf field, and then select Save.

    The Application ID is the ID of the Azure Enterprise app that was created in Azure when you set up a manual integration of Jamf Pro.

  6. Sign in to the Azure portal with an account that has Global Admin permissions, and go to Azure Active Directory > Enterprise applications.

    Locate the two Jamf apps and delete them. New applications will be automatically created when you configure the Jamf Cloud Connector in the next procedure.

    After you've disabled integration in Jamf Pro, and deleted the Enterprise applications, the Partner device management node displays the connection status of Terminated.

Now that you've successfully removed the manual configuration for Jamf Pro integration, you can set up integration using the Cloud Connector. To do so, see Configure the Cloud Connector for a new tenant in this article.

Configure the Cloud Connector for a new tenant

Use the following procedure to configure the Jamf Cloud Connector to integrate Jamf Pro and Microsoft Intune when:

  • You don't have any integration between Jamf Pro and Intune configured for your Azure tenant.
  • You already have a Cloud Connector set up between Jamf Pro and Intune in your Azure tenant and want to integrate an additional Jamf instance with your subscription.

If you currently have a manually configured integration between Intune and Jamf Pro, see Remove the Jamf Pro integration for a previously configured tenant in this article to remove that integration before proceeding. Removal of a manually configured integration is required before you can successfully set up the Jamf Cloud Connector.

Create a new connection

  1. Sign in to the Jamf Pro console.

  2. Select Settings (the gear icon in the upper right corner), and then go to Global Management > Conditional Access.

  3. Select Edit.

  4. Select the checkbox for Enable Intune Integration for macOS.

    • Select this setting to have Jamf Pro send inventory updates to Microsoft Intune.
    • You can deselect this setting to disable the connection but save your configuration.

    Important

    If Enable Intune Integration for macOS is already selected and the Connection Type is set to Manual, you must remove that integration before continuing. See Remove the Jamf Pro integration for a previously configured tenant in this article before continuing.

  5. Under Connection Type, select Cloud Connector.

  6. From the Sovereign Cloud pop-up menu, select the location of your Sovereign Cloud from Microsoft. If you're replacing your previous integration with the Jamf Cloud Connector, you can skip this step if the location has been specified.

  7. Select one of the following landing page options for computers that are not recognized by Microsoft Azure:

    • The Default Jamf Pro Device Registration page - Depending on the state of the macOS device, this option redirects users to either the Jamf Pro device enrollment portal (to enroll with Jamf Pro) or the Intune Company Portal app (to register with Azure AD).
    • The Access Denied page
    • Custom URL

    If you're replacing your previous integration with the Jamf Cloud Connector, you can skip this step if the landing page has been specified.

  8. Select Connect. You are redirected to register the Jamf Pro applications in Azure.

    When prompted, specify your Microsoft Azure credentials and follow the onscreen instructions to grant the requested permissions. You'll grant permissions for the Cloud Connector, and then again for the Cloud Connector user registration app. Both apps are registered in Azure as Enterprise Applications.

    After permissions are granted for both apps, the Application ID page opens.

  9. On the Application ID page, select Copy and open Intune.

    The Application ID is copied to your system clipboard for use in the next step, and the Partner device management node in the Microsoft Endpoint Manager admin center (Tenant administration > Partner device management) opens.

  10. On the Partner device management node, paste the Application ID into the Specify the Azure Active Directory App ID for Jamf field, and then select Save.

  11. Return to the Application ID page in Jamf Pro and select Confirm.

  12. Jamf Pro completes and tests the configuration and displays the success or failure of the connection on the Conditional Access settings page. The following image is an example of success:

  13. In the Microsoft Endpoint Manager admin center, refresh the Partner device management node. The connection should now show as Active:

When the connection between Jamf Pro and Microsoft Intune is successfully established, Jamf Pro sends inventory information to Microsoft Intune for each computer that is registered with Azure AD (registering with Azure AD is an end-user workflow). You can view the Conditional Access Inventory State for a user and a computer in the Local User Account category of a computer's inventory information in Jamf Pro.

After you integrate one instance of Jamf Pro by using the Jamf Cloud Connector, you can use this same procedure to configure additional instances of Jamf Pro with the same Intune subscription in your Azure tenant.

Set up compliance policies and register devices

After you configure integration between Intune and Jamf, you need to apply compliance policies to Jamf-managed devices.


Disconnect Jamf Pro and Intune

Should you need to remove integration of Jamf Pro with Intune, use the following steps to remove the connection from within the Jamf Pro console. This information applies both to the Cloud Connector and to a manually configured integration.

  1. In Jamf Pro, go to Global Management > Conditional Access. On the macOS Intune Integration tab, select Edit.

  2. Clear the Enable Intune Integration for macOS check box.

  3. Select Save. Jamf Pro sends your configuration to Intune and the integration is terminated.

  4. Sign in to the Microsoft Endpoint Manager admin center.

  5. Select Tenant administration > Connectors and tokens > Partner device management to verify that the status is now Terminated.

    Note

    Your organization's Mac devices will be removed at the date (3 months) shown in your console.

Get support for the Cloud Connector

Because the Cloud Connector automatically creates the Azure Enterprise apps necessary for integration, your first point of contact for support should be Jamf. Options include:

  • Email support at support@jamf.com
  • Use the support portal at Jamf Nation: https://www.jamf.com/support/

Prior to contacting support:

  • Review the Prerequisites, such as the ports and the product version you use.

  • Confirm that permissions for the following two Jamf Pro apps created in Azure have not been modified. Changes to the app permissions are not supported by Intune and can cause integration to fail.

    Cloud Connector user registration app:

    • API Name: Microsoft Graph
      • Permission: Sign in and read user profile
      • Type: Delegated
      • Granted through: Admin consent
      • Granted by: An administrator

    Cloud Connector app:

    • API Name: Microsoft Graph (instance 1)
      • Permission: Sign in and read user profile
      • Type: Delegated
      • Granted through: Admin consent
      • Granted by: An administrator

    • API Name: Microsoft Graph (instance 2)
      • Permission: Read directory data
      • Type: Application
      • Granted through: Admin consent
      • Granted by: An administrator

    • API Name: Intune API
      • Permission: Send device attribute to Microsoft Intune
      • Type: Application
      • Granted through: Admin consent
      • Granted by: An administrator
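Because any change to these grants is unsupported, the useful operational check is a drift comparison between what the two apps hold today and the baseline above. The following script is an added example, not Jamf's or Microsoft's code. It assumes the observed grants have been copied from each Enterprise application's Permissions blade into the same (API, permission, type) shape; the `SAMPLE_OBSERVED` data is constructed for illustration and is not from the page. The report separates removals, additions (scope creep) and Delegated/Application type changes, so the reader of the report sees what actually changed rather than two confusing list differences.

```python
"""Drift check for the two Azure Enterprise apps the Cloud Connector creates.

Added example (not Jamf's or Microsoft's code). EXPECTED is the baseline from
the support checklist; observed entries are assumed to be copied by an admin
from each app's Permissions blade into (api, permission, type) tuples.
"""

EXPECTED = {
    "Cloud Connector user registration app": {
        ("Microsoft Graph", "Sign in and read user profile", "Delegated"),
    },
    "Cloud Connector app": {
        ("Microsoft Graph", "Sign in and read user profile", "Delegated"),
        ("Microsoft Graph", "Read directory data", "Application"),
        ("Intune API", "Send device attribute to Microsoft Intune", "Application"),
    },
}

# Constructed sample of what an admin might find in the portal: one app has
# gained an extra write permission and lost the Intune API grant, the other
# has had its permission type flipped. Neither state is supported.
SAMPLE_OBSERVED = {
    "Cloud Connector app": [
        ("Microsoft Graph", "Sign in and read user profile", "Delegated"),
        ("Microsoft Graph", "Read directory data", "Application"),
        ("Microsoft Graph", "Read and write directory data", "Application"),
    ],
    "Cloud Connector user registration app": [
        ("Microsoft Graph", "Sign in and read user profile", "application"),
    ],
}


def normalize(entry):
    """Canonical (api, permission, type): trimmed, single-spaced, type capitalised."""
    api, permission, ptype = entry
    return (api.strip(), " ".join(permission.split()), ptype.strip().capitalize())


def diff_permissions(app_name, observed):
    """Compare observed grants for app_name against EXPECTED.

    Returns 'missing' (expected but absent), 'unexpected' (granted but not in
    the baseline) and 'type_changed' (same API and permission, different
    Delegated/Application type), each as a sorted list.
    """
    expected = EXPECTED[app_name]
    seen = {normalize(e) for e in observed}
    missing = expected - seen
    unexpected = seen - expected
    # A type change would otherwise appear as one missing plus one unexpected
    # entry with the same (api, permission); pair those up and report them once.
    type_changed = set()
    for api, perm, ptype in list(missing):
        for u_api, u_perm, u_type in list(unexpected):
            if (api, perm) == (u_api, u_perm):
                type_changed.add((api, perm, ptype, u_type))
                missing.discard((api, perm, ptype))
                unexpected.discard((u_api, u_perm, u_type))
    return {
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
        "type_changed": sorted(type_changed),
    }


def is_clean(report):
    """True when the app still matches the supported baseline exactly."""
    return not (report["missing"] or report["unexpected"] or report["type_changed"])


if __name__ == "__main__":
    for app, observed in SAMPLE_OBSERVED.items():
        report = diff_permissions(app, observed)
        print(f"{app}: {'matches baseline' if is_clean(report) else 'DRIFT'}")
        for kind, entries in report.items():
            for entry in entries:
                print(f"  {kind}: {entry}")
```

Run it after each portal review, or wire the observed lists to whatever export your tenant already produces; any non-empty section in the report is the thing to mention when contacting Jamf.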

Common questions about the Jamf Cloud Connector

What data is shared via the Cloud Connector?

The Cloud Connector authenticates with Microsoft Azure and sends device inventory data from Jamf Pro to Azure. In addition, the Cloud Connector manages service discovery in Azure, token exchange, communication errors, and disaster recovery.

Where is device inventory data stored?

Device inventory data is stored in the Jamf Pro database.

What credentials are stored?

No credentials are stored. When configuring the Cloud Connector, admins must consent to adding the Jamf multi-tenant app and the native macOS connector app to their Azure AD tenant. Once the multi-tenant application is added, the Cloud Connector requests access tokens to interact with the Azure API. Application access can be revoked in Microsoft Azure at any time to restrict access.

How is data encrypted?


The Cloud Connector uses Transport Layer Security (TLS) for data sent between Jamf Pro and Microsoft Azure.

How does Jamf know which device is associated with which instance of Jamf Pro?

Jamf Pro uses microservices in AWS to correctly route the device information to the correct instance.

Can I switch from using the Cloud Connector to the Manual connection type?

Yes. You can change the connection type back to manual and follow the steps for manual setup. If you have questions, they should be directed to Jamf for assistance.

Permissions were modified on one or both required apps (Cloud Connector and Cloud Connector user registration app) and registration is not working, is this supported?

Modifying the permissions on the apps is not supported.

Is there a log file in Jamf Pro that shows if the Connection Type has been changed?

Yes, the changes are logged to the JAMFChangeManagement.log file. To view the Change Management logs, log in to Jamf Pro, go to Settings > System Settings > Change Management > Logs, search Object type for Conditional Access, and then click Details to view the changes.

Push Certificates (Jamf Pro Admin Guide)

Jamf Pro requires a valid push certificate to communicate with Apple Push Notification service (APNs). This communication is required to do the following:

  • Send macOS configuration profiles and macOS remote commands to computers.

  • Distribute Mac App Store apps to computers.

  • Enroll and manage iOS devices.

An assistant in Jamf Pro guides you through the following steps to create a new push certificate (.pem) and upload it to Jamf Pro:

  1. Obtain a signed certificate signing request (CSR) from Jamf Nation.

  2. Create the push certificate in Apple’s Push Certificates Portal by logging into the portal, uploading the signed CSR obtained from Jamf Nation, and downloading the resulting push certificate.

  3. Upload the push certificate to Jamf Pro.

If you have a push certificate in .p12 format, you do not have to create a new one. You can simply upload the .p12 file to Jamf Pro.

You can also use Jamf Pro to renew your push certificate when needed.

Note: Uploading a push certificate to Jamf Pro automatically enables the Enable Push Notifications setting in Jamf Pro. For more information, see Security Settings.

To create or renew a push certificate, you need:

  • A valid Jamf Nation account
    To create a Jamf Nation account, go to:
    https://www.jamf.com/jamf-nation/users/new

  • A valid Apple ID (A corporate Apple ID is recommended.)
    If you are renewing a push certificate that was originally obtained from Apple’s iOS Developer Program (iDEP), you must use the Apple ID for the iDEP Agent account used to obtain the certificate.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Push Certificates.

  5. Click New and do one of the following:

    • If the server hosting Jamf Pro has an outbound connection, select Download signed CSR from Jamf Nation.
      Jamf Pro connects to Jamf Nation over port 443 and obtains the signed CSR.

    • If the server hosting Jamf Pro does not have an outbound connection, select Download CSR and sign later using Jamf Nation.

  6. Follow the onscreen instructions to create and upload the push certificate (.pem).

If you have a push certificate that’s in .p12 format, you can upload it to Jamf Pro.

Note: You will only have a push certificate in .p12 format if the CSR used to create the certificate was not issued by Jamf Pro.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Push Certificates.

  5. Click New.

  6. Select Upload push certificate (.p12).

  7. Follow the onscreen instructions to upload the push certificate.

Important: It is recommended that you do not delete the existing push certificate from Jamf Pro when renewing a push certificate.

Renewing the push certificate

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Push Certificates.

  5. Click the push certificate, and then click Renew.

  6. Choose a method for renewing the push certificate:

    • If the server hosting Jamf Pro has an outbound connection, select Download signed CSR from Jamf Nation.
      Jamf Pro connects to Jamf Nation over port 443 and obtains the signed CSR.

    • If the server hosting Jamf Pro does not have an outbound connection, select Download CSR and sign later using Jamf Nation.

    • If you have a new push certificate in .p12 format, select Upload push certificate (.p12).

  7. Follow the onscreen instructions to renew the push certificate.
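Renewal only helps if it happens before the certificate expires, and the guide leaves the timing to the admin. The script below is an added example, not part of the Jamf Pro Admin Guide: it reads the notAfter date of a push certificate, either a .pem or a .p12, using the `openssl` command-line tool (assumed to be installed), computes the days remaining, and reports whether the certificate is inside an assumed 30-day renewal window. The .p12 password is handed to openssl through the environment rather than on the command line so it does not appear in the process list. The date string in the test data is constructed for illustration.

```python
"""Push certificate expiry check for Jamf Pro.

Added example, not from the Jamf Pro Admin Guide. Reads the notAfter date of
a push certificate (.pem directly, or .p12 via the openssl CLI, which is
assumed to be installed) and reports whether it is inside the renewal window.
"""
import os
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumed renewal window; tune to your change calendar


def parse_not_after(openssl_output):
    """Parse the 'notAfter=Mar 10 12:00:00 2025 GMT' line printed by
    'openssl x509 -noout -enddate' into a timezone-aware UTC datetime."""
    line = next(l for l in openssl_output.splitlines() if l.startswith("notAfter="))
    seconds = ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(not_after, now=None):
    """Days (float) until not_after; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


def renewal_status(days, warn_days=WARN_DAYS):
    """Classify the remaining lifetime: EXPIRED, RENEW (inside the window) or OK."""
    if days <= 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW"
    return "OK"


def read_not_after(path, password=""):
    """Return notAfter for a .pem or .p12 push certificate file via openssl.

    For .p12 files the password is passed with -passin env:P12PASS so it is not
    visible in the process list the way a 'pass:' argument would be.
    """
    if path.lower().endswith(".p12"):
        env = dict(os.environ, P12PASS=password)
        pem = subprocess.run(
            ["openssl", "pkcs12", "-in", path, "-nokeys", "-clcerts", "-passin", "env:P12PASS"],
            check=True, capture_output=True, env=env,
        ).stdout
    else:
        with open(path, "rb") as fh:
            pem = fh.read()
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, check=True, capture_output=True)
    return parse_not_after(out.stdout.decode())


if __name__ == "__main__":
    # Usage: python check_push_cert.py <cert.pem|cert.p12> [p12-password]
    cert_path = sys.argv[1]
    p12_password = sys.argv[2] if len(sys.argv) > 2 else ""
    expiry = read_not_after(cert_path, p12_password)
    days = days_remaining(expiry)
    print(f"{cert_path}: expires {expiry.isoformat()} ({days:.1f} days) -> {renewal_status(days)}")
    raise SystemExit(0 if renewal_status(days) == "OK" else 1)
```

Scheduling this against the certificate file you keep alongside the Jamf Pro upload gives a warning well before the date the Jamf Pro console shows, and the non-zero exit status can feed an existing alerting job.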

Deleting the push certificate

Deleting the push certificate from Jamf Pro disables communication between Jamf Pro and APNs. This prevents Jamf Pro from sending macOS configuration profiles and macOS remote commands to computers, and managing iOS devices. In addition, without a push certificate, Mac App Store apps cannot be distributed to computers. To restore these capabilities, you must create a new push certificate, and then re-enroll your computers and mobile devices with Jamf Pro.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click Push Certificates.

  5. Click the push certificate and click Delete. Then click Delete again to confirm.

For related information, see the following sections in this guide:

  • Security Settings
    Find out how to enable certificate-based authentication and push notifications so you can send macOS configuration profiles and macOS remote commands to managed computers.

  • PKI Certificates
    Learn how to configure public key infrastructure certificates to ensure secure communication with APNs.

For related information, see the following Knowledge Base article:

  • Network Ports Used by Jamf Pro
    Find out which ports Jamf Pro uses to communicate with APNs.