We are in the process of moving form AD to AzureAD only joined Windows 10 & JAMF/AzureAD managed MacOS Devices.
We have implemented some WGCS policies that restrict access based on the user's AD group.
If we move off AD as our primary directory what options do we have to be able to apply group based access rules in MWGS?
Similar journey and questions here. Documentation appears to be non-existent which is super-frustrating. I have a support case open about configuring MWG/WGCS in hybrid mode to read groups from AzureAD. Not got it working yet but I am hopefully close. In a nutshell - create an AAD app registration, create a corresponding AAD authentication profile in MWG, create a rule to do AAD group lookup, sync to cloud. If i get it working i will post back here.
This really should be documented by McAfee - step by step, clear instructions for busy plate-spinning IT Administrators that do not involve creating a support ticket and spending months arguing about whether it requires a Professional Services engagement or not......
As for MacOS I came here to post something similar - Intune-enrolled MacOS with managed appleID linked to AAD account (probably irrelevant). Company portal providing SSO for all the MS bits. McAfee Agent installed and connected to ePO, MCP deployed via MA, policy applied etc. from ePO. I can see redirection is working to WGCS as i get blocked if i go to something obvious such as an adult site. But I don't see a block page like I do from Windows. I do have the SSL inspection cert deployed via Intune sat in keychain. WGCS will presumably be unable to auth me based on Windows user, as MCP is not providing a Windows user name 🙂 But without the custom block page I can't see what is going on 😞
I am guessing using SAML auth with the MacOS devices and MCP is probably the way to go, although not sure what the user experience will be. Perhaps the Company Portal sso feature can be used to provide SSO? Hoping for some good replies to this thread!
Been working on this over the past couple of week.
the new SAML auth branch is there and I have tried following the doco to set up the SAML but its still not working!
It also looks like any use of SAML will require the user to enter their email address when they open the browser, not a great user experience.
Hoping someone else has had some success and can share their thoughts?
I have raised a Product Enhancement Request for this to support account replication form AzuereAD
Please uptick Kudos so we can get this supported!
As a quick update on this from our side.
As AzureAD joined machines do not provide the group membership and SAML will only work for the browser contexts in which the SAML auth has been provided we have had to:
1) Develop a script to pull the usernames of all users in the AD groups
2) Create a list in MVision Web Policy and upload the list of AD users from the script
3) Use this list of usernames for the access policy as well as the groups - NOTE: as the ruleset scope applies an AND if more than one type is used we have had to customise the scope code to treat the list of users and list of groups as an OR
4) Regularly (weekly currently) rerun the user upload process as we cannot access the API for lsit management - NOTE: we have submitted a request through our account team to access the List management APIS... these really should be provided to all customers if McAfee is not going to provide other automated means to do this.