Network access control (NAC) integration with Intune
Intune integrates with network access control partners to help organizations secure corporate data when devices try to access on-premises resources.
How do Intune and NAC solutions help protect your organization resources?
NAC solutions check the device enrollment and compliance state with Intune to make access control decisions. If the device isn't enrolled, or is enrolled and not compliant with Intune device compliance policies, then the device should be redirected to Intune for enrollment, or for a device compliance check.
If the device is enrolled and compliant with Intune, the NAC solution should allow the device access to corporate resources. For example, users can be allowed or denied access when trying to access corporate Wi-Fi or VPN resources.
Devices that are actively syncing to Intune can't move from Compliant / Noncompliant to Not Synched (or Unknown). The Unknown state is reserved for newly enrolled devices that haven't been evaluated for compliance yet.
For devices that are blocked from access to resources, the blocking service should redirect all users to the management portal to determine why the device is blocked. If the users visit this page, their devices are synchronously reevaluated for compliance.
NAC and conditional access
NAC works with conditional access to provide access control decisions. For more information, see Common ways to use conditional access with Intune.
How the NAC integration works
The following list is an overview on how NAC integration works when integrated with Intune. The first three steps, 1-3, explain the onboarding process. Once the NAC solution is integrated with Intune, steps 4-9 describe the ongoing operation.
- Register the NAC partner solution with Azure Active Directory (AAD), and grant delegated permissions to the Intune NAC API.
- Configure the NAC partner solution with the appropriate settings including the Intune discovery URL.
- Configure the NAC partner solution for certificate authentication.
- User connects to corporate Wi-Fi access point or makes a VPN connection request.
- NAC partner solution forwards the device information to Intune, and asks Intune about the device enrollment and compliance state.
- If the device isn't compliant or isn't enrolled, the NAC partner solution instructs the user to enroll or fix the device compliance.
- The device tries to reverify its compliance and enrollment state when applicable.
- Once the device is enrolled and compliant, NAC partner solution gets the state from Intune.
- Connection is successfully established which allows the device access to corporate resources.
Use NAC for VPN on your iOS devices
NAC for Cisco Legacy AnyConnect, F5 Access Legacy, and Citrix VPN is supported without needing to enable NAC in the VPN profile.
NAC for Citrix SSO is also supported. To enable NAC for Citrix SSO for iOS:
- Use Citrix Gateway 12.0.59 or higher.
- Users must have Citrix SSO 1.1.6 or later installed.
- Integrate NetScaler with Intune for NAC as described in the Citrix product documentation.
- On the Base VPN settings configuration, for Enable Network Access Control (NAC), select the check-box for I agree.
When you use Citrix SSO for iOS, the VPN connection is disconnected every 24 hours for security reasons. The VPN can immediately be reconnected.
Network access control is not currently supported for the following VPN clients on iOS:
- Cisco AnyConnect
- F5 Access
We're working with our partners to release a NAC solution for these newer clients. When we have solutions ready, we will update this article with additional details.
Send feedback about: