When you configure Device Management for Office 365 with ADFS, the client device is directed to the MVISION Cloud Control Point (Reverse Proxy) either through an IDP or CSP initiated redirection. The MVISION Cloud Control Point interrogates the endpoint system for the required client certificate. The client certificate must be signed by the CA public certificate, which is imported into the MVISION Cloud Access Security Manager. If the Endpoint has the client certificate that is signed by the CA, MVISION Cloud considers the endpoint managed and if the Endpoint does not have the client certificate signed by the CA, MVISION Cloud considers the endpoint unmanaged.
MVISION Cloud proxy validates the certificate to identify the managed and unmanaged device. For a managed device, the proxy instructs the client to go directly to Office 365. For an unmanaged device, MVISION Cloud reverse proxy blocks the notification page.
NOTE: Before you configure Device Management for Office 365 with ADFS, make sure to redirect the traffic to MVISION Cloud. By default, ADFS and Office 365 uses WS-Fed authentication for SSO. To introduce MVISION Cloud in between endpoint and Office 365, you need to modify the settings in ADFS to redirect the traffic to MVISION Cloud for certificate validation.
- Access to functional ADFS SSO setup for Office 365.
- Create a client certificate (public and private) using an internal Certificate Authority or PKI system.
- Distribute the client certificate (Cert+Key) to the customer's managed endpoints via an MDM, GPO, or other package management utility.
- Upload the signing certificate (public only) to the MVISION Cloud Access Security Manager. As an optional step, you can configure the Certificate Revocation List (CRL) URL. This allows the MVISION Cloud Access Control pane to query the CRL and determine if the existing certificates are still valid.
- Access to MVISION Cloud admin tenant and existing Office 365 managed service.
Step 1: Configure ADFS
- Log In to the ADFS server and open ADFS Management.
- Expand the Trust Relationships tab and click Relying Party Trusts.
- Click Microsoft Office 365 Identity Platform and open properties. This option is created by default when you establish SSO with Office 365.
- Go to the Endpoints tab and double click the WS-Federation Passive Endpoints URL and modify the trusted URL:
- To get the URL specific to your tenant, contact MVISION Cloud Support.
- Do not forget to append the “=” symbol towards the end of the new URL. This is an important parameter used to redirect the user to MVISION Cloud.
- To apply the settings, click OK.
NOTE: Before you begin to configure device management settings, verify whether your traffic is being redirected to MVISION Cloud Proxy from ADFS. If your traffic is redirected, then you can start with the next step.
Step 2: Configure Device Management for Office 365 in MVISION Cloud
- Log In to MVISION Cloud as admin.
- Go to Policy > Access Control > Device Management.
- Under Establish Domain, enter the Original Domain as Device.
- Under Device Certificates, activate the Enable Certificate Checks and configure these fields:
- Upload Root Certificate (PEM Format). Browse and upload the CA certificate of MDM or CA authority provided by the customer.
- Maximum chain depth. The chain depth number should be equal to the number of certificates in the chain.
- If you have more than one certificate (Root and intermediates), combine all of them to make a certificate chain.
- You don't have to activate the populated Device ID option only if you are performing the certificate checks and not integrating with MDM.
- Publish tab is required only when you are performing SAML proxy with SAML as an authentication protocol. Portal registration should be turned off when you are performing only Certificate validation.
- Click Save Changes.