GOTCHA! #Intune MAM CA and #Azure AD conditional Bug
After much configuration, and design, I was recently working on Security Hardening SharePoint ONline and Exchange Online using Mobile Application Management (MAM) Policies and Azure AD Device Based Conditional Access. Given requirements for the project, this was the best route to go. We worked with a Microsoft PFE to configure everything and validated it, and seemed legit. However, on normal PC or Mac, changing the user agent string of the browser bypasses both Azure AD conditional access and Intune MAM. The services both do not recognize the device, and therefore, grant permission, instead of deny permission for these points of confusion.
The Azure Tenant is configured with these settings, targeting specific groups for testing, and an exclude for testing, in the New Portal’s AD:
- Targeting against SharePoint Online (and we have another policy for Exchange Online too with same settings):
2. We targeted all platforms, but in the excluded group, we were recommended to exclude iOS and Android, as we wanted to leverage MAM in those areas.
3. We are requiring the device be either compliant or domain joined — we have a separate policy for MFA while on non-trusted Networks:
When all of these are set, and a user is in the CA groups, all they have to do is change the user agent string to bypass the https://device.login.microsoftonline.com service. Case in point, we tested with a User Agent String of (found from http://www.useragentstring.com/pages/useragentstring.php): "Mozilla/5.0 (Linux; U; Android 4.0.2; en-us; Galaxy Nexus Build/ICL53F) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
So, fine, this should happen, we allowed it our policies, shame on us. However, there is a fundamental concern here, that Intune MAM-WE policies did not block, or force the Manage browser on an “Android”? The first thought I had, was why is Android 4.0.2 being allowed, when Intune MAM policies are set to block Androids older than 4.1 and for Managed Browser for all SharePoint Online and Exchange Online in our Tenant.
So the neat thing about this behavior is that it even works when you change the user agent to iPad or some other iOS product. I tried raising this as bug to the Microsoft Security Response Center, a month ago now, and basically was told this is how we are configured. I’m publishing this so that other Tenants who are trying to use MAM and Azure AD Conditional Access simultaneously, will have a chance to correct any holes in their security designs that may have been overlooked.