UEM Tags

Jamf Protect Documentation
Solution
Application
Content Type
Technical Documentation
Utilities & Services
ft:locale
en-US
The UEM policies to apply are identified by UEM tags. A UEM tag in Jamf Security Cloud is equivalent to:

  • An Azure AD Group in Microsoft Intune

  • An Extension Attribute in Jamf Pro

You can assign UEM tags to one or more data usage policy events so that the UEM policies can be applied.

  • The UEM policies are applied when the event occurs.

  • The UEM policies no longer apply when the event ends.

When your UEM service is integrated and a data usage policy is configured, the UEM Signaling option is visible on the Data usage policy page.

UEM Tag Assignment

You can assign UEM tags to the following events:

  • Device reaches the threshold

    The selected UEM tags are applied once the device is on this data usage policy and the device data consumption exceeds the threshold limit. Once the data consumption goes back under the threshold, the selected UEM tags are removed from the device.

  • Device starts using this policy

    The selected UEM tags are applied every time a device is on this data policy. Once the device is no longer on this data policy, the selected UEM tags are removed from the device by the UEM solution.

UEM tags are applied when the assigned data usage policy event occurs. Applying a UEM tag is an automated action.

For Microsoft Intune, it comprises the following steps:

  1. Microsoft Intune adds the device to an Azure AD Group (identified by the UEM tag name).

  2. Microsoft Intune applies all policies that are assigned to the group.

Note:

This works only for devices enrolled in Microsoft Intune. Note that Microsoft Intune or a device platform can have additional constraints for applying UEM Policies.

For Jamf Pro, it comprises the following steps:

  1. Jamf Pro assigns an extension attribute to the device.

  2. Jamf Pro assigns the device to smart device groups that contain the extension attribute in their criteria.

  3. Jamf Pro applies all policies that are assigned to the smart device groups.

Note:

This works only for iOS and iPadOS devices.

UEM Tag Removal

Removing a UEM tag from a device happens after a data usage policy event ends. Removing a UEM tag in your UEM solution is an automated action.

For Microsoft Intune, it consists of the following steps:

  1. Microsoft Intune removes the device from the Azure AD Group (identified by the UEM tag name).

  2. Microsoft Intune stops applying all policies that are assigned to the group.

    Warning:

    Any Azure group can be used as a UEM Tag for data usage policy event assignment, including Azure groups used for enrollment and any other use cases. This can have serious consequences if such groups are used for data usage policy event assignment, because removing a UEM tag also removes a device from the group. This can have a negative impact on any functionality dependent on such groups.

For Jamf Pro, it comprises the following steps:

  1. Jamf Pro removes an extension attribute assignment from the device.

  2. As a consequence, Jamf Pro removes the device from smart device groups that contain the extension attribute in their criteria.

  3. Jamf Pro stops applying all policies that are assigned to the smart device groups.