Deploying the Intune Managed Browser via ConfigMgr Hybrid

When using Microsoft Intune, we can utilize the Managed Browser Application, available both for iOS and Android, to restrict or allow access to certain websites on a managed mobile device.

In this blog post, we will use ConfigMgr in Hybrid Configuration with Microsoft Intune and deploy the Managed Browser App to an iOS Device. Additionally, we use Application Management Policies to configure the Managed Browser to block a certain URL.

Creating the Managed Browser Application

Open the Software Library Workspace, select Applications and click on Create Application.

Select App Package for iOS from App Store as Type and provide the following URL in the Location field:

http://itunes.apple.com/us/app/microsoft-intune-managed-browser/id943264951?mt=8

Click Next.

Confirm that the Application information has been successfully imported, as seen on the Screenshot above.

Click Next.

Optionally, you can change for example the Name and the Publisher to a Value that fits your needs. I used:

Name: Microsoft Intune Managed Browser
Publisher: Microsoft Corporation

Click Next.

Verify your settings and click Next.

Click Close.

You should now have the Managed Browser available as a ConfigMgr Application.

Creating the General Application Management Policy

In the Software Library Workspace, switch to the Application Management Policies Section and click on Create Application Management Policy.

Specify a Name for the General Application Management Policy. In this example, I used: Test Intune iOS General Policy

Click Next.

Select iOS as Platform and General as Policy Type. Click Next.

Configure the Policy Set as you like. In this example, I specified that the Managed Browser requires a PIN for access. We’ll see this in the Demonstration at the end of the post.

Click Next.

Verify your settings and click Next.

You should now have the first Application Management Policy.

Creating the Managed Browser Application Management Policy

NOTE: You need to have a General Application Policy in place. Deploying the Managed Browser only with a Managed Browser Application Management Policy won’t work!

Click on Create Application Management Policy.

Specify a Name for the Managed Browser Application Management Policy. In this example, I used: Test Intune iOS Managed Browser Policy

Select iOS as Platform and Managed Browser as Policy Type. Click Next.

You now have the choice to configure the Managed Browser in two ways:

Allow the Managed Browser to open only the URLs listed below
Meaning: Everything that you don’t specify will be blocked.

Keep in mind that this also affects embedded content in those Sites. For example, if you Whitelist a Website which includes a Facebook Image Gallery, all the Requests to Facebook will still be blocked!

Block the Managed Browser from opening the URLs listed below
Meaning: Everything that you specify will be blocked.

For this Demo, we will use the second option and block the access to my blog. (Please don’t block my blog in your Policies! 😉 )

Click Next.

Verify your settings and click Next.

Click Close.

You should now have two Application Management Policies.
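The two list modes described above can be checked against a page before the policy is rolled out. The following is an added example, not part of the original post or of Intune itself: it extracts the hosts a page loads embedded content from and reports which requests each mode would refuse. The sample URL, the sample HTML and the exact-host comparison are assumptions; the Managed Browser's own URL matching rules may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes that make a browser fetch another resource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class EmbeddedHosts(HTMLParser):
    """Collect the hosts a page pulls embedded content from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative references against the page URL.
            host = urlsplit(urljoin(self.page_url, value)).hostname
            if host:
                self.hosts.add(host.lower())

def is_blocked(host, mode, listed_hosts):
    """mode 'allow': only listed hosts open; mode 'block': listed hosts are refused.
    Assumption: exact host comparison, not the product's real matching rules."""
    listed = host.lower() in {h.lower() for h in listed_hosts}
    return not listed if mode == "allow" else listed

def blocked_requests(page_url, html, mode, listed_hosts):
    """Return the sorted hosts (page plus embedded content) that would be refused."""
    parser = EmbeddedHosts(page_url)
    parser.feed(html)
    hosts = parser.hosts | {urlsplit(page_url).hostname.lower()}
    return sorted(h for h in hosts if is_blocked(h, mode, listed_hosts))

# Constructed sample: an intranet page that embeds a Facebook gallery.
SAMPLE_URL = "https://intranet.example.com/news"
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<script src="https://cdn.example.net/app.js"></script>
<iframe src="https://www.facebook.com/plugins/gallery"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(blocked_requests(SAMPLE_URL, SAMPLE_HTML, "allow", ["intranet.example.com"]))
    print(blocked_requests(SAMPLE_URL, SAMPLE_HTML, "block", ["www.facebook.com"]))
```

In allow mode, every host this reports for a site you intend to permit has to be added to the list as well, otherwise parts of that site will not load.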

Deploying the Managed Browser Application

Switch back to the Application Section, select the created Managed Browser Application and click on Deploy.

Select a User Collection that contains User(s) who are enrolled in Intune. Click Next.

You can skip the content distribution page by clicking Next, as we don’t have any Content to distribute.

Select Install as Action and Required or Available as the Purpose of the Deployment.

If you go for an Available Purpose, the User needs to install the Application on demand via the Company Portal. When using Required, the Application will be installed automatically. For this Demo, I used Required.

Click Next.

Going through Scheduling / User Experience and Alerts, you should reach the Application Management page.

Select the created General Policy and Managed Browser Policy, as seen above.

Click Next.

Skipping App Configuration Policy, you should reach the Summary page.

Verify your settings and click Next.

Click Close.

Testing the Managed Browser

Head over to a Device, which is owned and enrolled by a User who was targeted with the Deployment. If you selected Required as Purpose on the Deployment, you should get a Notification after a while as seen above. If you selected Available, you need to trigger the Installation in the Company Portal App.

Tap on Install.

After a short while, the Managed Browser should be present on the Home Screen. Tap on it, to launch the Browser.

Because we chose to require a PIN in the General Application Management Policy, we are prompted for one.

Enter your PIN.

The Managed Browser should now launch and you should be able to browse to “www.microsoft.com”, for example. So far so good.

Let’s try to access my blog, which I blocked in the Managed Browser Application Management Policy.

As expected, the Website won’t open and the User receives a Notification.

To prevent the user from simply switching to the native Browser or downloading a 3rd party Browser from the AppStore to access a blocked Website, you can use Configuration Items to further lock down the device.
