Conditional access for browsers

This week I’ll provide an overview of the latest addition to conditional access, which is conditional access for browsers. It’s a feature that many have been waiting for and a pretty welcome addition to conditional access. This post will provide the basics of conditional access for browsers, the configuration of conditional access for browsers and the end-user experience with conditional access for browsers. It will also be the introduction to something much better next week.

Introduction

Conditional access allows IT organizations to manage access to corporate email, files and other resources based on customizable conditions that ensure security and compliance. The addition of conditional access for browsers addresses the backdoor that still existed for end-users connecting to the Outlook Web App (OWA) and end-users using browser access to SharePoint and OneDrive for Business. It’s now possible to restrict Outlook Web App (OWA) and browser access to SharePoint and OneDrive for Business when accessed from a browser on iOS and Android devices. Access is only allowed from the following supported browsers, on compliant devices, while unsupported browsers are simply blocked:

  • Safari (iOS);
  • Chrome (Android);
  • Managed Browser (iOS and Android).

Note: Keep in mind that this does not block access via the OWA app. More about that in my post next week.

Configuration

Now let’s have a look at the configuration of conditional access for browsers. The configuration is the same for Microsoft Intune standalone and Microsoft Intune hybrid, as the configuration is part of the conditional access policies. It’s actually nothing more than one simple checkbox that belongs to one specific setting. That specific setting is “Block non-compliant devices on the same platform as Outlook” in the Exchange Online Policy and “Block non-compliant devices on the same platforms as OneDrive for Business” in the SharePoint Online Policy. That specific setting can be configured as shown below for Exchange Online and SharePoint Online.

[Screenshots: Exchange Online policy setting (OWAExchangeOnline) and SharePoint Online policy setting (OFBSharePointOnline)]

End-user experience

Now it’s time to look at the end-user experience, which is the most important part of this feature. Below I’ve got examples for compliant and non-compliant devices and supported and unsupported browsers. In all examples I’m trying to access https://outlook.office.com.

Android

Here is an example on an Android device using the supported Chrome browser and using the unsupported Firefox browser. The left column shows the non-compliant examples and the right column shows the compliant examples. Notice the clear message in the unsupported browser about using supported browsers for access.

[Screenshots: Android, non-compliant (left column) versus compliant (right column), in Chrome and Firefox]

iOS

Here is an example on an iOS device using the supported Safari browser and using the unsupported Firefox browser. The left column shows the non-compliant examples and the right column shows the compliant examples. I haven’t been able to receive the same clear messages yet, as shown on my Android device, but the access is definitely blocked.

[Screenshots: iOS, non-compliant (left column) versus compliant (right column), in Safari and Firefox]

Windows 10

I’ve also managed to successfully test conditional access for browsers on Windows 10, with Internet Explorer and Microsoft Edge, in combination with Microsoft Intune standalone and Microsoft Intune hybrid, and even in combination with Windows 10 fully managed by ConfigMgr. More about those awesome scenarios once it’s listed as a supported platform with supported browsers.

More information

For more information about conditional access for browsers with Exchange Online and SharePoint Online, please refer to:

Store accounts and the Microsoft Intune Company Portal app

In this blog post I will answer a question that I get from a lot of customers: is it required for end-users to have an account for the app store of their platform to download the Microsoft Intune Company Portal app? The app store I mean here can be the Google Play app store, the Apple app store, the Windows Phone app store or the Windows app store. All these stores match their platform and require their own store account to download apps.

Before I can answer the initial question, I first have to answer another question: is it required to use the Microsoft Intune Company Portal app at all? After all, a store account is not required if the Microsoft Intune Company Portal app is not required. In this post I’ll try to answer both of these questions by providing tables with a nice overview of the requirements per platform. In general this is applicable to both Microsoft Intune standalone and Microsoft Intune integrated with ConfigMgr 2012.

Microsoft Intune Company Portal app

Now let’s start with the first question: is the Microsoft Intune Company Portal app required? In almost all scenarios the answer to this question will be yes. Also, keep in mind that the advised scenario for every platform is to install the Microsoft Intune Company Portal app and to enroll the mobile device. To be complete, the following table lists the functional requirements for the Microsoft Intune Company Portal app for every platform.

Platform          | Enrollment and policies | Application deployment
Android           | Yes                     | Yes
iOS               | Yes (1)                 | Yes
Windows Phone 8.0 | No                      | Yes
Windows Phone 8.1 | No                      | Yes
Windows           | No                      | Yes

(1) It is possible to enroll iOS devices without using the Microsoft Intune Company Portal app. That can be achieved either by using portal.manage.microsoft.com on an iOS device, or by using the corporate device enrollment feature with Microsoft Intune standalone.

Store account

That brings me to the second question: is a store account required to get the Microsoft Intune Company Portal app? Well, this also differs per platform. To make it easy, I can say that it’s required for the non-Microsoft platforms. The following table provides a quick overview per platform, including the alternatives for the Microsoft platforms.

Platform          | Store account required | Alternative
Android           | Yes                    | N/A
iOS               | Yes                    | N/A
Windows Phone 8.0 | No                     | Microsoft Intune Company Portal app for Windows Phone
Windows Phone 8.1 | No                     | Microsoft Intune Company Portal app for Windows Phone 8.1
Windows           | No                     | Microsoft Intune Company Portal app for Windows 8.1

Conclusion

At this moment the best method for end-users to enroll their device is to use the Microsoft Intune Company Portal app, if possible. Even when the Microsoft Intune Company Portal app is not required for the enrollment, as with the Microsoft platforms, it’s still advised to install the Microsoft Intune Company Portal app to better manage devices and applications.

Back to the original question: this means that, at this moment, a store account is always required for non-Microsoft platforms. For Microsoft platforms it depends on how the Microsoft Intune Company Portal app is deployed. As I mentioned in my previous post, I like to use the Microsoft Intune Company Portal app from the Microsoft app store, if possible, and in that case a store account is required.