Use compliance data in Azure AD Conditional Access policies by integrating Workspace ONE UEM with Microsoft

The title says it all! The feature has been available for a while in closed preview, but with UEM 2008 it has moved to Public Preview. Microsoft has likewise moved the APIs on their side to Public Preview, listing VMware Workspace ONE as the ONLY (currently) supported EMM.

Needless to say, we are waiting for Microsoft to move the APIs to fully supported status so that we can announce the same on our side!

Requirements:

  • WS1 UEM 2008+
  • WS1 Intelligence enabled (free tier – just ensure it’s enabled)
  • MS AAD Premium + InTune licenses (included in EM+S / MS365)

Docs:

My sandbox is still on 2007, but it should be updated soon. Once it is updated I will post an in-depth write-up. In the meantime you can see an awesome and detailed overview from our resident expert Sascha Warno.

What do you think about this feature?

4 thoughts on “Use compliance data in Azure AD Conditional Access policies by integrating Workspace ONE UEM with Microsoft”

  1. Hello Arsen,

    I have tested this new feature recently and it seems to work very well with MS applications (Outlook, OneDrive…).
    Now VMware needs to make their applications compatible to work within the compliance rule. Indeed applications configured in the rule have to support MSAL library.

    Other points:
    – Compliance status of devices is reported through MS Authenticator. Need to roll out.
    – Don’t forget to deploy Intune Portal for Android devices.
    – Administrators need to work to transmit the compliance status of the entire fleet on Azure AD to be able to set this feature with minimal impacts for the existing enrolled compliant devices.

    Best regards

    1. Hi, Gokan. Thanks for sharing your experience!

      Now VMware needs to make their applications compatible to work within the compliance rule. Indeed applications configured in the rule have to support MSAL library.
      This is in progress. Some apps already have it.

      Don’t forget to deploy Intune Portal for Android devices.
      You don’t really need this one. You can do it with Authenticator as well – both apps will be able to register the device in AAD.
      You might need Company Portal for integration with Intune MAM, but that is a different story.

      Administrators need to work to transmit the compliance status of the entire fleet on Azure AD to be able to set this feature with minimal impacts for the existing enrolled compliant devices.
      That is true. If you have a large fleet, you’d want to wait until everything is in sync before enforcing CA for these devices.
      The idea is that in most cases there will be no CA for them whatsoever, so you could wait, or you could use the CA policies in “Report only” mode.
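The “Report only” approach mentioned in the reply above, as an added example that is not from the original post or from VMware or Microsoft: a Conditional Access policy created through Microsoft Graph PowerShell that requires a compliant device for Office 365 but is only evaluated and logged, never enforced. The display name and the excluded emergency-access group id are placeholders.

```powershell
# Added example: report-only Conditional Access policy requiring a compliant device.
# Assumes the Microsoft Graph PowerShell SDK is installed; placeholder values are marked.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require compliant device - Office 365 (report-only)"   # placeholder name
    # Report-only: the policy is evaluated and its result logged in sign-in logs,
    # but no user is blocked. Switch to "enabled" only after the WS1 UEM compliance
    # status has synced to Azure AD for the whole fleet.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder: emergency-access accounts
        }
        applications = @{
            includeApplications = @("Office365")   # Graph's first-party Office 365 app group
        }
        platforms = @{
            includePlatforms = @("iOS", "android")   # the UEM-managed mobile platforms
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # the compliance flag WS1 UEM writes to AAD
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"
```

While the policy is in report-only state, the Azure AD sign-in logs show per-sign-in what the outcome would have been, which lets you confirm that the synced compliance status matches expectations before changing the state to "enabled".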

    1. You somehow missed most of the key points about this feature in your article, including the understanding when it works and when it does not (incl. with Intune). Again, the docs page says that this is a public tech preview, the UI says it is tech preview, you never list in your article any issues with it – what’s your problem?
