Forum Discussion
Using Microsoft Defender for Cloud Apps to block apps on managed devices.
Greetings,
I have been tasked to work with Microsoft Defender for Cloud Apps and to block the usage of the Firefox browser on all endpoints within my estate apart from a few users who require it.
I have tried the unsanctioned app feature. This only displays a warning prompt but users can still proceed with using and interacting with the application.
We have already configured web content filtering and it works fine. I already looked up other articles relating to downloading a block script but that applies to other security appliances such as firewalls which we don't want to get into.
Is there a convenient way to block certain apps' usage by solely using Microsoft Defender for Cloud Apps or is this platform only used for monitoring purposes and cannot really block the app by unsanctioning it?
4 Replies
- DylanInfosec, Iron Contributor
Hi CrestonV,
The unsanctioned tagging works in conjunction with MDE to enforce web app blocking by leveraging Network Protection's custom indicators list. This occurs by MDCA automatically adding the domains/URLs to the list upon tagging an app unsanctioned.
I recommend confirming that you have custom indicators enabled and are Enforcing App Access, here.
Finally, it also doesn’t hurt to check you have the integration between MDE and MDCA turned on in Advanced Features, see here.
Let me know if this helps or if you still experience the issue.
Best regards,
Dylan
- CrestonV, Copper Contributor
Hi DylanInfosec,
Thanks for your reply on my post.
I can confirm both Custom indicators and MDE and MDCA integration are switched on and working as they should. I can also see the URLs that have been added automatically to custom indicators are populated with the unsanctioned apps.
Yet we are not able to fully block an installed application. We continue to receive a notification from Windows Security of the block on the (Mozilla Firefox) installed application on our endpoints and we also get alerts and incidents of users trying to access the installed app on our Defender for Endpoint admin console but the users are still able to continue using the application.
We wanted to know if it's possible to completely block the app usage and not be able to interact or open the app.
I look forward to hearing back from you.
Kind regards,
Creston Vaz
- DylanInfosec, Iron Contributor
Doh, my apologies, I think I may have had a few similar posts up at the same time, hence my response not being too direct in response to your question.
As you stated, Defender for Cloud Apps does integrate but to block Cloud Apps and not to prevent Mozilla Firefox, a desktop application, from opening. You will have to utilize something like Defender Application Control. You could also try Custom indicators by File hash and/or Certificate. These can then be assigned to specified Device Groups to block access to those Device Groups specified and allow others to use these applications.
This will be a game of whack-a-mole though and you might consider a different approach down the line such as allowing Firefox but managing the browser settings via Intune.
Best regards,
Dylan
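
The inputs for the file hash and certificate indicators mentioned in the reply above can be collected on a reference endpoint as follows. This is an added example, not part of the original thread; the install paths and the output file name are assumptions.

```powershell
# Added example: gather the values needed to build file hash / certificate
# custom indicators for an installed Firefox. Paths are assumed defaults.
$candidatePaths = @(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
    "$env:LOCALAPPDATA\Mozilla Firefox\firefox.exe"   # per-user installs
)

$inventory = foreach ($path in $candidatePaths) {
    # Skip locations where Firefox is not installed on this endpoint.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $file = Get-Item -LiteralPath $path
    $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate   # $null when the binary is unsigned

    [pscustomobject]@{
        Path             = $path
        FileVersion      = $file.VersionInfo.FileVersion
        Sha256           = $hash.Hash                 # input for a file hash indicator
        SignatureStatus  = $sig.Status                # should be 'Valid' for a genuine build
        SignerSubject    = if ($cert) { $cert.Subject } else { $null }
        SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SignerNotAfter   = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Review on screen, then keep a copy to track what changes between releases.
$inventory | Format-List
$inventory | Export-Csv -Path .\firefox-indicator-inputs.csv -NoTypeInformation
```

Comparing the output across Firefox versions shows the SHA-256 changing with every release while the signer stays the same until the certificate is renewed, which is why hash indicators alone need constant upkeep.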
- CrestonV, Copper Contributor
Hi Dylan,
Thanks for your reply.
I have confirmed both (Custom indicators and Integrate MDE and MDCA) are turned on. I can also confirm that the indicator list is populated with the URLs for the apps that have been marked as unsanctioned.
When we launch the app, we do get a notification from Windows Security stating that the app content is blocked from viewing but users are still able to access the application and use the application as normal. We are also able to see the alerts and incidents being generated from accessing unsanctioned apps in our Defender admin portal page but the installed application is not blocked.
I've been trying to search for articles for this but can't seem to find any. So I am not sure if Defender for Cloud Apps only works in blocking websites or if it also works with blocking using applications that are installed on end user devices.
Any help on this would be appreciated.
Thanks!
Creston