Connecting Vanta & Microsoft Endpoint Manager / Intune MDM

  • Updated
Microsoft Endpoint Manager is Microsoft's platform for managing devices. Microsoft Intune is now part of Microsoft Endpoint Manager as its MDM solution. Today, Vanta integrates with Microsoft Endpoint Manager by pulling in device and app info for Windows and MacOS devices. Vanta continuously runs tests on these devices to ensure secure and compliant configuration.

Prerequisites

  • Connection must be completed by the Administrator of Endpoint Manager.

    An easy way to check if your account is an admin is to visit the Microsoft Endpoint Manager admin center and make sure that you can log in. Clicking on My permissions from the tenant admin menu, you should see that you are listed as an administrator with full permissions to Intune:

IntunePermissions.png

Procedure

  • In Vanta:
    • Select Integrations from the left-hand navigation panel
    • Select Available and search for Microsoft Endpoint Manager 
    • Select Connect

Screenshot 2023-08-21 at 10.26.40 am.png

 
  • Click 'Connect Microsoft Endpoint Manager'
    Note: Ensure you have verified that you are an admin of the Office organization. 

Screenshot 2023-08-21 at 10.28.04 am.png

  • When prompted, Login with your Administrator details. You will be show the list of permissions required by the integration to Accept.
 
EndpointManagerPermissions.png
  • Once accepted, you will be prompted to configure the time it takes to ensure security settings are set up for new devices. Vanta will not alert on newly registered computers until the time entered has passed. This is set to 3 hours by default. 

    Note: If multiple MDM integrations are connected, any change made here to the computer setup time will be applied to all MDM integrations.

Screenshot 2023-08-21 at 10.35.15 am.png

Screenshot 2023-08-21 at 10.40.23 am.png

Permissions 

Permission Description Use cases
DeviceManagementManagedDevices.Read.All
Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. With this main permission, Vanta can pull in device info, such as hardware details or installed applications.
DeviceManagementConfiguration.Read.All
 
Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. With this permission, Vanta can pull in screenlock and antivirus settings.

 

What Can't Vanta Monitor?

  • iOS or Android devices: Today, Vanta does not pull in mobile devices such as iOS or Android. We are also limited by what Intune can support. 

  • Corporate:  Intune collects the phone numbers, app inventory, and UDIDs of corporate-owned devices. Devices that aren't corporate-owned won't report UDID or installed apps, so Vanta won't be able to define a solid identity or run installed software checks on these devices. 

Things to Keep in Mind:

  • Weekly app scans: Because Intune only scans and reports hardware and software inventory once every 7 days, these app updates will also report updates at this cadence in Vanta.

  • Proper licensing: Users can enroll their corporate devices only if they have an Intune license.

  • Compliance vs Configuration Policies: When using Microsoft Endpoint Manager, Vanta will only read in compliance policies and will not read in configuration profiles. See our set up guide for instructions on how to configure compliance policies for Vanta: Microsoft Endpoint Manager - Configuration for Vanta
     
  • Password manager and AV detection. Unlike other MDM providers for MacOS, Microsoft does not provide us with bundle identifiers for MacOS apps. As a fallback, we determine if an app is a password manager or an AV by its app name, which can be less precise.
    • For antivirus, Vanta also checks to see if a device has a compliance policy enforced that requires antivirus.

  • No browser extensions. Like our other MDM integrations, we don't have easy access to see what extensions are installed in an employee's browser(s). One way this could be done in the future is w/ device policies — but that would check for enforcement rather than detecting an actual installation.