Conditional Access policies can be used to control users' access to your organization's resources using iManage Work Mobility for Intune. iManage Work Mobility for Intune supports the following Conditional Access policy: Require device to be marked as compliant.

If the device is out of compliance, that is, Intune is not managing the device, users cannot sign in to iManage Work using the iManage Work Mobility for Intune app.

For more information, refer to the Microsoft documentation: Azure AD Conditional Access documentation.

TIP:

While Microsoft Intune does support policy app exemptions (as described in How to create exceptions to the Intune App Protection Policy (APP) data transfer policy), these exemptions cannot be applied to Work 10: iManage Work Mobility for Intune does not use custom URLs for data transfer, and custom URLs cannot be used to transfer files between apps.

Configuring Mobility for Intune for Conditional Access

To ensure iManage Work Mobility for Intune supports the Conditional Access policies enabled by the organization, the web_authentication_mode policy setting introduced in version 10.20.2 must be set to ASWebAuthenticationSession (web_authentication_mode = 2).

IMPORTANT:

Microsoft Azure Conditional Access will not function properly without this setting.

Configuring Conditional Access in Microsoft Endpoint Manager

Before completing these steps, iManage Work must be configured to use SAML single sign-on with Microsoft Azure. For more information, see the following article on iManage Help Center:

Configure SAML-based SSO with Microsoft Azure for iManage Cloud

Perform the following steps to configure a Conditional Access policy in Microsoft Endpoint Manager:

  1. In Microsoft Endpoint Manager, select Devices.
  2. In the Policy section, select Conditional Access.
  3. Select +New Policy.
  4. In the Name field, enter a descriptive name for this policy.
  5. In the Assignments section, assign the users and groups this policy applies to.
  6. In the Cloud apps or actions section, select the SAML SSO app that you previously configured in Azure as described in the articles at the beginning of this section.
  7. (Optional) In the Conditions section, apply any conditions for this Conditional Access policy. For example, to apply this policy only to iOS and iPadOS devices, select iOS.
  8. In the Grant section, select the Grant access option, and then select Require device to be marked as compliant.
  9. (Optional) In the Session section, apply any session controls to this Conditional Access policy.
  10. At the bottom of the screen, set Enable policy to On. By default this is set to Report-only, which does not restrict access and only reports when a user's device is not compliant.
  11. Select Create to complete the Conditional Access policy setup. 
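
The following added example (not from iManage or Microsoft documentation) audits a policy created with the steps above, checking that it is enforced rather than Report-only, targets the SAML SSO app, and actually requires compliance. It assumes the policy has been exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource; the function name, sample policy, and application ID are constructed placeholders.

```python
import json

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy.
# All IDs are placeholders, not real tenant values.
SAML_APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_POLICY = json.loads("""
{
  "displayName": "iManage Work - require compliant device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeGroups": ["11111111-1111-1111-1111-111111111111"]},
    "applications": {"includeApplications": ["00000000-0000-0000-0000-000000000001"]},
    "platforms": {"includePlatforms": ["iOS"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}
}
""")


def audit_policy(policy, app_id):
    """Return findings; an empty list means the policy enforces device
    compliance for app_id as configured in steps 6, 8 and 10."""
    findings = []
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("report-only: non-compliant devices are logged, not blocked")
    elif state != "enabled":
        findings.append(f"policy state is {state!r}, not 'enabled'")

    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    if app_id not in included and "All" not in included:
        findings.append("SAML SSO app is not in includeApplications")
    if app_id in (apps.get("excludeApplications") or []):
        findings.append("SAML SSO app is explicitly excluded")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        findings.append("grant controls do not include compliantDevice")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any one listed control is enough to be granted access.
        others = sorted(set(controls) - {"compliantDevice"})
        findings.append(f"operator OR lets {others} satisfy the policy instead of compliance")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, SAML_APP_ID):
        print("FINDING:", finding)
```
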

Connecting to iManage Work with Conditional Access policy in effect

Each device must be enrolled in and managed by Intune. Until the user completes the enrollment process on their device, they cannot sign in to iManage Work.

The first time a user attempts to access iManage Work on an unmanaged device, they will be prompted to enroll their device.

  1. When prompted, tap Continue to use the client certificate provided.
  2. When prompted with the Set up your device to get access screen, tap Continue.
  3. Proceed through the steps to install the Microsoft Intune Company Portal app and complete the enrollment process.
  4. Open the iManage Work Mobility app again to sign in to iManage Work.