Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a new recent addition to the Intune family and is a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.


Choose Intune App Protection and select All Settings in the Intune mobile application management blade.


Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.


The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.


Select the user groups that should receive the policy.

OK, so what does this look like on a device. For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.


SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.


SharePlus cannot have Intune app protection policies applied so it will not be possible to authenticate the app to access SharePoint. An error is encountered. It isn't a very clear or intuitive error message but the functionality is perfect. Access is prevented by the app-based CA policy.


Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......


Stay secure using Skycure integration with Microsoft Intune

Skycure is one of the industry leaders in Mobile Threat Defense and the platform is very effective at proactively protecting mobile devices from a broad range of known and unknown threats.

Skycure can now integrate with Microsoft Enterprise Mobility + Security, which allows enterprises to secure mobile devices by leveraging data from three dimensions – user identity, device identity and real-time risk. This integration with Intune and Azure Active Directory allows administrators to dynamically control mobile access to corporate resources and data based on Skycure’s real-time risk and compliance analysis. It looks like an exciting partnership for Microsoft.


So, how does it work?

You install the Skycure mobile app on Android and iOS devices. The app captures file system, network stack, device and application telemetry, and sends it to the Skycure cloud service to assess the device's risk for mobile threats.

Intune compliance policies now include a rule for Skycure mobile threat defense, which is based on the Skycure risk assessment. If the device is found to be non-compliant, access to resources like Exchange Online and SharePoint Online are blocked. Users on blocked devices receive guidance from the Skycure mobile app to resolve the issue and regain access to corporate resources.

How can I get started?

The solution is supported on Android 4.1 and later and iOS 8 and later.

You will also need the following subscriptions:
  • Azure Active Directory Premium
  • Microsoft Intune
  • Skycure Mobile Threat Defense subscription (get a trial here)

Steps to configure the solution:
  1. Configure Skycure to use Azure Active Directory Single Sign On (SSO) - enter your Azure tenant ID in the Skycure Management console.
  2. Download Skycure iOS app configuration policy - log in to the Skycure Management Console to download the iOS app configuration policy.
  3. Add Skycure apps, Microsoft Authenticator and iOS app configuration policy - add the apps and the policy in the Intune portal.
  4. Deploy Skycure apps, Microsoft Authenticator and iOS app configuration policy - deploy the apps and policy to your users.
  5. Set up Skycure integration with Intune - add Skycure apps into Azure AD to have Single Sign On capabilities. Configure the Intune connector in the Skycure Management console.
  6. Enable Skycure Mobile Threat Defense in Intune - configure the Skycure and Intune integration in the Intune administrator console
  7. Create Skycure Mobile Threat Defense compliance policy in Intune - create Skycure compliance policy in the Intune console and apply to conditional access policy.
You can read more about this exciting new development in the official documentation

Until next time......