
Bypass MFA for Apple DEP+Intune enrollment at on-prem ADFS 2016

Hello there,

Looking for advice on how to best overcome the following limitation.
We're trying to enroll Mac devices with DEP enrollment and Intune. When binding the Mac to a user during install, it tries to log on and verify membership and licenses.
This is a known issue: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/17163317-mfa-doesn-t-work-with-apple-dep-with-intune (it's been marked as "release in progress" since 2018 but it doesn't seem to have progressed ever since).
In our scenario we have a trust between Office365\Azure and our on-prem ADFS 2016 (farm in 4.0 mode).
So all authentications are forwarded from Intune to on-prem ADFS, where we enforce MFA (DUO). Now, since DEP with Intune doesn't support MFA (still!), we need a way to bypass MFA but only for auth requests coming from DEP\Intune enrollment.
Before this task, we had the following Access Control Policy for the Azure\Office365 trust:

  • Permit all, except from a security group with our active real-users (Group X)

  • Permit users from Group X and require MFA

What I gathered from failed auth attempts from DEP is that it uses the endpoint "/adfs/services/trust/2005/usernamemixed", so I tried a few ways to bypass MFA for auth requests with this endpoint in the claims, but it seems I can't build the right rule.

So I have two questions:

  • Is there any other way you suggest to overcome the outlined issue?

  • How can I modify the original ACP rule to:

      • Permit all, except from a security group with our active real users (Group X)

      • Permit users from Group X and require MFA

      • Bypass MFA for users from Group X if they have a specific claim in the request (Endpoint Path equals "/adfs/services/trust/2005/usernamemixed")

Any help is much appreciated.


1 Answer

piaudonn answered:

Note that if you are using ADFS for your Azure AD integration only to be able to use DUO, you might be able to do without ADFS. You could use Azure AD Connect Seamless SSO and use the Azure AD/DUO integration.

We can create such a rule. It would use the "legacy" way to do it and not the current Access Control Policies. But it would affect other clients. Exchange ActiveSync can use the same endpoint, and so can other legacy applications. So by white-listing this scenario you might allow others.
Ideally we would do everything in Azure AD in Conditional Access Policies. That is the recommended way. Anything other than this is really a gadget workaround with security risks.

That said, in order to minimize the exposure as much as we can, we can try to fine-tune the exclusion to a User Agent String, or other connection metadata. In order to do this, you will need to capture all the claims you get on one of these requests and share them here. In order to have all the claims of your request in the event logs, you will need to enable the verbose audit. You will find the info here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging.

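As an added example (not code from the thread or from Microsoft's documentation), the PowerShell below turns on the verbose audit the answer refers to and then tabulates the endpoint path, client application and user-agent claims from the resulting Security-log events, so that any exclusion can be scoped to connection metadata rather than to the bare endpoint path. It assumes the audit provider name "AD FS Auditing" and that verbose events list each claim as a "type: value" line.

```powershell
# Added example: enable verbose ADFS auditing on a Windows Server 2016 farm and
# summarise which endpoint / client application / user-agent combinations show up,
# so an MFA exclusion can be written as narrowly as possible.
# Prerequisite: the ADFS service account holds the "Generate security audits" right.
# Assumption: audit events are written under the provider name "AD FS Auditing".

# 1. Turn on verbose auditing (both steps are needed on Server 2016).
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Set-AdfsProperties -AuditLevel Verbose

# Request-context claim types ADFS attaches to every request; an exclusion rule
# could test any of these, not only the endpoint path.
$EndpointClaim  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$UserAgentClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
$ClientAppClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'

function Get-ClaimValue {
    param([string]$Message, [string]$ClaimType)
    # Assumed format: verbose audit events list claims as "<type>: <value>" lines.
    $pattern = '(?m)^\s*' + [regex]::Escape($ClaimType) + '\s*:?\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

# 2. Read the last hour of ADFS audit events and group them by the three claims.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $since
} -ErrorAction SilentlyContinue

$events |
  ForEach-Object {
    $m  = $_.Message
    $ep = Get-ClaimValue -Message $m -ClaimType $EndpointClaim
    if ($ep) {
      [pscustomobject]@{
        Endpoint  = $ep
        ClientApp = Get-ClaimValue -Message $m -ClaimType $ClientAppClaim
        UserAgent = Get-ClaimValue -Message $m -ClaimType $UserAgentClaim
      }
    }
  } |
  Group-Object Endpoint, ClientApp, UserAgent |
  Sort-Object Count -Descending |
  Select-Object Count, @{n='Endpoint';e={$_.Group[0].Endpoint}},
                       @{n='ClientApp';e={$_.Group[0].ClientApp}},
                       @{n='UserAgent';e={$_.Group[0].UserAgent}} |
  Format-Table -AutoSize

# 3. Optional: a copy with IP addresses masked (as suggested in the thread) for sharing.
$events | ForEach-Object { $_.Message -replace '\b\d{1,3}(\.\d{1,3}){3}\b', 'x.x.x.x' } |
  Set-Content .\adfs-audit-sanitised.txt
```

Rows whose user agent or client application is shared with Exchange ActiveSync or other legacy clients show exactly which traffic an endpoint-only exclusion would also let through.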

Hi, thanks for taking time to help us with this.
I have gathered verbose logs, which I'm not comfortable sharing in a public post. How can I safely share it with you?
Thank you.

piaudonn:

You can sanitize the logs: replace IP addresses by x.x.x.x and usernames by XXXX. If you don't find a way to do it, you can find me on LinkedIn.


There are quite a few log events for a single login attempt.
I sent you an invite in LinkedIn.
Thanks.


Hi there.

Any luck with those logs?

Thank you.

piaudonn:

I looked at them right away, and I emailed you right away too :) that the logs we need are the security logs (with verbose audit). Those are the ones which contain the user agent strings and other connection artifacts.


Hi Pierre,


I did send extended logs to you some time ago, and re-sent them just now; please check whether you received them.


Thank you!

piaudonn:

My bad! You did! I'll have a look!


Hi Pierre,

Just in case, I sent you some new logs this morning.

Thank you.
