Corporate Network/VPN

Mansor2
Tera Contributor
Hello,
Can the below use case be done?
We are working on setting up IP-restricted login access (corporate network/VPN only) for both desktop and mobile.
Example:
  Desktop: Users can only access ServiceNow if they are connected via the intranet.
  Mobile: Device enrolled in Microsoft Intune x NowMobile (authenticated with Azure AD).

Not sure if this is the right article; could someone help answer how this can be achieved? A docs link would be great.

Regards
1 REPLY

Murtaza Saify
Tera Contributor

1. IP-Restricted Login for Desktop Users

To restrict desktop access to users connected via the corporate intranet/VPN, use IP Access Control in ServiceNow.

Steps:
  1. Define Allowed IP Ranges:
    • Identify the IP ranges for your corporate network/VPN.
    • Navigate to System Security > IP Access Control > IP Ranges.
    • Create a new IP range for each corporate network/VPN subnet.
      • Example:
        • Start IP: 192.168.1.1
        • End IP: 192.168.1.254
  2. Create an IP Access Control Rule:
    • Go to System Security > IP Access Control > Rules.
    • Create a new rule:
      • Name: Corporate Network Access
      • Type: Allow
      • IP Ranges: Select the IP ranges created earlier.
      • Roles: Assign roles that should have access (e.g., itil, snc_internal).
      • Condition: Leave blank to apply to all users.
  3. Block All Other IPs:
    • Create a second rule to block all other IPs:
      • Name: Block Non-Corporate IPs
      • Type: Deny
      • IP Ranges: Leave blank (applies to all IPs not explicitly allowed).
      • Roles: Assign the same roles as above.
  4. Test the Configuration:
    • Attempt to log in from both corporate and non-corporate IPs to verify the rules work as expected.

2. Mobile Access with Microsoft Intune and NowMobile

To ensure mobile access is restricted to devices enrolled in Microsoft Intune and authenticated via Azure AD, follow these steps:
  1. Enable Azure AD Authentication:
    • Set up Azure AD as an OAuth provider in ServiceNow:
      • Navigate to System OAuth > Application Registry.
      • Create a new OAuth provider for Azure AD.
      • Configure the Client ID, Client Secret, and Token URL from your Azure AD app.
  2. Configure Conditional Access in Azure AD:
    • In the Azure AD portal, create a Conditional Access Policy:
      • Users: Select the users or groups who should access ServiceNow.
      • Cloud Apps: Select the ServiceNow app.
      • Conditions:
        • Device Platforms: Include iOS and Android.
        • Client Apps: Include Mobile Apps and Desktop Clients.
      • Grant Access: Require Device to be marked as compliant (enrolled in Intune).
  3. Integrate NowMobile with Azure AD:
    • Ensure NowMobile is configured to use Azure AD for authentication.
    • In ServiceNow, navigate to Mobile > Administration > Mobile Settings.
    • Enable Azure AD as the authentication method.
  4. Test Mobile Access:
    • Attempt to log in to NowMobile from a device enrolled in Intune and verify access.
    • Attempt to log in from a non-compliant device to ensure access is blocked.

3. Additional Security Measures
  1. Multi-Factor Authentication (MFA):
    • Enable MFA for both desktop and mobile users to add an extra layer of security.
    • Use Azure AD MFA or ServiceNow’s built-in MFA.
  2. Session Management:
    • Configure Session Timeout and Inactivity Timeout in ServiceNow:
      • Navigate to System Security > Session Management > Session Settings.
  3. Logging and Monitoring:
    • Enable Audit Logs to track login attempts and access violations.
    • Use ServiceNow’s Security Operations module to monitor for suspicious activity.

4. Summary of Configuration
  • Desktop Users:
    • Allow access only from corporate IP ranges using IP Access Control.
  • Mobile Users:
    • Restrict access to devices enrolled in Microsoft Intune using Azure AD Conditional Access.
    • Authenticate mobile users via Azure AD and ensure they use NowMobile.

5. Testing and Validation
  • Desktop:
    • Verify users can log in only when connected to the corporate network/VPN.
  • Mobile:
    • Verify users can log in only from Intune-enrolled devices.
    • Ensure non-compliant devices are blocked.
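The allow-then-deny IP rule pair from section 1 of the reply, modelled in Python so the policy can be checked against sample login attempts before it is enforced on an instance. This is an added example, not code from the thread and not ServiceNow's own evaluation logic: it assumes the order the reply describes (an address inside an allowed range is admitted, the blank-range deny rule catches everything else for the same roles) and that a rule only applies to users holding one of its listed roles. The ranges, roles, VPN pool and client addresses are constructed for illustration; confirm the behaviour on your own instance.

```python
"""Model of the two IP Access Control rules from the reply above.

Added example, not from the thread and not ServiceNow's code. Assumed
semantics: allow rules are checked before deny rules, a deny rule with no
ranges matches every address, and a rule only applies to users who hold
one of its roles. All sample data is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRule:
    name: str
    rule_type: str          # "allow" or "deny"
    roles: frozenset        # users holding any of these roles are subject to the rule
    networks: tuple = ()    # empty means "any address" (the catch-all deny rule)


def cidr_to_start_end(cidr):
    """Translate a CIDR block into the Start IP / End IP pair the IP Ranges form takes."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def build_policy(corporate_cidrs, restricted_roles):
    """The allow-then-deny pair the reply sets up, for the given corporate ranges."""
    nets = tuple(ipaddress.ip_network(c, strict=True) for c in corporate_cidrs)
    roles = frozenset(restricted_roles)
    return (
        IpRule("Corporate Network Access", "allow", roles, nets),
        IpRule("Block Non-Corporate IPs", "deny", roles),
    )


def rule_matches(rule, addr):
    """A rule with no ranges matches everything; otherwise the address must be in a range."""
    return not rule.networks or any(addr in net for net in rule.networks)


def login_allowed(policy, client_ip, user_roles):
    """Simulate one login attempt under the assumed allow-before-deny order."""
    addr = ipaddress.ip_address(client_ip)
    applicable = [r for r in policy if r.roles & frozenset(user_roles)]
    if any(r.rule_type == "allow" and rule_matches(r, addr) for r in applicable):
        return True
    if any(r.rule_type == "deny" and rule_matches(r, addr) for r in applicable):
        return False
    return True  # no rule targets this user's roles, so IP control does not apply


def pool_is_covered(policy, pool_cidr):
    """Check that an entire VPN address pool sits inside one allowed range."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    allowed = [n for r in policy if r.rule_type == "allow" for n in r.networks]
    return any(pool.version == n.version and pool.subnet_of(n) for n in allowed)


if __name__ == "__main__":
    policy = build_policy(["192.168.1.0/24", "10.8.0.0/16"], ["itil", "snc_internal"])
    print("10.8.0.0/16 as Start/End:", cidr_to_start_end("10.8.0.0/16"))
    attempts = [("192.168.1.42", {"itil"}), ("203.0.113.5", {"itil"}),
                ("203.0.113.5", {"admin"}), ("2001:db8::1", {"itil"})]
    for ip, roles in attempts:
        verdict = "allowed" if login_allowed(policy, ip, roles) else "denied"
        print(f"{ip:>14} {sorted(roles)}: {verdict}")
    print("VPN pool 10.8.0.0/16 covered:", pool_is_covered(policy, "10.8.0.0/16"))
    print("VPN pool 10.9.0.0/24 covered:", pool_is_covered(policy, "10.9.0.0/24"))
```

Two of the simulated attempts are the checks worth repeating against a real instance: a user with a role that is not on either rule (here `admin`) is not restricted at all, so the role list on both rules must cover every role that can log in; and an IPv6 client matches no IPv4 allow range and falls into the catch-all deny, so dual-stack VPN pools need their own ranges.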
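The Conditional Access policy from section 2 of the reply, written out in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource, with a lint that checks an exported policy for the properties the mobile restriction depends on. This is an added example, not code from the thread and not Microsoft's; the JSON field names are assumed from the public Graph schema, and the app and group IDs are placeholders. The `weakened_policy` function is a constructed misconfiguration (report-only state, and MFA added as an alternative grant control) to show what the lint reports.

```python
"""Lint for the Azure AD Conditional Access policy the reply describes.

Added example, not from the thread and not Microsoft's code. Assumes the
Microsoft Graph conditionalAccessPolicy JSON shape (as returned by
GET /identity/conditionalAccess/policies). Checks that the policy is
enforced, targets the ServiceNow app on iOS and Android, and grants
access only to a compliant (Intune-enrolled) device. IDs are placeholders.
"""
import copy
import json

SERVICENOW_APP_ID = "00000000-0000-0000-0000-000000000001"      # placeholder app id
MOBILE_USERS_GROUP_ID = "00000000-0000-0000-0000-000000000002"  # placeholder group id


def build_mobile_policy(app_id=SERVICENOW_APP_ID, group_id=MOBILE_USERS_GROUP_ID):
    """The policy from the reply, in Graph's JSON shape, ready to POST."""
    return {
        "displayName": "ServiceNow mobile: require Intune-compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def lint_mobile_policy(policy, app_id=SERVICENOW_APP_ID):
    """Return a list of gaps; an empty list means the policy enforces the reply's requirement."""
    findings = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        findings.append("state %r: policy is not enforced" % policy.get("state"))
    apps = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        findings.append("ServiceNow app is not in includeApplications")
    platforms = set(cond.get("platforms", {}).get("includePlatforms", []))
    if "all" not in platforms:
        for p in ("iOS", "android"):
            if p not in platforms:
                findings.append("platform %s is not targeted" % p)
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "compliantDevice" not in controls:
        findings.append("grant does not require compliantDevice")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any single control satisfies the grant, so a device that
        # only passes MFA gets in without being Intune-compliant.
        others = ", ".join(sorted(controls - {"compliantDevice"}))
        findings.append("operator OR lets %s satisfy the grant without a compliant device" % others)
    return findings


def weakened_policy():
    """Constructed misconfiguration: report-only, and MFA alone satisfies the grant."""
    weak = copy.deepcopy(build_mobile_policy())
    weak["state"] = "enabledForReportingButNotEnforced"
    weak["grantControls"]["builtInControls"].append("mfa")
    return weak


if __name__ == "__main__":
    print(json.dumps(build_mobile_policy(), indent=2))
    print("good policy findings:", lint_mobile_policy(build_mobile_policy()))
    print("weak policy findings:", lint_mobile_policy(weakened_policy()))
```

The operator check is the one most often missed in review: the portal's "Require one of the selected controls" maps to `"operator": "OR"`, and adding MFA alongside "Require device to be marked as compliant" under that setting means an unenrolled phone that completes MFA is granted access, which defeats the Intune requirement the reply is after.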