Conditional access is a combination of policies and configurations from the products and services which are part of Enterprise Mobility + Security (EMS). This will allow ITPros to set granular access control to keep corporate data secure, while giving users rich experience that allows them to do their best work from any device, and from any location.
At Microsoft, to manage devices and control access to corporate resources, we use Intune and Azure Active Directory (AAD). From Intune, we deploy compliance policies and from AAD we enforce required conditions on required apps.
To configure standard policies on devices, we use device restriction policies to configure password requirements and other security policies. To validate the device compliance status, we have policies to validate device password status, OS version, and device health status. Conditional access is then enforced for Office 365 apps in AAD.
Enrollment experience for the user
To access work email, corporate wireless network, internal apps and to use VPN services, users need to enroll their devices into Microsoft Intune.
Users can enroll devices before accessing any Corporate resources by downloading the company portal app from company portal website.
users can access any corporate resource which has conditional access enforcement and they will redirect automatically to download company portal.
After enrollment, during first login authentication, users will be forced to change the login password if the organization has a password compliance policy targeted.
If the device already is enrolled and for some reason the user is required to rebuild the device, it is recommended to unenroll the device before rebuilding it.
users need to approve management profile by going to Apple menu > System Preferences, click Profiles.
Best practices to improve user experience MacOS
If users don’t select “always allow during the authentication”, Keychain will prompt authentication multiple times.
If the device is enrolled multiple times, AAD will accumulate multiple records for that device and cause issues with device compliance status intermittently, It is recommended to cleanup non-active AAD records frequently.
Users should be made aware that they may have different experience with authentication for different app as keychain access requirements are different.
If any user having access issues due to conditional access policies, then it is recommended to collect details from the more info tab during the error message. This will help to investigate more accurately sing-in logs in AAD.
Encourage users not to unenroll reenroll device. This might corrupt require keys in Keychain.
Hopefully this post has given you some ideas on how to implement conditional access on Mac devices and improve organizational security.