Microsoft Intune integration with Device Posture
Microsoft Intune classifies a user’s device as compliant or registered based on its policy configuration. During user login into Citrix Workspace, device posture can check with Microsoft Intune about the user’s device status and use this information to classify the devices within Citrix Cloud as compliant, non-compliant (partial access), or even deny access to the user login page. Services like Citrix DaaS and Citrix Secure Private Access in turn use device posture’s classification of devices to provide contextual access (Smart Access) to virtual apps and desktops, and SaaS and Web apps respectively.
To configure Microsoft Intune integration
Intune integration configuration is a two-step process.
Step1: Integrate device posture with Microsoft Intune service. This is a one-time activity that you do to establish trust between Device Posture and Microsoft Intune.
Step 2: Configure policies to use Microsoft Intune information.
Step 1: Integrate device posture with Microsoft Intune
- To access the Integrations tab, use one of the following methods:
- Access the URL https://device-posture-config.cloud.com on your browser, and then click the Integrations tab.
- Secure Private Access customers - On the Secure Private Access GUI, on the left side navigation pane, click Device Posture, and then click the Integrations tab.
-
Click the ellipsis button, and then click Connect. The admin is redirected to Azure AD to authenticate.
The following table lists the Microsoft Intune API permissions for integration with the Device Posture service.
| API name | Claim value | Permission name | Type |
|---|---|---|---|
| Microsoft Graph | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Application |
| Microsoft Graph | DeviceManagementServiceConfig.Read.All | Read Microsoft Intune devices | Application |
After the integration status changes from Not Configured to Configured, admins can create a device posture policy.
If the integration is not successful, the status appears as Pending. You must click the ellipsis, button and then click Reconnect.
Step 2: Configure device posture policies
-
Click the Device Scans tab and then click Create device policy.
- Enter the name for the policy and set the priority.
- Select the platform for which this policy is created.
- In Select Rule, select Microsoft Endpoint Manager.
- Select a condition, and then select the MEM tags to be matched.
- For Matches any of, an OR condition is applied.
- For Matches all of, an AND condition is applied.
Note:
You can use this rule with other rules that you configure for device posture.
-
In Then the device is: based on the conditions that you have configured, select one of the following.
- Compliant (full access is granted)
- Non-compliant (Restricted access is granted)
- Denied login
For more details about creating a policy, see Configure device posture policy.