How to Setup 3rd Party Device Compliance Partners in Intune for Conditional Access

While Intune and Entra ID together provide industry-standard device compliance policies and Conditional Access policies to govern them, there is a chance that a subset of your device fleet is managed by a different MDM. In the field, when I’m talking with customers, this is mostly because Microsoft Intune was still catching up on other OSes and its forte was managing Windows devices, so they went with other vendors. However, now that Entra ID has capabilities that protect all devices, you may want to use some of those features to block access to organizational data depending on device compliance. In that setup, the compliance policies are pushed by the 3rd party MDM, which determines the compliance state, and that state is passed on to Entra ID to block or allow access.

You may also be adopting Entra ID premium features like Conditional Access policies, where you need to make sure that resource access from devices is governed by device compliance, among the other parameters.

What Device OSes are eligible for this?

  • Android
  • iOS/ iPadOS
  • MacOS

By default, Intune is the MDM authority for the devices. However, when you set up a 3rd party compliance partner, it becomes the source of compliance data for the set of devices that you select using Entra ID groups.

Who are the supported Compliance Partners?

  • Addigy
  • BlackBerry UEM
  • Citrix Workspace device compliance
  • IBM MaaS360
  • JAMF Pro
  • MobileIron Device Compliance Cloud
  • MobileIron Device Compliance On-prem
  • SOTI MobiControl
  • VMware Workspace ONE UEM (formerly AirWatch)

How to add the 3rd party compliance partner?

Intune Config > Assigning users > 3rd Party Compliance App config > Conditional Access Policy > Monitor

Intune Configuration

Intune portal > Tenant Administration > Connectors and Tokens > Partner compliance management

In this example, I’m going to add iOS compliance, so click on Add compliance partner.

Select the partner below and select the platform as iOS

Select the user group/s as needed

The connection will show as Pending activation until the next step is done.

Configure the 3rd Party Device Compliance Partner

Now it’s time to configure the relevant 3rd party compliance partner. Depending on the vendor, the configuration steps vary. As I’m using Jamf for this setup, I will post the relevant URLs.

Microsoft Guide: https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-integrate-jamf
Jamf Guide: https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Device_Compliance.html

Depending on the vendor, the ports that need to be opened differ as well. It is advisable to stick to the official vendor documentation for the full context.

Use Restrictions depending on the Compliance

Now that the compliance info is streaming to Intune, you can use Conditional Access policies to manage the devices depending on the result.

Under the Grant section of the CA policy, select Require device to be marked as compliant, and device access to corporate resources will be managed accordingly.

Monitor

You can easily view the compliance state of the devices via Entra ID.

Entra ID portal > Devices > All Devices

KQL – IntuneDeviceComplianceOrg

Similarly, you can query the IntuneDeviceComplianceOrg table to get the device compliance info.

IntuneDeviceComplianceOrg | where ComplianceState != "Compliant"
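As an added example (not part of the original post), the query below builds on that filter to list the latest compliance state per iOS device, which is the platform selected for the partner in this walkthrough. It assumes the IntuneDeviceComplianceOrg table is flowing into your Log Analytics workspace via Intune diagnostic settings, and that the OS column holds the value "iOS" for those devices.

```kql
// Added example, not from the original post.
// Latest reported compliance state per device, restricted to the iOS
// devices whose compliance is fed by the 3rd party partner.
// Assumption: the OS column contains "iOS" for those devices.
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(7d)
| where OS =~ "iOS"
// The table is a log of reports, so keep only the newest row per device
| summarize arg_max(TimeGenerated, ComplianceState, DeviceName, UserName, LastContact) by DeviceId
| where ComplianceState != "Compliant"
| project TimeGenerated, DeviceId, DeviceName, UserName, ComplianceState, LastContact
| order by TimeGenerated desc
```

Dropping the final ComplianceState filter and replacing the project with "summarize count() by ComplianceState" gives a quick overview of how many partner-managed devices sit in each state.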

If you need to know more about how to use KQL for Intune, please see my article below.

Wrapping up

It is great to see this flexibility in Entra ID and Microsoft Intune and the supportability of these features. This can be a great segue to moving your devices to be fully managed by Intune going forward.

