Slide 1

Slide 1 text

There is only one MAM… Davide Salsi (MVP), Marco Moioli (Microsoft)

Slide 2

Slide 2 text

Marco
• Cloud Solution Architect @ Microsoft
• Works with Italian partners on Security, Identity and Compliance topics
• Co-Founder of the Microsoft Intune Italian User Group, the Microsoft Security Italian User Group and the Azure Virtual Desktop & Windows 365 Italian User Group

Slide 3

Slide 3 text

Davide
• User Endpoint Solution Architect @ 4wardPRO
• Design and implementation of solutions for endpoint management and provisioning
• Microsoft MVP, Enterprise Mobility
• Co-Founder of the Microsoft Intune Italian User Group

Slide 4

Slide 4 text

Agenda
• Overview
• What's new in Microsoft Intune
• Protecting corporate applications
• Accessing resources with Microsoft Tunnel

Slide 5

Slide 5 text

The world of today
• Complex IT management: 72% of organizations reported increased complexity within their IT environment over the past two years. [2]
• Growing security risks: 68% of organizations have experienced one or more endpoint attacks that compromised data and/or their IT infrastructure. [1]
• Economic uncertainty: 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020. [3]
Sources:
1. "The Third Annual Study on the State of Endpoint Security Risk," Ponemon Institute, January 2020.
2. SolarWinds IT Trends Report, June 2022.
3. "Gartner Survey Shows 75% of Organizations Are Pursuing Security Vendor Consolidation in 2022," Gartner press release, September 2022.

Slide 6

Slide 6 text

People are working in more places, with more flexibility and more devices.
• How do you secure your endpoint estate?
• How do you reduce the complexity of IT workloads?
• How do you ensure protection while enabling workforce flexibility and productivity?
Technology must keep us connected and productive while reinforcing our security posture in an increasingly sophisticated and complex world.

Slide 7

Slide 7 text

Microsoft is recognized as a leader for UEM tools
• 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools
• 2023 Omdia Universe

Slide 8

Slide 8 text

Microsoft Intune Plan 1 (diagram): Microsoft Intune covers computer management, mobile device management and mobile application management.

Slide 9

Slide 9 text

Microsoft Intune Suite
Reference: "New Microsoft Intune Suite helps simplify security solutions" (Microsoft Security Blog)

Slide 10

Slide 10 text

Microsoft Intune Suite
New Microsoft Intune Suite with Privilege Management, Advanced Analytics, Remote Help & App VPN

Slide 11

Slide 11 text

App protection policies

Slide 12

Slide 12 text

Microsoft Intune app protection policies (diagram)
Platforms: iOS/iPadOS devices (iPhones, iPads, iPods)*, Android devices, Windows devices.
Diagram labels: [iOS] [Android] [Windows]; Personal vs. Corporate; Other apps; Device Storage; Personal Data; Corporate Data.

Slide 13

Slide 13 text

What do app protection policies provide?
• Data protection: additional data protection for existing LoB apps without a need to update the apps.
• Wipe: ability to wipe corporate data from devices while leaving personal data alone.
• Audit reports: use of audit reports for tracking issues and remedial actions.
• Data separation: separation between personal and corporate data without requiring employees to switch environments or apps.

Slide 14

Slide 14 text

What do app protection policies provide?
Multi-identity awareness
• Targets protection ONLY to the corporate account
• Personal and unmanaged accounts aren't affected
Data protection
• Encrypts corporate data
• Controls data transfer mechanisms between managed and unmanaged apps
• Controls transfer of web content
• Selective wipe of corporate data, whether admin, user, or offline initiated
Access requirements
• Controls access to corporate data via PIN, biometrics, or credentials
• Provides inactivity timers
Conditional launch
• Validates device health: jailbreak/rootkit, mobile threat defense
• Validates OS variables like OS version and Android patch version
• Validates app variables like app version or SDK version
• Validates device model or manufacturer

Slide 15

Slide 15 text

App protection policies for unmanaged devices (diagram)
Diagram labels: App protection policies; Intune SDK; Microsoft Intune protected apps; Intune App Wrapping Tool; Personal vs. Corporate; Other apps; Device Storage; Personal Data; Corporate Data; Intune MAM Service; MAM policies.

Slide 16

Slide 16 text

App protection policies for managed devices
• App protection policies (APP) can work on managed devices, protecting selected public applications* or line-of-business (LoB) applications**
• APP are delivered to the device by the MEM Intune Mobile Application Management (MAM) service
• Mobile Device Management (MDM) of the device can be done by MEM Intune or a 3rd party
Diagram labels: Intune SDK; Microsoft Intune protected apps; Intune App Wrapping Tool; Personal vs. Corporate; Other apps; Device Storage; Personal Data; Corporate Data; Intune MAM Service; MAM policies; MDM policies; MDM (Intune or 3rd party).

Slide 17

Slide 17 text

App protection policies delivery to the device
[iOS]
• In iOS, each app is sandboxed and cross-process usage is prevented
• Office and Edge apps have the full Intune SDK embedded
• Other apps can have the Intune SDK embedded too (and many do)
• The Authenticator app is required for conditional access scenarios
[Android]
• Android allows cross-process execution
• The Company Portal app (CP) includes the Intune SDK
• Apps include a stub SDK
• This enables an architecture where some SDK changes can be made (e.g., FIPS, 256-bit encryption) without requiring any changes to the apps
• Company Portal handles Conditional Access scenarios

Slide 18

Slide 18 text

Data protection
Data protection settings in the app protection policy determine how corporate data can be processed on the devices and in the apps to which the policy was applied.
Data Transfer section determines:
• Backups of corporate data
• Sending corporate data to other apps
• Copying corporate data to other locations
• Transferring telecommunication data to dialer apps
• Restrictions on cut / copy / paste user activities
• Use of third party / approved keyboards
Encryption section determines encryption of corporate data stored on the device by the app.
Functionality section determines:
• Syncing corporate contacts
• Printing corporate data
• Web transfers to other apps
• Restricting data notifications

Slide 19

Slide 19 text

Data protection: Example 1 – restricting cut / copy / paste
Restrict cut, copy, and paste between apps: specify restrictions on data cut or copied from, or pasted to, apps protected with an app protection policy. Options:
• All apps
• Blocked
• Policy managed apps
• Policy managed apps with paste in
Cut and copy character limit for any app: number of characters of corporate data that may be cut or copied.
Screenshot: Microsoft Endpoint Manager, app protection policy with the options All apps, Policy managed apps, Policy managed apps with paste in, Blocked.

Slide 20

Slide 20 text

Data protection: Example 2 – notifications
Org data notifications: specify how corporate data is shared using OS notifications for corporate accounts by apps protected with an app protection policy. Options:
• Blocked
• Blocked org data
• Allow
Screenshot: Microsoft Endpoint Manager, app protection policy with the options Blocked, Blocked org data, Allow.
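The clipboard restriction (with its character limit) and the org data notification setting from the two examples above, as an added illustration that is not part of the deck and not Intune's code: a small Python model of how these settings decide whether corporate data may leave a managed app. The setting values are the slide's own labels; the semantics of the character limit and the placeholder text used for "Blocked org data" are assumptions of the model.

```python
"""Model of two app protection policy data-transfer settings from the slides:
the clipboard restriction (plus character limit) and org data notifications.
Illustrative model written for this page, not Intune's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Setting values exactly as listed on the slides
ALL_APPS, BLOCKED = "All apps", "Blocked"
MANAGED_APPS = "Policy managed apps"
MANAGED_APPS_PASTE_IN = "Policy managed apps with paste in"
NOTIFY_ALLOW, NOTIFY_BLOCK_ORG_DATA, NOTIFY_BLOCKED = "Allow", "Blocked org data", "Blocked"

@dataclass
class DataTransferPolicy:
    clipboard: str                 # one of the four clipboard values above
    cut_copy_char_limit: int = 0   # 0 means no character-limit exception
    notifications: str = NOTIFY_ALLOW

def clipboard_allowed(policy: DataTransferPolicy, source_managed: bool,
                      dest_managed: bool, text: str) -> bool:
    """May `text` move from the source app to the destination app?
    'Managed' means the app is protected by the policy."""
    if not source_managed:
        # Personal data: only pasting INTO a managed app is governed ('paste in').
        return (not dest_managed) or policy.clipboard in (ALL_APPS, MANAGED_APPS_PASTE_IN)
    # Source is managed, so the clipboard holds corporate data.
    if policy.clipboard == ALL_APPS:
        return True
    if policy.clipboard == BLOCKED:
        return False
    if dest_managed:
        return True  # managed -> managed is allowed for both 'policy managed' levels
    # Managed -> unmanaged: only snippets within the character limit pass
    # (assumption: the limit acts as an exception to the restriction).
    return 0 < policy.cut_copy_char_limit and len(text) <= policy.cut_copy_char_limit

def notification_view(policy: DataTransferPolicy, title: str,
                      body: str) -> Optional[Tuple[str, str]]:
    """What the OS notification shows for a corporate account, or None
    when the policy suppresses the notification entirely."""
    if policy.notifications == NOTIFY_ALLOW:
        return (title, body)
    if policy.notifications == NOTIFY_BLOCK_ORG_DATA:
        # Notification arrives but corporate content is replaced by a
        # generic placeholder (constructed wording).
        return ("New work item", "Open the app to view")
    return None
```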

Slide 21

Slide 21 text

Access requirements
Access requirements settings of an app protection policy determine what a user needs to provide to access apps to which the policy was applied.
PIN for access settings enforce use of an App PIN and provide the ability to set:
• Requirements for an App PIN (type, complexity, length)
• Use of biometrics instead of an App PIN
• Lifetime of an App PIN
• Use of an App PIN versus a Device PIN
The Work or school credentials for access setting allows the use of corporate credentials instead of (or in addition to) an App PIN.
The Recheck the access requirements setting defines how often a user is prompted for an App PIN or corporate credentials when using an app.

Slide 22

Slide 22 text

Access requirements: examples of 'PIN for access' and 'PIN reset after number of days' settings
• App protection policy → Access requirements → PIN for access → Require
• App protection policy → Access requirements → PIN reset after number of days

Slide 23

Slide 23 text

Use of an app-level PIN versus a device-level PIN
App-level: an app protection policy enforces an app-level PIN for access to the apps to which the policy is applied
• [iOS] Each app has its own App PIN
• [Android] The App PIN is shared by all MEM-managed apps
Device-level: a device-level PIN (aka "Device passcode") protects access to the whole device
• It can be enforced through configuration policies on devices enrolled in Microsoft Endpoint Manager
When both an app-level PIN and a device-level PIN are enforced by Microsoft Endpoint Manager, the "App PIN when device PIN is set" setting in Access Requirements can be used to define whether an App PIN is still needed to access the app protected by the App Protection Policy.

Slide 24

Slide 24 text

Conditional launch
Conditional launch settings of an app protection policy are conditions, with app- or device-based criteria (values), on which user access to the app on the device is decided, together with the actions to take if these conditions are met.
App conditions section determines:
• Maximum allowed attempts to enter the App PIN
• Grace period for running the app offline
• Minimum version of the app
• [iOS] Minimum version of the Intune SDK
Device conditions section determines:
• Access from jailbroken/rooted devices
• Minimum version of the OS
• [Android] Minimum patch version
• [iOS] Model of the device
• [Android] Manufacturer(s) of the device
• [Android] SafetyNet device attestation
• [Android] Require threat scan on apps
• [Android] Minimum version of the Company Portal app
• Maximum threat level allowed for the device

Slide 25

Slide 25 text

Conditional launch: Example 1 - Jailbroken/Rooted setting
• App Protection Policy → Conditional Launch → Jailbroken/Rooted → Block

Slide 26

Slide 26 text

Conditional launch: Example 2 - Block and Wipe actions
• [iOS] App Protection Policy → Conditional launch → Device model → Block
• [Android] App Protection Policy → Conditional launch → Device manufacturer → Wipe
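The conditional launch model described in the preceding three slides (a list of conditions, each with a criterion and a warn/block/wipe action, where the most severe action wins), as an added Python illustration that is not part of the deck and not Intune's implementation. Rule names follow the slide; the thresholds, the allowed iPhone model identifier and the threat-level ordering are constructed for the example.

```python
"""Evaluator modelled on the conditional launch settings listed on the slides:
each condition has a criterion and an action (warn, block or wipe). Illustrative
model written for this page, not Intune's code; thresholds are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

SEVERITY = {"allow": 0, "warn": 1, "block": 2, "wipe": 3}
THREAT = {"secured": 0, "low": 1, "medium": 2, "high": 3}  # mobile threat defense levels
def version_key(v: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class DeviceState:
    platform: str        # "ios" or "android"
    os_version: str
    app_version: str
    jailbroken: bool
    pin_failures: int
    hours_offline: float
    model: str
    threat_level: str    # reported by mobile threat defense

@dataclass
class Rule:
    name: str
    action: str                              # warn | block | wipe
    failed: Callable[[DeviceState], bool]    # True when the condition is violated

def build_rules(max_pin_retries=5, offline_grace_hours=720, min_app="2.0.0",
                min_os="16.0", allowed_models=("iPhone14,2",), max_threat="low") -> List[Rule]:
    """One rule per conditional launch setting; actions follow the slide examples."""
    return [
        Rule("max PIN attempts", "block", lambda d: d.pin_failures >= max_pin_retries),
        Rule("offline grace period", "block", lambda d: d.hours_offline > offline_grace_hours),
        Rule("min app version", "warn", lambda d: version_key(d.app_version) < version_key(min_app)),
        Rule("jailbroken/rooted", "block", lambda d: d.jailbroken),
        Rule("min OS version", "block", lambda d: version_key(d.os_version) < version_key(min_os)),
        Rule("device model", "block",
             lambda d: d.platform == "ios" and d.model not in allowed_models),
        Rule("max threat level", "wipe", lambda d: THREAT[d.threat_level] > THREAT[max_threat]),
    ]

def evaluate(rules: List[Rule], device: DeviceState) -> Tuple[str, List[str]]:
    """Return (action, names of violated conditions); the most severe action wins."""
    failed = [r for r in rules if r.failed(device)]
    if not failed:
        return "allow", []
    worst = max(failed, key=lambda r: SEVERITY[r.action])
    return worst.action, [r.name for r in failed]
```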

Slide 27

Slide 27 text

MAM Tunnel

Slide 28

Slide 28 text

Modern Work On-premises

Slide 29

Slide 29 text

Microsoft Tunnel
• Multi-platform support
• MDM/MAM
• Easy setup

Slide 30

Slide 30 text

Components
• Microsoft Intune: solution that manages the Tunnel Gateway and the devices
• Azure Active Directory: solution used for authentication
• Linux server: platform on which the container (Podman or Docker) runs
• Container: engine in which the Tunnel Gateway and the management agent run
• Management Agent: agent used to apply the required configuration to the Tunnel Gateway
• Authentication Plugin: plugin used for authentication with Azure Active Directory
• Public certificate: certificate used to encrypt the communication channel between the Tunnel server and the devices
• Public IP/FQDN: public IP address or public FQDN on which the Microsoft Tunnel service is exposed

Slide 31

Slide 31 text

Architecture

Slide 32

Slide 32 text

Requirements
App
• Android: Company Portal (sign-in not required); Defender for Endpoint
• iOS: no app required
Features
• Android: per-app VPN; device-wide VPN; auto-launch (the VPN starts automatically when the app starts)
• iOS: per-app VPN; auto-launch (the VPN starts automatically when the app starts); no device-wide VPN; support for an internal trusted root CA
Requirements for LOB apps
• Android: Intune App SDK; Microsoft Authentication Library (MSAL) integration
• iOS: Intune App SDK; Microsoft Authentication Library (MSAL) integration; Tunnel for MAM SDK
Microsoft Edge
• Android: identity switch (the VPN connects when a work account is used and disconnects when a personal account or In-Private mode is used); device-wide and per-app VPN support
• iOS: identity switch (the VPN connects when a work account is used and disconnects when a personal account or In-Private mode is used)

Slide 33

Slide 33 text

Demo

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

Troubleshooting: mst-cli command-line tool

Slide 36

Slide 36 text

Useful links
Intune MAM
• What is app management in Microsoft Intune? | Microsoft Learn
• Supported Microsoft Intune apps | Microsoft Learn
Tunnel
• Microsoft Tunnel for Mobile Application Management | Microsoft Learn
• Monitor Microsoft Tunnel | Microsoft Learn