![Jam9 Jam9](https://img.itch.zone/aW1hZ2UyL2phbS8yNjQ0ODIvNDgxMzc0MS5wbmc=/original/CdNaZC.png)
There are two ways to restrict OS updates on Macs with Jamf Pro: via Configuration Profiles, and via Restricted Software entries. The configuration profile will allow you to hide updates from end users for up to 90 days after release, while the restricted software entry will automatically quit the installer app if a user tries to launch it. It is recommended to use the configuration profile, but if you need to restrict upgrades for more than 90 days you should also make a Restricted Software entry.
Configuration Profile setup
Windows 64 bit - Post Jam 9 MB. Version 0.0.1 Sep 23, 2019. Linux 64 bit - Post Jam 10 MB. Mac OS X - LD40 Jam 24 MB. Source - LD40 Jam 1 MB. Google Chrome di Mac Google Chrome adalah salah satu browser di MacOS yang terkenal dengan kecepatan dan responsifitasnya dalam melakukan aktivitas browsing. Google Chrome telah tersedia di MacOS Big Sur sejak awal perilisannya pada 17 November 2020 lalu.
- Go the Configuration Profiles section of Jamf Pro and click New.
- In the Restrictions payload on the left, click Configure.
- Under the Functionality tab, scroll down and check the 'Defer updates' box. Set the the menu options to 'Software Updates' and '90 days' (or less if you prefer).
- Click on the Scope tab, and select the computers, groups, or users you want this restriction to apply to.
- Save.
The configuration profile should be installed and take effect as soon as the target computers are connected to the Internet.
Restricted Software
- Go to the Restricted Software section and click New. Depending on your OS you can enter the following:
- In the 'Process Name' field, enter e.g. 'Install macOS Big Sur.app' or 'Install macOS Catalina.app'
- Check the 'kill process' box.
- Add a message to display to the end user if they try to launch the macOS installer.
- Click on the Scope tab, and select the computers, groups, or users you want this restriction to apply to.
- Save.
Software restrictions should take effect on computers after their next check in, which normally happens about once every half hour.
When a user tries to run the macOS installer, it will quit instantly and the user will see the message you specified.
![Mac os 9 games Mac os 9 games](https://img.itch.zone/aW1nLzEwNjQ2NzcuanBn/original/e%2FhR3R.jpg)
Have Questions or Still Need Help?
- If you need assistance creating restrictions or have any questions, please contact the End User Computing team at [email protected].
Now that we have configured the connection between EMS and Jamf Pro we need to make sure that the macOS devices can also be registered to Azure AD. To be able to complete the scenario we need to do the following;
- configure compliance policies
- deploy the company portal app with Jamf Pro
- create a Jamf policy that users need to register their device with Azure AD.
Configuring compliance policies need to be done in Microsoft Intune, for macOS devices you are able to check compliance for the following options;
- Check if system integrity protection is enabled on the device.
- Minimum and maximum OS version
- check if a password is required to unlock the device
- check if complexity of the password is configured.
- check if encryption is enabled.
In this blog I will require encryption to be enabled and require that the minimum macOS version is 12. (a non-existing value)
Mac Os 9 Applications
The Intune Company Portal is not available in the App Store of Apple, so we need to download it from Microsoft and create a policy to deploy it to the macOS devices.
- First download the latest version of the Intune Company Portal for macOS.
- In the Jamf Pro admin console, go to Management Settings, Computer Management and click Packages.
- Click New, click Choose File and browse to the file called CompanyPortal-Installer.pkg.
- Click Save and wait until the file is uploaded.
- Click Computers and Policies.
- Click New, and supply a display name
- Enable the options Enrollment Complete and Recurring Check-in.
- Click Packages and Configure.
- Click Add next CompanyPortal-Installer.pkg.
- Leave the action to Install and set the correct scope (eg All Computers and/or All Users).
- Click Save.
The last part of the configuration is creating a policy that forces the users to register their device with Azure AD.
Jam9 Mac Os Update
- Still in the Jamf Pro admin console, go to Computers, Policies and click New.
- Supply a Name and click on the Microsoft Intune Integration payload.
- Click Configure
- Enable the checkbox Register computers with Azure Active Directory and click Scope to scope the deployment of the policy.
- Click Self Service and enable Make the policy available in Self Service.
- Click Save.
In Microsoft Intune you will see the macOS device appearing and you will see that it is managed by Jamf. And in this case it is not compliant.
View more information about why the device is not compliant in the Microsoft Intune console.
In the Jamf Pro console you see the device with the Azure AD information.
After the device is remediated, it will be reported as compliant. Hexterio mac os.
The end user needs to go through some manual steps to register the Jamf managed device with Azure AD, so that the inventory can be shared with Microsoft Intune.
Registering the device
In the Self Service app from Jamf the user needs to start the Azure AD registration application to start the registration in Azure AD. The Intune Company Portal is automatically installed.
After starting the registration app, the Company Portal will automatically be started. Pepe dancing to da beat mac os. Login with the user account you want to use to register the device.
Authenticate for the second time.
After the registration is done you will receive the message that the company access setup is completed.
After starting the registration app, the Company Portal will automatically be started. Pepe dancing to da beat mac os. Login with the user account you want to use to register the device.
Authenticate for the second time.
After the registration is done you will receive the message that the company access setup is completed.
Remediation of compliance issues
If a device is not compliant as shown below you can fix it via the Company Portal.
Click Fix It to see why the device is not compliant
Fix the issues and check the compliance state of the device again via Check Compliance.
Some text adv game mac os.
Click Fix It to see why the device is not compliant
Fix the issues and check the compliance state of the device again via Check Compliance.
Some text adv game mac os.
After the fixing the issues the device is marked as compliant again.
While testing the solution the following notes were taken.
- After enrolling the device in Jamf Pro, be sure that the inventory has ran before starting the registration via the Company Portal.
- Don’t start the company portal manually for the registration, the company portal must automatically be started via the AD registration policy.
- Initiate a Policy scan on a macOS device via “sudo jamf policy”
- Initiate an Inventory scan on a macOS device via “sudo jamf recon” (by default inventory runs weekly)
- Only inventory from Jamf Pro is shared with Microsoft Intune
- Only the object ID’s of the user and device in Azure AD are shared from Azure AD with the Jamf Pro cloud
- Running the Test in Jamf Pro to test the connection is a good way to initiate a sync between the two cloud services.
Looking at this integration I think it is a great addition when you already manage your devices with Jamf Pro and you want to control access to Office 365 and/or Azure services via Conditional Access.
- Jamf Pro and Microsoft EMS better together – macOS devices – part 3 (this blog)