Merge pull request #6269 from Brenduns/blackberry-early-work

2112 - 7822722 - Blackberry MTD partner

Author: v-shils

memdocs/intune/protect/blackberry-mobile-threat-defense-connector.md

@@ -0,0 +1,129 @@
+---
+# required metadata
+
+title: Blackberry Protect Mobile connector for Intune
+titleSuffix: Intune on Azure
+description: Learn about integrating Intune with Blackberry Protect Mobile (powered by Cylance AI) to control mobile device access to your corporate resources.
+keywords:
+author: brenduns
+ms.author: brenduns
+manager: dougeby
+ms.date: 12/16/2021
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: protect
+ms.localizationpriority: high
+ms.technology:
+ms.assetid:  
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+#ms.devlang:
+ms.reviewer: aanavath
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt-pltfrm:
+ms.custom: intune-azure
+ms.collection: M365-identity-device-management
+---
+
+# Use Blackberry Protect Mobile with Intune
+
+Control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by BlackBerry Protect Mobile (powered by Cylance AI), a mobile threat defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices running the Blackberry Protect Mobile app.
+
+You can configure Conditional Access policies based on a BlackBerry Protect risk assessment, enabled through Intune device compliance policies for enrolled devices. You can set up your policies to allow or block noncompliant devices from accessing corporate resources based on detected threats. For unenrolled devices, you can use app protection policies to enforce a block or selective wipe based on detected threats.  
+
+For more information about BlackBerry UES, BlackBerry Protect, and Cylance AI, see [BlackBerry UES documentation](https://docs.blackberry.com/unified-endpoint-security/blackberry-ues).  
+
+## Supported platforms
+
+- **Android 9.0 and later**
+
+- **iOS 13.0 and later**
+
+## Prerequisites
+
+- Azure Active Directory Premium
+
+- Microsoft Intune subscription
+
+- BlackBerry UES account with access to UES management console 
+
+## How do Intune and the BlackBerry MTD connector help protect your company resources?
+
+The BlackBerry Protect Mobile app for Android and iOS/iPadOS captures file system, network stack, device, and application telemetry where available, then sends the telemetry data to the Cylance AI Protection cloud service to assess the device's risk for mobile threats.
+
+- **Support for enrolled devices** - Intune device compliance policy includes a rule for MTD, which can use risk assessment information from BlackBerry Protect. When the MTD rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources, such as Exchange Online and SharePoint Online. Users also receive guidance from the BlackBerry Protect app installed on their devices to resolve the issue and regain access to corporate resources. To support using BlackBerry Protect with enrolled devices:
+  - [Add MTD apps to devices](../protect/mtd-apps-ios-app-configuration-policy-add-assign.md)
+  - [Create a device compliance policy that supports MTD](../protect/mtd-device-compliance-policy-create.md)
+  - [Enable the MTD connector in Intune](../protect/mtd-connector-enable.md)
+
+- **Support for unenrolled devices** - Intune can use the risk assessment data from the BlackBerry Protect app on unenrolled devices when you use Intune app protection policies. Admins can use this combination to help protect corporate data within a Microsoft Intune protected app, Admins can also issue a block or selective wipe for corporate data on those unenrolled devices. To support using BlackBerry Protect with unenrolled devices:
+
+  - [Add the MTD app to unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md)
+  - [Create a Mobile Threat Defense app protection policy](../protect/mtd-app-protection-policy.md)
+  - [Enable the MTD connector in Intune for unenrolled devices](../protect/mtd-enable-unenrolled-devices.md)
+  
+## Sample scenarios
+
+The following scenarios demonstrate the use of Blackberry UES when integrated with Intune:
+
+### Control access based on threats from malicious apps
+
+When malicious apps such as malware are detected on devices, you can block devices until the threat is resolved:
+
+- Connecting to corporate e-mail
+
+- Syncing corporate files with the OneDrive for Work app
+
+- Accessing company apps
+
+*Block when malicious apps are detected:*
+
+> [!div class="mx-imgBorder"]
+> ![Conceptual image of Malicious apps detected](./media/blackberry-mobile-threat-defense-connector/blackberry-malicious-apps-blocked.png)
+
+*Access granted on remediation:*
+
+> [!div class="mx-imgBorder"]
+> ![Conceptual image of access granted after remediation](./media/blackberry-mobile-threat-defense-connector/blackberry-malicious-apps-unblocked.png)
+
+### Control access based on threat to network
+
+Detect threats like **Man-in-the-middle** in network, and protect access to Wi-Fi networks based on the device risk.
+
+*Block network access through Wi-Fi:*
+
+> [!div class="mx-imgBorder"]
+> ![Block network access through Wi-Fi](./media/blackberry-mobile-threat-defense-connector/blackberry-network-wifi-blocked.png)
+
+*Access granted on remediation:*
+
+> [!div class="mx-imgBorder"]
+> ![Access granted on remediation](./media/blackberry-mobile-threat-defense-connector/blackberry-network-wifi-unblocked.png)
+
+### Control access to SharePoint Online based on threat to network
+
+Detect threats like **Man-in-the-middle** in network, and prevent synchronization of corporate files based on the device risk.
+
+*Block SharePoint Online when network threats are detected:*
+
+> [!div class="mx-imgBorder"]
+> ![Block SharePoint Online when network threats are detected](./media/blackberry-mobile-threat-defense-connector/blackberry-network-spo-blocked.png)
+
+*Access granted on remediation:*
+
+> [!div class="mx-imgBorder"]
+> ![Access granted on remediation for SharePoint example](./media/blackberry-mobile-threat-defense-connector/blackberry-network-spo-unblocked.png)  
+
+## Next steps
+
+- [Integrate BlackBerry Protect Mobile with Intune](blackberry-mtd-connector-integration.md)
+
+- [Set up BlackBerry Protect Mobile app](mtd-apps-ios-app-configuration-policy-add-assign.md)
+
+- [Create BlackBerry Protect Mobile device compliance policy](mtd-device-compliance-policy-create.md)
+
+- [Enable BlackBerry Protect Mobile MTD connector](mtd-connector-enable.md)  

memdocs/intune/protect/blackberry-mtd-connector-integration.md

@@ -0,0 +1,91 @@
+---
+# required metadata
+
+title: Connect BlackBerry Protect Mobile MTD connector to Microsoft Intune
+titleSuffix: Microsoft Intune
+description: How to set up the BlackBerry Protect Mobile MTD connector in Microsoft Intune to control mobile device access to your corporate resources.
+keywords:
+author: brenduns
+ms.author: brenduns
+manager: dougeby
+ms.date: 12/16/2021
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: protect
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 363fd280-1865-4a61-855b-eb75c3c62753
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: aanavath
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection: M365-identity-device-management
+---
+
+# Connect BlackBerry Protect Mobile MTD connector in Microsoft Intune
+
+Connect the BlackBerry Protect Mobile MTD connector to mitigate device risk levels on Intune-managed devices. When connected, BlackBerry Protect Mobile (powered by Cylance AI) reports device risk levels to Intune, and Intune uses that information to enforce app configuration and risk assessment policies configured for each risk level. This article describes the requirements and steps to connect the MTD connector in your tenant.  
+
+For more information about BlackBerry Protect Mobile, the MTD connector supported by Microsoft Intune, see [Key features of BlackBerry Protect Mobile](https://docs.blackberry.com/unified-endpoint-security/blackberry-ues/overview/What-is-BlackBerry-Protect-Mobile/Key-features-of-BlackBerry-Protect-Mobile)(opens BlackBerry UES docs).  
+
+## Before you begin    
+
+The following subscriptions and accounts are required to integrate UES with Microsoft Intune. 
+
+- Microsoft Intune subscription 
+
+- Azure Active Directory (Azure AD) account with Global Administrator rights to grant the following permissions:
+
+  - Sign in and read user profile
+
+  - Access the directory as the signed-in user
+
+  - Read directory data
+
+  - Send device information to Intune
+
+- Admin sign-in credentials to access the UES management console 
+
+### BlackBerry UES app authorization
+
+By integrating BlackBerry UES with Intune, you authorize the following actions in your tenant:   
+
+- Allow BlackBerry UES to communicate information related to device health state back to Intune. To grant these permissions, you must use Global Administrator credentials. Granting permissions is a one-time operation. After the permissions are granted, the Global Administrator credentials aren't needed for day-to-day operation.
+
+- Allow BlackBerry UES to sync Azure AD enrollment group membership to populate its device's database.
+
+- Allow BlackBerry UES management console to use Azure AD Single Sign On (SSO).
+
+- Allow BlackBerry Protect app to sign in using Azure AD SSO.
+
+For more information about consent and Azure AD applications, see [Request the permissions from a directory admin](/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-from-a-directory-admin).  
+
+
+## Set up BlackBerry Protect Mobile MTD connector 
+
+1. Sign in to the [Microsoft Endpoint Management admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an Intune administrator account.  
+2. Go to **All services** > **Tenant administration**.
+3. Select **Connectors and tokens**.  
+4. Under **Cross platform**, select **Mobile Threat Defense**.
+5. Select **Add**.
+6. For **Select the Mobile Threat Defense connector to setup,** choose **BlackBerry Protect Mobile**. 
+7. Select **Open the BlackBerry Protect Mobile admin console**. Keep the Microsoft Endpoint Manager tab open for later.
+8. Sign in with your Azure AD account, and then follow the instructions in [Integrating UES with Intune to respond to mobile threats](https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues) (opens BlackBerry UES docs) to complete setup.  
+9. After you finish setup in the UES management console, return to your tab in the Microsoft Endpoint Manager admin center. 
+10. Under **MDM Compliance Policy Settings**, turn on the following settings:  
+    * **Connect Android devices to BlackBerry Protect Mobile**
+    * **Connect iOS devices to BlackBerry Protect Mobile**  
+    These settings allow BlackBerry Protect Mobile to evaluate the devices in your organization.  
+ 11. Select **Create** to save your connector configurations.    
+
+## Next steps
+
+- [Set up BlackBerry Protect app for enrolled devices](mtd-apps-ios-app-configuration-policy-add-assign.md)
+- [Set up BlackBerry Protect app for unenrolled devices](mtd-add-apps-unenrolled-devices.md)