Overview
A biotech's rapid hiring wave left many remote endpoints unmanaged or inconsistently configured. Windows and macOS devices were enrolled in different tools, some never enrolled at all, and access to SaaS and VPN relied on passwords rather than on device posture. Helpdesk escalations spiked for onboarding and remediation, while Security lacked a reliable view of the fleet. Intelligex consolidated management with Microsoft Intune and Jamf Pro, standardized compliance policies, and fed device posture into Microsoft Entra Conditional Access. Exceptions flowed through a governed approval path. Noncompliant devices decreased, escalations eased, and Security gained clear visibility, without replacing the company's identity, collaboration, or endpoint platforms.
Client Profile
- Industry: Biotechnology (research, clinical, and G&A functions)
- Company size (range): Distributed workforce with remote labs, field teams, and corporate staff
- Stage: Mixed Windows and macOS fleet; ad hoc MDM enrollment; identity in Microsoft Entra ID; VPN and key SaaS apps accessed without consistent device checks
- Department owner: IT & Infrastructure (Endpoint Engineering and Identity)
- Other stakeholders: Security Operations, HR/Onboarding, Procurement, Networking/VPN, Helpdesk, Research IT, Internal Audit
The Challenge
Endpoints arrived through different channels with varying setup steps. Some laptops shipped directly to hires, others were repurposed or sourced quickly for contractors. Windows devices might or might not join Intune, and macOS enrollment into Jamf Pro depended on who provisioned the device. Encryption, OS versions, firewall state, and local admin rights varied. Helpdesk saw recurring tickets for Wi-Fi and VPN profiles, browser trust stores, and corporate certificates, with no consistent self-service path.
Access controls assumed trust rather than confirming device posture. Users authenticated to SaaS and VPN based on credentials and MFA, but Conditional Access policies were not tied to compliance signals from the device. BYOD and lab-attached endpoints complicated the picture, and Security lacked a unified inventory with ownership, compliance status, and remediation tracking. Exceptions lived in email threads, and auditors asked for clearer evidence that device standards were enforced.
Why It Was Happening
Root causes were fragmented enrollment and the absence of a canonical compliance model. Devices could bypass automated enrollment paths, and there was no shared rule set for encryption, OS baselines, and threat protection that applied across platforms. Microsoft Entra Conditional Access was configured, but device compliance was not attached to access for key apps. Enrollment relied on instructions and manual follow-up, so posture drifted as people moved teams or changed hardware.
Ownership and timing were misaligned. HR kicked off hires, Procurement shipped devices, Helpdesk guided setup, Endpoint Engineering owned MDM, and Identity owned access policies. Without a pipeline that connected enrollment, compliance, posture signals, and access decisions, with a governed exception path, drift accumulated and remediation depended on tickets.
The Solution
Intelligex implemented a consolidated endpoint posture program anchored on Microsoft Intune for Windows and mobile, Jamf Pro for macOS, and Microsoft Entra Conditional Access for enforcement. Automated enrollment paths were standardized (Windows Autopilot and Apple Automated Device Enrollment), compliance policies were aligned to security standards, and device compliance fed Conditional Access decisions for SaaS and VPN. Self-service portals handled common fixes, and exceptions for research or lab scenarios followed maker-checker approvals. The design leveraged Microsoft Intune, Jamf Pro, the Intune-Jamf compliance connector (Jamf device compliance with Intune), and Microsoft Entra Conditional Access.
- Integrations: Intune for Windows and mobile; Jamf Pro for macOS; Jamf-Intune compliance connector to share macOS posture; Microsoft Entra Conditional Access for enforcement; Apple Business Manager and Windows Autopilot for automated enrollment; VPN and SaaS app scopes updated to honor device compliance.
- Enrollment and provisioning: Standardized zero-touch enrollment for corporate devices; clear BYOD enrollment paths with limited scopes; certificate, Wi-Fi, and VPN profiles delivered via MDM; local admin rights managed by policy.
- Compliance policies: Encryption and secure boot, OS baseline and updates, firewall and disk protection, threat protection signals, screen lock and password policy; platform-specific checks aligned to a common standard.
- Conditional access: Access to critical SaaS and VPN conditioned on compliant or registered devices; per-app controls and network location awareness; step-up or limited access paths for remediation.
- Self-service and remediation: Company Portal and Jamf Self Service workflows for common fixes; automated remediation where safe; guided steps for users with status feedback.
- Exception workflow: Maker-checker approvals for lab instruments, shared kiosks, and research edge cases; time-bound exceptions with rationale and review dates; logging and dashboards for visibility.
- Observability and reporting: Unified device inventory with ownership and posture; dashboards for compliance posture, exception aging, and enrollment gaps; alerts for drift and stale devices.
- Security and privacy: Role-based access to device data; minimal collection for BYOD; alignment with privacy expectations and regional requirements.
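The compliance, conditional-access and exception items above describe one decision path: platform-specific posture from Intune and Jamf Pro is normalized to a common standard, the result drives an access decision per app sensitivity, and a maker-checker exception can bridge the gap for a bounded time. The following Python is an added example of that logic written for this page; it is not Intelligex's, Microsoft's or Jamf's code. The record field names (`bitlocker`, `filevault`, `last_sync`, and so on), the OS baselines and the check-in window are constructed for illustration and do not mirror the Intune or Jamf Pro APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Common standard. The page names the check categories (encryption, secure boot,
# OS baseline, firewall, threat protection, screen lock) but not the values;
# the thresholds below are constructed for this example.
COMMON_STANDARD = {
    "min_os": {"windows": (10, 0, 19045), "macos": (13, 0, 0)},
    "max_checkin_age_days": 7,
}


@dataclass
class Posture:
    """Platform-neutral view of one device's posture."""
    device_id: str
    platform: str                    # "windows" or "macos"
    registered: bool                 # device known to the identity provider
    encrypted: bool
    secure_boot: bool
    os_version: tuple
    firewall_on: bool
    threat_protection_healthy: bool
    screen_lock: bool
    last_checkin: datetime


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def from_intune(rec: dict) -> Posture:
    # Field names are constructed for this example, not the Intune API schema.
    return Posture(rec["id"], "windows", rec["azure_ad_registered"], rec["bitlocker"],
                   rec["secure_boot"], parse_version(rec["os"]), rec["firewall"],
                   rec["defender_healthy"], rec["lock_policy"], rec["last_sync"])


def from_jamf(rec: dict) -> Posture:
    # Field names are constructed for this example, not the Jamf Pro API schema.
    return Posture(rec["id"], "macos", rec["entra_registered"], rec["filevault"],
                   rec["secure_boot_full"], parse_version(rec["os"]), rec["app_firewall"],
                   rec["edr_healthy"], rec["screensaver_lock"], rec["last_inventory"])


def failed_checks(p: Posture, now: datetime) -> list:
    """Evaluate one device against the common standard; an empty list means compliant."""
    checks = [
        ("encryption", p.encrypted),
        ("secure_boot", p.secure_boot),
        ("os_baseline", p.os_version >= COMMON_STANDARD["min_os"][p.platform]),
        ("firewall", p.firewall_on),
        ("threat_protection", p.threat_protection_healthy),
        ("screen_lock", p.screen_lock),
        ("stale_checkin", now - p.last_checkin <= timedelta(days=COMMON_STANDARD["max_checkin_age_days"])),
    ]
    return [name for name, ok in checks if not ok]


@dataclass
class ApprovedException:
    device_id: str
    maker: str        # who requested the exception
    checker: str      # who approved it; must differ from the maker
    expires: datetime # review date after which the exception no longer applies
    rationale: str

    def is_valid(self, now: datetime) -> bool:
        return self.maker != self.checker and now < self.expires


def access_decision(sensitivity: str, p: Posture, exceptions: dict, now: datetime) -> dict:
    """Single decision path: critical apps and VPN need a compliant device (or a valid
    exception); other apps give registered-but-noncompliant devices limited access
    so the user can reach self-service remediation."""
    fails = failed_checks(p, now)
    if not fails:
        return {"grant": "full", "reason": "compliant", "remediate": []}
    exc = exceptions.get(p.device_id)
    if exc is not None and exc.is_valid(now):
        return {"grant": "full", "reason": "exception:" + exc.rationale, "remediate": fails}
    if sensitivity != "critical" and p.registered:
        return {"grant": "limited", "reason": "registered_noncompliant", "remediate": fails}
    return {"grant": "block", "reason": "noncompliant", "remediate": fails}


# Constructed sample records, one fleet snapshot at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INTUNE = [
    {"id": "WIN-001", "azure_ad_registered": True, "bitlocker": True, "secure_boot": True, "os": "10.0.19045",
     "firewall": True, "defender_healthy": True, "lock_policy": True, "last_sync": NOW - timedelta(days=1)},
    {"id": "WIN-002", "azure_ad_registered": True, "bitlocker": False, "secure_boot": True, "os": "10.0.19044",
     "firewall": True, "defender_healthy": True, "lock_policy": True, "last_sync": NOW - timedelta(days=2)},
]
SAMPLE_JAMF = [
    {"id": "MAC-001", "entra_registered": True, "filevault": True, "secure_boot_full": True, "os": "14.5",
     "app_firewall": True, "edr_healthy": True, "screensaver_lock": True, "last_inventory": NOW - timedelta(days=10)},
    {"id": "LAB-MAC-007", "entra_registered": True, "filevault": True, "secure_boot_full": True, "os": "12.7.5",
     "app_firewall": True, "edr_healthy": False, "screensaver_lock": True, "last_inventory": NOW - timedelta(hours=6)},
]
EXCEPTIONS = {
    "LAB-MAC-007": ApprovedException("LAB-MAC-007", "research-it", "secops",
                                     NOW + timedelta(days=30), "instrument controller"),
}


def run_sample(sensitivity: str = "critical") -> dict:
    """Normalize both MDM feeds and decide access for every device at NOW."""
    postures = [from_intune(r) for r in SAMPLE_INTUNE] + [from_jamf(r) for r in SAMPLE_JAMF]
    return {p.device_id: access_decision(sensitivity, p, EXCEPTIONS, NOW) for p in postures}
```

Running `run_sample("critical")` blocks WIN-002 (no encryption, OS below baseline) and MAC-001 (no check-in for ten days), grants WIN-001 as compliant, and grants LAB-MAC-007 through its exception while still reporting what needs remediation. With `run_sample("standard")` the registered but noncompliant devices drop to limited access instead of being blocked, which is the path that routes a user to self-service.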
Implementation
- Discovery: Cataloged device types, current MDM coverage, and enrollment paths; inventoried access policies and target apps; reviewed helpdesk patterns and common remediation steps; gathered Security requirements and lab constraints; identified exception scenarios.
- Design: Defined automated enrollment and BYOD scopes; authored platform-specific compliance policies and a common standard; mapped device posture to Conditional Access per app and network; designed self-service flows; specified exception categories, approvals, and expirations; planned dashboards and alerting.
- Build: Configured Autopilot and Apple Automated Device Enrollment; implemented Intune and Jamf Pro policies and profiles; enabled the Jamf-Intune compliance connector; built Conditional Access policies and app assignments; created self-service remediation; wired approvals and logging.
- Testing/QA: Ran in shadow mode with pilot cohorts: enforced policies on a subset of users and apps; validated enrollment, compliance, and access flows; tuned remediation steps and exception handling; confirmed privacy and regional settings with stakeholders.
- Rollout: Expanded by cohort and app sensitivity, starting with corporate devices and critical SaaS; moved VPN enforcement after pilot stability; kept legacy access paths as a controlled fallback until posture signals stabilized; enabled mandatory reviews for exceptions after training.
- Training/hand-off: Delivered sessions for Helpdesk, Endpoint Engineering, and Security on enrollment, compliance, and exception handling; provided user-facing guides for self-service; updated SOPs for onboarding, device swaps, and contractor workflows; transferred policy ownership and dashboards to Endpoint Engineering and Security under change control.
- Human-in-the-loop review: Established recurring reviews to assess exception trends, policy tuning, enrollment gaps, and app coverage; decisions recorded with rationale and effective dates.
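The dashboards and alerting planned in the design step, and the recurring review of enrollment gaps and exception trends, depend on joining three data sets: what the directory knows, what each MDM reports, and the exception register. The Python below is an added example of that join, written for this page rather than taken from Intelligex or from any vendor. The directory, MDM and exception records are constructed samples, and the 30-day stale threshold and 14-day expiry warning are assumed values the page does not state.

```python
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example; the page gives no figures.
STALE_AFTER_DAYS = 30
EXCEPTION_WARN_DAYS = 14

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample data: devices the directory knows about, what each MDM
# reports for them, and the exception register kept by the approval workflow.
DIRECTORY = {
    "WIN-001": "alice", "WIN-002": "bob", "MAC-001": "carol",
    "MAC-002": "dave", "LAB-MAC-007": "research-it",
}
MDM = {
    "WIN-001": {"source": "intune", "compliant": True, "last_checkin": NOW - timedelta(days=1)},
    "WIN-002": {"source": "intune", "compliant": False, "last_checkin": NOW - timedelta(days=45)},
    "MAC-001": {"source": "jamf", "compliant": True, "last_checkin": NOW - timedelta(days=3)},
    "LAB-MAC-007": {"source": "jamf", "compliant": False, "last_checkin": NOW - timedelta(hours=6)},
}
EXCEPTIONS = [
    {"device_id": "LAB-MAC-007", "expires": NOW + timedelta(days=5), "rationale": "instrument controller"},
    {"device_id": "KIOSK-01", "expires": NOW - timedelta(days=3), "rationale": "shared kiosk"},
]


def enrollment_gaps(directory: dict, mdm: dict) -> list:
    """Devices the directory knows about that no MDM reports on."""
    return sorted(set(directory) - set(mdm))


def stale_devices(mdm: dict, now: datetime, days: int = STALE_AFTER_DAYS) -> list:
    """Managed devices that have not checked in within the window (posture drift risk)."""
    cutoff = now - timedelta(days=days)
    return sorted(d for d, rec in mdm.items() if rec["last_checkin"] < cutoff)


def exception_aging(exceptions: list, now: datetime, warn_days: int = EXCEPTION_WARN_DAYS) -> list:
    """Classify each exception as active, expiring soon, or already expired."""
    rows = []
    for exc in exceptions:
        remaining = (exc["expires"] - now).days
        if remaining < 0:
            status = "expired"
        elif remaining <= warn_days:
            status = "expiring"
        else:
            status = "active"
        rows.append({"device_id": exc["device_id"], "days_remaining": remaining, "status": status})
    return rows


def build_dashboard(directory: dict, mdm: dict, exceptions: list, now: datetime) -> dict:
    """Unified inventory with ownership and posture, plus the counts a dashboard shows."""
    inventory = {}
    for device_id, owner in directory.items():
        rec = mdm.get(device_id)
        inventory[device_id] = {
            "owner": owner,
            "source": rec["source"] if rec else None,      # None = enrollment gap
            "compliant": rec["compliant"] if rec else None,
        }
    return {
        "inventory": inventory,
        "compliant": sum(1 for rec in mdm.values() if rec["compliant"]),
        "noncompliant": sum(1 for rec in mdm.values() if not rec["compliant"]),
        "unenrolled": enrollment_gaps(directory, mdm),
        "stale": stale_devices(mdm, now),
        "exceptions": exception_aging(exceptions, now),
    }


def alerts(dashboard: dict) -> list:
    """Human-readable alert lines for drift, stale devices and exception aging."""
    out = []
    for d in dashboard["unenrolled"]:
        out.append(f"enrollment gap: {d} (owner {dashboard['inventory'][d]['owner']})")
    for d in dashboard["stale"]:
        out.append(f"stale device: {d}")
    for e in dashboard["exceptions"]:
        if e["status"] != "active":
            out.append(f"exception {e['status']}: {e['device_id']} ({e['days_remaining']} days)")
    return out
```

On the sample data `build_dashboard` flags MAC-002 as an enrollment gap (in the directory, in no MDM), WIN-002 as stale, the lab exception as expiring within the warning window and the kiosk exception as already expired; `alerts` turns those into the four lines a reviewer would see at the recurring review.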
Results
Endpoints moved into consistent management with automated enrollment and clear platform ownership. Compliance policies enforced encryption, baseline OS versions, and threat protection across Windows and macOS, and device posture informed access to critical SaaS and VPN. Users resolved common issues through self-service, and Helpdesk escalations dropped as remediation became predictable.
Security and operations gained visibility. A unified inventory showed which devices were compliant, which required action, and where exceptions applied. Conditional Access aligned access with device health, and exception approvals were time-bound and traceable. Intune, Jamf, and Entra ID remained the core stack; the addition was a governed posture and access layer that tied enrollment, compliance, and Conditional Access together.
What Changed for the Team
- Before: Devices enrolled inconsistently or not at all. After: Zero-touch enrollment and clear BYOD paths standardized setup.
- Before: Access relied on credentials alone. After: Conditional Access required compliant devices for key apps and VPN.
- Before: Remediation required tickets and screen-shares. After: Self-service portals fixed common issues with status feedback.
- Before: Compliance standards varied by team. After: A common policy set applied across Windows and macOS with platform-specific checks.
- Before: Exceptions lived in email. After: Maker-checker approvals were time-bound and logged with dashboards.
- Before: Security lacked a full device view. After: Unified inventory showed ownership, posture, and drift in one place.
Key Takeaways
- Unify device management; use Intune and Jamf as a coordinated foundation rather than parallel silos.
- Connect posture to access; make Conditional Access dependent on device compliance for sensitive apps and VPN.
- Standardize policies; align encryption, OS baselines, and threat protection under one governance model.
- Design for remediation; provide self-service and automated fixes before routing to Helpdesk.
- Govern exceptions; approve, time-bound, and monitor edge cases to prevent drift.
- Integrate, don't replace; keep identity, MDM, and collaboration tools and add a posture and access orchestration layer.
FAQ
What tools did this integrate with? Microsoft Intune managed Windows and mobile devices (Intune), Jamf Pro managed macOS (Jamf Pro), and the Jamf-Intune connector shared macOS compliance to drive access decisions (Jamf device compliance with Intune). Microsoft Entra Conditional Access enforced device-based access controls (Conditional Access). Apple Business Manager and Windows Autopilot supported automated enrollment.
How did you handle quality control and governance? Compliance baselines and Conditional Access policies lived under change control with owners, rationale, and effective dates. The exception process required maker-checker approvals with time-bound expirations. All enrollment events, compliance evaluations, access decisions, and approvals were logged, and dashboards tracked posture, drift, and exception aging.
How did you roll this out without disruption? The program ran pilots first, enforcing compliance and access on selected cohorts and apps. Legacy access paths remained as a controlled fallback while remediation and exception handling were tuned. Rollout expanded by app sensitivity and device ownership, and enforcement tightened only after training and stable signals.
How did Conditional Access and device compliance interact? Compliance signals from Intune and Jamf Pro (via the connector) informed Conditional Access. Sensitive apps and VPN required compliant or registered devices; others allowed limited access or remediation paths. Policies considered platform and network context and routed noncompliant users to self-service where possible.
How did you handle BYOD, contractors, and lab devices? BYOD used a scoped enrollment with minimal data collection and access limited to approved apps. Contractors followed the same enrollment and compliance flow as corporate devices where policy required. Lab instruments and shared kiosks requested exceptions through the approval workflow with time-bound access and documented compensating controls.
What did users see during remediation? Users received clear prompts through Company Portal or Jamf Self Service with steps to regain compliance, such as enabling encryption, installing updates, or applying profiles. Status messages indicated progress, and unresolved items opened a guided Helpdesk path with device context included.
How were macOS and Windows kept in sync on standards? A common standard defined encryption, OS, and protection requirements. Platform-specific policies in Jamf Pro and Intune implemented those requirements with equivalent controls, and posture fed a single access decision path through Conditional Access.