BLOG Published on 2019/10/20 by Asitha De Silva in Tech-Tips

Securing corporate web apps using Intune Managed Browser – Part 02

Intune Managed Browser is a web browsing app by Microsoft which lets you safely view and navigate web pages that contain company information or internal organization web pages. This is the second post on this topic, where I address how to use the Managed Browser effectively with EMS components and features.

In Part 01 of this post we discussed deploying the Managed Browser with Intune, restricting cut, copy and save-as options with Intune app protection policies, and enabling SSO to apps through the Managed Browser. In this post, I will continue by explaining how to centrally manage configurations such as bookmarks, the home page, and whitelisting and blacklisting of web pages. We will also look at configuring conditional access so that corporate apps can be accessed only from the Managed Browser, and at using the Azure app proxy.


Set the Managed Browser as the default app to open the Corporate Apps.

When you publish a corporate web app through Intune Apps, there is a setting to select the Managed Browser as the default for opening the link. The user is then notified to download the Managed Browser if it is not already installed. Once it is installed, the app opens through the Managed Browser and the app protection policies are applied.


Restrict Corporate Apps to browse only from Managed Browser – Conditional Access

In Part 01, I discussed how to protect corporate apps through Intune app protection policies, where you can use the Managed Browser to restrict Cut, Copy, Save-as, and other options. But what if a user accesses the app from an unprotected browser that does not honor App Protection policies? With the help of Azure Conditional Access, you can block all unprotected browsers and allow only the Managed Browser to access the corporate apps. Let’s see how we can enable this.

  1. Log in to the Azure Portal > Azure Active Directory > Conditional Access.
  2. Create a new policy, name the policy and select the relevant users to whom it needs to be applied.


  3. From the device platforms, select the relevant device types to which the policy is to be pushed.


  4. Next, select the relevant cloud / corporate app. The app should be published as an enterprise app and Azure AD integrated.


  5. From the Access controls, select Require Approved Client app. This enables the list of Intune-enlightened apps that can access the app. Managed Browser is one of them.


  6. Tick Enable Policy and click Create.
  7. Users will see the following notification when they try to access the app from anything other than the Managed Browser, so the App Protection Policies become mandatory.
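
One way to check that a policy created with these steps actually enforces the restriction is to audit its exported JSON. This is an added example, not part of the original post: it assumes the policy is exported in the Microsoft Graph `conditionalAccessPolicy` shape, and the sample policy, placeholder IDs and the function name `audit_policy` are constructed for illustration.

```python
import json

# Constructed sample export; the IDs are placeholders, not real tenant values.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Corp app - Managed Browser only",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeGroups": ["<group-object-id>"]},
    "applications": {"includeApplications": ["<enterprise-app-id>"]},
    "platforms": {"includePlatforms": ["iOS"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication", "mfa"]}
}
""")

def audit_policy(policy, required_platforms=("android", "iOS")):
    """Return a list of findings; an empty list means the policy matches the steps."""
    findings = []
    if policy.get("state") != "enabled":  # step 6: report-only or disabled blocks nothing
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups assigned")  # step 2
    if not (cond.get("applications") or {}).get("includeApplications"):
        findings.append("no cloud app selected")  # step 4
    plat = cond.get("platforms")  # absent/null means every platform is in scope
    if plat is not None:
        included = {p.lower() for p in plat.get("includePlatforms", [])}
        for p in required_platforms:  # step 3: an uncovered platform stays open
            if "all" not in included and p.lower() not in included:
                findings.append(f"platform {p} not covered")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "approvedApplication" not in controls:  # step 5
        findings.append("'Require approved client app' is not set")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR lets another control grant access without an approved app")
    return findings
```

For the constructed sample this reports three gaps: the policy is in report-only mode, Android is not covered, and the OR operator lets MFA alone satisfy the grant from any browser.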


Use of Managed Browser with Azure Application Proxy

Using Application Proxy, you can publish internal web apps to the public internet while using Azure security features. Application Proxy converts the internal URL to a publicly accessible URL, and the content is routed through the app proxy. However, with the Managed Browser you can still use the internal URL: when browsing, the Managed Browser identifies the internal URL and redirects it through the Azure app proxy. For Edge and Chrome, you need to install the Managed Browser Extension and set Company Internal URL Redirection to ON.


Manage Configuration settings for Managed Browser

When you push the Managed Browser for use with the corporate apps, it is easier if you can also push configurations such as the homepage and bookmarks, and allow or block certain URLs. These settings can be configured with Intune app configuration policies.

Configuring Homepage from Intune app configuration policies.

  1. Log in to the Azure portal > Intune > Client apps > App configuration policies.


  2. Click Add, name the policy, select the device enrollment type and select Intune Managed Browser as the associated app.


  3. Next, in the Configuration settings, provide the following key and value to add the relevant homepage to the Managed Browser. Refer to the screenshot.

    Key - com.microsoft.intune.mam.managedbrowser.homepage
    Value – <Web URL>


  4. Click Add to create the policy.
  5. Next, you will be prompted to assign the policy; select the relevant group to which the configurations need to be pushed.


  6. In terms of user experience, if you use Microsoft Edge as the browser you will see the homepage as a shortcut; with the Intune Managed Browser on a mobile OS such as iOS or Android, the homepage appears on the start screen of the browser.


Configuring Bookmarks from Intune app configuration policies.

Just as we configured the homepage from Intune configuration policies, we can configure bookmarks for Edge and the Intune Managed Browser. When these settings are pushed from Intune, users cannot delete or modify the bookmarks. This configuration is nice to have when you have published corporate web sites through Azure App Proxy, so that the web apps are automatically available in users' managed browsers as bookmarks.

  1. Create a new Intune app configuration policy or add a new setting to an existing policy; refer to the steps above to create a policy. Here I’m using the same policy.
  2. Add the following key and value.
    Key – com.microsoft.intune.mam.managedbrowser.bookmarks
    Value –  <Name of the bookmark> | <Web URL>



  3. If you have multiple bookmarks, separate each pair with the double character ||
    For example – Blog | https://www.terminalworks.com/blog||Search| http://www.google.com
  4. You can see the result as follows in the iOS Intune Managed Browser.
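
Because pushed bookmarks cannot be changed by users, it is worth validating the value string before assigning the policy. The following is an added example, not code from the original post: it parses the `<Name> | <URL>` pairs separated by `||` described above, using the post's own sample value, and the function names and the plain-HTTP check are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BOOKMARKS_KEY = "com.microsoft.intune.mam.managedbrowser.bookmarks"
# The example value from step 3 of the post.
PAGE_EXAMPLE = "Blog | https://www.terminalworks.com/blog||Search| http://www.google.com"

def parse_bookmarks(value):
    """Split 'Name | URL||Name | URL' into (name, url) pairs plus a list of problems."""
    bookmarks, problems = [], []
    for n, entry in enumerate(value.split("||"), start=1):
        name, sep, url = entry.partition("|")  # first single pipe divides name from URL
        name, url = name.strip(), url.strip()
        if not sep or not name or not url:
            problems.append(f"entry {n}: expected '<name> | <url>', got {entry!r}")
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"entry {n}: {url!r} is not an absolute web URL")
            continue
        if parts.scheme == "http":
            # Kept, but flagged: the bookmark is locked for users once pushed.
            problems.append(f"entry {n}: bookmark {name!r} uses plain HTTP")
        bookmarks.append((name, url))
    return bookmarks, problems

def build_bookmarks(pairs):
    """Serialise (name, url) pairs into the value string, rejecting stray pipes."""
    for name, url in pairs:
        if "|" in name or "|" in url:
            raise ValueError(f"'|' is the separator and cannot appear in {name!r} / {url!r}")
    return "||".join(f"{name} | {url}" for name, url in pairs)

if __name__ == "__main__":
    parsed, issues = parse_bookmarks(PAGE_EXAMPLE)
    print(BOOKMARKS_KEY, "=", build_bookmarks(parsed))
    for issue in issues:
        print("warning:", issue)
```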


Configuring Allow and Block URL’s using Intune app configuration policies.

Using app configuration policies, you can allow or block URLs where you find it relevant. This is done in the same way as adding a bookmark or homepage: you specify the URL allow key or the URL block key, with the relevant URLs as the value. Rather than listing each URL, you can also use the * wildcard sign.

Key Allow URL’s - com.microsoft.intune.mam.managedbrowser.AllowListURLs

Key Block URL’s - com.microsoft.intune.mam.managedbrowser.BlockListURLs

Value URL’s you can provide as follows.

With this information, I will finish Part 02 of the post Securing corporate web apps using Intune Managed Browser. If you want to read Part 01, click (here).

Hope this post is useful

Cheers

Asitha De Silva


Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
