Wednesday, 27 March 2024

macOS management with Intune - activation lock

Back to main macOS page

You can set up Find My on your Mac so you can locate it and protect it if it’s ever lost or stolen. You can also share your location with others. When you add your Mac to Find My, Activation Lock is automatically turned on. After it's enabled, the user's Apple ID and password must be entered before anyone can:

  • Turn off Find My Mac
  • Erase the device
  • Reactivate the device

While Activation Lock helps secure Apple devices and improves the chances of recovering a lost or stolen device, this capability can present you, as an IT admin, with many challenges. For example:

  • A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without the user's Apple ID and password, there's no way to reactivate the device.
  • You want to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that don't have Activation Lock enabled.

To help solve these problems, Apple introduced the ability to disable Activation Lock for supervised devices (macOS 10.15 or later), without the user's Apple ID and password. Supervised devices generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server. Intune supports this feature.


First I want to check the current Activation Lock status on my test Mac. For that we need System Information. Click on Alt (or Options) at the same time as the Apple logo to expose System Information on the menu. Then look in the hardware section. I've highlighted where the Activation Lock status should be, but it's not there. Why is that? It's because my Mac doesn't support the feature. Activation Lock is available on all Apple silicon Macs. But on devices that use Intel chips the feature is restricted to models with an Apple T2 Security Chip, running macOS Catalina or later. So as an example, a non-T2 Intel Mac—such as the MacBook Air (2017)—will not support Activation Lock. You can see from the screenshot that my device has a Dual-Core Intel Core i5.

We can still see how this is supposed to work. On the test device I've turned on Location Services (System Preferences > Security & Privacy > Enable Location Services). This is a requirement for Find My Mac.

Find My Mac can be found in the Applications list.


Find My Mac will want to use location services. It will be turned on but cannot enable activation lock on my test device.

Have a look at the hardware properties of the device in Intune. Under Conditional Access we can see that the device is supervised. We can also see that the Activation lock bypass code field is not populated. 

There are two methods to disabling Activation Lock on devices:
  • Manually entering the Activation Lock bypass code on the device
  • Using the Disable Activation Lock device action

Let's use the device action and click Disable action lock.


We have to accept the warning about disabling action lock. Click Yes.


That would then disable action lock on the device. As expected it has failed on my test Mac device.

I hope this helps. Until next time......

Tuesday, 19 March 2024

macOS management with Intune - Gatekeeper

Back to main macOS page

Next up we'll talk about Gatekeeper. By default, Gatekeeper helps to ensure that all macOS installed software has been signed by the App Store or signed by a registered developer and notarized by Apple. It verifies that the software is free of known malicious content and hasn’t been altered.

We'll start with a macOS configuration profile. Navigate to Devices > macOS > Configuration Profiles and select Create new policy.


Choose Templates as the Profile type and select Endpoint Protection.


Enter a name for the policy and click Next.


We'll see two settings to configure. You are given the following options for "Allow apps downloaded from these locations"
  • Not configured (default)
  • Mac App Store
  • Mac App Store and identified developers
  • Anywhere
This is to limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to protect devices from malware, and allow apps from only the sources you trust.



I've chosen Mac App Store for now. There is a second setting to configure "Do not allow user to override Gatekeeper". This prevents users from overriding the Gatekeeper setting, and prevents users from Control-clicking to install an app. When enabled, users can't Control-click any app to install it. I want this so I've selected Yes.


I'm assigning this policy to my group of Mac devices.


Select Create. The policy will then be assigned.


In Intune, I can see that the policy has been successfully deployed to my test device.


I can see that each of the two settings was successfully applied to the device.


On the device you can navigate to System Preferences > Profiles. There are two new profiles. The first one disallows apps by identified developers.


The second one disallows the opening of untrusted apps i.e. not downloaded from the Mac App Store. 


Navigate to System Preferences > Security and Privacy and we can see the configuration. Only allow apps downloaded from the App Store. The setting is greyed out and cannot be changed, even by an administrator on the device.


See what happens when launching an app that was downloaded from the Internet. It can't be opened because it was not downloaded from the App Store. That's what we want.

I hope this helps. Until next time.....

Friday, 8 March 2024

First look at Microsoft Entra Private Access

Flexible work arrangements and accelerating digital transformation have changed the way we need to secure access. Organizations need an easier, more agile approach to protecting access to all applications and resources. Traditional network security approaches like VPNs don’t scale to these modern demands, they don’t give end users a good experience, and they grant excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to access and laterally move anywhere inside your network. Neither identity nor network security controls alone can fully protect all access points. Even if you’ve adopted modern but disjointed access solutions you may leave security gaps that skilled adversaries can exploit. So, you still need to integrate them to address these challenges.

Microsoft's identity-centric Security Service Edge (SSE) solution helps organizations secure access to any app or resource, from anywhere. Conditional Access policies can be enforced that consider identity, device, application, and now network conditions with any application or website. 

The Microsoft SSE solution contains two products announced last year, Microsoft Entra Internet Access and Microsoft Entra Private Access.

This model is built on Zero Trust principles. It helps to verify each identity and uses risk-based context, giving users access only to applications, resources, and destinations they need to do their job. With Identity and Network Access solutions working together, organizations can bridge the gaps across multiple tools in one place and configure unified identity and network access controls with Conditional Access in Microsoft Entra.

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic that extends Conditional Access policies to protect against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. For example, you can block access to all external destinations for your high-risk users or non-compliant devices except limited URLs needed by the user to recover. 

I will concentrate on Microsoft Entra Private Access for this blog post. You are probably familiar with Application Proxy in Microsoft Entra, which thousands of organizations use to access private web apps today. Microsoft Entra Private Access is an even better solution and is currently in Preview. It is a complete, identity-centric Zero Trust Network Access (ZTNA) solution that shares the same application connectors but offers so much more, to help organizations simplify and secure access to any private resource, port, or protocol.

For the Entra Private Access blog post we'll concentrate on the following high level steps. Try it in your lab.

  • Prerequisites
  • Enable Global Secure Access
  • Enable Traffic Forwarding
  • Install the Connector
  • Create Connector group
  • Create and publish a private application
  • Assign user/group to private application
  • Install the Global Secure Access client 
  • Test and verify private access
  • Logs
  • Mobile devices
  • Conditional Access

Prerequisites

Ok, as always there are some prerequisites to get this working.

  • Admin user with one of the following roles: Global Secure Access Administrator, Application Administrator, Security Administrator
  • Server to install connector (essentially the application proxy, you'll need local admin rights)
  • A server with RDP enabled plus a fileshare
  • Test user with Entra ID P1 license (M365 E3 does the trick 😀😀) (see note below *)
  • Test client:
    • Windows 10/11 64-bit
    • Entra ID or hybrid joined
    • Internet connection with no LAN or VPN connection to the private application
    • Ability to install the Global Secure Access agent (via Intune or local admin)
Note *: Entra Private Access is currently a public preview feature so Entra P1 license is the only requirement. This will change when the feature becomes generally available. There will be an additional license cost.

Enable Global Secure Access

The first step is enable Global Secure access for the tenant. 


Launch the Microsoft Entra Admin Center (https://entra.microsoft.com) and navigate to Global Secure Access (Preview) >  Get Started. Click Activate.

Global Secure Access is now enabled and you can click Get Started to review the documentation for the next steps.

Enable Traffic Forwarding

Traffic forwarding enables you to configure the type of network traffic to tunnel through the Microsoft Entra Private Access service. You set up profiles to manage how specific types of traffic are managed. Private access traffic can be forwarded to the service by connecting through the Global Secure Access desktop client.

Navigate to Global Secure Access (Preview) > Connect > Traffic Forwarding


Check the box for Private Access profile.

Install the Connector

Next we download and install the Connector to link Entra to the on-premises resources. This time we navigate to Global Secure Access (Preview) > Connect > Connectors


Click Download connector service > Accept terms & Download


We can see that the downloaded file is the installation for the application proxy connector.


Install the connector and sign in to Entra with your admin account when prompted.


The service is installed on the server.


You'll see the connector active in the Entra Admin Center.

Create Connector group

Connector groups are used to assign specific connectors to applications. They give you more control and let you optimize your deployments.


Click New Connector Group > enter a name and associate with the connector.

Create and publish a private application

Now for the services, I want to add a private application for RDP (3389) to a specific server (192.168.10.19). I'll also add access to a fileshare (445) on the same server. Remember we could only use application proxy for web apps before.

Navigate to Global Secure Access (Preview) > Applications > Enterprise Applications


Click New Application > Enter a name and select a Connector Group. Ensure that Enable access with Global Secure Access client is checked.


Click Add application segment to add the service details. In this case I've chosen RDP (3389) to the IP address 192.168.100.19. I could have also chosen a fully qualified domain name here. In fact you can do both.


The application is ready to be assigned.


You can also use port 445 to give private access to a fileshare.

Assign user/group to private application

Now we need to assign the enterprise application to a user or group. Navigate to Global Secure Access (Preview) > Applications > Enterprise Applications


Select the application and choose Assign users and groups

Click Add user/group and select who needs to access the application.

Install the Global Secure Access client

Navigate to Global Secure Access (Preview) > Connect > Client Download


The client is available for Windows, Android, iOS and macOS. In this case we want Windows. Download and install the client on the test device. You can automate the installation to managed devices using Intune.


Global Secure Access Client is installed. 


You'll see it connected in the system tray. Make sure you've signed in with a licensed user.

Have a look at the properties.

Test and verify private access

Now let's see if the solution works.


We can see that the test device is Entra joined.


We can also see that we're not on the same network as the private server and that it is not accessible.

However RDP is working, happy days.


I can also get to the fileshare over port 445.

Logs

Now let's look at the logs to prove it. Navigate to Global Secure Access (Preview) > Monitor > Traffic logs


We can filter by destination IP address and see that it is being accessed by my test user over the internet.

Clicking on one of the logs brings up the activity details. You can see source and destination IP addresses and destination port, verifying that the connection was made over the internet.

Let's try another test and turn off the proxy.

We can see that the connector is not available........

......and neither is RDP. That is expected behaviour.

Mobile devices

Can we use Entra Private Access on mobile devices?


Sure we can. The Global Secure Access client is built in to Microsoft Defender for iOS and Android so it's very straightforward.

Conditional Access

We can also assign conditional access rules to the Global Secure Access client. The first thing we need to do is allow signals from the client to be used by conditional access. This is one of the features of adaptive access.


In the Entra Admin Center, navigate to Global Secure Access (Preview) > Global settings > Session management/Adaptive access. Select the toggle to Enable Global Secure Access signaling in Conditional Access.


You'll now find new Global Secure Access controls when creating conditional access policies.

I hope this blog post helps you. Until next time......