
KB012: Configure Microsoft Intune MDM Integration

Last Updated: July 22, 2025

Applies To: HySecure Gateway 7.1 Service Pack 1 and above

Category: Device Management & Security

Overview

This guide explains how to configure device approval through the Microsoft Intune MDM server as an external authentication source. This feature enables automatic device approval for HySecure gateway access based on device registration status with Microsoft Intune MDM server, streamlining device management through existing MDM infrastructure.

Prerequisites

  • HySecure Gateway 7.1 Service Pack 1 or higher.

  • Security Officer or Administrator access to the HySecure management console.

  • A configured and operational Microsoft Intune MDM environment.

  • Azure Active Directory with device registration.

  • Network connectivity between the HySecure gateway and Microsoft Intune.

  • Understanding of Entra Device ID attributes.

Platform Support

Supported Clients

Platform                 | Minimum Version       | MDM Support
-------------------------|-----------------------|------------------------------
Windows Workspace Client | 7.2.0.10xx and above  | Full Support
Mac Workspace Client     | 7.0.1.1101 and above  | Full Support
Other Platforms          | Various               | Requires Bypass Configuration

Platform Limitations

  • Mobile Clients: iOS and Android require bypass configuration.

  • Linux Client: Linux-based clients must be bypassed.

  • Legacy Clients: Older client versions must be bypassed.

  • Browser Access: HyLite portal requires a separate bypass configuration.

Part 1: Azure AD App Configuration

Register the HySecure Gateway as an application in Azure AD and grant it the API permissions it needs to query Microsoft Intune.

Part 2: Configure External Authentication

Step 1: Access External Authentication Settings

  1. Log in to HySecure Management Console

    • Log in as Security Officer.

    • Navigate to Settings > Services Config > External Authentication.

  2. Access General Configuration

    • Locate the General Configuration section.

    • Prepare Microsoft Intune connection details.

Step 2: Configure MDM Integration Settings

  1. Set External Authentication Type

    • External Authentication Type: Select Device Approval.

    • Device Approval Mode: Choose MDM as the approval mode.

    • Select MDM Provider: Choose Microsoft Intune.

  2. Configure Endpoint Details

    • Endpoint URL: Enter Microsoft Intune's API URL.

    • Endpoint API Version: Select 1 (API version).

    • Search Attribute: Choose Entra Device ID.

  3. Set Connection Parameters

    • Read Timeout (Secs): Set the timeout for receiving data over an established connection.

    • Connection Timeout (Secs): Set the timeout for establishing the connection.

    • Recommended Values: Read Timeout: 30, Connection Timeout: 15.

Step 3: Configure Authentication Settings

  1. Select Authentication Type

    • None: Connection without authentication (testing only).

    • Basic: Recommended for production environments.

  2. Configure Basic Authentication (Recommended)

    • MDM Client ID: Enter Azure AD App's Client ID.

    • Client Secret: Enter Azure AD App's Client Secret.

    • Tenant ID: Enter Azure Active Directory Tenant ID.

  3. Test and Save Configuration

    • Click Test Connection to verify configuration.

    • Verify successful connectivity to Microsoft Intune.

    • Click Submit to save configuration.
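
The Test Connection check above can be reproduced outside the console to confirm that the tenant ID, client ID, client secret and Entra Device ID values work together. The script below is an added example, not HySecure's or Accops' code; it assumes the gateway's Intune backend is Microsoft Graph (a client-credentials token from Entra ID, then the managedDevices collection filtered on azureADDeviceId), which the page does not state, and every credential and device value in it is a constructed placeholder.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed placeholders; the real values come from the Azure AD app registered in Part 1.
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "tenant-placeholder", "client-id-placeholder", "secret-placeholder"
CONNECT_TIMEOUT_SECS, READ_TIMEOUT_SECS = 15, 30  # the page's recommended timeouts
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Assumed backend: Graph managedDevices (app permission DeviceManagementManagedDevices.Read.All).
DEVICES_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (URL, form body) for the app registration."""
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default"})
    return url, body.encode()

def device_lookup_url(entra_device_id):
    """Graph query on the page's Search Attribute; the ID must be a GUID so it cannot alter the filter."""
    if not GUID_RE.fullmatch(entra_device_id):
        raise ValueError("Entra Device ID must be a GUID")
    flt = urllib.parse.quote(f"azureADDeviceId eq '{entra_device_id}'", safe="")
    return f"{DEVICES_URL}?$filter={flt}&$select=id,deviceName,azureADDeviceId"

def approval_decision(graph_response, entra_device_id):
    """Approve only when exactly one enrolled Intune device carries the requested ID."""
    matches = [d for d in graph_response.get("value", [])
               if d.get("azureADDeviceId", "").lower() == entra_device_id.lower()]
    if len(matches) != 1:
        return False, f"{len(matches)} Intune device(s) matched"
    return True, f"registered as {matches[0].get('deviceName', '<unnamed>')}"

def check_device(entra_device_id):
    """Live check (needs network): token, then device query, then the decision."""
    url, body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    with urllib.request.urlopen(urllib.request.Request(url, data=body),
                                timeout=CONNECT_TIMEOUT_SECS) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(device_lookup_url(entra_device_id),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=READ_TIMEOUT_SECS) as resp:
        return approval_decision(json.load(resp), entra_device_id)

# Constructed sample shaped like a Graph managedDevices page, for offline checks.
SAMPLE_RESPONSE = {"value": [{"id": "constructed-1", "deviceName": "LAPTOP-CONSTRUCTED",
                              "azureADDeviceId": "11111111-2222-3333-4444-555555555555"}]}
```

urllib applies a single socket timeout per request, so the connect and read values are used per call here rather than as the two separate limits the console exposes. A result of False from approval_decision is the case the gateway logs as a device denial.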

Part 3: Create Device ID Access Control

Step 1: Open the Access Control Configuration

  1. Navigate to ACL Policies

    • Log in to the HySecure management console as Security Officer/Administrator.

    • Navigate to Policies > ACL.

    • Create a new Device ID policy or modify an existing one.

  2. Configure Basic ACL Settings

    • Access Control Name: Provide a descriptive name (e.g., "Intune MDM Device Approval").

    • Description: Enter a detailed description of the policy’s purpose.

    • Access Control Type: Select Device ID.

Step 2: Configure Device ID Policy Parameters

  1. Set Device Parameter

    • Device Parameter: Select Device ID.

    • Enable External Authentication: Check this option.

    • Authentication Server: Choose Microsoft Intune from the dropdown.

  2. Configure External Authentication Settings

    • Locate Authentication with External Server section.

    • Configure device authentication frequency based on requirements.

Step 3: Set Authentication Frequency

Choose one of the following authentication frequencies:

Option A: Check on Every Login

  • Use Case: Maximum security with real-time validation.

  • Behavior: Authenticates device with MDM server at every login.

  • Performance: Higher network usage, slower login times.

  • Security: Highest level of device validation.

Option B: Check for New Device

  • Use Case: Balanced security and performance.

  • Behavior: Authenticates only new devices with the MDM server.

  • Performance: Reduced network usage, faster subsequent logins.

  • Security: Device approval based on device status in HySecure.

Configuration:

  • Select an appropriate frequency option.

  • Click Submit to save ACL configuration.

Monitor Authentication Flow

Log Information Includes:

  • Authentication success/failure events.

  • Device approval/denial decisions.

Accessing Logs:

  1. Navigate to Reports > Logs > Activity Logs.

  2. Filter the logs for devices approved by the external authenticator.

  3. Review device approval workflow.

  4. Monitor for authentication patterns.

Platform Bypass Configuration

Unsupported Platform Handling

Platforms Requiring Bypass:

  • iOS mobile devices

  • Android mobile devices

  • Linux-based devices

  • Legacy client versions

  • Browser-based access (HyLite portal)

Browser Access Bypass

HyLite Portal Considerations:

  • MDM validation is not supported for browser access.

  • Contact Accops support for bypass configuration.

  • Backend configuration is required for the HyLite portal exemption.

HySecure Connectivity Test:

  1. Check external authentication configuration.

  2. Test connection to Microsoft Intune endpoint.

  3. Verify authentication credentials.

  4. Review connection timeout settings.

Note

  • Ensure stable network connectivity to Microsoft Intune.

  • Monitor the Azure AD app credential expiration regularly.

  • Test configuration changes in a non-production environment.

Contact Support: support@accops.com for integration assistance.