IBM Support

Integrating MaaS360 with Microsoft to enforce device compliance through Azure AD Conditional Access

How To
Summary

Microsoft Azure AD Conditional Access ensures that only trusted users from compliant and managed devices can access Microsoft-approved apps and services.

Objective

This integration allows the syncing of device compliance information to an Azure AD tenant to support using MaaS360 Device Trust information in Azure AD Conditional Access rules. This integration is enabled by the Microsoft Endpoint Manager Partner Compliance Management capability. See https://docs.microsoft.com/mem/intune/protect/device-compliance-partners.

With this feature, MaaS360 uses the MS Graph API to sync device compliance information to Azure Active Directory (Azure AD) allowing the MaaS360 Device status to be used in Azure AD Conditional Access rules. Azure AD Conditional Access allows administrators to control and manage access to data (both personal data and the organization’s data) from BYOD and organization-owned devices.

Note: The Azure AD Conditional Access integration must be enabled in your MaaS360 Portal. Contact Customer Service or your Account Manager for activation.

Environment

  • Azure AD conditional access requires an Azure AD Premium subscription.
  • Device registration and user participation for device compliance require a Microsoft Intune license. The Intune license must be assigned to target device users.
  • You must have the Microsoft Authenticator app installed on iOS and Android devices. Push this app as a managed app from the MaaS360 App Catalog. The Microsoft Authenticator app is required to register the device in Azure AD.
  • A valid subscription to Microsoft Intune. The Microsoft Intune licenses must be assigned to users supported by this integration.
  • Grant Access enforces the conditions you specify before access to the targeted applications is granted; it does not inherently block access to all other applications.
  • The most restrictive policy is enforced in scenarios where multiple Conditional Access policies are in scope.
  • Using the Block Access control will block MaaS360 Enrollments. There is no method to exclude MaaS360 from this restriction.
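To see how the last three points interact, the following added example (not part of this IBM document, and not Microsoft or MaaS360 code) models a simplified Conditional Access evaluation: a device's compliance state as synced by MaaS360 is checked against several in-scope policies, any Block Access policy wins, and apps with no policy in scope remain unrestricted. Policy names, app names and group names are constructed sample values, and the treatment of unregistered devices is a model assumption.

```python
from dataclasses import dataclass

@dataclass
class Device:
    groups: set               # Azure AD user groups the signed-in user belongs to
    registered: bool          # registered in Azure AD via Microsoft Authenticator
    compliant: bool           # compliance status as synced by MaaS360

@dataclass
class Policy:
    name: str
    apps: set                 # cloud apps in scope; "All" matches every app
    groups: set               # user groups in scope; "All users" matches everyone
    control: str              # "block" or "grant"
    require_compliant: bool = False   # grant control: require a compliant device

def in_scope(policy, app, device):
    app_match = "All" in policy.apps or app in policy.apps
    user_match = "All users" in policy.groups or bool(policy.groups & device.groups)
    return app_match and user_match

def evaluate(policies, app, device):
    """Return (decision, reasons). The most restrictive in-scope policy
    wins: any Block Access policy denies, and every in-scope Grant Access
    policy's controls must be satisfied."""
    scoped = [p for p in policies if in_scope(p, app, device)]
    if not scoped:
        return "grant", ["no policy in scope; app is not restricted"]
    blocks = [p.name for p in scoped if p.control == "block"]
    if blocks:
        return "block", [f"{n}: Block Access" for n in blocks]
    failed = []
    for p in scoped:
        # Model assumption: an unregistered device has no synced compliance
        # state in Azure AD and therefore fails a compliant-device control.
        if p.require_compliant and not (device.registered and device.compliant):
            failed.append(f"{p.name}: device not compliant")
    if failed:
        return "block", failed
    return "grant", [f"{p.name}: controls satisfied" for p in scoped]

# Constructed sample policies and devices (not from the IBM document).
SAMPLE_POLICIES = [
    Policy("Compliant device for Exchange", {"Exchange Online"}, {"All users"}, "grant", True),
    Policy("Block contractors from Legacy App", {"Legacy App"}, {"Contractors"}, "block"),
]
COMPLIANT = Device({"Contractors"}, registered=True, compliant=True)
NONCOMPLIANT = Device({"Staff"}, registered=True, compliant=False)
```

Calling `evaluate(SAMPLE_POLICIES, "Teams", NONCOMPLIANT)` grants access because no policy targets that app, while the same device is blocked from Exchange Online; a compliant contractor device is still blocked from Legacy App because Block Access takes precedence.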

Configuration scope

You can configure this integration using one of the following methods:

Steps

Onboarding workflow

1. Go to https://endpoint.microsoft.com and sign in to your Microsoft Azure account using your Azure credentials. The Azure Portal is displayed.
 
2. From the Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and tokens > Partner compliance management.
 
3. Click Add compliance partner.
 
The Create Compliance Partner screen is displayed.
 
  a. Go to the Basics tab and select IBM MaaS360 from the compliance partner list. Choose Android from the platform list, and then click Next.
  b. In the Assignments tab, select Included groups > Assign to > All users, and then click Next.
  c. In the Review + create tab, review the settings and then click Create.
 
A message is displayed confirming that the compliance partner was successfully created (tenant metadata is created on Intune). The Partner compliance management preview lists the partner-managed Android devices for IBM MaaS360.
 
 
4. To configure partner-managed iOS devices, repeat step 5, but choose iOS in step a. Click Refresh on the Partner compliance management preview page and then go to step 7.
 
5. Log in to the MaaS360 Portal with your administrator username and password credentials.
 
6. From the MaaS360 Portal Home page, go to Setup > Azure Integration.
 
7. Select the Device compliance status sync for Android and iOS check box, and provide the Tenant ID (the unique identifier for the Azure Active Directory instance) and the Client ID of the Azure account that is enabled with the Intune license.

For detailed steps on registering the MaaS360 app in the Azure AD tenant and generating the Client ID (Application ID), see https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenant.

8. Click Configure. You are prompted to sign in to the Microsoft Azure Portal.
 
9. Select your Azure AD account from the list. The Permissions requested message for the unverified MaaS360 Azure Device Compliance Data Update app is displayed.

10. Review the message and click Accept to grant the MaaS360 app the requested permissions to specific resources on behalf of all users in your organization.

If authentication is successful, the following message is displayed: Registration is successful. Window will automatically close in 5 seconds, and you are redirected back to the MaaS360 Portal.

If the following message is displayed: Registration has failed. Window will automatically close in 5 seconds, review the settings that you configured in step 1 to step 7.
 
11. Go to Setup > Azure Integration. Under the Device compliance status sync for Android and iOS section, click Select groups.
 
 
The Select user groups screen is displayed.
 
12. From this screen, select the user groups that you want to configure:
 
  • If you want to configure the service for all users, type All users in the Select Azure AD user group name field. The All users group is automatically populated in the drop-down list. Select the user group and click Save.
  • If you want to configure specific Azure AD user groups, start typing the name of the group in the Select Azure AD user group name field; suggestions from the list of MaaS360-managed Azure AD groups are displayed in the drop-down list.

    Select the groups and click Save. Note: You can configure up to 10 groups.

    You can only configure Azure AD groups that are managed by MaaS360. To view a list of groups, select Users > Groups.

    For more information, see step 4 in https://www.ibm.com/docs/en/maas360?topic=maas360-configuring-azure-ad-integration.


Document Information

Modified date:
02 July 2024

UID

ibm16433499