You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: Use Microsoft Intune MAM on devices that run the Azure mobile app
3
+
description: Learn about setting and enforcing app protection policies on devices that run the Azure mobile app.
4
+
ms.date: 06/17/2024
5
+
ms.topic: conceptual
6
+
ms.custom:
7
+
- build-2024
8
+
---
9
+
10
+
# Use Microsoft Intune mobile application management (MAM) on devices that run the Azure mobile app
11
+
12
+
[Microsoft Intune mobile application management (MAM)](/mem/intune/apps/app-management) is a cloud-based service that allows an organization to protect its data at the app level on both company devices and users' personal devices, such as smartphones, tablets, and laptops.
13
+
14
+
Since the Azure mobile app is an Intune-protected app, app protection policies (APP) can be applied and enforced on devices that run the Azure mobile app.
15
+
16
+
## App protection policies and settings
17
+
18
+
Intune [app protection policies (APP)](/mem/intune/apps/app-protection-policy) are rules or sets of action that ensure an organization's data remains safe. Administrators use these policies to control how data is accessed and shared. For an overview of how to create an app protection policy, see [How to create and assign app protection policies](/mem/intune/apps/app-protection-policies).
19
+
20
+
Available app protection settings are continuously being updated and may vary across platforms. For details about the currently available settings, see [Android app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-android) and [iOS app protection policy settings](/mem/intune/apps/app-protection-policy-settings-ios) devices.
21
+
22
+
## User management
23
+
24
+
With Intune MAM, you can select and assign groups of users to include and exclude in your policies, allowing you to control who has access to your data in Azure Mobile. For more information on user and group assignments, see [Include and exclude app assignments in Microsoft Intune](/mem/intune/apps/apps-inc-exl-assignments).
25
+
26
+
An Intune license is required in order for app protection policies to apply correctly to a user or group. If an unlicensed user is included in an app protection policy, the rules of that policy won't be applied to that user.
27
+
28
+
Only Intune-targeted users and groups will be subject to the rules of the app protection policy. To ensure data remains protected, verify that the necessary groups and users were included in your policy during creation.
29
+
30
+
Users that are out of compliance with their MAM policy or Conditional Access policy may lose access to data and resources, including full access to the Azure mobile app. When a user is marked as out of compliance, the Azure mobile app may initially try automated remediation to regain compliance. If automatic remediation is disabled or unsuccessful, the user is signed out of the app.
31
+
32
+
You can use [Microsoft Entra Conditional Access policies in combination with Intune compliance policies](/mem/intune/protect/app-based-conditional-access-intune) to ensure that only managed apps and policy-compliant users can access corporate data.
33
+
34
+
## User experience
35
+
36
+
When Intune-licensed Azure mobile app users are targeted with an Intune MAM policy, they are subject to all rules and actions dictated by their policy. When these users sign in to the Azure Mobile app, policy rules are retrieved and enacted immediately, before allowing access to any corporate data.
37
+
38
+
For example, a user's MAM policy may specify a 6-digit PIN requirement. When that user first signs into the Azure mobile app, they see a message from Intune MAM that describes their current device state and asks them to set an access PIN.
39
+
40
+
:::image type="content" source="media/intune-management/intune-intro-message.png" alt-text="Screenshot of an introductory message from Intune MAM in the Azure mobile app."::: :::image type="content" source="media/intune-management/intune-pin-prompt.png" alt-text="Screenshot of Intune MAM prompting the user to set up a PIN in the Azure mobile app.":::
41
+
42
+
After the user sets up their PIN, they'll be prompted to enter that PIN every time they sign in. The PIN must be entered in order to use the Azure mobile app.
43
+
44
+
:::image type="content" source="media/intune-management/intune-pin-enter.png" alt-text="Screenshot of Intune MAM prompting the user to enter their PIN in the Azure mobile app.":::
45
+
46
+
If a user is marked as out of compliance with their policy (following any remediation steps), they'll be signed out of the app. For example, a user might switch to a different policy-protected account that was marked as out of compliance. In this case, the app signs them out and displays a message notifying the user that they must sign back in.
47
+
48
+
:::image type="content" source="media/intune-management/intune-sign-in-required.png" alt-text="Screenshot of Intune MAM requiring a user to sign back in to the Azure mobile app.":::
49
+
50
+
## Next steps
51
+
52
+
- Learn more about the [Microsoft Intune](/mem/intune/fundamentals/what-is-intune).
53
+
- Download the Azure mobile app for free from the [Apple App Store](https://aka.ms/azureapp/ios/doc), [Google Play](https://aka.ms/azureapp/android/doc), or [Amazon App Store](https://aka.ms/azureapp/amazon/doc).
Copy file name to clipboardExpand all lines: articles/confidential-computing/confidential-containers-aks-security-policy.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,15 +11,15 @@ ms.date: 11/13/2023
11
11
12
12
# Security policy for Confidential Containers on Azure Kubernetes Service
13
13
14
-
As described by the Confidential Computing Consortium (CCC), *"Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment (TEE)."* AKS Confidential Containers are designed to protect Kubernetes pods data in use from unauthorized access from outside of these pods. Each pod is executed in a Confidential Virtual Machine (CVM) protected by the [AMD SEV-SNP TEE](https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf) by encrypting data in use and prevent access to the data by the Host Operating System (OS). Microsoft engineers collaborated with the [Confidential Containers](https://github.com/confidential-containers) (CoCo) and [Kata Containers](https://github.com/kata-containers/) open-source communities on the design and implementation of the Confidential Containers.
14
+
As described by the Confidential Computing Consortium (CCC), *"Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment (TEE)."* AKS Confidential Containers are designed to protect Kubernetes pods data in use from unauthorized access from outside of these pods. Each pod is executed in a Utility VM (UVM) protected by the [AMD SEV-SNP TEE](https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf) by encrypting data in use and prevent access to the data by the Host Operating System (OS). Microsoft engineers collaborated with the [Confidential Containers](https://github.com/confidential-containers) (CoCo) and [Kata Containers](https://github.com/kata-containers/) open-source communities on the design and implementation of the Confidential Containers.
15
15
16
16
## Security policy overview
17
17
18
-
One of the main components of the [Kata Containers system architecture](https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture/history.md#kata-2x-architecture) is the [Kata agent](https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture/README.md#agent). When using Kata Containers to implement Confidential Containers, the agent is executed inside the hardware-based TEE and therefore is part of the pod's Trusted Computing Base (TCB). As shown in the following diagram, the Kata agent provides a set of [ttrpc](https://github.com/containerd/ttrpc) APIs allowing the system components outside of the TEE to create and manage CVM-based Kubernetes pods. These other components (for example, the Kata Shim) aren't part of the pod's TCB. Therefore, the agent must protect itself from potentially buggy or malicious API calls.
18
+
One of the main components of the [Kata Containers system architecture](https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture/history.md#kata-2x-architecture) is the [Kata agent](https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture/README.md#agent). When using Kata Containers to implement Confidential Containers, the agent is executed inside the hardware-based TEE and therefore is part of the pod's Trusted Computing Base (TCB). As shown in the following diagram, the Kata agent provides a set of [ttrpc](https://github.com/containerd/ttrpc) APIs allowing the system components outside of the TEE to create and manage Confidential-based Kubernetes pods. These other components (for example, the Kata Shim) aren't part of the pod's TCB. Therefore, the agent must protect itself from potentially buggy or malicious API calls.
19
19
20
20
:::image type="content" source="media/confidential-containers-security-policy/security-policy-architecture-diagram.png" alt-text="Diagram of the AKS Confidential Containers security policy model.":::
21
21
22
-
In AKS Confidential Containers, the Kata agent API self-protection is implemented using a security policy (also known as the Kata *Agent Policy*), specified by the owners of the confidential pods. The policy document contains rules and data corresponding to each pod, using the industry standard [Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). The enforcement of the policy inside the CVM is implemented using the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) – a graduated project of the [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/).
22
+
In AKS Confidential Containers, the Kata agent API self-protection is implemented using a security policy (also known as the Kata *Agent Policy*), specified by the owners of the confidential pods. The policy document contains rules and data corresponding to each pod, using the industry standard [Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). The enforcement of the policy inside the Utility VM (UVM) is implemented using the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) – a graduated project of the [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/).
23
23
24
24
## Policy contents
25
25
@@ -44,9 +44,9 @@ Examples of data included in the policy document for each of the containers in a
44
44
45
45
### Rules
46
46
47
-
The policy rules, specified in Rego format, get executed by OPA for each Kata agent API call from outside of the CVM. The agent provides all API inputs to OPA, and OPA uses the rules to check if the inputs are consistent with policy data. If the policy rules and data doesn't allow API inputs, the agent rejects the API call by returning a "blocked by policy" error message. Here are some rule examples:
47
+
The policy rules, specified in Rego format, get executed by OPA for each Kata agent API call from outside of the Utility VM (UVM). The agent provides all API inputs to OPA, and OPA uses the rules to check if the inputs are consistent with policy data. If the policy rules and data doesn't allow API inputs, the agent rejects the API call by returning a "blocked by policy" error message. Here are some rule examples:
48
48
49
-
* Each container layer is exposed as a read-only [virtio block](https://docs.oasis-open.org/virtio/virtio/v1.1/cs01/virtio-v1.1-cs01.html#x1-2390002) device to the CVM. The integrity of those block devices is protected using the [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) technology of the Linux kernel. The expected root value of the dm-verity [hash tree](https://docs.kernel.org/admin-guide/device-mapper/verity.html#hash-tree) is included in the policy data, and verified at runtime by the policy rules.
49
+
* Each container layer is exposed as a read-only [virtio block](https://docs.oasis-open.org/virtio/virtio/v1.1/cs01/virtio-v1.1-cs01.html#x1-2390002) device to the Utility VM (UVM). The integrity of those block devices is protected using the [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) technology of the Linux kernel. The expected root value of the dm-verity [hash tree](https://docs.kernel.org/admin-guide/device-mapper/verity.html#hash-tree) is included in the policy data, and verified at runtime by the policy rules.
50
50
* Rules reject Container creation when an unexpected command line, storage mount, execution security context, or environment variable is detected.
51
51
52
52
By default, policy [rules](https://github.com/microsoft/kata-containers/blob/2795dae5e99bd918b7b8d0a9643e9a857e95813d/src/tools/genpolicy/rules.rego#L37) are common to all pods. The *genpolicy* tool generates the policy data and is specific to each pod.
@@ -61,17 +61,17 @@ When evaluating the Rego rules using the policy data and API inputs as parameter
61
61
62
62
## Sending the policy to Kata agent
63
63
64
-
All AKS Confidential Containers CVMs start up using a generic, default policy included in the CVMs root file system. Therefore, a Policy that matches the actual customer workload must be provided to the agent at run time. The policy text is embedded in your YAML manifest file as described earlier, and is provided this way to the agent early during CVM initialization. The policy annotation travels through the kubelet, containerd, and [Kata shim](https://github.com/kata-containers/kata-containers/blob/main/src/runtime/cmd/containerd-shim-kata-v2) components of the AKS Confidential Containers system. Then the agent working together with OPA enforces the policy for all the calls to its own APIs.
64
+
All AKS Confidential Container Utility VM (UVM) start up using a generic, default policy included in the Utility VM (UVM) root file system. Therefore, a Policy that matches the actual customer workload must be provided to the agent at run time. The policy text is embedded in your YAML manifest file as described earlier, and is provided this way to the agent early during Utility VM (UVM) initialization. The policy annotation travels through the kubelet, containerd, and [Kata shim](https://github.com/kata-containers/kata-containers/blob/main/src/runtime/cmd/containerd-shim-kata-v2) components of the AKS Confidential Containers system. Then the agent working together with OPA enforces the policy for all the calls to its own APIs.
65
65
66
66
The policy is provided using components that aren't part of your TCB, so initially this policy isn't trusted. The trustworthiness of the policy must be established through Remote Attestation, as described in the following section.
67
67
68
68
## Establish trust in the policy document
69
69
70
-
Before creating the Pod CVM, the Kata shim computes the SHA256 hash of the Policy document and attaches that hash value to the TEE. That action creates a strong binding between the contents of the Policy and the CVM. This TEE field isn't modifiable later by either the software executed inside the CVM, or outside of it.
70
+
Before creating the Utility VM (UVM), the Kata shim computes the SHA256 hash of the Policy document and attaches that hash value to the TEE. That action creates a strong binding between the contents of the Policy and the Utility VM (UVM). This TEE field isn't modifiable later by either the software executed inside the Utility VM (UVM), or outside of it.
71
71
72
72
Upon receiving the policy, the agent verifies the hash of the policy matches the immutable TEE field. The agent rejects the incoming Policy if it detects a hash mismatch.
73
73
74
-
Before handling sensitive information, your workloads must perform Remote Attestation steps to prove to any Relying Party that the workload is executed using the expected versions of the TEE, OS, agent, OPA, and root file system versions. Attestation is implemented in a Container running inside the CVM that obtains signed attestation evidence from the AMD SEV-SNP hardware. One of the fields from the attestation evidence is the policy hash TEE field described earlier. Therefore, the Attestation service can verify the integrity of the policy, by comparing the value of this field with the expected hash of the pod policy.
74
+
Before handling sensitive information, your workloads must perform Remote Attestation steps to prove to any Relying Party that the workload is executed using the expected versions of the TEE, OS, agent, OPA, and root file system versions. Attestation is implemented in a Container running inside the Utility VM (UVM) that obtains signed attestation evidence from the AMD SEV-SNP hardware. One of the fields from the attestation evidence is the policy hash TEE field described earlier. Therefore, the Attestation service can verify the integrity of the policy, by comparing the value of this field with the expected hash of the pod policy.
0 commit comments