We recently addressed the value of incorporating third-party device compliance for companies using Microsoft Intune as their primary MDM. But what should IT teams do if the situation is reversed? The robustness of VMware’s Workspace ONE allows users to tap into the power of Microsoft Entra ID (formerly Azure Active Directory) Conditional Access to enforce secure access to Office 365 on managed devices while keeping employee productivity high.
For a bit of background, the modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations then use identity-driven signals as part of their access control decisions. Microsoft Entra ID Conditional Access brings signals together to make decisions and enforce organizational policies. Conditional Access is Microsoft's Zero Trust policy engine, taking signals from various sources into account when enforcing policy decisions.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example, if a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.
By incorporating Entra ID Conditional Access policies, every connection is checked for user identity, location, and device health. Conditional Access can allow or deny access to Office 365 based on a minimum set of requirements, including blocking access to resources on devices that are not MDM managed or marked as compliant.
Blocking access to Office 365 resources from unmanaged and non-compliant devices allows you to:
- Ensure only known, corporate-owned devices are accessing company data
- Block devices that are not patched or updated
- Ensure there are no blacklisted apps on connecting devices
- Ensure all devices have a passcode, are encrypted and are not jailbroken/rooted
- Block bring your own (BYO) devices
Workspace ONE UEM Integration with Microsoft allows data such as device compliance state to be passed to Intune and Entra. This compliance state can then be used to restrict access to Microsoft apps such as Outlook or OneDrive.

Before getting started, be sure the following prerequisites are met for Conditional Access Compliance:
- Have an Intune and Entra ID P1 license for all connecting users.
- Enable Reports powered by Workspace ONE Intelligence in your UEM environment.
Only then can you set up the integration in VMware Workspace ONE UEM, set up the device partnerships in Entra, and enable Workspace ONE to use compliance data in Entra ID Conditional Access policies for iOS and Android. With that in place, you can set up the Conditional Access policies themselves.
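The kind of policy this setup leads to, as an added example that is not from the original article or from VMware or Microsoft: a Conditional Access policy in the Microsoft Graph `conditionalAccessPolicy` JSON format that grants access to Office 365 from iOS and Android only when the device is marked compliant. The display name, the all-users scope and the report-only state are assumptions chosen for illustration.

```json
{
  "displayName": "EXAMPLE (constructed) - Require compliant device for Office 365 on iOS and Android",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["Office365"]
    },
    "clientAppTypes": ["all"],
    "platforms": {
      "includePlatforms": ["iOS", "android"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```

With `state` set to `enabledForReportingButNotEnforced`, the sign-in logs show which connections the policy would have blocked without denying anyone access. Changing it to `enabled` enforces the compliant-device requirement.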
By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure. Contact our team for support.