Create a New AD Source
Update the Authentication Filter Query using:
(&(userPrincipalName=%{Endpoint:Intune Email Address})(objectClass=user))

Enable Authorization under the MAC Auth Service, and add the new Source.
Update the role mapping policy like in the below screenshot. Here we are checking if the userDn exists, which will confirm the user account exists (we are using the endpoint email to pull the data), and we are verifying that the UAC is not 66050 (Disabled).

Here I am making an assumption that the email address is stored in userPrincipalName on AD; if not, then you can update the filter query with the attribute which is storing the email address of the user.
------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP
------------------------------
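The lookup and role-mapping logic described in the answer above, and the userAccountControl value of 66050 mentioned in the question below it, as an added worked example in Python. This is not ClearPass code and not the author's configuration; the directory entries are constructed sample data, and the e-mail address plays the part of the %{Endpoint:Intune Email Address} variable. The example shows what the flag bits in 66050 actually are, builds the filter from the post with the address escaped so it cannot alter the filter structure, and makes the same "account exists and is not disabled" decision the role mapping makes.

```python
# Added example (not ClearPass code): decode AD's userAccountControl value,
# build the LDAP lookup filter for an endpoint's e-mail address, and make the
# same "account exists and is not disabled" decision as the role mapping above.
# Directory entries below are constructed sample data.

# Bit flags from Microsoft's userAccountControl attribute documentation.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x2

# OID of the LDAP_MATCHING_RULE_BIT_AND extended match supported by AD.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list:
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever the other bits are."""
    return bool(value & ACCOUNTDISABLE)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so an e-mail address pulled from
    an endpoint record cannot change the structure of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_lookup_filter(email: str, attribute: str = "userPrincipalName") -> str:
    """The filter from the post, with the endpoint's e-mail substituted in."""
    return "(&(%s=%s)(objectClass=user))" % (attribute, escape_filter_value(email))


def build_enabled_only_filter(email: str, attribute: str = "userPrincipalName") -> str:
    """Variant that lets the directory exclude disabled accounts itself by
    testing only the ACCOUNTDISABLE bit with the bitwise-AND matching rule."""
    return "(&(%s=%s)(objectClass=user)(!(userAccountControl:%s:=%d)))" % (
        attribute, escape_filter_value(email), BIT_AND_RULE, ACCOUNTDISABLE)


# Constructed sample directory keyed by userPrincipalName.
SAMPLE_DIRECTORY = {
    "alice@example.com": {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "userAccountControl": 512},
    "bob@example.com": {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "userAccountControl": 66050},
    "carol@example.com": {"dn": "CN=Carol,OU=Users,DC=example,DC=com", "userAccountControl": 514},
}


def classify_endpoint_user(email: str, directory=SAMPLE_DIRECTORY) -> str:
    """Mirror the role-mapping decision: 'missing' when no userDn comes back,
    'disabled' when the disable bit is set, otherwise 'active'."""
    entry = directory.get(email.lower())
    if entry is None or not entry.get("dn"):
        return "missing"
    if is_disabled(entry["userAccountControl"]):
        return "disabled"
    return "active"


if __name__ == "__main__":
    for email in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"):
        entry = SAMPLE_DIRECTORY.get(email)
        uac = entry["userAccountControl"] if entry else None
        flags = decode_uac(uac) if uac is not None else []
        print(email, classify_endpoint_user(email), uac, flags)
```

Running it shows that 66050 is NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE, so a rule that compares the attribute to exactly 66050 only catches disabled accounts that also have "password never expires" set; the constructed user with 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE) is disabled as well but would pass such a rule. Testing the single ACCOUNTDISABLE bit, either in the policy or in the filter with the bitwise matching rule, covers both.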
Original Message:
Sent: Sep 22, 2021 08:17 PM
From: Kelly Levine
Subject: Intune & Endpoint repository
Would there be a way to look up in Active Directory by the email address pulled from the Intune endpoint to confirm if the user account is disabled? I added the userAccountControl attribute to my source and it seems to work; I followed this guide. Not sure how to role map this. I would like to verify the user account email on our AD is not disabled. According to the guide, when the account is disabled the userAccountControl is 66050.
https://community.arubanetworks.com/blogs/arunkumar1/2020/10/20/how-to-check-if-an-ad-account-is-disabled-in-clearpass-with-the-useraccountcontrol-attribute
------------------------------
Kelly L
Original Message:
Sent: Sep 20, 2021 08:18 PM
From: Sandeep Yadav
Subject: Intune & Endpoint repository
Yes, as of now it's expected. Unless there is an option of making an API call towards CPPM for deleting endpoints from the MDM, endpoints will be deleted based on the CPPM cleanup intervals, as CPPM will not keep track of which endpoints are deleted from the MDM server.
Hence, instead of deleting the endpoint, you can alter the attributes like "is managed" or "is compromised", etc., and leverage those in policies.
------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP
Original Message:
Sent: Sep 20, 2021 07:18 PM
From: Kelly Levine
Subject: Intune & Endpoint repository
Hi,
When I remove a managed device from Intune I notice it does not remove it from endpoints. Is that normal behavior for the Intune extension? If so, is there anything that can be done to remove those devices?
------------------------------
Kelly L
------------------------------