Increase data security and user adoption with Microsoft Intune. Learn about App Protection Policies, Exchange On-premises integration, new features in Intune, and troubleshooting methods. This session covers topics like app encryption, access control, selective wipes, and MDM management options. Ideal for BYOD scenarios, extending app access to partners, and organisations with an existing MDM solution. Stay informed about SDK features, app functionality, and protecting Exchange On-premises. Explore tools and best practices for implementing and troubleshooting Intune App Protection Policies.
Simplify user adoption and increase data security with Microsoft Intune
Neil Johnson – Senior Program Manager
Matt Shadbolt – Senior Program Manager (@ConfigMgrDogs)
BRK3005

Agenda
• Introduction to Intune App Protection Policies (APP)
• APP with Exchange On-premises
• Troubleshooting APP
• New Features in Intune App Protection
• Q&A if we have time
Introduction to Intune App Protection Policies (APP)
APP policies
• Familiar Office experience
  • Seamless “enrollment” into app management
  • Use for personal and corporate accounts
• Comprehensive protection
  • App encryption at rest
  • App access control – PIN or credentials
  • Save as/copy/paste restrictions
  • App-level selective wipe
• MDM management by Intune or third-party is optional
Might be a good solution for these scenarios:
• BYOD when MDM is not required
• Extending app access to vendors and partners
• Already have an existing MDM solution
[Diagram: corporate apps covered by APP policies, with MDM (Intune or 3rd-party) optional; personal apps sit outside the APP boundary]

Introduction to Intune App Protection Policies (APP)
[Diagram: app lifecycle for SDK-managed vs unmanaged apps, with columns Add/Deploy (APK or IPA, Required vs Available), Configure (MDM XML or APP key/value pairs), Protect (APP) and Retire; the marks show which steps are supported for each app type]

Enabling App Protection Policies in LOB apps
• Intune App SDK Xamarin Bindings
  • APP functionality for Android and iOS apps built with Xamarin and Xamarin.Forms
  • For store & LOB apps
• Intune App SDK
  • Full APP feature functionality
  • For store & LOB apps
• App Wrapping Tool
  • Simple cmd-line tool
  • No code changes
  • For LOB apps (we have seen it used for store apps with some caveats)
Outlook and Exchange On-premises: State of the Nation
The Old World…
• Legacy issues were related to basic authN and re-use of the DeviceID, which broke on-premises conditional access
• The APP SDK needs an ADAL token to establish identity
• We couldn’t use APP policies or CA with Outlook
The New World…
• Exchange now has Hybrid Modern Auth
• It uses Azure AD and ADAL for identity, which removes the cached Device ID problem and gives us an identity to use in the APP SDK

Cloud and On-premises
Unlocks mobile application management and conditional access policies for all customers
[Diagram: Outlook on the device talks over a REST API to Office 365 / Exchange Online, which acts as a stateless protocol translator (Azure) and reaches the on-premises Exchange Server over EAS through the hybrid relationship; on-premises data is synchronized to the tenant. Hybrid Modern Authentication drives the authentication and authorization methods, and the cloud side enables Outlook cloud-backed features for both Exchange Online and Exchange Server mailboxes]

Demo: Protecting On-premises with APP

On-premises HMA specifics
Requirements
• Hybrid tenant: full hybrid relationship with Exchange Online with full directory synchronization
• Office 365 Pro Plus licenses
• Autodiscover and EAS endpoints internet accessible anonymously
• Exchange 2013 CU19+ or Exchange 2016 CU8+; Exchange 2010 is not supported in the environment
Data synchronization
• Synchronized on-premises data is stored within the tenant
• Provides GAL search
• Provides most capabilities like geographical boundary support and Service Encryption with Customer Key
• Four weeks of mail data (not configurable)
• Out of Office settings
• All calendar data
• All contacts data
• Pass-through search
Troubleshooting APP - Requirements
• Company Portal required on Android devices, even if not enrolled with Intune
• Azure Authenticator app required on iOS when APP Conditional Access is configured
• Identity must be the same across all managed apps on the same device
• Application must authenticate end users with AAD via ADAL
• Deploy App Configuration Policy ‘IntuneMAMUPN’ with value = {{UserPrincipalName}} for each combination of apps
• Requires an Intune license

APP First Check-in
[Sequence diagram: LOB app, Intune SDK, Location Service and APP Service (Microsoft Intune)]
• User launches the LOB app
• AAD authentication & token transfer
• Intune SDK looks up the user account location (scale unit) via the Location Service
• Intune SDK registers user + app with the APP Service, which returns an APP token
• Intune SDK queries for policy using the APP token
• APP policy is delivered to the app, e.g. ContactSyncDisabled = 1, ClipboardSharingLevel = 3, DeviceComplianceEnabled = 1
• Intune SDK enforces settings based on policy

Troubleshooting APP – Policy Refresh
• Apps check in to the APP service every 30 minutes
• The 30 minute threshold is based on a timer
  • If the app is active at 30 minutes it’ll check in at 30 minutes
  • If the app is sleeping at 30 minutes it’ll check in on next focus
• If there’s no policy assigned to a user, check-in will occur every 8 hours
• If no Intune license is assigned, check-in will occur every 24 hours

Troubleshooting APP - Tools
• Troubleshooting Portal
• about:intunehelp
• APP report
• Logs
New Features in Intune App Protection
• Edge browser for iOS and Android
  • Intune Managed Browser APP parity
  • Multi-user support
  • SSO
  • High user rating
See BRK3006 - Defend against mobile threats and increase user productivity with Intune-managed Edge browser

New Features in Intune App Protection
• Protocol exceptions for data transfer
  • Allows data to transfer to unmanaged apps
  • For iOS this means URL protocol exceptions (tel://)
  • For Android this means package name exceptions (com.android.app)
  • iOS examples
    • tel; telprompt
    • skype
    • calshow, maps
  • Android examples
    • com.android.phone
    • com.google.android.apps.messaging, com.android.mms, com.samsung.android.messaging
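An added example (not code from the session or the Intune SDK) of how such an exception list gates an outbound share from a managed app: it parses the semicolon-separated lists shown above and decides per platform whether the target may receive org data. The three-way allowed_apps setting, matching iOS targets on their URL scheme (case-insensitively) and Android targets on the exact, case-sensitive package name, are assumptions of this example, not behaviour the slide states.

```python
"""Gate a data transfer from a managed app under an APP exception list.

Constructed example, not Intune SDK code. Assumed matching rules: iOS
exceptions match the URL scheme (case-insensitive, per RFC 3986), Android
exceptions match the full package name exactly (case-sensitive).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Exception strings as shown on the slide (iOS schemes, Android packages).
IOS_EXCEPTIONS = "tel; telprompt; skype; calshow; maps"
ANDROID_EXCEPTIONS = ("com.android.phone; com.google.android.apps.messaging; "
                      "com.android.mms; com.samsung.android.messaging")


def parse_exceptions(raw: str, *, fold_case: bool) -> frozenset:
    """Split a 'tel; telprompt' style list into a set of normalised entries."""
    items = (item.strip() for item in raw.split(";"))
    return frozenset((i.lower() if fold_case else i) for i in items if i)


@dataclass(frozen=True)
class TransferPolicy:
    # "all": any app may receive data; "managed": only policy-managed apps plus
    # the listed exceptions; "none": no app may receive data (assumed model).
    allowed_apps: str = "managed"
    ios_scheme_exceptions: frozenset = field(default_factory=frozenset)
    android_package_exceptions: frozenset = field(default_factory=frozenset)


def transfer_allowed(policy: TransferPolicy, platform: str,
                     target: str, target_is_managed: bool) -> bool:
    """target is a URL on iOS and a package name on Android."""
    if policy.allowed_apps == "all":
        return True
    if policy.allowed_apps == "none":
        return False
    if target_is_managed:          # managed targets are always fine
        return True
    if platform == "ios":
        scheme = urlsplit(target).scheme.lower()
        return bool(scheme) and scheme in policy.ios_scheme_exceptions
    if platform == "android":
        return target in policy.android_package_exceptions
    raise ValueError(f"unknown platform {platform!r}")


def slide_policy() -> TransferPolicy:
    """Policy built from the two example lists above."""
    return TransferPolicy(
        "managed",
        parse_exceptions(IOS_EXCEPTIONS, fold_case=True),
        parse_exceptions(ANDROID_EXCEPTIONS, fold_case=False),
    )
```

Note that a scheme-based exception such as tel lets any unmanaged app registered for that scheme receive the data, so each entry widens the data-leak boundary and should be reviewed, not copied from examples.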
New Features in Intune App Protection
• App Protection based on management state
  • Different APP settings based on enrolled vs unenrolled
  • User could have one or the other, or both
  • Scenario
    • Intune MDM enrolled device gets fewer restrictions
    • Non-MDM enrolled devices get more restrictions
  • Need to use the IntuneMAMUPN app config for apps
  • Need to use the IntuneMAMDeviceID app config for LOB apps

New Features in Intune App Protection
• Conditional Launch changes
  • Conditions checked on app launch
    • Max PIN attempts
    • Jailbreak detection
    • Min OS/app/SDK version
    • Device model for iOS
    • Device manufacturer for Android
  • Actions performed on non-compliance
    • Warn
    • Block
    • Wipe
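An added example (mine, not the Intune SDK's conditional-launch code) of evaluating the launch conditions listed above against a device state and picking the non-compliance action. The thresholds, allow-lists and the rule that the most severe failing action (wipe over block over warn) wins are assumptions for illustration; the slide names the conditions and actions but not their precedence or defaults.

```python
"""Conditional-launch style evaluation at app start (constructed example)."""
from dataclasses import dataclass
from typing import Callable

SEVERITY = {"warn": 1, "block": 2, "wipe": 3}   # assumed precedence


@dataclass(frozen=True)
class DeviceState:
    platform: str           # "ios" or "android"
    os_version: str         # dotted numeric versions only, e.g. "12.4.1"
    app_version: str
    sdk_version: str
    pin_failures: int
    jailbroken: bool        # jailbreak (iOS) or root (Android) detected
    model: str = ""         # iOS device model identifier
    manufacturer: str = ""  # Android manufacturer


def at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions; missing components count as 0 ("12.1" == "12.1.0")."""
    a = [int(p) for p in actual.split(".")]
    m = [int(p) for p in minimum.split(".")]
    n = max(len(a), len(m))
    return a + [0] * (n - len(a)) >= m + [0] * (n - len(m))


@dataclass(frozen=True)
class Condition:
    name: str
    passes: Callable[[DeviceState], bool]
    action: str             # "warn", "block" or "wipe"


def build_policy() -> list:
    """Constructed policy: every threshold and allow-list here is illustrative."""
    ios_models = {"iPhone10,3", "iPhone11,8"}       # constructed allow-list
    makers = {"samsung", "google"}                   # constructed allow-list
    return [
        Condition("max PIN attempts (5)", lambda s: s.pin_failures < 5, "block"),
        Condition("jailbreak/root detection", lambda s: not s.jailbroken, "wipe"),
        Condition("min OS version 12.0", lambda s: at_least(s.os_version, "12.0"), "warn"),
        Condition("min app version 2.1.0", lambda s: at_least(s.app_version, "2.1.0"), "block"),
        Condition("min SDK version 10.0", lambda s: at_least(s.sdk_version, "10.0"), "warn"),
        Condition("iOS device model", lambda s: s.platform != "ios" or s.model in ios_models, "block"),
        Condition("Android manufacturer",
                  lambda s: s.platform != "android" or s.manufacturer.lower() in makers, "block"),
    ]


def evaluate(conditions: list, state: DeviceState):
    """Return (action, failed condition names); action is "allow" when all pass."""
    failed = [c for c in conditions if not c.passes(state)]
    if not failed:
        return "allow", []
    worst = max(failed, key=lambda c: SEVERITY[c.action])
    return worst.action, [c.name for c in failed]
```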