BLOG Published on 2019/09/18 by Asitha De Silva in Tech-Tips

Securing corporate web apps using Intune Managed Browser – Part 01

Intune Managed Browser is a web browsing app from Microsoft that lets you safely view and navigate web pages containing company information, including internal organization web pages. With a managed browser, you can enable the following Enterprise Mobility security features:

  • Single sign-on
  • Conditional Access
  • Application configuration settings
  • Azure application proxy integration
  • Application protection policies

The Managed Browser is available in the Android and Apple app stores and supports Android 4+ and iOS 8 and above. On Windows 10, Microsoft Edge acts as the managed browser; Edge can also be used on supported mobile operating systems. The purpose of this article is to explain how effectively we can use the managed browser with EMS components.

In Part 01 of this post, let's discuss deploying the Managed Browser and implementing app protection policies. In Part 02, I'm hoping to explain how to push configurations such as bookmarks, the home page, and whitelisting and blacklisting of web pages. Part 02 will also cover configuring Conditional Access so that corporate apps can be accessed only from the Managed Browser, and using the Azure app proxy.


Deploying a Managed Browser with Intune

The Managed Browser is part of Intune. As the first step, you need to deploy it to the endpoints. You can ask users to install it themselves from the app stores, or deploy it centrally through Intune. Let's see how it can be deployed from Intune.

  1. Log in to the Azure Portal - Intune - Client Apps - Apps, click ADD and select the relevant operating system from the store section.
  2. For iOS, you need to type the app name as “Managed Browser” and select


  3. If you are using Android, you need to get the Play Store link and paste it into App store URL.

    Managed browser - https://play.google.com/store/apps/details?id=com.microsoft.intune.mam.managedbrowser&hl=en


  4. Assign the app to the relevant user group.

  5. Download and install the Managed Browser from the Intune Company Portal.


Intune App Protection Policies with Managed Browser

In my previous posts, I have talked about app protection policies. An Intune app protection policy lets you protect data in on-device applications. You define the apps and a set of policies to control the actions allowed in them. These protected apps are called managed apps. You can define policies such as preventing cut, copy, save as and screen capture, and you can allow data transfer only within the managed apps.

Not every store app supports Intune; an app has to be written in a way that Intune understands. In the Microsoft world, this is called an Intune enlightened app. The Managed Browser is an enlightened app, and it supports all the app protection policies. When you publish a company internal website through the Managed Browser, you can enable app protection policies such as preventing cut, copy, save as, etc.

  1. Log in to the Azure portal - Client apps - App protection policies - Create a new App Protection policy
  2. Name the policy, select the relevant OS, and select the relevant apps. In this case, that is the Managed Browser.


  3. Fill in your relevant configurations under data protection.




  4. Additionally, you can define Access protection, where policy-managed apps (the Managed Browser) require a PIN to open.


  5. Target the policy to the relevant user group.


  6. After the policies sync to the targeted user, the Managed Browser becomes a corporate managed app, and web pages accessed through it are protected by the app protection policies, so the user cannot cut, copy, save as, etc.
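The portal steps above leave no record that can be reviewed later, so here is an added example (not from the original article) that audits an exported policy against the protections the walkthrough names. It assumes the policy is exported as JSON in the shape of the Microsoft Graph `androidManagedAppProtection` resource; the sample policy is constructed, and `audit_policy` is a hypothetical helper name.

```python
import json

# Package id taken from the Play Store link quoted in the article.
MANAGED_BROWSER = "com.microsoft.intune.mam.managedbrowser"

# Constructed sample shaped like a Graph androidManagedAppProtection object.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Managed Browser - Android (constructed sample)",
  "allowedOutboundClipboardSharingLevel": "allApps",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "saveAsBlocked": true,
  "screenCaptureBlocked": false,
  "pinRequired": true,
  "isAssigned": true,
  "apps": [{"mobileAppIdentifier": {
    "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
    "packageId": "com.microsoft.intune.mam.managedbrowser"}}]
}
""")

# Graph property -> (acceptable values, protection from the walkthrough)
EXPECTED = {
    "allowedOutboundClipboardSharingLevel":
        (("managedApps", "managedAppsWithPasteIn", "blocked"), "cut/copy kept inside managed apps"),
    "allowedOutboundDataTransferDestinations":
        (("managedApps", "none"), "data transfer only within managed apps"),
    "saveAsBlocked": ((True,), "save as prevented"),
    "screenCaptureBlocked": ((True,), "screen capture prevented"),
    "pinRequired": ((True,), "PIN required to open the app"),
    "isAssigned": ((True,), "policy targeted to a user group"),
}

def audit_policy(policy):
    """Return one finding per protection the policy fails to enforce."""
    findings = []
    for key, (accepted, meaning) in EXPECTED.items():
        value = policy.get(key)  # a missing property counts as not enforced
        if value not in accepted:
            findings.append(f"{key}={value!r}: expected {meaning}")
    targeted = {app.get("mobileAppIdentifier", {}).get("packageId")
                for app in policy.get("apps", [])}
    if MANAGED_BROWSER not in targeted:
        findings.append("apps: Managed Browser is not covered by this policy")
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) or ["policy matches the walkthrough"]:
        print(line)
```

The constructed sample deliberately leaves the clipboard open to all apps and screen capture unblocked, so the audit reports two findings for it.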


Offer Single Sign-on to Azure AD integrated apps through Managed Browser  


If you have corporate web apps that are integrated with Azure AD, users can take advantage of SSO by using the Managed Browser or Microsoft Edge. With SSO, users are not required to enter their username and password every time they access these websites. Let's discuss how to achieve this.

When a device is enrolled with Intune, you need to install the Intune Company Portal app and register the device with Intune using an Azure AD username and password. After this, the device is managed by Intune, and when you access an Azure AD integrated app from the Managed Browser or Edge, single sign-on uses the user ID with which the user registered the device.

If the device is not enrolled with Intune, the same benefit can be achieved by installing Microsoft Authenticator. Microsoft Authenticator is an app used for two-factor authentication. You can register multiple accounts in the authenticator, and each MFA request is sent to the app as a notification that you can easily approve. When you add your corporate credentials to Microsoft Authenticator, you can access corporate Azure AD integrated apps with SSO.

In Part 02 of this article, let's discuss how to use Conditional Access and app configuration policies to protect corporate data browsed through the Managed Browser. Stay tuned.

Hope this post is useful.

Cheers.

Asitha De Silva



Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
