The Microsoft Intune Managed Browser

Before I start with the second part of my blog post about multi-identity in the managed Outlook app, I thought it would be wise to make a side-step to the Microsoft Intune Managed Browser first. The main reason is that the Microsoft Intune Managed Browser can also have a managed browser policy configured. That policy can have a direct impact on the end-user experience when opening links from the Outlook app.

The good thing, for this blog post, is that the Microsoft Intune Managed Browser doesn’t use multiple identities. It’s either managed or it’s not. This blog post describes the behavior of the Microsoft Intune Managed Browser. The second part of my post about multi-identity in the managed Outlook app will show this behavior as well.

Configuration

For this blog post I’ve used the same general managed app policy configuration as I used for the managed Outlook app, and I’ve used an allow list for the managed browser policy configuration. Both configurations are shown in the pictures below. These pictures are all taken from a Microsoft Intune hybrid environment, but the settings that can be configured are identical to the settings that can be configured in a Microsoft Intune standalone environment.

Managed Browser policy

[Screenshots: Managed Browser policy configuration for iOS and Android]

General policy

[Screenshots: general app management policy configuration for iOS and Android]

Behavior

The behavior of the Microsoft Intune Managed Browser doesn’t show any real anomalies or unexpected things. Even though there are no real anomalies, I’ll still go through the settings and, more importantly, the experience of the end-user. It’s always good to know exactly what kind of behavior should be expected.

Managed Browser policy

Let’s start with noting a couple of important things about the end-user experience based on the managed browser policy configuration.

The Microsoft Intune Managed Browser will only allow URLs that are an exact match to the URL in the configured allow list. That means that even if something as simple as https:// is missing in the URLs of the configured allow list, the website might not be accessible. The same applies to sub-domains, different pages and different folders. Not specified is not accessible.

A very important piece of advice here is to use the * wildcard.

This same behavior also applies to URLs that are opened from any of the managed apps. That a URL is opened from a managed app doesn’t mean that it’s accessible through the Microsoft Intune Managed Browser.
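A pre-deployment check for an allow list, as an added example that is not part of the original post and not Microsoft code: it lists which URLs users need would be refused. It assumes a simplified model of the behavior described above (an entry must match the whole URL string exactly, with * standing for any run of characters); the hostnames and lists are constructed samples.

```python
import re


def compile_entry(entry):
    # Assumed model, not Intune's actual matcher: every character must match
    # exactly, except '*', which stands for any run of characters.
    literal_parts = (re.escape(part) for part in entry.split("*"))
    return re.compile(".*".join(literal_parts))


def is_allowed(url, allow_list):
    """True if at least one allow-list entry matches the complete URL."""
    return any(compile_entry(entry).fullmatch(url) for entry in allow_list)


def coverage_gaps(required_urls, allow_list):
    """Return the URLs users need that the allow list would not permit."""
    return [url for url in required_urls if not is_allowed(url, allow_list)]


# Constructed sample data: URLs the business expects to work.
REQUIRED = [
    "https://intranet.example.com",
    "https://intranet.example.com/hr/leave.aspx",
    "https://portal.example.com",
    "https://apps.portal.example.com/login",
]

# First attempt: scheme missing on one entry, no wildcards anywhere.
STRICT_LIST = ["intranet.example.com", "https://portal.example.com"]

# Corrected list: scheme present, wildcards cover pages, folders and
# sub-domains, and each wildcard path starts after the "/" so the host
# part of the entry stays fixed.
WILDCARD_LIST = [
    "https://intranet.example.com",
    "https://intranet.example.com/*",
    "https://portal.example.com",
    "https://*.portal.example.com/*",
]

if __name__ == "__main__":
    for name, allow_list in (("strict", STRICT_LIST), ("wildcard", WILDCARD_LIST)):
        gaps = coverage_gaps(REQUIRED, allow_list)
        print(f"{name}: {len(gaps)} required URL(s) not covered")
        for url in gaps:
            print(f"  blocked: {url}")
```
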

General policy

Now let’s go to the end-user experience based on the general policy configuration. As this policy simply applies to the app, the behavior should be as expected.

| Setting | Experience |
|---|---|
| Restrict web content to display in the Managed Browser | The end-user will experience that every URL will open in the Microsoft Intune Managed Browser. |
| Prevent Android backups (Android only) [1] | The end-user will not experience anything special. |
| Prevent iTunes and iCloud backups (iOS only) [1] | The end-user will not experience anything special. |
| Allow app to transfer data to other apps | The end-user will experience that data can only be transferred to other managed apps. |
| Allow app to receive data from other apps | The end-user will experience that data can be received from all other apps. |
| Prevent “Save As” | The end-user will experience that the “Save As” option is missing. |
| Restrict cut, copy, and paste with other apps | The end-user will experience that content and URLs can only be copied and pasted to other managed apps. |
| Require simple PIN for access (including number of attempts before PIN reset) | The end-user will experience that a PIN is required for access. |
| Require corporate credentials for access | The end-user will experience that corporate credentials are required for access. |
| Require device compliance with corporate policy for access | The end-user will experience that there is no access when the device is jailbroken (iOS) or rooted (Android). |
| Recheck the access requirements after timeout and offline grace period [2] | The end-user will not experience anything special. |
| Encrypt app data [3] | The end-user will not experience anything special. |
| Block screen capture (Android only) | The end-user will experience that the screen capture option can’t be used. |

[1] This setting would make sure that the backup of the Microsoft Intune Managed Browser is disabled, but, by default, the Microsoft Intune Managed Browser already doesn’t perform online backups.
[2] This setting will make sure that the access requirements for the Microsoft Intune Managed Browser are checked again after the specified timeout and grace period.
[3] This setting will make sure that all data associated with the Microsoft Intune Managed Browser will be encrypted. On iOS the data is encrypted at rest using the device level encryption of iOS and on Android the data is encrypted during file I/O operations via encryption provided by Microsoft.

More information

For more information about controlling the managed browser, please refer to the following links:

4 thoughts on “The Microsoft Intune Managed Browser”

  1. Great article! A quick question for a customer that is looking to go the EMS route.

    How do we ensure that an employee can ONLY access an internal web-based application (URL based) ONLY through the Intune Managed Browser – AND NOT THROUGH ANY OTHER NATIVE BROWSER on their device?

    For example: while I enable this policy via Intune – can the employee open his local Chrome or Safari – put in the local intranet website address – and get access? How do we ensure that it is ONLY through the managed browser – will he be able to get access?
