This article describes how to block unsanctioned cloud apps on Intune-managed devices by combining MDATP (Microsoft Defender Advanced Threat Protection) and MCAS (Microsoft Cloud App Security).
Situation:
- Azure AD Joined MEM Intune managed devices
- Devices are enrolled in Microsoft Defender Advanced Threat Protection
- Microsoft Cloud App Security is enabled
Target:
- We want to block access to unsanctioned apps; for demo purposes I chose Twitch.tv
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender ATP.
- Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
More info on MDATP here.
Moving to the cloud increases flexibility for employees and IT alike. However, it also introduces new challenges and complexities for keeping your organization secure. To get the full benefit of cloud apps and services, an IT team must find the right balance of supporting access while maintaining control to protect critical data. Microsoft Cloud App Security is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.
- Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 16,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.
- Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real-time across all your cloud apps.
- Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.
- Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.
More info on MCAS here.
1. Configure MDATP
Navigate to the Microsoft Defender Security Center. Click on Settings.
Click on ‘Advanced Features’. Turn ‘Custom network indicators’ on and turn ‘Microsoft Cloud App Security’ on. The first setting is what allows URL and domain indicators (including the ones MCAS will push for unsanctioned apps) to be enforced on the endpoints; the second connects the two services so MCAS can read the MDATP network traffic data and write those indicators back.
2. Configure MCAS
Navigate to the Cloud App Security dashboard. Click on ‘Settings’.
Click on ‘Settings’ again.
Click on ‘Microsoft Defender ATP’, and select ‘Block unsanctioned apps’.
Click on ‘Discover’, and then click on ‘Discovered apps’. Search for ‘Twitch’. Click on ‘Tag as unsanctioned’.
3. Configure MEM Intune (MDATP configuration profiles)
There are some prerequisites that have to be met. More info here. In short, prerequisites are:
- Microsoft Cloud App Security license
- Microsoft Defender ATP license
- Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions
- Windows Defender Antivirus
Navigate to the MEM Intune dashboard. Click on ‘Devices’, then on ‘Configuration profiles’ and at last click on ‘Create profile’.
Give your profile a name, choose ‘Windows 10 and later’ as platform and ‘Device restrictions’ as profile type.
Click on ‘Microsoft Defender SmartScreen’ and apply the settings as in the screenshot below.
Click on ‘Microsoft Defender Antivirus’ and apply the settings marked in the screenshot below.
Now let’s create another profile. Click on ‘Devices’, then on ‘Configuration profiles’ and at last click on ‘Create profile’.
Give your profile a name, choose ‘Windows 10 and later’ as platform and ‘Endpoint protection’ as profile type.
Click on ‘Microsoft Defender Exploit Guard’, then on ‘Network Filtering’ and set ‘Network protection’ to ‘Enable’. This is the setting that actually enforces the block: the indicators MCAS hands to MDATP are applied on the device by network protection, so in ‘Audit’ mode you would only get an audit event and the site would still load.
4. Now let’s test it!
Open the site https://www.twitch.tv in different browsers. You’ll see it gets blocked in all of them, because network protection works at the operating-system level rather than as a browser extension. The indicator first has to sync from MCAS to MDATP and from there to the device, so allow some time after tagging the app before expecting the block.
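To check on the device itself that the Intune profiles and the MDATP onboarding landed as intended, and to see the block being recorded, the following PowerShell can be run in an elevated prompt on the test machine. This is an added example and not part of the original article; it only uses the built-in Defender cmdlets, the Sense/WinDefend services, the documented MDATP onboarding registry key and the documented network protection event IDs (1125 audit, 1126 block).

```powershell
# Added example (not from the original article): verify the endpoint state that
# steps 1-3 are supposed to produce, then show the network protection block event.
# Run in an elevated PowerShell prompt on an onboarded Windows 10 device.

# 1. Network protection must be Enabled (1). 0 = Disabled, 2 = Audit mode (no block).
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$npMode = switch ($pref.EnableNetworkProtection) {
    0 { 'Disabled' }
    1 { 'Enabled' }
    2 { 'Audit' }
    default { "Unknown ($($pref.EnableNetworkProtection))" }
}
[pscustomobject]@{
    NetworkProtection  = $npMode
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitor    = $status.BehaviorMonitorEnabled
    EngineVersion      = $status.AMEngineVersion
} | Format-List

# 2. The MDATP sensor service ('Sense') and Defender Antivirus ('WinDefend') must
#    both be running; without Sense the indicators never reach this device.
Get-Service -Name Sense, WinDefend | Select-Object Name, Status, StartType

# 3. MDATP onboarding state as written by the onboarding package (1 = onboarded).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue |
    Select-Object OnboardingState

# 4. On a lab device without Intune you can switch network protection on directly.
#    On an Intune-managed device leave this to the Endpoint protection profile,
#    otherwise the local setting and policy will fight each other.
# Set-MpPreference -EnableNetworkProtection Enabled

# 5. After browsing to the unsanctioned site, network protection logs event 1126
#    (blocked) or 1125 (audited) in the Defender operational log. Show the latest ones.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the first block reports ‘Audit’ rather than ‘Enabled’, the Intune profile has not applied yet (or applied in audit mode) and you will see 1125 events instead of 1126 while the site still loads; if no 1125/1126 events appear at all after visiting the site, check the Sense service and onboarding state first, since the indicator cannot have reached a device that is not reporting to MDATP.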
Happy testing!