protect your mobile apps with modern authentication and microsoft intune · authentication and...

Post on 15-Jul-2020


Michael Bowman, Tarun Chopra

Protect your mobile apps with Modern Authentication and Microsoft Intune

Objectives

Stay innovative

Collaborate

Protect data

Work anywhere

Manage access

Employee/end user/IW goals

IT goals

Easy access

How do you empower users while protecting your most important assets?

Compromised Credentials

Compromised Devices

Separate and Contain Company Data

3 big mobile challenges

Strong authentication

6k 63% 80%

99.9%

Multi-Factor Authentication

• Successful authentication (username/password)

• Additional verification using a phone or mobile device

• Easy to configure

• Prevent unauthorized access by requiring another layer of security

Configuring Multi-Factor Authentication

[Diagram: Conditional Access]

Conditions: Employee & Partner Users and Roles; Trusted & Compliant Devices; Location; Client apps & Auth Method

Controls: Force password reset; Require MFA; Allow/block access; Terms of Use; Limited access

Other diagram labels: Corporate Network, Geo-location, MacOS, Android, iOS, Windows, Windows Defender ATP, Client apps, Browser apps, Google ID, MSA, Azure AD, ADFS, Microsoft Cloud App Security, Machine learning, Policies, Real time Evaluation Engine, Session Risk, 3, 40TB, Effective policy

Conditional Access

Enable Modern Auth Support in your Code

• Reach over 1 billion users using one sign in experience

• Securely access user data in any API (e.g. Microsoft Graph)

• Comply with IT policies like device compliance; IT will love you

ADAL SDK: Azure Active Directory Authentication Library

• Gives your application access to Microsoft Azure AD capabilities: SSO, MFA support, Conditional Access support…

• Enables support for OAuth2, Web API integration with user level consent, two-factor authentication support…

• Free and Open Source Software / Cross-platform

MSAL SDK: Microsoft Authentication Library

• Provides a unified developer experience for apps that want to sign in both users with Azure AD accounts (work and school) and personal Microsoft Accounts.

• Currently in preview for Android and iOS

Microsoft Authentication Libraries (MSAL)

Generally available:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries

Compromised Credentials

Compromised Devices

Separate and Contain Company Data

3 big mobile challenges

Protect your data on virtually any device with Intune

Enroll devices for management

Provision settings, certs, profiles

Report & measure device compliance

Remove corporate data from devices

Publish mobile apps to users

Configure and update apps

Report app inventory & usage

Secure & remove corporate data within mobile apps

Mobile Application Management (MAM)

Conditional Access: Restrict which apps can be used to access email or files

Mobile Device Management (MDM)

Conditional Access: Restrict access to managed and compliant devices

Device management options allow:

• Configuration of WiFi/VPN profiles

• Deployment of applications (e.g. LOB or antivirus)

• Remote device wipe

• …

Compliance enforcement includes:

• PIN enforcement on the device

• Device-level encryption

• Block Jailbroken/Rooted devices

• Minimum OS version

• …

IT policies are applied at the app level:

• PIN enforcement

• App-level encryption

• Jailbroken/Rooted device detection

• Multi-Identity Support

• Copy/Paste/Save

• …

App Protection Policies

Intune SDK

• Intune SDK enables App Protection Policies (APP)

• Protect and separate corporate apps, data and identities from personal

• Built into Microsoft Office, Edge, and productivity apps

• Built into some 3rd party apps

• You can enable APP in your organization's own apps

Intune SDK:

• Full feature functionality

• For Store & LOB apps

App Wrapping Tool:

• Simple cmd-line tool

• No code changes!

• For LOB apps (can also be used for Store apps with some caveats)

Enable MFA

Solve modern workplace security challenges with conditional access and app protection policies

Simple, easy to use libraries are available for your custom applications

In Summary

References

• Prepare line-of-business apps for app protection policies

https://docs.microsoft.com/en-us/intune/apps-prepare-mobile-application-management#feature-comparison

• Intune App SDK Sample

https://github.com/msintuneappsdk/Taskr-Sample-Intune-Android-App

• How to create and assign app protection policies

https://docs.microsoft.com/en-us/intune/app-protection-policies

Provide a consistent and predictable customer experience across Office 365 services, applications and platforms, for key enterprise requirements.

Best productivity and security

• no matter which app you’re using

• no matter which platform you’re on

150M Devices managed by ConfigMgr & Intune

1.1B Azure Active Directory Identities

700M Windows 10 PCs

450B Authentications per month

135M Office 365 MAU
