Overview
Ensuring that end users access organization data only from a trusted organization device is a key component of many device security best practices. Combining Microsoft Conditional Access to validate the user with Addigy to secure the device allows Apple admins to make sure corporate assets are accessed in a secure manner.
After this article, please review the Addigy Compliance Engine article, as it is a key part of the Conditional Access solution and explains how macOS devices are evaluated as compliant or not.
Also, see Microsoft Conditional Access using Certificates for a workflow for Conditional Access that does not require Microsoft Enterprise Mobility + Security (E3 or E5).
High Level Technical Overview
Using the Addigy Compliance Engine, Azure Conditional Access, and Addigy, only devices registered to users and marked as compliant will be able to access data and apps that are behind a configured Conditional Access policy. When a user attempts to access a resource protected by a Conditional Access policy, Azure Conditional Access checks the Azure Device ID of the device making the request (provided in the access request via the WPJ (Workplace Join) certificate) and its Compliance State, which Addigy sends to Azure as part of the Partner compliance management integration.
About the beta
Microsoft Conditional Access via Partner compliance management is a new feature, and we would love your feedback and ideas on how to improve it.
If you would like to participate in the next generation real-time Compliance Engine and Conditional Access beta, please contact product@addigy.com.
Beta Note: At the start of the beta this feature will be 1-1 as in 1 Azure Tenant ID to 1 Addigy Instance. Multi-Tenant (1 Azure Tenant ID per Addigy Organization Policy) is under consideration and research.
Requirements
- Azure AD (P1 or P2) subscription plan with Conditional Access
- Azure AD Admin rights for integration connection via admin consent experience login
- Domain or Global Admin
- Microsoft Enterprise Mobility + Security (E3 or E5) for users to perform the WPJ device registration
- Addigy Account using Addigy MDM
- macOS devices on macOS v10.15 and up
Technical Workflow
Below we discuss the technical workflow connecting Addigy and Azure as part of the Partner compliance management integration, setting up the one-time end-user Conditional Access registration (Workplace Join, WPJ) workflow in Self Service, and setting up Conditional Access Policies that grant or deny macOS device access based on the device state sent over as part of the registration.
Enabling Partner compliance management for Addigy
The first step needed to allow the integration connection between Addigy and Azure is to add Addigy as a compliance partner.
- Navigate to endpoint.microsoft.com
- Open the Tenant Administration blade
- Open the Connectors and tokens blade
- Open the Cross platform > Partner compliance management blade
- Choose Add compliance partner to start the partner wizard
- Select Addigy from the Compliance partner dropdown in the wizard
- Select the macOS platform from the Platform dropdown
- Click Next to advance
- Select your desired user group that will have Workplace Join and registration ability. If desired, this can be a group you define (for example, an organization department that dynamically updates in Azure AD, a static group of testers you manually add to a user group, or a specific user). In this workflow we assign it to All Users so that any member of this Azure AD tenant can perform the registration and have their device become compliant.
- Click Next to advance
- Review your configuration, then confirm and save it via the Create button
- The endpoint.microsoft.com session can now be closed, as the Addigy partner connection is enabled and waiting for the Addigy-side activation and first service heartbeat.
Connecting Addigy to Azure/Intune Partner compliance management
Now that Intune is listening for partner activation, we will kick off the Addigy-to-Azure connection.
- Navigate to Account > Integrations > Third Party Add-Ons > Microsoft Intune
- Input your Azure AD Tenant ID into the Tenant ID box. Note: Your Tenant ID can be found on the Azure AD portal home screen.
- With your Azure AD Tenant ID entered, click the Connect button.
- When redirected in a new tab to the Azure AD Admin Consent Experience sign-in, sign in with an Azure AD account that has the admin rights to grant domain or global consent to the partner app. After you are signed in, click the Accept button to allow the integration.
- The integration will now process and connect the needed services. Once that process is complete, the UI will show green indicators that the integration connection was successful. Additionally, endpoint.microsoft.com > Tenant Administration > Connectors and tokens > Cross platform > Partner compliance management will show the Addigy partner listed with a successful heartbeat, as shown in the following example.
Configuring Self Service for End User Registration
The last configuration step is to enable end users to perform the registration on the device so that they obtain their device AAD ID and a login.keychain AAD certificate, which are used for browser and app sign-in when a Conditional Access policy evaluates the device and prompts for them.
- In Addigy navigate to Policies
- Select the desired policy
- Click on the Self Service Tab
- Click on the desired Self Service configuration
- Edit the Self Service configuration via the Edit Configuration button
- Under the Integrations section, check the box to enable the Intune integration inside of Self Service (lower left corner of the Self Service app)
- Click Save and Review, then confirm the change for deployment
- Devices will now show the registration workflow option in Self Service after policy deployment
Troubleshooting
- After inputting your Azure Tenant ID and attempting to connect, you get an error on the redirect and admin consent sign-in in Azure:
- Cause: The first section of this setup workflow, enabling Partner compliance management for Addigy as a compliance partner, was not completed properly. If Addigy has not been added as a partner, the API will not have the rights to make the setup calls.