Configure MDM Posture Checks for Prisma Access Agent

Connect your MDM tenant to Prisma Access and enable compliance enforcement to control which devices can establish a tunnel to Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access license with the Mobile User subscription
  • Minimum Prisma Access Agent version: 26.2
  • Windows 10 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate this feature
Mobile device management (MDM) posture checks require two configuration components in Strata Cloud Manager: an MDM integration that defines how Prisma® Access authenticates to your MDM tenant, and a compliance enforcement setting in your agent configuration that activates the compliance check for connecting devices. You must complete both before Prisma Access enforces MDM compliance at tunnel establishment. Devices that are not enrolled in your MDM tenant are treated as non-compliant and are blocked from establishing a tunnel.
  1. In Strata Cloud Manager, go to Access Agent Setup by selecting Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Setup.
  2. Set up an MDM integration.
    1. Edit the Global Agent Settings by selecting the gear icon.
    2. Select MDM Integration.
    3. Add an MDM integration or select an existing integration to edit.
      The Add MDM Integration panel opens.
    4. Enter a descriptive Name for the MDM integration profile.
    5. For Mobile Device Management (MDM), choose your MDM vendor, such as Microsoft Intune.
      MDM integration supports only Microsoft Intune with Windows devices at this time.
    6. Enter the Tenant DeviceID from your MDM vendor.
    7. Enter the Client DeviceID from your MDM vendor.
      For Microsoft Intune, the Client DeviceID is the application (client) ID of the Azure AD app registration that the Endpoint Manager uses to authenticate to the Microsoft Graph API. The Endpoint Manager queries the following endpoint: https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
    8. Enter the Client Secret.
    9. For Confirm Client Secret, re-enter the client secret.
    10. Enter the Polling Frequency to set how often the Endpoint Manager performs bulk device queries against your MDM tenant.
      The default polling interval is 8 hours. You can set a value between 1 and 24 hours.
      For Microsoft Intune, the Endpoint Manager performs bulk queries at each polling interval by calling the Microsoft Graph API (https://graph.microsoft.com/v1.0/deviceManagement/managedDevices), filtering by the lastSyncDateTime field and paginating through results in batches of 100 devices to sync the full managed device inventory into the Endpoint Manager cache.
      In addition to these scheduled bulk queries, the Endpoint Manager performs real-time queries when a device is not found in the cache or when its cached status is non-compliant. For Microsoft Intune, real-time queries are filtered by device serial number. Real-time queries allow the system to verify current device state immediately at tunnel establishment without waiting for the next polling cycle.
    11. Click Add.
    12. Click Save.
  3. Enable the compliance enforcement setting in your agent configuration.
    1. In Access Agent Setup, click Add Agent Settings or select an existing agent setting to edit.
    2. Scroll to the Authorization section and enable MDM Compliance Check. (Default: Disabled)
    3. Click Save and push the configuration to Prisma Access.
  4. (Optional) To verify MDM compliance enforcement is active, run the pacli mdm command on an endpoint and check the Device MDM Compliant field.
    For example, on a device that fails the MDM compliance check, the Device MDM Compliant field returns Not Compliant, and the Prisma Access Agent displays a banner stating that the connection could not be established because the device is not compliant.
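As an added illustration (not Palo Alto Networks' code), the following Python models the cache-plus-real-time lookup described under Polling Frequency in step 2 and the rule that unenrolled devices are treated as non-compliant. The tenant, device records, compliance values and page size are constructed stand-ins, and the decision flow is inferred from the description above rather than taken from the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_SIZE = 100  # bulk queries page through results in batches of 100 devices

@dataclass
class ManagedDevice:
    serial: str
    compliance_state: str  # modelled on Intune values such as "compliant" / "noncompliant"
    last_sync: int         # stands in for lastSyncDateTime (epoch seconds)

class MdmTenant:
    """Constructed stand-in for the tenant's managedDevices endpoint."""
    def __init__(self, devices: List[ManagedDevice]):
        self.devices = devices

    def bulk_query(self, since: int) -> List[List[ManagedDevice]]:
        # Filter on last sync time, then paginate in PAGE_SIZE batches.
        changed = [d for d in self.devices if d.last_sync > since]
        return [changed[i:i + PAGE_SIZE] for i in range(0, len(changed), PAGE_SIZE)]

    def query_by_serial(self, serial: str) -> Optional[ManagedDevice]:
        return next((d for d in self.devices if d.serial == serial), None)

class EndpointManagerCache:
    def __init__(self, tenant: MdmTenant):
        self.tenant = tenant
        self.state: Dict[str, str] = {}
        self.last_poll = 0
        self.realtime_queries = 0  # counter so the fallback path is observable

    def poll(self, now: int) -> None:
        # Scheduled bulk refresh: only devices synced since the last poll are fetched.
        for page in self.tenant.bulk_query(since=self.last_poll):
            for d in page:
                self.state[d.serial] = d.compliance_state
        self.last_poll = now

    def is_compliant(self, serial: str) -> bool:
        """Decision at tunnel establishment: True lets the tunnel come up."""
        cached = self.state.get(serial)
        if cached == "compliant":
            return True  # no real-time check: a later change waits for the next poll
        # Unknown to the cache, or cached non-compliant: query the tenant now.
        self.realtime_queries += 1
        live = self.tenant.query_by_serial(serial)
        if live is None:
            return False  # not enrolled in the MDM tenant => treated as non-compliant
        self.state[serial] = live.compliance_state
        return live.compliance_state == "compliant"
```

Under this model a device cached as compliant is admitted without a real-time query, so a compliance change between polls is only seen when the next bulk query runs; the Polling Frequency you set bounds that window.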