Blocking Apps With a Low Reputation

One of the benefits of Microsoft 365 is the interaction across many products and features, which creates services that you otherwise might not have available, or that would require implementing unrelated, unconnected additional software and possibly client agents as well.

Recently announced is an interaction between Windows Defender (the client antivirus and other security protections on Windows 10), Microsoft Cloud App Security – MCAS (a cloud-based reverse proxy for cloud app protection), Microsoft Defender Advanced Threat Protection (a cloud service for analysing activity on endpoint devices and determining whether that activity could be malicious or warrants further investigation) and Microsoft Endpoint Manager (recently renamed from Microsoft Intune), which pushes the settings needed to enable all of this. The interaction takes the apps that your users are browsing to, reads the discovered app score and, if the score is too low, tags the app as unsanctioned and pushes the URLs for this app to the client (via MDATP), so that Windows Defender blocks access to the app shortly afterwards.

Client Experience

So let's take a look at what this looks like from the user's perspective and then how to set it up. First, on the left is Microsoft Edge (either the old or the new version) and on the right is Firefox. The action is the viewing of a URL that is unsanctioned. The particular app that I chose is a news agency and I browsed to the site directly. If the site is browsed indirectly (say via an embedded advert or graphic) then a different view will appear.

Making This Work

Now let's see what we need to put together to make this work: first Intune (Endpoint Manager) for the settings on the client, then MDATP for the interaction with MCAS, and then MCAS for the app protection:

Endpoint Manager (Intune)

For this protection feature you need two Device Configuration policies for Windows 10 or later, one of type Endpoint Protection and one of type Device Restrictions. Both policies need to be in place and scoped to all the users that you want to protect.

The first policy is an Endpoint Protection policy, and you may have one of these already configuring Windows Defender on your Windows 10 endpoints. You need to make sure that under Microsoft Defender Exploit Guard the Network Filtering setting is set to Enable. This is supported in Windows 10 1709 and later, and I have seen this break outbound network connectivity on Windows 10 version 1703 machines that had the Microsoft Firewall disabled (where it did not break later versions of Windows).

Save and apply this policy.

Create a second Device Configuration policy, again for Windows 10 or later, but for Device Restrictions this time. For this policy select Microsoft Defender Antivirus and set Real-Time Monitoring to Enable, set Cloud Delivered Protection to Enable, for Prompt users before sample submission select Send all data without prompting, and for Submit samples consent select Send all samples automatically. These are shown in the following two screenshots, both showing the same set of settings, but as it's quite a long list the second picture is scrolled down.

Again save and apply this policy. Now wait for it to download to your client machines, or in the MDM settings on Domains and Accounts, click Sync to speed this process up.

MDATP

Next you need to set up the interaction between MCAS and MDATP. This is done in Settings > Advanced Features. Here ensure that Custom Network Indicators is enabled, which allows machines to be set to allow or block URLs. This feature also requires Windows 10 version 1709 or later and an up-to-date version of the antimalware platform. Network protection in block mode, which is also listed as a requirement, is what we enabled above.

You also need to make sure that the integration with Microsoft Cloud App Security (MCAS) is enabled. Again, a list of client requirements is displayed, along with the requirement that you have EMS E5 licences for all targeted users.

If you don’t have the MCAS or EMS E5 licence then you can add the URLs and other indicators directly into MDATP via Settings > Indicators > URLs/Domains. It is here that MCAS pushes the URLs that the client will block, so any way of pushing data into the indicators in MDATP will produce the same result.

MCAS

In MCAS we need to set up the pushing of unsanctioned apps to MDATP and configure unsanctioned apps either manually or automatically.

To push the status of unsanctioned apps click the cog to the top right and choose Settings. Select Microsoft Defender ATP and ensure that Block unsanctioned apps is enabled here.

Finally we can go to the Discovered Apps portal in MCAS. If you only recently enabled the integration between MDATP and MCAS then the list of apps under Discover > Discovered Apps will be empty. It will populate over time and store up to 90 days of information on the cloud apps your users are browsing.

On the report, possibly called the “Win10 Endpoint Users” report, which is client data from MDATP, click the Score column to sort the list from 0 upward and see the apps that users are browsing that MCAS scores with a low rating. Click the app name to see the stats on why the app gets a low score.

Under the Actions column click the “no entry” sign, which tags an app as unsanctioned. Once you do this, the app will be blocked within 2 hours on Windows 10 devices under the scope of the Intune policy created above (allowing 8 hours for Intune to sync the new settings the first time).

To automatically unsanction any app with a low score (for example 0 to 3), select Policies from the Control menu. Create a new App Discovery Policy by clicking the Create Policy option. This new policy will have a name like “Unsanction Apps With A Low Score” and the policy setting will be Risk Score equals 0-2. It will apply to All Continuous Reports. Decide whether you want to be alerted when such an app runs, and finally select Tag app as unsanctioned.

Shortly after you create this rule, apps that fall into the category will be tagged as unsanctioned. Before you enable this rule it would be wise to check the list of apps with the matching score, as shown under the Discovery reports, to ensure that it would not be business impacting immediately (unless you need that to happen). For example, at the time of writing 3,095 apps were shown as scoring #2 and below, and 14 apps of score #2 and below had been viewed by end users in our company over the last 30 days. In the Continuous reports you can click any app and see who is using it and who would be impacted by blocking it.

I recommend individually unsanctioning an app for testing purposes. You can get the URL for the app by clicking the app name in MCAS, and then you can browse to it from an end-user device that is under the scope of your MDATP deployment and your Intune policy deployment. This takes about 2 hours to take effect the first time around. The automated rule to tag apps as unsanctioned takes a bit longer and is therefore harder to test.

Once users access these unsanctioned apps they appear as alerts in MDATP as well. On the Alerts Queue you get a “Connection to a blocked cloud application was detected” alert. For example, I got the following while writing this blog because when my screenshot software was capturing the above Firefox image it decided to follow the URL, and now I see that snagit32.exe was blocked from making a connection to a blocked cloud application.

Renewing Apple APN for Office 365 Mobile Device Management

Office 365 MDM (Mobile Device Management) allows you to manage iOS-based Apple devices. Once you have had Office 365 Mobile Device Management in use for a year, the Apple APNs certificate that you created a year ago for this purpose will expire. If you did not add this renewal date to your calendar when you set up Office 365 MDM, or if you have taken over as administrator from someone else since then, you had best check your renewal dates, as Apple will email the address they have for the certificate 30 days, 10 days and the day before it expires. Here is the day-before-expiry warning email – and I got this yesterday. So I had better renew the certificate now then. You of course will not leave it so late!

To check your renewal date, login as a Global Admin to the Office 365 Portal. On the old portal visit the Mobile Management tab on the left and the renewal date is shown on the right:

The above is for one of my clients, and the 30 day warning arrived for them today – so I will do them in a few days time.

If you are using the new Office 365 admin portal, then expand Resources > Mobile Management on the left navigation bar (note, at the time of writing, you cannot renew your APNs from the new portal and must use the old – the new portal redirects you back to your starting page all the time and does not start the correct wizard). This opens the same window as shown above. Later versions of the new portal might integrate the page with the portal, but that is not currently active (April 2016):

To renew your certificate click the Manage settings link under the APNs Certificate for iOS devices message to the top right.

You will see the “Set up mobile device management” page:

Click Set up to the right of “Configure an APNs Certificate for iOS devices”. This takes you to the “Install Apple Push Notification Certificate” page. On one of my tenants (possibly with the APNs certificate expired already) clicking Set up took me back to the “Mobile Device Management for Office 365” page and I could never get past it. That tenant needed a support call raised to fix it.

On the “Install Apple Push Notification Certificate” page click “Download your CSR file” and save the file somewhere you can find shortly.

Click Next once the file is saved to disk.

On the second page of the wizard, click the “Apple APNS Portal” link. As this is a renewal, you need to login to the Apple Developer site with the same credentials used last time. If you have lost these and cannot reset them, then I suspect uploading a new certificate issued to a new ID will work, but I have not tested this.

Once signed in click Renew. If changing issuer account and you have access to the old account, then click Revoke and login with the new account to https://identity.apple.com/pushcert to generate the new APNs certificate.

On the Renewal page, upload the saved CSR file from step 1 into the “Vendor-Signed Certificate Signing Request” and click Upload:

If you get a prompt about opening or saving a file called renew.json then cancel it and refresh the web browser page to continue the CSR file upload. The Apple web site often issues a JSON file as a download, but that should not happen and it is not the file you need. Once the APNs certificate is ready the browser will change back to the Apple Push Certificates Portal home page with a new certificate present (confirm this, as the expiry date will be a year from today). Click Download to get the APNs file.

Upon clicking Download you are prompted to save a .pem file. This file will be called “MDM_ Microsoft Corporation_Certificate.pem”. If you are a Microsoft Partner and are doing this for multiple customers then rename it to suit the end client.

Close the Apple Push Certificates Portal page and in the previous tab you will find yourself back at step 2. Click Next.

In the file upload field, browse for MDM_ Microsoft Corporation_Certificate.pem (or whatever you renamed it to) and upload it to Office 365. The certificate is automatically uploaded. Click Finish and you are done.

Don’t forget to add a calendar appointment for this time next year just in case the reminders from Apple don’t reach you.
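Apple's reminder emails are easy to miss, so here is a small POSIX shell check, added to this post and not part of the original, that reads the notAfter date from the downloaded APNs .pem file and reports whether it falls inside the same 30, 10 or 1 day windows that Apple warns at. It assumes the openssl command-line tool is installed and that the certificate path is passed as the script's argument; run with no argument it checks a throwaway self-signed certificate it generates itself.

```shell
#!/bin/sh
# Added example, not from the original post: report how close an Apple APNs
# certificate (e.g. the downloaded "MDM_ Microsoft Corporation_Certificate.pem")
# is to expiry, using the 30/10/1-day thresholds Apple's reminder emails use.
# Assumes the openssl command-line tool is installed.

# Print the certificate's notAfter date and return:
#   0 = more than 30 days left,
#   1 = expires within 30 days (or has already expired),
#   2 = the file could not be read as an X.509 certificate.
apns_expiry_check() {
    cert="$1"
    enddate=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || {
        echo "cannot read certificate: $cert"
        return 2
    }
    echo "$enddate"   # e.g. notAfter=Apr 14 10:03:21 2017 GMT

    # "-checkend N" exits non-zero when the certificate expires within N
    # seconds, so test the tightest window first and report the first failure.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: renew now"
        return 1
    fi
    for days in 1 10 30; do
        if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "WARNING: expires within $days day(s)"
            return 1
        fi
    done
    echo "OK: more than 30 days remaining"
    return 0
}

# Constructed sample for offline testing only: write a throwaway self-signed
# certificate valid for $2 days to $1 (this is NOT an Apple-issued APNs cert).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$2" -subj "/CN=apns-sample" >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then
    apns_expiry_check "$1"    # real use: pass the downloaded .pem file
else
    tmp=$(mktemp -d) && make_sample_cert "$tmp/sample.pem" 365 \
        && apns_expiry_check "$tmp/sample.pem"
    rm -rf "$tmp"
fi
```

Scheduling this against the renewed .pem (or the same check against the certificate Apple's portal shows) gives you a reminder that does not depend on Apple's email reaching the right mailbox.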

Office 365 MDM (Mobile Device Management) From A Users Perspective

The following list of steps and screenshots was taken during the enrolment process to add an iPhone and an Android phone to Office 365 once the free MDM solution that comes with Office 365 is enabled for the user. Each step notes the iPhone screenshot and, where one was taken, the Android screenshot that accompanied it.

1. Once your IT Administrator enables MDM for your Office 365 account you will get the following email on your device if you already have email configured. It may take 24 hours from the admin configuring MDM for this to arrive. Once this email arrives no further email will arrive from that account on any device until the device is enrolled with the company for management.
[iPhone screenshot: Initial Email; Android screenshot]

2. Click the “Enrol your device” link in Step 1 of the email. This takes you to the relevant app store for your device to install the Company Portal app (iPhone as shown, and Android devices). Windows Phone users will see the Workplace Join settings (not shown). In the iOS example the Company Portal app is already installed, so we can click Open at the top. For Android, on the right, it shows that the app needs installing from the page they see in the app store.
[iPhone screenshot: Clicking Enroll; Android screenshot]

3. Once the app is installed you are required to log in. Enter your Office 365 username. Upon entering your username you will either be redirected to your network to log in (if your company uses AD FS) or you enter the password here. Step 4 shows the AD FS login page, which will probably have your company logo on it. If your IT department does not use AD FS you enter your password here (the page waits for you to enter it).
[iPhone screenshot: Login Page; Android screenshot]

4. This is an example AD FS login page with company logo. If you are required to log in with other information as well as your password you will be prompted for this too.
[iPhone screenshot: ADFS Login Page]

5. Upon a successful login your device starts the enrolment process by connecting to both Office 365 and the device manufacturer to download the required secure management information.
[iPhone screenshot: Enrolling; Android screenshot]

6. For iOS click Enroll to start the process. For Android you need to click Activate. The company you are enrolling your phone into will have some rights over some of the data on your phone – for example they will be able to remove the work email account from it if you leave the company. Enrolment conditions will be enforced based on your company's requirements for using phones to access company data, for example a PIN of a minimum length (see http://bit.ly/o365mdm for more on this).
[iPhone screenshot: Notice About Enrolling; Android screenshot]

7. Enrolment goes through a series of steps with the screen changing a few times automatically. Within a few seconds you end up at the “Install” screen. Click Install to add the management profile for the displayed company. Android and Windows Phone have fewer steps to go through.
[iPhone screenshot: Certificate; Android screenshot]

8. A unique encryption key is generated for your device when using iOS devices. For Android, you need to accept the compliance requirements configured by your administrator. If you do not complete these requirements then business applications will not be available on the device.
[iPhone screenshot: Key Generation; Android screenshot]

9. You need to click Install at the personal settings screen when using iOS devices. For Android, the compliance requirements are set at this point (in this case a PIN is entered). Note that on iOS you have 1 hour to enter a PIN to become compliant, but not on Android.
[iPhone screenshot: Warning; Android screenshot]

10. You need to confirm that you trust this company for remote management of your device when using iOS devices. For Android you need to name and install the certificate.
[iPhone screenshot: Install Trust; Android screenshot]

11. The management profile is installed and you can click Done when using iOS devices.
[iPhone screenshot: Profile Installed]

12. The device checks that it is enrolled, what the device settings are, and whether these settings are compatible with the company's required restrictions on the device. On Android you may get a prompt about entering a PIN or other compliance requirements if you did not enter them earlier.
[iPhone screenshot: Checking]

13. Enrolment is confirmed. Notice that my device(s) are displayed and my current device is not compliant with company policy (the red exclamation mark). For Android devices, the My Devices tab will show your devices, including whether there are any compliance issues.
[iPhone screenshot: Enrolled]

14. Clicking my device in the Company Portal app shows the compliance status of the device. Here the device is still checking compliance.
[iPhone screenshot: Checking Compliance 1st Time]

15. And here the device is shown not to be compliant. For Android devices not in compliance, it shows an Enrollment update available (if you did not meet compliance requirements during the Company Portal enrollment process) or, if you are not compliant (for example the device is not encrypted), it shows that the device is not in compliance as shown.
[iPhone screenshot: Not In Compliance; Android screenshot]

16. Details on the compliance state in iOS show the “This device is not in compliance” message. Further details on the compliance failure are shown under the message. In this case the iOS device is unable to set up an email profile on the device and the Android device needs a longer password and device encryption.
[iPhone screenshot: Not In Compliance Details; Android screenshot]

17. Clicking the “Unable to set up email on the device” message shows the full details. In this case the device already has an email profile configured; for the iPhone this needs to be removed and the Company Portal will recreate it. It is this recreated email profile that the iPhone/iPad can manage. Android and Windows Phone users do not need to delete their email profile and have the device recreate it, but compliance requirements must still be met.
[iPhone screenshot: Actual Reason for not in compliance; Android screenshot]

18. For the iPhone/iPad the steps to delete the existing profile are Settings > Mail, Contacts, Calendars > click the email profile > click Delete Account. For Android, if the device is compliant in the Company Portal app then you need to have Exchange Server validate this for you so that your email continues to work. Back in the email program view the enrollment email as shown – click hyperlink #2 in the email and sign into the web-based Device portal.
[iPhone screenshot: Deleting original email profile; Android screenshot]

19. Once the account is deleted on the iOS device it is not visible in the list of email accounts. In this example the iCloud account remains along with two Exchange / Office 365 accounts that are not managed by MDM. You can only have one MDM-managed account per device at any given time. Other compliance settings may be required, such as a PIN. You have 60 minutes in iOS to enable this if required.
[iPhone screenshot: Seeing list of email profiles - work email is gone]

20. Once the Company Portal app checks for compliance again and you are compliant, a new email profile for your work appears. Clicking it (called “Office 365 email”) requires entry of your password. On Android, once the device is shown as compliant in #2 of the email, click the hyperlink for #3 in the email. Click Allow on the certificate prompt if you see one.
[iPhone screenshot: Work Email Profile Arrives; Android screenshot]

21. You then see the email profile created. Compare this to the image in Step 19 for the difference. On Android, you will be informed that your device has successfully authenticated for email.
[iPhone screenshot: Email Configured Automatically; Android screenshot]

22. It is possible to rename the email profile. In this case it is via Settings > Email, Contacts, Calendars > Office 365 email > Account and then change the “Description” value.
[iPhone screenshot: Renaming Email Profile]

23. The updated email profile is listed.
[iPhone screenshot: Email Profile listed]

24. Email should now sync with your device again. Notice that the email about needing to set up MDM is now missing and has been removed automatically. On Android, drag the Inbox screen down to refresh it and your emails will appear.
[iPhone screenshot: Email available on device, enrollment email not available now; Android screenshot]

25. Now that the device is compliant (excepting the PIN, which gives you 60 minutes of grace to complete this step) you can start other Office 365 aware applications. Here we are going to sign into OneDrive and show our OneDrive for Business data.
[iPhone screenshot: Other Apps; Android screenshot]

26. Your app requires a login.
[iPhone screenshot: Login for other apps; Android screenshot]

27. If you have an AD FS additional login you may also see this.
[iPhone screenshot: ADFS Login]

28. Your other app is now working, and in the case of OneDrive for Business it did not need configuring.
[iPhone screenshot: Other App Also Working]