App Protection Policy in Intune App Protection


Scenario – We want to securely publish a corporate app (OneDrive) to users who will be using their own mobile (iOS) devices. We want to protect the corporate data used in the app and require authentication before it can be accessed. Users should not be able to copy and paste data from the app onto their own device.

We need to create an App Protection Policy in Intune App Protection.

For more in-depth detail:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

Create an App Protection Policy

  1. From the main Intune App Protection home screen, select App protection policies -> Create policy -> iOS/iPadOS.

  2. Fill out the Name and Description screen and then click Next.

  3. Select Unmanaged apps in the Device types drop-down menu and select the OneDrive app in the Public apps section. Click Next.

  4. On the Data protection screen you can select from several controls on what users can and cannot do with the corporate data that the app accesses (this is where cut, copy and paste to other apps is restricted). Work with your IT Security and Data Protection teams to understand their requirements. Click Next.

  5. The Access requirements screen allows you to add a layer of authentication to opening the app on the user's own device. You can choose between various PIN types and options; again, work with your IT Security teams on what they require. Click Next.

  6. The Conditional launch screen allows you to be more granular on what conditions the device and the app have to meet for the app to be launched (minimum OS version and maximum PIN attempts, for example). Click Next.

  7. On the Assignments page, select the group you want to apply this policy to and then click Next.

  8. Review your settings on the Review + create screen and then click Create.
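Added example, not from the original post: a small Python check that audits an exported iOS app protection policy against the three scenario requirements (OneDrive targeted, PIN required, clipboard restricted) plus the conditional launch limits. The property names are assumed to follow the Graph API iosManagedAppProtection resource, the OneDrive bundle id is assumed, and both sample policies are constructed.

```python
import json
from typing import Dict, List

# Assumed OneDrive iOS bundle id (as listed among Intune's public apps)
ONEDRIVE_IOS_BUNDLE_ID = "com.microsoft.skydrive"

# Clipboard levels that stop data leaving the app to unmanaged apps on the device
SAFE_CLIPBOARD_LEVELS = {"managedAppsWithPasteIn", "managedApps", "blocked"}

# Constructed sample exports, shaped like the Graph iosManagedAppProtection resource
WEAK_POLICY: Dict = json.loads("""{
  "displayName": "OneDrive - draft",
  "pinRequired": false,
  "allowedOutboundClipboardSharingLevel": "allApps",
  "minimumRequiredOsVersion": null,
  "maximumPinRetries": 5,
  "apps": [{"mobileAppIdentifier": {"bundleId": "com.microsoft.skydrive"}}]
}""")

HARDENED_POLICY: Dict = json.loads("""{
  "displayName": "OneDrive - BYOD iOS",
  "pinRequired": true,
  "allowedOutboundClipboardSharingLevel": "managedApps",
  "minimumRequiredOsVersion": "14.0",
  "maximumPinRetries": 5,
  "apps": [{"mobileAppIdentifier": {"bundleId": "com.microsoft.skydrive"}}]
}""")


def audit_policy(policy: Dict) -> List[str]:
    """Return the scenario requirements the policy fails; an empty list means it passes."""
    findings = []
    bundle_ids = {a.get("mobileAppIdentifier", {}).get("bundleId")
                  for a in policy.get("apps", [])}
    if ONEDRIVE_IOS_BUNDLE_ID not in bundle_ids:
        findings.append("OneDrive is not a targeted app")
    if not policy.get("pinRequired"):  # Access requirements step
        findings.append("no PIN required to open the app")
    if policy.get("allowedOutboundClipboardSharingLevel") not in SAFE_CLIPBOARD_LEVELS:
        findings.append("clipboard sharing to unmanaged apps is allowed")  # Data protection step
    if not policy.get("minimumRequiredOsVersion"):  # Conditional launch step
        findings.append("no minimum OS version enforced")
    if not policy.get("maximumPinRetries"):
        findings.append("no maximum PIN attempt limit")
    return findings


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], "->", audit_policy(p) or "compliant")
```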


What is On-Premises, IaaS, PaaS, SaaS and IaC?

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
  • On-Premises
  • Infrastructure as Code (IaC)

Examples I’ve used

What are the differences?

Infrastructure as Code

So what is IaC, Infrastructure as Code? It standardises infrastructure, automates deployment and recreation, and keeps the environment as well-documented code. Example formats include JSON and ARM templates.

DevOps teams use IaC to recreate production-like environments in dev cycles, and to validate and test deployments prior to a production deployment. The end result is the ability to deliver a stable and repeatable environment.

Azure Resource Manager

The alternative to just running scripts: manage your infrastructure resources as a group using templates. In addition, you apply security (RBAC) and tags, then associate costs with the group.

Secure Connectivity to Azure


05.03.2020 – Stephen Hackers attended the North East Azure User Group 14th Meetup, hosted by Frank Recruitment Group.

The core presentation was on Secure Connectivity to Azure by Matthew Bradley, Chief Engineer (Azure) at ClearCloud.

The session covered:

VPN Offerings, Service Endpoints, VNet Peering and Private Link

The presentation was focused on educating and sharing experiences in securing connectivity into Azure.

A key point: security to Azure is required, and it doesn't need to come at great expense to the business. Build it into your solution from day one.

Presentation Notes

VPN offerings:

  • Basic options start at roughly £20 a month (06.03.2020)
  • Bandwidth is the key difference between levels
  • The number of S2S tunnels is mostly limited to 30, except Basic, which is limited to 10

Service Endpoints:

  • No additional cost for VNet Service Endpoints
  • VNet ACLs are not supported across AD tenants
  • Service Endpoints add a system route which takes precedence over other routes

VNet Peering:

  • Traffic between resources is private/isolated, but not encrypted
  • Network address spaces must not overlap
  • VNet peering doesn't impose bandwidth limits

Private Link

  • Connect to Azure without a public IP address
  • Private endpoints mapped to an instance of a PaaS service (in Preview)
  • Private Link works a bit like NAT: the Private Link endpoint is given a private IP in the source VNet
  • IP ranges can overlap

Summary

Small event, around 45 technical Azure-focused people attended. Keeping the event simple with one good presentation worked well. There is a great community bunch attending this up-and-coming North East Azure User Group. Thanks to Frank Recruitment Group for hosting the event and the essential beer and pizza. Having a recruitment company host with minimal sales pitch was a double win. We did discuss careers a little too at the end (in the optional pub nearby).

Looking forward to the next event. For anyone wishing to attend https://www.meetup.com/North-East-Azure-User-Group/

AZ-104 – Azure Administrator Study Guides

Thomas Maurer – Study Guide AZ-104 Azure Administrator

https://www.thomasmaurer.ch/2020/03/az-104-study-guide-azure-administrator/

Richard Hooper (Pixel Robots) – Study resources for the AZ-104 Microsoft Certified Azure Administrator

https://pixelrobots.co.uk/2020/02/study-resources-for-the-az-104-microsoft-certified-azure-administrator/

Azure Administrator – Tasks and Guides

Your one stop shop for the Azure Administrator resource pool of tasks.

Tasks:

  • Set the tenant, subscription, and environment for cmdlets to use in the current session
  • Plan virtual networks
  • Configure Azure Multi-Factor Authentication settings
  • Create DNS records in a custom domain for a web app
  • Add your custom domain name using the Azure Active Directory portal
  • Create a route-based VPN gateway using the Azure portal
  • Connect virtual networks with virtual network peering using the Azure portal
  • Troubleshoot password hash synchronization with Azure AD Connect sync
  • Manage device identities using the Azure portal
  • How to manage the local administrators group on Azure AD joined devices
  • Azure Load Balancer for RDP
  • Create a virtual network (classic) with multiple subnets
  • Point-to-Site VPN routing
  • Back-end health and diagnostic logs for Application Gateway
  • All things Azure and sysadmin stuff
  • Set up Disaster Recovery for Azure IaaS VMs
  • Migrate AWS S3 buckets to Azure Blob storage
  • Azure Security Center: learning the ropes (resources)
  • Copy files to an Azure VM using PowerShell Remoting
  • How to manage Azure VMs with Windows Admin Center
  • Conditional Access rules for admin MFA

Tag @stephenhackers on Twitter with your Azure blog pages.

OMS – Azure Automation

What is OMS?
Is it System Center Online rebranded?
OMS is used to gather logs centrally and make decisions based on this information.

What can you do with Operations Management Suite (OMS)?
It is a PaaS application running on Azure.
Use it to manage on-prem or Azure-based VMs.

How do you create an OMS setup?
The ideal concept: log all the information to a storage account. OMS trawls the logs to make use of the information. The default agent in a VM transfers the information to a storage account and passes it on to OMS.

Grab solutions from the portal:

  • Check status of patches
  • Change management
  • Log queries
  • Identify weakness in the environment

How do you access OMS?
The OMS workspace is accessed via a web browser to view the information.

OMS Pricing
The OMS free version holds data for up to 7 days.
OMS charges per machine monitored.

Identify weaknesses or issues
For example, no endpoint security on VMs might be flagged, with a recommendation to install a third-party tool.
Example: Deep Security from Trend Micro, an Azure-recommended product for endpoint protection, appears on the list in the filtered marketplace.

Azure and Containers

What is a container?
A container is a live, running copy of an image, which may have been customised.
An image is the read-only copy from which a container is started.

How do you implement containers in Azure

Two options: containers we deploy ourselves and containers Microsoft manages.
Containers can run on Windows Server 2016 or a Linux OS.
CPU and RAM are assigned to each individual container.

Are containers a limited security risk?
Microsoft offers Hyper-V isolated containers for those concerned; Azure containers cover it this way.
Other providers offer shared application containers.

Notes around Docker?
A Dockerfile is like a script to build the container: it takes a source and builds an app onto an image, and that image becomes a container when it runs.

Docker has other tools: Docker toolbox, Docker client and Kitematic (GUI client)

How to Install Docker for Windows

https://docs.docker.com/docker-for-windows/install/

Quick install guide:
1) Navigate to https://docs.docker.com/docker-for-windows/install/#download-docker-for-windows
2) On the Install Docker for Windows page, click Get Docker for Windows (Stable).
3) When prompted whether to run or save Docker for Windows Installer.exe, click Run.
4) Once the installation has completed, click Close and log out.

Source: <https://github.com/MicrosoftLearning/20533-ImplementingMicrosoftAzureInfrastructureSolutions/blob/master/Instructions/20533D_LAB_AK_07.md>

Note
When you make a mistake deploying a docker-machine (for example, forgetting to enter a region) but the machine still builds and enters an error state, start again by removing the docker-machine.

Launch CMD as admin: docker-machine rm "machine name"


Kubernetes
Kubernetes is a management tool for Docker, an alternative to Docker Swarm for large-scale deployments.
Deploy a Kubernetes cluster for Linux containers:

From <https://docs.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-walkthrough>

https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes

DCOS getting started with Kubernetes

https://kubernetes.io/docs/getting-started-guides/dcos/

Set Up Your Microsoft Azure Environment With PowerShell

Step 1 : Install Command Line Tool For PowerShell

https://azure.microsoft.com/en-in/downloads/

Step 2: Launch PowerShell as Administrator

Type in the following

# get the AzureRM module installed first

Install-Module AzureRM

# import the module for use

Import-Module AzureRM

Note that Microsoft has since retired the AzureRM module in favour of the Az module, whose cmdlets use the Az prefix (for example New-AzResourceGroup); the AzureRM cmdlets below are kept as written.


Step 3: Getting started with IaaS & PowerShell scripts

# Create a resource group

New-AzureRmResourceGroup -Name Project1ResourceGroup -Location "West Europe"

# Create a new subnet and store it in a variable

$Project1Subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name Project1Subnet1 -AddressPrefix "10.0.1.0/24"

# Create the new network and add the subnet stored in the variable

$virtualNetwork = New-AzureRmVirtualNetwork -Name ProjectNetwork -ResourceGroupName Project1ResourceGroup -Location "West Europe" -AddressPrefix "10.0.0.0/16" -Subnet $Project1Subnet1

# Add an additional subnet to the network (the change is only applied by the Set-AzureRmVirtualNetwork call below)

Add-AzureRmVirtualNetworkSubnetConfig -Name Project2Subnet2 -VirtualNetwork $virtualNetwork -AddressPrefix "10.0.2.0/24"

$virtualNetwork | Set-AzureRmVirtualNetwork
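Added example, not from the original post: a Python address-plan check for the network built above and for the VNet peering rule from the user group notes (peered address spaces must not overlap). The ProjectNetwork prefixes are those from the script; the partner and stray prefixes are constructed.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple


def validate_vnet(address_space: List[str], subnets: Dict[str, str]) -> List[str]:
    """Check that every subnet lies inside the VNet's address space and that no two
    subnets overlap. Returns a list of problems; an empty list means the plan is valid."""
    space = [ip_network(p) for p in address_space]
    nets = {name: ip_network(p) for name, p in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(s) for s in space):
            problems.append(f"{name} {net} is outside the address space")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def peering_conflicts(vnets: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Pairwise overlap check across VNets that are to be peered; peering cannot be
    created between address spaces that overlap, so any tuple returned blocks it."""
    conflicts = []
    names = sorted(vnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in vnets[a]:
                for pb in vnets[b]:
                    if ip_network(pa).overlaps(ip_network(pb)):
                        conflicts.append((a, pa, b, pb))
    return conflicts


# Prefixes from the script above
PROJECT_SPACE = ["10.0.0.0/16"]
PROJECT_SUBNETS = {"Project1Subnet1": "10.0.1.0/24", "Project2Subnet2": "10.0.2.0/24"}

if __name__ == "__main__":
    print(validate_vnet(PROJECT_SPACE, PROJECT_SUBNETS) or "subnet plan OK")
    # Constructed partner VNet whose space sits inside ProjectNetwork's /16
    print(peering_conflicts({"ProjectNetwork": PROJECT_SPACE, "PartnerVNet": ["10.0.128.0/17"]}))
```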


GitHub

Sign up to GitHub and create your own repository: https://github.com/

GitHub Desktop to grab a bunch of files and keep them in sync: https://desktop.github.com/

Microsoft Azure PaaS – Web Apps, Storage and Site Recovery

PaaS / App Service

Check out the Azure App Service gallery of applications

Most Web Apps would use Autoscaling

When deploying web apps, consider the integration and deployment options: GitHub, Dropbox, Visual Studio, etc.

Additional features include Azure WebJobs or Functions (Functions for background tasks).

How you connect to the web apps could be via a hybrid connection or a VPN.

Azure virtual network integration is available for web apps (Standard tier upwards).

Authentication and Authorization (Azure AD is optional, but there are easy connections to Facebook, Amazon, Google, etc.)


Mobile Services to Mobile Apps

Logic Apps

Workflow is built into Office 365.

Example flow: if you get a Twitter post, send mail, etc.


Traffic Manager

Traffic Manager has a cost (multi-region coverage).

Load-balancing single sites is free.


Storage

Planning and Implementing storage, backup and recovery methods

Blob storage, Table storage, Queue storage, or File Storage


Content Delivery Network

Videos / Office 365 back end: Skype for Business runs on it to handle mass meetings, converting the presenter's meeting to MP4 video and distributing it via CDNs.

CDNs hold cached copies in multiple regions.

The first connection incurs the cost.

The second connection onwards uses the cached copy.


Backups

Use your own method, use Azure Backup, back up on-prem, or back up in Azure.

All done via DPM.

Backing up VMs in Azure is fast. Incremental backup is the option, and then it is a single option to do a full restore of a VM.

DPM will dedupe the OS section of the VM for Azure, Hyper-V and vSphere VMs.


Azure Site Recovery

Orchestration, replication and failover.

Switched-off replica server in IaaS.

Replicate VMware VMs, physical servers, Hyper-V VMs and Hyper-V hosts.

Documentation on the setup of VMware VMs to Azure using Azure Site Recovery

https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-setup-replication-settings-vmware

Site Recovery concept to migrate to Azure

https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-migrate-to-azure
