Intune Configuration

Background

Twingate integrates with Intune so that admins can set it as a requirement to sign in to Twingate or access private Resources. When Intune is selected as a trust method within Device Security, it can be incorporated into Security Policies. Only Mac and Windows devices that are verified through the Intune integration will be considered satisfying the Trusted Profile and be allowed to access private Resources.

How it works

Twingate integrates with Intune by using the Intune API to pull a list of devices managed under a specific customer’s tenant. The Twingate Client returns the device serial number and matches it to the list of serial numbers from Intune. If a device is verified to be managed by Intune, has reported to Intune within the last 7 days, and is classified by Intune as Compliant or In-grace period, it will be considered Intune-verified in Twingate.

Generate an Azure Client ID and Secret

  • In your Azure portal, go to Azure Active Directory
  • Go to App registrations
  • Create a new registration. This will take you to the App registration page.
  • Go to API permissions
  • Add a permission: choose Microsoft Graph, then Delegated permissions
  • Select DeviceManagementManagedDevices.Read.All
  • Add another permission: choose Microsoft Graph, then Application permissions
  • Select DeviceManagementManagedDevices.Read.All
  • Click on Grant admin consent for…
  • Go back to the App registration Overview page
  • Click on Client credentials
  • Create a new client secret
  • Save the Value. You’ll need this later and won’t be able to access it again.
  • Return to the App registration Overview page
  • Save the Application (client) ID and Directory (tenant) ID values

Configuring the Intune integration in Twingate

1. In Twingate, navigate to Settings and then select Device Integration

2. Select Connect next to Intune and input your Intune credentials

3. After the integration is configured, the Device Integrations page will show the current status of the integration

Incorporating Intune into Security Policies

After the Intune integration has been set up, it can be configured into Device Security Trusted Profiles.

For macOS and Windows, create a Trusted Profile and require Intune as a Trust Method. Only devices that are managed by Intune, reported within the last 7 days, and classified by Intune will satisfy the requirements of this Trusted Profile. This Trusted Profile can now be incorporated into Security Policies.

Troubleshooting

After the Intune integration is set up, the Device Integrations page will show the status as “Waiting to sync”. During this time, devices may be missing the correct Intune verification state. After a few minutes, the Device Integration page will show the most recent sync time and devices will correctly show their state on their device details page.

A device can be listed as Intune not verified for the following reasons:

  • The device is not managed by Intune
  • Its Intune Compliance State is not Compliant or In-grace period
  • The device has not reported back to Intune in the past 7 days
  • We’ve been unable to retrieve a serial number from the device
  • We’ve been unable to retrieve Intune data from the device

In the case of a recoverable error (e.g. the Intune API is unresponsive), the Intune integration will show that it has failed to sync and the time of the last successful sync. The Device Integrations page will reflect the time of last successful sync. When we are able to reach the Intune API, the errors will be resolved automatically.

In the case of an unrecoverable error (e.g. the Intune credentials are no longer valid is deleted or the permissions have been altered), the Intune integration will stop attempting to connect. Admins will be notified via email that the Intune integration needs attention. For these errors, we recommend reconfiguring the integration and inputting new API client information.

Last updated 29 days ago