It seems to be either that or the request for the sign-in does not ask for that. It is not clear and I have not been able to replicate this on demand ever. If you have a device that falls into that state, we need to look into that with AppleCare Enterprise and Microsoft as a team, since the data is across all three. This, however, will not just flag the device as ‘non-compliant’; it will remove the device record in Intune/MEM.
Your ReEnroller application should look something like the above. Retry interval – ReEnroller will retry after 30 minutes by default. This is a pretty good default setting I’d suggest leaving as-is, but feel free to change if you need to. Maximum number of retries – ReEnroller will retry automatically if it finds any issues. I’d suggest leaving this blank to have ReEnroller keep retrying until it’s successful.
Once the configuration options and requirements are clear, it’s time to look at the configuration of the Microsoft Enterprise SSO plug-in. The configuration for iOS/iPadOS and macOS devices is identical. That platform difference will make sure that the correct configuration is applied to the correct app. The following eight steps walk through configuring the Microsoft Enterprise SSO plug-in. This all means that, to use the SSO app extension, an administrator should make sure that the correct app is installed and that the correct configuration is applied.
You should also check the logs for the policies to check if they did run, and if they had any errors! This should be the “migration complete” policy and the API MDM removal policy. Once reenrolled, the “migration complete” policy will be called to confirm all was successful. Once again, if this fails, ReEnroller will revert the enrolment back to the source server. If the MDM Profile was removed, ReEnroller will use the Jamf binary to enrol the MDM side without UAMDM.
However, whenever this silent authentication fails, for whatever reason, jamfAAD will go into interactive mode and prompt the end user to authenticate again! Furthermore, there are other situations where Azure may even instruct jamfAAD to go into interactive mode, such as an expired MFA lifetime. You can only add 1 on-prem JPRO server to an Intune tenant for this integration. This is because for on-prem JPRO servers you need to use the manual configuration. For JamfCloud instances you can use the Cloud Connector, which does allow multiple JamfCloud instances to be integrated with the SAME Intune tenant. The Cloud Connector is not available for on-prem JPRO servers.
It must be the user who has workplace-joined the account, as they have the identity from Intune in their login keychain. If you’ve enrolled macOS devices into your source server with DEP and a non-removable MDM Profile, you’ll need to set up an account on the source Jamf Pro instance in order to remove the profile. @bryce Sounds like you have a lot of knowledge on this.