Entra machine groups
James McNab
Documentation for the preview Device name restrictions feature is now available on our docs site: https://docs.appsanywhere.com/appsanywhere/3.2/device-name-restrictions-for-delivery-methods
Alexandre Cop
James McNab in our environment we do not differentiate between AD/hybrid joined and Entra joined from the device name, so it's not something I can make use of.
James McNab
Alexandre Cop If you have a naming convention for your devices then you should be able to use the device name restrictions feature to control access for Hybrid and Entra joined devices, instead of using directory based machine restrictions.
Alexandre Cop
James McNab as mentioned above, our naming convention does not differentiate between native and hybrid devices, so the device name restriction does not address our needs.
James McNab
Alexandre Cop Apologies I perhaps am misunderstanding what you are trying to do, but you can use this new restriction for both Entra joined and Hybrid joined devices (and AD joined). It's also independent of AD or SAML based provisioning and restrictions.
Alexandre Cop
James McNab I'm not sure how else I can say "we use the same naming convention on native and hybrid".
For us, groups are currently the only way to differentiate devices. I could use those to create e.g. reg keys locally though.
James McNab
Michael Coxon / Alexandre Cop
We have a new feature available in preview for AppsAnywhere 3.2: Device name restrictions for delivery methods.
Device name restrictions allow delivery methods to be restricted to specific devices by name. This is useful when your devices are not AD joined (Entra joined). The feature supports pattern matching and exclusions so you can target groups of devices, single devices or a mixture.
Device name restrictions is available in preview for AppsAnywhere 3.2, and must be enabled by AppsAnywhere support. Please contact your Customer Success Manager for more details and to schedule the update.
If you are using the Locally Deployed delivery method then please note that this delivery method is currently only compatible with AD joined devices. We would recommend using the Locally Installed delivery method to target pre-installed applications. If you need to restrict to specific devices you can then use either a directory record mapping or the new Device name restrictions feature if you need to support Entra joined devices.
Alexandre Cop
sigh
just as well I haven't implemented it, that's what I had been suggested to do by Support.
James McNab
Alexandre Cop Are you planning on implementing SAML provisioning on top of your existing LDAP provisioning with Hybrid joined devices or are you moving to pure SAML based provisioning with Entra joined devices?
If you are using a hybrid approach then you can continue to use AD/LDAP where you need to target devices and use SAML for your user based provisioning.
You can't mix and match SAML and LDAP provisions and restrictions, but where you have pure user-based provisions and restrictions for apps these can be migrated to SAML.
Alexandre Cop
James McNab we're moving to a split scenario this year, where staff devices are Entra joined and Student devices will remain hybrid.
So, the users are not an issue, but I have instances where an app needs to be available on the Staff Desktop, and others only on the Student Desktop.
Student Desktop is not an issue this year, but the Staff Desktop is. Hope this clarifies.
James McNab
Hi Alexandre Cop
Yes that is correct, SAML is all user based and doesn't have any concept of devices.
Alexandre Cop
James McNab am I reading correctly that using SAML works for users and user groups, but not device and device groups?
James McNab
Thanks Andy, for anyone else here is a link to the related feature request: https://feedback.appsanywhere.com/feature-requests/p/custom-restriction-fields-in-provision
Since this is related to support for Intune device groups specifically I won't merge it with that one, which is a more specific solution suggestion.
James McNab
Merged in a post:
Azure AD Groups
Alexandre Cop
As SSO is shifted to Azure, it would be useful to have provisioning using AD Users and Groups.
Native AAD devices (i.e. not hybrid) cannot use device restriction.
Andy Corps
Agreed. Simplest solution I can see is to apply a "tag" (via reg or env variable or file) to a device via Intune while deploying the AppsAnywhere client.
This tag could be used as a restriction type.
Stuart Pearson
Agree with this 100%. This is a feature that is absolutely necessary right now.