topic Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules? in Endpoint

Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

rasmuswiegman — Fri, 24 May 2024 11:31:40 GMT

Hey All,

We have a couple of customers, who are slowly moving towards Entra ID over On-Prem AD. And that also means joinning machines to Entra and authenticating against Entra...

The result is that users & Machines that are not using on-prem AD, does not get the correct policies applied 😕

Has anyone found a way to correct this?

Rasmus

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

JonnyRabinowitz — Sun, 26 May 2024 06:56:07 GMT

Below is a description of the relevant functionality as supported on Harmony Endpoint

1) From which release is support for Microsoft Entra ID be available? Windows Client Release E88.00

2) Are there related management changes for this support?

Yes. There is an additional AD scanner type that needs to be defined. This will be available on cloud management at time of E88.00 release

Schedule for on-premise management availability to be confirmed

A sample of the new AD scanner definitions can be seen in the attached powerpoint

3) Some related implementation aspects

Once connected to Entra ID the following operations can be performed

You can import devices, groups, users, and administrative units from Azure Active Directory to Harmony Endpoint Management
Any imported objects appear in Asset Management> Organization Tree > Directories -> Azure Directory

For a deployment where both On-prem AD and Entra ID are configured the data from the on-prem AD is given the highest priority
Multiple Azure AD directories can be defined on Harmony Endpoint management. Device information is taken from where the client is joined

4) Are there any functional limitations with this support

4.1 Hybrid Mode

When working in hybrid mode, there is a both an on-premise AD and Entra ID cloud based component. Data may be synchronized between the two

For hybrid mode two corresponding scanners need defined on HEP management for the on-premise and cloud based components

This enables full client functionality in this configuration

4.2 Standalone / Cloud Only

When moving from on-prem to cloud based AD many authentication related aspects are changing and this can cause issues across some capabilities

In such a configuration there are caveats on the following functionality

Use of Smart Cards together with MEPP package

These are not currently supported

Mac clients

Mac Clients with Entra ID support is not supported currently by Microsoft. Microsoft is providing additional capabilities to allow this. We will look to align when becomes available
Mac Clients can be used in this configuration when working with Intune. Related configuration for this option is outside scope of Harmony endpoint support

Issues with password change for FDE

In pure Entra ID environments (only) a password change cannot be intercepted by the credential provider.
This leads to a limitation that the end user must lock their screen after changing a password for the password change to take effect in FDE/preboot
Without lock screen preboot password is not synced with Windows password. This means that the old password will be in effect in preboot and potentially could cause a locked user.

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

rasmuswiegman — Mon, 27 May 2024 06:35:02 GMT

Hi Jonny,

Thanks a lot! 🙂

However, the E88 has been realeased a while ago, and I don't see the "Add Azure AD Scanner" anywhere 😕 Is there anything that should be enabled before getting this?

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

JonnyRabinowitz — Mon, 27 May 2024 06:42:16 GMT

If you do not see the option on the cloud management then please send me the tenant ID and version (can unicast) and may need to schedule upgrade for the management

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

JonnyRabinowitz — Mon, 27 May 2024 07:02:30 GMT

This is where option should be

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

LazarusG — Wed, 31 Jul 2024 08:43:47 GMT

I also don't see the entra-id option in my tenant and a customer has the same issue. Is this not available across the board or is it done on a case by case basis?

Is it limited by Checkpoint or MS licensing?

Thanks

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

JonnyRabinowitz — Wed, 31 Jul 2024 09:16:37 GMT

Hi. I assume you have a cloud based tenant

Is not related to licensing but more dependent on upgrade cycle for your tenant. If wan to unicast your tenant details to me I can check schedule on updates

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

LazarusG — Wed, 31 Jul 2024 13:36:30 GMT

thanks - mine is a dev tenant as a partner, so not uber critical (thanks for the offer though) - however will all tenants be upgraded in time? appreciate the response!

Re: Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

JonnyRabinowitz — Wed, 31 Jul 2024 13:38:24 GMT

Yes. Over time all tenants get upgraded to latest. I do not know the cycle time by which all tenants are upgraded