Corporate Network/VPN

Mansor2 · ‎02-22-2025

Hello,

If the below use cae be done.

We are working on to setup IP restricted login access - within Corporate Network/VPN only for both Desktop and Mobile.

Example - Desktop: Users can only access ServiceNow if they are connected via Intranet

Mobile: Device enrolled in Microsoft Intune x NowMobile (authenticated with Azure AD).

Not sure if this the right article, can someone help answer how this can be achived with a docs link would be great.

Regards

Murtaza Saify · ‎02-23-2025

To restrict desktop access to users connected via the corporate intranet/VPN, use IP Access Control in ServiceNow.

Define Allowed IP Ranges:
- Identify the IP ranges for your corporate network/VPN.
- Navigate to System Security > IP Access Control > IP Ranges.
- Create a new IP range for each corporate network/VPN subnet.
  - Example:
    - Start IP: 192.168.1.1
    - End IP: 192.168.1.254
Create an IP Access Control Rule:
- Go to System Security > IP Access Control > Rules.
- Create a new rule:
  - Name: Corporate Network Access
  - Type: Allow
  - IP Ranges: Select the IP ranges created earlier.
  - Roles: Assign roles that should have access (e.g., itil, snc_internal).
  - Condition: Leave blank to apply to all users.
Block All Other IPs:
- Create a second rule to block all other IPs:
  - Name: Block Non-Corporate IPs
  - Type: Deny
  - IP Ranges: Leave blank (applies to all IPs not explicitly allowed).
  - Roles: Assign the same roles as above.
Test the Configuration:
- Attempt to log in from both corporate and non-corporate IPs to verify the rules work as expected.

To ensure mobile access is restricted to devices enrolled in Microsoft Intune and authenticated via Azure AD, follow these steps:

Enable Azure AD Authentication:
- Set up Azure AD as an OAuth provider in ServiceNow:
  - Navigate to System OAuth > Application Registry.
  - Create a new OAuth provider for Azure AD.
  - Configure the Client ID, Client Secret, and Token URL from your Azure AD app.
Configure Conditional Access in Azure AD:
- In the Azure AD portal, create a Conditional Access Policy:
  - Users: Select the users or groups who should access ServiceNow.
  - Cloud Apps: Select the ServiceNow app.
  - Conditions:
    - Device Platforms: Include iOS and Android.
    - Client Apps: Include Mobile Apps and Desktop Clients.
  - Grant Access: Require Device to be marked as compliant (enrolled in Intune).
Integrate NowMobile with Azure AD:
- Ensure NowMobile is configured to use Azure AD for authentication.
- In ServiceNow, navigate to Mobile > Administration > Mobile Settings.
- Enable Azure AD as the authentication method.
Test Mobile Access:
- Attempt to log in to NowMobile from a device enrolled in Intune and verify access.
- Attempt to log in from a non-compliant device to ensure access is blocked.

Multi-Factor Authentication (MFA):
- Enable MFA for both desktop and mobile users to add an extra layer of security.
- Use Azure AD MFA or ServiceNow’s built-in MFA.
Session Management:
- Configure Session Timeout and Inactivity Timeout in ServiceNow:
  - Navigate to System Security > Session Management > Session Settings.
Logging and Monitoring:
- Enable Audit Logs to track login attempts and access violations.
- Use ServiceNow’s Security Operations module to monitor for suspicious activity.

Desktop Users:
- Allow access only from corporate IP ranges using IP Access Control.
Mobile Users:
- Restrict access to devices enrolled in Microsoft Intune using Azure AD Conditional Access.
- Authenticate mobile users via Azure AD and ensure they use NowMobile.

Desktop:
- Verify users can log in only when connected to the corporate network/VPN.
Mobile:
- Verify users can log in only from Intune-enrolled devices.
- Ensure non-compliant devices are blocked.