Managing Microsoft Edge browser on iOS/Android (Notes from the field)


Edge browser for iOS and Android has been available since 2017 (first released in December 2017) to give you a continuous browsing experience from your mobile device to your Windows device. Microsoft previously offered Intune Managed Browser as the secure browser for opening links from Microsoft Office and other apps managed by Microsoft Intune. Since April 2018 there have been no updates to Intune Managed Browser, which shows where the investment is going: Microsoft is moving towards the Edge browser for mobile devices as the replacement for Intune Managed Browser (aka ManBro).

Edge browser is secure, manageable and provides a rich browsing experience. Using a protected browser with an Intune policy (Microsoft Edge or Intune Managed Browser), you can ensure company resources are always accessed with corporate safeguards in place. This ties back to your O365 identity.

Microsoft Edge and Managed Browser are integrated with the Intune SDK, so you can apply app protection policies such as controlling the use of cut, copy and paste, preventing screen captures, and ensuring corporate links open only within managed apps and browsers.

We plan to move from Intune ManBro to the Microsoft Edge browser for our workforce. I have been testing the features of the Edge browser in comparison with Managed Browser and have also validated the end-user experience. I am going to list all the test cases and my experience with the Edge browser for iOS and Android devices. These are my observations from the field and from my interaction with the pilot users we rolled the Edge browser out to.

--> Edge browser has huge improvements for the AllowListURLs and BlockListURLs feature. This configuration does work with Intune Managed Browser, but there the AllowListURLs or BlockListURLs only apply to the work account, and Managed Browser does not support multi-identity.

Edge browser introduced an in-private mode that can be configured with a personal account. It is used to open URLs that are not in the AllowListURLs, and web pages opened in private mode do not get the MAM app protection policies applied. This gives you the flexibility to access your personal sites and attach files from non-corporate locations. Intune Managed Browser did not give you this flexibility.

Edge browser can be configured with a work account and a personal Microsoft account (outlook.com, live.com, hotmail.com or any other Microsoft account). You cannot use Gmail, Yahoo or any other account in personal mode. This may change in future.


--> AllowListURLs and BlockListURLs let end users open the approved URLs using the work account, with the flexibility to move data between the managed apps, while the remaining non-corporate URLs open in a private window that has no access to work-account applications like Teams, OneDrive, Outlook etc.

If you are worried about data leakage issues in the Edge browser, then you must configure AllowListURLs.

As an example, if I allow gmail.com or hotmail.com in the allowed URLs, I can then launch gmail.com using the work account, create a new email and attach files from corporate OneDrive. That is a DLP issue.

How do you prevent such activity? Identify the list of URLs your business needs to open in the work account; everything else will open in private mode. For example, add <tenant>.sharepoint.com to your app configuration policies.

--> If you have internal applications published externally via Application Proxy and you have an AllowListURLs configuration, then you need to allow certain additional URLs in order for users to access these external apps on Android devices.

What does that mean? I have an internal (on-prem) application that is published externally, for example cyberark-koneti.msappproxy.net, where koneti is the tenant name.

Since I have AllowListURLs configured with a list of URLs including https://*.msappproxy.net/*, when my users browse to this application on an Android device they are hit with the following screen:

Blocked Site.

Your IT Admin has blocked access to this site using your work account .Browse inprivate


Why did this happen? Even though the URL ends with msappproxy.net and is allowed, the URL still gets blocked, and this happens only on Android devices, not on iOS.

After troubleshooting, and with support from Microsoft, it turned out that Android behaviour is different for App Proxy URLs: the backend URLs the App Proxy page loads get blocked unless you make some changes to AllowListURLs.

So to fix this, two URL patterns need to be added to the AllowListURLs configuration: https://*.akamaized.net/*|https://*.msocdn.com/*

This fix is only needed for Android devices; on iOS it works fine without the above URLs. We are pushing Microsoft to align this behaviour across both OSes and make life easier for admins like us.

If you don't have AllowListURLs configuration then you can ignore this point.

--> With an AllowListURLs configuration, all the applications or URLs that you allow will have access to MAM-protected applications, but again it depends on your MAM policy settings how data can be transferred to other apps.

What does an AllowListURLs configuration look like that includes the allowed URLs for a protected browser and also bookmarks?

To create an app configuration policy, log in to https://portal.azure.com, click on the Intune App protection blade, then App configuration policies (https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/3), and click Add.

Choose the Associated apps as Edge for iOS and Android.


In the Configuration settings, key in the following name/value pairs:

Name: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: True

Name: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: Algosec|https://algosec-koneti.msappproxy.net/algosec/suite/login.html||Diagnostic|about:intunehelp

Name: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: https://*.apac.asia/*|https://*.akamaized.net/*|https://*.msocdn.com/*|https://*.msappproxy.net/*|https://*.eskonr.com/*
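Before pushing a policy like the one above, it helps to check which URLs it will actually open with the work account, and whether the two Android App Proxy entries from the earlier point are present. The following is an added example (not code from the post or from Microsoft) that parses the pipe-delimited AllowListURLs and bookmarks values from the table and evaluates URLs against them; it assumes `*` in a pattern matches any run of characters and that a URL with no path is treated as `/`.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Policy values copied from the post's app configuration table.
ALLOW_LIST_URLS = ("https://*.apac.asia/*|https://*.akamaized.net/*|https://*.msocdn.com/*"
                   "|https://*.msappproxy.net/*|https://*.eskonr.com/*")
BOOKMARKS = ("Algosec|https://algosec-koneti.msappproxy.net/algosec/suite/login.html"
             "||Diagnostic|about:intunehelp")
# The two patterns the post says Android needs so App Proxy backend content is not blocked.
ANDROID_APP_PROXY_EXTRAS = ("https://*.akamaized.net/*", "https://*.msocdn.com/*")


def parse_url_list(value):
    """AllowListURLs / BlockListURLs: one wildcard pattern per '|'-separated entry."""
    return [p.strip() for p in value.split("|") if p.strip()]


def parse_bookmarks(value):
    """bookmarks: 'Name|URL' pairs separated by '||'."""
    return [entry.partition("|")[::2] for entry in value.split("||") if "|" in entry]


def pattern_to_regex(pattern):
    # Assumed semantics: '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)


def normalise(url):
    # Lower-case scheme/host, default an empty path to '/', drop the fragment.
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def opens_with_work_account(url, allow_list_value):
    """True if the URL matches an AllowListURLs entry; False means it opens in-private."""
    regexes = [pattern_to_regex(p) for p in parse_url_list(allow_list_value)]
    return any(r.match(normalise(url)) for r in regexes)


def missing_android_app_proxy_entries(allow_list_value):
    """Return the Android-required CDN patterns that are absent from the list."""
    present = set(parse_url_list(allow_list_value))
    return [p for p in ANDROID_APP_PROXY_EXTRAS if p not in present]


def audit_bookmarks(bookmarks_value, allow_list_value):
    """For each http(s) bookmark, report whether it will open with the work account."""
    return {name: opens_with_work_account(url, allow_list_value)
            for name, url in parse_bookmarks(bookmarks_value)
            if url.lower().startswith(("http://", "https://"))}
```

Running `missing_android_app_proxy_entries` against a list that only contains `https://*.msappproxy.net/*` reproduces the Android "Blocked Site" situation described above, since the CDN content the App Proxy page pulls in would not match any entry.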

There are a few app configuration settings supported by Intune Managed Browser/Edge: homepage, bookmarks, allowed and blocked URLs, and setting Edge as the default browser (to take over from Managed Browser).

For more information about app configuration, please read https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-specify-allowed-and-blocked-urls-for-a-protected-browser


--> If users have installed Managed Browser or Microsoft Edge on their devices but the app is not managed by Intune, they cannot access data from other Intune-managed applications. So make sure you create app protection policies that include Edge for iOS and Android.

--> If you are using a conditional access policy, make sure you have a policy that grants access with "Require approved client app", because Managed Browser/Edge is now an approved client app for Conditional Access.

Azure AD - Managed Browser conditional access policy

--> While testing the Edge browser for iOS and Android, I did not observe DLP issues, and the Edge browser works way better compared with Intune Managed Browser. It was sleek and the GUI is quite modern. However, there is still a lot of work ahead for Microsoft to enhance the end-user experience.

Prompting every time to open links in private mode is probably not a good idea. This may confuse a lot of users. Since there is already an AllowListURLs list configured, everything else opens in in-private mode anyway. Why does Microsoft prompt users to choose in-private mode?

--> If you are moving from Managed Browser to Edge, make sure you send proper communication to end users so they know how the Edge browser works, mostly about the private mode prompt. It is up to the user whether to configure a Microsoft account or not, but URLs not in the AllowListURLs can still be opened in private mode without a Microsoft account.

--> The following summarizes what happens if users have both Edge and Managed Browser on a mobile device:

On Android:

  • Managed Browser if both MB and Edge are on the device, unless app config setting “com.microsoft.intune.useEdge” is set to “true” for all Intune managed apps with a policy managed browser required.
  • Microsoft Edge if only Microsoft Edge is on the device and is targeted with policy.
  • Managed Browser if only Managed Browser is on the device and is targeted with policy.

On iOS, for apps that have integrated the Intune SDK for iOS v. 9.0.9+:

  • Managed Browser if both MB and Edge are on the device, unless the app config setting "com.microsoft.intune.useEdge" is set to "true" for all Intune managed apps with a policy managed browser required, or Microsoft Edge if Microsoft Edge is installed and has received policy.
  • Microsoft Edge if only Microsoft Edge is on the device, is targeted with, and has received policy.
  • Managed Browser if only Managed Browser is on the device, is targeted with, and has received policy.

--> When the user signs out of the Edge browser, the data in the Edge browser is wiped automatically.

--> To troubleshoot managed applications and collect logs to share with a Microsoft representative: on iOS you can still use the about:intunehelp command in the Edge browser, which takes you to Intune diagnostics, whereas on Android you need to use the Company Portal to collect the logs.

If you have noticed any other interesting things in the Edge browser, do let me know in the comments and I will get it added to this post with credits.
