Microsoft Endpoint Manager is Microsoft's platform for managing devices; Microsoft Intune is now part of Microsoft Endpoint Manager as its MDM solution. Today, Vanta integrates with Microsoft Endpoint Manager (and Intune) by pulling in device and app information for Windows and macOS devices, and continuously runs tests on those devices to confirm they are configured securely and in line with your compliance requirements.

Connecting

At https://app.vanta.com/connections, under Mobile device management tools, you can connect Microsoft Endpoint Manager if you are a Microsoft Endpoint Manager admin. After connecting, you'll also be able to mark specific computers as in-scope or out-of-scope.

Creating the Connection

  •  Select Intune on Connections
  •  Accept permissions
  •  Configure Scope


Permissions

Both permissions are read-only application permissions (the "without a signed-in user" wording is how Microsoft Graph describes application, as opposed to delegated, permissions), so the connection can read device and policy data but cannot change device or policy configuration.

  •  DeviceManagementManagedDevices.Read.All
     Description: Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
     Use case: With this main permission, Vanta can pull in device information such as hardware details and installed applications.

  •  DeviceManagementConfiguration.Read.All
     Description: Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
     Use case: With this permission, Vanta can pull in screen lock and antivirus settings.


What Can't Vanta Monitor?

  •  Only macOS and Windows: Today, Vanta does not pull in mobile devices such as iOS or Android. Vanta is also limited to what Intune itself reports.

  •  Corporate-owned devices only for software checks: Intune collects the phone numbers, app inventory, and UDIDs of corporate-owned devices. Devices that aren't corporate-owned won't report a UDID or installed apps, so Vanta can't establish a stable identity for them or run installed-software checks on them.

Things to Keep in Mind:

  •  Weekly app scans: Intune scans and reports hardware and software inventory only once every 7 days, so changes to a device's app inventory appear in Vanta at that same cadence.
  •  Proper licensing: Users can enroll their corporate devices only if they have an Intune license.
  •  Password manager and AV detection: Unlike other MDM providers for macOS, Microsoft does not provide bundle identifiers for macOS apps. As a fallback, Vanta determines whether an app is a password manager or an antivirus product from its app name, which is less precise.
    •  For antivirus, Vanta also checks whether the device has an enforced compliance policy that requires antivirus.
  •  No browser extensions: Like our other MDM integrations, Vanta cannot see which extensions are installed in an employee's browser(s). One way this could be done in the future is with device policies, but that would check for enforcement rather than detect an actual installation.
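As an added example (not Vanta's code, and not an API the page documents), the Python below applies the caveats from the two lists above to a constructed device inventory shaped like the Microsoft Graph objects the connection's permissions expose: it drops non-Windows/macOS devices, skips software checks for devices that are not corporate-owned or report no UDID, flags app inventories older than Intune's 7-day cadence, and runs the loose name-based password-manager/antivirus match alongside the compliance-policy fallback. The property names are real Graph properties; the devices, apps, policy, name-hint lists and reference time are assumptions made up for the example.

```python
"""Added illustrative example, not Vanta's code: triage an Intune device
inventory against the limitations listed on this page. The input is a
constructed sample shaped like Microsoft Graph's managedDevice, detectedApp
and deviceCompliancePolicy resources; property names are real Graph
properties, all values are made up."""
from datetime import datetime, timedelta, timezone

# Constructed sample: GET /deviceManagement/managedDevices, with each device's
# GET /deviceManagement/managedDevices/{id}/detectedApps folded in under
# "detectedApps" (a convenience key for this example, not a managedDevice property).
DEVICES = [
    {"id": "d1", "deviceName": "WIN-ALICE", "operatingSystem": "Windows",
     "managedDeviceOwnerType": "company", "udid": "UDID-0001",
     "lastSyncDateTime": "2024-05-01T09:00:00Z",
     "detectedApps": [{"displayName": "Microsoft Defender Antivirus", "version": "4.18.24030"},
                      {"displayName": "1Password", "version": "8.10.28"}]},
    {"id": "d2", "deviceName": "MAC-BOB", "operatingSystem": "macOS",
     "managedDeviceOwnerType": "personal", "udid": "",
     "lastSyncDateTime": "2024-05-01T09:00:00Z", "detectedApps": []},
    {"id": "d3", "deviceName": "MAC-CAROL", "operatingSystem": "macOS",
     "managedDeviceOwnerType": "company", "udid": "UDID-0003",
     "lastSyncDateTime": "2024-04-10T09:00:00Z",
     "detectedApps": [{"displayName": "CrowdStrike Falcon", "version": "7.11"},
                      {"displayName": "Bitwarden", "version": "2024.4.1"}]},
    {"id": "d4", "deviceName": "IPHONE-DAVE", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "company", "udid": "UDID-0004",
     "lastSyncDateTime": "2024-05-01T09:00:00Z", "detectedApps": []},
]

# Constructed sample: GET /deviceManagement/deviceCompliancePolicies?$expand=assignments
POLICIES = [
    {"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "displayName": "Windows baseline", "antivirusRequired": True,
     "assignments": [{"target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}}]},
]

# Name fragments used as the fallback when no bundle identifier is available.
# Substring matching on display names is deliberately loose and can misfire;
# that is the imprecision the page warns about. The lists are assumptions.
AV_NAME_HINTS = ("defender", "crowdstrike", "sentinelone", "sophos", "malwarebytes", "eset", "bitdefender")
PM_NAME_HINTS = ("1password", "bitwarden", "lastpass", "keeper", "dashlane")
INVENTORY_MAX_AGE = timedelta(days=7)  # Intune's hardware/software inventory cadence
REFERENCE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # "now" for the constructed sample


def _os(device):
    return device.get("operatingSystem", "").lower()


def _graph_time(value):
    # Graph emits ISO 8601 with a trailing Z; spell out the offset for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def apps_matching(apps, hints):
    """Display names containing any hint (case-insensitive substring match)."""
    return [a["displayName"] for a in apps if any(h in a["displayName"].lower() for h in hints)]


def policy_requires_av(device, policies):
    """True if a windows10CompliancePolicy with antivirusRequired is assigned to all devices.
    Group-targeted assignments would need group membership resolved; this example
    only handles allDevicesAssignmentTarget (a simplification for the example)."""
    if _os(device) != "windows":
        return False
    for p in policies:
        if not p.get("@odata.type", "").endswith("windows10CompliancePolicy"):
            continue
        if not p.get("antivirusRequired"):
            continue
        if any(a["target"]["@odata.type"].endswith("allDevicesAssignmentTarget")
               for a in p.get("assignments", [])):
            return True
    return False


def triage(device, policies, now):
    """Apply the page's caveats to one device and return what can be asserted."""
    row = {"device": device["deviceName"], "inScope": False, "softwareChecks": False,
           "inventoryStale": None, "antivirus": {"byName": [], "byPolicy": False},
           "passwordManager": []}
    if _os(device) not in ("windows", "macos"):
        return row  # iOS/Android are not pulled in
    row["inScope"] = True
    row["inventoryStale"] = now - _graph_time(device["lastSyncDateTime"]) > INVENTORY_MAX_AGE
    # Policy-based AV evidence does not depend on the app inventory.
    row["antivirus"]["byPolicy"] = policy_requires_av(device, policies)
    # Without corporate ownership and a UDID there is no stable identity and no app list.
    if device.get("managedDeviceOwnerType") != "company" or not device.get("udid"):
        return row
    row["softwareChecks"] = True
    row["antivirus"]["byName"] = apps_matching(device["detectedApps"], AV_NAME_HINTS)
    row["passwordManager"] = apps_matching(device["detectedApps"], PM_NAME_HINTS)
    return row


def triage_all(devices, policies, now):
    return [triage(d, policies, now) for d in devices]


def triage_sample():
    """Run the constructed sample; keyed by device name for easy inspection."""
    return {r["device"]: r for r in triage_all(DEVICES, POLICIES, REFERENCE_NOW)}


if __name__ == "__main__":
    for name, row in triage_sample().items():
        print(name, row)
```

Treat the two antivirus signals differently when reading the output: a name-hint hit is only evidence that something with "defender" or "crowdstrike" in its display name is in a week-old inventory, while an assigned compliance policy with antivirusRequired is an enforcement statement from Intune itself. A personal device like MAC-BOB stays in scope but gets no software checks, and MAC-CAROL's inventory is flagged stale because her last sync is more than 7 days before the reference time.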