Skip to main content

Jamf Connect Menu Bar Password Change Window mot Passing Device Compliance with Entra ID

Updated this week

Description

When opening the Jamf Connect password change window, if that sign on is behind a Conditional Access policy that requires device compliance, the user will be blocked from logging in even if the device is compliant. This can be resolved by leveraging the Microsoft Enterprise SSO extension.

Note - In this article, Jamf Connect menu bar refers to settings configured with the com.jamf.connect preference domain. It applies to Jamf Connect menu bar versions 2.x as well as Self Service+ menu bar and/or Self Service+ Account management dashboard.

Understanding the Issue

When a user attempts to access a resource in Entra ID, Entra ID checks all conditional access policies in front of that resource (scoped to the specific user), and enforces those requirements. If a resource is behind a conditional access policy that requires device compliance, Entra ID will request the device identify itself by providing a certificate with the device’s ID for Entra in it. This certificate is referred to as the Workplace Join Certificate, or WPJ certificate for short.

If Entra does not receive the WPJ certificate, it will not be able to identify the device, and assumes it is an unregistered device.

There are some scenarios where a device may be registered with Entra ID, but for one reason or another, it could fail to provide the WPJ certificate during an authentication attempt, resulting in Entra ID prompting the user to register their device.

Entra ID will return an error code 530003when it does not receive the WPJ certificate, as this is the error code for unregistered/unrecognized devices attempting to access a resource that is behind a conditional access policy requiring device compliance.

Using the Entra SSO Extension

Jamf Connect's change password functionality leverages a native apple web view. By default, this web view does not know how to request access to the Workplace Join keychain item. While native Apple web views do not have the capability to directly ask for the WPJ certificate, they do support the Microsoft Enterprise SSO extension which redirects all authentication requests to Entra ID to the Company Portal app. Company Portal will then automatically complete the sign in request. Because the authentication request is now handled by Company Portal, the WPJ certificate is passed in the request!

Configure the SSO extension and allow com.jamf. and com.jamfsoftware. as an allowed app prefix:

https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune?tabs=prereq-jamf-pro%2Ccreate-profile-intune

Custom plist: 

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>

Related Articles
Deploying Privilege Elevation Settings From Jamf Connect
Standardized Introduction Workflow for Jamf Connect Menu Bar
Change Password with Okta Device Trust Certificate and off-VPN/off-site
How to Display the Bluetooth Icon in the Menu Bar for Computers using Jamf Pro
Can Jamf School disable incognito for Google Chrome for iOS devices?
Did this answer your question?