u/intheloopdoor

Jamf MDM sending device posture signals to Google Workspace on macOS with Google as the IdP

Google Workspace Enterprise is our IdP, and we use Google login for everything in our company.

I bought the full Jamf stack (Jamf Pro / Jamf for macOS / Jamf for Mobile / basically all Jamf tools). Our macOS devices will be fully enrolled in Jamf, and mobile devices like iPhone/iOS and Android devices will be BYOD with Jamf.

I already watched Jamf 100 / Jamf 140 on YouTube and read the Jamf KB and Google docs, but I still want to validate the correct/supported design.

I already enrolled all MacBooks in Apple Business Manager. I already installed and pushed Jamf successfully.

I am just struggling with this: I am not able to send signals from Jamf MDM to Google IdP.

My goal is very simple: when a user enters their Google username/password for Gmail, Docs, Calendar, etc., I want Google IdP / Context-Aware Access to check only one extra thing from Jamf MDM: device posture = true/false. Nothing else.

My questions (and my unsure answers, if that is helpful for someone):

  1. Is Chrome + Endpoint Verification the only supported way on macOS? Is that needed only once for initial registration, or must Chrome + Endpoint Verification stay installed/running all the time? For iPhone/iOS BYOD (and Android BYOD), where there is no equivalent Chrome + Endpoint Verification flow, how is this supposed to work? ===> My answer: "Yes, this is the only way and you must use Google Chrome and Endpoint Verification on macOS all the time. For mobile you don't have Endpoint Verification, but you use the Gmail native app instead to send signals."
  2. Is there any native Jamf Pro / Jamf MDM → Google Workspace / CAA integration that sends only the compliance signal without depending on Chrome? ===> My answer: "No. Endpoint Verification on macOS asks Jamf MDM for the true/false posture signal. Jamf MDM can't send signals directly to Google."
  3. For a new employee / brand new Mac, how do you avoid the chicken-and-egg problem on the first Google login? What is the correct onboarding flow? ===> I don't know this, I am lost here.
  4. Can Jamf still provide a supported true/false compliance signal to Google Workspace for those BYOD devices? ===> "No. But I don't understand why or how."

I’m mainly trying to understand the official/supported way to configure this successfully end-to-end.

Thanks!

reddit.com
u/intheloopdoor — 4 days ago