Microsoft Endpoint Manager is Microsoft’s platform for managing devices. Microsoft Intune is now part of Microsoft Endpoint Manager as its MDM solution. Today, Vanta integrates with Microsoft Endpoint Manager (and Intune) by pulling in device and app info for Windows and MacOS devices. Vanta continuously runs tests on these devices to ensure secure and compliant configuration.
This article contains the following topics:
Connecting
Permissions
What we can monitor
Limitations
FAQ
Connecting
Connecting Vanta to Microsoft Endpoint Manager is simple. At https://app.vanta.com/connections, listed under "Mobile device management tools", you can connect if you are a Microsoft Endpoint Manager admin. After connecting, you can also mark specific computers as in scope or out of scope.
Step 1: Select Intune on “Connections”
Step 2: Accept permissions
Step 3: Configure Scope
Permissions
| Permission | Description | Use cases |
| --- | --- | --- |
| DeviceManagementManagedDevices.Read.All | Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. | With this main permission, Vanta can pull in device info, such as hardware details or installed applications. |
| DeviceManagementConfiguration.Read.All | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | With this permission, Vanta can pull in screenlock and antivirus settings. |
Devices
Today, the devices we can monitor must have the following criteria:
- MacOS or Windows: Today, Vanta does not pull in mobile devices such as iOS or Android. We are also limited by what Intune can support.
- Corporate: “Intune collects the phone numbers, app inventory, and UDIDs of corporate-owned devices.” Devices that aren’t corporate-owned won’t report a UDID or installed apps, so Vanta won’t be able to establish a solid identity or run installed-software checks on these devices.
- Weekly app scans: Because Intune only scans and reports hardware and software inventory once every 7 days, installed-app changes will also appear in Vanta at that cadence.
- Proper licensing. Users can enroll their corporate devices only if they have an Intune license.
- Password manager and AV detection. Unlike other MDM providers for MacOS, Microsoft does not provide us with the bundle identifiers for MacOS apps. As a fallback, we determine if an app is a password manager or an AV by its app name, which can be less precise.
- For antivirus, Vanta also checks to see if a device has a compliance policy enforced that requires antivirus.
- No browser extensions. Like our other MDM integrations, we don’t have easy access to see what extensions are installed in an employee’s browser(s). One way this could be done in the future is with device policies, but that would check for enforcement rather than detecting an actual installation.
FAQ
Q: If my customer previously was using Workstation Agent and will now connect Intune, will both results show up as separate machines in Vanta and the computers page?
A: Yes. We recommend removing the Vanta Agent on an Intune machine (the employee can uninstall it, or an admin can deprovision it in Intune).
Q: For Windows 10, how do I let Vanta detect Antivirus through compliance policies?
A: In Compliance Policies, ensure you have a policy that requires antivirus, or create one. Assign the policy to a Windows device. When that Windows device has an antivirus installed and the policy state becomes compliant or remediated, Vanta will show that the device has antivirus installed.
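The following script is an added example, not Vanta's code, that models the device-eligibility rules from the "Devices" list above (supported OS, corporate ownership, UDID, the 7-day inventory cadence, name-based password manager and AV detection) together with the compliance-policy fallback for antivirus from the FAQ. It runs offline against constructed sample records. Field names such as `operatingSystem`, `managedDeviceOwnerType`, `udid`, `lastSyncDateTime`, `detectedApps` display names, `antivirusRequired` and the per-device policy status values follow my understanding of the Microsoft Graph Intune schemas that the two permissions in the table grant read access to; treat them as assumptions, and the app-name lists are constructed placeholders rather than Vanta's actual matching lists.

```python
"""Model of the eligibility and detection rules described in the article, run
against constructed sample data shaped like Microsoft Graph Intune objects.
Added example, not Vanta's code. Field names are assumed from the Graph
managedDevice / detectedApp / windows10CompliancePolicy schemas."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what DeviceManagementManagedDevices.Read.All exposes.
MANAGED_DEVICES = [
    {"id": "dev-1", "deviceName": "mac-alice", "operatingSystem": "macOS",
     "managedDeviceOwnerType": "company", "udid": "UDID-0001",
     "lastSyncDateTime": "2024-04-29T10:00:00Z"},   # 9 days before NOW
    {"id": "dev-2", "deviceName": "win-bob", "operatingSystem": "Windows",
     "managedDeviceOwnerType": "company", "udid": "UDID-0002",
     "lastSyncDateTime": "2024-05-06T09:00:00Z"},   # 2 days before NOW
    {"id": "dev-3", "deviceName": "iphone-carol", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "company", "udid": "UDID-0003",
     "lastSyncDateTime": "2024-05-06T09:00:00Z"},
    {"id": "dev-4", "deviceName": "mac-dave-byod", "operatingSystem": "macOS",
     "managedDeviceOwnerType": "personal", "udid": None,   # BYOD: no UDID
     "lastSyncDateTime": "2024-04-20T09:00:00Z"},
]

# Constructed detectedApps display names per device. On macOS Intune gives
# names only (no bundle identifiers), hence the name-based fallback below.
DETECTED_APPS = {
    "dev-1": ["Google Chrome", "1Password", "Slack"],
    "dev-2": ["Microsoft Edge", "Bitwarden"],       # no AV app reported
}

# Constructed compliance policy (DeviceManagementConfiguration.Read.All).
# `antivirusRequired` is the assumed windows10CompliancePolicy setting; the
# per-device status values mirror the FAQ ("compliant" / "remediated").
COMPLIANCE_POLICIES = [
    {"id": "pol-av", "displayName": "Require AV", "antivirusRequired": True,
     "deviceStatuses": {"dev-2": "compliant", "dev-1": "nonCompliant"}},
]

# Placeholder name lists (constructed); real matching would be broader.
PASSWORD_MANAGER_NAMES = {"1password", "bitwarden", "lastpass", "dashlane"}
ANTIVIRUS_NAMES = {"windows security", "microsoft defender", "crowdstrike falcon"}
SUPPORTED_OS = {"macos", "windows"}
INVENTORY_INTERVAL = timedelta(days=7)   # Intune inventory cadence from the article
NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)   # fixed clock for the sample


def eligibility(device):
    """Apply the 'Devices' criteria; return (in_scope, reason)."""
    if device["operatingSystem"].lower() not in SUPPORTED_OS:
        return False, "unsupported OS"
    if device["managedDeviceOwnerType"] != "company":
        return False, "not corporate-owned: no UDID or app inventory"
    if not device.get("udid"):
        return False, "no UDID reported"
    return True, "ok"


def classify_apps(app_names):
    """Name-based fallback classification (less precise than bundle ids)."""
    return {
        "password_manager": [a for a in app_names if a.lower() in PASSWORD_MANAGER_NAMES],
        "antivirus": [a for a in app_names if a.lower() in ANTIVIRUS_NAMES],
    }


def av_required_by_policy(device_id, policies):
    """True when an AV-requiring policy is compliant/remediated for the device."""
    for policy in policies:
        if not policy.get("antivirusRequired"):
            continue
        if policy["deviceStatuses"].get(device_id) in ("compliant", "remediated"):
            return True
    return False


def inventory_is_stale(device, now):
    """Flag devices whose last inventory sync is older than one Intune cycle."""
    last = datetime.fromisoformat(device["lastSyncDateTime"].replace("Z", "+00:00"))
    return now - last > INVENTORY_INTERVAL


def evaluate(devices, apps, policies, now):
    """Per-device scoping decision plus the detections the article describes."""
    report = {}
    for d in devices:
        in_scope, reason = eligibility(d)
        entry = {"in_scope": in_scope, "reason": reason}
        if in_scope:
            found = classify_apps(apps.get(d["id"], []))
            entry["password_manager"] = bool(found["password_manager"])
            # AV is satisfied either by a detected AV app or by the policy fallback.
            entry["antivirus"] = bool(found["antivirus"]) or av_required_by_policy(d["id"], policies)
            entry["inventory_stale"] = inventory_is_stale(d, now)
        report[d["id"]] = entry
    return report


if __name__ == "__main__":
    for dev_id, entry in evaluate(MANAGED_DEVICES, DETECTED_APPS, COMPLIANCE_POLICIES, NOW).items():
        print(dev_id, entry)
```

Running it shows the two corporate macOS/Windows devices in scope, the iOS device and the personally owned Mac excluded with the reason given, the Windows device marked as having antivirus only because of the compliant AV policy, and the Mac flagged because its last inventory sync is older than the 7-day cycle.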