Protect your corporate data using Microsoft Edge for mobile platforms

Intune_Support_Team

In today's digital landscape, companies face unprecedented risks from sophisticated threat actors. IT admins play a crucial role in keeping company data secure internally and externally. At the same time, users demand access to sensitive information on their mobile devices while on the go to remain productive. Microsoft Intune has functionality to help administrators create policies that protect company data and its mobile users while preserving the users’ personal preferences. Microsoft Edge for Business on mobile platforms seamlessly respects Microsoft Entra Conditional Access policies, which can be configured to require Intune application protection policies (APP) before mobile users can access corporate data.



Note: For those specifically interested in Windows, please refer to our blog at aka.ms/Intune/APP/Edge-blog for more insights.



What is Microsoft Edge for Business on mobile? Edge for Business delivers a fast, secure browser experience, bringing the best of Microsoft to mobile devices. Recognizing the need for workers to access company data from anywhere at any time, Edge for Business enhances security with an enterprise sign-in experience, superior protection, and privacy features. It also synchronizes favorites, passwords, and more across both desktop and mobile devices. Furthermore, Edge ensures a consistent and reliable experience, designed to safeguard sensitive company information.



Preserving user preferences while improving security posture


Using Intune, IT admins can configure access requirements so that only a policy-managed browser app, like Edge for Business, may access corporate web content. When Intune policy is assigned and users sign into Edge for Business with their corporate credentials, it becomes a policy-managed browser. If users are signed in but don’t have Edge installed, they’ll be prompted to install it on their first attempt to access company web resources. Importantly, while Intune policies may specify that company data must be accessed only from the Edge browser, this doesn’t change the user’s preferred default personal browser. Links from company policy-managed apps (e.g. Outlook or Teams) will open in Edge, while links from their personal apps will open in the system default browser. This preserves user preferences and privacy while allowing the company’s web content to be protected by a policy-managed app.



Managed devices vs managed apps


A mobile device enrolled in Intune for mobile device management (MDM) is referred to as a “managed device” and is helpful for device management and configuration scenarios. For managed devices, IT admins can pre-install Edge for Business without user interaction. Additional options can be configured for user convenience or to align with the company’s data security standards.



Note: If the device isn’t enrolled, Edge can’t be installed silently in the background from Intune.



Users can sign into apps (such as Outlook, Teams, and others) with their company credentials and receive application protection policies (APP) from Intune, making these “managed apps”. Regardless of device enrollment, IT admins can use APP to ensure only the APP-protected browser accesses corporate data.



Let’s examine the parts that make this work.



Intune app configuration policies


IT admins should be aware of the policy settings that configure the app to allow sign-in only from work or school accounts, along with the settings that shape other app behavior, and set them in a manner consistent with company policy. Keep in mind that the device management type needs to be accounted for when creating an app configuration policy. A Microsoft Edge app configuration policy isn’t required to specify that Edge should handle company web content, but some of its settings are useful when considering your company policies and shaping the user experience. App configuration policies can add useful bookmarks in the browser and establish pre-defined security controls, such as managing which websites allow file uploads.



Review Manage Microsoft Edge on iOS and Android with Intune for in-depth guidance on managing Edge via app configuration policies.



Intune app protection policies


A separate app protection policy is required for each platform, because app and setting availability varies between platforms. For the list of settings, review: iOS/iPadOS app protection policy settings and Android app protection policy settings. When creating the policy, keep in mind that Microsoft Edge IS included when you use the “Target policy to” option and select “All Apps”, “All Microsoft Apps”, or “Core Microsoft Apps”. The included apps list can be viewed by selecting “View a list of apps that will be targeted”.



For either of the mobile platforms, Edge for Business can be configured as the web content handler by configuring the APP setting “Restrict web content transfer with other apps” to Microsoft Edge. Additional app data protection settings can be enabled in the same policy.



Configuring Edge as the web content handler

  1. In the Microsoft Intune admin center, select Apps > App protection policies.
  2. Create a new policy and select the platform (or edit an existing policy).
  3. Enter a policy name and select Next.
  4. In the “Target policy to” drop-down, select one of the app group options or specify which apps should use Edge as the web content handler, then click the Next button.
  5. In the Functionality section, ensure that Restrict web content transfer with other apps is set to “Microsoft Edge”. This will set Edge as the specified company web content handler browser.

Figure 1: An image showing the “Restrict web content transfer with other apps” setting set to Microsoft Edge.



Make sure to set configuration options in alignment with your company’s data handling policies. For example, many companies elect to restrict whether files may be saved onto mobile devices, and whether data can be cut, copied, or pasted outside of managed apps. Since Edge is built to respect app protection policy and complies with the settings you specify, the handling of company data will be consistent across all apps receiving the policy. A consistent and predictable experience helps keep users productive.



Microsoft Entra Conditional Access policy settings


The next step is to use Microsoft Entra Conditional Access to enforce the app protection policy created above, which specifies that Edge should handle managed app web content. App protection policies control how data is accessed and shared within the managed app based on the policy settings. However, an app protection policy alone doesn’t require users to access company data only from managed apps. Without enforcing which apps may be used to access company data, users could manually type a URL into a non-managed browser and reach company data as long as they could successfully authenticate.



Conditional Access can be set to require that the app being used to access the company data has an app protection policy applied. Make sure that the app protection policy is also assigned to users targeted by this policy, otherwise the criteria for this Conditional Access policy might not be met.



Note: Conditional Access requires that the device be registered in Microsoft Entra, which is done using a broker app. Learn more in Use app-based Conditional Access policies with Intune.



Require app protection policy

Viewing and editing Conditional Access policies requires a delegated right from Microsoft Entra ID. This is a privileged role, granted in Microsoft Entra to select IT admins, called “Conditional Access Administrator”.



  1. In the Intune admin center navigate to Endpoint Security > Conditional Access > Policies.
  2. Select an existing policy to update or create a new policy.
    If creating a new policy, refer to the Conditional Access documentation for guidance on the settings most appropriate for your company.
  3. Under Access controls > Grant, select Grant access.
  4. Ensure Require app protection policy is checked, then click the Select button.
  5. Under Enable policy select Report-only. This won’t yet enforce access to company data through managed apps, but it will show the sign-ins that would be affected if the Conditional Access policy were set to On instead. It’s good practice to confirm that the scope of the enforcement and the settings work as you intend. You can always change a “Report-only” rule to “On” later if the rule works the way you expect.
  6. Click the Save button to commit the policy.
  7. Turn “On” the policy once you’ve validated the settings to require app protection policies.



Figure 2: An image of the Require app protection policy grant control in Conditional Access.
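As an added example (not part of the original post and not Intune’s own tooling), the following Python script audits policy objects exported from Microsoft Graph against the two settings configured in the procedures above: the APP “Restrict web content transfer with other apps” value (plus the save-as and clipboard settings mentioned earlier), and the Conditional Access “Require app protection policy” grant control together with its Report-only versus On state. The sample policies are constructed inline; the property and enum names (`managedBrowser`, `managedBrowserToOpenLinksRequired`, `compliantApplication`, `enabledForReportingButNotEnforced`) follow the Graph schema for `iosManagedAppProtection` and `conditionalAccessPolicy` as the example’s author understands it, which is an assumption to verify against your own export (for example from `GET /deviceAppManagement/iosManagedAppProtections` and `GET /identity/conditionalAccess/policies`).

```python
"""Audit exported Intune APP and Entra Conditional Access policies for the
Edge-as-web-content-handler configuration described in this post.

The sample policies below are constructed for this example. Property and
enum names follow the Microsoft Graph schema (iosManagedAppProtection and
conditionalAccessPolicy) as assumed by the example's author; verify them
against a real export before relying on this check.
"""
import json

# Constructed sample: an APP where "Restrict web content transfer with
# other apps" is still at its default, so any browser may receive links.
WEAK_APP_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "iOS APP - draft",
    "managedBrowserToOpenLinksRequired": False,
    "managedBrowser": "notConfigured",
    "saveAsBlocked": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
}

# Constructed sample: the same policy after following the steps above.
HARDENED_APP_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "iOS APP - production",
    "managedBrowserToOpenLinksRequired": True,
    "managedBrowser": "microsoftEdge",
    "saveAsBlocked": True,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
}

# Constructed sample: Conditional Access policy left in Report-only mode
# that grants access only to clients with an app protection policy applied.
CA_POLICY_REPORT_ONLY = {
    "displayName": "Mobile - require app protection policy",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients", "browser"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
}


def audit_app_policy(policy):
    """Return findings for one APP export; an empty list means it matches the post."""
    findings = []
    if policy.get("managedBrowser") != "microsoftEdge":
        findings.append("web content handler is not Microsoft Edge")
    if not policy.get("managedBrowserToOpenLinksRequired"):
        findings.append("links are not required to open in the managed browser")
    # Data-handling settings the post suggests reviewing in the same policy.
    if not policy.get("saveAsBlocked"):
        findings.append("saving files to the device is allowed")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("cut/copy/paste to unmanaged apps is allowed")
    return findings


def audit_ca_policy(policy):
    """Return findings for one Conditional Access policy export."""
    findings = []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "compliantApplication" not in controls:
        findings.append("'Require app protection policy' grant control is missing")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, another control (e.g. compliant device) can satisfy the
        # grant without an APP, so the managed-browser requirement is not guaranteed.
        findings.append("other grant controls can satisfy the policy without an APP")
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("policy is Report-only; switch to On once validated")
    elif state != "enabled":
        findings.append("policy state is %r; nothing is enforced" % state)
    return findings


def audit_all(app_policies, ca_policies):
    """Map each policy's displayName to its findings, for a quick report."""
    report = {p["displayName"]: audit_app_policy(p) for p in app_policies}
    report.update({p["displayName"]: audit_ca_policy(p) for p in ca_policies})
    return report


if __name__ == "__main__":
    print(json.dumps(audit_all([WEAK_APP_POLICY, HARDENED_APP_POLICY],
                               [CA_POLICY_REPORT_ONLY]), indent=2))
```

Running the script prints four findings for the draft APP, none for the production APP, and a single Report-only finding for the Conditional Access policy, which is the state you would expect between steps 5 and 7 above. The operator check in `audit_ca_policy` is the caveat worth keeping: a grant that ORs “Require app protection policy” with another control lets a session satisfy the policy without an APP-managed app, so the Edge restriction is only guaranteed when that control is the sole (or an AND-ed) requirement.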



A call to action – put it all together


Whether you’re looking to implement Zero Trust principles or to simply improve your company’s data security posture, ensuring that access to company data is restricted to managed apps on mobile devices is a great step to take as outlined in this blog.



A checklist to ensure you have covered all the key areas:

  • Create app protection policies with your organization’s data protection requirements in mind.
  • Ensure Microsoft Edge and other applicable apps you have approved for use are included in your app protection policies.
  • Enable Microsoft Edge for web content handling.
  • Set Conditional Access policies to require mobile devices to use policy-managed apps.



By implementing Edge for Business on mobile platforms and leveraging Intune's app protection policies enforced by Conditional Access, your organization can significantly increase its data security posture. These measures ensure that corporate data is accessed only through managed apps and browsers, reducing the risk of data breaches and exfiltration. Stay ahead of potential threats and keep your company's sensitive information secure while enabling your employees to remain productive.



We hope you find these experiences useful and easy to set up with Edge and Intune. If you have any questions or feedback, please leave a comment below, or tag @IntuneSuppTeam on X.
