While using Microsoft Intune, you might want to limit access to apps depending on where the device is located. You can now get close to Intune geofencing for managed devices by using Named locations in Azure Active Directory.
But the question is, can you really call this Intune geofencing? No, not really.
Intune geofencing doesn’t exist as such, but we can use features that are similar but broader in scope. Named Locations allow you to specify the countries and regions that you want to manage.
In previous versions of Intune, you had access to locations for Compliance Policies, but these were limited to network details such as the following:
- IPv4 Range (e.g. 192.168.1.0/24)
- IPv4 Gateway
- IPv4 DHCP server
- IPv4 DNS Servers
- DNS suffixes
You can now use the device’s physical location as a condition for Conditional Access (CA) by creating a Named Location and selecting the country you want to manage.
Conditional Access is a framework of rules that you design to secure your data while giving your users access to what they need.
You can use conditions like location, device state, authentication methods, and more to specify how apps are accessed.
The most common condition, in addition to location, is Multi-Factor Authentication.
To use this feature, you need to do the following:
- Sign in to the Azure portal and go to your Azure Active Directory
- Go to Conditional Access and click Named locations
- Click New location, type a name for your location, and select the Countries/Regions radio button
- Select the countries you want to use. In my example it will be Sweden.
- Click Create at the bottom to save the location
Now you will be able to select this location from within Intune and the Conditional Access policies. It is located in Conditions > Locations, as seen below. You can also create the Conditional Access policy from Azure Active Directory; the only difference is that some settings are only available there, e.g., creating Named locations.
You can use this for the following scenarios:
- Require MFA for devices outside a country when accessing company data
- Block devices from accessing company data while inside specific countries
- Publish internal applications using Azure AD and only allow them from inside a country
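To make the Named location steps and the three scenarios above concrete, here is an added example (written for this post, not Microsoft code) that builds the request bodies a country Named location and a Conditional Access policy would be sent with through Microsoft Graph, and then replays the location condition offline for a few sign-ins. The Graph field names are the real schema; the location ids, the app id, the blocked-country code "AQ" and the sign-in samples are constructed. The country of a sign-in is whatever Azure AD geolocates the sign-in IP to, so the example also shows what happens when the IP cannot be mapped to a country (the "Include unknown countries/regions" checkbox on the Named location).

```python
"""Offline model of Azure AD country Named Locations and the location
condition of Conditional Access. Added example for this post, not Microsoft
code. Request bodies follow the Microsoft Graph conditionalAccess schema
(namedLocations / policies); ids, app ids and sign-in samples are constructed."""

COUNTRY_LOCATION_TYPE = "#microsoft.graph.countryNamedLocation"


def country_named_location(name, iso_codes, include_unknown=False):
    """Body for POST /identity/conditionalAccess/namedLocations.
    iso_codes are ISO 3166-1 alpha-2 codes; Sweden is "SE"."""
    return {
        "@odata.type": COUNTRY_LOCATION_TYPE,
        "displayName": name,
        "countriesAndRegions": list(iso_codes),
        # Sign-ins whose IP cannot be mapped to a country only count as being
        # inside this location when this is True (the portal checkbox).
        "includeUnknownCountriesAndRegions": include_unknown,
    }


def ca_policy(name, control, include_locations, exclude_locations=(),
              applications=("All",), state="enabled"):
    """Body for POST /identity/conditionalAccess/policies.
    control is a built-in grant control: "mfa" or "block".
    state "enabledForReportingButNotEnforced" gives a report-only dry run."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(applications)},
            "locations": {
                "includeLocations": list(include_locations),
                "excludeLocations": list(exclude_locations),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


class LocationEvaluator:
    """Replays the location condition for a sign-in. country is the
    geolocation of the sign-in IP, or None when it cannot be resolved."""

    def __init__(self, named_locations):
        self.named_locations = named_locations  # {named-location id: body}

    def in_location(self, location_id, country):
        if location_id == "All":
            return True
        loc = self.named_locations[location_id]
        if country is None:
            return loc["includeUnknownCountriesAndRegions"]
        return country in loc["countriesAndRegions"]

    def matches(self, policy, country, app_id):
        cond = policy["conditions"]
        apps = cond["applications"]["includeApplications"]
        if "All" not in apps and app_id not in apps:
            return False
        locs = cond["locations"]
        included = any(self.in_location(l, country) for l in locs["includeLocations"])
        excluded = any(self.in_location(l, country) for l in locs["excludeLocations"])
        return included and not excluded

    def decide(self, policies, country, app_id):
        """Returns "block", "mfa" or "allow". Controls of every matching
        enabled policy apply together, and block always wins."""
        controls = set()
        for policy in policies:
            if policy["state"] == "enabled" and self.matches(policy, country, app_id):
                controls.update(policy["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block"
        if "mfa" in controls:
            return "mfa"
        return "allow"


# Constructed ids; in Graph these are GUIDs returned when the object is created.
SWEDEN_ID = "nl-sweden-constructed"
BLOCKED_ID = "nl-blocked-constructed"
INTERNAL_APP = "app-internal-portal-constructed"
MAIL_APP = "app-mail-constructed"

NAMED_LOCATIONS = {
    SWEDEN_ID: country_named_location("Sweden", ["SE"]),
    BLOCKED_ID: country_named_location("Blocked countries", ["AQ"]),  # constructed code
}

# The three scenarios from the post, as policies.
POLICIES = [
    ca_policy("Require MFA outside Sweden", "mfa", ["All"], [SWEDEN_ID]),
    ca_policy("Block sign-ins from blocked countries", "block", [BLOCKED_ID]),
    ca_policy("Internal app only from Sweden", "block", ["All"], [SWEDEN_ID],
              applications=[INTERNAL_APP]),
]

EVALUATOR = LocationEvaluator(NAMED_LOCATIONS)


def decide(country, app_id=MAIL_APP):
    """Decision for one constructed sign-in against the policies above."""
    return EVALUATOR.decide(POLICIES, country, app_id)


if __name__ == "__main__":
    for country, app in [("SE", MAIL_APP), ("DE", MAIL_APP), ("AQ", MAIL_APP),
                         (None, MAIL_APP), ("DE", INTERNAL_APP)]:
        print(country, app, "->", decide(country, app))
```

Two things the replay makes visible: "outside Sweden" is expressed as include All locations and exclude the Sweden Named location, and a sign-in whose IP has no country is then treated as outside Sweden (it gets MFA rather than a free pass) because the Sweden location was created with the unknown-countries box unchecked. When several policies match, every control applies and a block overrides an MFA grant, which is why the internal app is blocked from Germany even though the MFA policy also matched.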
Since you can’t select an area on a map, I wouldn’t call this Intune Geofencing. However, this brings us as close as currently possible without using other products.
I believe that Microsoft will add some sort of Intune geofencing in the future, as it would be very useful for certain public services.
If you really want to use geofencing and MDM, I would take a look at Cisco Meraki or AirWatch. Both can specify an area on a map and assign policies to it.