Microsoft Intune is Microsoft’s MDM solution. Secureframe integrates with Microsoft Intune and pulls in device and app information for Windows and Mac devices. We continuously monitor the configuration of these devices through our tests.
Connecting the integration
Step 1: Navigate to the Integration
- Go to the Integrations page in Secureframe.
- Search for Microsoft Intune in the "Available Integrations" list.
- Click Connect.
Step 2: Select Account Type
When prompted to select an account type:
- Select Worldwide (most common) for standard Microsoft 365 tenants, or
- Choose U.S. Government GCC High if your organization uses the Microsoft 365 Government cloud.
Note: You must be logged in as a Microsoft Intune admin to set up this connection. If you are not logged in as an admin, the connection will fail due to authentication errors.
Step 3: Start the Connection
- After selecting your account type, click Start Connection.
You will be redirected to Microsoft’s login page. Sign in with your Intune admin credentials and approve the required permissions.
Step 4: Complete Setup
- After authentication, the integration will finalize the connection and begin syncing device data into Secureframe.
- You can now proceed to configure compliance and configuration policies as outlined in the next sections.
Configuring Checks (Tests)
Understanding Compliance and Configuration Policies
In Microsoft Intune, it's essential to distinguish between compliance policies and configuration policies:
- Compliance Policies: These policies assess whether a device meets your organization's defined security and operational standards without directly configuring the device. They monitor and report on the device's adherence to specified conditions.
- Configuration Policies: These policies actively configure device settings to align with organizational requirements, such as enforcing password complexity or enabling encryption.
For effective monitoring and management within Secureframe, it's recommended to create individual compliance policies for each specific check (e.g., separate policies for antivirus status, firewall status, etc.). This approach allows Secureframe to display compliance statuses more granularly, facilitating precise tracking and remediation.
By implementing distinct policies for each compliance aspect, you ensure that each device's adherence to specific security standards is accurately evaluated and reported.
To get more Intune information, users can head to their Intune dashboard:
- Go to Devices > All devices and click the name of the device in question.
- On the device page, go to Monitor > Device compliance or Monitor > Device configuration; each view lists all of the policies applied to the device and their current statuses.
Important Note: The individual policies are required for us to display the configuration information accurately in Secureframe.
Compliance Policies
These policies evaluate whether a device meets your organization’s defined security and operational standards, but do not directly configure the device. Instead, they monitor and report on whether the given conditions are met.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.
Compliance Policies: Anti-malware Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Native Antivirus Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Gatekeeper”, set the “Allow apps downloaded from these locations” to either “Mac App Store” or “Mac App Store and identified developers”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Scroll down to “Antivirus” and set it to “Require”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Firewall Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Local Firewall Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Device Security”, set the “Firewall” to “Enable”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Device Security”, set the “Firewall” to “Enable”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Password Enforcement Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
  - Require a password to unlock devices = Require
  - Password type = Alphanumeric
  - Minimum password length = 8 or greater
  - Number of non-alphanumeric characters in password = 1 or greater
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
  - Require a password to unlock devices = Require
  - Password type = Alphanumeric
  - Password complexity = Require digits and lowercase letters (or better)
  - Minimum password length = 8 or greater
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Session Timeout Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Session Timeout Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
  - Require a password to unlock devices = Require
  - Maximum minutes of inactivity before password is required = 15 minutes (or less)
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Session Timeout Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
  - Require a password to unlock devices = Require
  - Maximum minutes of inactivity before password is required = 15 minutes (or less)
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Configuration Policies
These policies push specific settings and configurations down to devices. Using these kinds of policies will automatically deploy, configure, and enforce the rules set by your organization. Secureframe uses these policies to check whether a particular device has been configured this way in order to determine whether it is compliant.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.
Configuration Policies: Anti-malware Check
MacOS
Intune does not support anti-malware configuration policies for macOS. In order for a macOS device to pass the anti-malware check, you will either need to ensure XProtect is present on the machine, or use a Compliance Policy instead.
Windows
Note: If you want to use a different, non-Defender anti-virus product, you will need to set up a Compliance Policy instead. Compliance Policies support other anti-virus software that is also supported by Windows.
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
- In “Configuration settings”, scroll down to “Microsoft Defender Antivirus” and expand it. Set the value for the following settings:
  - Real-time monitoring = Enable
  - Behavior monitoring = Enable
  - Scan all downloads = Enable
  - Monitor file and program activity = Monitor all files
- Click “Next”
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Firewall Check
MacOS
Microsoft has deprecated the ability to check for firewall compliance using Configuration Policies. To do so you will need to create a Compliance Policy.
Windows
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Endpoint protection” from the templates section and click “Create”.
- Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Windows Firewall” and scroll down to “Network settings”.
- Expand “Domain (workplace) network” and set the following value:
  - Windows Firewall = Enable
- Expand “Private (discoverable) network” and set the following value:
  - Windows Firewall = Enable
- Expand “Public (non-discoverable) network” and set the following values:
  - Windows Firewall = Enable
  - Windows Firewall rules from the local store = Allow
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Password Enforcement Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “macOS”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
  - Password = Require
  - Required password type = Alphanumeric
  - Number of non-alphanumeric characters in password = 1 or greater
  - Minimum password length = 8
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Windows
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
  - Password = Require
  - Required password type = Alphanumeric
  - Password complexity = Numbers and lowercase letters required
  - Minimum password length = 8
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Session Timeout Check
MacOS
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “macOS”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “MacOS Session Timeout” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
  - Password = Require
  - Maximum minutes of inactivity until screen locks = 10 minutes or less
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Session Timeout” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
  - Password = Require
  - Maximum minutes of inactivity until screen locks = 15 minutes or less
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Helpful resources
Additional considerations on endpoint security, including device scoping, can be found here.
Permissions, Fields Pulled, Controls, and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
Frequently Asked Questions (FAQ)
We have two separate M365 tenants with Intune to separately manage our servers and workstation policies. Is it possible to connect both Intune environments to the integration at the same time?
- Yes, you can proceed with a separate connection.
Do you pull in iOS or Android device information?
- Yes, we can pull in mobile devices (iOS and Android), but not in all situations. This depends on how device profiles are configured in Intune.
- Please note that we currently do not support compliance checks for mobile devices.
Do you pull in data for non-corporate devices?
- Intune only reports UDIDs and installed apps for corporate devices, so we are not able to run checks on non-corporate devices.
How often is the data refreshed for Intune?
- Intune only allows scans and reports on device data once every 7 days, so the data in Secureframe refreshes on the same schedule.
What are the licensing requirements?
- Only users with an Intune license can enroll their corporate devices.
For the "Firewall enforcement for user endpoints (Microsoft Intune)" test, why are some of my users showing "local firewall is not enabled for device" when I know it is enabled?
- Because we pull in compliance information from compliance or configuration policies, our status may differ from what is displayed in the Endpoint security section of Intune.
- With that said, we recommend you review the following in your Intune tenant to confirm:
  - Go to Devices > All devices and click the name of the device in question.
  - On the device page, go to Monitor > Device compliance or Monitor > Device configuration; each view lists all of the policies applied to the device and their current statuses.
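As an added example (not code from this article, Secureframe, or Microsoft), the following PowerShell script reads, on a single Windows 10/11 device, the local state that the Windows anti-malware, firewall and session-timeout policies described above are meant to enforce, so that a "not enabled" result in Secureframe can be compared against the device itself rather than only against the Intune portal. It assumes the built-in Defender and NetSecurity PowerShell modules are present, an elevated session, and that the Intune inactivity setting lands in the InactivityTimeoutSecs registry value (an assumption, noted in the code).

```powershell
# Added example: local verification of the device state behind the Intune checks.
# Assumes the Defender and NetSecurity modules (built into Windows 10/11) and an
# elevated PowerShell session. Prints one PASS/FAIL line per setting.

$results = [ordered]@{}

# --- Anti-malware: mirrors the "Windows Native Antivirus Enabled" policy ---
$mp = Get-MpComputerStatus
$results['Defender.AntivirusEnabled']    = [bool]$mp.AntivirusEnabled
$results['Defender.RealTimeProtection']  = [bool]$mp.RealTimeProtectionEnabled
$results['Defender.BehaviorMonitoring']  = [bool]$mp.BehaviorMonitorEnabled
$results['Defender.ScanDownloads(IOAV)'] = [bool]$mp.IoavProtectionEnabled

# --- Firewall: mirrors "Windows Local Firewall Enabled" for all three profiles ---
# The policy requires Domain, Private and Public to each be enabled; a device
# with only one profile disabled will still fail the Intune check.
foreach ($profile in Get-NetFirewallProfile) {
    $results["Firewall.$($profile.Name).Enabled"] = [bool]$profile.Enabled
}

# --- Session timeout: mirrors "Windows Session Timeout" (15 minutes or less) ---
# Assumption: the Intune inactivity setting is applied as the
# "Interactive logon: Machine inactivity limit" value below (seconds).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results['Lock.InactivityTimeoutSecs(<=900)'] = ($null -ne $secs -and $secs -le 900)

# Report. Any FAIL here is a local misconfiguration to fix before re-checking the
# policy status under Monitor > Device compliance / Device configuration in Intune.
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0,-40} {1}' -f $entry.Key, $status
}
```

A FAIL on a Defender line when a third-party anti-virus is in use is expected, since Defender is then passive; that is the case the article directs to a Compliance Policy rather than a Configuration Policy.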