Updated 10/20/2023: With the July (2307) service release, we've added MAC address support to the Compliance Retrieval service. See the announcement to learn more: What's new in Microsoft Intune | Compliance Retrieval service support for MAC address endpoints. Customers who haven’t migrated to one of the partner products listed below should do so before March 31, 2024.
Many customers use network access control (NAC) partner solutions to manage access to their on-premises resources. Our networking partners use the Intune NAC service to integrate Intune device compliance checks into their NAC solutions. This integration allows a NAC solution to receive a device’s enrollment and compliance state from Intune to manage access control.
In June 2021, we released the Compliance Retrieval service. This service will replace the Intune NAC service, offering improved security and reliability for our customers. We are working with our partners to help transition existing NAC solutions to this new framework, and to ensure you receive the support you need.
What improvements does the Compliance Retrieval service include?
The new service includes changes to improve the security, reliability, and privacy of the NAC service. For example, it uses lookup by Intune device ID only, which removes the dependency on internal identifiers, such as serial numbers, which are not consistently accessible. It also eliminates MAC address identifiers, which are problematic because devices can have multiple or randomized MAC addresses. The new service is also streamlined to return only enrollment and compliance data from Intune. Any other device data not related to access control is eliminated from this service.
Note: While the Compliance Retrieval service does not currently support querying for devices on MAC address identifiers, we are working to add this functionality in the future. This capability is now available! See the note at the top of our post, or the announcement here: What's new in Microsoft Intune | Compliance Retrieval service support for MAC address endpoints to learn more. We recommend moving to certificate-based authentication where the Intune device ID is included in the certificate where possible.
What do I need to do to accommodate the new service?
If you’re using Intune device ID, you must use certificate-based authentication for NAC-enabled networks with the new service. You will also need to include the Intune device ID in the subject alternative name (SAN) of your certificate profiles. To do this, add a Uniform Resource Identifier (URI) attribute with the format defined by your NAC provider, for example: IntuneDeviceId://{{DeviceID}}.
Work directly with your NAC provider after they adopt the new service to understand what other changes are needed to accommodate the Compliance Retrieval service.
Which NAC partner solutions are using the new service?
Each NAC partner is working with Intune on their own migration schedule and instructions, so timelines and specific instructions will vary based on product. Currently, the following partner products use the Compliance Retrieval service:
- Cisco ISE 3.1 and higher.
- Citrix Gateway 13.0-84.11 and higher.
- Citrix Gateway 13.1-12.50 and higher.
- F5 BIG-IP Access Policy Manager 14.1.5.2 and higher.
- F5 BIG-IP Access Policy Manager 15.1.7 and higher.
- F5 BIG-IP Access Policy Manager 16.1.3.1 and higher.
- F5 BIG-IP Access Policy Manager 17.0 and higher.
- Ivanti Connect Secure 9.1R16 and higher.
- Aruba ClearPass with Microsoft Intune Extension v6 and later.
- Forescout eyeExtend Microsoft Module v1.0.1 and later.
We recommend you migrate to these new offerings as soon as possible. For detailed instructions, refer to product documentation from your NAC provider. We’ll continue to update this post as more partners add support for the Compliance Retrieval service.
Will the Compliance Retrieval service replace the original Intune NAC service?
Yes, we will stop supporting the Intune NAC service at the end of 2023. Our networking partners are working to move off the Intune NAC service. If you have questions about your specific use case, contact your NAC solution provider.
When do I need to transition to the new service?
We will take down the original Intune NAC service at the end of 2023 to give our partners and customers time to transition to the Compliance Retrieval service and/or adopt the Microsoft Graph solution. Work with your NAC partner to determine what changes you need to make and when to maintain NAC availability.
How does this affect my users?
Users should not notice any changes with the new service. However, if you don’t make the required modifications to your environment, it might affect user access to corporate resources on NAC-enabled networks. Work with your NAC partner to understand what changes are needed for your environment and get them implemented prior to the end of service for the Intune NAC Service.
We will continue to update this post as we continue to transition away from the Intune NAC service. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.
Post updates:
05/09/22: Updated with NAC partner products that now use the Compliance Retrieval service.
09/12/22: Added additional NAC partner products that use the Compliance Retrieval service
10/18/22: Updated the end of support timeline from December 31, 2022, to December 31, 2023, and added another NAC partner product that now uses the Compliance Retrieval service.
02/21/23: Updated to include F5 BIG-IP Access Policy Manager 14.1.5.2 and higher & F5 BIG-IP Access Policy Manager 15.1.7 and higher.
07/31/23: MAC address is now supported for the Compliance Retrieval service.
10/20/23: Updated the end of support timeline from December 31, 2023, to March 31, 2024, and added another Forescout eyeExtend Microsoft Module v1.0.1 and later as NAC partner product that now uses the Compliance Retrieval service.
