JAMF & Entra Integration
- Microsoft Entra
- Platform SSO
- JAMF for our MDM
- No Kerberos for offsite users
This project started out with wanting to give users a notification when their network password is about to expire. macOS can report the expiration of the local account password, but I wanted to base this on the Entra server in case the password dates differ: the Intune server is my "source of truth".
This idea has grown to offer more than just password expiration. I have it set to:
- Show password last date/time change
- Show password age
- Show network drives
- Retrieve Entra server profile pic
- Retrieve Entra group membership
- Set local admin based on Entra group membership
Everything is done via the MS Graph API, so you will need the following information from your Intune admin:
- Tenant ID
- Client ID
- Client Secret
I store all of my Entra information in the user's ~/Library/Application Support/<msinfo>.plist. I put it here because I have multi-user Macs in my environment and this ensures each user has their own .plist file.
The basic layout of the file is this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>DriveMappings</key>
	<array>
		<string>smb://dfs11inf2.corp.com/clientserver</string>
		<string>smb://dfs10INF1.corp.com/common</string>
	</array>
	<key>EntraAdminRights</key>
	<string>Yes</string>
	<key>EntraGroups</key>
	<array>
		<string>CLIENT TECHNOLOGIES</string>
	</array>
	<key>PasswordAge</key>
	<string>241</string>
	<key>PasswordLastChanged</key>
	<string>2025-08-13T18:16:13Z</string>
</dict>
</plist>
```
I use this script to retrieve the password info and calculate the password age. If it doesn't get a valid server response, it falls back to the local account password change date: https://github.com/ScottEKendall/JAMF-Pro-System-Scripts/blob/main/Maintenance%20-%20InTune%20-%20Passwords.sh
Once you have retrieved the password info and created the plist, you can optionally use a JAMF Extension Attribute (EA) to store the password age: https://github.com/ScottEKendall/JAMF-Pro-EAs/blob/main/Password%20Age.sh
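The password-age logic described above, as an added shell example (this is not the repository's Passwords.sh): it reads `lastPasswordChangeDateTime` from a Graph user response, validates the timestamp before doing arithmetic on it, computes the age, and only falls back to the local account's date when the server value is missing or malformed. `GRAPH_TOKEN`, `UPN` and `MAX_PASSWORD_AGE` are hypothetical names, the sample Graph response is constructed, and the `dscl`/`plutil` fallback is one assumed way to read the local date.

```shell
#!/bin/bash
# Added example, not the repository's "Maintenance - InTune - Passwords.sh":
# pull lastPasswordChangeDateTime for a user from Microsoft Graph, validate it,
# compute the password age, and fall back to the local account date when the
# server response is unusable. Assumptions (hypothetical names): GRAPH_TOKEN
# holds a Graph access token, UPN the user's principal name, MAX_PASSWORD_AGE
# the tenant's maximum password age in days.

MAX_PASSWORD_AGE="${MAX_PASSWORD_AGE:-365}"

# Convert an ISO-8601 UTC timestamp (e.g. 2025-08-13T18:16:13Z) to epoch
# seconds. BSD date (macOS) is tried first, then GNU date (Linux). Returns 1
# and prints nothing when the input is not in that exact shape, so an empty or
# garbled Graph value never silently becomes "now".
iso_to_epoch() {
    local ts="$1"
    case "$ts" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) return 1 ;;
    esac
    if date -j -u -f "%Y-%m-%dT%H:%M:%SZ" "$ts" +%s 2>/dev/null; then
        return 0
    fi
    date -u -d "$ts" +%s 2>/dev/null
}

# Pull the timestamp out of a Graph user response such as (constructed sample)
#   {"@odata.context":"...","lastPasswordChangeDateTime":"2025-08-13T18:16:13Z"}
# sed is used instead of jq so this runs on a stock macOS install.
extract_last_change() {
    printf '%s' "$1" | sed -n 's/.*"lastPasswordChangeDateTime" *: *"\([^"]*\)".*/\1/p'
}

# GET /users/{upn}?$select=lastPasswordChangeDateTime (real Graph endpoint).
fetch_last_change() {
    curl -sf -H "Authorization: Bearer $GRAPH_TOKEN" \
        "https://graph.microsoft.com/v1.0/users/$1?\$select=lastPasswordChangeDateTime"
}

# Local fallback: passwordLastSetTime from the account's accountPolicyData.
# Assumption: this is one way to read it on macOS; the original script's
# fallback may differ. Prints whole epoch seconds.
local_last_change_epoch() {
    dscl . -read "/Users/$1" accountPolicyData 2>/dev/null | sed 1d \
        | plutil -extract passwordLastSetTime raw -o - - 2>/dev/null | cut -d. -f1
}

# Whole days between the change timestamp ($1) and "now" ($2, epoch seconds;
# defaults to the current time, passed explicitly to make results reproducible).
password_age_days() {
    local changed now
    changed=$(iso_to_epoch "$1") || return 1
    now="${2:-$(date -u +%s)}"
    echo $(( (now - changed) / 86400 ))
}

# $1 = age in days, $2 = policy maximum in days
days_until_expiry() {
    echo $(( $2 - $1 ))
}

main() {
    local upn="$1" response last_change age epoch
    response=$(fetch_last_change "$upn") || response=""
    last_change=$(extract_last_change "$response")
    if age=$(password_age_days "$last_change"); then
        echo "source=entra last_change=$last_change"
    else
        # Server value missing or malformed: use the local account's date.
        epoch=$(local_last_change_epoch "$(id -un)")
        if [ -z "$epoch" ]; then
            echo "no password change date available" >&2
            return 1
        fi
        age=$(( ( $(date -u +%s) - epoch ) / 86400 ))
        echo "source=local"
    fi
    echo "password_age=$age days_until_expiry=$(days_until_expiry "$age" "$MAX_PASSWORD_AGE")"
}

# Only run end-to-end when a token and user are supplied in the environment.
if [ -n "${GRAPH_TOKEN:-}" ] && [ -n "${UPN:-}" ]; then
    main "$UPN"
fi
```

With the sample plist's values (`2025-08-13T18:16:13Z`, age 241) the arithmetic reproduces the stored `PasswordAge`; the point of `iso_to_epoch` rejecting anything that is not a full UTC timestamp is that a failed or partial Graph call produces a clear fallback instead of a bogus "0 days old" result.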
I store the server mount points (SMB shares) in the local plist and use them in my JAMF Connect > Options menu to help the user mount their network drives. You will need to modify the script to relate a group name to an SMB share:
```bash
# This list is based on Entra Group Names
# You need to create a JSON record that has the Entra Group Names and the SMB server path
# GroupName must be the exact name (case sensitive) that is in your Azure/Intune groups
# SMBShare is the full UNC path to your network share
DriveMappings='[
{"GroupName" : "msgraph_group_name",
"SMBShare" : "smb://<sharedrivepath>"},
{"GroupName" : "msgraph_group_name",
"SMBShare" : "smb://<sharedrivepath>"}
]'
```
The script can be found here: https://github.com/ScottEKendall/JAMF-Pro-System-Scripts/blob/main/Maintenance%20-%20InTune%20-%20Groups.sh
I also have a network drive mount script that determines whether you are on VPN / on-prem and mounts the drives for the user: https://github.com/ScottEKendall/JAMF-Pro-Scripts/tree/main/MountNetworkDrive
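How the group-to-share mapping resolves at run time, as an added shell example that is not the repository's Groups or MountNetworkDrive script: it parses a `DriveMappings` record in the layout shown above, matches the user's Entra group names exactly (case-sensitive, as the comment requires), and mounts the resulting shares. The mapping values are constructed from the sample plist on this page ("ALL STAFF" is an invented second group), the `PlistBuddy` reader is an assumed way of getting `EntraGroups` out of the per-user plist, and `<msinfo>.plist` stays a placeholder.

```shell
#!/bin/bash
# Added example, not the repository's Groups or MountNetworkDrive scripts:
# resolve which SMB shares a user should get from the DriveMappings JSON
# and the user's Entra group names, then mount them. Sample mapping below is
# constructed from the shares and group in this page's plist; "ALL STAFF" is
# an invented second group.

DriveMappings='[
{"GroupName" : "CLIENT TECHNOLOGIES",
"SMBShare" : "smb://dfs11inf2.corp.com/clientserver"},
{"GroupName" : "ALL STAFF",
"SMBShare" : "smb://dfs10INF1.corp.com/common"}
]'

# Emit one "GroupName<TAB>SMBShare" line per mapping object. This handles the
# two-key objects used in DriveMappings (keys in either order), not arbitrary
# JSON, and avoids jq so it runs on a stock macOS install.
parse_mappings() {
    printf '%s' "$DriveMappings" | tr -d '\n' | tr '}' '\n' | while IFS= read -r obj; do
        local g s
        g=$(printf '%s' "$obj" | sed -n 's/.*"GroupName" *: *"\([^"]*\)".*/\1/p')
        s=$(printf '%s' "$obj" | sed -n 's/.*"SMBShare" *: *"\([^"]*\)".*/\1/p')
        if [ -n "$g" ] && [ -n "$s" ]; then
            printf '%s\t%s\n' "$g" "$s"
        fi
    done
}

# Print the shares for the given group names ($@), in mapping order.
# Matching is exact and case-sensitive; "client technologies" maps to nothing.
shares_for_groups() {
    parse_mappings | while IFS="$(printf '\t')" read -r group share; do
        for g in "$@"; do
            if [ "$g" = "$group" ]; then
                printf '%s\n' "$share"
                break
            fi
        done
    done
}

# Read the EntraGroups array from the per-user plist. Assumption: PlistBuddy
# prints "Array {", one indented name per line, "}", which is trimmed here.
groups_from_plist() {
    /usr/libexec/PlistBuddy -c "Print :EntraGroups" "$1" 2>/dev/null \
        | sed -e '1d' -e '$d' -e 's/^ *//'
}

# Mount one share through Finder (macOS). DRY_RUN=1 only prints the action.
mount_share() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would mount $1"
    else
        open "$1"
    fi
}

# Full path: plist -> group names -> shares -> mounts. Group names are collected
# into the positional list so names containing spaces survive intact.
mount_drives_for_plist() {
    local plist="$1" g
    set --
    while IFS= read -r g; do
        [ -n "$g" ] && set -- "$@" "$g"
    done <<EOF
$(groups_from_plist "$plist")
EOF
    shares_for_groups "$@" | while IFS= read -r share; do
        mount_share "$share"
    done
}

# Dry demo with the sample user, who is only in CLIENT TECHNOLOGIES:
#   ./mount_drives.sh --demo
# Real use (placeholder plist name from this page):
#   mount_drives_for_plist "$HOME/Library/Application Support/<msinfo>.plist"
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    shares_for_groups "CLIENT TECHNOLOGIES" | while IFS= read -r share; do
        mount_share "$share"
    done
fi
```

Because the match is exact, a renamed Entra group silently stops mapping rather than mapping to the wrong share; logging the unmatched group names from `groups_from_plist` is the easiest way to catch that in the field.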
If you store profile pictures on your Entra server, you can sync them to the local account picture so that the user sees their profile picture on the local login screen.
I store the Entra group memberships in the user's local folder so I can set up privileges based on group membership. Script here: https://github.com/ScottEKendall/JAMF-Pro-System-Scripts/blob/main/Maintenance%20-%20InTune%20-%20Groups.sh
I read from the server whether a user is a member of a specific group, and you can then (optionally) set local admin rights based on that membership: https://github.com/ScottEKendall/JAMF-Pro-System-Scripts/blob/main/Maintenance%20-%20InTune%20-%20Admin%20Rights.sh
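The group-membership retrieval and the admin-rights decision from the two paragraphs above, as one added shell example that is not the repository's Groups or Admin Rights script: it extracts group names from a Graph `memberOf` response, decides grant / revoke / keep, and applies the result with `dseditgroup`. The decision is fail-closed: if the Graph lookup did not succeed, existing admin rights are left untouched instead of being changed on stale data. `GRAPH_TOKEN`, `UPN` and `ADMIN_GROUP` are hypothetical names, and the sample response is constructed from the group name in this page's plist.

```shell
#!/bin/bash
# Added example, not the repository's Groups or Admin Rights scripts: read the
# user's group names from a Graph memberOf response, decide whether local admin
# should be granted, revoked or left alone, and apply that with dseditgroup.
# Assumptions (hypothetical names): GRAPH_TOKEN holds a Graph access token,
# UPN the user's principal name, ADMIN_GROUP the Entra group that confers
# local admin (default taken from this page's sample plist).

ADMIN_GROUP="${ADMIN_GROUP:-CLIENT TECHNOLOGIES}"

# GET /users/{upn}/memberOf?$select=displayName (real Graph endpoint). A user
# with more than 100 memberships gets paged results via @odata.nextLink, which
# a production script must follow; this example reads the first page only.
fetch_member_of() {
    curl -sf -H "Authorization: Bearer $GRAPH_TOKEN" \
        "https://graph.microsoft.com/v1.0/users/$1/memberOf?\$select=displayName"
}

# One group name per line from a response such as (constructed sample)
#   {"value":[{"displayName":"CLIENT TECHNOLOGIES"},{"displayName":"ALL STAFF"}]}
# grep -o works on both BSD and GNU grep, so no jq is needed.
group_names() {
    printf '%s' "$1" | grep -o '"displayName" *: *"[^"]*"' | sed -e 's/.*: *"//' -e 's/"$//'
}

# Fail-closed decision. $1 = lookup status ("ok" or anything else),
# $2 = admin group, $3.. = the user's group names.
#   keep   -> lookup failed, leave current rights alone
#   grant  -> user is in the admin group
#   revoke -> lookup succeeded and user is not in the admin group
decide_admin() {
    local status="$1" admin_group="$2" g
    shift 2
    if [ "$status" != ok ]; then
        echo keep
        return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$admin_group" ]; then
            echo grant
            return 0
        fi
    done
    echo revoke
}

# Value written to the plist's EntraAdminRights key for a decision.
admin_flag() {
    case "$1" in grant) echo Yes ;; revoke) echo No ;; *) echo Unknown ;; esac
}

# Apply the decision to the local admin group (macOS). DRY_RUN=1 only prints.
apply_admin() {
    local user="$1" decision="$2" op=""
    case "$decision" in
        grant)  op="-a" ;;
        revoke) op="-d" ;;
        *)      echo "no change for $user"; return 0 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: dseditgroup -o edit $op $user -t user admin"
    else
        dseditgroup -o edit "$op" "$user" -t user admin
    fi
}

main() {
    local upn="$1" local_user="$2" response="" status=fail decision g
    if response=$(fetch_member_of "$upn"); then
        status=ok
    fi
    # Collect names into the positional list so names with spaces stay whole.
    set --
    while IFS= read -r g; do
        [ -n "$g" ] && set -- "$@" "$g"
    done <<EOF
$(group_names "$response")
EOF
    decision=$(decide_admin "$status" "$ADMIN_GROUP" "$@")
    echo "decision=$decision EntraAdminRights=$(admin_flag "$decision")"
    apply_admin "$local_user" "$decision"
}

# Only run end-to-end when a token and user are supplied in the environment.
if [ -n "${GRAPH_TOKEN:-}" ] && [ -n "${UPN:-}" ]; then
    main "$UPN" "$(id -un)"
fi
```

The `keep` branch is the part worth copying: a script that treats an empty response the same as "not a member" would strip admin from every user the moment the tenant, token or network is unavailable, and one that grants on error would do the opposite.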
