Hi,
after going through https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx several times, I can't find a solution for my challenge:
- block access to O365 for all non-company-enrolled devices
- users use Windows Phones (enrolled with Intune/SCCM) and Surface Pro (domain joined); access for them should work while travelling
So limiting all access based on IP address will not work because:
- mobile phones cannot be enrolled to Intune (they use an IP from the mobile provider)
- Surface users use DirectAccess, but access to non-company domains (like microsoftonline.com) goes directly, so again different IPs will be used
When accessing ADFS from a client, this is what ADFS logs:
Following request context headers present:
X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: 00000000-0000-0000-de2f-008000000035
X-MS-Endpoint-Absolute-Path: /adfs/ls/
X-MS-Forwarded-Client-IP: 188.20.20.20
X-MS-Proxy: vmprpr1
So nothing except the IP, which is of no real use.
Any ideas on how to implement this?
I have already posted this question to the O365 forum, but they had no idea about ADFS configuration and suggested posting here.
Regards,
Manfred
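Added example (not from Manfred's post and not from the linked TechNet article): the request-context claims shown in the log above carry no device identity, so the only way for AD FS to tell a company device from any other device is a device claim that the device itself presents. This PowerShell replaces the default "permit everyone" issuance authorization rule on the Office 365 relying party with two rules: permit requests that did not arrive through the proxy (internal network), and permit workplace-joined devices from anywhere. It assumes AD FS on Windows Server 2012 R2 with the Device Registration Service enabled, and that the relying party still has the default display name created by the Office 365 federation setup; both are assumptions, adjust them to your environment.

```powershell
# Added example, not code from the original post. Assumes AD FS 2012 R2 with the Device
# Registration Service enabled, so workplace-joined devices present the devicecontext
# claims used below. The relying party name is the default one created by the Office 365
# federation setup (assumption; check Get-AdfsRelyingPartyTrust | Select Name).
$rpName = "Microsoft Office 365 Identity Platform"

# Issuance authorization rules are default-deny: if no rule issues a permit claim, AD FS
# refuses the request. Replacing the stock "=> issue(permit)" rule with these two rules
# therefore blocks every unregistered device, whether it is travelling or not.
$rules = @'
@RuleName = "Permit requests that did not come through the Web Application Proxy (internal)"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit registered (workplace-joined) devices from any network"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Keep a copy of the current rule set so the change can be reverted with one
# Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRules (Get-Content $backup -Raw).
$backup = Join-Path $env:TEMP "o365-issuance-authz-rules.txt"
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules | Set-Content -Path $backup

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in force.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two checks before rolling this out. First, AD FS evaluates its own device registration, not the Intune/SCCM enrolment state: the isregistereduser claim only appears for devices that have been workplace-joined against the Device Registration Service, so both the phones and the domain-joined Surfaces need to be registered there. Second, device authentication happens on the passive (browser, /adfs/ls/) endpoints; rich clients that authenticate through the active WS-Trust endpoints present no device claims, and once the default permit rule is gone they will be denied, so test every client type (browser, Outlook, the phone mail client) against a pilot relying party or during a maintenance window and restore from the backup file if anything unexpected is blocked.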