MobileIron Technical Guide: Secure Authentication To Office 365 On MobileIron Core

Please find below a new technical guide from MobileIron on configuring Microsoft Office365 services certificate based authentication and more!

• MobileIron Technical Guide-Secure Authentication to Office 365 on MobileIron Core

Summary
As more enterprises make the move to Office 365 services, enabling secure authentication to your devices secured by MobileIron should be a top priority.

In the Office 365 suite, there are many different services that require setup prior to configuring your MobileIron secured devices with secure authentication.

In this guide, we'll walk through such technologies as iOS SSO, Office 365 cert-based authentication(CBA), and Azure AD enrollment for Windows 10 to secure Office 365 across iOS, Android, MacOS and Windows 10.

This guide assumes that the organization has solved device and application compliance with MobileIron Access previously.

This is the first guide of a two part series.

The second guide walks through enabling application and data loss protection policies across their devices secured by MobileIron to access Office 365 services.

__________________________________________________________

The annual MobileIron Live Conference for 2017 in San Francisco just finished and each year provides very high technical detail of presentation documents which you can find below

You can also find all documents and videos for the MFC 2017 on the MobileIron Community site

• https://community.mobileiron.com/community/mfc/mfc-2017/content

Documents

• Windows 10 Security and Management Made Easier with Sample Powershell Scripts
• Migrating to MobileIron Cloud
• Accelerate to Modern Desktop Security & Management
• Modern Authentication and Single Sign-On
• The Mobile Threat Landscape and the State of Mobile Security
• Tunnel for iOS & 3rd Party Apps - Best Practices
• Securing Cloud Services on Mobile Endpoints
• Android Overview
• MobileIron Access Workshop
• MobileIron Monitor: Deep-Dive and Live Demo
• Single Sign-On Workshop
• DEP & VPP Best Practices and Troubleshooting
• MobileIron IOT Architecture and Strategy
• Technical Workshop: Securing Office 365 with MobileIron
• How MobileIron Can Help with GDPR Compliance
• Android for Enterprise Best Practices & Deep Dive Troubleshooting
• Rountable: App Deployment Strategy Lifecycle Strategy
• MobileIron Bridge Workshop (Windows Out-of-the-Box Experience Part 1)
• Integrating with Microsoft Enterprise Mobility + Security
• Roundtable MobileIron's Secure Development Lifecycle
• MobileIron Core Delivers New UI for Easier Windows 10 Management
• Tunnel for Windows 10
• Roundtable: Delegated Administration
• Making Sense of the Mobile Certification & Compliance Landscape
• Rountable: Modern Computing Center of Excellence (MCCOE)
• Advanced Core Performance Troubleshooting
• Windows Out-of-the-Box Experience Part 2
• Delivering a Unified User Experience Across Modern Operating Systems
• MobileIron DEP Roundtable
• Best Practices for Deploying MobileIron Cloud Sentry in Amazon Web Services and Azure with O365
• MobileIron Cloud Demo
• Inside MobileIron Access Security
• Securing and Managing Apps Using AppConfig.org and MobileIron AppConnect
• BYOD Best Practices
• Windows 10 TCO - Lenovo and MobileIron Framework to Save up to 80%
• Android Security Tech Talk
• Updates on macOS Security and Management

Videos

• Opening Keynote: Strategy
• Thursday Opening Keynote: Strategy
• Closing Keynote: The Digital Transformation of Finanz Informatik
• Windows Out-of-the-Box Experience Part 2
• MobileIron Bridge Workshop (Windows Out-of the-Box Experience Part 1)
• Windows 10 Security and Management Made Easier with Sample Powershell Scripts
• Windows 10 TCO - Lenovo and MobileIron Framework to Save up to 80%
• MobileIron Core Delivers New UI for Easier Windows 10 Management
• Accelerate to Modern Desktop Security & Management
• Delivering a Unified User Experience Across Modern Operating Systems
• Tunnel for Windows 10
• Tunnel for iOS & 3rd Party Apps - Best Practices
• MobileIron Monitor: Deep-Dive and Live Demo
• Migrating to MobileIron Cloud
• Best Practices for Deploying MobileIron Cloud Sentry in Amazon Web Services and Azure with O365
• Android Overview
• Securing and Managing Apps Using AppConfig.org and MobileIron AppConnect
• Android Security Tech Talk
• Android for Enterprise Best Practices & Deep Dive Troubleshooting
• DEP & VPP Best Practices and Troubleshooting
• Advanced Core Performance Troubleshooting
• Technical Workshop: Securing Office 365 with MobileIron
• MobileIron Access Workshop
• The Mobile Threat Landscape and the State of Mobile Security
• Making Sense of the Mobile Certification & Compliance Landscape
• Modern Authentication and Single Sign-On
• Securing Cloud Services on Mobile Endpoints
• MobileIron Cloud Demo
• Integrating with Microsoft Enterprise Mobility + Security
• How MobileIron Can Help with GDPR Compliance
• MobileIron IOT Architecture and Strategy
• Updates on macOS Security and Management
• Afternoon Kick-Off: Cloud Security
• Day 2 Keynote: Product Direction
• Day 3 Keynote: MobileIron and IoT

FYI, you can perform cert based auth directly from device for ActiveSync to Office365 without the requirement for an ADFS Server

All you need to do is upload the Root CA Certificate (and intermediate if you have 2 CA Servers) into

Windows Powershell and run as administrator
Type “Install-module azuread” and hit enter, then Y and A
Type “Connect-AzureAD” and hit enter
Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be no results as you have not added Root Certs yet
Type $cert=Get-Content -Encoding byte " C:\Temp\LocalCA.cer ” (.cer file location of Root CA Cert)
Type “$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation”
Type “$new_ca.AuthorityType=0”
Type “$new_ca.TrustedCertificate=$cert”
Type $new_ca. crlDistributionPoint = “http://server.contoso.com/certsrv/RootCA-server.crl”
Type “New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca”
Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be the Root Cert you just uploaded)
You can now create a user/device certificate with the users Email Address in the Subject and Subject Alternative Name to use for authentication for ActiveSync email to “outlook.office365.com”

Cert based auth for ActiveSync won’t work if you enable MFA for the user in the MFA portal

You will need to create a conditional access policy with the following attributes to still enforce MFA requirement for all other services/applications except ActiveSync

Assignments
Include users in the scope of your test
Include all cloud apps
Include any location. Note that here is where you can exclude an IP whitelist created in the MFA portal by clicking on the exclude tab and selecting ‘MFA Trusted IPs’

Access controls:
Grant access
Require multi-factor authentication

What this accomplishes is:

If an application identifies itself as supporting modern authentication… we will require MFA.
If an application does not identify itself as supporting modern authentication… we will not require MFA.

It should be noted again that this approach is less secure and would also allow other legacy clients such as older versions of Outlook (prior to 2016) to bypass MFA

https://www.mdsny.com/its-not-you-its-me/