How to Integrate Jamf Pro with Microsoft Intune and Entra ID for Conditional Access
One of the most common requests I get from IT leaders running mixed Apple and Windows fleets is: “Our Macs are in Jamf, our PCs are in Intune — how do we get one compliance story across both?” The answer is Jamf Pro’s device compliance integration with Microsoft Intune and Entra ID, and after implementing it across 1,000+ endpoints, I can say it’s one of the highest-value projects an endpoint team can ship.
Why integrate Jamf Pro with Intune?
Jamf Pro is the best tool for managing Macs. Microsoft Entra ID and Conditional Access are how modern enterprises gate access to email, files, and SaaS apps. Without integration, your Macs are invisible to Conditional Access — meaning a non-compliant or unknown Mac can still reach corporate data.
With the integration in place:
- Jamf Pro evaluates each Mac against your compliance criteria (encryption, OS version, security settings).
- Jamf shares that compliance state with Intune and Entra ID.
- Conditional Access policies then allow or block access to Microsoft 365 and other apps based on real device health — the same way they already do for Windows devices.
Prerequisites
- Jamf Pro (cloud-hosted or on-prem) with administrator access
- Microsoft Intune and Entra ID P1 licensing for Conditional Access
- The Company Portal app for macOS
- Devices enrolled in Jamf via Automated Device Enrollment (Apple Business Manager) or user-initiated enrollment
The setup, step by step
1. Connect Jamf Pro to Intune
In Jamf Pro, go to Settings > Global Management > Device Compliance and enable the connection for macOS. You’ll authenticate to Microsoft with a Global Administrator account and grant consent to the Jamf applications in Entra ID. On the Intune side, confirm the connector shows as Active under Tenant administration > Connectors and tokens > Device compliance partners.
2. Define compliance in a Smart Group
Jamf decides what “compliant” means using a Smart Group. Build one that captures your real security baseline — for example: FileVault enabled, OS within your supported versions, firewall on, and no critical patches missing. Devices in the group report as compliant; everything else reports as non-compliant.
3. Deploy Company Portal and register devices
Deploy the Company Portal app with a Jamf policy, then prompt users to register their Mac with Entra ID through Jamf Self Service. Registration links the device record in Jamf to the identity platform so Conditional Access can evaluate it.
4. Build the Conditional Access policy
In Entra ID, create a Conditional Access policy that requires a compliant device for your chosen apps — start with Microsoft 365. Scope it to a pilot group first. Once the pilot proves out, expand in rings, just like OS updates.
Lessons from a 1,000+ device rollout
- Pilot with IT first. Registration prompts confuse users if you haven’t prepared communications and a quick how-to article.
- Watch for stale device records. Re-provisioned Macs can leave duplicate Entra ID records; clean them up or users hit access blocks that look random.
- Make the Smart Group forgiving at first. Begin with encryption and OS version only, measure your real compliance rate, then tighten criteria as remediation policies catch devices up.
- Monitor both consoles. Compliance state flows Jamf → Intune → Entra ID; when troubleshooting, check where in that chain the state is stuck.
The result
Once live, every Mac in the fleet is evaluated by the same Conditional Access rules as Windows devices. Lost or out-of-date machines lose access to corporate data automatically, auditors get one compliance report instead of two, and the security team stops treating Macs as an exception. If you’re running Jamf and Intune side by side without this integration, it should be next on your roadmap.