“Managing your devices with VMware Workspace ONE UEM does not mean you need to miss out on leveraging Azure AD Conditional Access”

Not everyone is moving to Intune – there are all sorts of valid reasons you may still be using VMware Workspace ONE UEM for management of mobile devices.

Managing your devices with VMware Workspace ONE UEM does not mean you need to miss out on leveraging Azure AD Conditional Access to enforce secure access to Office 365.

Azure AD Conditional Access acts like a gatekeeper for Azure and Office 365 resources and identities. Every connection is checked for user identity, location and device health, and access to Office 365 is allowed or denied based on a minimum set of requirements, including blocking access to resources on devices that are not MDM managed or marked as compliant.

Blocking Office 365 access to resources on unmanaged and non-compliant devices allows you to:

  • Ensure only known, company purchased devices are accessing company data

  • Block devices that are not patched or updated

  • Ensure there are no blacklisted apps on connecting devices

  • Ensure all devices have a passcode, are encrypted, and are not jailbroken / rooted

  • Block personally owned devices – BYOD

Workspace ONE UEM Integration with Microsoft allows device data such as device compliance state to be passed to Intune and Azure AD. This compliance state can then be used to restrict access to Microsoft apps such as Outlook or OneDrive.

Note – This integration with Azure AD Conditional Access is now available with the following Mobile Device Management solutions:

  • VMware Workspace ONE UEM

  • MobileIron Cloud

  • JAMF

  • IBM Maas360

  • Citrix Workspace

  • MobileIron Core

This article specifically covers enabling the integration for VMware Workspace ONE UEM managed devices.

Pre-requisites to enabling Conditional Access Compliance

There are a couple of pre-requisites you need in place to be able to get started:

  1. You need to have an Intune and AAD P1 license for all your connecting users. 

    We tried setting this up without an Intune license. It didn’t work. We had a look at whether you could get away with a single Intune license to enable the integration. You can’t.

    Intune is included in A3, E3 and M365 E3, also in A5, E5 and M365 E5 licensing.

  2. The integration requires Reports powered by Workspace ONE Intelligence to be enabled in your VMware Workspace ONE UEM environment

If this is not yet enabled in your environment (Under Monitor > Intelligence) VMware advises the following actions depending on your environment type:

  • Shared SaaS customers & Dedicated SaaS customers

Work with your account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install a Workspace ONE Intelligence Connector server.

  • On-premises customers

Work with your account representative to access reports powered by Workspace ONE Intelligence. These deployments must install a Workspace ONE Intelligence Connector server.

Set up the Integration in VMware Workspace ONE UEM

In the VMware Workspace ONE UEM console navigate to Monitor > Intelligence and check the Opt-in box. You do not need a VMware Workspace ONE Intelligence license to enable this specific integration.

You then need to push the Microsoft Authenticator app to all devices.

The Microsoft Authenticator app and any other apps you are looking to control access to must be pushed as ‘managed’ apps from the MDM.

Set up the Device Partnerships in Azure

You will need to add VMware Workspace ONE mobile compliance as a device partner for iOS and Android in the Azure Portal.


Set up the Workspace ONE Conditional Access App

In VMware Workspace ONE UEM ensure Use Compliance data in Azure conditional access policies for iOS and Android is enabled in Settings > Enterprise Integration > Directory Services.

Note – you do not need to have AD for Identity Services enabled for this compliance integration to work.

This process will ask you to authenticate to Azure with an account that has admin access. Once this authentication is completed successfully the Workspace ONE Conditional Access app will be added into Azure as an Enterprise Application.

The step by step instructions to configure this integration can be viewed via this link.

Once complete you are ready to configure your Conditional Access policies.

Set up the Conditional Access policy

The Conditional Access policy Require device to be marked as compliant can be used to ensure only devices that are marked as compliant from VMware can gain access to Office 365 data.

This means you can block access to any devices that have not enrolled through your internal MDM process.


The Microsoft documentation on configuring Conditional Access can be viewed via this link.

Be careful when setting up Conditional Access policies – blocking access to devices unless they are compliant may impact your employees. It is important to communicate any change before implementing it.

Conditional Access has a report-only option where you can see the impact of the policy before you enable it in production. You can read about this report-only mode via this link.
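As an added illustration (not code from this article or from Microsoft or VMware), the policy described above can be expressed as a Microsoft Graph request body and checked before it is enforced. The display name and the preflight rules are assumptions made for this example; the rules assume that Workspace ONE is the only compliance source in the tenant and that it is registered as a partner for iOS and Android only, as set up earlier.

```python
import json

# Platforms for which Workspace ONE was added as a compliance partner above.
PARTNER_PLATFORMS = {"iOS", "android"}
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for report-only mode


def build_policy(state=REPORT_ONLY, platforms=("iOS", "android")):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph v1.0)."""
    return {
        "displayName": "Require compliant device for Office 365 (constructed example)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": list(platforms)},
            "clientAppTypes": ["all"],
        },
        # "Require device to be marked as compliant" in the portal.
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def preflight(policy):
    """Return findings to resolve before a new policy is created (assumed rules)."""
    findings = []
    grant = policy.get("grantControls") or {}
    if "compliantDevice" not in grant.get("builtInControls", []):
        findings.append("grant control does not require a compliant device")
    included = (policy["conditions"].get("platforms") or {}).get("includePlatforms", [])
    if not included or "all" in included:
        findings.append("policy covers every platform; partner is set up for iOS and Android only")
    else:
        extra = sorted(set(included) - PARTNER_PLATFORMS)
        if extra:
            findings.append("platforms without partner compliance data: " + ", ".join(extra))
    if policy.get("state") != REPORT_ONLY:
        findings.append("new policy is not in report-only mode; review its impact first")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print(preflight(build_policy(state="enabled", platforms=("all",))))
```

A policy that requires compliance on a platform with no compliance source would block every device on that platform once enforced, which is what the platform check is there to catch.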


Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.

Some companies will choose not to adopt Intune, but that doesn’t mean you shouldn’t leverage modern authorization and conditional access. If you have questions about how to enable conditional access for your VMware Workspace ONE environment or another MDM, contact us.