Microsoft Intune

Microsoft Intune is Microsoft’s mobile device management (MDM) solution. Secureframe integrates with Microsoft Intune and pulls in device and app information for Windows and Mac devices. We continuously monitor the configuration of these devices through our tests.

Connecting the integration

You must be an admin of Microsoft Intune to set up this connection.
To integrate Microsoft Intune with Secureframe, navigate to Integrations and search for “Microsoft Intune” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.
More than one Microsoft Intune integration can be connected in Secureframe by repeating the steps above from the “Available Integrations” page.

Configuring Checks (Tests)

Compliance Policies

These policies check and evaluate whether a device meets your organization’s defined security and operational standards, but do not directly configure the device. Instead, they monitor and report on whether the given conditions are met.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.

Compliance Policies: Anti-malware Check

MacOS:

  1. Go to https://intune.microsoft.com 
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “macOS” and click “Create”.
  6. Name your policy as “MacOS Native Antivirus Enabled” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. For “Gatekeeper”, set the “Allow apps downloaded from these locations” to either “Mac App Store” or “Mac App Store and identified developers”.
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Windows:

  1. Go to https://intune.microsoft.com 
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
  6. Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. Scroll down to “Antivirus” and set it to “Require”.
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Compliance Policies: Firewall Check

MacOS:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “macOS” and click “Create”.
  6. Name your policy as “MacOS Local Firewall Enabled” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. For “Device Security”, set the “Firewall” to “Enable”.
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Windows:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
  6. Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. For “Device Security”, set the “Firewall” to “Enable”.
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Compliance Policies: Password Enforcement Check

MacOS:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “macOS” and click “Create”.
  6. Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. Under “Password” set the following values:
    1. Require a password to unlock devices = Require
    2. Password type = Alphanumeric
    3. Minimum password length = 8 or greater
    4. Number of non-alphanumeric characters in password = 1 or greater
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Windows:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
  6. Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. Under “Password” set the following values:
    1. Require a password to unlock devices = Require
    2. Password type = Alphanumeric
    3. Password complexity = Require digits and lowercase letters (or better)
    4. Minimum password length = 8 or greater
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Compliance Policies: Session Timeout Check

MacOS:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “macOS” and click “Create”.
  6. Name your policy as “MacOS Session Timeout Check” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. Under “Password” set the following values:
    1. Require a password to unlock devices = Require
    2. Maximum minutes of inactivity before password is required = 15 minutes (or less)
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.

Windows:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
  4. Click “Create policy”
  5. In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
  6. Name your policy as “Windows Session Timeout Check” and provide an optional description, then click “Next”.
  7. Under “Compliance settings” expand “System Security”.
  8. Under “Password” set the following values:
    1. Require a password to unlock devices = Require
    2. Maximum minutes of inactivity before password is required = 15 minutes (or less)
  9. Click “Next”.
  10. Optionally determine your actions for non-compliance and click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Under “Review + create” review your settings and click “Create”.
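To make the four compliance checks above concrete in data terms, here is an added example (my code, not Secureframe’s or Microsoft’s) that evaluates compliance policy objects of the shape Microsoft Graph returns from /deviceManagement/deviceCompliancePolicies against the thresholds given above and lists the platform/check pairs that no policy satisfies. The property names used (antivirusRequired, activeFirewallRequired, firewallEnabled, gatekeeperAllowedAppSource, passwordRequired, passwordRequiredType, passwordMinimumLength, passwordMinimumCharacterSetCount, passwordMinutesOfInactivityBeforeLock) and the mapping of the portal’s character-count settings onto passwordMinimumCharacterSetCount are assumptions taken from the Graph reference for windows10CompliancePolicy and macOSCompliancePolicy; confirm them against the current reference and a real GET response before relying on this.

```python
W, M = "#microsoft.graph.windows10CompliancePolicy", "#microsoft.graph.macOSCompliancePolicy"
PLATFORMS = {W: "windows", M: "macos"}  # the two platforms the integration covers

def _password_base(p: dict) -> bool:
    return (p.get("passwordRequired") is True and p.get("passwordRequiredType") == "alphanumeric"
            and (p.get("passwordMinimumLength") or 0) >= 8)

def _timeout(p: dict) -> bool:
    # "15 minutes (or less)"; an absent or 0 value means not configured and must not count as "less".
    return p.get("passwordRequired") is True and 0 < (p.get("passwordMinutesOfInactivityBeforeLock") or 0) <= 15

CHECKS = {  # one predicate per check, keyed by platform; Graph property names are assumed (see lead-in)
    "windows": {
        "antimalware": lambda p: p.get("antivirusRequired") is True,
        "firewall": lambda p: p.get("activeFirewallRequired") is True,
        # "Require digits and lowercase letters (or better)" = at least two character sets
        "password": lambda p: _password_base(p) and (p.get("passwordMinimumCharacterSetCount") or 0) >= 2,
        "session_timeout": _timeout,
    },
    "macos": {
        "antimalware": lambda p: p.get("gatekeeperAllowedAppSource") in ("macAppStore", "macAppStoreAndIdentifiedDevelopers"),
        "firewall": lambda p: p.get("firewallEnabled") is True,
        # "Number of non-alphanumeric characters in password = 1 or greater"
        "password": lambda p: _password_base(p) and (p.get("passwordMinimumCharacterSetCount") or 0) >= 1,
        "session_timeout": _timeout,
    },
}

def evaluate(policies: list[dict]) -> dict[str, dict[str, bool]]:
    """Per platform and check: True when at least one policy satisfies it on its own (policies are not merged)."""
    result = {plat: dict.fromkeys(checks, False) for plat, checks in CHECKS.items()}
    for p in policies:
        plat = PLATFORMS.get(p.get("@odata.type", ""))
        if plat is None:
            continue  # iOS/Android policies are outside this integration
        for name, ok in CHECKS[plat].items():
            result[plat][name] = result[plat][name] or ok(p)
    return result

def missing(policies: list[dict]) -> list[str]:
    """'platform:check' pairs that no policy satisfies, i.e. what would show as failing."""
    return [f"{plat}:{name}" for plat, checks in evaluate(policies).items() for name, ok in checks.items() if not ok]

# Constructed sample (not tenant data): Windows password too short, no firewall policy on either platform.
SAMPLE = [
    {"@odata.type": W, "antivirusRequired": True},
    {"@odata.type": W, "passwordRequired": True, "passwordRequiredType": "alphanumeric",
     "passwordMinimumLength": 6, "passwordMinimumCharacterSetCount": 2},
    {"@odata.type": W, "passwordRequired": True, "passwordMinutesOfInactivityBeforeLock": 15},
    {"@odata.type": M, "gatekeeperAllowedAppSource": "macAppStoreAndIdentifiedDevelopers"},
    {"@odata.type": M, "passwordRequired": True, "passwordRequiredType": "alphanumeric",
     "passwordMinimumLength": 12, "passwordMinimumCharacterSetCount": 1},
    {"@odata.type": M, "passwordRequired": True, "passwordMinutesOfInactivityBeforeLock": 10},
]
```

A single policy has to satisfy a whole check by itself, matching the request above for one policy per check; a threshold that is only met by combining two policies is not counted.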

Configuration Policies

These policies push specific settings and configurations down to devices. Using these kinds of policies will automatically deploy, configure, and enforce the rules set by your organization. Secureframe uses these policies to check whether a particular device has been configured this way and, from that, whether it is compliant.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.

Configuration Policies: Anti-malware Check

MacOS

Intune does not support anti-malware configuration policies for MacOS. For MacOS devices to pass the anti-malware check, you will either need to ensure XProtect is installed on the machine or use a Compliance Policy instead.

Windows

Note: if you want to use a non-Defender anti-virus product, you will need to set up a Compliance Policy instead. Compliance Policies support other anti-virus software that Windows also supports.

  1. Go to https://intune.microsoft.com 
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “Windows 10 and later”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Device restrictions” from the templates section and click “Create”.
  8. Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
  9. In “Configuration settings”, scroll down to “Microsoft Defender Antivirus” and expand it. Set the following values:
    1. Real-time monitoring = Enable
    2. Behavior monitoring = Enable
    3. Scan all downloads = Enable
    4. Monitor file and program activity = Monitor all files
  10. Click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Skip the “Applicability Rules” and click “Create”.

Configuration Policies: Firewall Check

MacOS

Microsoft has deprecated the ability to check for firewall compliance using Configuration Policies. To check it, you will need to create a Compliance Policy.

Windows

  1. Go to https://intune.microsoft.com  
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “Windows 10 and later”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Endpoint protection” from the templates section and click “Create”.
  8. Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
  9. In “Configuration settings” expand “Windows Firewall” and scroll down to “Network settings”.
  10. Expand “Domain (workplace) network” and set the following value:
    1. Windows Firewall = Enable
  11. Expand “Private (discoverable) network” and set the following value:
    1. Windows Firewall = Enable
  12. Expand “Public (non-discoverable) network” and set the following values:
    1. Windows Firewall = Enable
    2. Windows Firewall rules from the local store = Allow
  13. Click “Next”.
  14. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  15. Skip the “Applicability Rules” and click “Create”.

Configuration Policies: Password Enforcement Check

MacOS:

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “macOS”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Device restrictions” from the templates section and click “Create”.
  8. Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
  9. In “Configuration settings” expand “Password” and set the following values:
    1. Password = Require
    2. Required password type = Alphanumeric
    3. Number of non-alphanumeric characters in password = 1 or greater
    4. Minimum password length = 8
  10. Click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Skip the “Applicability Rules” and click “Create”.

Windows

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “Windows 10 and later”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Device restrictions” from the templates section and click “Create”.
  8. Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
  9. In “Configuration settings” expand “Password” and set the following values:
    1. Password = Require
    2. Required password type = Alphanumeric
    3. Password complexity = Numbers and lowercase letters required
    4. Minimum password length = 8
  10. Click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Skip the “Applicability Rules” and click “Create”.

Configuration Policies: Session Timeout Check

MacOS

  1. Go to https://intune.microsoft.com
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “macOS”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Device restrictions” from the templates section and click “Create”.
  8. Name your policy as “MacOS Session Timeout” and provide an optional description, then click “Next”.
  9. In “Configuration settings” expand “Password” and set the following values:
    1. Password = Require
    2. Maximum minutes of inactivity until screen locks = 10 minutes or less
  10. Click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Skip the “Applicability Rules” and click “Create”.

Windows:

  1. Go to https://intune.microsoft.com 
  2. Click “Devices” from the left sidebar menu.
  3. On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
  4. Click “Create > New Policy”.
  5. In the “Platform” dropdown, select “Windows 10 and later”.
  6. Under the “Profile type” dropdown, select “Templates”.
  7. Select “Device restrictions” from the templates section and click “Create”.
  8. Name your policy as “Windows Session Timeout” and provide an optional description, then click “Next”.
  9. In “Configuration settings” expand “Password” and set the following values:
    1. Password = Require
    2. Maximum minutes of inactivity until screen locks = 15 minutes or less
  10. Click “Next”.
  11. In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
  12. Skip the “Applicability Rules” and click “Create”.

Helpful resources

Additional considerations on endpoint security, including device scoping, can be found here.

Permissions, Fields Pulled, Controls, and Automated Tests

  1. Click the provided link or navigate to the “Integration” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Frequently Asked Questions (FAQ)

We have two separate M365 tenants with Intune to separately manage our servers and workstation policies. Is it possible to connect both Intune environments to the integration at the same time?

  • Yes, you can proceed with a separate connection.

Do you pull in iOS or Android device information?

  • We do not pull in mobile devices; we are limited by what Intune supports.

Do you pull in data for non-corporate devices?

  • Intune only reports on UDIDs or installed apps for corporate devices, so we do not have the ability to run checks on these devices.

How often is the data refreshed for Intune?

  • Intune only allows scans and reports on device data once every 7 days, so the data in Secureframe refreshes on the same schedule.

What are the licensing requirements?

  • Only users with an Intune license can enroll their corporate devices.
