Corporate Network/VPN
02-22-2025 02:57 PM
02-23-2025 05:59 AM
1. IP-Restricted Login for Desktop Users
To restrict desktop access to users connected via the corporate intranet/VPN, use IP Access Control in ServiceNow.
Steps:
- Define Allowed IP Ranges:
  - Identify the IP ranges for your corporate network/VPN.
  - Navigate to System Security > IP Access Control > IP Ranges.
  - Create a new IP range for each corporate network/VPN subnet.
  - Example:
    - Start IP: 192.168.1.1
    - End IP: 192.168.1.254
- Create an IP Access Control Rule:
  - Go to System Security > IP Access Control > Rules.
  - Create a new rule:
    - Name: Corporate Network Access
    - Type: Allow
    - IP Ranges: Select the IP ranges created earlier.
    - Roles: Assign roles that should have access (e.g., itil, snc_internal).
    - Condition: Leave blank to apply to all users.
- Block All Other IPs:
  - Create a second rule to block all other IPs:
    - Name: Block Non-Corporate IPs
    - Type: Deny
    - IP Ranges: Leave blank (applies to all IPs not explicitly allowed).
    - Roles: Assign the same roles as above.
- Test the Configuration:
  - Attempt to log in from both corporate and non-corporate IPs to verify the rules work as expected.
2. Mobile Access with Microsoft Intune and NowMobile
To ensure mobile access is restricted to devices enrolled in Microsoft Intune and authenticated via Azure AD, follow these steps:
Steps:
- Enable Azure AD Authentication:
  - Set up Azure AD as an OAuth provider in ServiceNow:
    - Navigate to System OAuth > Application Registry.
    - Create a new OAuth provider for Azure AD.
    - Configure the Client ID, Client Secret, and Token URL from your Azure AD app.
- Configure Conditional Access in Azure AD:
  - In the Azure AD portal, create a Conditional Access Policy:
    - Users: Select the users or groups who should access ServiceNow.
    - Cloud Apps: Select the ServiceNow app.
    - Conditions:
      - Device Platforms: Include iOS and Android.
      - Client Apps: Include Mobile Apps and Desktop Clients.
    - Grant Access: Require Device to be marked as compliant (enrolled in Intune).
- Integrate NowMobile with Azure AD:
  - Ensure NowMobile is configured to use Azure AD for authentication.
  - In ServiceNow, navigate to Mobile > Administration > Mobile Settings.
  - Enable Azure AD as the authentication method.
- Test Mobile Access:
  - Attempt to log in to NowMobile from a device enrolled in Intune and verify access.
  - Attempt to log in from a non-compliant device to ensure access is blocked.
3. Additional Security Measures
- Multi-Factor Authentication (MFA):
  - Enable MFA for both desktop and mobile users to add an extra layer of security.
  - Use Azure AD MFA or ServiceNow’s built-in MFA.
- Session Management:
  - Configure Session Timeout and Inactivity Timeout in ServiceNow:
    - Navigate to System Security > Session Management > Session Settings.
- Logging and Monitoring:
  - Enable Audit Logs to track login attempts and access violations.
  - Use ServiceNow’s Security Operations module to monitor for suspicious activity.
4. Summary of Configuration
- Desktop Users:
  - Allow access only from corporate IP ranges using IP Access Control.
- Mobile Users:
  - Restrict access to devices enrolled in Microsoft Intune using Azure AD Conditional Access.
  - Authenticate mobile users via Azure AD and ensure they use NowMobile.
5. Testing and Validation
- Desktop:
  - Verify users can log in only when connected to the corporate network/VPN.
- Mobile:
  - Verify users can log in only from Intune-enrolled devices.
  - Ensure non-compliant devices are blocked.
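Added example for the desktop IP-restriction procedure in section 1 (my own code, not ServiceNow's and not part of the reply above): a small local model of ordered allow/deny rules with role scoping and a default-deny fall-through, so the "test from corporate and non-corporate IPs" step can be reasoned about before touching the instance. The 192.168.1.1-254 range is the one quoted in the reply; 203.0.113.0/24 is an assumed stand-in for the VPN concentrator's public egress block. Two caveats a practitioner should keep in mind while reading it: a cloud-hosted instance sees the source address after NAT, i.e. the VPN's public egress address rather than an RFC 1918 address, so the ranges listed must be those public addresses; and what the real product does for a user who holds none of the roles the rules are scoped to is something to confirm on the instance, which is why the model makes its own default (deny) explicit.

```python
"""Added example (not ServiceNow code): a local model of ordered allow/deny
IP rules with role scoping and a default-deny fall-through, used to reason
about the corporate / non-corporate test matrix before touching the instance.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPRange:
    start: str
    end: str

    def contains(self, ip):
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end)
        if ip.version != lo.version:   # v4/v6 compare raises TypeError; treat as no match
            return False
        return lo <= ip <= hi


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    ranges: tuple = ()               # empty tuple = matches every address
    roles: frozenset = frozenset()   # empty = applies to every user

    def matches(self, ip, user_roles):
        if self.roles and not (self.roles & user_roles):
            return False
        return not self.ranges or any(r.contains(ip) for r in self.ranges)


def evaluate(rules, client_ip, user_roles):
    """First matching rule decides; if nothing matches, deny (this model's default)."""
    ip = ipaddress.ip_address(client_ip)
    roles = frozenset(user_roles)
    for rule in rules:
        if rule.matches(ip, roles):
            return rule.action, rule.name
    return "deny", "default"


# Constructed rule set mirroring the two rules in the reply. 192.168.1.1-254 is
# the range quoted there; 203.0.113.0/24 (RFC 5737 documentation space) is an
# assumed stand-in for the VPN concentrator's public egress block.
PROTECTED_ROLES = frozenset({"itil", "snc_internal"})
RULES = (
    Rule("Corporate Network Access", "allow",
         (IPRange("192.168.1.1", "192.168.1.254"),
          IPRange("203.0.113.0", "203.0.113.255")),
         PROTECTED_ROLES),
    Rule("Block Non-Corporate IPs", "deny", (), PROTECTED_ROLES),
)

# Constructed test matrix: (client address as the instance sees it, user's roles)
TEST_CASES = (
    ("192.168.1.50", {"itil"}),           # inside the private range from the reply
    ("203.0.113.10", {"itil"}),           # arrives via the VPN's public egress
    ("198.51.100.7", {"itil"}),           # home broadband, should be denied
    ("2001:db8::1", {"itil"}),            # IPv6 client; no v6 range listed
    ("198.51.100.7", {"approver_user"}),  # holds none of the scoped roles
)


def run_matrix(rules=RULES, cases=TEST_CASES):
    """Return [(ip, action, rule_name), ...] for each constructed case."""
    return [(ip, *evaluate(rules, ip, roles)) for ip, roles in cases]


if __name__ == "__main__":
    for ip, action, rule in run_matrix():
        print(f"{ip:16} {action:5} ({rule})")
```

Drop the 203.0.113.0/24 range from the allow rule and the second case flips to deny: a VPN user whose packets leave the corporate network from 203.0.113.10 is not inside 192.168.1.x as far as the instance is concerned. That is the check worth running against the real rules before turning the deny rule on.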
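Added example for the Conditional Access procedure in section 2 (my own code, not Microsoft's, ServiceNow's, or part of the reply above): the policy described there written out as the Microsoft Graph conditionalAccessPolicy body, plus a local check of how its scope and grant control evaluate against constructed sign-ins. The app and group identifiers are placeholders, and the sign-in records are constructed; in the real tenant the compliantDevice control is satisfied only when the device is registered with Entra ID and Intune reports it compliant. The point the check makes visible is scope: because the policy is limited to iOS/Android and mobile clients, a browser sign-in from a laptop is simply not covered by it, which is why the desktop side is handled by the IP rules in section 1 rather than by this policy.

```python
"""Added example (not Microsoft's or ServiceNow's code): the Conditional Access
policy from the reply as a Microsoft Graph conditionalAccessPolicy body, plus a
local check of scope and grant evaluation against constructed sign-ins.
The app and group identifiers are placeholders.
"""
import json

SERVICENOW_APP_ID = "00000000-0000-0000-0000-000000000000"    # placeholder: appId of the ServiceNow enterprise app
MOBILE_USERS_GROUP = "11111111-1111-1111-1111-111111111111"   # placeholder: objectId of the allowed users' group


def build_policy(app_id=SERVICENOW_APP_ID, group_id=MOBILE_USERS_GROUP,
                 state="enabledForReportingButNotEnforced"):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Defaults to report-only so sign-in logs can be reviewed before enforcing."""
    return {
        "displayName": "ServiceNow mobile: require Intune-compliant device",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def in_scope(policy, sign_in):
    """All four condition sets must match for the policy to apply to a sign-in."""
    c = policy["conditions"]
    return (sign_in["group"] in c["users"]["includeGroups"]
            and sign_in["app"] in c["applications"]["includeApplications"]
            and sign_in["platform"] in c["platforms"]["includePlatforms"]
            and sign_in["client_app_type"] in c["clientAppTypes"])


def decide(policy, sign_in):
    """'allow' | 'block' | 'not-in-scope', prefixed with 'report-only:' when not enforced."""
    if not in_scope(policy, sign_in):
        return "not-in-scope"
    g = policy["grantControls"]
    required = set(g["builtInControls"])
    met = set(sign_in["controls_met"])
    satisfied = bool(required & met) if g["operator"] == "OR" else required <= met
    verdict = "allow" if satisfied else "block"
    return verdict if policy["state"] == "enabled" else f"report-only:{verdict}"


def sign_in(platform, client_app_type, compliant,
            group=MOBILE_USERS_GROUP, app=SERVICENOW_APP_ID):
    """Constructed sign-in event. compliantDevice is met only when Intune reports
    the Entra-registered device as compliant."""
    return {"group": group, "app": app, "platform": platform,
            "client_app_type": client_app_type,
            "controls_met": ["compliantDevice"] if compliant else []}


if __name__ == "__main__":
    policy = build_policy(state="enabled")
    print(json.dumps(policy, indent=2))
    for label, s in [
        ("NowMobile on compliant iPhone", sign_in("iOS", "mobileAppsAndDesktopClients", True)),
        ("NowMobile on unmanaged Android", sign_in("android", "mobileAppsAndDesktopClients", False)),
        ("browser on a Windows laptop", sign_in("windows", "browser", False)),
    ]:
        print(f"{label}: {decide(policy, s)}")
```

Create the policy in report-only state first, confirm from the sign-in logs that the compliant-device sign-ins would have been allowed and the unmanaged ones blocked, and only then switch state to enabled; a policy that blocks the wrong population locks out the users it was meant to protect.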