Intune Managed Browser is a web browsing app by Microsoft which lets you safely view and navigate web pages that contain company information or internal organization web pages. This is the second post on this topic, where I'm addressing how to effectively use the Managed Browser with EMS components and features.
In Part 01 of this post we discussed topics such as deploying the Managed Browser with Intune, restricting cut, copy and save-as options with Intune app protection policies, and enabling SSO to apps through the Managed Browser. In this post, I will continue by explaining how to centrally manage configurations such as bookmarks, the home page, and whitelisting and blacklisting of web pages. We will also look at configuring conditional access so that corporate apps can be accessed only from the Managed Browser, and at using the Azure app proxy.
Set the Managed Browser as the default app to open corporate apps
When you publish a corporate web app through Intune Apps, there is a setting to select the Managed Browser as the default app to open the link. The user is then prompted to download the Managed Browser if it is not already installed. Once it is installed, the app opens in the Managed Browser and the app protection policies are applied.
Restrict Corporate Apps to browse only from Managed Browser – Conditional Access
In Part 01, I discussed how to protect corporate apps through Intune app protection policies, where you can use the Managed Browser to restrict cut, copy, save-as, and other options. But what if a user accesses the app from an unprotected browser that does not honor the app protection policies? With the help of Azure Conditional Access, you can block all unprotected browsers and allow only the Managed Browser to access the corporate apps. Let's see how we can enable this.
- Log in to the Azure Portal and go to Azure Active Directory > Conditional Access.
- Create a new policy, name the policy, and select the relevant users to whom it should apply.
- From the device platforms, select the relevant device types to which the policy should be pushed.
- Next, select the relevant cloud / corporate app. The app should be published as an enterprise app and be Azure AD integrated.
- From the Access controls, select Require Approved Client app. This enables the list of Intune-enlightened apps that can access the app. Managed Browser is one of them.
- Tick Enable Policy and select Create.
- Users will see the following notification when they try to access the app from anything other than the Managed Browser. So, the App Protection Policies are mandatory.
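The check below is an added example, not part of the original post. It audits Conditional Access policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape and reports the mobile platforms on which the target app is not actually forced through an approved client app. The app ID and both sample policies are constructed placeholders.

```python
# Added example: verify that "Require approved client app" is really enforced.
# Input shape assumed: Microsoft Graph conditionalAccessPolicy JSON objects.
APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder enterprise app ID
MOBILE = {"android", "iOS"}

def enforces_approved_app(policy, app_id, platform):
    """True if this policy blocks unapproved clients for app_id on platform."""
    if policy.get("state") != "enabled":   # report-only or disabled: nothing is blocked
        return False
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {})
    included = set(apps.get("includeApplications", []))
    if not ({app_id, "All"} & included) or app_id in apps.get("excludeApplications", []):
        return False
    plats = cond.get("platforms") or {}    # no platform condition means all platforms
    inc = set(plats.get("includePlatforms", ["all"]))
    if platform in plats.get("excludePlatforms", []) or not ({platform, "all"} & inc):
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "approvedApplication" not in controls:
        return False
    # With operator OR, satisfying any other listed control also grants access,
    # so the approved-app requirement only binds if it is alone or ANDed.
    return grant.get("operator", "OR") == "AND" or len(controls) == 1

def uncovered_platforms(policies, app_id, platforms=MOBILE):
    """Platforms where no enabled policy forces an approved client app."""
    return sorted(p for p in platforms
                  if not any(enforces_approved_app(pol, app_id, p) for pol in policies))

# Constructed sample export: iOS is enforced, Android is still report-only.
SAMPLE = [
    {"displayName": "Managed Browser only (iOS)", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [APP_ID]},
                    "platforms": {"includePlatforms": ["iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "Managed Browser only (Android pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [APP_ID]},
                    "platforms": {"includePlatforms": ["android"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
]

if __name__ == "__main__":
    print("Not enforced on:", uncovered_platforms(SAMPLE, APP_ID))
```
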
Use of Managed Browser with Azure Application Proxy
Using Application Proxy, you can publish internal web apps to the public internet while applying Azure security features. Application Proxy converts the internal URL to a publicly accessible URL, and the content is routed through the app proxy. However, with the Managed Browser you can still use the internal URL. When browsing, the Managed Browser identifies the internal URL and redirects it through the Azure app proxy. For Edge and Chrome, you need to install the Managed Browser Extension and set Company Internal URL Redirection to ON.