Jamf and Entra ID Lab with Apple Devices
This lab shows how to build a small Apple management environment using Jamf Pro, Microsoft Entra ID, and six test devices. Jamf Pro can integrate with Microsoft Entra ID for user and group lookups, authentication, and scoping, while Apple Business Manager federates with Entra so users can use their Microsoft credentials on assigned Apple devices.
Lab overview
In this environment, you will manage a mix of Apple hardware:
2 Mac computers
2 iPads
2 iPhones
The goal is to manage the devices in Jamf, connect identity to Entra ID, and validate enrollment, sign-in, app deployment, and policy assignment across macOS, iPadOS, and iOS.
Requirements
To get started, you will need:
A Jamf Standard Cloud-hosted or Jamf Premium Cloud-hosted tenant.
A Microsoft Entra administrator account with enough permissions to grant consent to the Jamf app.
Apple Business Manager or Apple School Manager to federate with Entra ID.
Step by step
1. Create lab users
Create a few lab users and groups in Microsoft Entra ID (like "IT Admins" and "Lab Users"). This allows Jamf to use your directory data for inventory, authentication, and scoping.
2. Connect Jamf to Entra ID
Connect Jamf Pro to Microsoft Entra ID in the Jamf admin portal. Jamf uses Microsoft Graph in a read-only way for directory workflows, meaning Jamf Pro will not write data back to your Entra ID tenant.
3. Configure Apple federation
Set up federation between Apple Business Manager and Entra ID. This allows your lab users to use their Entra username and password as a Managed Apple Account on their assigned Apple devices.
4. Enroll the devices
Enroll the 2 Macs, 2 iPads, and 2 iPhones into Jamf Pro. Assign each device to one of your lab users. Using a simple naming standard (like MAC01, IPAD01, IPHONE01) will make the lab easier to navigate.
5. Create baseline profiles
Create configuration profiles in Jamf for Wi-Fi, passcode rules, and basic restrictions. For the Macs, deploy the Microsoft Company Portal app if you plan to test Microsoft registration or compliance workflows.
6. Configure Platform SSO for macOS
Set up Platform SSO on the Macs for Microsoft Entra ID. This requires choosing an authentication method, deploying the Company Portal, and pushing a profile that contains the Platform SSO settings from Jamf.
7. Deploy apps and policies
Deploy a few test apps to all six devices to confirm they receive the correct payloads. This allows you to test real-world admin tasks like profile assignment, app rollouts, and user-based scoping.
8. Test device compliance (Optional)
If you want to test Entra-based compliance for macOS, configure Jamf’s newer Device Compliance integration. Microsoft deprecated Jamf’s older macOS Conditional Access support in early 2025, making Device Compliance the modern path for this scenario.
Validation
To verify your lab is working:
Check that Jamf can successfully see your Entra users and groups.
Confirm that Managed Apple Accounts work after federation.
Verify the Macs receive the Company Portal and Platform SSO settings.
Note: If you enable Jamf Device Compliance for the Macs, instruct your test users to start device registration from the Jamf Self Service app rather than opening the Company Portal directly, as direct registration can cause an onboarding error.
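An added example, not part of the original lab or of Jamf's or Microsoft's own tooling: a pre-upload check for the Platform SSO profile from step 6, which also supports the validation item about the Macs receiving Platform SSO settings. The key names, extension and team identifiers, URLs and authentication method values are taken from Apple's extensible SSO payload schema and Microsoft's Platform SSO documentation rather than from this page, and the sample profile is constructed.

```python
import plistlib

# Assumption: names/values follow Apple's extensible SSO schema and Microsoft's PSSO docs, not this page.
EXPECTED = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9",
    "Type": "Redirect",
}
REQUIRED_URLS = {"https://login.microsoftonline.com", "https://login.microsoft.com",
                 "https://sts.windows.net"}
AUTH_METHODS = {"UserSecureEnclaveKey", "Password", "SmartCard"}


def lint_psso_profile(raw: bytes) -> list[str]:
    """Return a list of problems found in a .mobileconfig; empty means it passed."""
    profile = plistlib.loads(raw)
    sso = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == EXPECTED["PayloadType"]]
    if len(sso) != 1:
        return [f"expected exactly one extensible SSO payload, found {len(sso)}"]
    payload, problems = sso[0], []
    for key, want in EXPECTED.items():
        if payload.get(key) != want:
            problems.append(f"{key}: {payload.get(key)!r}, expected {want!r}")
    missing = REQUIRED_URLS - {u.rstrip("/") for u in payload.get("URLs", [])}
    if missing:
        problems.append("URLs missing: " + ", ".join(sorted(missing)))
    psso = payload.get("PlatformSSO")
    if not isinstance(psso, dict):
        return problems + ["PlatformSSO dictionary missing (SSO extension only)"]
    if psso.get("AuthenticationMethod") not in AUTH_METHODS:
        problems.append(f"AuthenticationMethod: {psso.get('AuthenticationMethod')!r}")
    if psso.get("UseSharedDeviceKeys") is not True:
        problems.append("UseSharedDeviceKeys is not true")
    return problems


def sample_profile(method="UserSecureEnclaveKey", urls=REQUIRED_URLS) -> bytes:
    """Constructed lab profile, standing in for a file exported from Jamf."""
    payload = dict(EXPECTED, URLs=sorted(urls),
                   PlatformSSO={"AuthenticationMethod": method,
                                "UseSharedDeviceKeys": True})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


if __name__ == "__main__":
    for problem in lint_psso_profile(sample_profile(method="Passwrod")):
        print("FAIL", problem)
```

Pass the bytes of the profile you build for the Macs to lint_psso_profile; an empty list means every check passed.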