App Protection Policy in Intune App Protection

Intune – Mobile Device Management – App Protection Policy in Intune App Protection

Scenario – We want to securely publish a corporate app (OneDrive) to users who will be using their own mobile ( iOS) devices. We want to protect the corporate data used in the app and establish authentication before accessing it. Users should not be able to copy and paste data directly from the app on to their own device.

We need to create an an App Protection Policy in Intune App Protection.

For more in-depth detail:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

Create an App Protection Policy

  1. From the main Intune App Protection Home Screen: Select App protection policies -> Create policy -> iOS/iPadOS

  2. Fill out the Name and Description screen and then click Next.

  3. Select Unmanaged Apps in the Device Types drop down menu and select the Onedrive App in the Public apps section. Click Next

  4. On the Data Protection Screen you can select from several controls on what users can and cannot do with the corporate data that the App access. Work with your IT Security and Data Protection team  to understand what their requirements are. Click Next

  5. The Access Requirements screen allows you to add a layer of authentication to opening the App on the users own device. You can choose between various PIN types and options – again work with your IT Security teams on what they require. Click Next

    or

  6. The Conditional launch screen allows you to be more granular on what conditions the Device and the App have to meet for the App to be launched (Min OS and Max PIN attempts for example). Click Next.

  7. On the Assignments Page Select the Group who you want to apply this policy to and then click Next.

  8. Review your setting on the Review + Create Screen and then click Create

Read More

Intune Company Portal Install On An iPhone Device – MDM

Intune – Mobile Device Management – Intune Company Portal Install On An iPhone Device

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

At this point we should have completed the basics in the Intune configuration portal

  1. Install the “Intune Company Portal” application in the App Store


  1. Open the Intune Company Portal App


2. Sign in or Just select your Office365 account > Continue


3. Begin


4. Continue or Select Can


5. Continue


6. Continue


7. Allow


8. Close


9. Settings > Profile Downloaded


10. Install


11. Enter Passcode


12. Install
 

13. Install

15. Trust

16. Done

 

17. Close settings – Note “Mobile Profile”
18. Back to app and click “Continue Now”

19. Done
—-

Success !!! Device is now enrolled and awaiting apps and policies


Intune – MDM – Device Enrolment – Add an iPhone Device

Intune – Mobile Device Management – Device Enrolment – Add a Device

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

At this point we have already completed the Pre Req’s (See Apple MDM Push Certificate if you haven’t done this already)

Apple Configurator / Devices

https://devicemanagement.microsoft.com

We need to add an iOS device you will need the serial number and device detail in a CSV file to import

CSV format <device serial>,<Detail Owner? Device type)

Add a device

Devices> iOS > Apple Configurator

Have you created a Profile? Create a Profile before adding a device, see this guide

Select a profile and import your CSV file contain all your devices. Then click add.

Success !! Devices Added

Additional info from Microsoft Docs available here

Intune – MDM – Device Enrolment – Create a Profile

Intune – Mobile Device Management – Device Enrolment – Create a Profile

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

At this point we have already completed the Pre Req’s (See Apple MDM Push Certificate if you haven’t done this already)

Now : Create a Profile

You need to create a profile before enrolling a device.

Apple Configurator / Devices

https://devicemanagement.microsoft.com

We need to add a Profile

Profiles > Create


Enrol with User Affinity ( i.e Map the Device to a User) + Auth via company Portal (Example options selected)


Then click “Create”

Success a profile is created


Intune – Apple MDM Push Certificate

Intune – Mobile Device Management – Device Enrolment – Apple MDM Push Certificate

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

MDM push Certificate required

Go to device management https://devicemanagement.microsoft.com

Enrol iOS devices in Intune


Devices > Apple Enrollment > Apple MDM Push Certificate

You will need an Apple ID used on your Device

Step 3 expanded….

Create your MDM push certificate redirects you to login to the Apple portal with your Apple ID

https://identity.apple.com/pushcert/

Click “Create a Certificate

Read, Tick and Accept the terms

Upload your CSR

Download Certificate

Then View Manage Certificates. Note Expiry date!


Now back to step 4.


Enter Apple ID

Step 5


Add your MDM push certificate


Click upload

Success….


Intune – Mobile Device Management – Register and Assign a Intune License

Setting up Intune on your current Office365 subscription.

Things to know..

  1. Check your Pre Reqs/Supported devices
  2. More than 150 licenses for EMS? Check out FastTrack Center Benefit!
  3. DNS registration
  4. Users and Groups
  5. Intune license required
  6. Apps can be assigned to groups to be installed automatically
  7. You can create profiles on devices
  8. Define app policies / and restrictions

Getting started

Signup, Already using Office 365 = You already have an account

Yes, add it to my account

Try now

Continue

Check your email

Assign the license

Editing users (User Management) https://admin.microsoft.com

Add the Intune license

Save

You will now see the license is assigned to the user

What is On-Premises, IaaS, PaaS, SaaS and IaC?

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
  • On-Premise
  • Infrastructure as Code (IaC)

Examples I’ve used

What are the differences?

Infrastructure as Code

So what is IaC, Infrastructure as Code? Standardise Infrastructure, Automate deployment and recreate, well-documented code. Exampled formats such as JSON & ARM templates.

DevOps teams will use IaC to recreate production like environments in dev cycles. Validate and Test deployments, prior to a production deployment. The end result being able to deliver a stable and repeatable environment.

Azure Resource Manager

The alternative to just running scripts. Manage your infrastructure resources in a group by templates. In addition, you apply security (RBAC) and tags, then associate costs to the group.

Secure Connectivity to Azure


05.03.2020 – Stephen Hackers, attended the North East Azure User Group – 14th Meetup. Hosted by Frank Recruitment Group.

The core presentation was on Secure Connectivity to Azure by Matthew Bradley Chief Engineer (Azure) at ClearCloud

The session covered:

VPN Offerings, Service Endpoints, VNet Peering and Private Link

The presentation was focused on educating and sharing experiences in securing connectivity into Azure.

A key point : Security to Azure is required and it doesn’t need to come at a great expense to the business. Build it in to your solution from day 1.

Presentation Notes

VPN offerings:

  • Basic options start at £20 a month roughly (06.03.2020)
  • Bandwith is the key difference between levels
  • Number of S2S tunnels is mostly limited to 30 except basic is 10.

Service Endpoints:

  • No additional cost for VNet Service Endpoints
  • VNet ACLs are not supported across AD tenants
  • Service Endpoints add a system route which takes precedence over other routes

VNet Peering:

  • Traffic between resources is private/isolated. Not encrypted
  • Network address space must not overlap
  • VNet peering doesn’t impose bandwiths

Private Link

  • Connect to Azure without a public IP address
  • Private end points mapped to an instance of PaaS (in Preview)
  • Private Link works a bit like NAT, Private Link endpoint is given a private IP in the VNet of the source
  • IP ranges can overlap

Summary

Small event, around 45 technical Azure focused people attended. Keeping the event simple with one good presentation. There are a great community bunch attending this up and coming North East Azure User Group. Thanks to Frank Recruitment Group for hosting the event and essential beer and pizza. Having a recruitment company hosting, minimal sales pitch was a double win. We did discuss careers a little too at the end (in the optional pub near by).

Looking forward to the next event. For anyone wishing to attend https://www.meetup.com/North-East-Azure-User-Group/

AZ-104 – Azure Administrator Study Guides

Thomas Maurer – Study Guide AZ-104 Azure Administrator

https://www.thomasmaurer.ch/2020/03/az-104-study-guide-azure-administrator/

Richard HooperPixel Robots – Study resources for the AZ-104 Microsoft Certified Azure Administrator

https://pixelrobots.co.uk/2020/02/study-resources-for-the-az-104-microsoft-certified-azure-administrator/

WVD – Windows Virtual Desktop – Admin Tasks, Tips and Useful Blogs

Secured By miniOrange