intune edr integration

src/components/NavigationDocs.jsx

@@ -104,11 +104,12 @@ export const docsNavigation = [
                     ]
                 },
                  {
-                     title: 'Integrate EDR',
+                     title: 'Integrate MDM & EDR',
                      href: '/how-to/endpoint-detection-and-response',
                      isOpen: false, 
                      links: [
                          { title: 'CrowdStrike Falcon', href: '/how-to/crowdstrike-edr' },
+                         { title: 'Microsoft Intune', href: '/how-to/intune-mdm' },
                      ]
                  },
 

src/pages/how-to/endpoint-detection-and-response.mdx

@@ -1,20 +1,30 @@
-# Endpoint Detection and Response (EDR)
+# Integrate NetBird with MDM & EDR Platforms
 
 ![Endpoint Detection and Response](/docs-static/img/how-to-guides/endpoint-detection-and-response/edr-integrations.png)
 
+## What is EDR and MDM?
 Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate,
 and respond to threats on endpoint devices. An endpoint is any device that is connected to a network, such as laptops,
 desktops, smartphones, tablets, servers, and even some IoT (Internet of Things) devices.
 
+MDM stands for Mobile Device Management. It's a type of security software that
+enables organizations to monitor, manage, and secure their employees' mobile devices, including smartphones, tablets, and laptops,
+across various service providers and operating system.
+
+MDM focuses on managing and securing mobile devices, while EDR focuses on detecting and responding to threats on various
+endpoints, including desktops, laptops, and servers.
+
+## NetBird's EDR and MDM Integration
 With the rise of remote work, endpoints often operate outside the traditional corporate network perimeter,
 making them more vulnerable to attacks. EDR provides a layer of security that is not dependent on the physical location
 of the endpoint, thus extending protection to remote workers and their devices.
 
-NetBird integrates with major EDR platforms to restrict network access only to devices managed by the company's IT department.
-With the integration enabled, NetBird synchronizes the list of devices managed by the EDR platform via the API and
-checks the presence of the EDR agent on the device, blocking access to the network if the agent is not installed.
+NetBird integrates with major EDR and MDM platforms to restrict network access only to devices managed by the company's IT department.
+With the integration enabled, NetBird synchronizes the list of devices managed by the MDM or EDR platform via the API and
+checks the presence of the MDM or EDR agent on the device, blocking access to the network if the agent is not installed or
+not compliant with the organization's security policies.
 
-NetBird doesn't apply the EDR checks to all devices in the network. Instead, you can select specific groups of devices for
+NetBird doesn't apply the MDM and EDR checks to all devices in the network. Instead, you can select specific groups of devices for
 the checks to apply.
 
 <Note>
@@ -26,3 +36,4 @@ the checks to apply.
 NetBird integrates with the following EDR platforms:
 
 * [CrowdStrike Falcon](/how-to/crowdstrike-edr)
+* [Microsoft Intune](/how-to/intune-mdm)

src/pages/how-to/intune-mdm.mdx

@@ -0,0 +1,157 @@
+# Microsoft Intune® Compliant Devices Network Access Only
+
+[Microsoft Intune](https://www.microsoft.com/en-us/security/business/endpoint-management/microsoft-intune) is a cloud-based endpoint management platform that enables organizations to manage devices, enforce security policies, and protect their networks. Intune agent presence on endpoints allows continuous collection and evaluation of device posture, which can then be used to enforce network access controls based on device compliance, security configuration, and enrollment status.
+
+The integration of NetBird with Microsoft Intune provides network security by ensuring only devices registered and managed by Intune can access the protected network. This approach ensures only up-to-date and compliant Windows/macOS endpoints have access to critical network resources via NetBird and lets administrators enforce access restrictions based on compliance policies defined in Intune, such as device health, OS version, security baseline adherence, and more.
+
+In this guide, you'll learn how to integrate NetBird with Microsoft Intune and configure access controls to allow only Intune-managed/compliant devices onto your network.
+
+## Get Started with NetBird-Intune Integration
+
+- Navigate to the [Integrations » EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
+- Click `Connect Intune` to start the configuration wizard
+<p>
+    <img src="/docs-static/img/how-to-guides/intune-mdm/getting-started.png" alt="NetBird Get Started Intune EDR" className="imagewrapper-big"/>
+</p>
+
+## Prerequisites
+
+Before starting the integration process, verify that you have the required permissions in Microsoft Intune.
+Specifically, you will need an Azure user account with at least one of these roles:
+
+* Application Administrator
+* Cloud Application Administrator
+* Global Administrator
+
+To check your permissions:
+
+* Log in to the [Azure portal](portal.azure.com).
+* Navigate to Manage Microsoft Intune and click `View`.
+* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
+* Look for your username and verify if you're assigned any of the above roles.
+
+![Intune Roles](/docs-static/img/how-to-guides/microsoft-entra-id-sync/lDyaAeV.png)
+
+If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
+
+## Create and Configure a Microsoft Entra ID Application for NetBird Integration
+
+Now that you have the required permissions, return to the NetBird dashboard. Click on the `Get Started` button to initiate the integration process.
+
+A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
+
+* Name
+* Account Type
+
+![NetBird Create Application](/docs-static/img/how-to-guides/intune-mdm/create-app.png)
+
+For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
+
+![Intune App Registration](/docs-static/img/how-to-guides/microsoft-entra-id-sync/Yxxktk6.png)
+
+Fill in the required information:
+
+![Intune Register an App](/docs-static/img/how-to-guides/intune-mdm/register-app.png)
+
+After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
+
+Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
+
+![Intune App Registered](/docs-static/img/how-to-guides/microsoft-entra-id-sync/7WYZMW6.png)
+
+Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
+
+## Configure API Permissions for NetBird-Intune Integration
+
+On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
+
+![NetBird Add API Permissions](/docs-static/img/how-to-guides/intune-mdm/api-permissions.png)
+
+Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
+
+![Intune API Permissions](/docs-static/img/how-to-guides/microsoft-entra-id-sync/V0aRf7f.png)
+
+Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
+
+![Intune API Permissions Screen](/docs-static/img/how-to-guides/microsoft-entra-id-sync/Qy9lDMF.png)
+
+A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
+
+![Intune Microsoft Graph](/docs-static/img/how-to-guides/microsoft-entra-id-sync/tP7WqXO.png)
+
+On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Intune environment.
+
+![Intune Request API Permissions](/docs-static/img/how-to-guides/microsoft-entra-id-sync/zSkSGAm.png)
+
+To assign user permissions:
+
+* Locate the search bar at the top. Type `DeviceManagementManagedDevices.Read.All` into the search bar and press `Enter`.
+* In the search results, click on the `DeviceManagementManagedDevices` tab to expand it and view the available permissions.
+* Click on the checkbox to select and enable the `DeviceManagementManagedDevices.Read.All` permission.
+
+![Intune UserReadAll](/docs-static/img/how-to-guides/intune-mdm/device-permissions.png)
+
+The `DeviceManagementManagedDevices.Read.All` permission allows NetBird to read the properties of all devices managed by Microsoft Intune in your organization.
+
+Once done, click the `Add permissions` button. You will see a few warnings:
+
+![Intune API Permissions Warnings](/docs-static/img/how-to-guides/intune-mdm/grant-permissions.png)
+
+Locate the `Grant admin consent for [Your Organization Name]` button (you’ll find it next to `+Add a permission` button). Click on it to grant the required permissions.
+
+A confirmation dialog will appear, asking you to verify this action. Review the permissions listed in the dialog and click `Yes` to confirm. Wait for the process to complete, this may take a few seconds.
+
+Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
+
+![Intune API Permissions Granted](/docs-static/img/how-to-guides/intune-mdm/granted-permissions.png)
+
+## Create a Client Secret for Secure NetBird-Intune Authentication
+
+Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
+
+![NetBird Generate Client Secret](/docs-static/img/how-to-guides/intune-mdm/client-secret.png)
+
+On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
+
+![EntraID Add a Client Secret](/docs-static/img/how-to-guides/microsoft-entra-id-sync/WIercn5.png)
+
+A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
+
+![EntraID Client Secret Value](/docs-static/img/how-to-guides/microsoft-entra-id-sync/LimVmGI.png)
+
+## Enter Application ID and Directory ID in NetBird
+
+Paste the secret `Value` from the previous step into NetBird and click the `Continue →` button. A new wizard screen will appear, asking for the `Application (client) ID` and the `Directory (tenant) ID` credentials generated previously.
+
+Paste the values and click the `Continue →` button.
+
+![NetBird Application ID and Directory](/docs-static/img/how-to-guides/intune-mdm/client-id.png)
+
+## Choose Groups to require Intune Agent
+
+At this stage, you need the specify the Netbird group(s) you'd like to ensure the EDR check will apply and will require a running Intune agent installed on the peer.
+
+
+![NetBird Group Sync](/docs-static/img/how-to-guides/microsoft-entra-id-sync/xyLPzxH.png)
+
+<Note>
+    The EDR check will apply only to machines in the selected groups and will require a running Intune agent.
+</Note>
+<Note>
+    You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
+</Note>
+
+Peers that have the Intune agent installed and are compliant will be granted access to the network. Peers without the agent will appear
+with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.
+
+<p>
+    <img src="/docs-static/img/how-to-guides/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
+</p>
+
+## Important Notes
+
+- Only Windows and macOS devices are supported; Linux, iOS, and Android are not eligible for this integration.
+- A device must have successfully synced with Intune within the last 24 hours otherwise, it will not be treated as compliant, regardless of its last known state.
+- Devices with a Intune compliance state of `Compliant` or `InGracePeriod` are accepted; all other states are rejected.
+- New devices or those that recently achieved compliance may need to be disconnected and reconnected to Netbird to propagate updated status.
+- NetBird regularly synchronizes with Intune every few minutes, so changes in compliance can take some time to reflect on the dashboard.