Can internet web browser access be blocked?

  • Question

  • Our goal is to use Intune (hybrid) to provide secure access to on-premises and SaaS (including Office 365) applications for all our employees (BYO scenario: WP8.1, W10M, iOS, Android).

    For devices connecting from the internet (i.e. connecting to ADFS 3.0 through the WAP in our DMZ) we want to require those devices to be enrolled and compliant with our policies (i.e. not rooted/jailbroken, PIN code, encrypted storage).

    We have set up ADFS 3.0, WAP, Azure AD with AADConnect including device writeback and have set up an Intune subscription.

    The docs.microsoft.com article "Restrict access to email and O365 services with Microsoft Intune" shows in its Conditional Access flow that devices which are not targeted with a policy are allowed access.

    To us this seems to be a security loophole.

    Can Conditional Access allow access to registered compliant devices and block web browser access at the same time?

    Sunday, May 29, 2016 8:52 PM

Answers

  • Intune is not an access method and does not block traffic or communication. Using policies, Intune can restrict access to certain enlightened web services, like Exchange Online and SharePoint Online, as well as on-premises Exchange, based upon the enrollment and compliance state of devices. This has nothing to do with controlling traffic or providing access to anything else. Intune does this because these services also use Azure AD (or on-prem Exchange directly in the case of on-prem Exchange) and can thus block access to these services. Also, these services do not rely on a web browser.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, May 29, 2016 11:55 PM