Zero Trust building blocks - Leverage Microsoft Intune endpoint Compliance with F5 BIG-IP APM Access
Use case summary
Let's walk through a real life scenario, we have company A that's building its Zero Trust strategy and of course it will be great to make use of existing solutions to reach our target.
Microsoft Intune introduces a great source of intelligence and compliance enforcement for endpoints, combined with F5 BIG-IP Access Policy Manager (APM) integrated with AzureAD this extends the enforcement to the endpoints accessing Company A resources whether it's a SAAS or locally hosted.
Below is the flow of some use cases that leverage how F5 BIG-IP APM and Microsoft Intune pave the way to achieve Zero Trust strategy.
- We've an endpoint Managed by Microsoft Intune.
- Microsoft Intune contains device compliance policy to determine the conditions at which the machine to be considered compliant and the configuration profile determine the configurations for specific applications in our case (F5 Access VPN).
- We have the following use cases,
- User tries to access web application through F5 BIG-IP APM, BIG-IP is already integrated with Microsoft Intune and Azure AD.
- F5 BIG-IP APM acts as SP, that directs user request to AzureAD for authentication and compliance check.
- If the user successfully authenticate and pass compliance policy, user will be redirected back to the application with SAML assertion response otherwise the user will be denied to acces.
- User tries to access web application through F5 BIG-IP APM, BIG-IP is already integrated with Microsoft Intune and Azure AD.
A demo was created by our awesome Access guru Matt_Dierick
-
- User tries to use SSL VPN to access corporate resources,
- User click on F5 Access VPN connection pushed to the endpoint via configuration profile at Microsoft Intune.
- User selects the proper authentication method (Username&Password, Smart Card or Certificate based Authentication).
- Once user successfully authenticate and pass compliance check, a temporary certificate is pushed to the machine.
- The temporary certificate is used to authenticate with F5 BIG-IP APM and then the user is granted access to SSL VPN connection.
- User tries to use SSL VPN to access corporate resources,
A demo was created for this use case as well by our awesome Access guru Matt_Dierick , as Microsoft Intune portal got updated, we may now perform the endpoint management related tasks through endpoint.microsoft.com portal instead of portal.azure.com, make sure to follow Microsoft documentations for any new updates.
Conclusion
In conclusion to the highlighted use cases, we can see that we can make use of existing solutions and extend their capabilities with the ease of integration to acheive our organization Zero Trust strategy.
F5 BIG-IP in general allows the organization to decouple client side connection from server side, which simplifies further services integration to boost organization security posture.
F5 BIG-IP APM allows us to integrate with different parties to extend their capabilties whether they endpoint compliance, risk factor or IDaaS to use such insights for securing application or network access.
In addition to corporate related secure access, if we have customers accessing applications and need integration with Google or other Open ID Connect (OIDC) provider, you can make use of F5 BIG-IP APM OIDC integration to that 3rd party for customers' access.
Additional resources
Configuring Access Policy Manager for MDM applications
BIG-IP Access Policy Manager: Third-Party Integration
OAuth and OpenID Connect - Made easy with Access Guided Configurations templates