I have a question about Conditional Access and MAM/App Protection Policy. I'm not sure if I have understood this properly, so here is a ton of detail:

- I've got an APP configured in Endpoint Manager, targeted to the Android platform, all apps on all devices. Quite basic: forces encryption and a PIN, prevents data egress. Assigned to a user group (test.user.CAfuckery) containing only my account. This works. The policy applies when I install Outlook Mobile on a phone and sign into it with my corp account; I have to install (but not configure/sign in to) Company Portal, and the restrictions are in place. Great, something worked.

- I've got a CA policy configured in Entra, targeting the same test.user.cafuckery group, All Cloud apps, Any device/Any location/All client apps. Three controls apply (Require MFA, Require device to be marked as compliant, Require app protection policy) with "require one of the controls". Sign-in frequency is set to one day (I hate myself). Edit: I have tried 'Require authentication strength: multifactor' instead of 'Require MFA', same outcome.

This almost works. On my laptop (Entra-joined, Intune-managed) I am not prompted to sign in every day because it is compliant, but on my phone(s) I am prompted daily for my password. It does not prompt me for a second factor (i.e. MS Authenticator), and in the sign-in logs (which are very easy to work with, thanks Microsoft) I can see the CA policy marked success because of the App Protection Policy being applied. What am I missing here? My guess is that Entra can't test for the APP being applied without using the Company Portal framework on the phone, and so it prompts for the password just to initiate a call via the management framework. Is that nonsense?

My ambition is to let people use managed solutions (compliant laptops, MAM-protected apps on phones) with minimal password/MFA prompting, while enforcing daily (maybe, we will see what I can get away with) MFA challenges on people trying to use their own equipment. Over time we want to block this, but gently gently.

tldr: why does APP not satisfy Conditional Access without prompting for a password, am I stupid

kyojin fucked around with this message at 13:30 on Jan 29, 2024
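One way to see exactly which grant control satisfied the policy on each phone sign-in, and whether the sign-in ended as single- or multi-factor, is to read the same sign-in logs via Microsoft Graph. This is an added example, not code from the thread; it assumes the Microsoft.Graph PowerShell module and a placeholder UPN for the test account.

```powershell
# Added example (not from the thread): dump recent sign-ins for the test account and,
# for each one, show the applied CA policy, its result and the enforced controls.
# Assumes the Microsoft.Graph PowerShell module; the UPN below is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn = "test.user@example.com"   # placeholder, replace with the test account
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 50

foreach ($s in $signIns) {
    # AuthenticationRequirement is singleFactorAuthentication or multiFactorAuthentication,
    # so it shows directly whether the daily prompt was password-only.
    Write-Host ("{0}  app={1}  client={2}  os={3}  compliant={4}  authReq={5}  caStatus={6}" -f
        $s.CreatedDateTime, $s.AppDisplayName, $s.ClientAppUsed,
        $s.DeviceDetail.OperatingSystem, $s.DeviceDetail.IsCompliant,
        $s.AuthenticationRequirement, $s.ConditionalAccessStatus)

    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -eq "notApplied") { continue }
        # With "require one of the selected controls", EnforcedGrantControls lists the
        # control that actually satisfied the policy (e.g. compliantApplication for APP,
        # compliantDevice for the Intune-managed laptop, mfa otherwise).
        Write-Host ("    policy='{0}' result={1} grant=[{2}] session=[{3}]" -f
            $p.DisplayName, $p.Result,
            ($p.EnforcedGrantControls -join ","), ($p.EnforcedSessionControls -join ","))
    }
}
```

Comparing the `grant=` and `authReq=` columns for a phone sign-in against a laptop sign-in shows whether the app protection policy, rather than MFA, is what closed the policy on the phone.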
Jan 29, 2024 13:28

May 14, 2024 02:24
> Cyks posted: Conditional access policies aren't actually checked until after you've successfully signed in, which in your case is by using a username and password.

Thanks. Do you therefore have a working MAM CA policy, and is it satisfied by an APP policy being applied without prompting the user each sign-in frequency period?

I should add: if I complete my daily sign-in on Outlook on my phone, then the Teams app is also satisfied (and vice versa), so it surely has to be something being brokered by Company Portal. Also, on one of my test devices I've signed into CP, but it behaves no differently to the others where I have not.

The only alternative I can see is using CA to block all apps except APP-capable apps, and then relying on the enforcement from Intune to apply the APP rather than requiring it in Conditional Access. The issue here is that I can't see a way to match the list of target apps I get in Intune > App Protection Policy > Apps to entries in the CA policy > Target Resources > Exclude Apps list. A random example would be 'RICOH Spaces V2', listed in Intune as an APP-targeted app, but not available to exclude from the theoretical blanket-block CA policy.

I haven't bothered testing with 'require approved client app' as this is apparently being retired in favour of 'require App Protection Policy', which would make sense if the replacement worked. I feel like I must have misunderstood something fundamental with my approach. I suppose the goal is to treat a MAM/APP connection in the same way as a compliant-device connection, so I can then apply a higher authentication burden to everything else.
Jan 29, 2024 15:15