Imagine if you could verify several conditions before you let someone into your house. You could not only give someone a key, but also see their face, hear their voice, see the environment around them and verify your house is clean before opening the door. Conditional Access provides this level of security before someone joins your network or accesses your data.
Fresh off their experience at Microsoft Ignite, Neil Johnson (Principal Program Manager, Microsoft) and Arnab Biswas (Program Manager, Microsoft) hopped into a Jamf Nation User Conference 2019 session to share the history, current state and future plans for Conditional Access with Jamf Pro.
If you are new to the idea of Conditional Access, the idea is simple. Users are no longer tied to their networks by ethernet cables. This creates a new challenge for IT Admins to ensure devices are secure and only authorized users have access to important company data.
Jamf and Microsoft partnered together in 2017 to solve the issue of securing Macs that are using wireless Internet and are mobile. The solution combines Microsoft Enterprise Mobility + Security (EM+S) conditional access and Jamf Pro Mac management capabilities to ensure that company data can only be accessed by trusted users, from trusted devices, using trusted apps.
Before a user is granted access to a Mac, Microsoft EM+S asks several questions:
- Is this a privileged user?
- Are these credentials found in public?
- Are they trying to access a sensitive app?
- Is this device unmanaged?
- Is malware detected?
- Is the IP detected in Botnet?
- Is there impossible travel happening (i.e. is a user logged in simultaneously in France and Australia)?
- Is there an anonymous client?
If any of these conditions is flagged as risky, EM+S will either deny access or add extra sign-in steps, such as multi-factor authentication (MFA). It’s a pretty robust process, and using Jamf to push it out makes it even more powerful.
Why use EM+S and Jamf?
Microsoft performed a detailed study of their Microsoft Endpoint Manager (formerly Intune) customers and found the majority were already using Jamf Pro and were very happy with their experience. Microsoft found they could benefit from industry-leading Mac Management from Jamf. They can also pull the rich inventory Jamf already captures to include it in the security review. Device compliance can be evaluated based on:
- Device health: System Integrity Protection (SIP)
- Device properties: min/max OS
- System security: password rules, encryption, firewall and Gatekeeper
Intune device compliance is achieved on Jamf managed Macs when leveraging Azure Active Directory Conditional Access. The process is outlined below:
- Mac is managed by Jamf Pro
- Mac is registered with Intune
- Jamf sends macOS device inventory to Intune
- Intune evaluates compliance
- Generates compliance report
- Azure AD enforces Conditional Access
  - Allow access to network, apps, etc. for compliant devices
  - Block access from non-compliant devices
- User-friendly remediation experience provided by Intune and Jamf
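To make the compliance criteria and the enforcement flow above concrete, here is an added example (not Jamf's or Microsoft's code, and not their real inventory schema or policy values): a small evaluator that scores a constructed Jamf-style inventory record against the three compliance categories, then applies a Conditional Access decision, including MFA step-up when a risk signal such as impossible travel is present. All field names, thresholds and sample records are assumptions made for this illustration.

```python
# Added example: simplified Jamf -> Intune -> Azure AD compliance flow.
# Field names, policy values and records below are constructed assumptions,
# not the real Jamf inventory schema or Intune compliance settings.

POLICY = {
    "min_os": (10, 14, 6),   # oldest macOS allowed (assumed value)
    "max_os": (10, 15, 99),  # newest macOS allowed (assumed value)
    "min_password_len": 8,   # password rule (assumed value)
}

def parse_version(s: str) -> tuple:
    """'10.15.1' -> (10, 15, 1); pads two-part versions like '10.15' with 0."""
    parts = [int(p) for p in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def evaluate_compliance(inv: dict) -> list:
    """Return the failed checks for one device record (empty list == compliant)."""
    failures = []
    if not inv.get("sip_enabled"):  # device health: System Integrity Protection
        failures.append("sip_disabled")
    os_ver = parse_version(inv.get("os_version", "0"))
    if not (POLICY["min_os"] <= os_ver <= POLICY["max_os"]):  # device properties: min/max OS
        failures.append("os_out_of_range")
    # system security: password rules, encryption, firewall, Gatekeeper
    if inv.get("min_password_length", 0) < POLICY["min_password_len"]:
        failures.append("weak_password_policy")
    if not inv.get("filevault_enabled"):
        failures.append("disk_not_encrypted")
    if not inv.get("firewall_enabled"):
        failures.append("firewall_off")
    if not inv.get("gatekeeper_enabled"):
        failures.append("gatekeeper_off")
    return failures

def access_decision(inv: dict, registered_with_intune: bool, risk_signals=()) -> str:
    """Model the Azure AD step: unmanaged -> block, non-compliant -> block, risky -> MFA."""
    if not registered_with_intune:
        return "block: device unregistered"
    failures = evaluate_compliance(inv)
    if failures:
        return "block: " + ",".join(failures)
    if risk_signals:
        return "require_mfa: " + ",".join(risk_signals)
    return "allow"

# Constructed sample inventory records (not real Jamf output).
COMPLIANT_MAC = {"sip_enabled": True, "os_version": "10.15.1", "min_password_length": 12,
                 "filevault_enabled": True, "firewall_enabled": True, "gatekeeper_enabled": True}
LEGACY_MAC = dict(COMPLIANT_MAC, os_version="10.13.6", filevault_enabled=False)
```

A record that fails a check is blocked with the reasons listed, which is what the remediation step in the flow would surface to the user.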
Enforcing Conditional Access lets an IT team know that their devices are being managed and that the highest security bar is being met.