Microsoft Intune (formerly Windows Intune) is a Microsoft cloud-based unified endpoint management service for both corporate and BYOD devices. It extends some of the "on-premises" functionality of Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.
Connecting the Integration
To integrate Microsoft Intune with Secureframe, navigate to Integrations and search for “Microsoft InTune” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.
More than one Microsoft Intune integration can be connected in Secureframe by repeating the steps above from the "Available Integrations" page.
Configuring Checks (Tests)
To ensure Intune accurately monitors and reports the compliance status of devices to Secureframe, devices must be configured appropriately. Several checks need to be configured; the steps for each are listed below:
Anti-malware Check
Here are step-by-step instructions for Intune (Mac and PC) for anti-malware enforcement on user endpoints. After confirming you are set up correctly, an integration sync is required (or wait for the nightly sync).
Windows:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "Windows 10 and later".
- In "Profile type", select "Templates".
- Select "Device Restrictions" from the Template names section and click the "Create" button.
- Name your policy "Windows Native Antivirus Enabled", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Microsoft Defender Antivirus" and expand it. Set the following settings as below:
  - Real-time monitoring => Enable
  - Behavior monitoring => Enable
  - Scan all downloads => Enable
  - Monitor file and program activity => Monitor all files
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Mac:
Install Gatekeeper or XProtect on your machine.
Linux:
This test does not apply to Linux devices.
Firewall Check
Here are step-by-step instructions for Intune (Mac and PC) for firewall acceptance. After confirming you are set up correctly, an integration sync is required (or wait for the nightly sync).
Windows:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "Windows 10 and later".
- In "Profile type", select "Templates".
- Select "Endpoint protection" from the Template names section and click the "Create" button.
- Name your policy "Local Firewall Enabled", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Microsoft Defender Firewall" and expand it. Expand "Network Settings".
- Expand "Domain (workplace) network" and set:
  - Microsoft Defender Firewall => Enable
- Expand "Private (discoverable) network" and set:
  - Microsoft Defender Firewall (Private networks) => Enable
- Expand "Public (non-discoverable) network" and set:
  - Microsoft Defender Firewall (Public networks) => Enable
  - Microsoft Defender Firewall rules from the local store (Public networks) => Allow
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Mac:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "macOS".
- In "Profile type", select "Templates".
- Select "Endpoint protection" from the Template names section and click the "Create" button.
- Name your policy "Local Firewall", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, expand "Firewall" and set:
  - Enable Firewall => Yes
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices" and "All users", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Your Mac setting should look similar to this:
Linux:
Note: Intune's API does not allow us to pull firewall status for Linux devices. Upload a screenshot showing this setting applied and click “Ignore” on the respective failing Linux test results.
Screen lock check
Here are step-by-step instructions for Intune (Mac and PC) for screen lock acceptance. After confirming you are set up correctly, an integration sync is required (or wait for the nightly sync).
Windows:
If Password Check has been configured:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Find the previously configured "Windows Password Enforcement" profile and open it.
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following setting as below:
  - Maximum minutes of inactivity until screen locks => 15
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- If "Applicability Rules" appears, skip it and finalize the change.
If Password Check has not been configured:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "Windows 10 and later".
- In "Profile type", select "Templates".
- Select "Device Restrictions" from the Template names section and click the "Create" button.
- Name your policy "Session Timeout", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following setting as below:
  - Maximum minutes of inactivity until screen locks => 15
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Mac:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "macOS".
- In "Profile type", select "Templates".
- Select "Device Restrictions" from the Template names section and click the "Create" button.
- Name your policy "Session Timeout", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following setting as below:
  - Maximum minutes of inactivity until screen locks => 15
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Linux:
Note: Intune's API does not allow us to pull session timeout status for Linux devices. Upload a screenshot showing this setting applied and click “Ignore” on the respective failing Linux test results.
Password check
Here are step-by-step instructions for Intune (Mac and PC) for password acceptance. After confirming you are set up correctly, an integration sync is required (or wait for the nightly sync).
Windows:
If Screen Lock Check has been configured:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Find the previously created "Session Timeout" profile and open it.
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following settings as below:
  - Password => Require
  - Minimum password length => 8
  - Required password type => Alphanumeric
  - Password complexity => Select either "Numbers, lowercase and uppercase letters required" or "Numbers, lowercase and uppercase letters required and special characters required"
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- If "Applicability Rules" appears, skip it and finalize the change.
If Screen Lock check has not been configured:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "Windows 10 and later".
- In "Profile type", select "Templates".
- Select "Device Restrictions" from the Template names section and click the "Create" button.
- Name your policy "Windows Password Enforcement", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following settings as below:
  - Password => Require
  - Minimum password length => 8
  - Required password type => Alphanumeric
  - Password complexity => Select either "Numbers, lowercase and uppercase letters required" or "Numbers, lowercase and uppercase letters required and special characters required"
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Mac:
- Go to https://endpoint.microsoft.com/
- Click "Devices" in the left sidebar menu.
- On the "Devices" page, scroll down the inner sidebar to the "Policy" section and click "Configuration Profiles".
- Click "Create Profile".
- In the "Platform" dropdown, select "macOS".
- In "Profile type", select "Templates".
- Select "Device Restrictions" from the Template names section and click the "Create" button.
- Name your policy "Password Enforcement", provide a description (optional) and click "Next".
- In the "Configuration Settings" tab, scroll down to "Password" and expand it. Set the following settings as below:
  - Password => Require
  - Minimum password length => 8
  - Required password type => Alphanumeric
  - Number of non-alphanumeric characters in password (special characters) => 1 or greater
- Click "Next".
- In the "Assignments" tab, under "Included groups", click "Add all devices", then click "Next".
- Skip "Applicability Rules" and click the "Create" button.
Linux:
Note: Intune's API does not allow us to pull password policy status for Linux devices. Upload a screenshot showing this setting applied and click “Ignore” on the respective failing Linux test results.
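As an added example (not Secureframe's or Microsoft's code), the following PowerShell script, run from an elevated prompt on a managed Windows endpoint, reports whether the device's effective state matches the four Windows checks above (anti-malware, firewall, screen lock and password) after the Intune profiles have applied. It uses the built-in Get-MpPreference and Get-NetFirewallProfile cmdlets and `net accounts`; the registry value used for the screen-lock check is an assumption about where the Intune inactivity setting is written.

```powershell
# Added verification script; assumes the Intune profiles described above have
# already synced to this device. Run as Administrator.
$results = [ordered]@{}

# Anti-malware check: the "Windows Native Antivirus Enabled" profile turns on
# real-time monitoring, behavior monitoring and download (IOAV) scanning.
# Get-MpPreference exposes these as Disable* flags, so invert them.
$mp = Get-MpPreference
$results['Defender real-time monitoring'] = -not $mp.DisableRealtimeMonitoring
$results['Defender behavior monitoring']  = -not $mp.DisableBehaviorMonitoring
$results['Defender scan all downloads']   = -not $mp.DisableIOAVProtection

# Firewall check: the "Local Firewall Enabled" profile enables the firewall on
# the Domain, Private and Public profiles; each must report Enabled = True.
foreach ($profile in Get-NetFirewallProfile) {
    $results["Firewall enabled ($($profile.Name))"] = ($profile.Enabled -eq 'True')
}

# Screen lock check (assumption): the Intune "Maximum minutes of inactivity
# until screen locks" setting lands in InactivityTimeoutSecs under the System
# policy key. 15 minutes = 900 seconds; 0 or absent means no lock is enforced.
$sysPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results['Screen lock within 15 minutes'] =
    ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le 900)

# Password check: the "Windows Password Enforcement" profile requires a minimum
# length of 8. `net accounts` prints the effective local policy; strip
# everything but digits so "None" becomes an empty string and fails the check.
$minLen = (net accounts | Select-String 'Minimum password length').ToString() -replace '\D', ''
$results['Minimum password length >= 8'] = ($minLen -ne '') -and ([int]$minLen -ge 8)

# Print one PASS/FAIL line per check so the output can be kept as evidence.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

A FAIL on any line means the corresponding Intune profile has not applied to this device yet (or is not assigned to it), so it will also fail the Secureframe test after the next sync.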
Helpful resources
Additional considerations on endpoint security, including device scoping, can be found here.
Permissions, Fields Pulled, Controls, and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
Frequently Asked Questions (FAQ)
We have two separate M365 tenants with Intune to separately manage our servers and workstation policies. Is it possible to connect both Intune environments to the integration at the same time?
- Yes, you can proceed with a separate connection.