MDM (not Intune) cannot report compliance status (to Azure AD) of a device currently being managed
I have successfully enrolled a Device (Windows 10 Pro Version 1803) to our own MDM by authenticating an Azure AD user. Next I have to tell Azure AD that the device is managed by our MDM and that is where the problem happens.
The PATCH that I do is the same as in the documentation: https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm#report-device-compliance-to-azure-ad
The error I got is: Resource 'xyz' does not exist or one of its queried reference-property objects are not present.
What I have done so far is:
OnPremise App, set its Terms Of Use URL, Discovery URL, generate a secret. Also configured MDM User scope to Some and selected a group where my users are member of.
Bearer Token and extract the Device ID (eg xyz), which is the same as the one on the Azure AD portal once the device is successfully managed.
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/devices/xyz?api-version=1.0 HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json

{ "isManaged":true, "isCompliant":true }
But I got the error described above.
I have tested different Device IDs as well, such as the one Windows 10 shows on Settings => System => About, or the one that is present on the element ContextItem attribute DeviceID in the Request Security Token request during enrollment.
The bearer token I use in the PATCH above is retrieved from Microsoft Graph when the registered MDM app (using its credentials such as appid, secret, etc.) authenticates itself to Azure AD.
Would you please help me find the source of this error, or maybe give me some hints in order to solve this. I'd appreciate it a lot.
Thanks in advance.
The deviceId of a Device object in Azure AD is often confused with the object's objectId attribute. (The latter is known as objectId in Azure AD Graph, and as id in Microsoft Graph. In both cases, deviceId is a different property.)
In a GET request for a single Device object with Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices/{object-id}
The field identified by {object-id} is not the deviceId attribute of the Device object, it's the objectId attribute.
If you don't already have the Device object's objectId value, but you do have the deviceId, you can use either Azure AD Graph or Microsoft Graph to do the appropriate lookup. With Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices?$filter=deviceId eq '{device-id}'
With Microsoft Graph, you would use:
GET https://graph.microsoft.com/v1.0/devices?$filter=deviceId eq '{device-id}'
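As an added example (not code from the question or the answer), here is the lookup-then-PATCH flow the answer describes, done against Microsoft Graph in Python: resolve the object id from the deviceId with the $filter query, then PATCH isManaged/isCompliant on that object id rather than on the deviceId. The HTTP transport is injectable, so the same functions also run offline against a constructed stand-in for the two Graph responses; the token, device id and object id values are placeholders.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"

def http_json(method, url, token, body=None):
    """Real transport: one HTTPS call, returning (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    with urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def resolve_object_id(device_id, token, transport=http_json):
    """Return the id (objectId) of the device whose deviceId attribute matches, or None.
    Graph answers an unknown deviceId with an empty 'value' list, not with a 404."""
    filter_expr = quote(f"deviceId eq '{device_id}'")
    status, body = transport("GET", f"{GRAPH}/devices?$filter={filter_expr}", token)
    hits = body.get("value", []) if status == 200 and body else []
    return hits[0]["id"] if hits else None

def report_compliance(device_id, token, managed=True, compliant=True, transport=http_json):
    """PATCH isManaged/isCompliant on the object id, never on the deviceId.
    Returns the patched object id, or None if the device was not found."""
    object_id = resolve_object_id(device_id, token, transport)
    if object_id is None:
        return None
    status, _ = transport("PATCH", f"{GRAPH}/devices/{object_id}", token,
                          {"isManaged": managed, "isCompliant": compliant})
    if status != 204:  # Graph returns 204 No Content on a successful device PATCH
        raise RuntimeError(f"PATCH failed with HTTP {status}")
    return object_id

# Constructed stand-in for the two Graph calls so the flow runs offline; ids are placeholders.
FAKE_DEVICE_ID = "11111111-1111-1111-1111-111111111111"  # shown in Windows Settings / enrollment
FAKE_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # the directory object's id (objectId)
CALLS = []

def fake_transport(method, url, token, body=None):
    CALLS.append((method, url, body))
    if method == "GET":
        found = quote(f"deviceId eq '{FAKE_DEVICE_ID}'") in url
        return 200, {"value": [{"id": FAKE_OBJECT_ID, "deviceId": FAKE_DEVICE_ID}] if found else []}
    if url.endswith("/devices/" + FAKE_OBJECT_ID):
        return 204, None
    return 404, {"error": {"message": "Resource does not exist"}}  # e.g. a PATCH by deviceId
```

Call report_compliance(FAKE_DEVICE_ID, "placeholder-token", transport=fake_transport) to see the offline flow; with the default transport and a real app token it performs the two Graph requests.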