Conditional Access allows (IT) to provide you (the end user) with access to corporate resources based on a set of conditions and if you meet those conditions I'll let you in. If you don't meet those conditions, or perhaps meet only one or two, I will have additional steps for you to take before I unlock the front door and invite you in for dinner. You can best think of Conditional Access as an "If/Then" statement. For example, if you are coming from a device that is un-managed (and using an un-approved application), then allow access but require you to enroll the device in MDM (i.e. managed) and download the approved application for accessing email ,more info graphical representation ,click here.
If you are financial or insurance or other organization that have lot of security requirements with data breach using Intune,then this post is for you.
At the time of writing this blog post ,Intune does not provide MAM (it is more about controlling the data DLP) to protect the data in the apps like team,onedrive,outlook etc on Mac Devices. If user using onedrive using work account on Mac device ,there is no way you can protect the data while on windows 10 ,you can use WIP (windows information protection).
Since there is no DLP policies to protect data on Mac Devices ,you will have to find way to block access to mac users trying to connect o365 applications. To block this ,you can use conditional Access (azure AD premium subscription is required). I recently blogged about how to block unsupported OS using conditional access http://eskonr.com/2018/01/how-to-restrict-to-access-to-o365-from-unsupported-os-like-ubuntu-centos-using-conditional-access/
But there are cases like i have got,that you will get request from your customer asking for ,hey ,we have few senior executives,directors,CTO,CEO who are using Mac devices and they want to access email,teams .Can you do something for these guys ?
hm...if you get request something like this ,you must tell customer about the DLP issues and intune support for Mac devices. If customer is happy with the security breach ,then you are ready to provide solution to mac users .
How do we allow set of users to access o365 using mac devices while blocking others ?
We are going to use conditional Access to accomplish this task.
To achieve this task ,you are required to create 3 different conditional access (yes it is 3 ,that is what i have got it worked ,if you have better thing,post it via comment section) .
First ,gather the list of users or create AD security group in your on-prem AD /azure AD . I would prefer to go with On-prem AD and easy to add users later who would access Mac devices.
Once you have user group (O365-Mac-users) ,we can start create Conditional Access.
1.Conditional access (Global-Block-UnSupprtOS-AllLoc-AllClouldApps)—This CA will block all users to access all cloud apps for mac devices except the mac users (AD sec groups).
2.Conditional access (Global-Block-UnsuppOSExceptMacOS-AllLoc-AllApps)—This CA will block all unsupported OS except windows,ios, android (these already in use so must exclude) and Mac OS (this is going be use in now)
3.Conditional Access (Global-Allow-MacOS-AllLoc-outlook-teams)—This CA will allow Mac users (AD group created above) to access teams and outlook (if you want all intune supported apps, you can do so in this CA).
Now ,lets look into the settings for each Conditional Access.
1.Conditional access (Global-Block-UnSupprtOS-AllLoc-AllClouldApps:
Users and groups: Include all users and exclude the Mac users (AD security group ) that we created earlier.
Cloud apps: Select All cloud apps
Device platform : All platforms (including unsupported) but exclude Android,iOS,Windows . if you don't exclude then you are blocking all these devices.
Grant : Block Access with required one of the controls.
2.Conditional access (Global-Block-UnapprovedOSExceptMacOS-AllLoc-AllApps:
Users and groups: Mac user group
Cloud apps: All cloud apps
Device platforms: Include all platforms and in exclude ,select ios ,Andriod,Windows and Mac . This will allow all platform's except unsupported like Ubuntu ,Linux etc.
Block access with require one o the controls.
3.Conditional Access (Global-Allow-MacOS-AllLoc-outlook-teams):
We have reached to the final CA that does the trick to allow Mac users to use cloud apps.
Users and groups : add Mac user group that we created earlier.
Cloud apps : choose apps that you want to give access like teams,exchange online etc.
Conditions: device plat form ,include Mac OS Only.
For client apps ,choose mobile apps and desktop clients
Access control ,grant with require device to be marked as compliant and require one of the selected controls.
With this ,users who are part of the AD security group that we created earlier can access teams ,outlook after they enrol Mac Device (due to compliant policy ,what ever policy you set).
You can also use what if in Conditional access to verify what settings are applied to user .
Hope it helps!