← Back to all articles

How to Integrate Jamf Pro with Microsoft Intune and Entra ID for Conditional Access

One of the most common requests I get from IT leaders running mixed Apple and Windows fleets is: “Our Macs are in Jamf, our PCs are in Intune — how do we get one compliance story across both?” The answer is Jamf Pro’s device compliance integration with Microsoft Intune and Entra ID, and after implementing it across 1,000+ endpoints, I can say it’s one of the highest-value projects an endpoint team can ship.

Why integrate Jamf Pro with Intune?

Jamf Pro is the best tool for managing Macs. Microsoft Entra ID and Conditional Access are how modern enterprises gate access to email, files, and SaaS apps. Without integration, your Macs are invisible to Conditional Access — meaning a non-compliant or unknown Mac can still reach corporate data.

With the integration in place:

Prerequisites

The setup, step by step

1. Connect Jamf Pro to Intune

In Jamf Pro, go to Settings > Global Management > Device Compliance and enable the connection for macOS. You’ll authenticate to Microsoft with a Global Administrator account and grant consent to the Jamf applications in Entra ID. On the Intune side, confirm the connector shows as Active under Tenant administration > Connectors and tokens > Device compliance partners.

2. Define compliance in a Smart Group

Jamf decides what “compliant” means using a Smart Group. Build one that captures your real security baseline — for example: FileVault enabled, OS within your supported versions, firewall on, and no critical patches missing. Devices in the group report as compliant; everything else reports as non-compliant.

3. Deploy Company Portal and register devices

Deploy the Company Portal app with a Jamf policy, then prompt users to register their Mac with Entra ID through Jamf Self Service. Registration links the device record in Jamf to the identity platform so Conditional Access can evaluate it.

4. Build the Conditional Access policy

In Entra ID, create a Conditional Access policy that requires a compliant device for your chosen apps — start with Microsoft 365. Scope it to a pilot group first. Once the pilot proves out, expand in rings, just like OS updates.

Lessons from a 1,000+ device rollout

The result

Once live, every Mac in the fleet is evaluated by the same Conditional Access rules as Windows devices. Lost or out-of-date machines lose access to corporate data automatically, auditors get one compliance report instead of two, and the security team stops treating Macs as an exception. If you’re running Jamf and Intune side by side without this integration, it should be next on your roadmap.