Restrict Azure App Proxy applications accessed via Intune Managed Browser

Introduction:

Azure AD Application Proxy provides secure remote access to on-premises applications: a simple, secure, and cost-effective remote access solution for all your on-premises applications. For more information about Azure AD Application Proxy, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

Using Azure Active Directory (Azure AD), you can restrict access to web sites on mobile devices to the Intune Managed Browser app. In the Managed Browser, web site data will remain secure and separate from end-user personal data. In addition, the Managed Browser will support Single Sign-On capabilities for sites protected by Azure AD. Signing in to the Managed Browser, or using the Managed Browser on a device with another app managed by Intune, allows the Managed Browser to access corporate sites protected by Azure AD without the user having to enter their credentials. This functionality applies to sites like Outlook Web Access (OWA) and SharePoint Online, as well as other corporate sites like intranet resources accessed through the Azure App Proxy.

Using Azure AD App Proxy, we can publish all our web applications hosted on-premises and allow users to access them securely from the internet. Publishing the apps and letting users access them from the internet is not enough. You must make sure these apps are secure and that there are no DLP issues.

In this blog post, we are going to see how to allow users to access these applications in a secure manner and ensure there is no DLP issue. When I talk about DLP issues, it is about restricting users to the Intune Managed Browser for accessing these applications: denying access from third-party browsers like Chrome, Safari, Firefox etc. and forcing users to use the Intune Managed Browser.

More about Intune Managed browser:

I have gone through the TechNet article about the Intune browser to see the difference between the Intune browser and third-party browsers in terms of behaviour, but I could not get much information. So I started doing some basic testing using the Intune browser and third-party browsers. What I found is that the Intune browser cannot be used like other browsers and it has a lot of restrictions by default in its design. What it means is that I can open Gmail/OneDrive/Dropbox using the Intune browser, but I cannot upload any files to them.

The Intune Managed Browser by default blocks upload and download actions for websites.

You may see ‘attach’, ‘upload’ or ‘download’ options on the sites; however, when you click on them to upload, nothing happens. This I believe is the unspoken/unwritten default behaviour of the Intune browser.

Back to publishing the apps and making them work only via the Intune Managed Browser.

a) Publish an app using Azure AD App Proxy. For more details, refer to this link –> https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal

b) Create a conditional access policy specific to the application published via Azure AD App Proxy, and make sure the Conditions have both “Browser” and “Mobile apps and desktop clients” selected and that access is allowed only from “Approved Clients”. As of writing this blog, Microsoft has made this available for App Proxy applications only on iOS using Conditional Access. Work on Android is in progress. Revisit this blog in March 2018 or talk to your Microsoft representative to get the latest on Android-based access control.

For Android users, you have 2 options: 1) block access to the apps when users try to access them using the Intune or any other browser; 2) let users access these apps from any browser (you accept the DLP loss).

Conditional Access settings:

Cloud Apps:


Choose the applications that you want to allow users to access.

Device Platform:


Client Apps:


Access control:


c) Configure the Managed Browser app to use App Proxy redirection. Go to your Intune Managed Browser app configuration and add the configuration key com.microsoft.intune.mam.managedbrowser.AppProxyRedirection with the value true. Refer to this link –> https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser

What this setting does is allow internal links that are published via Azure AD App Proxy, and sent as links in emails or via “any Intune approved client app” on the device, to open directly in the Intune Managed Browser.

This way, even if you cannot resolve internal links on the internet, “any Intune approved client app” is smart enough to understand that these links are published via Azure AD App Proxy and should be opened in the Intune Managed Browser.
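To check steps b) and c) outside the portal, here is an added audit script of my own (not from this post, Microsoft, or Intune). It assumes the Conditional Access policy is in the Microsoft Graph conditionalAccessPolicy JSON shape and the Managed Browser app configuration is a list of name/value custom settings; the app id and sample policies are constructed.

```python
import copy

APP_PROXY_APP_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, not a real app id
REQUIRED_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients"}
REDIRECT_KEY = "com.microsoft.intune.mam.managedbrowser.AppProxyRedirection"


def audit_ca_policy(policy, app_id):
    """Findings for step b); an empty list means the policy restricts the app to approved clients."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {})
    included = set(apps.get("includeApplications", []))
    if app_id not in included and "All" not in included:
        findings.append("published app is not targeted")
    client_types = set(cond.get("clientAppTypes", []))
    missing = REQUIRED_CLIENT_APPS - client_types
    if missing and "all" not in client_types:
        findings.append("client app types missing: " + ", ".join(sorted(missing)))
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "approvedApplication" not in controls:
        findings.append("approved client app is not required")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, a user on Chrome/Safari could satisfy the policy via the other control (e.g. MFA).
        findings.append("OR with other controls lets a non-approved browser satisfy the policy")
    return findings


def audit_browser_config(custom_settings):
    """Findings for step c); custom_settings is the Managed Browser app configuration key/value list."""
    values = {s.get("name"): str(s.get("value", "")).lower() for s in custom_settings}
    return [] if values.get(REDIRECT_KEY) == "true" else [REDIRECT_KEY + " is not set to true"]


# Constructed sample policy matching step b): both client app types, approved client app required, iOS only.
GOOD_POLICY = {
    "displayName": "App Proxy apps - approved client only (iOS)",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [APP_PROXY_APP_ID]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "platforms": {"includePlatforms": ["iOS"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
}
# Weak variant: only "Browser" selected, and MFA offered as an alternative to the approved client app.
WEAK_POLICY = copy.deepcopy(GOOD_POLICY)
WEAK_POLICY["conditions"]["clientAppTypes"] = ["browser"]
WEAK_POLICY["grantControls"]["builtInControls"] = ["approvedApplication", "mfa"]
GOOD_CONFIG = [{"name": REDIRECT_KEY, "value": "true"}]
```

Run it against policies exported from Graph; a non-empty list means the setting does not match what the steps above describe.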


End User Experience:

On an Android device, if the user tries to access the application using the Intune or a third-party browser, they will see a prompt with the message ‘Action Blocked’: This action is not allowed by your organization.

This action not allowed: Your organization only allows you to open work or school data in this app.


On an iOS device, if the user tries to access the application using a third-party browser, it fails with the error “You can’t get there from here” and directs the user to use the Intune Managed Browser.


Hope it helps.
