Enable compliant network checks using conditional access & Global Secure Access client for macOS - Putting it all together!


Back in January 2024, when I first wrote about my experience working with Global Secure Access (GSA) for Android, GSA was still in preview. Since then, most of GSA's configuration has reached general availability (GA), including support for macOS, and that is what this post covers.

First a quick refresher on what GSA is really all about. Global Secure Access (GSA) is Microsoft’s unified Security Service Edge (SSE) solution that combines Microsoft Entra Internet Access and Microsoft Entra Private Access, giving identity-aware access control (for internet, SaaS, and private resources) without relying solely on VPNs.

Using GSA, one can guard against threats like token replay by combining the compliant network check with Conditional Access policies: a stolen token or session cookie replayed from a device that is not connected through GSA fails the compliant network check at the next Conditional Access evaluation, even though the token itself is still valid.

A compliant network check is a Conditional Access control that allows access to a resource only when the client connects through the Global Secure Access infrastructure, i.e. the traffic is routed through the GSA client or a configured remote network. Unlike an IP-based named location, the compliant network signal cannot be satisfied by simply coming from a particular address range; the connection must actually transit GSA. If you have macOS devices in your environment, you can implement the same level of control as on Windows and the other supported platforms. At a high level, the steps are -

1. Enabling Conditional Access signaling under Adaptive access in GSA
2. Verifying the 'All Compliant Network locations' named location
3. Deploying the GSA client for macOS, together with the system extension and proxy configuration, to Intune-managed devices
4. Enabling at least one traffic forwarding profile
5. Creating a Conditional Access policy that requires the compliant network

Of course, there are some prerequisites that must be in place, especially for macOS -

1. Microsoft Entra ID licensing that includes Global Secure Access.
2. At a minimum, the Global Secure Access Administrator and Conditional Access Administrator Microsoft Entra roles.
3. A Mac with an Intel, M1, M2, M3, or M4 processor running macOS 13 or later.
4. A device registered to the Microsoft Entra tenant using Company Portal.
5. A Microsoft Entra tenant onboarded to Global Secure Access.
6. The Microsoft Enterprise SSO plug-in for Apple devices deployed, so the GSA client can reuse the session of the user signed in to Company Portal.

Enable Global Secure Access signaling for Conditional Access

1. Navigate to the Entra admin center, go to Global Secure Access > Settings > Session management > Adaptive access, and enable Conditional Access signaling for Entra ID.



2. Next, verify that the 'All Compliant Network locations' named location is present under Protection > Conditional Access > Named locations. Note - it can optionally be marked as a trusted location.



GSA client for macOS in Intune

Deploying the GSA client to managed macOS devices has never been easier. Here are the steps -

1. Navigate to the Entra admin center, go to Global Secure Access > Connect > Client download, and download the .pkg macOS client installer.


2. In the Intune admin center, go to Apps > macOS > Create and select macOS app (PKG).


3. Select the .pkg file from the previous step and keep the default values. Note - Pre- and post-install scripts are optional; I had no requirement for them, so I didn't use them. Detection rules populate automatically from the package, but you can configure your own.



4. Assign it to a group of devices or users.

GSA proxy configuration in Intune

Both the system extension allowlist and the GSA transparent proxy configuration profile need to be deployed to managed macOS devices. Without the allowlist, macOS prompts the end user to approve the network extension manually; without the proxy profile, the client has no transparent proxy configuration and traffic is not routed through GSA. Let's see how this is done with Intune.

1. In the Microsoft Intune admin center, select Devices > Manage devices > Configuration > Policies > Create > New policy.
2. Create a profile with a Platform of macOS and a Profile type set to Settings catalog. Select Create.
3. Configure the System Extensions settings so the GSA network extension can load without end-user approval: under System Configuration > System Extensions, add an allowed system extension with team identifier UBF8T346G9 and bundle identifier com.microsoft.globalsecureaccess.tunnel. These are the same two values pinned by the ProviderDesignatedRequirement in the proxy profile below, so the two policies must agree.
4. Assign to a group of users or devices as normal.
5. Again, in the Microsoft Intune admin center, select Devices > Manage devices > Configuration > Policies > Create > New policy.
6. Create a profile with a Platform of macOS and a Profile type set to Template > Custom. Select Create.
7. On the Configuration settings tab, enter a Custom configuration profile name.
8. Keep Deployment channel set to "Device channel."
9. Upload an .xml file containing the following profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>87cbb424-6af7-4748-9d43-f1c5dda7a0a6</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.globalsecureaccess</string>
<key>PayloadDisplayName</key>
<string>Global Secure Access Proxy Configuration</string>
<key>PayloadDescription</key>
<string>Add Global Secure Access Proxy Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>04e13063-2bb8-4b72-b1ed-45290f91af68</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.globalsecureaccess</string>
<key>PayloadDisplayName</key>
<string>Global Secure Access Proxy Configuration</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>TransparentProxy</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>Order</key>
<integer>1</integer>
<key>ProviderBundleIdentifier</key>
<string>com.microsoft.globalsecureaccess.tunnel</string>
<key>ProviderDesignatedRequirement</key>
<string>identifier "com.microsoft.globalsecureaccess.tunnel" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>ProviderType</key>
<string>app-proxy</string>
<key>RemoteAddress</key>
<string>100.64.0.0</string>
</dict>
<key>UserDefinedName</key>
<string>Global Secure Access Proxy Configuration</string>
<key>VPNSubType</key>
<string>com.microsoft.globalsecureaccess</string>
<key>VPNType</key>
<string>TransparentProxy</string>
</dict>
</array>
</dict>
</plist>


10. Assign to the same group of users or devices from deployments above.
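As an added check that is not part of the original post or of Microsoft's tooling: the script below parses a profile of the shape shown above with plistlib and verifies the fields the GSA client depends on, including that the ProviderDesignatedRequirement pins the same bundle identifier as ProviderBundleIdentifier and Microsoft's team identifier, and it derives the team/bundle pair that the System Extensions settings-catalog policy must allow. The sample profile it builds is constructed inline with placeholder UUIDs; the expected identifiers (UBF8T346G9 and com.microsoft.globalsecureaccess.tunnel) are taken from the profile on this page.

```python
"""Sanity-check a GSA transparent-proxy profile before uploading it to Intune."""
import plistlib
import re
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Values the Intune System Extensions policy must allow; both come from the
# proxy profile on this page (Microsoft's Apple team ID and the extension's
# bundle identifier).
EXPECTED_TEAM_ID = "UBF8T346G9"
EXPECTED_BUNDLE_ID = "com.microsoft.globalsecureaccess.tunnel"

_DR_IDENTIFIER = re.compile(r'identifier\s+"([^"]+)"')
_DR_TEAM = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*([A-Z0-9]+)')


def build_profile(team_id: str = EXPECTED_TEAM_ID,
                  bundle_id: str = EXPECTED_BUNDLE_ID) -> bytes:
    """Constructed sample with the same shape as the Intune profile above.
    UUIDs are placeholders; pass a different team or bundle id to see how
    the validator reacts to a tampered profile."""
    designated = (f'identifier "{bundle_id}" and anchor apple generic and '
                  'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
                  'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
                  f'certificate leaf[subject.OU] = {team_id}')
    profile = {
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.microsoft.globalsecureaccess",
        "PayloadDisplayName": "Global Secure Access Proxy Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [{
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadType": "com.apple.vpn.managed",
            "PayloadIdentifier": "com.microsoft.globalsecureaccess",
            "PayloadVersion": 1,
            "UserDefinedName": "Global Secure Access Proxy Configuration",
            "VPNType": "TransparentProxy",
            "VPNSubType": "com.microsoft.globalsecureaccess",
            "TransparentProxy": {
                "AuthenticationMethod": "Password",
                "Order": 1,
                "ProviderType": "app-proxy",
                "ProviderBundleIdentifier": bundle_id,
                "ProviderDesignatedRequirement": designated,
                "RemoteAddress": "100.64.0.0",
            },
        }],
    }
    return plistlib.dumps(profile)


def validate_gsa_proxy_profile(profile_xml: bytes) -> List[str]:
    """Return findings; an empty list means the profile is consistent."""
    findings: List[str] = []
    try:
        root = plistlib.loads(profile_xml)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]

    if root.get("PayloadType") != "Configuration":
        findings.append("outer PayloadType must be 'Configuration'")
    if root.get("PayloadScope") != "System":
        findings.append("PayloadScope must be 'System' for a device-channel profile")

    vpn_payloads = [p for p in root.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpn_payloads) != 1:
        findings.append(f"expected one com.apple.vpn.managed payload, found {len(vpn_payloads)}")
        return findings
    vpn = vpn_payloads[0]
    if vpn.get("VPNType") != "TransparentProxy":
        findings.append("VPNType must be 'TransparentProxy'")

    tp = vpn.get("TransparentProxy", {})
    if tp.get("ProviderType") != "app-proxy":
        findings.append("TransparentProxy.ProviderType must be 'app-proxy'")
    bundle = tp.get("ProviderBundleIdentifier")
    if bundle != EXPECTED_BUNDLE_ID:
        findings.append(f"ProviderBundleIdentifier {bundle!r} != {EXPECTED_BUNDLE_ID!r}")

    # The designated requirement decides which signed binary may act as the
    # proxy provider: it pins the bundle identifier, Apple's Developer ID
    # chain and the signing team. Cross-check all three.
    req = tp.get("ProviderDesignatedRequirement", "")
    m_id, m_team = _DR_IDENTIFIER.search(req), _DR_TEAM.search(req)
    if not m_id or m_id.group(1) != bundle:
        findings.append("designated requirement identifier does not match ProviderBundleIdentifier")
    if not m_team or m_team.group(1) != EXPECTED_TEAM_ID:
        findings.append(f"designated requirement team is not {EXPECTED_TEAM_ID}")
    if "anchor apple generic" not in req:
        findings.append("designated requirement is not anchored to Apple's certificate chain")
    return findings


def system_extension_allowlist(profile_xml: bytes) -> Dict[str, List[str]]:
    """Derive the System Extensions allowlist {team id: [bundle ids]} from the
    profile, so the settings-catalog policy and the proxy profile agree."""
    allow: Dict[str, List[str]] = {}
    for p in plistlib.loads(profile_xml).get("PayloadContent", []):
        tp = p.get("TransparentProxy", {})
        m_team = _DR_TEAM.search(tp.get("ProviderDesignatedRequirement", ""))
        if m_team and tp.get("ProviderBundleIdentifier"):
            allow.setdefault(m_team.group(1), []).append(tp["ProviderBundleIdentifier"])
    return allow


if __name__ == "__main__":
    print("findings:", validate_gsa_proxy_profile(build_profile()))
    print("allowlist:", system_extension_allowlist(build_profile()))
    print("tampered:", validate_gsa_proxy_profile(build_profile(team_id="ABCDE12345")))
```

Run it against the real .xml by replacing build_profile() with the file's bytes; a non-empty findings list means the profile will not match the extension the System Extensions policy allows, and the client will not load as a transparent proxy.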

Enable GSA Traffic Forwarding Profile

At least one traffic forwarding profile must be enabled, because the client only tunnels (and therefore marks as coming from the compliant network) the traffic a profile tells it to acquire. For the Microsoft 365 scenario in this post, that is the Microsoft 365 traffic forwarding profile; without it, Microsoft 365 requests leave the Mac directly and fail the compliant network check even with the client running. Separately, Global Secure Access's own service endpoints are automatically excluded from any Conditional Access policy that uses the compliant network condition, so no explicit resource exclusion is required; these automatic exclusions ensure the client itself is never blocked from the resources it needs.

1. Navigate to Entra admin center and access Global Secure Access > Connect > Traffic forwarding.
2. Enable and configure at least one traffic forwarding profile (the Microsoft 365 profile for the scenario in this post).



Compliant Network Conditional Access Policy

The compliant network Conditional Access policy can protect both Microsoft services and third-party applications that are integrated with Entra ID for single sign-on.

1. Sign in to the Microsoft Entra admin center.
2. Browse to Protection > Conditional Access > Policies and select New policy.
3. Give your policy a name.
4. Under Assignments, select the relevant Users or workload identities.
5. Under Target resources > Cloud apps > Include, select All cloud apps, or narrow the scope as required. Note - it is recommended to exclude Microsoft Intune and Microsoft Intune Enrollment so the policy doesn't block device enrolment; a freshly set-up Mac has no GSA client yet and would otherwise be locked out before it can enrol.



6. Under Network, set Configure to Yes, include 'Any network or location' and exclude 'All Compliant Network locations'. The policy therefore applies only to requests that did not arrive through GSA.


7. Under Conditions > Device platforms, include macOS only; the other platforms are then not targeted. Note - Conditional Access derives the device platform from the user agent string, which the client controls, so this condition scopes the rollout to macOS but is not a security boundary in itself.


8. Under Access controls > Grant, select Block access.


Note - Set the policy to Report-only first and review the sign-in logs before turning it On in your tenant.

Testing Compliant Network configuration

Once the policies are assigned, the GSA client and the proxy configuration should apply seamlessly on the device.



To test the compliant network configuration, pause the GSA client. The end user has to enter their credentials to pause the client.



With the client paused, and SSO already working through Company Portal, a user who tries to access any Microsoft 365 service in Safari is blocked.


This is visible in the Entra ID sign-in logs as well: the sign-in lists the compliant network policy with a result of Failure and Block as the grant control.



Once the GSA client is resumed, access to Microsoft 365 services is granted again, because the network is now evaluated as compliant and the policy no longer applies.
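As an added example that is not part of the original post: the test above is easy to confirm for one user by eye, but before flipping the policy from Report-only to On you want the same answer for everyone in the pilot group. The script below triages sign-in records exported from the Entra sign-in logs (field names follow the Microsoft Graph signIn resource: userPrincipalName, conditionalAccessStatus, status.errorCode and appliedConditionalAccessPolicies with its result and enforcedGrantControls) and separates real blocks, report-only "would block" verdicts, and sign-ins the policy did not apply to, such as those that came through the compliant network. The policy display name and the four sample records are constructed for this example and are not real tenant data.

```python
"""Triage exported Entra sign-in log entries for a compliant network block policy."""
import json
from collections import defaultdict
from typing import Dict, List

# Assumed display name of the policy created in this post.
POLICY_NAME = "Block macOS outside compliant network"
# AADSTS53003: access has been blocked by Conditional Access policies.
CA_BLOCK_ERROR = 53003

# Constructed sample in the shape of Microsoft Graph /auditLogs/signIns
# entries (only the fields read below). Not real tenant records.
SAMPLE_SIGNINS = json.dumps([
    {   # GSA client paused: policy applied and blocked the browser sign-in
        "id": "s1", "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
        "conditionalAccessStatus": "failure", "status": {"errorCode": CA_BLOCK_ERROR},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "failure",
             "enforcedGrantControls": ["Block"]}]},
    {   # GSA client resumed: request arrived via the compliant network, the
        # network condition excluded it and the policy did not apply
        "id": "s2", "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied",
             "enforcedGrantControls": ["Block"]}]},
    {   # Policy still in report-only mode: access succeeded, but the record
        # says it would have been blocked once the policy is turned On
        "id": "s3", "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "reportOnlyFailure",
             "enforcedGrantControls": ["Block"]}]},
    {   # A different policy in the tenant; irrelevant to this triage
        "id": "s4", "userPrincipalName": "carol@contoso.example",
        "appDisplayName": "Microsoft Teams", "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success",
             "enforcedGrantControls": ["Mfa"]}]},
])


def load_signins(text: str) -> List[dict]:
    """Parse an exported JSON array of sign-in records."""
    return json.loads(text)


def classify(entry: dict, policy_name: str = POLICY_NAME) -> str:
    """Classify one sign-in with respect to the named block policy:
    blocked       - policy enforced and the Block grant control fired
    would_block   - report-only evaluation says it would block once enabled
    not_applied   - policy evaluated but its conditions were not met
    not_evaluated - policy not present on this sign-in at all"""
    for pol in entry.get("appliedConditionalAccessPolicies", []):
        if pol.get("displayName") != policy_name:
            continue
        result = pol.get("result")
        blocks = "Block" in pol.get("enforcedGrantControls", [])
        if result == "failure" and blocks:
            return "blocked"
        if result == "reportOnlyFailure" and blocks:
            return "would_block"
        if result in ("notApplied", "reportOnlyNotApplied", "notEnabled"):
            return "not_applied"
        return f"other:{result}"
    return "not_evaluated"


def inconsistent(entry: dict, policy_name: str = POLICY_NAME) -> bool:
    """A sign-in blocked by the policy should also carry AADSTS53003 and an
    overall conditionalAccessStatus of 'failure'; anything else deserves a
    closer look at the raw record."""
    if classify(entry, policy_name) != "blocked":
        return False
    return (entry.get("status", {}).get("errorCode") != CA_BLOCK_ERROR
            or entry.get("conditionalAccessStatus") != "failure")


def summarize(signins_json: str, policy_name: str = POLICY_NAME) -> Dict[str, List[str]]:
    """Group sign-ins by classification, e.g. to see who a report-only
    policy would lock out before flipping it to On."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for entry in load_signins(signins_json):
        groups[classify(entry, policy_name)].append(
            f'{entry["id"]}:{entry["userPrincipalName"]}')
        if inconsistent(entry, policy_name):
            groups["inconsistent"].append(entry["id"])
    return dict(groups)


if __name__ == "__main__":
    for label, ids in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(f"{label:14} {ids}")
```

For a real tenant, export the sign-ins as JSON from the Entra admin center (or Graph) and feed the text to summarize(); the would_block group is the list of people to talk to before the policy goes live, and any inconsistent entries point at records where the grant control and the error code disagree.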



Final thoughts

Please note that Conditional Access policies are powerful; misconfigured, they can inadvertently block access to important services (Intune enrolment, authentication flows, and so on), so always test with pilot groups first. Also, if you later disable Conditional Access signaling in GSA, remove or adjust any policy that references the compliant network so users aren't unintentionally blocked.

Until next time..
