CoreyU
Contributor
Contributor

Airwatch and conditional access with Azure AD and Intune

Hi all,

Is it possible for Airwatch to integrate with Azure AD policies and intune. We want our mobile users to be able to use Microsoft Teams but it will be locked down. From looking at the Conditional Access Policies inside Azure active directory we see we can grant access for Require device to be marked as compliant.(it says device must be InTune compliant) So we need a device that is enrolled in Airwatch to be compliant with intune so the device has access with azure active directory. I hope I am explaining this correctly.

Is this possible?

Thanks

13 Replies
MarkSchwantje
Enthusiast
Enthusiast

Corey,

Currently there is no way for an AirWatch managed device to be marked as Intune compliant, so you won't be able to use that condition. I've heard that AirWatch and Microsoft established a partnership that would eventually bring about that functionality; it would work similar to how Jamf works. However, I heard these rumors last year, and I still haven't seen anything related to these enhancements.

What we ended up doing is enabling the Microsoft Office apps with per-app VPN over the WS1 Tunnel solution. We then configured an Azure AD Conditional Access rule that blocks access from anything coming from an IP address that is not the IP address of our Tunnel server. This ensures that only AW managed devices are able to use the apps to access O365 resources.

0 Kudos
Ichijima
Contributor
Contributor

Hi

Azure AD conditional access using Workspace ONE UEM (AirWatch) is a preview feature.

Use compliance data in Azure AD Conditional Access policies by integrating Workspace ONE UEM with Mi...

I was surprised to find this document at the end of March 2020.

But,I haven't actually used this feature, so I'm not sure how it works.

We expect more information using this feature.

Thanks

0 Kudos
CoreyU
Contributor
Contributor

Hi Mark,

Was it hard getting it going with the per-app VPN? Was there any documentation you followed for this?

Thanks

0 Kudos
CoreyU
Contributor
Contributor

Hi Ichijima,

I looked at that document and contacted VMware support today on it and they said that These are Microsoft preview APIs, so integration will fail. As of now, we are not aware, when MS is planning on fixing this as MS hasn't provided this information to us.

I have a ticket into MS support to see what they have to say.

As when trying to add the VMware Workspace One mobile compliance in the Azure AD it only has Airwatch and not the WS1 UEM. I think our tenant needs to be flighted(not sure what that means).

I guess I wait to hear what MS says.

Thanks

These are Microsoft preview APIs, so integration will fail.
As of now, we are not aware, when MS is planning on fixing this as MS hasn't provided this information to us.

chengtmskcc
Expert
Expert

We recenlty implemented VMware Access (or IDM) to offer mobile SSO when accessing O365 apps. Part of the change requires that device be MDM enrolled and compliant before it can access corporate data through any of these apps. So far it's been working well for us. I suppose what everyone has shared here is when you don't have IDM implemented?

0 Kudos
MarkSchwantje
Enthusiast
Enthusiast

Hi,

It depends on if you already have something that can provide per-app VPN functionality, like WS1 Tunnel. If so, it is not that difficult to implement. If you don't have something that can provide per-app VPN already, you'll have to investigate that first.

I didn't really follow any documentation; but I can give you some guidance if you really want to pursue it.

Mark

0 Kudos
MarkSchwantje
Enthusiast
Enthusiast

Hi

Azure AD conditional access using Workspace ONE UEM (AirWatch) is a preview feature.

Use compliance data in Azure AD Conditional Access policies by integrating Workspace ONE UEM with Mi...

I was surprised to find this document at the end of March 2020.

But,I haven't actually used this feature, so I'm not sure how it works.

We expect more information using this feature.

This is great news; looks like they are finally making progress on this. Based on that link, it seems to require that you are using Workspace ONE Intelligence - is that right? Our UEM console (1907) does not even have the option that they are referring to (Navigate to Monitor > Intelligence, check the Opt-in box).

0 Kudos
ArsenBandurian
VMware Employee
VMware Employee

Sorry for the thread necro, but in case you missed it, here are some details on how the Compliance API works with WS1 UEM.

There are still limitations on the AAD side related to _identfying_ the device (WS1 send compliance info for all devices to AAD, but AAD doesn no know _which_ device is coming to it, unless you implement some workarounds) - you can read this all in the blog.

https://digitalworkspace.one/2020/05/12/compliance-api-msft/

Uemtesting1
Contributor
Contributor

Hi Mark,

did you do this for iOS only or for Android as well? We had no issues running this on iOS but on Android, we find that Azure does not pick up the tunnel URL. I know on iOS we had to add login.microsoftonline.com to Safari managed domains, but not sure if we need something similar for Android? 

0 Kudos
MarkSchwantje
Enthusiast
Enthusiast

Hi,

I specified the "login.microsoftonline.com" domain for All Apps in the Device Traffic Rules for VMware Tunnel in Settings. The Office apps on Android use this as well as Chrome, which I configured for per-app VPN.

Mark

0 Kudos
Uemtesting1
Contributor
Contributor

Thanks Mark.

Did the same i.e. configured the iOS and Android office apps to go via the per-app Tunnel. Additionally, configured Chrome in the Work Profile to go via the Tunnel and added login.microsoftonline.com for Safari to go via the Tunnel.

This was fine on iOS. On Android, I found that when I tried to go to login.microsoftonline.com via the managed Chrome browser, Azure picked up my tunnel IP. However, when I tried to login to Word in the Work Profile, Azure picked up the device IP and not the Tunnel IP.

I also tried by manually adding Chrome and Word to the Device Traffic Rules configured to Tunnel login.microsoftonline.com.

Any ideas or suggestions?

0 Kudos
MarkSchwantje
Enthusiast
Enthusiast

Strange that it works for Chrome but not the Office apps. I'm not sure I'll be able to help. We are using the Work Managed Device mode for enrollment of all of our corporate owned Android devices, which is the only type of devices that we allow per-app VPN functionality. For BYOD, we do utilize Work Profile mode, but I've never configured per-app VPN for those devices.

0 Kudos
Uemtesting1
Contributor
Contributor

Right okay. I’ve ensured that default work profile browser was set to chrome (just to be sure) as well.

no worries, shall keep at it and post back when/if we get it to work. 

thank you 

0 Kudos