Microsoft Endpoint Manager
|Operating systems||WARP mode required||Zero Trust plans|
|macOS, Windows, Linux||WARP with Gateway||All plans|
Cloudflare Zero Trust can integrate with Microsoft Endpoint Manager and Intune to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.
Device posture with Microsoft Endpoint Manager requires:
- An Intune license
- Microsoft Endpoint Manager managing the device
- Cloudflare WARP client deployed on the device
1. Obtain Microsoft Graph settings
The following values are required:
- Client secret
- Application (client) ID
- Direct (tenant) ID
To retrieve those values:
- Log in to your Microsoft Dashboard.
- Go to App Registrations and select New Registrations.
- Copy the
Application (client) IDvalue to a safe place. This will be your Client ID.
- Copy the
Directory (tenant) IDvalue to a safe place. This will be your Customer ID.
- Go to Certificates & Secrets and select New client secret.
- Fill in a description and how long the secret should be valid.
- After completing the form, immediately copy the resulting secret. This will be your Client Secret.
- Go to API Permissions and select Add permission.
- Select Microsoft Graph.
- Select Application permissions.
- If the permission status shows Not granted, select Grant admin consent.
2. Add Intune as a service provider
- Go to Settings > WARP Client.
- Scroll down to Device posture providers and select Add new.
- Select Microsoft Endpoint Manager.
- Give your provider a name. This name will be used throughout the dashboard to reference this connection.
- Enter the Client ID, Client secret and Customer ID as you noted down above.
- Select a polling frequency for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
- Select Save.
3. Configure the posture check
- In Zero Trust, go to Settings > WARP Client > Service provider checks.
- Select Add new.
- Select the Microsoft Endpoint Manager provider.
- Configure a device posture check and enter any name.
- Select Save.
Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.
Device posture attributes
The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft’s ComplianceState and List managedDevices documentation for a list of properties returned by the API.
To learn more about how to control ComplianceState, refer to Microsoft’s compliance policies guide.