
Configure Microsoft Intune MDM Integration for Device Approval

Applies To: Accops Workspace Windows Client 7.2.0.1040 and above

Category: Integration & Device Management

Feature Status: Stable

Overview

This guide explains how to configure Microsoft Intune MDM integration for automatic device approval on HySecure Gateway. The gateway queries Microsoft Intune, through the Microsoft Graph API, for the enrollment and compliance status of the device a user is logging in from, and approves only devices that are both enrolled and compliant. Depending on the policy mode, the check runs at every login or only the first time a device is seen. This replaces manual device approval and enforces the same Intune compliance policies at the gateway that already apply on the endpoint.

Prerequisites

  • Gateway Version: HySecure Gateway 7.1 SP1 and above
  • Client Version: Windows (7.2.0.1040) or Mac (7.0.1.1101) Workspace Client
  • Administrative Access: Security Officer or Administrator access to HySecure Management Console
  • Microsoft Intune Access: Intune Administrator is sufficient for the Intune console steps in Part 1, Step 1; granting tenant-wide admin consent to the Microsoft Graph application permissions in Part 1, Step 2 requires Global Administrator or Privileged Role Administrator
  • Azure AD Integration: Devices enrolled in Microsoft Entra (Azure AD) and Microsoft Intune
  • Network Connectivity: HTTPS connectivity to Microsoft Graph API endpoints
  • Knowledge Requirement: Understanding of Microsoft Intune device management, Azure AD device registration, and HySecure access control policies

Benefits

  • Automated Compliance Enforcement: Device approval based on real-time Intune compliance status eliminates manual review processes
  • Reduced Administrative Overhead: Automatic device registration and approval reduces IT support workload and improves operational efficiency
  • Enhanced Security Posture: Only compliant, enrolled devices can access corporate resources, ensuring consistent security policy enforcement
  • Enterprise Integration: Seamless integration with existing Microsoft 365 environments leverages current identity and device management investments

Microsoft Intune Integration Components

Device Compliance Validation

  • Description: Real-time verification of device compliance status against Microsoft Intune policies
  • Use Case: Ensure accessing devices meet organizational security standards before gateway access
  • Requirements: Active Intune device enrollment and compliance policies configured

Entra Device ID Authentication

  • Description: Device identification using Microsoft Entra Device IDs for unique device recognition
  • Use Case: Accurate device identification across hybrid and cloud-joined scenarios
  • Requirements: Devices registered with Microsoft Entra (Azure AD) directory

Automated Device Registration

  • Description: Compliant devices automatically appear in HySecure management console without manual intervention
  • Use Case: Streamlined device onboarding for large enterprise deployments
  • Requirements: Proper API connectivity and authentication configuration

Platform Support

Client Platform            Version Requirement   Intune Support Level   Gateway Compatibility
Windows Workspace Client   7.2.0.1040+           Full Support           HySecure 7.1 SP1+
Mac Workspace Client       7.0.1.1101+           Full Support           HySecure 7.1 SP1+
iOS/Android Clients        Any Version           Must Bypass            Not Supported
Linux Clients              Any Version           Must Bypass            Not Supported

A bypassed platform is admitted without any Intune query, so iOS, Android and Linux access is outside this control and must be covered by other HySecure policies.

Procedure Part 1: Microsoft Intune Preparation

Step 1: Verify Intune Device Enrollment

  1. Access the Microsoft Intune admin center
     • Sign in at intune.microsoft.com (formerly endpoint.microsoft.com; also reachable from admin.microsoft.com under Endpoint Manager) with Intune Administrator or Global Administrator credentials
     • Navigate to Devices → All devices to view enrolled devices
  2. Verify device enrollment status
     • Confirm that the target devices show as Enrolled in the Intune console
     • Verify the devices are Azure AD joined or Hybrid Azure AD joined
     • Check that the compliance status shows Compliant for devices that require access
     • Record the Entra Device ID of each device requiring HySecure access; it is shown as Azure AD Device ID (Microsoft Entra Device ID) on the device's overview page and is distinct from the Intune device ID
  3. Configure compliance policies (if not already configured)
     • Navigate to Devices → Compliance policies
     • Create or modify compliance policies for the Windows and macOS platforms
     • Define security requirements: encryption, antivirus, minimum OS version, and so on
     • Assign the policies to the appropriate device groups or to all users

Step 2: Configure Microsoft Graph API Permissions

  1. Register an application in Azure AD (Microsoft Entra ID)
     • Navigate to Azure Portal → Azure Active Directory (Microsoft Entra ID) → App registrations
     • Click New registration and create the application for the HySecure integration
     • Application name: "HySecure-Intune-Integration"
     • Redirect URI: leave blank. The gateway authenticates with a client ID and secret (the client credentials flow), which uses no redirect URI
  2. Configure API permissions
     • Select the registered application and navigate to API permissions
     • Click Add a permission → Microsoft Graph → Application permissions (not Delegated permissions: no user is signed in when the gateway calls Graph)
     • Add the required permissions:
       • Device.Read.All - Read device information
       • DeviceManagementManagedDevices.Read.All - Read Intune managed devices
       • Directory.Read.All - Read directory data for device identification
     • Do not add write permissions; the integration only reads device state
  3. Grant admin consent
     • Click Grant admin consent for [tenant] to approve the permissions
     • Verify all permissions show Status: Granted for [tenant]
     • Note the Application (client) ID and Directory (tenant) ID for the HySecure configuration

Step 3: Generate Client Secret

  1. Create a client secret
     • In the registered application, navigate to Certificates & secrets
     • Click New client secret under the Client secrets section
     • Description: "HySecure Gateway Integration"
     • Expiration: 24 months is the longest lifetime Entra ID allows and the value recommended for production; a shorter lifetime narrows the exposure window if the secret leaks, provided the rotation procedure below is in place
  2. Secure the secret value
     • Critical: copy the secret Value immediately; it is shown once and cannot be retrieved after you leave the page (only the secret's description, ID and expiry remain visible)
     • Store the secret in the organizational password management system
     • Document the expiration date for renewal planning
     • Configure monitoring for secret expiration notifications
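The expiration monitoring called for above can be scripted. The following is an added example, not part of the Accops documentation or product: it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) to list the client secrets on the app registration and flag those near expiry. The app display name and the 30-day warning window are assumptions, and the signed-in admin needs the Application.Read.All scope. Graph returns only secret metadata; the secret value cannot be read back, so renewal always means creating a new secret and updating HySecure with it.

```powershell
# Added example (not Accops' or Microsoft's code). Report the client secrets on the
# HySecure app registration and flag any that expire within the warning window.
# Requires the Microsoft.Graph PowerShell SDK and a signed-in admin with Application.Read.All.
param(
    [string]$AppDisplayName = 'HySecure-Intune-Integration',  # assumption: name used in Part 1, Step 2
    [int]$WarnDays = 30                                        # assumption: renewal lead time
)

Connect-MgGraph -Scopes 'Application.Read.All'

# Display names are not unique in Entra ID, so insist on exactly one match
$app = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -ne 1) {
    throw "Expected one app registration named '$AppDisplayName', found $($app.Count)"
}

$now = [DateTime]::UtcNow
$report = foreach ($cred in $app[0].PasswordCredentials) {
    $daysLeft = [math]::Floor(($cred.EndDateTime - $now).TotalDays)
    [pscustomobject]@{
        Secret   = $cred.DisplayName
        KeyId    = $cred.KeyId
        Expires  = $cred.EndDateTime
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0)              { 'EXPIRED' }
                   elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                   else                             { 'OK' }
    }
}

$report | Sort-Object Expires | Format-Table -AutoSize

# Exit non-zero when action is needed so a scheduled task or monitoring job can alert on it
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from a scheduled task with the exit code wired to your alerting; an EXPIRED entry means the gateway's Graph calls are already failing, which surfaces to users as device approval failures.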

Procedure Part 2: HySecure Gateway Configuration

Step 1: Configure External Authentication

  1. Access the HySecure Management Console
     • Log in as Security Officer or Administrator
     • Navigate to Settings → Services Config → External Authentication
     • Select the General Configuration section
  2. Configure MDM integration settings
     • External Authentication Type: select Device Approval
     • Device Approval Mode: select MDM
     • Select MDM Provider: choose Microsoft Intune
     • Endpoint URL: enter https://graph.microsoft.com
     • Endpoint API Version: select 1 (Microsoft Graph v1.0)
  3. Configure device identification
     • Search Attribute: select Entra Device ID
     • Read Timeout (Secs): 30 seconds (recommended)
     • Connection Timeout (Secs): 10 seconds (recommended)
  4. Configure authentication credentials
     • Authentication Type: select Basic
     • MDM Client ID: enter the Application (client) ID from the Azure AD app registration
     • Client Secret: enter the client secret value created in Azure AD
     • Tenant ID: enter the Directory (tenant) ID from Azure AD
     • Click Submit to save the configuration

Step 2: Test MDM Connectivity

  1. Validate the configuration
     • Use the Test Connection feature if available in the HySecure console
     • Verify successful connectivity to the Microsoft Graph API
     • Confirm the authentication credentials are accepted
     • Check logs for connectivity or authentication errors
  2. Verify device query capability
     • Test a device lookup using a known Entra Device ID
     • Confirm that the compliance status is retrieved from Intune
     • Validate response time and data accuracy
     • Document any connectivity issues for troubleshooting
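Before relying on the gateway's own test, exercise the app registration the way HySecure will use it. The script below is an added example, not Accops' code: it obtains an app-only token with the client-credentials grant (the flow implied by the client ID, secret and tenant ID that HySecure asks for; that mapping is an assumption), checks the token's roles claim for the three application permissions so a missing admin consent shows up here rather than as a login failure, then looks the device up by Entra Device ID in both the directory and Intune and prints the approve/deny outcome the gateway should reach. The tenant, client and device IDs are placeholders, and PowerShell 7 or later is assumed for the secure secret prompt.

```powershell
# Added example (not Accops' code). Exercise the Azure AD app registration the way
# HySecure will use it. Placeholders below are assumptions; replace with your values.
# Requires PowerShell 7+ for the secure prompt.
$TenantId      = '00000000-0000-0000-0000-000000000000'
$ClientId      = '11111111-1111-1111-1111-111111111111'
$EntraDeviceId = '22222222-2222-2222-2222-222222222222'   # from the Intune console or dsregcmd /status
$ClientSecret  = Read-Host -Prompt 'Client secret' -AsSecureString | ConvertFrom-SecureString -AsPlainText

# 1. App-only token via the client-credentials grant (assumed to be what HySecure's
#    client ID + secret + tenant ID configuration performs)
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 2. Decode the JWT payload (base64url) and check the roles claim: it lists exactly the
#    application permissions that were granted admin consent.
$payload  = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
$required = 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All', 'Directory.Read.All'
$missing  = $required | Where-Object { $_ -notin $claims.roles }
if ($missing) { throw "Admin consent not granted for: $($missing -join ', ')" }

# 3. Directory view. The Entra Device ID is the 'deviceId' property, not the object id,
#    so /devices/{id} would return 404; filter instead.
$dev = (Invoke-RestMethod -Headers $headers -Uri ('https://graph.microsoft.com/v1.0/devices' +
        "?`$filter=deviceId eq '$EntraDeviceId'" +
        '&$select=displayName,deviceId,trustType,isManaged,isCompliant')).value
if (-not $dev) { throw "No Entra device object has deviceId $EntraDeviceId" }

# 4. Intune view: enrollment and compliance state for the same device
$mdm = (Invoke-RestMethod -Headers $headers -Uri ('https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
        "?`$filter=azureADDeviceId eq '$EntraDeviceId'" +
        '&$select=deviceName,operatingSystem,complianceState,lastSyncDateTime')).value

# 5. The decision HySecure should reach: enrolled AND compliant => approve
$decision = if (-not $mdm)                                { 'DENY: not enrolled in Intune' }
            elseif ($mdm.complianceState -ne 'compliant') { "DENY: complianceState is $($mdm.complianceState)" }
            else                                          { 'APPROVE' }

[pscustomobject]@{
    DisplayName     = $dev.displayName
    TrustType       = $dev.trustType           # AzureAd = joined, ServerAd = hybrid joined, Workplace = registered
    IntuneEnrolled  = [bool]$mdm
    ComplianceState = $mdm.complianceState
    LastSync        = $mdm.lastSyncDateTime
    Decision        = $decision
}
```

A device that is Azure AD registered only (TrustType Workplace) or that has a stale LastSync is a common cause of an unexpected DENY: Intune evaluates compliance at check-in, so a device that has not synced recently may still carry an old complianceState.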

Procedure Part 3: Device ID Access Control Configuration

Step 1: Create Device ID Access Control Policy

  1. Navigate to ACL configuration
     • Log in to the HySecure Management Console as Security Officer/Administrator
     • Navigate to Policies → ACL
     • Click Add or Create New Policy to create the Device ID policy
  2. Configure basic policy settings
     • Policy Name: enter a descriptive name (e.g., "Intune-Device-Approval-Policy")
     • Policy Type: select Device ID
     • Device Parameter: set to Device ID
     • Policy Description: document the policy purpose and scope
  3. Enable external authentication
     • Check the External Authentication checkbox
     • Authentication Server: select Microsoft Intune from the dropdown; this links the ACL policy to the MDM integration configured in Part 2

Step 2: Configure Authentication Frequency

  1. Select the authentication mode
     • Check on every login: authenticates the device with the MDM server at every login attempt
       • Use Case: maximum assurance for highly sensitive environments; a device that falls out of compliance is refused at its next login
       • Impact: additional latency for each login, higher API usage
     • Check for new device: authenticates only devices the gateway has not seen before
       • Use Case: balanced security and performance for most environments
       • Impact: fewer API calls, faster subsequent logins
       • Caveat: a device that falls out of compliance after its first approval keeps that approval, because the gateway does not query Intune for it again; pair this mode with a periodic review of the approved device list
  2. Configure policy priority
     • Set the policy priority if multiple Device ID policies exist
     • Higher-priority policies are evaluated first during authentication
     • Document policy interaction and evaluation order
  3. Save and activate the policy
     • Click Submit to save the Device ID ACL policy
     • Verify the policy appears in the ACL policy list
     • Test policy activation with a sample device

Step 3: Assign Policy to Users/Groups

  1. User-level assignment
     • Navigate to Users → [Username] → Policies
     • Add the Device ID ACL policy to the user's policy assignments
     • Set policy priority and effective dates if applicable
  2. Group-level assignment (recommended for scale)
     • Navigate to Groups → [Group Name] → Policies
     • Assign the Device ID ACL policy to the appropriate user groups
     • Verify policy inheritance for all group members
     • Document group assignments for audit purposes

Configuration Examples

Example 1: Standard Enterprise Deployment

Configuration:

  • Authentication Mode: Check for new device (balanced approach)
  • Policy Assignment: Applied to "Remote Workers" group
  • Compliance Requirements: Basic security policies (encryption, antivirus, OS updates)
  • Timeout Settings: Read: 30s, Connection: 10s
  • API Permissions: Standard device read permissions

Use Case: Medium to large enterprises with standard security requirements and regular remote access needs

Benefits: Automated device approval with reasonable performance and comprehensive coverage

Example 2: High-Security Environment

Configuration:

  • Authentication Mode: Check on every login (maximum assurance; a compliance change takes effect at the device's next login)
  • Policy Assignment: Applied to "Executive" and "Finance" groups
  • Compliance Requirements: Strict Intune compliance policies (full disk encryption, advanced threat protection, real-time monitoring)
  • Timeout Settings: Read: 15s, Connection: 5s, so that a slow Graph response does not hold up every login; keep both values above the Graph latency measured from the gateway, or compliant devices will fail the check
  • API Permissions: the same three read-only application permissions; the compliance check needs nothing more, and extra permissions only widen the impact of a leaked client secret

Use Case: Financial services, healthcare, or government organizations with strict security requirements

Benefits: Real-time compliance validation with maximum security assurance

Example 3: Hybrid Workforce Model

Configuration:

  • Authentication Mode: Check for new device, combined with a scheduled review of the approved device list (the gateway itself offers only the two modes described in Part 3)
  • Policy Assignment: Separate Device ID policies per user group (for example, contractors vs. employees)
  • Compliance Requirements: Role-specific Intune compliance policies assigned to the matching device groups
  • Timeout Settings: The two timeout fields are static, so set them from the Graph latency measured at the slowest site
  • API Permissions: The same three read-only Graph application permissions as in the other examples

Use Case: Organizations with mixed employee types, contractors, and varying access requirements

Benefits: Flexible policy application with role-based device compliance requirements

Device Enrollment and Login Process

First-Time Device Login

Enrollment Workflow:

  1. Device Compliance Check: User attempts login from Intune-enrolled device
  2. Intune Validation: HySecure queries Microsoft Intune for device compliance status
  3. Compliance Verification: System verifies device enrollment and compliance policy adherence
  4. Automatic Approval: Compliant devices automatically approved and added to HySecure device list
  5. Access Granted: User receives gateway access confirmation

Non-Compliant Device Handling:

  1. Compliance Failure: Non-enrolled or non-compliant device login attempt fails
  2. Manual Review Queue: Device appears in HySecure Devices section for admin review
  3. Admin Notification: Administrators notified of non-compliant device access attempt
  4. Resolution Required: Device must achieve compliance before access approval

Subsequent Logins

Streamlined Authentication:

  • Check for new device mode: a device approved at its first login is admitted without another Intune query, so later logins are fast, but a later change in its compliance state is not seen
  • Check on every login mode: real-time compliance verification for each access attempt
  • Performance: skipping the Intune query for already-approved devices reduces Graph API calls and improves response time; choose the mode by how quickly compliance changes must be enforced at the gateway

Verification and Testing

Integration Testing

  1. Compliant device test
     • Use a known compliant, Intune-enrolled device for the login test
     • Verify successful authentication and automatic device approval
     • Check that the device appears in the HySecure Devices section with the correct compliance status
     • Expected Result: seamless login with automatic device registration
  2. Non-compliant device test
     • Use a device that does not meet the Intune compliance policies
     • Attempt login and verify that access is denied
     • Confirm the device appears in the manual approval queue
     • Expected Result: access denied with a compliance-related error message
  3. Unenrolled device test
     • Use a device that is not enrolled in Microsoft Intune
     • Attempt login and verify system behavior
     • Check error messages and admin notifications
     • Expected Result: access denied with an enrollment requirement notification

API Connectivity Testing

  1. Microsoft Graph API validation
     • Test API connectivity using the configured credentials
     • Verify successful device information retrieval
     • Monitor API response times and error rates
     • Expected Result: consistent API connectivity with acceptable response times
  2. Authentication token management
     • Verify that the gateway obtains an access token with the client credentials
     • Confirm that logins keep succeeding past the token lifetime (roughly an hour): an app-only token comes with no refresh token, so the gateway must request a fresh one when the current one expires
     • Monitor authentication failure rates, in particular after a client secret rotation
     • Expected Result: stable authentication with transparent token renewal

Monitoring and Logging

MDM Integration Event Logging:

  • Successful device approvals: Device ID, compliance status, timestamp, user
  • Failed compliance checks: Device ID, failure reason, compliance issues, timestamp
  • API connectivity issues: Error codes, timeout events, retry attempts
  • Policy application events: User assignments, policy changes, effectiveness

Log Analysis Procedures:

  1. Navigate to HySecure Management Console → Monitoring → External Authentication Logs
  2. Filter by Authentication Type: MDM for Intune-specific events
  3. Analyze device approval success rates and compliance failure patterns
  4. Review API performance metrics and connectivity stability

Performance Monitoring:

  • API response time tracking for Microsoft Graph queries
  • Device compliance check success rates
  • User authentication experience metrics
  • Administrative workload reduction measurements

Security Considerations

API Security

Authentication Security:

  • Client Secret Protection: store the secret in a credential management system; the Azure portal shows it once, and the gateway configuration is then the only other copy
  • Token Management: the gateway obtains short-lived app-only access tokens with the client credentials; no refresh token is involved, so token handling amounts to requesting a new token on expiry
  • API Permissions: apply least privilege. The three permissions above are read-only; Directory.Read.All is the broadest of them (it reads users, groups and other directory objects, not only devices), so confirm that your gateway version needs it before granting it, and never add write permissions
  • Network Security: Microsoft Graph requires TLS 1.2 or later; ensure the gateway's outbound path, proxies included, supports it

Access Control:

  • Service Account Security: a dedicated app registration for this integration, not shared with other Graph consumers
  • Permission Auditing: regular review of the app registration's permissions, consent grants and service principal sign-in logs
  • Credential Rotation: Entra ID allows several secrets on one app registration, so rotate without downtime by adding the new secret, updating HySecure, confirming logins succeed, and then deleting the old secret
  • Activity Monitoring: comprehensive logging of API usage and authentication events, on the gateway (External Authentication Logs) and in Entra ID (service principal sign-ins)

Device Trust Model

Compliance Validation:

  • Real-Time Verification: Current compliance status validation for critical access decisions
  • Policy Consistency: Alignment between Intune compliance policies and organizational security requirements
  • Device Lifecycle: Handling of device enrollment, compliance changes, and decommissioning
  • Trust Boundaries: Clear definition of trusted device criteria and compliance standards

Risk Management:

  • Compliance Drift Detection: Monitoring for devices falling out of compliance
  • Policy Violation Response: Automated actions for non-compliant device access attempts
  • Incident Response: Procedures for handling compromised or suspicious devices
  • Audit Capabilities: Comprehensive device access and compliance audit trails

Troubleshooting

Common Issues:

API Authentication Failures:

  • Issue: HySecure cannot authenticate with Microsoft Graph API
  • Check: Verify client ID, secret, and tenant ID are correctly configured in HySecure
  • Verify: Confirm Azure AD app registration has required API permissions with admin consent
  • Solution: Regenerate client secret and update HySecure configuration; verify API permissions
  • Prevention: Implement client secret expiration monitoring and automated renewal procedures

Device Compliance Check Failures:

  • Issue: Compliant devices showing as non-compliant or failing authentication
  • Check: Verify device enrollment status and compliance policy assignment in Intune
  • Verify: Confirm Entra Device ID matches between Intune and HySecure device records
  • Solution: Re-enroll device in Intune or update compliance policies; sync device records
  • Prevention: Regular compliance policy review and device enrollment status monitoring

Performance Issues with API Calls:

  • Issue: Slow login times or timeouts during device compliance verification
  • Check: Review the Read and Connection timeout values and network connectivity from the gateway to login.microsoftonline.com and graph.microsoft.com
  • Verify: Check Microsoft Graph service health and look for HTTP 429 (throttling) responses in the gateway logs; Graph sends a Retry-After header when it throttles
  • Solution: Raise the timeouts to cover the Graph latency measured from the gateway; if login volume is driving API usage, switch the Device ID policy from Check on every login to Check for new device, accepting that compliance changes are then not seen until re-approval
  • Prevention: Establish API performance baselines and monitoring alerts

Device ID Mismatch Issues:

  • Issue: Devices not recognized due to Entra Device ID discrepancies
  • Check: Compare device IDs between Intune console and HySecure device records
  • Verify: Confirm device registration method (Azure AD join vs. hybrid join)
  • Solution: Re-register device with Azure AD or update device ID mapping
  • Prevention: Standardize device registration procedures and ID management
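The "compare device IDs" and "confirm registration method" checks above can be done from the endpoint itself. The following is an added example, not Accops' code: on a Windows client it parses dsregcmd /status to report the join type and the Entra Device ID the device believes it has, and compares that ID with the value copied from the Intune console or the HySecure device list. It is Windows only (macOS clients have no dsregcmd), and the expected-ID parameter is an assumption for illustration.

```powershell
# Added example (not Accops' code). Read the Entra join state and Device ID that the
# Windows endpoint itself reports, and compare the ID with the value recorded in the
# Intune console or the HySecure device list. dsregcmd /status works in a standard
# (non-elevated) session. Windows only.
function Get-DsregValue {
    param([string[]]$Output, [string]$Name)
    # Lines look like "             AzureAdJoined : YES"; anchoring at the line start keeps
    # "DeviceId" from matching "WorkplaceDeviceId" in the user-state section.
    foreach ($line in $Output) {
        if ($line -match "^\s*$Name\s*:\s*(.*?)\s*$") { return $Matches[1] }
    }
}

function Test-EntraDeviceId {
    param([string]$ExpectedDeviceId)   # optional: value copied from Intune or HySecure
    $out = dsregcmd /status

    $azureAdJoined = (Get-DsregValue $out 'AzureAdJoined')   -eq 'YES'
    $domainJoined  = (Get-DsregValue $out 'DomainJoined')    -eq 'YES'
    $workplace     = (Get-DsregValue $out 'WorkplaceJoined') -eq 'YES'
    $deviceId      = Get-DsregValue $out 'DeviceId'

    # Part 1, Step 1 requires Azure AD joined or Hybrid Azure AD joined devices
    $joinType = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($azureAdJoined)                 { 'Azure AD joined' }
                elseif ($workplace)                     { 'Azure AD registered only' }
                else                                    { 'Not registered with Entra' }

    [pscustomobject]@{
        JoinType      = $joinType
        EntraDeviceId = $deviceId                      # the value HySecure's Search Attribute looks up
        TenantId      = Get-DsregValue $out 'TenantId'
        MdmUrl        = Get-DsregValue $out 'MdmUrl'   # empty when the device is not MDM-enrolled
        MatchesRecord = if ($ExpectedDeviceId) { $deviceId -ieq $ExpectedDeviceId } else { 'n/a' }
    }
}

# Usage: Test-EntraDeviceId -ExpectedDeviceId '<Entra Device ID from the Intune console>'
Test-EntraDeviceId
```

MatchesRecord False with a populated EntraDeviceId usually means the record was taken from the Intune device ID column rather than the Azure AD Device ID; an empty EntraDeviceId means the device is not registered with the tenant at all and must be joined before any Intune compliance can apply.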

Diagnostic Steps

API Connectivity Diagnostics (PowerShell; fill in the tenant, client and Entra Device IDs, and supply the secret from a vault rather than leaving it in the script):

# Acquire an app-only token with the same client credentials configured in HySecure
$tenantId = "your-tenant-id"; $clientId = "your-client-id"; $clientSecret = "your-client-secret"
$token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ grant_type = 'client_credentials'; client_id = $clientId; client_secret = $clientSecret
             scope = 'https://graph.microsoft.com/.default' }
$headers = @{
    'Authorization' = "Bearer $($token.access_token)"
    'Content-Type'  = 'application/json'
}

# Test device query. The Entra Device ID is the deviceId property, not the directory object id,
# so /v1.0/devices/{id} returns 404 for it; filter on deviceId instead.
$deviceId = "your-device-id"
$uri = "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$deviceId'"
(Invoke-RestMethod -Uri $uri -Headers $headers -Method GET).value |
    Select-Object displayName, deviceId, trustType, isManaged, isCompliant

Intune Device Verification:

  1. Device Enrollment Status: Verify in Intune admin center
  2. Compliance Policy Assignment: Check policy application and evaluation
  3. Device Registration: Confirm Azure AD device registration
  4. API Permissions: Validate application permissions and consent

HySecure Configuration Validation:

  • Review external authentication configuration settings
  • Verify Device ID ACL policy creation and assignment
  • Check user/group policy assignments
  • Monitor authentication logs for error patterns

Advanced Configuration

API Integration Optimization

Performance Tuning:

  • Connection Pooling and Retry Logic: connection reuse and retries on transient Graph errors (timeouts, HTTP 429 and 5xx) are properties of the gateway's Graph client rather than console settings; the Read and Connection timeouts in Part 2 are the administrator's lever
  • Response Caching: Check for new device mode is the gateway's caching strategy: an approved device is not re-queried, which trades detection of compliance drift for speed
  • Batch Operations: each login checks a single device, so there is nothing for the administrator to batch

Scalability Considerations:

  • Rate Limiting: Microsoft Graph throttles per application and per tenant and answers HTTP 429 with a Retry-After header; Check on every login mode multiplies call volume by the login rate
  • Load Distribution: Distribute API calls across time periods for large user bases (for example staggered shift logins when Check on every login is in force)
  • Endpoint Selection: graph.microsoft.com is a single global endpoint for the commercial cloud; only national-cloud tenants (for example graph.microsoft.us for US Government) use a different host, and the Endpoint URL configured in Part 2 must match the tenant's cloud
  • Monitoring Integration: Implement comprehensive API usage monitoring

Enterprise Integration

Identity Management Integration:

  • Automated User Provisioning: Link with HR systems for automatic policy assignment
  • Group-Based Policy Management: Dynamic policy assignment based on organizational units
  • Conditional Access Integration: Coordinate with Azure AD conditional access policies
  • Lifecycle Management: Automated device and user lifecycle management

Compliance Automation:

  • Policy Template Management: Standardized compliance policy templates
  • Automated Remediation: Integration with device management tools for compliance correction
  • Reporting and Analytics: Comprehensive compliance reporting and trend analysis
  • Risk Assessment: Integration with security risk assessment and response systems

Multi-Tenant Scenarios

Service Provider Deployments:

  • Tenant Isolation: Separate MDM configurations for different customer tenants
  • Cross-Tenant Authentication: Handling devices across multiple Azure AD tenants
  • Policy Inheritance: Tenant-specific policy templates and customizations
  • Administrative Boundaries: Clear separation of administrative access and responsibilities

Notes

  • Platform Limitations: Currently supported only for Windows (7.2.0.1040+) and Mac (7.0.1.1101+) Workspace clients - other platforms must be bypassed
  • Client Secret Management: Client secrets expire and require periodic renewal - implement monitoring and rotation procedures
  • API Dependencies: Feature functionality depends on Microsoft Graph API availability and proper Azure AD configuration
  • Compliance Policy Alignment: Ensure Intune compliance policies align with organizational security requirements and HySecure access standards