Hello,
We have a client that had a particular (but reasonable) requirement.
Background: they already have MaaS360-enrolled devices with an on-prem implementation of Exchange (via CE) and they are planning to move to the cloud shortly (O365).
Expectation: they want to make sure that the users can only access their MS applications from their enrolled devices (PO mode) and are blocked from any non-enrolled device.
In short, the logic is: if the application is opened from within the MaaS360 container it should work, but if it is outside the container they should not be able to log on.
Issue:
We followed the steps for Conditional Access and SSO and couldn't really get further, as we kept getting errors. Authentication kept failing when setting the policy to anything other than "allow all devices".
We got the following response from Support (over multiple interactions):
The device seems not to be a MaaS360 managed device; its deviceCompliance attribute has the value [UNKNOWN]. Due to the access policy configured for this application, its access to the app is denied.
Can we confirm with the user whether the device involved in the flow captured in the video is a MaaS360 managed device? If it's not a managed device, it's expected that access is denied. To allow the unmanaged device access, the access policy will need to be updated to allow it.
We confirmed that it is a BYOD device on PO.
It is expected behaviour on the PO device if the user chooses "MaaS360" app-based authentication. We have again checked with our team and have been informed that currently there is no other available method for "MaaS360" based auth on PO devices. If the customer still wishes for the same, we would request them to raise an RFE (Request for Enhancement) for our Product team to look at the possibility of having this feature in our solution. Upon putting in an RFE, our Product team will directly communicate with you/the customer via the RFE tool. If there is scope to cater to this requirement, our Product team will convey that information to you via the RFE ticket.
MaaS360 SSO inside PO is restricted by default due to security concerns. It uses the clipboard, so it cannot tell the difference between PO and non-PO apps. All apps, even outside the PO profile, can authenticate using the MaaS360 app on the device. If the customer is fine with this limitation, then we can enable the back-end setting for them."
This basically means that this option will also allow apps such as MS Outlook and Teams to be configured by users outside the work profile, escaping the work container. So this will allow all webview apps, even outside the PO container, to use MaaS SSO. If this is not acceptable to the customer, then they can leverage Azure CA (conditional access), which doesn't have this limitation. More detailed information on this can be found at the link below:
Link: https://www.ibm.com/docs/en/maas360?topic=iaam-integrating-maas360-microsoft-enforce-device-compliance-through-azure-ad-conditional-access
This defeats the purpose of containerization.
I want to know if there are any changes to this; needing to depend on MS Intune specifically is awkward.
------------------------------
Deep Mantri
------------------------------