How to Manage and Configure Intune Managed Browser for DLP (An alternate solution to app configuration with allow block URL)

Introduction:

Intune Managed Browser app lets you safely view and navigate web pages that might contain company information and provides a secure web-browsing experience for Microsoft office and other apps managed by Microsoft Intune. This browser help your IT administrator protect company information without restricting your regular web browsing or app experience.

Intune Managed Browser is not like other browsers (Chrome ,Firefox and other 3rd party browsers ) .This is unique browser that does not let you upload any files ,which means you can open gmail,onedrive or any cloud hosting provider in intune browser but cannot let you upload any files .How does it matter to me with this .? Well ,If you are using Microsoft Intune as mobile device management solution ,you must plan and configure the MAM policies (Data control) for Intune browser. 

Below is the scenario that will help you to understand about data leakage from intune browser and how it helps to avoid configuring  allow /block URL’s for end users from my experience.

If you configure MAM Policy (data control) with your required application settings for all intune supported applications including Intune Managed browser ,you will experience data leakage issues with managed browser unless you configure allow/block URL’s using App Configuration .Why do i hit DLP Issues with managed browser ? Ok, If you configure MAM policy with following setting (Policy managed apps or with past in),you are allowing data to copy from onedrive, teams,outlook etc to Intune managed browser .I can open intune managed browser ,open gmail/onedrive ,copy the data from intune apps to any of these un managed sites to leak the data.

OR you can configure allow or Block list of URL’s but how many URL’s do you configure ? There could be tons of URL’s which user might want to access which is impossible to configure with allow or block action.

So what is the solution then ? If you really care about DLP ,then i see  only 1 possible solution that can minimize/no DLP issues .

image

 

The solution which am going to talk about will eliminate the need of configuring allow/block list of URL and allow users to open all the links from the managed applications using browser automatically and decline copy/paste option from these managed apps to intune managed browser. I don't see a reason for user to copy the data from managed apps to intune managed browser except open the links. feedback via comments section.

Solution:

When you configure MAM policy for iOS ,Android, do not choose intune managed browser .We will create separate MAM policy for iOS and Android OS.

Create MAM policy for iOS/Andriod with following settings (MAM_iOS_IntuneBrowser) for Managed Browser application.

Targeted Apps ,choose Managed Browser

Policy Settings: Look out for the primary settings that are arrowed.

 

image

With this configuration ,we allow users to open any links from the managed applications to intune managed browser but restrict cut copy paste .

If you want to allow block list of URL’s ,i blogged about it previously here http://eskonr.com/2017/12/configure-bookmarks-allow-and-block-urls-for-the-managed-browser-using-intune/

Until Next!

 

 

Leave a Reply