While using Microsoft Intune you might want to limit access to Apps depending on where the device is located. You can now use geofencing for intune managed devices by using Named locations in Azure Active Directory.
In previous versions of Intune you had access to locations for Compliance Policies but were limited to network details, such as the following list.
- IPv4 Range (eg. 192.168.1.0/24)
- IPv4 Gateway
- IPv4 DHCP server
- IPv4 DNS Servers
- DNS suffixes
You can now use the physical location of the device as a condition for Conditional Access (CA) by creating a Named Location and selecting the country you want to limit to.
To use this feature you need to do the following:
- Sign in to the azure portal and go to your Azure Active Directory
- Go to Conditional Access and click Named locations
- Click New location and type a name for your location, followed by selecting the radio button for Countries/Regions
- Select the countries you want to use. In my example it will be Sweden.
- Click Create att buttom to save the location
Now you will be able to select this location from within Intune and the Conditional Access policies. It is located in Conditions > Locations as seen below. The policy can also be created from Azure Active Directory; the only difference is that some settings are only available there, e.g. creating Named locations.
You can use this for the following examples.
- Require MFA for devices outside a country when accessing company data
- Block devices from accessing company data while inside specific countries
- Publish internal applications using Azure AD and only allow them from inside a country