Description
When opening the Jamf Connect password change window, if that sign-on is behind a Conditional Access policy that requires device compliance, the user will be blocked from logging in even if the device is compliant. This can be resolved by leveraging the Microsoft Enterprise SSO extension.
Note - In this article, Jamf Connect menu bar refers to settings configured with the com.jamf.connect preference domain. It applies to Jamf Connect menu bar versions 2.x as well as Self Service+ menu bar and/or Self Service+ Account management dashboard.
Understanding the Issue
When a user attempts to access a resource in Entra ID, Entra ID checks all conditional access policies in front of that resource (scoped to the specific user) and enforces their requirements. If a resource is behind a conditional access policy that requires device compliance, Entra ID will request that the device identify itself by presenting a certificate that contains the device's Entra ID device identifier. This certificate is referred to as the Workplace Join certificate, or WPJ certificate for short.
If Entra does not receive the WPJ certificate, it will not be able to identify the device, and assumes it is an unregistered device.
There are some scenarios where a device may be registered with Entra ID, but for one reason or another, it could fail to provide the WPJ certificate during an authentication attempt, resulting in Entra ID prompting the user to register their device.
Entra ID will return error code 530003 when it does not receive the WPJ certificate, as this is the error code for unregistered/unrecognized devices attempting to access a resource that is behind a conditional access policy requiring device compliance.
Using the Entra SSO Extension
Jamf Connect's change password functionality leverages a native Apple web view. By default, this web view does not know how to request access to the Workplace Join keychain item. While native Apple web views cannot directly ask for the WPJ certificate, they do support the Microsoft Enterprise SSO extension, which redirects all authentication requests destined for Entra ID to the Company Portal app. Company Portal then automatically completes the sign-in request. Because the authentication request is now handled by Company Portal, the WPJ certificate is passed along with the request.
Configure the SSO extension and add com.jamf. and com.jamfsoftware. as allowed app prefixes:
Custom plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>
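The following check is an added example, not code from Jamf or Microsoft: it parses an Enterprise SSO extension data plist like the one above and reports whether the two Jamf prefixes and the two flags the article sets are present, so a misconfigured payload can be caught before it reaches devices. Both sample plists are constructed here; the required values are taken from the article.

```python
import plistlib

# Bundle-ID prefixes the Jamf Connect password-change web view runs under (from the article).
REQUIRED_PREFIXES = ("com.jamf.", "com.jamfsoftware.")
# Settings the article pairs with the allow list.
REQUIRED_FLAGS = {"browser_sso_interaction_enabled": 1, "disable_explicit_app_prompt": 1}


def check_sso_extension_config(plist_bytes: bytes) -> list:
    """Return findings for an SSO extension data plist; an empty list means Jamf Connect is covered."""
    cfg = plistlib.loads(plist_bytes)
    findings = []
    # AppPrefixAllowList is a single comma-delimited string, not an array.
    prefixes = [p.strip() for p in str(cfg.get("AppPrefixAllowList", "")).split(",") if p.strip()]
    for required in REQUIRED_PREFIXES:
        if required not in prefixes:
            findings.append(f"AppPrefixAllowList lacks {required}")
    for prefix in prefixes:
        # A prefix without a trailing '.' matches any bundle ID that merely starts with that text.
        if not prefix.endswith("."):
            findings.append(f"prefix {prefix} has no trailing '.' and matches beyond its namespace")
    for key, expected in REQUIRED_FLAGS.items():
        if cfg.get(key) != expected:
            findings.append(f"{key} should be {expected}, got {cfg.get(key)!r}")
    return findings


# Constructed sample: the article's recommended configuration.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>
"""

# Constructed sample: an allow list that omits Jamf, so the web view is never redirected to Company Portal.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>0</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("good", GOOD_PLIST), ("bad", BAD_PLIST)):
        print(name, check_sso_extension_config(data) or "OK")
```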