
Fu
ServiceNow Employee

Introduction:

Customers can allow access from Intune-enabled apps and block access from non-Intune apps by restricting access at the authentication system. For example, if they use Azure Active Directory, "AD Conditional Access" can restrict access and authentication to policy-managed apps. Specifically, the App Protection policy should restrict data sharing to Policy-managed apps, and the AD Conditional Access policy should "Grant access" only with "Require approved client app" and "Require app protection policy" selected. This ensures that authentication occurs in Edge and that the auth data can be shared only with the Intune version of our application.

 

Here are steps for the Azure AD case: 

 

Step 1: Ensure the instance is doing SSO authentication with Azure AD. If SSO hasn't been configured with Azure AD, please read the setup guide here.

 

Step 2: Create an App Protection policy for Android and another for iOS that restricts data sharing to Policy-managed apps, with these settings:
- "Send org data to other apps" : "Policy managed apps"
- "Receive data from other apps": "Policy managed apps"
- Public apps: make sure both Edge and the ServiceNow Intune apps are listed

 


 

Step 3: Create an App Config policy including both iOS and Android versions of the app. Add these settings: "SNAuthenticationBrowserAndroid" set to "Edge" and "SNAuthenticationBrowseriOS" set to "Edge".

 


 

Step 4: Create an AD Conditional Access policy with these settings:
- "Cloud apps or actions": Under cloud apps, include the ServiceNow app(s)
- "Conditions":
  - "Device platforms": "android" and "iOS"
  - "Client apps (Preview)": "Browser"
- "Grant": check "Grant access", then select "Require approved client app" and "Require app protection policy"
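To confirm that a deployed policy still matches Step 4, the check below audits a Conditional Access policy exported as Microsoft Graph JSON. It is an added example, not ServiceNow's or Microsoft's code; the function name `audit_policy`, the sample policy and the `<servicenow-app-id>` placeholder are assumptions, and the "enabled" check goes beyond what the steps state.

```python
import json

# Constructed sample in the shape Microsoft Graph uses for a
# conditionalAccessPolicy; the application id is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "ServiceNow mobile - Intune apps only (constructed)",
  "state": "enabled",
  "conditions": {
    "applications": {"includeApplications": ["<servicenow-app-id>"]},
    "platforms": {"includePlatforms": ["android", "iOS"]},
    "clientAppTypes": ["browser"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["approvedApplication", "compliantApplication"]
  }
}
""")

# Portal label -> Graph builtInControls value
REQUIRED_GRANTS = (("approvedApplication", "Require approved client app"),
                   ("compliantApplication", "Require app protection policy"))


def audit_policy(policy, servicenow_app_ids):
    """Return deviations from the Step 4 settings; an empty list means a match."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}

    # A disabled or report-only policy enforces nothing.
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    missing = set(servicenow_app_ids) - apps
    if missing and "All" not in apps:
        findings.append(f"ServiceNow app(s) not in scope: {sorted(missing)}")
    platforms = {p.lower() for p in
                 (cond.get("platforms") or {}).get("includePlatforms") or []}
    if not ({"android", "ios"} <= platforms or "all" in platforms):
        findings.append("device platforms do not cover both android and iOS")
    if not {"browser", "all"} & set(cond.get("clientAppTypes") or []):
        findings.append("client app type 'browser' is not targeted")
    controls = set(grant.get("builtInControls") or [])
    for value, label in REQUIRED_GRANTS:
        if value not in controls:
            findings.append(f"grant control missing: {label}")
    return findings
```
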

Comments
swnewton
Mega Guru

For anyone looking for an easy way to accomplish this with a system property.

https://docs.servicenow.com/bundle/tokyo-mobile/page/administer/tablet-mobile-ui/task/config-basic-a...

Version history
Last update:
‎04-30-2021 01:12 PM
Updated by:
ServiceNow Employee