Protect your corporate data using Microsoft Edge for mobile platforms

by info.odysseyx@gmail.com, September 25, 2024

In today's digital environment, businesses face unprecedented risks from sophisticated threat actors. IT administrators play a critical role in keeping company data secure both inside and outside the organization. At the same time, users need access to critical information on their mobile devices to stay productive on the go. Microsoft Intune has features that help administrators create policies that protect company data and mobile users while preserving users' personal preferences. Microsoft Edge for Business on mobile platforms is fully compliant with Microsoft Entra Conditional Access policies, which can be configured to require an Intune app protection policy (APP) before mobile users can access company data.

Note: If you are specifically interested in Windows, see aka.ms/Intune/APP/Edge-blog for more information.

What is Microsoft Edge for Business on mobile?

Edge for Business brings the best of Microsoft to mobile devices by providing a fast and secure browsing experience. Recognizing that workers need access to company data anytime, anywhere, Edge for Business enhances security with an enterprise sign-in experience, advanced protection, and privacy features. It also syncs favorites, passwords, and more across desktop and mobile devices. Edge provides a consistent and reliable experience designed to protect sensitive company information.

Maintain user preferences while improving security posture

Intune lets IT admins configure access requirements so that only policy-managed browser apps, such as Edge for Business, can access corporate web content. When an Intune policy is assigned and a user signs in to Edge for Business with their corporate credentials, it becomes a policy-managed browser.
If the user does not have Edge installed when they sign in, they are prompted to install it the first time they access a corporate web resource. It is important to note that while an Intune policy can specify that corporate data may only be accessed in the Edge browser, it does not change the user's default personal browser. Links from corporate policy-managed apps (such as Outlook or Teams) open in Edge, and links from personal apps open in the system default browser. This preserves user preferences and privacy while still protecting corporate web content with policy-managed apps.

Managed devices and managed apps

Mobile devices enrolled in Intune for mobile device management (MDM) are called "managed devices" and are suited to device management and configuration scenarios. On managed devices, IT administrators can pre-install Edge for Business without user interaction, and additional options can be configured for user convenience or to meet your company's data security standards.

Note: If the device is not enrolled, Intune cannot automatically install Edge in the background.

Users can sign in to an app (for example Outlook or Teams) with their corporate credentials and receive an app protection policy (APP); Intune calls these "managed apps". Regardless of device enrollment, IT admins can use APP to ensure that only APP-protected browsers can access corporate data. Let's look at a few parts of how this works.

Intune App Configuration Policy

App configuration policy settings, which configure apps to allow sign-in only with work or school accounts and shape other app behaviors, are important for IT administrators to be aware of and to set up in line with corporate policy. Keep in mind the type of device management in use when creating app configuration policies.
Microsoft Edge app configuration policies are not required in order to specify that Edge should be used for corporate web content, but some settings are useful for reflecting corporate policy and shaping the user experience. App configuration policies can add useful bookmarks to the browser and set predefined security controls, such as managing which websites allow file uploads. See Manage Microsoft Edge on iOS and Android with Intune for in-depth guidance on Edge management through app configuration policies.

Intune App Protection Policy

Because app and setting availability differ between platforms, a separate app protection policy is required for each platform. Review the settings lists in iOS/iPadOS app protection policy settings and Android app protection policy settings. One thing to keep in mind when creating a policy: if you use the "Target policy" option and choose "All apps", "All Microsoft apps" or "Core Microsoft apps", Microsoft Edge is included. You can see the included apps by selecting "View list of targeted apps".

On both mobile platforms, Edge for Business can be configured as the web content handler by setting the APP setting "Limit transfer of web content to other apps" to Microsoft Edge. Additional app data protection settings can be enabled in the same policy.

Configuring Edge as the web content handler

1. In the Microsoft Intune admin center, choose Apps > App protection policies.
2. Create a new policy and select a platform (or edit an existing policy).
3. Enter a policy name and select Next.
4. Select one of the app group options from the "Target policy" drop-down, or specify which apps should use Edge as their web content handler, then select Next.
5. On the Data protection page, check that "Restrict web content transfer with other apps" is set to "Microsoft Edge". This sets Edge as the designated corporate web content handler browser.

Figure 1: "Limit transfer of web content to other apps" set to Microsoft Edge.
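The same policy, created through Microsoft Graph instead of the admin center, as an added example that is not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Authentication module, a caller holding the DeviceManagementApps.ReadWrite.All permission, the Edge iOS bundle id shown (an assumption to verify against the targeted-app list), and the placeholder group id <APP-GROUP-ID>; the Android equivalent uses the androidManagedAppProtections endpoint and an androidMobileAppIdentifier.

```powershell
# Added example (not from the original post): create an iOS app protection policy
# via Microsoft Graph that designates Edge as the corporate web content handler,
# target Edge explicitly, then assign the policy to a user group.
# Assumptions: Microsoft.Graph.Authentication is installed, the caller has
# DeviceManagementApps.ReadWrite.All, and <APP-GROUP-ID> is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS APP - Edge as corporate web content handler"
    # "Limit transfer of web content to other apps" = Microsoft Edge (Figure 1)
    managedBrowser                          = "microsoftEdge"
    managedBrowserToOpenLinksRequireViewing = $true
    # Data-handling controls of the kind the post says to align with company policy
    saveAsBlocked                           = $true
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy
$id = $created.id

# Target Edge explicitly (bundle id is an assumption; confirm it against
# "View list of targeted apps" in the admin center)
$apps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.msedge"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/targetApps" -Body $apps

# Assign to the same group that the Conditional Access policy will later target,
# so users meet the "require app protection policy" grant control
$assign = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "<APP-GROUP-ID>"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" -Body $assign
```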
Set configuration options that align with your company's data handling policies. For example, many companies restrict whether files can be saved to mobile devices and whether data can be cut, copied or pasted outside managed apps. Edge is built to comply with app protection policies and honors the settings you specify, so corporate data handling is consistent across every app that receives the policy. A consistent and predictable experience helps keep users productive.

Setting up Microsoft Entra Conditional Access policies

The next step is to enforce the app protection policy you created, which specifies that Edge serves managed app web content, through Microsoft Entra Conditional Access. App protection policies control how data is accessed and shared within managed apps, based on policy settings. However, on their own they do not require users to access corporate data only from managed apps: a user can reach corporate data by manually entering a URL in an unmanaged browser as long as they can authenticate, because nothing forces a managed app to be used. Conditional Access can be set up to require that apps used to access company data have an app protection policy applied. Make sure that the users targeted by this policy also have an app protection policy assigned to them; otherwise they may not meet the criteria of the conditional access policy.

Note: Conditional Access requires that you enroll your device in Microsoft Entra using a broker app. For more information, see Using app-based Conditional Access policies with Intune.

Requiring an app protection policy

Viewing and editing conditional access policies requires delegated Microsoft Entra ID permissions for IT administrators. This privilege is granted to some IT administrators through the Microsoft Entra "Conditional Access Administrator" role. In the Intune admin center, go to Endpoint security > Conditional Access > Policies.
1. Select an existing policy to update, or create a new policy. When creating a new policy, see the Conditional Access documentation for guidance on the setup that best fits your business.
2. Under Access controls > Grant, choose Grant access.
3. Make sure Require app protection policy is checked, then click Select.
4. Under Enable policy, choose Report-only. This does not yet force corporate data to be accessed through managed apps, but it shows which apps would be affected if the conditional access policy were enforced. Use it to verify that the scope and settings work as intended; once the rule behaves as expected, you can change it from "Report-only" to "On" at any time.
5. Click the Create button to apply the policy. After verifying that the settings require an app protection policy, set the policy to "On".

Figure 2: Conditional Access "Require app protection policy" grant control.

Call to action: putting it all together

Whether you want to implement Zero Trust principles or simply improve your company's data security posture, restricting access to company data to managed apps on mobile devices, as outlined in this blog, is a good idea. Use this checklist to make sure you have covered the key areas:

- Create app protection policies with your organization's data protection requirements in mind.
- Make sure Microsoft Edge and the other approved apps are included in your app protection policy.
- Enable Microsoft Edge as the web content handler.
- Set up a Conditional Access policy to require the use of policy-managed apps on mobile devices.

By implementing Edge for Business on mobile platforms and leveraging Intune app protection policies enforced by Conditional Access, organizations can significantly strengthen their data security posture. These measures ensure that corporate data is accessed only through managed apps and browsers, reducing the risk of data breaches and leaks.
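The Conditional Access policy from the steps above, created in report-only mode through Microsoft Graph, as an added example that is not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Authentication module, a caller holding Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and the placeholder <CA-GROUP-ID> for the same group the app protection policy is assigned to.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# that requires an app protection policy on mobile, starting in report-only mode.
# Assumptions: Microsoft.Graph.Authentication is installed, the caller has
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and <CA-GROUP-ID> is a
# placeholder for the group that already receives the app protection policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$caUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

$caPolicy = @{
    displayName = "Mobile - require app protection policy"
    # Report-only first, as the post advises: sign-ins are evaluated and logged, not blocked
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("<CA-GROUP-ID>") }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # The "Require app protection policy" grant control shown in Figure 2
        builtInControls = @("compliantApplication")
    }
}
$created = Invoke-MgGraphRequest -Method POST -Uri $caUri -Body $caPolicy
"Created report-only policy $($created.id)"

# Call this only after the report-only results show the expected scope;
# it switches the same policy from "Report-only" to "On".
function Set-CaPolicyEnforced {
    param([string]$PolicyId)
    Invoke-MgGraphRequest -Method PATCH -Uri "$caUri/$PolicyId" -Body @{ state = "enabled" }
}
```

Review the sign-in logs for the report-only policy before calling Set-CaPolicyEnforced, since users outside the app protection policy assignment would otherwise be blocked once it is enforced.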
Stay ahead of potential threats and keep your company's sensitive information safe while allowing your employees to remain productive. We hope you find this experience useful and easy to set up with Edge and Intune. If you have any questions or feedback, please leave a comment below or tag us on X at @IntuneSoupTeam.