Issue Description
When opening the Jamf Connect password change window, if that sign-on is behind a Conditional Access policy that requires device compliance, the user is blocked from logging in even when the device is compliant. This can be resolved by leveraging the Microsoft Enterprise SSO extension.
When a user attempts to access a resource in Azure AD, Azure AD checks all Conditional Access policies in front of that resource (scoped to the specific user) and enforces their requirements. If a resource is behind a Conditional Access policy that requires device compliance, Azure AD requests that the device identify itself by presenting a certificate that contains the device's Azure AD ID. This certificate is referred to as the Workplace Join certificate, or WPJ certificate for short.
If Azure AD does not receive the WPJ certificate, Azure AD will not be able to identify the device, and assumes it is an unregistered device.
There are scenarios where a device is registered with Azure AD but, for one reason or another, fails to provide the WPJ certificate during an authentication attempt, which results in Azure AD prompting the user to register the device.
Azure AD returns error code 530003 when it does not receive the WPJ certificate, as this is the error code for unregistered/unrecognized devices attempting to access a resource that is behind a Conditional Access policy requiring device compliance.
Troubleshooting Steps
Jamf Connect's change password functionality leverages a native Apple WebView. By default, this WebView does not know how to request access to the Workplace Join keychain item. While native Apple WebViews cannot directly ask for the WPJ certificate, they do support the Azure AD SSO extension. The Azure AD SSO extension redirects all authentication requests bound for Azure AD to the Company Portal app, which then automatically completes the sign-in request. Because the authentication request is now handled by Company Portal, the WPJ certificate is passed in the request!
Configure the SSO extension and add 'com.jamf.' to the allowed app prefixes:
Custom plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Bundle ID prefixes the SSO extension is allowed to handle; com.jamf. covers Jamf Connect -->
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.</string>
    <!-- Allow sign-in requests from browsers and WebViews to go through the extension -->
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <!-- Suppress the explicit sign-in prompt so Company Portal completes the request silently -->
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>
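To catch a profile that is missing one of these settings before it is pushed to devices, here is an added Python check (example code, not Jamf's or Microsoft's) that parses the ExtensionData plist and reports which of the three settings above are absent; the two sample plists are constructed for the example, and app_is_allowed assumes the documented prefix semantics, where a bundle ID is covered when it starts with a listed prefix.

```python
"""Added example: validate an Enterprise SSO extension ExtensionData plist for the
settings the Jamf Connect password-change flow needs. Not Jamf or Microsoft code;
the sample plists below are constructed for this example."""
import plistlib

# Constructed sample: prefix list without com.jamf. and no disable_explicit_app_prompt key.
WEAK_PLIST = b"""<plist version="1.0"><dict>
  <key>AppPrefixAllowList</key><string>com.microsoft.,com.apple.</string>
  <key>browser_sso_interaction_enabled</key><integer>1</integer>
</dict></plist>"""

# Constructed sample matching the configuration the article recommends.
FIXED_PLIST = b"""<plist version="1.0"><dict>
  <key>AppPrefixAllowList</key><string>com.microsoft.,com.apple.,com.jamf.</string>
  <key>browser_sso_interaction_enabled</key><integer>1</integer>
  <key>disable_explicit_app_prompt</key><integer>1</integer>
</dict></plist>"""

JAMF_CONNECT_PREFIX = "com.jamf."
REQUIRED_FLAGS = ("browser_sso_interaction_enabled", "disable_explicit_app_prompt")


def allowed_prefixes(data):
    """AppPrefixAllowList is a comma-separated string; an array form is also tolerated."""
    raw = data.get("AppPrefixAllowList", "")
    items = raw if isinstance(raw, list) else str(raw).split(",")
    return [p.strip() for p in items if p.strip()]


def app_is_allowed(bundle_id, prefixes):
    """The extension handles an app when its bundle ID starts with a listed prefix (assumed semantics)."""
    return any(bundle_id.startswith(p) for p in prefixes)


def check_sso_extension_data(plist_bytes):
    """Return a list of findings; an empty list means the plist matches the article."""
    data = plistlib.loads(plist_bytes)
    findings = []
    if JAMF_CONNECT_PREFIX not in allowed_prefixes(data):
        findings.append(f"AppPrefixAllowList lacks {JAMF_CONNECT_PREFIX!r}: "
                        "Jamf Connect's WebView is not redirected to Company Portal")
    for key in REQUIRED_FLAGS:
        if data.get(key) != 1:
            findings.append(f"{key} should be <integer>1</integer>, found {data.get(key)!r}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("fixed", FIXED_PLIST)):
        print(name, check_sso_extension_data(blob) or "OK")
```

Point check_sso_extension_data at the ExtensionData dictionary exported from your own profile to confirm it matches the plist above.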