Endpoint Management Integrations
ConcertoGRC integrates with three MDM (Mobile Device Management) providers to sync device inventory, monitor compliance posture, and track encryption and security status across your fleet.
Supported Providers
| Provider | Platform Focus | Connection Method |
|---|---|---|
| Microsoft Intune | Cross-platform (Windows, macOS, iOS, Android) | Microsoft Graph API via admin consent |
| Jamf Pro | Apple devices (macOS, iOS, iPadOS) | API credentials (URL + token) |
| SimpleMDM | Apple devices (macOS, iOS) | API key |
What You Get
Device Inventory
All managed devices are synced into the Endpoint Management module with:
- Device name, model, OS version, and serial number
- Enrollment date and last check-in time
- Assigned user (matched to AccessPersonnel when possible)
Compliance Monitoring
Each device is evaluated against compliance policies you define in ConcertoGRC:
| Check | Description |
|---|---|
| Disk encryption | FileVault (macOS), BitLocker (Windows), device encryption (iOS/Android) |
| Firewall | Host firewall enabled status |
| Passcode | Device passcode/PIN configured |
| OS version | Minimum OS version compliance |
| Last check-in | Stale device detection (no check-in within threshold) |
Dashboard Metrics
The Endpoint Management dashboard provides:
- Overall compliance rate across all devices
- Encryption coverage percentage
- Stale device count (no recent check-in)
- Compliance trend over time
- Per-policy pass/fail breakdown
Setup
Microsoft Intune
The Intune integration uses the same Microsoft 365 admin consent flow as the identity provider integration.
- Navigate to Integrations and find the Microsoft Intune card
- Click Connect and complete admin consent (if not already connected via Microsoft 365)
- The integration requires the DeviceManagementManagedDevices.Read.All Graph API permission
- Devices begin syncing on the next scheduled cycle
Jamf Pro
- In your Jamf Pro admin console, create an API role with read-only access to computer and mobile device inventory
- Create an API client with that role and generate credentials
- In ConcertoGRC, navigate to Integrations and find the Jamf Pro card
- Enter your Jamf Pro URL (e.g., https://yourcompany.jamfcloud.com) and API credentials
- Click Test Connection
SimpleMDM
- In your SimpleMDM admin panel, navigate to Settings → API and generate an API key
- In ConcertoGRC, navigate to Integrations and find the SimpleMDM card
- Enter the API key
- Click Test Connection
Sync Behavior
- Frequency: Every 6 hours
- Deduplication: Devices are matched by serial number; duplicate enrollments update the existing record
- User mapping: Device assigned-user email is matched against AccessPersonnel records
- Compliance evaluation: Compliance policies are evaluated against device attributes after each sync
- Snapshots: Point-in-time compliance snapshots are stored for historical tracking and evidence generation
Compliance Policies
Compliance policies define the rules devices must meet. Create policies from Endpoint Management → Policies:
- Rule-based: Define conditions based on device attributes (encryption enabled, OS version >= X, last check-in within Y days)
- Scope: Apply policies to all devices or filter by platform (macOS, Windows, iOS, Android)
- Remediation: Non-compliant devices are flagged in the dashboard; remediation is handled through your MDM provider
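The following added example (not ConcertoGRC's own code) sketches how serial-number deduplication and rule-based, platform-scoped policy evaluation fit together after a sync. The field names, rule names, sample devices, and the "most recent check-in wins" tie-break are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names are assumptions, not ConcertoGRC's schema.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEVICES = [
    {"serial": "C02AAA", "source": "jamf", "platform": "macOS", "os": "14.10",
     "encrypted": True, "last_checkin": NOW - timedelta(days=1)},
    {"serial": "C02AAA", "source": "intune", "platform": "macOS", "os": "14.2",
     "encrypted": True, "last_checkin": NOW - timedelta(days=9)},  # duplicate enrollment
    {"serial": "C02BBB", "source": "simplemdm", "platform": "macOS", "os": "14.9",
     "encrypted": False, "last_checkin": NOW - timedelta(days=2)},
    {"serial": "W10CCC", "source": "intune", "platform": "Windows", "os": "10.0.19045",
     "encrypted": True, "last_checkin": NOW - timedelta(days=45)},
]
POLICIES = [  # platforms=None means the policy applies to all devices
    {"name": "encryption", "platforms": None, "rule": ("encrypted", True)},
    {"name": "macos-min-os", "platforms": {"macOS"}, "rule": ("min_os", "14.9")},
    {"name": "fresh-checkin", "platforms": None, "rule": ("max_age_days", 30)},
]

def version_tuple(v):
    # Compare numerically: as strings "14.10" < "14.9", which would misreport compliance.
    return tuple(int(p) for p in v.split("."))

def dedupe(devices):
    """Match by serial number; the most recent check-in wins (assumed tie-break)."""
    return {d["serial"]: d for d in sorted(devices, key=lambda d: d["last_checkin"])}

def check(device, rule, now):
    kind, want = rule
    if kind == "encrypted":
        return device["encrypted"] is want
    if kind == "min_os":
        return version_tuple(device["os"]) >= version_tuple(want)
    if kind == "max_age_days":  # stale device detection
        return now - device["last_checkin"] <= timedelta(days=want)
    raise ValueError(f"unknown rule {kind}")

def evaluate(devices, policies, now=NOW):
    """Return {serial: [names of failed in-scope policies]}."""
    return {s: [p["name"] for p in policies
                if (p["platforms"] is None or d["platform"] in p["platforms"])
                and not check(d, p["rule"], now)]
            for s, d in dedupe(devices).items()}

def compliance_rate(results):
    # Share of devices with no failed policy, as shown on a dashboard.
    return sum(1 for failed in results.values() if not failed) / len(results)
```

With the constructed data, the duplicate macOS enrollment collapses to one record, the Windows device is exempt from the macOS-only OS rule but fails the stale check-in rule, and one of three devices is fully compliant.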
Multiple Providers
You can connect multiple MDM providers simultaneously. Devices from all providers appear in a unified inventory with source filtering. This is useful for organizations that use Intune for Windows/cross-platform and Jamf Pro for Apple-specific management.