rasmuswiegman
Explorer

Has anyone successfully used Entra ID accounts/groups in Harmony Endpoint rules?

Hey All,

We have a couple of customers who are slowly moving towards Entra ID over on-prem AD. That also means joining machines to Entra and authenticating against Entra...

The result is that users and machines that are not using on-prem AD do not get the correct policies applied 😕

Has anyone found a way to correct this?

Rasmus

4 Replies
JonnyRabinowitz
Employee

Below is a description of the relevant functionality as supported on Harmony Endpoint

1) From which release is support for Microsoft Entra ID available? Windows Client Release E88.00

2) Are there related management changes for this support?

Yes. There is an additional AD scanner type that needs to be defined. This will be available on cloud management at the time of the E88.00 release.

Schedule for on-premise management availability to be confirmed

A sample of the new AD scanner definitions can be seen in the attached PowerPoint.

3) Some related implementation aspects

  • Once connected to Entra ID, the following operations can be performed
    • You can import devices, groups, users, and administrative units from Azure Active Directory to Harmony Endpoint Management
    • Any imported objects appear in Asset Management > Organization Tree > Directories > Azure Directory
  • For a deployment where both On-prem AD and Entra ID are configured the data from the on-prem AD is given the highest priority
  • Multiple Azure AD directories can be defined on Harmony Endpoint management. Device information is taken from where the client is joined

4) Are there any functional limitations with this support

4.1 Hybrid Mode

When working in hybrid mode, there are both an on-premises AD and an Entra ID cloud-based component. Data may be synchronized between the two.

For hybrid mode, two corresponding scanners need to be defined on HEP management for the on-premises and cloud-based components.

This enables full client functionality in this configuration

4.2 Standalone / Cloud Only

When moving from on-prem to cloud-based AD, many authentication-related aspects change, and this can cause issues across some capabilities.

In such a configuration there are caveats on the following functionality

  • Use of Smart Cards together with MEPP package
    • These are not currently supported
  • Mac clients
    • Mac clients with Entra ID are not currently supported by Microsoft. Microsoft is providing additional capabilities to allow this. We will look to align when it becomes available
    • Mac clients can be used in this configuration when working with Intune. Related configuration for this option is outside the scope of Harmony Endpoint support
  • Issues with password change for FDE
    • In pure Entra ID environments (only) a password change cannot be intercepted by the credential provider.
    • This leads to a limitation that the end user must lock their screen after changing a password for the password change to take effect in FDE/preboot
    • Without the lock screen, the preboot password is not synced with the Windows password. This means that the old password will be in effect in preboot and could potentially lock the user out.
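Added example for the hybrid vs. cloud-only distinction above (editorial addition, not part of the original thread and not Check Point code): a PowerShell check that reads the endpoint's join state from the built-in `dsregcmd /status` and reports which directory scanners the post says the tenant needs (both scanners for hybrid, the Entra ID scanner for cloud-only), plus whether the FDE password-change caveat applies. `AzureAdJoined` and `DomainJoined` are the field names dsregcmd actually prints; the function name, the scanner labels and the sample output are descriptive choices of this example.

```powershell
# Added example, not Check Point code: classify a Windows endpoint's join state
# from dsregcmd /status so you know which Harmony Endpoint directory scanners
# the tenant needs. "AzureAdJoined" / "DomainJoined" are real dsregcmd fields;
# the function name and scanner labels below are this example's own.

function Get-EndpointJoinState {
    param(
        # Raw dsregcmd /status output; defaults to running the built-in tool live.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    # Collect "Key : Value" lines into a hashtable. Banner lines (+----, | ... |)
    # and multi-word keys such as "Device Name" do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    $mode = if ($entra -and $domain) { 'Hybrid' }
            elseif ($entra)          { 'EntraOnly' }
            elseif ($domain)         { 'OnPremOnly' }
            else                     { 'NotJoined' }

    # Scanner labels are descriptive, not product menu names.
    $scanners = @(switch ($mode) {
        'Hybrid'     { 'On-prem AD scanner'; 'Azure AD (Entra ID) scanner' }
        'EntraOnly'  { 'Azure AD (Entra ID) scanner' }
        'OnPremOnly' { 'On-prem AD scanner' }
    })

    # Pure Entra ID is the case where the FDE credential provider cannot intercept
    # a password change (section 4.2 above), so flag it for the admin.
    [pscustomobject]@{
        Mode              = $mode
        AzureAdJoined     = $entra
        DomainJoined      = $domain
        ScannersNeeded    = $scanners
        FdePasswordCaveat = ($mode -eq 'EntraOnly')
    }
}

# Constructed sample (abbreviated dsregcmd banner plus fields), used instead of a live run:
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : WS-0042
'@
$sample = $sampleText -split "`r?`n"

Get-EndpointJoinState -StatusText $sample | Format-List
# Expected for the sample: Mode = EntraOnly, one scanner needed, FdePasswordCaveat = True.

# Live check on the endpoint itself:
# Get-EndpointJoinState | Format-List
```

Run it on a machine from each customer population before defining scanners; a device that reports `Hybrid` needs both scanners defined on the management, and any `EntraOnly` population is the one where users must lock the screen after a password change for preboot to pick it up.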
rasmuswiegman
Explorer

Hi Jonny,

Thanks a lot! 🙂

However, E88 was released a while ago, and I don't see the "Add Azure AD Scanner" anywhere 😕 Is there anything that should be enabled before getting this?

JonnyRabinowitz
Employee

If you do not see the option on the cloud management, then please send me the tenant ID and version (you can unicast); we may need to schedule an upgrade for the management.

JonnyRabinowitz
Employee

This is where the option should be
