A lot of organizations use Jamf Pro to manage their Apple devices. Let’s face it, Jamf is just better at managing Apple devices than Intune. That isn’t to say that Intune doesn’t do a good job, but Jamf is just better at it. Apple device adoption is growing rapidly within enterprises, as evidenced by Apple’s investment in technologies such as platform SSO. We are seeing more companies invest in an Apple-first management platform like Jamf to provide the same level of management that is available on Windows from tools like ConfigMgr and Intune.
For organizations that rely on endpoint management services, this integration strengthens unified device compliance and security across both Apple and Windows ecosystems.
This blog post will walk you through the benefits of integrating the two so that you can use device state information from Jamf to determine compliance for Entra ID Conditional Access (CA). In essence, this allows a lot of the same conceptual behavior that you get from compliance policies within Intune.
How Does the Integration Work?
Jamf uses the Partner Compliance Management API to send compliance state to Intune, which then sends the compliance state to Entra ID. The device never shows up in Intune – it only shows up in Entra ID as a registered device object with a compliance state.
Smart Groups
Jamf evaluates compliance based on two smart groups. The first smart group (called the applicable group in Jamf’s documentation) should be all devices that are eligible to access the resources protected by Entra ID Conditional Access. For most environments, this is probably all devices, but you might split out personal devices if you allow those to be enrolled into your Jamf environment.
The second smart group (called the compliance group in Jamf’s documentation) has criteria set to match your compliance settings, such as operating system version, FileVault status, security patch level, or any other criteria for smart groups. If the computer is in this group, it is marked as compliant. If the computer is in the applicable group, but not in this group, it is marked as non-compliant.
Just as a hint, one of the criteria for the compliance group should be membership in the applicable group.
Configuration
During the configuration of device compliance in Jamf, you will provide the two smart groups discussed above. Once this is configured, you will configure a partner connection in Intune. This will require the creation of an Entra ID app registration. This app will need admin consent granted for the Intune API permission update_device_attributes and the Graph API permission Application.Read.All. These are application permissions.
Once the compliance configuration is set up, you can use the compliance data in Conditional Access policies to restrict or grant access to resources controlled by Entra ID. If the Apple device falls out of the compliance group, it will be automatically marked as non-compliant by Entra ID and the CA policy will prevent access from that device.
You can read all the details for setting up the integration here: View Details
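A drift check for the setup described above, as an added example that is not from Jamf or Microsoft: it applies the two-smart-group rule and compares the result with the `isCompliant` flag on Entra ID device records. The device IDs, the group-export shape and the sample records are constructed, and treating devices outside the applicable group as out of scope is an assumption of this example.

```python
# Added example: reconcile Jamf smart-group membership with Entra ID device state.
# All data below is constructed; the input shape (sets of Entra device IDs per
# smart group, Graph-style device records) is an assumption of this example.

def expected_state(device_id, applicable, compliance):
    """Apply the two-smart-group rule described in the post."""
    if device_id not in applicable:
        # Not eligible: this example treats it as out of scope (assumption).
        return "out_of_scope"
    return "compliant" if device_id in compliance else "non_compliant"

def reconcile(applicable, compliance, entra_devices):
    """Return findings where Entra's isCompliant disagrees with Jamf's groups."""
    findings = []
    # The post's hint: compliance-group criteria should include
    # membership in the applicable group. Flag devices that break it.
    for dev in sorted(compliance - applicable):
        findings.append((dev, "in compliance group but not applicable group"))
    by_id = {d["deviceId"]: d for d in entra_devices}
    for dev in sorted(applicable):
        want = expected_state(dev, applicable, compliance)
        record = by_id.get(dev)
        if record is None:
            findings.append((dev, "applicable in Jamf but no Entra device object"))
            continue
        # A missing or null isCompliant is treated as non-compliant here.
        have = "compliant" if record.get("isCompliant") else "non_compliant"
        if have != want:
            findings.append((dev, f"Entra says {have}, Jamf groups imply {want}"))
    return findings

# Constructed sample data
APPLICABLE = {"dev-a", "dev-b", "dev-c", "dev-d"}
COMPLIANCE = {"dev-a", "dev-c", "dev-e"}   # dev-e breaks the hint
ENTRA_DEVICES = [
    {"deviceId": "dev-a", "displayName": "mac-01", "isCompliant": True},
    {"deviceId": "dev-b", "displayName": "mac-02", "isCompliant": True},   # stale
    {"deviceId": "dev-c", "displayName": "mac-03", "isCompliant": False},  # stale
]

if __name__ == "__main__":
    for device, issue in reconcile(APPLICABLE, COMPLIANCE, ENTRA_DEVICES):
        print(f"{device}: {issue}")
```

A device that Entra ID still reports as compliant after it left the compliance group is the finding to chase first, since the CA policy will keep granting it access.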
Final Thoughts
Integrating Jamf Pro with Entra ID Conditional Access gives organizations the best of both worlds: Apple-first management with Jamf and enterprise-wide compliance enforcement. By leveraging Jamf’s smart groups to define compliance and Intune’s Partner Compliance Management API to share that state, you can enforce zero-trust principles without compromising the Apple user experience.
Configuring this integration, especially when managed under comprehensive endpoint management services, ensures that only trusted users on compliant devices gain access to sensitive resources, while still allowing you to manage Apple devices with the depth and precision Jamf provides.
As Apple adoption continues to grow in the enterprise, the partnership between Jamf and Microsoft will remain a cornerstone for organizations that want to balance user choice with strong security.






