Buckets84
Copper Contributor
Feb 09, 2025

Q: Restricting access to Business Web Application/Non-Enterprise Application

Hi all,

We are in the middle of moving our on-prem infrastructure to Intune and more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. 

The one business application we are needing to find a solution for is a web-based application that we do not control outside of user administration and limited customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on its roadmap.

Users can access this application from any web browser using their username and password credentials and an application-specific 2FA process using an SMS code. There is no connection between our MS tenant and this web application. The sensitive nature of the information stored within this application and the availability of this application from any device with a web browser have raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device, as they may need to do in the course of their duties: if they left the organization, we would have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures.

We can limit what devices are allowed to connect to work resources (Compliant) and access work applications (all but one, and they need to be compliant to do so), but is there a way to prevent the personal profile of any BYOD device that is compliant from accessing or logging into this specific URL in any browser from the personal profile?

  • luchete
    Steel Contributor

    Hi Buckets84!

    To restrict access to the web application from personal profiles on BYOD devices, you can configure a policy in Intune that blocks access to that specific URL in personal browsers. This can be done by setting up an application or URL block on devices that are enrolled in Intune, ensuring that only corporate profiles or managed devices can access the site.

    If you need more details on how to block access to a specific URL on personal browsers of BYOD devices, I'll leave you the steps:

    Go to the Microsoft Endpoint Manager admin center and create a device configuration profile for the platform you're using. In the profile settings, look for options like "Web filtering" or "Block access to specific URLs" and add the URL of the business application you want to restrict. Assign this profile to the devices you want to manage, ensuring it applies to BYOD devices. After applying the policy, test access to the URL from a personal device to ensure it’s blocked while still available on managed devices.

    Another option is to consider using a mobile application management (MAM) policy to limit data access and prevent data leakage. This will ensure sensitive information remains protected even if the device is personal.

    Let me know how it goes.

    Regards
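One way to express the URL block described in the reply above, as an added example that is not part of this thread and not Microsoft's own sample code: a Python script that builds the managed configuration Intune pushes to Chrome in an Android Enterprise work profile. Intune delivers browser settings to managed Android apps as a managed configuration, and Chrome's URLBlocklist key takes a JSON array serialised as a string. The package id, the Graph androidManagedStoreAppConfiguration request shape and its base64-encoded payloadJson field are assumptions to check against current Intune and Graph documentation; the blocked URL is a constructed placeholder.

```python
import base64
import json

# Assumptions (not from the thread): Chrome's Managed Google Play product id and
# the Graph beta "androidManagedStoreAppConfiguration" body shape. Verify both
# against current documentation before using this against a real tenant.
CHROME_PACKAGE = "app:com.android.chrome"
# Constructed placeholder for the business web application's URL.
BLOCKED_URLS = ["https://sensitive-app.example.invalid"]


def build_managed_configuration(product_id: str, blocked: list[str]) -> dict:
    """Return the managed configuration document Chrome reads for URLBlocklist.

    Android managed configurations carry list-valued keys as a string that
    itself contains a JSON array, so the block list is serialised twice.
    """
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": product_id,
        "managedProperty": [
            {"key": "URLBlocklist", "valueString": json.dumps(blocked)},
        ],
    }


def build_intune_request(product_id: str, blocked: list[str], display_name: str) -> dict:
    """Wrap the managed configuration as an Intune app configuration policy body.

    The policy targets the work profile only; payloadJson is the base64-encoded
    managed configuration (assumed field format).
    """
    config = build_managed_configuration(product_id, blocked)
    payload = base64.b64encode(json.dumps(config).encode("utf-8")).decode("ascii")
    return {
        "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
        "displayName": display_name,
        "packageId": product_id,
        "profileApplicability": "androidWorkProfile",
        "payloadJson": payload,
    }


def blocked_urls_from_request(body: dict) -> list[str]:
    """Decode a policy body and return its URLBlocklist entries, for review or audit."""
    config = json.loads(base64.b64decode(body["payloadJson"]))
    for prop in config["managedProperty"]:
        if prop["key"] == "URLBlocklist":
            return json.loads(prop["valueString"])
    return []


if __name__ == "__main__":
    body = build_intune_request(
        CHROME_PACKAGE, BLOCKED_URLS, "Block sensitive web app in work-profile Chrome"
    )
    print(json.dumps(body, indent=2))
    print("Decoded block list:", blocked_urls_from_request(body))
```

The decode helper is there so a reviewer can confirm what a policy actually blocks before it is assigned. Note what this controls: the managed browser inside the work profile. Intune does not manage apps in the personal profile of a work-profile device, so a block expressed this way does not reach a personal-profile browser; keeping the data inside managed apps (for example through an app protection policy) is the lever that covers the wipe-on-departure concern raised in the question.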
