Let’s Get Conditional - Jamf and Company Portal.app Registration Deconstructed (Part 2 - Server Side)

This is the third of a multi-part series about the macOS Intune and Azure AD integration for inventory data and Conditional Access with Jamf Pro.

This post explains the server side of the macOS device registration that an end user performs to start the inventory data sync for Conditional Access, and what the Jamf Pro server does with the data the client generates.

TL;DR: The macOS device runs a Jamf Pro policy that posts the AAD ID data to Jamf Pro, and Jamf Pro then posts that data to Azure.

The inventory data shared to Azure AD is detailed in this tech paper from Jamf. Once that data is received, the values relevant to the compliance calculation are used by the compliance engine in Intune to evaluate compliance.

Under the hood of the inventory data post/send:

In this example we will see the following on screen and in the logs. The steps play out in this order (for the manual connection type discussed here):

  1. Jamf Pro receives the data sent from the client. This shows up in the log as the entry “COM_JAMFSOFTWARE_JAMF_AADIDSUBMISSIONREQUEST”.

  2. AADIdSubmissionAction takes in the client data.

  3. The token data is extracted.

  4. The Computer record is updated in MySQL, and the JSON of the inventory data shared to Azure AD (as described in the tech paper) is generated.

  5. A communication token is spun up for the Microsoft transmission.

  6. The connection is made.

  7. The data is posted with the Graph API.

In the case of the Cloud Connector connection type discussed here, steps 5, 6, and 7 are different: Jamf Pro sends the data to the Jamf Cloud Connector, and the connector acts as the broker to Azure, so Jamf Pro itself no longer performs steps 5, 6, and 7.

After registration and the client data send we can look at the AAD ID info that was sent to Jamf Pro for a given registered user.


The other area in the Jamf Pro GUI that is helpful is the data sent by the integration. This will show the last sent data from Jamf Pro to Azure.


In the server logs we see log entries like this during the data gather and start of the inventory post to Azure.

JAMFSoftwareServer.log:

2020-01-13 20:09:44,384 [DEBUG] [Thread-78 ] [lientCommunicationServlet] - Processing action, commandType=COM_JAMFSOFTWARE_JAMF_AADIDSUBMISSIONREQUEST

2020-01-13 20:09:44,384 [DEBUG] [Thread-78 ] [AADIdSubmissionAction ] - processing AAD ID submission for computer id = 5

2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [AADIdSubmissionAction ] - Extracted AAD Token: TokenAadInfo[deviceAadId=XXXX,userAadId=XXXX,tenantId=XXXX,issuedAtTime=Mon Jan 13 20:04:43 CST 2020]

2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [Computer ] - Adding new AAD Id. User AAD Id: XXXX Device AAD Id: XXXX

2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [ComputerHelper ] - Updating AAD ID info for computer id = 5

2020-01-13 20:09:44,431 [DEBUG] [Thread-78 ] [InventoryService ] - 1 inventories added

2020-01-13 20:09:44,777 [DEBUG] [duledPool-1] [InventoryQueue ] - MS intune integration inventory update: 1 inventories taken from queue, 0 left in queue
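To make the log excerpt above actionable, here is an added example (not Jamf code) that parses these JAMFSoftwareServer.log DEBUG lines, groups them per worker thread into one record per COM_JAMFSOFTWARE_JAMF_AADIDSUBMISSIONREQUEST, pulls the TokenAadInfo fields apart, and reports how old the submitted token was when Jamf Pro processed it, which is useful when a registration looks stuck or a stale token is suspected. The sample log is constructed from the redacted excerpt with placeholder GUIDs, the 600 second staleness threshold is an arbitrary example value, and the code assumes the log timestamps and the issuedAtTime are rendered in the same (JVM default) time zone.

```python
"""Trace a Company Portal AAD ID submission through JAMFSoftwareServer.log.

Added example, not Jamf code: parses the DEBUG lines shown on the page, groups
them per worker thread into one record per AADIDSUBMISSIONREQUEST, extracts the
TokenAadInfo fields and checks how old the token was when Jamf Pro processed it.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt above. The GUIDs are placeholders,
# not values from any real tenant.
SAMPLE_LOG = """\
2020-01-13 20:09:44,384 [DEBUG] [Thread-78 ] [lientCommunicationServlet] - Processing action, commandType=COM_JAMFSOFTWARE_JAMF_AADIDSUBMISSIONREQUEST
2020-01-13 20:09:44,384 [DEBUG] [Thread-78 ] [AADIdSubmissionAction ] - processing AAD ID submission for computer id = 5
2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [AADIdSubmissionAction ] - Extracted AAD Token: TokenAadInfo[deviceAadId=aaaaaaaa-0000-4000-8000-000000000001,userAadId=bbbbbbbb-0000-4000-8000-000000000002,tenantId=cccccccc-0000-4000-8000-000000000003,issuedAtTime=Mon Jan 13 20:04:43 CST 2020]
2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [Computer ] - Adding new AAD Id. User AAD Id: bbbbbbbb-0000-4000-8000-000000000002 Device AAD Id: aaaaaaaa-0000-4000-8000-000000000001
2020-01-13 20:09:44,405 [DEBUG] [Thread-78 ] [ComputerHelper ] - Updating AAD ID info for computer id = 5
2020-01-13 20:09:44,431 [DEBUG] [Thread-78 ] [InventoryService ] - 1 inventories added
2020-01-13 20:09:44,777 [DEBUG] [duledPool-1] [InventoryQueue ] - MS intune integration inventory update: 1 inventories taken from queue, 0 left in queue
"""

# Log layout: timestamp [LEVEL] [thread] [logger] - message. The thread and
# logger columns are fixed width and long logger names are cut from the left
# ("lientCommunicationServlet"), so never match on an exact logger name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<level>\w+)\] "
    r"\[(?P<thread>[^\]]*)\] \[(?P<logger>[^\]]*)\] - (?P<msg>.*)$"
)
COMPUTER_RE = re.compile(r"computer id = (\d+)")
TOKEN_RE = re.compile(r"TokenAadInfo\[(?P<body>[^\]]*)\]")
INVENTORY_RE = re.compile(r"(\d+) inventories added")
QUEUE_RE = re.compile(r"(\d+) inventories taken from queue, (\d+) left in queue")
# java.util.Date.toString() output, e.g. "Mon Jan 13 20:04:43 CST 2020"
JAVA_DATE_RE = re.compile(r"^\w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})$")
SUBMISSION_CMD = "COM_JAMFSOFTWARE_JAMF_AADIDSUBMISSIONREQUEST"


def parse_log_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")


def parse_java_date(text):
    """Parse Date.toString() output. The zone abbreviation is dropped: the log
    timestamps and issuedAtTime are both rendered in the JVM default zone
    (assumption), so the two can be subtracted as naive datetimes."""
    m = JAVA_DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised issuedAtTime: {text!r}")
    stamp, _zone, year = m.groups()
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def parse_token(body):
    """Split 'deviceAadId=...,userAadId=...,tenantId=...,issuedAtTime=...'."""
    fields = dict(kv.split("=", 1) for kv in body.split(","))
    fields["issuedAt"] = parse_java_date(fields["issuedAtTime"])
    return fields


def trace_submissions(log_text, max_token_age_s=600):
    """Return one record per AAD ID submission plus the inventory queue drains."""
    by_thread = {}
    queue_drains = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_log_ts(m["ts"])
        q = QUEUE_RE.search(m["msg"])
        if q:
            queue_drains.append({"at": ts, "taken": int(q[1]), "left": int(q[2])})
        by_thread.setdefault(m["thread"].strip(), []).append((ts, m["msg"]))

    submissions = []
    for thread, events in by_thread.items():
        current = None
        # Servlet threads are reused, so every commandType line starts a new record.
        for ts, msg in events:
            if SUBMISSION_CMD in msg:
                current = {"thread": thread, "started_at": ts, "computer_id": None,
                           "token": None, "inventories_added": 0}
                submissions.append(current)
                continue
            if current is None:
                continue
            c = COMPUTER_RE.search(msg)
            if c and current["computer_id"] is None:
                current["computer_id"] = int(c[1])
            t = TOKEN_RE.search(msg)
            if t:
                tok = parse_token(t["body"])
                age = (ts - tok["issuedAt"]).total_seconds()
                tok["ageSeconds"] = age
                tok["stale"] = age > max_token_age_s  # example threshold
                current["token"] = tok
            i = INVENTORY_RE.search(msg)
            if i:
                current["inventories_added"] += int(i[1])
    return {"submissions": submissions, "queue_drains": queue_drains}


if __name__ == "__main__":
    for s in trace_submissions(SAMPLE_LOG)["submissions"]:
        tok = s["token"]
        print(f"computer {s['computer_id']} on {s['thread']}: tenant {tok['tenantId']}, "
              f"token age {tok['ageSeconds']:.0f}s, stale={tok['stale']}, "
              f"inventories added {s['inventories_added']}")
```

Run it against a real JAMFSoftwareServer.log (with DEBUG logging enabled) to confirm each registration produced exactly one submission record with a token and a non-zero inventory count; a record with a token but zero inventories added, or an inventory queue that never drains, points at where in the pipeline the registration stalled.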

Once the inventory post to Azure (or to the Cloud Connector and then Azure) completes, we can go and see the shell record created by Company Portal.app during the client-side process now filled in with data.

Completed device record in Azure.


Completed device record details in Azure.


Previous

Let’s Get Conditional - UPN Pre-fill and jamfAAD

Next

Let’s Get Conditional - Jamf and Company Portal.app Registration Deconstructed (Part 1 - Client Side)