Your organization may be interested in blocking access to corporate resources (such as e-mail, SharePoint, etc.) based on the software update compliance of the device.
What does it mean for the end user? Simply put, they should have the most recent patches installed on their devices. This eventually helps organizations meet or raise the compliance goals they have set, because end users of non-compliant devices will contact the helpdesk and remediate their devices in order to regain access to corporate resources.
Organizations today are looking for an integrated endpoint management platform which can ensure that all devices, whether corporate-owned or personally owned, stay secure, are managed, and are always up to date.
This demands the most secure desktop and mobile experiences without compromising user flexibility. Configuration Manager co-management opens the gateway to interconnect the investments made on-premises with the power of modern cloud-based solutions like Microsoft 365, and unlock their full potential.
A co-managed device gives you the flexibility to use the solution that works best for your organization by allowing it to be managed concurrently with both Configuration Manager and Intune.
Learn more about co-management here: http://aka.ms/comanagement
In this scenario, you continue to use ConfigMgr for deploying software updates; however, you use Intune to validate the compliance of the device and eventually use Conditional Access to block access to corporate resources depending on the compliance of the device.
Here’s a high-level view:
You must have co-management configured, with the Compliance policies workload slider moved to Intune (or Pilot Intune).
In this post I do not intend to walk you through its configuration/setup. Please refer to this Tutorial to Enable Co-Management.
Additionally, a CMG (Cloud Management Gateway) allows devices outside the corporate network to be managed.
We will create a Compliance Policy to validate the installation of the required updates.
In my case I chose 7 days.
Note: This can only be deployed to a User Collection. Make sure the target users have an Intune license.
Learn more about AD User Discovery: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-discovery-methods#bkmk...
Learn more about Azure AD User Discovery: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-discovery-methods#azur...
Note: The default compliance evaluation schedule is every 23 hours.
Next, we create an Intune device compliance policy that honors the ConfigMgr compliance rule.
Log in to a Windows 10 device which is co-managed with Intune. For validation, you may push newer updates or remove an existing one.
From here you can create a Conditional Access policy to block access to the corporate resources of your choice.
Choose the desired users, cloud apps and conditions.
When you try to access one of the cloud resources (for example, corporate email), you will be denied access.
Typically, you would check the device in the Intune portal to identify the offending device compliance policies. In this case we already know the cause: ensure the required updates are installed.
Once the updates are installed, when you click the Check Compliance button in Software Center, you may temporarily see the screen below.
If you look at the corresponding Compliance policy, it will show Compliant.
All you need to do is close Software Center and reopen it.
Click the Check Compliance button one more time and the device should appear Compliant.
Intune Portal will also reflect compliance and will restore access to corporate resources.
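The following PowerShell is an added example and is not from the original post or from Microsoft. It shows, from the device side, the same thing the compliance policy above evaluates: it lists the required software updates the ConfigMgr client reports as missing, flags those whose deadline is more than 7 days in the past (the window chosen above), and, after remediation, triggers the client's Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle so the device re-evaluates before you click Check Compliance in Software Center. It assumes the ConfigMgr client is installed and that it is run from an elevated prompt on the co-managed device; the function names and the ComplianceWindowDays parameter are my own.

```powershell
# Added example (not from the original post): inspect the ConfigMgr client's
# view of required software updates on a co-managed Windows 10 device.
# Assumes the ConfigMgr client is installed; run from an elevated prompt.

function Get-MissingRequiredUpdate {
    param(
        # Days past the deadline after which the compliance policy in the post
        # treats a missing update as non-compliant (7 in the post).
        [int]$ComplianceWindowDays = 7
    )

    # CCM_SoftwareUpdate (root\ccm\ClientSDK) lists updates targeted at this
    # device. ComplianceState 0 = required but not installed, 1 = installed.
    $updates = Get-CimInstance -Namespace 'root\ccm\ClientSDK' `
                               -ClassName 'CCM_SoftwareUpdate'
    $now = Get-Date

    foreach ($u in $updates) {
        if ($u.ComplianceState -ne 0) { continue }

        # Deadline is already converted to [datetime] by Get-CimInstance.
        $overdueDays = $null
        if ($u.Deadline) {
            $overdueDays = [math]::Floor(($now - $u.Deadline).TotalDays)
        }

        [pscustomobject]@{
            ArticleID       = $u.ArticleID
            Name            = $u.Name
            Deadline        = $u.Deadline
            OverdueDays     = $overdueDays
            EvaluationState = $u.EvaluationState
            # True when this update alone would push the device past the window.
            BeyondWindow    = ($null -ne $overdueDays -and
                               $overdueDays -gt $ComplianceWindowDays)
        }
    }
}

function Invoke-UpdateReevaluation {
    # Standard ConfigMgr client action schedule IDs:
    #   ...113 = Software Updates Scan Cycle
    #   ...108 = Software Updates Deployment Evaluation Cycle
    $schedules = @(
        '{00000000-0000-0000-0000-000000000113}',
        '{00000000-0000-0000-0000-000000000108}'
    )
    foreach ($id in $schedules) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
                         -MethodName 'TriggerSchedule' `
                         -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

# Usage: report what is missing, then (after the updates are installed)
# trigger re-evaluation before clicking Check Compliance in Software Center.
$missing = @(Get-MissingRequiredUpdate -ComplianceWindowDays 7)
if ($missing.Count -eq 0) {
    Write-Output 'No required updates are missing; the device should evaluate as compliant.'
} else {
    $missing | Sort-Object Deadline | Format-Table -AutoSize
    $blocking = @($missing | Where-Object BeyondWindow)
    Write-Output ('{0} missing update(s), {1} past the 7-day window.' -f `
                  $missing.Count, $blocking.Count)
}
Invoke-UpdateReevaluation
```

The report mirrors what the helpdesk sees in the Intune portal, but from the device: any row with BeyondWindow set to True is enough on its own to make the ConfigMgr compliance rule, and therefore the Intune compliance policy and the Conditional Access policy, deny access. Because the default compliance evaluation schedule is every 23 hours, triggering the scan and deployment evaluation cycles after installing the updates shortens the wait before Software Center and the Intune portal show the device as Compliant again.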
Thanks,
Arnab Mitra