Notice: Please visit this post if you are interested in AAD device compliance and AAD conditional access: https://airwatchhk.wixsite.com/euc852/post/demo-of-wso-uem-ad-device-compliance-integration
Taking the best-of-breed approach? Want to enjoy both the Azure AD and Workspace ONE UEM benefits? This article walks you through how to set up Azure AD Conditional Access using the device compliance status from Workspace ONE UEM.
This conditional access is applicable to both iOS and Android.
A. Topology
This is a high-level diagram of how things are put together. Workspace ONE Intelligence acts as the bridge that passes device status to Azure AD. You will need to have the Intelligence service enabled for your UEM as part of the setup.
B. Integration
Requirements:
1. Workspace ONE UEM 2008+
2. Workspace ONE Intelligence (free tier)
3. Azure AD Premium + Intune licenses (EM+S/MS365)
References:
VMware Official Document
Microsoft Official Document
Step by Step Tutorial
MSFT Authenticator shared device mode
C. Azure AD device registration
Devices must be managed by Workspace ONE UEM. In addition, devices must also be registered to Azure AD for conditional access. Please note that devices are not managed by Intune in this case.
A device that is either not managed by WSO UEM or not registered to AAD will be treated as an unauthorized device and will be blocked by AAD conditional access, as expected.
Enrolling a device to Workspace ONE UEM is not in the scope of this article. Please refer to the link below for device enrollment procedures.
Let’s get to AAD device registration. There are two ways to register a device to Azure AD. Either way, the MSFT Authenticator app must be installed on the iOS or Android device to register it to Azure AD, just as the WSO Intelligent Hub is required to enroll a device in WSO UEM.
Registration option A: add a web clip to the device so the user can initiate device registration by tapping the web clip link. The user authenticates the same way as to the Office 365 portal to get the device registered to Azure AD.
iOS link to invoke Azure AD device registration: airwatch://conditionalaccess?partner=microsoft
When the user taps the above link, the MSFT Authenticator app launches and the user is taken directly to the device registration screen.
The following is the UEM screen for adding the above link as a web clip.
This is the Android link to invoke Azure AD device registration: awagent://com.airwatch.androidagent?component=conditionalaccess&partnertype=microsoft
Registration option B: the user opens MSFT Authenticator and chooses Device registration under the Settings menu to bring up the Office 365 login page, then provides credentials to authenticate and register the device.
D. Monitoring device status on Intune
You can see all registered devices by navigating to Azure Portal -> Azure AD -> Devices.
E. Device status synchronization
The first sync button should be used when an administrator makes changes on the Intune device compliance partner blade. Admins then need to come to UEM and sync it.
So this does not need to be synced on a regular basis unless you have made changes on the Azure side.
Workspace ONE UEM triggers synchronization instantly as soon as the compliance status or management status of a device changes.
The “re-sync” button sends device data to Azure. We provide manual control just in case an admin wants to initiate a synchronization manually.
F. Shared Device Mode Requirements (iOS only)
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-ios-shared-devices
For an app to participate in AAD conditional access, the app has to present a device ID. The device ID is held by the MS Authenticator app.
Only apps built with the MSAL libraries can obtain a device ID from Authenticator.
This is the instruction from MS for getting Authenticator to share the device ID with a SafariViewController-based app on iOS.
On the UEM console, we need to create an SSO Extension profile and add a config key for the Authenticator app.
In addition, on the Authenticator app config page, enable sharedDeviceMode.
Now MSFT Authenticator is in sharedDeviceMode. The next step is to add the configuration key AppAllowList.
This key allows you to specify non-MSAL apps that may obtain the device ID from Authenticator. For example, to allow the Workspace ONE Content app to obtain the device ID from Authenticator, add com.air-watch.content.locker to the list.
This article lists all app configuration keys applicable to Authenticator.
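As an added example (not code from the original post, nor from VMware or Microsoft), the following Python builds the two artifacts section F describes: the SSO Extension profile payload that carries the sharedDeviceMode key for the Microsoft Enterprise SSO plug-in, and the Authenticator managed app configuration carrying sharedDeviceMode and AppAllowList. It then checks whether a given bundle ID, such as the Workspace ONE Content app named above, is actually covered by the resulting allow list. The payload key names follow Apple's Extensible SSO payload; the extension identifier, team identifier and login URLs are Microsoft's published values for the Enterprise SSO plug-in and are not taken from this page; the comma-separated string form of AppAllowList, the function names and the com.example.* bundle IDs are assumptions or constructed values.

```python
import plistlib
import re

# Apple's Extensible SSO payload type and the Microsoft Enterprise SSO plug-in
# identifiers. These come from Apple's and Microsoft's public documentation,
# not from the post itself.
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
MS_SSO_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
MS_TEAM_ID = "SGGM6D27TK"
MS_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]

# Bundle ID the post names for the Workspace ONE Content app.
WS1_CONTENT_BUNDLE_ID = "com.air-watch.content.locker"

# Reverse-DNS bundle identifier: two or more dot-separated labels of letters,
# digits or hyphens (the WS1 Content ID contains a hyphen).
_BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_bundle_id(bundle_id: str) -> str:
    """Return the bundle ID if it is well formed, otherwise raise ValueError."""
    if not _BUNDLE_ID_RE.match(bundle_id):
        raise ValueError(f"malformed bundle ID: {bundle_id!r}")
    return bundle_id


def build_sso_extension_payload(shared_device_mode: bool = True) -> dict:
    """SSO Extension profile payload for the Microsoft Enterprise SSO plug-in.

    ExtensionData is the config key the post adds to the profile; the plug-in
    reads sharedDeviceMode from it.
    """
    return {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "ExtensionIdentifier": MS_SSO_EXTENSION_ID,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(MS_LOGIN_URLS),
        "ExtensionData": {"sharedDeviceMode": shared_device_mode},
    }


def build_authenticator_app_config(allow_list, shared_device_mode: bool = True) -> dict:
    """Managed app configuration for Microsoft Authenticator.

    sharedDeviceMode switches the app into shared device mode; AppAllowList
    names the non-MSAL apps that may obtain the device ID from Authenticator.
    The comma-separated string form of AppAllowList is an assumption here.
    Duplicates are dropped, order is kept, and every ID is validated first so a
    typo cannot silently leave an app outside conditional access.
    """
    unique_ids = list(dict.fromkeys(validate_bundle_id(b) for b in allow_list))
    return {
        "sharedDeviceMode": shared_device_mode,
        "AppAllowList": ",".join(unique_ids),
    }


def allowed_apps(app_config: dict) -> list:
    """Split AppAllowList back into individual bundle IDs."""
    raw = app_config.get("AppAllowList", "")
    return [part.strip() for part in raw.split(",") if part.strip()]


def app_is_allowed(app_config: dict, bundle_id: str) -> bool:
    """True if the app may obtain the device ID under this configuration.

    Mirrors the post's order: shared device mode must be on, and then the
    app must be listed.
    """
    return app_config.get("sharedDeviceMode", False) is True and bundle_id in allowed_apps(app_config)


def to_plist(payload: dict) -> bytes:
    """Serialise a payload as an XML plist, the form profiles are stored in."""
    return plistlib.dumps(payload)


def from_plist(data: bytes) -> dict:
    """Parse an XML plist back into a dict (round-trip check for the above)."""
    return plistlib.loads(data)


def main() -> None:
    sso = build_sso_extension_payload()
    # com.example.kiosk is a constructed placeholder for a second allowed app.
    app_cfg = build_authenticator_app_config([WS1_CONTENT_BUNDLE_ID, "com.example.kiosk"])
    print(to_plist(sso).decode())
    print(to_plist(app_cfg).decode())
    for bid in (WS1_CONTENT_BUNDLE_ID, "com.example.other"):
        print(bid, "allowed" if app_is_allowed(app_cfg, bid) else "NOT allowed")


if __name__ == "__main__":
    main()
```

Running the script prints both payloads as XML plists, which can be compared against what the UEM console generates for the SSO Extension profile and the Authenticator app configuration; the allow-list check is the quick way to confirm that a bundle ID was typed correctly before pushing the profile.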
G. Miscellaneous
If you find that Office 365 apps ask for re-authentication very frequently, almost every hour, you can adjust the frequency in Intune.