1️⃣ Microsoft Intune Integration
Presented by: Abhi Das, Kayla Handy, Noelle Gotthardt, Dave Randall
Originally aired on August 4, 2023 @ 3:00 AM - 3:30 AM EDT
Join our product and engineering teams as they discuss what products have shipped today during Cloudflare One Week!
Read the blog posts:
Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
English
Transcript (Beta)
Hi everyone. Welcome to Cloudflare TV. Just a quick introduction.
We have Dave Randall, senior PM from Microsoft Endpoint Manager and Intune, we have Noelle Gotthardt from the Product Management Team at Cloudflare, we have Kayla Handy from the Systems Engineering Team from Cloudflare, and myself, Abhi Das, from the Special Projects Team at Cloudflare.
Just as a quick background for the companies and product, Cloudflare is fundamentally a network.
We started building a network of data centers present in 250 plus cities around the globe.
It brings together Zero Trust services, application services, network security services and developer services built on that network and the edge.
It's also built using our own developer platform for unparalleled cost efficiency and pace of innovation.
On the other hand, Microsoft, everyone knows Microsoft, but Microsoft Endpoint Manager specifically helps deliver the modern workplace and modern management to keep your devices and data secure.
Whether those devices are in the cloud or on premises.
Endpoint Manager also includes services and tools that you use to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices and servers.
So topic for today.
As you know, all our lives have been so boring for the past three, two or three years, nothing has changed.
And so jokes apart, today, employees are highly mobile, no longer residing inside an office, protected by a secure perimeter.
The fundamental shift that has happened is where and how people work has caused enterprises to rethink legacy tools like VPNs or hardware boxes, and has caused them to move away from the traditional castle-and-moat approach to a more Zero Trust model of security.
So in this context, we are very, very excited to announce our latest integration today with Microsoft Intune.
The integration combines the power of Cloudflare's expansive network and Zero Trust suite with the power of Microsoft Intune.
So let's kick it off.
Maybe you can start with Noelle, our Product Management Team here.
Can you walk us through, Noelle, what is Zero Trust in general?
We keep hearing this term point everywhere and why it is important these days.
Yeah, that's a great question and we actually get asked it a lot of the time and so it's it's fun to be able to deliver the answer and share about what Zero Trust is.
So, the original concept and the model that security was built around is the idea of the castle and the moat.
You put all of your valuable corporate assets inside the castle, and then your firewall is the moat that you create to protect your castle and keep everything malicious out and keep everything protected that's inside.
And then when you want to let someone access some of those assets, you poke a hole in the network with a VPN and you basically create a drawbridge over the moat to get into your network.
But there's actually quite a lot of challenges that this presents from both security and performance.
So the first challenge is that once an attacker gets over the drawbridge, then they're free to roam the castle.
And we've seen in many different security attacks and breaches that once someone is into the network, they start poking around and moving laterally.
And so that challenge can be a huge security flaw.
The second challenge is that there's now this rise of cloud in SAS.
So you built this castle with this great firewall around it, and then meanwhile you sort of move over to the SAS model and all of your valuable data isn't even sitting within the castle anymore.
It's not sitting in your private network.
It's off on these cloud providers and so you don't get to protect it yourself.
You're sort of hoping that the castle down the street has really good walls and moats and everything to protect it.
But you don't get to see it or put it into place yourself.
And so that can be kind of scary for many companies.
And ultimately, it sort of takes away from the fact that you're building all of...
you're building this infrastructure to protect data that's not even sitting inside your walls.
And then the third challenge is the rise of this remote workforce.
And so, again, you're sort of building the castle and the moat and then everyone who has to go to work, they used to go inside the castle to do all their work, so they were inside the walls, but now they're all remote.
So not only are your assets not inside the castle, but the people who are accessing them also aren't really inside the castle anymore.
They're not going to their desks and plugging into their Ethernet.
They're connecting remotely.
And so how do you extend all of this, all of these protections to the assets and the people who are no longer sort of going to this physical location and plugging in?
And so the core idea of Zero Trust and what we want to develop a new security model around is how do we make it so that we're extending these perimeters and solidifying them for all of these remote assets, basically.
And so in my mind, for this model and how we sort of draw the comparison with the castle and the moat is I would think about it more of like you get to draw the map of all the resources and where they are.
You have different cloud providers and you have people in different places and you're redrawing the map.
And then anytime that anyone wants to access any of your resources or one of your employees wants to access a resource, you get to verify identity and you get to verify that someone is allowed to access that resource.
So Zero Trust is really about verifying identity on every request and therefore sort of not just naturally trusting, "Hey, you made it inside the castle.
We believe you that you should have access." Instead, it's like, "Okay, well, we don't know where everything is, so we're always going to make sure that you have valid requests and that you properly authenticate before you access anything of ours." Makes sense.
Thank you for clarifying. I guess there's one problem that all of us can sort of relate to in terms of working from home.
So in that same context, where does Cloudflare Access and Gateway fall in and how do we approach Zero Trust in the context of this change?
Great question.
So Cloudflare Access was actually sort of how we started out in the Zero Trust space, and it actually was one of the products that Cloudflare built to solve one of our own problems and then turned into a product because it helped so many other companies.
And so it was really our modern VPN replacement.
Sort of mentioning before, VPN pokes a hole into your network and then routes traffic back and forth.
And once it sort of is inside the network, there's not a lot of protections inside.
And so, again, as we sort of redraw that map, access is effectively the bouncer that sits in front of every door to access your resources.
So if I want to go to a SAS tool that's behind a company's Access, then I have to verify with Access that I have the right identity and then it can also verify, it can use hard key authentication as well as device posture authentication to make sure that I have the proper identity and device posture, to make sure that I can access company resources.
So basically, Access is the bouncer to protect the things that you want to protect as a company.
Meanwhile, Gateway really is the bodyguard that you are putting with each employee.
So employees are now remote and they're going to start accessing different things, they're going to start trying to get to corporate resources.
And so you want to make sure that all of the traffic that reaches your employee is safe and is not malicious and you're trying to protect them as they're sort of out remotely.
And so how do you do that? So Gateway collects all of that traffic and it verifies that it's supposed to be going towards your employee and makes sure that nothing harmful's reaching it.
And so it filters all of that traffic that is trying to reach your corporate device and over all ports and protocols, makes sure that your device is protected.
And then I think the last thing you sort of mentioned is how do we really approach Zero Trust overall?
And I think that kind of goes back to that first part that you asked me is, like or the first part that I mentioned is that we built our Access product to solve a problem that we had.
And I think that Zero Trust is really about solving customer problems. We heard problems that companies didn't really like VPNs.
They're slow, they require a lot of back calling of traffic, they're not the most secure.
How do we build something that makes these problems easier?
And then the same with Gateway.
We had companies who wanted to protect their remote resources.
How do they do that more efficiently?
And so we really think of Zero Trust as like, in this growing environment of SAS and remote work, how do we continue to validate identity and provide solutions that solve these problems for teams?
Thank you for clarifying.
Super interesting.
So maybe Dave, moving over to you.
So Microsoft is a huge company, billions of dollars of revenue, one of the largest cloud providers in the space.
I was curious, how does Microsoft view Zero Trust in general and where does Microsoft Endpoint Manager or Intune fit in that story?
Yeah, good question Abhi.
So Microsoft's really been supporting the Zero Trust story for several years now.
And in fact, Intune was one of the first offerings from Microsoft that incorporated device posture as a key criteria for conditional access.
And conditional access is part of Microsoft's technology to verify explicitly, which is, of course, one of the three guiding principles of Zero Trust.
And we all recognize that the shift to remote work was monumental in 2020.
Although many people have returned to the office, the Zero Trust principles and those who had either adopted Zero Trust technologies or were on their way, were in a much better position to support both office-based and remote work.
And it's not just the fact that users were outside the corporate network.
The risks still exist around identity, device health and, of course, enforcing least privilege.
So using tools to manage your devices such as Intune can help with both device health and compliance.
Keeping both applications and the operating system up to date is pretty straightforward with Intune, but you can couple that with a Cloudflare Access to prevent devices that have out-of-date operating systems or apps that may contain CVIs from accessing your corporate resources until they're remediated.
Now, also, from an identity perspective, just simply enabling MFA, or multi-factor authentication, can reduce the effectiveness of identity attacks by about 99%.
And beyond MFA, identity-based risk posture criteria can also contribute to risk signals for conditional access or for Cloudflare access.
At this point, let me say a little bit about partners.
Now we know that Microsoft customers adopt a variety of technologies based on their own organization's requirements, and not all those solutions are Microsoft, which is fine.
And in order to meet customers where they are on their security journey, the Microsoft Intelligent Security Alliance, or MISA, was formed to acknowledge and support the security vendors that integrate deeply with Microsoft products.
So I'm really excited that Cloudflare is part of MISA and plays a key role in helping customers with their Zero Trust journey.
Now, I know I've mentioned Microsoft's Conditional Access a couple of times, but I also want to recognize that Cloudflare Access customers can take advantage of many of the same device risk and identity risk signals for their managed devices or identities.
Thank you for clarifying, Dave.
Super interesting and great to see sort of that one plus one equals three synergy here.
So on that same note, what sort of prevalent customer use cases that you are seeing from an Intune standpoint, especially in the past two, three years, changes?
Yeah.
So thanks for asking. Several years back, you know, Intune was primarily seen as an MDM, or a mobile device manager.
The mobility teams were used to controlling company data access using Exchange ActiveSync, if you remember that, and they needed more robust tooling.
And so Intune really has its roots in the traditional MDM space and that certainly continues to be a primary use case for customers.
Now that said, customers have also been managing their Windows fleet, primarily using configuration manager.
But again, remote work has moved many Windows devices away from the corporate network into home locations or connecting to risky networks that really shouldn't be trusted.
Secondly, I won't say that BYOD is relatively new. It's not a new term anymore.
But if you think back to the start of 2020, enterprises really needed to onboard a lot more personal devices because users wanted more flexibility in getting remote work done.
So Intune's MAM, or Mobile Application Management, without enrollment provided enterprises with better application protection controls for users' personal devices accessing company resources.
So I'd say that's kind of use case number two.
And then thirdly, beyond both MDM and MAM, of course, the security landscape continues to evolve with new threats and new vulnerabilities, and customers really need visibility to security-related information alongside their device health and device configuration settings.
Visibility to telemetry and security signals alongside their device information helps inform IT professionals and it really arms them with the information needed to respond to devices that have fallen out of compliance for whatever reason.
So this use case continues to be critical to customer security story today. Awesome.
Thank you for walking us through, Dave. Yeah.
So we have been all talking about the integration and now maybe let's move to Kayla, who actually built this integration.
So Kayla, do you want to sort of walk us through the dashboard of how it looks like and what kind of use case is covered?
Yeah, of course.
So I'll talk a little bit about how we designed this system from a technical perspective, and then we'll take a tour of the Zero Trust dashboard so you can kind of see it in action.
So a bit of a history lesson.
We started with device postures, but we basically started with basic device information.
So think in this scenario, you would have your employees register their devices with a work team and those devices would send us information about themselves.
So think Mac address, serial number, just kind of basic device information.
And then as an admin, you could write a device posture rule based on that device information.
So for instance, I have ten employees.
I have a list of the ten serial numbers that I know are their computers.
Only allow access to this tool for these ten serial numbers.
So that would kind of be an example of that.
Like Dave mentioned earlier, we also know that our customers have a variety of technologies in their security arsenal based on their organization's history and their requirements and such, so we decided to build deeper integrations with some of these third party providers, such as Microsoft Endpoint Manager.
And this allows us to get information about a device from that third party, that maybe only that third party knows, and then an admin can write a device posture role on our side using that information.
So in this instance, say your company is integrated with Intune, so you would have all of your devices, all of your employees' devices registered with Intune.
You'd also have them registered with a WARP team. And then we would call out to the Intune API, get the device information for all of your employees, and then evaluate the device posture rule based on the information we got from Intune.
So to get into some of the more nitty-gritty tech details about this integration, it is built off of Cloudflare Worker.
Not sure how familiar you are with Cloudflare Workers, but they're a great product.
It literally took us just a matter of days to get this up and into prod. So this Cloudflare Worker serves as a background processor and it periodically takes the third party credentials that we have stored and it calls out, that an admin has provided to us previously.
And then we call out to that third-party service like Intune using those credentials based on that account, on behalf of that account.
And so we call out to them and we're like, Hey, give us all the devices that you have for this account.
And then we reach into our own database of devices and we match them based on a common field.
For Intune, it's serial number, I think actually for all of our integrations so far it's serial number, but it could be a different field as long as it matches in both databases.
So we reach out, we find all the matches, and then we send the device information from the matches to our existing posture worker, which goes through the normal flow of pulling all of the device posture rules from Workers KV.
And then we evaluate those rules for each device and then store the results of those checks.
So whether that device passed or failed that check and should be allowed access or not.
So I'm going to share my screen and we can get into a bit of a real-world demo so you can see what it looks like from the UI.
So this is the Zero Trust dashboard and this is how it looks.
So this is the home screen.
You would come over here to the Settings and down to Devices and then down here to Device posture providers and you would add a new one.
So in this case, we'd be adding Microsoft Endpoint Manager.
It takes you over here. And this, the right-hand side of the screen gives you all the information how to pull these fields that we need to create the integration on your behalf.
So in this case, we need the ID, the secret, the customer ID, and then you can also select a polling frequency that tells us how often you want us to reach out to Intune to get refreshed device information.
For the sake of time, I've already created that integration for us just because I didn't want to give away all the secrets and IDs on the screen.
But this would be the one that I created earlier for us.
And you might have noticed this neat little Test button that basically just takes your credentials, calls out to the third-party service, one of their APIs, and make sure that those credentials are valid.
So if you ever think they're expired or your integration isn't working for whatever reason, you can go and make sure, yeah, actually we can reach Intune.
It's not a credentials thing.
So you would create this integration and this is basically just giving us access to call out to this service on your behalf.
And then you can come over here to My Team and Devices and up here in this Device Posture tab.
So the first device postures I was talking about earlier, the basic checks, you can come here and you can see that their application checks, file checks, make sure the firewall is running.
So you have these basic ones and these special third-party integrations come down here in the service provider checks.
So we don't currently have any on this account.
You would come here to add one.
So you can see we've integrated with CrowdStrike and Microsoft Endpoint Manager.
So we would come here and select this one and then just go ahead and create a new rule.
So for Microsoft Endpoint Manager, we grabbed the compliance state field and you would come over here and select that you want all your devices to be compliant and go ahead and save that rule.
And so this will be your rule down here.
So that's you creating the rule, which is all great.
Now you need to apply that rule to access your gateway so it's actually enforced.
So if you want it on an Access application, you'd come over here.
These are just a couple of applications we already have.
So I will just go ahead and add here.
And you can basically come here and add a rule that says. Microsoft Endpoint Manager, and then you can use the rule that you just created, and that's for an Access application.
If you want to add it to Gateway, come over here to the Gateway Policies.
So let's say we want to add it to an HTTP policy.
You'll come over here and in the Build an Expression block, there is a field called Passed Device Posture Checks, and this would basically be ensuring that, and that would be the rule we created, that any devices accessing that you're putting behind this policy have passed this device posture check.
Another thing that we have added, which I'll just point out real quick.
Let's do it on this dashboard, because this is actually...
So we'll search for my device real quick.
So we knew when we created these device postures that admins, that sometimes they would fail, and admins are going to need to know this information.
So in the Device Details view, you can actually come down here and see which device posture checks your device has passed and which ones it's failed.
And so you can see this one I passed.
Given that you needed an operator or a version greater than 10.1.5, and I do have that.
And then you can see here that I failed this test because we needed this to be running and mine's false.
So this is the value from the device and this is what the rule is actually calling for.
So you can see that's why I failed, because that value is wrong. And then you'll see the integration device posture checks down here and you'll see the same kind of instance.
If it was "This rule was not checked" it was probably because this device is not actually registered with Intune yet.
So that's a kind of cool little check so you can self serve and know which devices passed and which ones failed and kind of figure out that knowledge.
So that's a bit from our dashboard.
Super cool.
It looks so intuitive, you know, meaning the labeling and everything looks so understandable.
Normally you would imagine that these are very complicated processes only that we can understand.
So that was pretty cool to see.
I also wanted to check how easy the Graph API that you mentioned was to integrate because normally a lot of complexities when you are kind of integrating between two APIs, between two different organizations.
Maybe, Kayla, you can start and Dave, you can jump in if there's any details.
Yeah, sure.
So it actually was super easy for us. We built a couple of integrations before and we built it using Cloudflare Workers to be reusable because we knew we were going to have several integrations down the line that our customers were going to request.
But the Graph API, we just plug and play and we were able to get that up and running in prod and just a couple of days.
And it was great that the Graph API and our device database both have the serial number in common.
So it's, as long as you have that common field, then we're able to use the API seamlessly.
Yeah.
I'm really glad that worked easily for you Kayla. I know one of the things that we do is the entire Microsoft Graph Schema is published.
And I noticed when you're pulling down the dropdown value for all of the different compliance reasons, that can be dynamically updated on our side and you'll automatically be able to pick up those new values.
So one of the core tenets of our Graph API for Intune is that anything that you can do in the UI and by the UI, I mean in this case the Intune console, you have an API that sits behind that.
So even though the compliance information is available in the Intune console, partners like Cloudflare also have an API to be able to get visibility to exactly that same information and pull it programmatically.
So customers of both Microsoft Intune and Cloudflare also have those same APIs available.
And I'm glad it was easy for the integration to happen because customers can use that for their own automation or reporting as well, so that they can extend their own internal business processes to grab information from Intune, to couple that exactly with the type of integration that you've got.
Sounds great.
So along the same path, what do you think is sort of ahead of this integration, meaning what else we can do in the future or for the audience who are listening, what they should be looking for?
So Kayla, maybe you can start and then Dave, if you could jump in if there's any details.
Sure.
So as far as this specific integration, as you can see from the dashboard demo, we have rules based on compliance state right now.
Intune obviously has a bunch of different fields and so if there's any field that is relevant to you, that a customer would like, just reach out to us, tell us your use case, and it's easy enough for us to incorporate that as long as customers want it.
So for this specific integration, that would be a great path forward.
A couple of future optimizations, as far as all of our third-party integrations, are to incorporate like a smart polling interval and to further integrate with our in-house notification service.
So you saw in the demo that you could specify how often you wanted our API to reach out to the Intune API, but based on the rate limit for that API and how many devices you have, because we utilize batching and everything, but if you have a million devices, then we can't poll Intune every one minute.
So kind of doing back-of-the-napkin math, even as devices come online, that you don't have to change that polling interval yourself, we can do the math for you so that you stay within the rate limit for that 24-hour period or whatever the rate limit happens to be for that API.
And another thing is we have a notification service we would like to hook into more so that we can alert you if, say, a certain threshold like number of your devices are not compliant, if your credentials are bad.
Instead of using that test button where you have to manually click it, we can tell you, Hey, none of these are going to work because we can't reach that API any longer.
So we would like to incorporate further with that service.
And from my perspective, like Kayla said in the very beginning, of new capabilities, there's a lot of data that's stored about individual devices, inventory information.
And so I would encourage you, if you're an Intune customer, to think about the specific information that's critical for you to understand the security posture of your device, or if you have other criteria, and forward those on to Cloudflare, because we do have the ability to retrieve that information dynamically for all the devices, or done on-polling exactly the way that the integration is done.
So I think those are great opportunities for growth in this integration.
Sounds good.
Seems like we've covered a lot of ground in a short time, and I feel like we're kind of reaching towards the end of the slot.
So just a quick few housekeeping item.
Feel free to check out the Intune blog that we released today at the Cloudflare blog, just Google Intune and Cloudflare blog.
You will find the first link, read the blog and if you're already a joint customer, try it out and kind of feel it out how the integration looks to you.
Also at the end of the blog, there's a form.
Feel free to put in any sort of additional integration or any other feedback that Dave was mentioning that you might have or any other integration that we can do in general with Microsoft would be very helpful as well.
And in addition to that, we have not just Intune integration, we have a bunch of other integrations with Microsoft.
Just Google Microsoft and Cloudflare. You'll get a tech partnership page with Microsoft, which lists all the integrations with Microsoft in general, along with detailed docs and blogs on that page.
So feel free to check it out. But I think that's it.
Sort of reaching towards the end of our slot here.
I wanted to thank everyone here for taking the time and walking our audience through the details of this integration and this exciting launch.
Thank you, everyone.
Thank you Abhi, for hosting.
Bye.