Security

last person joined: 20 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Intune & Endpoint repository

This thread has been viewed 39 times
  • 1.  Intune & Endpoint repository

    Posted Sep 20, 2021 07:18 PM
    HI,
      When I remove a managed device from Intune I notice it does not remove it from endpoints is that normal behaver for the Intune extension? If so is there anything can be done to remove those devices?

    ------------------------------
    Kelly L
    ------------------------------


  • 2.  RE: Intune & Endpoint repository

    Posted Sep 20, 2021 08:18 PM
    Yes as of now it's expected, unless there is an option of making an API call towards CPPM for deleting endpoints from MDM, endpoints will be deleted based on the CPPM cleanup intervals as CPPM will not have a track of as to which endpoints are deleted from the MDM server.
    Hence, instead of deleting the endpoint, you can alter the attributes like is managed, or is compromised etc while leveraging those in policies.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 3.  RE: Intune & Endpoint repository

    Posted Sep 22, 2021 08:17 PM
    Would there be a way to look up in Active Directory by email address pulled from the Intune endpoint confirm if the user account is disabled. I added the attribute userAccountControl attribute to my source it seems to work followed this guide. Not sure how to rolemap this I would like to verify the user account email on our AD is not disabled. According to the guide it says when the account is disabled the userAccountControl is 66050.  

    https://community.arubanetworks.com/blogs/arunkumar1/2020/10/20/how-to-check-if-an-ad-account-is-disabled-in-clearpass-with-the-useraccountcontrol-attribute

    ------------------------------
    Kelly L
    ------------------------------



  • 4.  RE: Intune & Endpoint repository

    Posted Sep 24, 2021 02:00 PM
    Create a New AD Source
    Update the Authentication Filter Query using 

    (&(userPrincipalName=%{Endpoint:Intune Email Address})(objectClass=user))


    Enable Authorization under the MAC Auth Service, and add the new Source.
    Update the role mapping policy like in the below screenshot, here we are checking if the userDn exist which will confirm user Account Exists ( we are using endpoint email to pull the data ) + we are verifying that the UAC is not 66050 ( Disabled 


    Here I am making an assumption that the email address is stored in userPrincipalName on AD, if not then you can update the filter query with the attribute which is storing the email address of the user

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 5.  RE: Intune & Endpoint repository

    Posted 29 days ago
    That works I had to adjust the return value for accounts that are disabled was 514 instead of 66050.  I had to change to Authorization:ADserver:Email  EXISTS instead of userDN .  Easy to figure out what value it was returning from access tracker after I found a known disabled account on our AD. 

    Thanks

    ------------------------------
    Kelly L
    ------------------------------