What is Device Trust?
Imagine you are a parent working from home and your child accidentally spills a drink on your work laptop. You have urgent work to submit, so you decide to finish it on the home computer that your child occasionally uses. What if that PC has a virus or malware you are not aware of? How will it affect your corporate data and applications?
This is where Device Trust comes into play. Device Trust, as the name suggests, is the process of verifying that a device meets the requirements to be trusted before it is allowed access to enterprise applications or resources. Building this trust often requires an MDM such as Intune or Jamf that can be used to enforce policies and inform other systems that a device is trustworthy and compliant with security policies. However, we get questions all the time from people who understand how to build Device Trust but don’t know how to share that information with other systems. In this article, we will explain how you can use Device Trust within Intune, and how to use this trust for network and application access.
Using Intune Device Trust
If you have a lot of Windows devices, it is very easy to manage them all using Intune. Intune is a Mobile Device Management (MDM) platform that serves as the central system for defining and enforcing device compliance policies in your corporate environment. Combining these device compliance policies with Microsoft Entra’s Conditional Access policies protects your corporate resources by enforcing strict access control rules. Conditional Access policies are if-then policies: access is granted when the stated conditions are met and blocked when they are not.
You can also access the same Conditional Access blade from Microsoft Intune Admin Center and set the device compliance status to ‘Require device to be marked as compliant’ under Grant access control.
Intune supports various compliance policies, a few common ones being:
- Requiring a minimum OS version
- Use of a password or PIN that meets certain complexity and length requirements
- A device being at or below a threat level as determined by the mobile threat defense software you use
There is another simple way of doing device trust for achieving a zero-trust framework, which is by using Intune’s Managed Device Certificates and combining them with the required compliance policies. Let’s see what these certificates are and how they are important to build device trust.
What are Intune Mobile Device Management Certificates?
When you enroll your endpoint devices into Intune using any of the supported enrollment methods, Intune installs a Mobile Device Management (MDM) certificate on the enrolling device. This MDM certificate, issued by the Intune CA, is what the device uses to communicate with Intune, after which Intune starts enforcing organizational compliance policies on it.
Your MDM certificate can be viewed in the Local Machine certificate store of your computer. Having this certificate means your device is trusted by your organization and has passed through all of its device compliance policies.
This certificate is how Intune validates internally and communicates to other systems, that this is a device managed by Intune and can be trusted. In the next section, we will show how this certificate is used, along with compliance information, in a Conditional Access Policy.
Device Trust in Intune with Managed Certificates
In order to create a Conditional Access Policy that leverages Device Trust in Intune, we first need to configure a Device Compliance policy for all your managed devices in the Compliance option of Manage Device in Intune.
After setting up all your policies here, you can mandate that all your users access corporate resources only from trusted devices by creating the appropriate Conditional Access policies. Go to Endpoint Security -> Conditional Access and create a new policy, selecting the group of users and the applications to which the policy must apply. Then, under Grant access control, check ‘Require device to be marked as compliant’ and select ‘Require all the selected controls’.
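The policy described in the steps above, created through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It starts in report-only mode so the sign-in logs reveal who would be blocked before enforcement is switched on; it assumes the Microsoft.Graph modules are installed and the account holds the Policy.ReadWrite.ConditionalAccess permission, and the group and user IDs are placeholders.

```powershell
# Added example (not from the original article): create the 'Require device to be
# marked as compliant' Conditional Access policy via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns are
# installed. GUIDs below are placeholders, not real tenant values.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$pilotGroupId    = '00000000-0000-0000-0000-000000000000'  # placeholder: pilot user group
$breakGlassUser  = '11111111-1111-1111-1111-111111111111'  # placeholder: emergency access account

$policy = @{
    displayName = 'Require compliant device - pilot (report-only)'
    # Report-only first: evaluate impact in the sign-in logs, then change to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Keep a break-glass account excluded so a compliance outage cannot lock admins out.
            excludeUsers  = @($breakGlassUser)
        }
        # 'All' cloud apps; replace with specific app IDs to scope the policy.
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'compliantDevice' is the Graph value behind the portal check box
        # 'Require device to be marked as compliant'.
        builtInControls = @('compliantDevice')
        # 'AND' corresponds to 'Require all the selected controls'.
        operator        = 'AND'
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Review the report-only results for the pilot group before changing `state` to `enabled` and widening the user scope.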
With this setup, you are making sure that your confidential corporate resources are being accessed with a trusted device holding an appropriate Intune managed certificate. But what happens when you plan to use Intune along with other MDMs? Read on.
Device Trust with platforms other than Intune
It is not always possible to have only Windows devices in your network. We’ve helped over a thousand organizations set up Device Trust, and we almost always see environments using various other MDMs like Jamf, Kandji, Google, etc, to manage Apple and Google devices.
It is easily possible to integrate another MDM’s compliance status with Intune in two ways. You can either use an Intune device compliance partner integration to sync the third-party MDM’s compliance status into Intune, or issue client certificates to those managed devices and require them to be present in your Conditional Access policies. You can add digital certificates to those MDM profiles to confirm compliance; for example, you can tell Jamf to mark devices that hold client certificates from your CA as compliant, then have Jamf send this compliance status to Intune. After that, you can use Intune’s device compliance policy and assign Conditional Access policies accordingly.
Also, you can have a third-party MDM integrated with an IdP, such as Kandji + Okta, and have the same Intune compliance policy assigned to those endpoints.
Is it possible to use the Intune MDM Certificate for Microsoft Entra CBA?
As we discussed before, MDMs manage end-user devices by placing digital certificates in their machine stores. Recently, a few customers asked us whether Microsoft Intune MDM certificates could be used with Microsoft Entra Certificate-Based Authentication (CBA) for user authentication.
As seen above, the Intune MDM certificate is mostly used to identify that a device is managed by Intune and to communicate that it is compliant with policies. While it does this role well, it is still a certificate, and it is easy to think that it could be used in Microsoft Entra for certificate-based authentication.
However, this is not the case. Intune’s MDM certificate resides in the Local Machine store of the device, whereas Microsoft Entra CBA requires an X.509 user certificate in the Current User certificate store. This mismatch of certificate location makes it impossible to use the Intune MDM certificate for Microsoft Entra CBA.
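An added audit script, not from the original article, that makes the store mismatch visible on a Windows endpoint: it lists the personal certificates in both the Local Machine and Current User stores and checks each against the basic prerequisites of an Entra CBA user certificate (Current User store, Client Authentication EKU, and a UPN in the Subject Alternative Name, which is the default username binding). The issuer match string for the Intune CA is an assumption; compare it with what your own device shows.

```powershell
# Added example (not from the original article): show why the Intune MDM device
# certificate cannot be an Entra CBA user certificate by inspecting both stores.
# Run in a normal user session on an Intune-enrolled Windows device.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'                # id-kp-clientAuth EKU
$intuneIssuer  = 'Microsoft Intune MDM Device CA'   # assumed issuer CN; verify on your device

function Test-CbaCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$StorePath
    )
    # Extended Key Usage (2.5.29.37) must include Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid))

    # Subject Alternative Name (2.5.29.17) must carry a UPN ('Principal Name=' in the
    # formatted text) for the default CBA username binding.
    $san    = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasUpn = [bool]($san -and ($san.Format($false) -match 'Principal Name='))

    # CBA reads user certificates from the Current User store, never Local Machine.
    $inUserStore = $StorePath -like 'Cert:\CurrentUser\*'

    [pscustomobject]@{
        Store         = $StorePath
        IntuneMdmCert = $Cert.Issuer -like "*$intuneIssuer*"
        InUserStore   = $inUserStore
        HasClientAuth = $hasClientAuth
        HasUpnSan     = $hasUpn
        CbaEligible   = $inUserStore -and $hasClientAuth -and $hasUpn
        Subject       = $Cert.Subject
        Expires       = $Cert.NotAfter
    }
}

$results = foreach ($path in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem -Path $path | ForEach-Object { Test-CbaCandidate -Cert $_ -StorePath $path }
}

# The Intune MDM certificate shows up with InUserStore = False and CbaEligible = False,
# while a correctly issued user certificate (if any) appears under CurrentUser as eligible.
$results | Sort-Object Store, Subject |
    Format-Table Store, IntuneMdmCert, InUserStore, HasClientAuth, HasUpnSan, CbaEligible, Subject -AutoSize
```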
In conclusion, Intune provides an excellent foundation to report device compliance and build Device Trust that can be communicated to other systems.
If your organization uses an MDM such as Intune, SecureW2 can integrate with your infrastructure directly to automatically enroll end users for certificates through our gateway APIs. This ensures that the managed devices on your network can self-enroll for certificates without any input from the end users themselves, avoiding potential misconfigurations. If you’d like to see exactly how your network would look with SecureW2, we’d be happy to demonstrate. Set up a free demo with our team to see firsthand how easy it can be to go passwordless.