Now more than ever, the security posture is “How can I make sure my end-users are accessing the right resources on a managed device?” Combining Microsoft Conditional Access to validate the user, in conjunction with Addigy to secure the device, allows Apple admins to make sure corporate assets are being accessed in a secure manner.
Be sure to check out the Addigy Compliance Engine as part off your Conditional Access solution.
Also, see Microsoft Conditional Access via Partner compliance management for Conditional Access that also includes the real time updating of device compliance state from the Addigy Compliance Engine.
High Level Technical Overview
Using Microsoft Defender for Cloud, Azure Conditional Access, and Addigy, only devices and users defined within a Conditional Access policy can access Corporate resources. Addigy can be configured to push out Certificates on managed devices. When the Corporate resource is attempting to be accessed, Azure Conditional Access will a) compare if the user can obtain access and b) if the device’s certificate matches what’s in Microsoft Defender for Cloud.
- Managed PKI Solution, Like SecureW2, DigiCert, or other solution. (We have integrated with SecureW2 here)
- Azure AD (P1 or P2) subscription plan with Conditional Access (Find more information here)
- Microsoft Defender for Cloud Apps (Find more information here and here)
- Valid SCEP Certificate, Root Certificate Authority, and/or Immediate Certificate Authority
- Addigy Account using Addigy MDM
Below we discuss the technical workflow for creating a certificate with SecureW2 (Any certificate authority or SCEP Certificate authority can be used), deploying the certificate with Addigy, setting up Conditional Access in Azure, setting up Conditional Access Policies in Microsoft Defender for Cloud Apps, and validating login.
Creating a Certificate in Certificate Authority
Note: In this example we are using SecureW2
- Create a Certificate in SecureW2 (or desired Certificate Authority Provisioner)
- Specify the parameters of certificate creation:
- Download or Email the certificate to yourself, you should download or receive an email with a P12 certificate file.
Add Certificate(s) to Microsoft 365 Defender (Formerly: Microsoft Defender for Cloud)
- Convert the certificate to a pem file which Microsoft support, by running this command:
openssl pkcs12 -in ~/path/to/cert.p12 -out ~/path/to/exported-cert.pem -nodes -clcerts
- Import the Certificate into Microsoft 365 Defender. Navigate to the portal then Settings (gear in upper right) >System Settings > Settings > Conditional Access App Control > Device Identification and upload your certificate.
Note: Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) is now part of Microsoft 365 Defender.
- Upload the PEM Certificate file
Create a Conditional Access Policy in Microsoft Azure
- Log into https://portal.azure.com and go to Conditional access.
- Click Home > Conditional Access > Policies and then New Policy
- Enter a name for your policy
- Under Assignments, specify the desired value under Users or workload identities and scope the policy to All or Selected users you want it to apply to:
- Under Assignments again, select the desired value under Cloud apps or actions and scope to All or selected apps. (Do you want this to impact all Microsoft Cloud Apps or specific apps)
- Under Access Control, select the the Session section and check Use Conditional Access App Control and choose Use custom policy… and then click Select
- At the bottom of the page under “Enable policy” select “On” and click “Create” once you have tested and validated the conditional access policy in full.
- If you don’t see the policy after creating it in the Azure Portal, try refreshing or waiting a few minutes.
Add Conditional Access App Control Apps to Microsoft Defender for Cloud
- Log into a service that was added to your policy in step 5 of “Create a Conditional Access Policy in Microsoft Azure” this will be needed to verify Microsoft defender is seeing login attempts,
- Log into https://portal.cloudappsecurity.com/ and click the Gear icon in the upper right then click “Conditional Access App Control” in the dropdown
- You should see the app that you logged into in Step 1. If not please verify your Conditional access policy from the previous step.
Create Access Controls within Microsoft Defender for Cloud Apps
Next we need to build policies in Microsoft Defender for Cloud Apps.
- Setup a Policy under Microsoft Defender for Cloud Apps > Control > Policies > Conditional Access to ensure Conditional Access is applied.
- Changed Activities matching all of the following to: `Device` `Tag` `does not equal` `Valid Client Certificate` and App equals relative Microsoft Services. You can add custom block messages or notifications if desired:
- Now attempt to login with the specified User(s) or Group(s) specified and see if they can login. If they don’t have the certificate deployed to the device they should receive a warning message as below:
- If the user does have the certificate deployed, they will be able to login successfully.
Note, that this uses a single certificate mechanism. However, you can do this with a SCEP implementation to use dynamic certificates if interested.
Using SCEP Certificates and Addigy Variables
You can improve the security of the above workflow by using a SCEP PKI Certificate provider.
- SecureW2 has published a KB article on how to use SCEP Certificates with their PKI Infrastructure. This can be setup following the below guide: https://www.securew2.com/solutions/how-to-deploy-scep-certificates-using-addigy-and-securew2
- It will also require using Addigy Variables in a SCEP Payload, which we document in the below guide: https://support.addigy.com/hc/en-us/articles/4403542462099-Setting-up-an-MDM-Payload-using-Device-Facts-as-variables
Conditional Access is an important feature function for Microsoft and protecting it. This functionality helps to bring vendors close to the Conditional Access Program, but is not the fully functional conditional access that integrates with Microsoft Azure Services.
We have the next generation real-time compliance engine releasing soon, which will provide a much more robust implementation of this that isn’t just certificate based.
If you would like to participate in the next generation real-time compliance engine, please contact email@example.com.