Daniel
Level 11
Message 1 of 5

Configuring MWGS for AzureAD Joined Devices

We are in the process of moving from AD to AzureAD-only joined Windows 10 & JAMF/AzureAD managed MacOS devices.

We have implemented some WGCS policies that restrict access based on the user's AD group.

If we move off AD as our primary directory what options do we have to be able to apply group based access rules in MWGS?

4 Replies
davei
Level 9
Message 2 of 5

Re: Configuring MWGS for AzureAD Joined Devices

Similar journey and questions here. Documentation appears to be non-existent, which is super-frustrating. I have a support case open about configuring MWG/WGCS in hybrid mode to read groups from AzureAD. Not got it working yet but I am hopefully close. In a nutshell: create an AAD app registration, create a corresponding AAD authentication profile in MWG, create a rule to do AAD group lookup, sync to cloud. If I get it working I will post back here.

This really should be documented by McAfee: step-by-step, clear instructions for busy plate-spinning IT administrators that do not involve creating a support ticket and spending months arguing about whether it requires a Professional Services engagement or not...

As for MacOS, I came here to post something similar: Intune-enrolled MacOS with managed Apple ID linked to AAD account (probably irrelevant). Company Portal providing SSO for all the MS bits. McAfee Agent installed and connected to ePO, MCP deployed via MA, policy applied etc. from ePO. I can see redirection is working to WGCS as I get blocked if I go to something obvious such as an adult site. But I don't see a block page like I do from Windows. I do have the SSL inspection cert deployed via Intune sat in keychain. WGCS will presumably be unable to auth me based on Windows user, as MCP is not providing a Windows user name 🙂 But without the custom block page I can't see what is going on 😞

I am guessing using SAML auth with the MacOS devices and MCP is probably the way to go, although not sure what the user experience will be. Perhaps the Company Portal SSO feature can be used to provide SSO? Hoping for some good replies to this thread!

Daniel
Level 11
Message 3 of 5

Re: Configuring MWGS for AzureAD Joined Devices

Been working on this over the past couple of weeks.

The new SAML auth branch is there and I have tried following the doco to set up the SAML, but it's still not working!

It also looks like any use of SAML will require the user to enter their email address when they open the browser, not a great user experience.

Hoping someone else has had some success and can share their thoughts?

Daniel
Level 11
Message 4 of 5

Re: Configuring MWGS for AzureAD Joined Devices

I have raised a Product Enhancement Request for this to support account replication from AzureAD:

https://community.mcafee.com/t5/Unified-Cloud-Edge-Ideas/Unified-Cloud-Edge-Use-AzureAD-or-ADGroup-R...

Please uptick Kudos so we can get this supported!

Daniel
Level 11
Message 5 of 5

Re: Configuring MWGS for AzureAD Joined Devices

As a quick update on this from our side.

As AzureAD joined machines do not provide the group membership, and SAML will only work for the browser contexts in which the SAML auth has been provided, we have had to:

1) Develop a script to pull the usernames of all users in the AD groups

2) Create a list in MVision Web Policy and upload the list of AD users from the script

3) Use this list of usernames for the access policy as well as the groups. NOTE: as the ruleset scope applies an AND if more than one type is used, we have had to customise the scope code to treat the list of users and list of groups as an OR

4) Regularly (weekly currently) rerun the user upload process as we cannot access the API for list management. NOTE: we have submitted a request through our account team to access the List management APIs... these really should be provided to all customers if McAfee is not going to provide other automated means to do this.
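For anyone following the same workaround, here is an added example (not from the original poster, not McAfee's own tooling) of what step 1 of the above can look like: a PowerShell script that flattens nested AD group membership into one username per line for the manual upload in step 2, and reports which accounts were added or removed since the last run so the weekly rerun in step 4 leaves an audit trail. It assumes the RSAT ActiveDirectory module is installed, that the list in MVision Web Policy expects the UPN as the username (switch to SamAccountName if your list is keyed differently), and the group names shown are placeholders.

```powershell
# Added example, not part of the thread or of any McAfee product.
# Assumptions: RSAT ActiveDirectory module present; the web-policy list is keyed
# by UPN; the group names below are placeholders for the real policy groups.
param(
    [string[]]$GroupNames = @('WebPolicy-Allow-Social', 'WebPolicy-Finance'),
    [string]$OutFile = (Join-Path $PSScriptRoot 'web-policy-users.txt')
)

Import-Module ActiveDirectory -ErrorAction Stop

$users = foreach ($g in $GroupNames) {
    # -Recursive flattens nested groups; keep only user objects, then resolve
    # each one to a UPN and drop disabled accounts so they never reach the list.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties UserPrincipalName, Enabled
        } |
        Where-Object { $_.Enabled -and $_.UserPrincipalName } |
        Select-Object -ExpandProperty UserPrincipalName
}

# De-duplicate users who sit in more than one group and keep a stable order
# so the output file only changes when membership actually changes.
$current = @($users | Sort-Object -Unique)

# Compare with the previous upload so additions and removals are visible in
# the run log before the new file is handed to the web-policy list upload.
if (Test-Path $OutFile) {
    $previous = @(Get-Content -Path $OutFile | Where-Object { $_ })
    if ($previous.Count -gt 0) {
        Compare-Object -ReferenceObject $previous -DifferenceObject $current |
            ForEach-Object {
                $label = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
                Write-Host "$label $($_.InputObject)"
            }
    }
}

$current | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Wrote $($current.Count) usernames to $OutFile"
```

Run it from a scheduled task on the same weekly cadence as the upload, and keep the previous file alongside the new one: the ADDED/REMOVED lines are the only record of who gained or lost access between uploads, which matters because a removal from the AD group only takes effect in the web policy once the refreshed list is uploaded.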
