This conditional access policy requires that devices used to access Microsoft 365 resources (Outlook, Teams, SharePoint, etc.) be domain joined. In practice, this means your organization’s Atomus Aegis users will be unable to sign in to Microsoft 365 through desktop apps or browsers on any personal or otherwise unmanaged computer. The policy strengthens security posture because it blocks access to organizational resources from unknown and unmanaged devices: credentials captured by a phishing page cannot be replayed from the attacker’s own machine, since that machine is not joined to your domain.
Because this policy directly affects end users and their workflows, organizations should prepare carefully for its rollout to minimize disruption. This article describes what the policy checks on Windows and macOS devices to determine whether a device is joined correctly, and provides a checklist to ensure devices are ready before the policy is enforced.
Note: This policy does not apply to mobile devices.
Windows
Windows devices must be joined to the domain via a Work or School account in Settings. To verify this, navigate to Settings → Accounts → Access work or school. You should see Connected by [your work email], and when you select the dropdown arrow, it should show Managed by [your organization].

To further check the device’s joined status, launch the Aegis application and verify that the Organizational Connection shows a green checkmark.
Please note: Windows users who use Chrome or Firefox to access M365 resources need an extra step before the browser can pass the device’s joined status to Microsoft. Until the following steps are completed and the browser is relaunched, these users will be blocked from signing in. Microsoft Edge works with no additional steps and can be used to test whether a sign-in issue is browser specific.
- Chrome: Download this Chrome extension, and relaunch the browser to enable Microsoft SSO.
- Firefox: Follow this guide to enable Microsoft SSO.
Windows Prep Checklist
- Device is connected and managed by your organization in Settings → Accounts → Access work or school
- Organization connection in Aegis app shows a green check mark
- Using Edge (or Chrome or Firefox with Microsoft SSO) for online M365 access
macOS
macOS devices are joined to the domain by signing into the Microsoft Company Portal app. This app is downloaded automatically during Atomus Aegis app setup. If the user is not signed into Company Portal with their organization’s Microsoft account, the device is unmanaged and attempts to access M365 resources will be blocked.
Please note: If you use Chrome, Firefox, or Safari to access online M365 resources, you may see a macOS keychain prompt when signing in to Microsoft resources. The prompt asks for permission to use your device’s Microsoft Workplace Join Key, the private key Company Portal created when it registered the Mac; the browser needs it to prove to Microsoft that the device is joined.

After clicking OK, enter the password you use to unlock your computer, then click Always Allow. Always Allow adds the browser to that key’s keychain access list, so it is not asked again for the same key. The prompt may still reappear and you may have to click Always Allow several times; this is expected behavior.

The Edge browser should work with no additional steps; if preferred, you can also use Edge to test whether your Microsoft sign-in issue is browser specific.
macOS Prep Checklist
- User is signed into Company Portal app with their Microsoft account
- Aegis app Organization connection shows a green check mark
- Using Edge (or Chrome/Firefox/Safari with Microsoft Workplace Join Key) for online M365 access
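For administrators who want a scriptable version of the Windows and macOS checklists above, the following PowerShell script reports the join state the policy depends on. It is an added example, not part of the Atomus Aegis article or product, and the Aegis app’s green checkmark remains the authoritative indicator. It runs on Windows (PowerShell 5.1 or later) and, under PowerShell 7 (pwsh), on macOS. Its readiness rules are assumptions about what the policy checks rather than anything the page states: on Windows it treats a device as ready when dsregcmd /status reports AzureAdJoined : YES and flags the common pitfall of a device that is only registered (WorkplaceJoined : YES with AzureAdJoined : NO, the result of adding a work account rather than joining); on macOS it treats a device as ready when profiles status -type enrollment reports MDM enrollment and the keychain holds the workplace-join device certificate, which is issued by MS-ORGANIZATION-ACCESS. The function names are this example’s own.

```powershell
# Added example (not from the Atomus Aegis article or product): scriptable
# readiness check for the device-join Conditional Access policy.
# Runs on Windows PowerShell 5.1+ or PowerShell 7 (pwsh) on macOS.
#
# Assumptions (not stated on the page):
#   Windows: ready when dsregcmd /status reports AzureAdJoined : YES.
#            WorkplaceJoined : YES with AzureAdJoined : NO means the account
#            was only *registered* ("Add work account"), not joined.
#   macOS:   ready when `profiles` reports MDM enrollment and the keychain
#            holds the workplace-join certificate issued by MS-ORGANIZATION-ACCESS.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-WindowsReadiness {
    $s = Get-DsregStatus
    $result = [ordered]@{
        AzureAdJoined   = ($s['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($s['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($s['WorkplaceJoined'] -eq 'YES')
        # MdmUrl is populated once the device is MDM enrolled ("Managed by ...").
        MdmEnrolled     = -not [string]::IsNullOrEmpty($s['MdmUrl'])
        # The Primary Refresh Token is what Edge, and Chrome/Firefox with the
        # SSO step done, present to Microsoft as proof of the joined device.
        PrtPresent      = ($s['AzureAdPrt'] -eq 'YES')
        TenantName      = $s['TenantName']
    }
    $result['Ready'] = $result['AzureAdJoined']
    if (-not $result['Ready'] -and $result['WorkplaceJoined']) {
        Write-Warning 'Device is only registered (work account added), not joined; join it via Settings > Accounts > Access work or school.'
    }
    if ($result['Ready'] -and -not $result['PrtPresent']) {
        Write-Warning 'No Primary Refresh Token; browser SSO will fail until the user signs out and back in.'
    }
    return [pscustomobject]$result
}

function Test-MacReadiness {
    $enroll = (& profiles status -type enrollment 2>&1) -join "`n"
    $mdmEnrolled = $enroll -match 'MDM enrollment:\s*Yes'

    # Dump every certificate in the keychain search list as PEM and look for
    # one issued by MS-ORGANIZATION-ACCESS (the workplace-join device cert).
    $pem = (& security find-certificate -a -p 2>$null) -join "`n"
    $joinCert = $false
    foreach ($block in ($pem -split '(?=-----BEGIN CERTIFICATE-----)')) {
        if ($block -notmatch 'BEGIN CERTIFICATE') { continue }
        $issuer = ($block | & openssl x509 -noout -issuer 2>$null) -join ''
        if ($issuer -match 'MS-ORGANIZATION-ACCESS') { $joinCert = $true; break }
    }

    $result = [ordered]@{
        CompanyPortalInstalled = Test-Path '/Applications/Company Portal.app'
        MdmEnrolled            = $mdmEnrolled
        WorkplaceJoinCert      = $joinCert
    }
    $result['Ready'] = $mdmEnrolled -and $joinCert
    if (-not $result['Ready']) {
        Write-Warning 'Sign in to Company Portal with the work account; the Aegis setup installs it.'
    }
    return [pscustomobject]$result
}

function Test-DeviceReadiness {
    if ($IsMacOS) { return Test-MacReadiness }
    # $IsWindows does not exist in Windows PowerShell 5.1, which only runs on Windows.
    if ($PSVersionTable.PSVersion.Major -lt 6 -or $IsWindows) { return Test-WindowsReadiness }
    throw 'Unsupported platform: this policy covers Windows and macOS only.'
}

Test-DeviceReadiness | Format-List
```

Run it in the signed-in user’s session (not as an elevated or different account) because dsregcmd reports the user state of the calling account and the workplace-join certificate lives in that user’s login keychain. A Ready value of False together with the warnings above tells you which checklist item to fix before the policy is enforced.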
