This section contains information describing the process for setting up Ivanti EPMM to Microsoft Azure Tenant.
A growing number of organizations are using Microsoft's productivity apps on mobile devices, such as Microsoft 365, OneDrive, etc. These kind of deployments give device users access to their organization's resources using various devices and apps from anywhere and using only their credentials. If the credentials get compromised, any unauthorized person can also login and get complete access to the organization's data. Just focusing on who can access the organization's resources is no longer sufficient; IT administrators must know how and from which device the organization's resource is accessed from. They have to make sure that data is accessed from the devices that meets the corporate compliance policy and have these corporate policies on each and every device. Administrators should also be able to block access to unauthorized devices by defining conditional access policies.
Using Microsoft's Intune device compliance APIs allow organizations to update the device compliance status in the Microsoft Azure Active Directory (AAD.) Using conditional access from AAD, if the device is non-compliant, administrators can block the device from accessing apps. By connecting Ivanti EPMM to the AAD, administrators will be able to use the device compliance status of Ivanti EPMM's managed devices for conditional access to Microsoft 365 apps.
Ivanti EPMM customers must have a valid subscription to Microsoft Intune and assign a Microsoft Intune license to device users supported by this integration.
Please also see: Microsoft licensing for Microsoft 365 App services.
Ivanti EPMM - Administrators will need Ivanti EPMM version 220.127.116.11 or supported newer versions.
If you do not have a link to your Ivanti EPMM instance, contact your Ivanti Customer Success Manager.
- Ivanti Mobile@Work for Android (client) – version 8.0 or supported newer versions.
Supported OS versions
Android 8.0 or supported newer versions
The Microsoft website states:
Office for Android (including Outlook for Android) can be installed on tablets and phones running any of the supported versions of Android and have an ARM-based or Intel x86 processor. Starting on July 1, 2019, support will be limited to only the last four major versions of Android.
For more information on supported OS versions, see Microsoft 365 Office resources.
Unsupported OS versions
Behavior if unsupported device OS versions is used:
Device users can complete the device registration for AAD and are able to authenticate Microsoft apps (Outlook).
Multiple Ivanti EPMM support
If you have multiple Ivanti EPMMs connected to the same Azure tenant, you should not disconnect from a single Ivanti EPMM from Azure tenant. Your options are:
Disconnect from all Ivanti EPMMs
Disable compliance policy for AAD compliance integration from a specific (single) Ivanti EPMM so that it does not upload device data to Azure
Be sure to disable the compliance policy prior to disconnecting Ivanti EPMM.
For additional help with this feature, contact Ivanti Technical Support.
From the Ivanti EPMM administrator's point of view
Below lists the process from the Ivanti EPMM administrator's perspective.
- Administrator applies Intune licenses to device users. See Apply the Intune license to device users.
- Administrator logs into Azure Portal.
- Administrator adds Ivanti EPMM as an Azure compliance partner. See Adding Ivanti EPMM as a compliance partner.
- Administrator creates the Conditional Access policy for the apps. See Creating a conditional access policy in Microsoft Endpoint Manager.
- Administrator sets up the connection between Ivanti EPMM and Azure. This allows client devices to report compliance status to Azure. See Connecting Microsoft Azure to Ivanti EPMM.
- Administrator creates the device compliance policy in Ivanti EPMM. See Creating a partner device compliance policy.
When the device checks in, the device compliance status is sent to the Azure portal.
The Conditional Access policy goes into effect. Depending upon whether the device is compliant or not, the access to the app(s) is granted or denied.
Administrator can disconnect from Azure. See De-provisioning of the Azure tenant.
Ivanti recommends the administrator run tests on each and every Microsoft app: Outlook, Word, Excel, Powerpoint, OneDrive, etc.
From the device user's point of view
Below lists the process from the device user's perspective.
- Device user's device is enrolled with Ivanti Mobile@Work. See Installing Ivanti Mobile@Work for iOS and Android.
Log into the AAD account. This requires the Authenticator app to be installed on the device (see Required client device user action and use cases.)
If Authenticator is available on device, device user logs into AAD account using their Microsoft credentials.
If Authenticator is not installed on the device, device user is guided to install the Authenticator and then log in using their Microsoft credentials.
Note the following:
- If the device is compliant, device user can access Microsoft 365 apps.
If the device is not compliant, an error displays stating the app cannot be opened.