Microsoft Defender for Mobile app & Conditional Access policies - The great conundrum!

-

Back in 2022, I had blogged about MDE onboarding for Android and iOS and my experience dealing with Conditional access policies. Recently, I implemented the solution for a customer and experienced similar behavior, so decided to write about it.

Basically, the behavior involves MDE onboarding getting blocked due to enforcing of Conditional Access (CA) policies for conditions like Device compliance state, App Protection Policies (APP). 

Now, according to Microsoft, excluding MDE from CA policies shouldn't be required - 


However, on a different official link, Microsoft also states that -

"Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked from reporting posture. If the Defender app fails to report the device posture this can lead to situation where the device is under a threat, leading to vulnerability of corporate data on the device. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access Policy."

The highlighted lines above are the ones to focus on. MDE still runs as Microsoft Defender Mobile app on iOS and Android devices, which would explain the behavior I have been experiencing lately.



The solution..

Luckily now there is a way to exclude Microsoft Defender for Mobile app from CA policies. It requires excluding the following apps:

1. Xplat Broker App - It is the application responsible for forwarding Defender risk signals to the Defender backend. The App is also used by other platforms like Mac and Linux, so if the policy is same for these platforms, then my advice is to create a separate Conditional Access policy for Mobile OS platforms.

2. TVM app - It is the service that provides the vulnerability assessment for the installed apps on the iOS devices.

Both these apps are not registered in Azure by default and require additional steps for registration which involves creating service principles. At a minimum, you need the following roles and permissions assigned -

Entra roles -

- Application Administrator
- Cloud Application Administrator

Run the following commands to create the service principles -

Import-Module Microsoft.Graph.Applications 

(Note: In case you receive an error stating that module is not found, then run Install-Module to install the module first)

Connect-MgGraph

(Note: In case this is your first time connecting, then you may have to give consent.)


$params = @{
appId = "a0e84e36-b067-4d5c-ab4a-3db38e598ae2"
}

New-MgServicePrincipal -BodyParameter $params

$params = @{
appId = "e724aa31-0f56-4018-b8be-f8cb82ca1196"
}

New-MgServicePrincipal -BodyParameter $params


The applications were created in Azure.



I then excluded the apps in the CA policy in question and was able to finish the MDE enrolment.


Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more