Conditional access policies

To help keep our University safe, we use a system that checks if your personal device meets certain security rules before letting you access things like email or files.

This software is called Microsoft Intune, which works with something called Conditional Access. Together, they help make sure that only approved devices can access our university systems.

These changes form part of our Cyber Essentials Plus certification.

Changes to your device

If you use a personal device to access ARU information, this will now need to meet certain conditions in order to access ARU information.

Examples of times you may use a personal device, would be using the Outlook app on your mobile to view your ARU emails or using the Teams app to attend meetings on the go.

In order to remain compliant, you will need to ensure that your device is running an up to date operating system and if you are using Microsoft apps on your device e.g. Teams, that you have set an additional security Pin when logging in. This is to protect our information whilst letting you work easily from anywhere and on a device you choose.

A useful resource for checking if your device's operating system version is able to receive security updates is endoflife.date. “Old" devices are those that no longer receive security updates and are not able to be upgraded to an OS version that does.

What happens if my device is not compliant?

These policies will block devices that are not considered compliant due to running old operating systems or not having a PIN set for the applications.

To ensure that you continue to access all the ARU systems you need from your personal devices, follow the instructions below.

Personal device instructions

Step 1: Prompt to install the Microsoft Intune app. Click “Go to store”.

Screenshot of phone screen showing "Go to store"

 

 

Step 2: Google Play store opens. Note: Company Microsoft Corporation and app name Intune Company Portal.

Screenshot of Intune Company Portal on the Google Play store

 

 

Step 3: Application Installed, Click Open.

Screenshot of "Open" on the Play store

 

Step 4: If there is another Microsoft account other than your ARU account, you may see this screen appear, Click the button “Create or use another account”.

Screenshot of the "Use this account" screen

 

Step 5: Enter ARU Credentials

Screenshot of the credentials screen

 

Step 6: App Protection Checking against policy. Everything’s up to date = compliance with Android OS version 12+

Screenshot of the Get Access screen

 

Step 7: You will be prompted to set up a pin, once the pin is set, apps can be accessed as normal.

Screenshot of the set your pin screen

Unlike Android, iOS does not need Company Portal to protect your data. Microsoft Authenticator App does this already. When accessing Microsoft Apps from your personal devices, you can expect to need to complete the following steps:

Step 1: Log in with your ARU username.

Screenshot of Microsoft Teams login page

 

Step 2: Enter your ARU password.

Screenshot of the ARU password page

 

Step 3: You will be prompted to complete MFA.

Screenshot of the MFA prompt page

 

Step 4: You will be prompted to register your device. Tap Register

Screenshot of the Register page

 

Step 5: Your app will then process your request and ask you to create a Pin

Screenshot of the create a pin screen

 

Step 6: Your app is now protecting your data. Click OK to continue to use your app as normal.

Screenshot of the "Your organization is now protecting its data in this app" screen.

Important: before continuing you must ensure that both Windows and the Microsoft Edge browser are fully up to date on your device.

See guidance for checking Windows updates. See guidance for checking Edge updates.

To begin, open Edge and visit an ARU system such as Outlook Online: https://outlook.office.com

Step 1: You will be prompted to enter your ARU Username.

Screenshot of Microsoft sign in screen

 

Step 2: Next enter your ARU account password.

Screenshot of the ARU password screen

 

Step 3: You will be prompted to complete a Multifactor Authentication (MFA) challenge.

Screenshot of the MPA prompt screen

 

Step 4: With the MFA challenge passed, you will be prompted to “Sign in with your work account”, click on “Switch Edge profile”.

Screenshot of the Sign in with your work account screen

 

Step 5: The “Continue with your work or school account” pop up will appear, click on “Sign in to sync data”.

Screenshot of the "Continue with your work account" screen

 

Step 6: You will be prompted to sign in and challenged for MFA again. Important! When prompted, you must uncheck the “Allow my organisation to manage my device” box, then press “Yes, all apps”. This must be followed exactly otherwise this process will not work.

Screenshot of the "Automatically sign in" screen

 

Step 7: You will be notified the process is complete. Click on Done

Screenshot of the "You're all set" screen

 

Step 8: Once this screen appears, press Continue, you can now access your ARU resources. This will also allow you to use desktop applications such as Teams and New Outlook.

Screenshot of the "Let's set up your profile" screen

 

Step 9: Sync will be off by default but can be turned on.

Screenshot of the "Turn on sync" screen

If you have found you are stuck in a loop being prompted to “Switch Edge profile”, follow these instructions to remove your ARU Edge profile/Windows account before attempting the first time setup instructions again.

Removing your ARU Edge profile

Step 1: Open your Edge browser and click on your profile picture in the top right, then select your “School” (ARU) profile.

Screenshot with school profile highlighted

 

Step 2: In the new Edge window that opened, click on your profile picture again then click on the Settings cog.

Screenshot with "Not syncing" and the settings cog highlighted

 

Step 3: Remove your ARU Edge profile by clicking on the bin icon.

Screen with the bin button highlighted

 

 

Step 4: Confirm that you want to remove your ARU Edge profile.

Screenshot of the "Remove this profile?" popup

 

 

 

Step 5: Close all open Edge windows. When you reopen Edge you will see that your ARU profile is no longer listed.

Screenshot of Edge windows

 

 

Removing your ARU Windows account

Step 1: Open Windows Settings and go to the Accounts tab.

Screenshot of Windows account homepage

 

 

Step 2: Scroll down to “Access work or school” and click on it.

Screenshot of the Windows Accounts page

 

 

Step 3: Click on the Disconnect button for your ARU account.
Once completed, restart Windows and follow the first time setup instructions above.

Screenshot with the "disconnect" section highlighted

 

Frequently asked questions

Please contact the IT Helpdesk who will be able to assist with updating or replacing your device.

A useful resource for checking if your device's operating system version is able to receive security updates is endoflife.date. “Old" devices are those that no longer receive security updates and are not able to be upgraded to an OS version that does.

No, ARU will not manage personal devices. This is why we will have to use only supported apps when connecting to ARU systems.

Yes, currently there are no plans to change how Eduroam connections work.

No, Authenticator apps will not be impacted by the newly-introduced controls.

Known issues and fixes

Some users may run into problems, depending on the age and set up of their device. If you run into difficulties and would like support, please contact our Customer Support team, who will be able to help.

Find out more about Conditional Access Policies at the Microsoft Support Centre.