SOLVED

Conditional Access - Intune for Windows and Airwatch for iOS


Hi all,

 

My customer uses Intune for managing Windows devices and Airwatch for their iOS phones. He wants to allow access to O365 only from a corporate device.

Is there a way to make Intune aware that Airwatch devices are corporate devices?

7 Replies

Hi,

 

No. You can't manage 1 device with 2 MDM solutions. You can start using conditional access policy or MAM policy without enrollment.


Hi and thank you for your reply,

 

I know you can't enroll a device to 2 different MDM solutions, and that is not what I am trying to do.

I don't want to enroll my iOS devices to Intune, I just want Intune to know that those devices are the only ones authorized to access O365.

MAM policy is not an option as all personal devices will be able to access O365.


Hi,

you can't use Airwatch enrolled mobile devices (iOS/Android) with Conditional Access except for Windows 10 as device type. You can raise your request here on UserVoice. There are people already asking for this:  https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33713527-support-for-3rd...

 

best,

Oliver

Best Response confirmed by Mathieu Aït Azzouzène (Occasional Contributor)
Solution

BTW, here is the official link to that:

https://docs.microsoft.com/en-au/azure/active-directory/conditional-access/controls

 

You can configure conditional access policies that are device-based. The objective of a device-based conditional access policy is to only grant access to the selected cloud apps from managed devices. Requiring a device to be marked as compliant is one option you have to limit access to managed devices. A device can be marked as compliant by Intune (for any device OS) or by your third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported.


@Oliver Kieselbach Any updates to this thread? We have a similar scenario involving 20K AW-managed devices... End goal is to have Azure AD Conditional Access Policies recognize them as "managed"


@Benjamin Carpena 

 

No, you can do Windows 10 and iOS with Intune, or you can manage W10 with Intune and iOS with Airwatch.

 

http://www.air-watch.com/downloads/resources/AirWatch_Support_for_Office_365_20150724_v421.pdf

 

 


Hey @Jeffrey_Goins,

 

Yes, that changed lately. At the time the thread started it was not available. Now there is a private preview and they are in the process of launching this feature as a public preview, see here:

 

Set device compliance state from third-party MDM partners

Microsoft 365 customers who own third-party MDM solutions will be able to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android via integration with Microsoft Intune Device Compliance service. Third-party MDM vendor will leverage the Intune Device Compliance service to send device compliance data to Intune. Intune will then evaluate to determine if the device is trusted and set the conditional access attributes in Azure AD. Customers will be required to set Azure AD Conditional Access policies from within the Microsoft Endpoint Manager admin center or the Azure AD portal.

 

https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development

 

best,

Oliver