Greetings Techies, I trust you’re doing fantastic! Today, I would like to dive into the topic of how we can effectively set up Partner Compliance Management through Intune. In this discussion, we will explore the significance of the compliance policy on macOS devices and discover how to partner with Intune as a third-party compliance management tool to manage the organisation’s devices.
In today’s ever-evolving digital landscape, it is essential to prioritise endpoint security and protection to safeguard against cyber threats. Compliance is crucial in achieving this objective, as it ensures that devices remain safe and secure from potential cyberattacks and malicious activities. Admins take these measures to create a safer and more secure digital environment for all employees in the Organisation.
To learn more about macOS compliance policies, I highly recommend checking out my previous article: How to Configure Compliance Policy for Intune-managed macOS Devices. It contains valuable information that can help you stay up-to-date with the latest security practices and keep your devices secure.
This article provides valuable insights into how organisations can benefit from integrating Microsoft Intune with MDM platforms such as Jamf, VMware Workspace ONE, and MobileIron. By doing so, businesses can leverage Intune’s advanced compliance management features and ensure better device management. This integration can help organisations streamline device management while maintaining compliance with specific security standards.
If you’re interested in making the most of Microsoft Intune for managing Apple devices, I recommend checking out my previous article on the Best method to install fonts on macOS through Intune. It explains how organisations can deploy their standard fonts to Mac devices using Intune to provide a better user experience.
If you’ve been following my articles about managing macOS devices with Microsoft Intune MDM Solution, you’re probably aware of its benefits. I invite you to explore my other posts on the matter to broaden your knowledge by checking out all my posts here.
I would also like to talk about my video on upgrading to macOS Sonoma and introduce some new features that can streamline your work process and help users achieve better results in less time, improving end-user productivity.
Third-Party Device Compliance
Integrating with third-party device compliance partners is a great way to enhance the capabilities of Microsoft Intune. By working with these partners, we can collect additional compliance state data that can be used to create more robust conditional access policies in the Intune Portal.
This, in turn, helps to strengthen the organisation’s security posture and better protect end-users’ data. Microsoft Entra ID (Formerly known as Microsoft Azure) serves as a central repository for this data, making it easy to manage and analyse.
Supported Device Compliance Partners
As we have a range of compliance partners available for Intune integration, let us review the list of supported partners below.
- Addigy
- BlackBerry UEM
- Citrix Workspace device compliance
- IBM MaaS360
- JAMF Pro
- MobileIron Device Compliance Cloud
- MobileIron Device Compliance On-prem
- SOTI MobiControl
- VMware Workspace ONE UEM (formerly AirWatch)
Supported OS platforms for Device Compliance
Third-party device compliance partners are supported on the following platforms:
- Android
- iOS/iPadOS
- macOS
Steps to Enable Third-party Device Compliance
As we know, Intune is a Mobile Device Management (MDM) tool for managing devices. However, we can extend its capabilities by adding a compliance partner to Microsoft Entra ID and Intune. This allows devices assigned to that partner (through a user group) to be managed by the partner, while the partner’s data is used to improve device compliance.
To enable this feature, you need to complete the following essential tasks:
- Configure Intune to work with the device compliance partner.
- Configure the compliance partner to send data to Intune.
- Enrol your devices to your device compliance partner.
Once these tasks are complete, the device compliance partner will send device state details to Intune, which will add this information to Microsoft Entra ID. If a device is in a non-compliant state, its status will be added to its device record in Microsoft Entra ID.
Conditional access policies will evaluate the compliance state stored in Microsoft Entra ID, the same as compliance state data for devices managed by Intune. Intune is a registered compliance partner for iOS and Android by default, but you can add more partners and set the priority order to ensure that the correct partner manages the device to fit your business needs. This will help you manage your devices more efficiently and ensure device compliance.
Prerequisites to Enable Partner Compliance Management
Before configuring the settings, let us check the prerequisites:
- A subscription to Microsoft Intune and access to Intune Portal.
- Device users must be assigned a license for Intune.
- A subscription to the device compliance partner.
- Review documentation for your compliance partner for supported device platforms and that partner’s prerequisites.
Steps to Configure Intune to Work with a Device Compliance Partner
In this part, we will configure Intune to allow a device compliance partner to use its compliance state data with your conditional access policies, by following the steps below:
- Sign in to the Microsoft Intune Admin Center: https://endpoint.microsoft.com/.
- Select Tenant Administration > Connectors and Tokens > Partner Compliance management > Click on Add Compliance Partner.
After clicking the Add Compliance Partner button, select the compliance partner from the list of available partners. Select macOS as the Platform and click Next to move further.
On the next page, under the Assignments tab (Included groups), select the particular group (where all the MDM-managed device owners must be present), and click Next.
To create a security group in Intune, follow these steps: in the Intune Portal, click Groups > All Groups > New Group. Note that the group’s unique Object ID is required later when configuring Enterprise Applications in the Entra ID (Formerly known as Microsoft Azure) Portal.
On the Review+create page, please review if any settings need to be changed, or else go ahead and create the Compliance Partner successfully.
To complete the integration, the partner configuration must be initiated from the MDM platform’s Admin Portal after the compliance partner has been created in Intune. Until the configuration is completed on the other MDM portal, the compliance partner status in the Intune portal will show as “Pending”.
As we have chosen to use the JAMF MDM platform, the next step would be to initiate the configuration in the Jamf Pro Portal under Settings > Global > Device Compliance, as shown below.
To enable conditional access on devices managed by your organization, it is important to grant Intune (Microsoft) adequate permissions to access the relevant app and user profile data. This helps ensure seamless and secure access to organizational resources for end-users.
You can get the details to Integrate Jamf Pro with Microsoft Intune to report device compliance to Microsoft Entra ID here: https://learn.microsoft.com/en-us/mem/intune/protect/jamf-managed-device-compliance-with-entra-id#connect-jamf-pro-to-intune
Check Connector Status
To ensure that the integration with the other MDM platform is working smoothly and the daily sync is happening without issues, check the connector status. In the Intune Portal, go to Tenant Administration > Tenant Status > Connector Status.
Steps to monitor third-party managed device compliance status
Since we have recently integrated Intune as a compliance management tool into the organization’s environment, Admins need to add an extra step to the device enrollment process to ensure they can monitor device compliance properly.
For example, If a device is enrolled through JAMF Pro, the user must complete an additional step to register their Mac device in Intune using its client app, called Company Portal. Admins make this app and registration available using the Self Service feature in JAMF Pro.
Once the registration in Intune is complete, admins can easily monitor the device compliance status of end-users. Our partner will transmit the compliance details to Intune, and these will be displayed in the Microsoft Entra ID portal. This will give admins better control and visibility over the organization-managed devices.
The list of end-users can be found in the Microsoft Entra ID (Formerly known as Microsoft Azure) Portal > Devices > All Devices.
End User Awareness
To ensure a smooth end-user experience, Admins should make users aware of the registration process, why it is required in the environment, how it works, and a clear timeline for complying with the policy. It is also important to remind users to register their devices using the JAMF Self Service app rather than the Microsoft Company Portal app directly, to avoid any errors.
Note that devices managed with Jamf will not appear in Intune’s device list, because Jamf has been added as a compliance partner, not as an MDM platform. After users have registered their devices in Microsoft Entra ID (Formerly known as Microsoft Azure), the device’s initial state will show as “Not Compliant.”
The device’s compliance status is only updated when the Jamf Pro computer smart group configured for Compliance changes. The status is then sent through the Intune Connector to Microsoft Entra ID (Formerly known as Microsoft Azure).
The frequency of updates to the Microsoft Entra device information therefore depends on how often the Compliance computer smart group in Jamf changes. By following these guidelines, Admins can ensure that end-users have a hassle-free experience while staying compliant with the organisation’s policy.
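Because a Jamf-registered Mac starts out as “Not Compliant” and only changes once the Compliance smart group syncs, it helps to tell apart Macs that are simply waiting for their first partner sync from Macs that have stayed non-compliant. The following script is an added example (not from this article or from Microsoft/Jamf): it reads device objects from the Microsoft Graph `GET /v1.0/devices` endpoint and groups Mac devices accordingly. The grace period of 24 hours, the assumption that Mac operating system strings start with “Mac”, and the sample device records are constructed for illustration.

```python
"""Audit partner-reported Mac compliance in Microsoft Entra ID (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Graph device objects expose these properties; only the fields we need are selected.
GRAPH_DEVICES = ("https://graph.microsoft.com/v1.0/devices?$select="
                 "displayName,operatingSystem,isCompliant,isManaged,registrationDateTime")


def fetch_devices(access_token):
    """Fetch all device objects from Graph, following @odata.nextLink paging."""
    url, devices = GRAPH_DEVICES, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def _parse_ts(ts):
    """Graph returns ISO 8601 timestamps with a trailing Z (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_mac_compliance(devices, now, grace_hours=24):
    """Group Mac devices into compliant, awaiting first partner sync, or overdue."""
    result = {"compliant": [], "awaiting_sync": [], "overdue": []}
    cutoff = now - timedelta(hours=grace_hours)
    for d in devices:
        # Assumption: Entra reports Mac devices with an OS string starting with "Mac".
        if not (d.get("operatingSystem") or "").lower().startswith("mac"):
            continue
        name = d.get("displayName", "<unnamed>")
        if d.get("isCompliant"):
            result["compliant"].append(name)
        elif _parse_ts(d["registrationDateTime"]) > cutoff:
            result["awaiting_sync"].append(name)  # registered recently, sync may be pending
        else:
            result["overdue"].append(name)        # non-compliant well past the grace period
    return result


# Constructed sample records in the shape Graph returns (not real devices).
SAMPLE_NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"displayName": "mac-001", "operatingSystem": "MacMDM", "isCompliant": True,
     "registrationDateTime": "2024-04-20T09:00:00Z"},
    {"displayName": "mac-002", "operatingSystem": "MacMDM", "isCompliant": False,
     "registrationDateTime": "2024-05-02T10:30:00Z"},
    {"displayName": "mac-003", "operatingSystem": "MacMDM", "isCompliant": False,
     "registrationDateTime": "2024-04-01T08:00:00Z"},
    {"displayName": "win-004", "operatingSystem": "Windows", "isCompliant": False,
     "registrationDateTime": "2024-04-01T08:00:00Z"},
]

if __name__ == "__main__":
    print(json.dumps(audit_mac_compliance(SAMPLE_DEVICES, SAMPLE_NOW), indent=2))
```

Devices in the “overdue” bucket are the ones to investigate first, since for them the Jamf Compliance smart group has either not included the Mac or the connector sync is not reaching Entra ID.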
Conclusion
The article highlights the importance of device security and compliance in the current era. With platforms integrating together, it is now possible to develop a robust strategy to ensure devices are compliant, upgraded on time, and the organizational environment is secure.
This approach holds immense value as it enables businesses to maintain a safe and secure working environment for all employees, ultimately leading to better productivity and growth.
Author
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his Apple Mac Devices Support knowledge. He is an M.Tech graduate in System Engineering.