MS Intune Security Migration

I have been to a few Microsoft events that highlight how to secure company data on mobile devices. For Android devices, Android for Work allows you to segment company data while allowing the phone OS to interact with the data. For iOS devices, you can access company data through applications like Outlook but can still configure those same applications to access personal data, if you wish. The best part is that when the company is done with the device (such as when employees leave and the devices go with them) the company can retire it, which removes company data while keeping personal data (pictures, notes, their Angry Birds app, etc.) intact. It all looks and sounds great during those demos at Microsoft.

The problem I found is that my deployment was not as easy as advertised. Microsoft has documentation but I found it to be lacking. So, I am going to document my configuration to help someone else get it done quickly. There are some things to know before starting. People will need to use the Microsoft approved apps for accessing company data – you can find the list at https://aka.ms/supportedmamapps. For iOS, the built-in apps cannot be used as they copy data to the device – disabling the user account would mean only new data would not be accessible, and that is not good enough. Because of this, contact sync needs to be handled by Outlook, which is a one-way sync, so any contact updates have to be made within Outlook. One thing to note is that this breaks the security rules as contacts are copied to the local phone store; however, this needs to be done if you want to see names instead of numbers when getting a call or text. I have worked directly with Microsoft on this and could not find a way around it. Also note that the iOS device needs to be on version 12 or later, but this should already be the case as there are other security reasons to be on the latest code.

There are two places this configuration was performed: Intune and Azure Conditional Access (CA). Let’s start with the CA policies as a few are needed.

Conditional Access Policies
  • Create a new policy and give it a name – this one is for enforcing the modern authentication apps and Intune. I applied this to a specific group as not all of my users are allowed to enroll mobile devices.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online – you should see notes on the bottom that this will include other apps once those are chosen.
    • Conditions: choose Android and iOS under device platforms and Modern Authentication Clients under Client Apps.
    • Access Controls: choose Grant Access and check both “Require device to be marked as compliant” and “Require approved client app.” Make sure to choose “Require all the selected controls.”
  • Create a new policy and give it a name – this one is for blocking any ActiveSync clients as these copy data to the device. Assign it to the same users. This needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online.
    • Conditions: choose Android and iOS under device platforms and Exchange ActiveSync Clients under Client Apps.
    • Access Controls: Block Access.
  • Create a new policy and give it a name – this one is for blocking any other applications. Assign it to the same users. Once again, this needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online.
    • Conditions: choose Android and iOS under device platforms and Other Clients under Client Apps.
    • Access Controls: Block Access.

These have to be three different rules because Azure conditional access policies do not work well when trying to be combined. From a logical standpoint, this does not make sense to me other than to say that you need to keep your policies simple. Of course, I have a concern that too many policies will eventually cause issues but that is a different topic.
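To see how the three separate policies combine for a given sign-in, here is a small evaluation model added to this post (it is not the author's policy export and not Azure's real engine; the policy shapes only loosely follow the Graph API conditionalAccessPolicy resource, and the sample sign-ins are constructed):

```python
# Added example (not the author's export, not Azure's real engine): a simplified
# model of how the post's three Conditional Access policies combine for a sign-in.
EXO = "Office 365 Exchange Online"
SPO = "Office 365 SharePoint Online"
MOBILE = {"android", "iOS"}

# The three policies from the post, kept separate as the author found necessary.
POLICIES = [
    {"name": "Require compliant device + approved app", "apps": {EXO, SPO},
     "platforms": MOBILE, "clientAppTypes": {"mobileAppsAndDesktopClients"},
     "grant": {"operator": "AND",
               "controls": {"compliantDevice", "approvedApplication"}}},
    {"name": "Block Exchange ActiveSync", "apps": {EXO}, "platforms": MOBILE,
     "clientAppTypes": {"exchangeActiveSync"}, "grant": {"controls": {"block"}}},
    {"name": "Block other clients", "apps": {EXO, SPO}, "platforms": MOBILE,
     "clientAppTypes": {"other"}, "grant": {"controls": {"block"}}},
]

def matching_policies(signin, policies=POLICIES):
    # A policy applies only when app, platform and client app type all match.
    return [p for p in policies
            if signin["app"] in p["apps"]
            and signin["platform"] in p["platforms"]
            and signin["clientAppType"] in p["clientAppTypes"]]

def evaluate(signin, policies=POLICIES):
    """Return 'grant' or 'block'. Every matching policy must be satisfied and a
    block in any of them wins; with no matching policy CA adds no restriction."""
    satisfied = {"compliantDevice": signin.get("compliant", False),
                 "approvedApplication": signin.get("approvedApp", False)}
    for p in matching_policies(signin, policies):
        controls = p["grant"]["controls"]
        if "block" in controls:
            return "block"
        required = all if p["grant"].get("operator") == "AND" else any
        if not required(satisfied[c] for c in controls):
            return "block"
    return "grant"

# Constructed sample sign-ins for users in the assigned group.
SAMPLES = {
    "outlook_compliant": {"app": EXO, "platform": "iOS", "clientAppType":
        "mobileAppsAndDesktopClients", "compliant": True, "approvedApp": True},
    "outlook_unenrolled": {"app": EXO, "platform": "android", "clientAppType":
        "mobileAppsAndDesktopClients", "compliant": False, "approvedApp": True},
    "native_mail_eas": {"app": EXO, "platform": "iOS", "clientAppType": "exchangeActiveSync"},
    "legacy_imap_client": {"app": EXO, "platform": "android", "clientAppType": "other"},
    "desktop_browser": {"app": SPO, "platform": "windows", "clientAppType": "browser"},
}
```

The desktop browser sample matches none of the three policies, which shows that this set only governs Android and iOS; other platforms need their own rules.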

Let’s move on to the Intune configuration. I am going to assume that you already have the basic configuration completed and can register your mobile devices as that would take up too much space. The first configuration policy needed is for the device restrictions.

Device Configuration Policies
  • Create a Device Restrictions policy for Android Enterprise. Give it a name and assign it to the same users as before.
    • Work Profile Settings: Block copy and paste between work and personal profiles. Under Data Sharing Between Work and Personal Profiles, choose Apps in work profile can handle sharing requests from personal profile.
    • Device Password: these settings should coincide with your company’s configuration. My preference is to use a minimum 6-character password and 10 failed attempts before wiping the device.
  • Create a Device Restrictions policy for iOS devices. Give it a name and assign it to the same users as before.
    • Password: these settings should match the Android Enterprise one you just created. However, there are some extra settings so take a look.
    • App Store, Doc Viewing, Gaming: set Viewing corporate documents in unmanaged apps to Block.
    • Cloud and Storage: set Managed Apps Sync to Cloud to Block.
  • Create a Custom policy for iOS. Give it a name and assign it to the same users as before.
    • You will need to create an Intune Custom Profile Settings XML file to upload to this policy. See below on how to do this.

Refer to https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Use-Intune-custom-profile-settings-with-the-iOS/ba-p/298453 on how to create the Profile Settings XML. Here is a picture of mine – notice the highlighted line where you should enter the company name.

Custom Configuration XML

Make sure you have your compliance policies set up. I am not including this configuration as it is part of the basic setup. There are still a couple of items left. First is the App Protection Policy that you can find under Client Apps.

  • Create a policy for Android and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to Android Backup Services. Choose Policy Managed Apps for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Disable Screen capture and Google Assistant. Require Encrypt Org Data and Encrypt Org Data on Enrolled Devices. Enable App Sync with Native Contact App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 8.0 (or later if preferred). Change your offline grace period if you like.
  • Create a policy for iOS and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to iTunes and iCloud Backup. Choose Policy Managed Apps with OS sharing for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Require Encrypt Org Data. Enable Sync App with Native Contacts App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 12.0 (or later if preferred). Change your offline grace period if you like.

The last thing you will need is an Application Configuration Policy. Assign this to the same users as before and target the Outlook application. Make the following settings under Configuration. Spelling is key for these entries, so feel free to copy from this table (Note: a couple of lines wrapped here but they should not in your configuration):

Name                                              Value
IntuneMAMUPN                                      {{UserPrincipalName}}
IntuneMAMAllowedAccountsOnly                      Enabled
com.microsoft.intune.mam.AllowedAccountUPNs       {{userprincipalname}}
com.microsoft.outlook.ContactSync.AddressAllowed  True
com.microsoft.outlook.ContactSync.EmailAllowed    False

Now, go ahead and enroll devices. With the Microsoft apps your users can still access company data, and you can feel a little more secure knowing that the same data is now better protected.
