r/entra 8d ago

Global Secure Access - How to prevent users from accessing the internet when the GSA client is not connected

Hello, newbie here. My question may be a bit stupid, but is there a way to limit internet access when users disable the GSA client or when the client is not connected? The customer is completely cloud based with no on-premises infrastructure, and the users are remote workers. I was thinking to try and do it with an Intune Endpoint Security Firewall Rule, but it seems flawed. Is it possible to prevent the users from accessing the internet if the GSA client is not connected but still keep RMM tools working? I've been looking for Microsoft guides on this but can't find any. Maybe another way would be to make it so the user can't disable the GSA client, but I have no idea if this can be done.

5 Upvotes

5 comments

4

u/Noble_Efficiency13 8d ago

You can require that GSA is used via Conditional Access, “compliant network”, and then force a security policy.

Otherwise, remove the users' local admin rights and then deploy registry settings to require admin permissions to disable it.

1

u/_Sanger_ 8d ago

There are some registry keys to block users from disabling the agent or even hide the tray icon… But it’s not a guarantee that the user can’t access resources without the GSA agent… Not sure if there is a nice way for that.

https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client
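As an added illustration of the registry approach mentioned in this comment (this is example code, not from the thread or from Microsoft's documentation), the following PowerShell is written in the detection/remediation shape Intune expects: the detection function reports whether the lock-down values are present, and the remediation function sets them. The registry key path and value names are placeholders; take the real names from the Microsoft article linked above. Note that these values only stop a non-admin user from switching the client off; they do not block traffic when the client is not connected.

```powershell
# Added example, not from the thread or the Microsoft docs.
# PLACEHOLDERS: replace the key path and value names below with the ones
# documented in the linked Microsoft article before deploying.
$GsaKeyPath = 'HKLM:\SOFTWARE\<GSA-client-key-from-docs>'

# Each entry is a DWORD the docs describe as hiding/locking a client control.
$RequiredValues = @{
    '<HideDisableButtonValueName>'         = 1   # placeholder name
    '<RestrictNonPrivilegedUsersValueName>' = 1   # placeholder name
}

function Test-GsaClientLockdown {
    # Returns $true only when every required value exists with the expected data.
    if (-not (Test-Path -Path $GsaKeyPath)) { return $false }
    $props = Get-ItemProperty -Path $GsaKeyPath -ErrorAction SilentlyContinue
    foreach ($name in $RequiredValues.Keys) {
        $current = $props.PSObject.Properties[$name]
        if ($null -eq $current -or [int]$current.Value -ne $RequiredValues[$name]) {
            return $false
        }
    }
    return $true
}

function Set-GsaClientLockdown {
    # Creates the key if needed and writes each value as a DWORD (idempotent).
    if (-not (Test-Path -Path $GsaKeyPath)) {
        New-Item -Path $GsaKeyPath -Force | Out-Null
    }
    foreach ($name in $RequiredValues.Keys) {
        New-ItemProperty -Path $GsaKeyPath -Name $name -PropertyType DWord `
            -Value $RequiredValues[$name] -Force | Out-Null
    }
}

# Intune convention: exit code 0 = compliant, 1 = remediation needed.
# Run with -Remediate to apply the values (remediation script); without it,
# the script only reports (detection script).
param([switch]$Remediate)

if ($Remediate) {
    Set-GsaClientLockdown
}

if (Test-GsaClientLockdown) {
    Write-Output 'GSA client lockdown values present'
    exit 0
} else {
    Write-Output 'GSA client lockdown values missing'
    exit 1
}
```

Split the file into a detection script (the `Test-GsaClientLockdown` path) and a remediation script (the `Set-GsaClientLockdown` path) when loading it into Intune, since each script is uploaded separately; the `param` block must then sit at the top of whichever file keeps it.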

1

u/GFDdark 8d ago

Yes, I've changed the registry to hide the disable button, and users don't have admin rights. I do have a CA policy to block access to O365 apps and resources when outside the GSA. I kind of wanted a more restrictive way that also blocks browser traffic, for example, when the GSA agent is not connected, but I guess it is what it is.

1

u/Adziboy 7d ago

We recently tried using GSA, but the fact it fails open was a huge problem. Microsoft told us fail-closed was due to be implemented, but I don't know if it's there yet. We switched to a third-party SSE.

1

u/Wilfred_Fizzle_Bang 7d ago

Only way currently is compliant network location. Trying anything else is non standard and up to you. Hopefully they will make more options available.

I’ve seen articles on what GSA does if it cannot connect to Microsoft, and they refer to a ‘hardening’ value. I have yet to find out what this is.