First published on CloudBlogs on Jan 05, 2017
This post is the second in a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today, the typical employee connects an average of four devices to their corporate network. Usually they’re connecting from their own mobile device or PC, but that’s not always the case. Maybe they use their daughter’s iPad in a pinch, or log on from a friend’s house, or use a hotel kiosk to connect. You might be OK with allowing access in some cases, but in other circumstances you may want to provide access only to certain employees, only to specific data, or only from known and compliant devices. Device-based conditional access from Microsoft Enterprise Mobility + Security (EMS) helps you make sure that only compliant mobile devices and PCs—those that meet the standards you’ve set—have access to corporate data.

Device Compliance

Device compliance policies help you protect company data by making sure the devices used to access your data or sensitive apps comply with your specific requirements or standards. Administrators can set these policies to enforce device compliance requirements before users attempt to access company resources. These can include settings for device enrollment, domain join, passwords and encryption, as well for the OS platform running on the device. You can use compliance policy settings in Microsoft Intune to create a set of rules for and to evaluate the compliance of employee devices. When devices don't meet the conditions set in the policies, the end user is guided though the process of enrolling the device and fixing the issue that prevents the device from being compliant. Conditional access policies are a set of rules that can restrict or allow access to a specific service based on whether the user meets the requirements you define. When you use a conditional access policy in combination with a device compliance policy, only users with compliant devices—in addition to any other rules you’ve set—will be allowed to access the service. Since both policies are applied at the user level, any device from which the user tries to access services will be checked for compliance.

In this scenario, IT has applied a policy that blocks unmanaged devices from accessing and opening files stored on OneDrive for Business. Devices need to be enrolled first, before the location can be accessed.

EMS + Lookout, providing additional mobile endpoint security

Lookout’s deep integration with EMS gives you real-time visibility into mobile device risks, including advanced mobile threats and app data leakage, which can inform your conditional access policies. Lookout provides visibility across all three mobile risk vectors: app-based risks (such as malware), network-based risks (such as man-in-the-middle attacks), and OS-based risks (such as malicious OS compromise). The integration between Lookout and EMS makes it easy to apply this threat intelligence to your conditional access policies. If a device is found to be non-compliant due to a mobile risk identified by Lookout, access is blocked and the user is prompted to resolve the issue with one-step guidance from Lookout before they can regain access. Note that Lookout licenses must be purchased separately from EMS.

Device-based conditional access to on-premises resources

EMS conditional access capabilities help you to secure access to both your cloud and on-premises resources. Our customers often manage broad and complex networks, so with that in mind, we’ve built partnerships with popular network access providers such as Cisco ISE, Aruba ClearPass, and Citrix NetScaler. Now you can extend your Intune conditional access capabilities to work with these networks. Partner network providers can implement checks for Intune-managed and compliant devices as a requirement before allowing user access through either your wireless or virtual private network. When you extend device compliance policies to network providers , you can ensure that only managed and compliant devices will be able to connect to your on-premises corporate network. EMS offers you some great access simplifications: you can still enable secure access to on-premises applications without VPNs, DMZs, or on-premises reverse proxies by leveraging the Azure Active Directory Application Proxy. Best of all, all of this can be done without installing or maintaining additional on-premises infrastructure or opening your company firewall to route traffic through it. Conditional access capabilities will work for this scenario as well.

Additional Resources