Introduction:
The Microsoft Surface Hub is an all in one multi-touch screen solution that empowers people, groups and organizations to connect and collaborate effortlessly. The Surface Hub is a wall-mounted or roller-stand-mounted device with either a 55-inch (140 cm) 1080p or an 84-inch (210 cm) 4K 120 Hz touchscreen with multi-touch and multi-pen capabilities, running the Windows 10 operating system.[3] The devices are targeted for businesses to use while collaborating and videoconferencing. More information about surface hub https://docs.microsoft.com/en-us/surface-hub/manage-surface-hub
Managing surface hub (allowing office 365 applications )using intune is very straight forward. All you need is enroll the surface hub either automatic or manual way.
Manual enrollment:
To configure manual enrollment
- On your Surface Hub, open Settings.
- Type the device admin credentials when prompted.
- Select This device, and navigate to Device management.
- Under Device management, select + Device management.
- Follow the instructions in the dialog to connect to your MDM provider.
Automatic enrollment via Azure Active Directory join:
Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. For more information, see Enable Windows 10 automatic enrollment.
Problem:
If you are using conditional access and you allow BYOD windows 10 devices with compliant then mostly you don't need to look at this post as this post explains about ,what if you don't allow BYOD devices and only allow hybrid azure AD join devices to connect to office 365 ?
If your org do not allow BYOD (bring your own device a.k.a personnel windows 10 devices which are not domain joined) then you will have conditional access policy with setting below.
What are the reasons for not allowing BYOD windows 10 for now (At the time of writing this post) ?
Windows 10 has different editions like pro,enterprise ,home etc. If you allow BYOD windows 10 with compliant in conditional access policy, you must create WIP (windows information protection) to be applied to enrolled devices to protect your org data . I have couple of blog post on WIP for windows 10
So far good that ,you can create & apply WIP (windows information protection) when the device is enrolled but if your users are using windows 10 Home edition ,then WIP policies cannot be applied even though the device enrollment success and conditional access allow to access onedrive,team ,outlook etc hence there is DLP issue.
The only possible way to prevent enrolling of windows 10 home edition is to create device compliance policy with Bitlocker .since bitlocker do not work on home edition ,all Windows 10 pro & enterprise users can enroll the device ,enable bitlocker & start accessing o365 applications on BYOD but there is dependency of managing these BYOD device bitlocker keys by organisation.
Organisation do not want to take the responsibility of managing these BYOD bitlocker keys and more over,home users are not aware of all these bitlocker stuff hence Customer decided to block BYOD for now and enable only Domain joined computers (Hybrid Azure AD join).
If this is the case for windows 10 Home ,then when do customer allow BYOD devices to get benefit from office 365? When Microsoft bring up something in conditional access policy with editions that detect if the enrolled windows 10 device is home, pro or enterprise .
So having conditional access policy with hybrid azure AD join ONLY ,how do we allow surface hub which is in workgroup for users to access office 365 applications ?
Surface hub device cannot be joined to domain hence hybrid azure AD join will not work .If you allow compliant and apply the policy to all users then user cannot login to any windows 10 ,especially home edition and leak the data.
Without compromising the security policies what is defined (hybrid Azure AD Join) ,how do we allow only the surface hub device to access office 365 applications by all users when they login ?
Solution:
We got solution to manage surface hub by assigning static IP address and then create named location with this IP address ,exclude name location in trusted location and apply the policy to all users.
With this ,we are trusting the surface hub with static IP address and let users connect to office 365 from this device ONLY .
1. Login to Azure portal conditional access blade https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
2. Click on Named location on the left pane
3.Click on New location
4. Enter the Name and IP address (must be in CIDR format)
Make sure you check ‘Mark as trusted location’ ,click on Create
5. We now have trusted location that we don't want to apply conditional access policy on this for all users.
6. Now we will exclude this trusted location in conditional access policy that is created for Hybrid Azure AD join.
Go to Hybrid azure AD join conditional access policy ,Click on conditions, Locations,exclude (you must have this enabled else you cannot get it going) ,click on exclude
Choose the named location that we created above to exclude from Hybrid Azure AD join policy
7.Click on Done, Done and save the policy.
With this setting, we now allow surface hub to access office 365 apps without applying conditional access policy only to this device .
Now login to surface hub and enroll the surface device manually using the steps given above .
Troubleshooting:
If you have any issues while accessing office 365 apps like teams on surface hub by any user ,check the sign-in logs from Azure AD portal ,see what is stopping them to access and take necessary action.
If the access is being stopped by conditional access policy ,then review the policies what is applied to user using what-If
Hope it helps!
Additional details:
2 Comments
Although this works I'm still hoping there will be a better Conditional Access solution popping up for the Surface Hubs with the introduction of the HUB 2S (as the current OS build is still on 1703). We are using proxies to connect to the internet and as such whitelisting based on IP-addresses is not sustainable in my opinion.
Hi Frank,
thats true but hoping to expect some changes in the conditional access policy for hub to make things easier.
Thanks,
Eswar