Okta Identity Engine | Multi-Factor Authentication | Answered | 2024-04-16T09:58:27.000Z | 2023-03-18T20:09:22.000Z | 2023-04-11T10:22:57.000Z

AndrewD.32307 (Customer) asked a question.

How to avoid Race Conditions when using Device Trust against JAMF & Intune Admin & Device Enrollment

When going through our device trust policies, I see one potential issue that I can't seem to find a solution for.


Let's say we have a new device that needs to enroll in either JAMF or Intune.

However, we have a Device Trust policy for employees that attempt to access the Admin Panel of JAMF Pro, or any O365 Software.

How do those new device(s) enroll into MDM, if the authentication policies require Device Trust to use either the Admin Panel of JAMF Pro or any O365 environment?


It seems like we would hit a race condition where we can't mandate a device trust policy against O365, because the device would need to enroll into Intune, and since Intune uses the O365/Azure account which has a device trust policy on it, you wouldn't be able to enroll the device while still preventing unmanaged devices.


We would hit the same race condition where JAMF Pro uses the same auth backend for Jamf Pro Admin, Jamf Pro Self Service login, and Jamf device enrollment. We wouldn't be able to require authentication to register a device while still having Device Trust policies against the rest of the JAMF Pro service.


Are there workarounds for this type of situation? I have tried researching and asking in a few communities (not this one); the Okta Knowledge Base doesn't seem to have anything related to this (and it's difficult to search), and I have done some blog searching through Google, but my Google-Fu is failing me; no one seems to have created a blog post around this.


  • Mihai N. (Okta, Inc.)

    Hi @AndrewD.32307 (Customer), thank you for reaching out to the Okta Community!


    We'll leave this question open for Community input as well, but the way I'm seeing things is... you'll need to set up a temporary group and an authentication policy that is applied only to that group to bypass the Device Trust while you do the initial enrolment. Once a user/device has been enrolled, you can remove the membership to the temp group and the next time they sign in, they should hit the required policy.


    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 


    Hope my answer helps! 

  • typ48 (typ48)

    Usually I see it done with a group rule, but if you have Workflows available, you can do some automation. You can use Workflows to remove the user from the group when a device has been added to the user. Another option is to write a group rule that says if the custom attribute "registered device" is null, add to the 365 bypass group. Create a workflow that runs on "Device Added to User" and populates the attribute; the user no longer meets the rule condition and is out of the group.

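The two replies above describe the same mechanism: a temporary bypass group that is exempt from the Device Trust policy, with membership revoked once the user holds a managed device. The script below is an added example for this thread, not Okta's code or a supported tool, showing that revocation step as a reconciliation job against the Okta Management API (`GET /api/v1/groups/{groupId}/users`, `GET /api/v1/devices`, `GET /api/v1/devices/{deviceId}/users`, `DELETE /api/v1/groups/{groupId}/users/{userId}`). The group id, the user and device records, and the exact shape of the device-user response are constructed assumptions; it runs offline against an in-memory stand-in. The edge case it handles is the one that matters for this thread: a device that is registered with Okta Verify but not yet reported as managed by Jamf or Intune must not kick the user out of the bypass group, or they lose access before enrollment completes.

```python
"""Move users out of a Device Trust bypass group once they hold a managed device.

Added example for this thread, not Okta's own code. Identifiers and sample records
are constructed; the device-user response shape is an assumption about the Devices API.
"""
import json
import urllib.request

BYPASS_GROUP_ID = "00gBYPASSHYPOTHETICAL"  # hypothetical group id, substitute your own


class OktaHttp:
    """Minimal client for the endpoints the job needs (SSWS API-token auth).
    Link-header pagination is not handled; add it before running against a large org."""

    def __init__(self, org_url: str, api_token: str):
        self.org_url = org_url.rstrip("/")
        self.token = api_token

    def _request(self, method: str, path: str):
        req = urllib.request.Request(self.org_url + path, method=method)
        req.add_header("Authorization", f"SSWS {self.token}")
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else None

    def list_group_users(self, group_id):
        return self._request("GET", f"/api/v1/groups/{group_id}/users")

    def list_devices(self):
        return self._request("GET", "/api/v1/devices")

    def list_device_users(self, device_id):
        return self._request("GET", f"/api/v1/devices/{device_id}/users")

    def remove_group_user(self, group_id, user_id):
        self._request("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}")


class FakeOkta:
    """Constructed in-memory data standing in for the API so the job runs offline.
    alice: ACTIVE managed device -> enrolled.  bob: ACTIVE but managed=false
    (Okta Verify only, MDM enrollment still pending) -> keep in bypass.
    carol: managed device, but DEACTIVATED -> keep in bypass."""

    def __init__(self):
        self.group_members = {BYPASS_GROUP_ID: [{"id": "u_alice"}, {"id": "u_bob"}, {"id": "u_carol"}]}
        self.devices = [
            {"id": "d1", "status": "ACTIVE", "profile": {"displayName": "alice-mbp", "managed": True, "registered": True}},
            {"id": "d2", "status": "ACTIVE", "profile": {"displayName": "bob-win", "managed": False, "registered": True}},
            {"id": "d3", "status": "DEACTIVATED", "profile": {"displayName": "carol-old", "managed": True, "registered": True}},
        ]
        # Assumed shape: each entry wraps the linked user under "user".
        self.device_users = {
            "d1": [{"user": {"id": "u_alice"}}],
            "d2": [{"user": {"id": "u_bob"}}],
            "d3": [{"user": {"id": "u_carol"}}],
        }

    def list_group_users(self, group_id):
        return list(self.group_members.get(group_id, []))

    def list_devices(self):
        return self.devices

    def list_device_users(self, device_id):
        return self.device_users.get(device_id, [])

    def remove_group_user(self, group_id, user_id):
        self.group_members[group_id] = [u for u in self.group_members[group_id] if u["id"] != user_id]


def managed_user_ids(client) -> set:
    """User ids holding at least one ACTIVE device whose profile reports managed=true.
    Registered-but-unmanaged devices are deliberately ignored: the user is mid-enrollment."""
    ids = set()
    for device in client.list_devices():
        if device.get("status") != "ACTIVE":
            continue
        if not device.get("profile", {}).get("managed"):
            continue
        for entry in client.list_device_users(device["id"]):
            ids.add(entry["user"]["id"])
    return ids


def reconcile(client, group_id: str = BYPASS_GROUP_ID, dry_run: bool = False) -> list:
    """Remove every bypass-group member who now has a managed device. Returns the ids removed
    (or that would be removed, when dry_run is set) so the run can be logged and reviewed."""
    enrolled = managed_user_ids(client)
    removed = []
    for user in client.list_group_users(group_id):
        if user["id"] in enrolled:
            if not dry_run:
                client.remove_group_user(group_id, user["id"])
            removed.append(user["id"])
    return removed


if __name__ == "__main__":
    fake = FakeOkta()
    print("would remove:", reconcile(fake, dry_run=True))
    print("removed:", reconcile(fake))
    print("still in bypass:", [u["id"] for u in fake.list_group_users(BYPASS_GROUP_ID)])
```

Run it on a schedule (or trigger it from a Workflows "Device Added to User" event, as the second reply suggests) and keep the bypass policy itself tight: it should still require phishing-resistant MFA and it only exempts the device-assurance condition, so the window in which a user can reach O365 from an unmanaged device is bounded by how quickly this reconciliation runs.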
This question is closed.