Block URLs access using Intune – A useful guide

In this post, we will explore how to block URL access using Intune in specific browsers.

In today’s fast-paced digital environment, managing and securing web access across your organization is more critical than ever. With employees relying on multiple browsers such as Microsoft Edge, Mozilla Firefox, and Google Chrome, IT administrators face the challenge of enforcing consistent policies across diverse platforms. This blog post dives into how Microsoft Intune can be leveraged to deploy URL blocklists effectively, helping you control access to specific sites and ensure a secure and productive work environment.

We’ll walk you through the process of importing the necessary ADMX templates into Intune and configuring browser policies to block access to common webmail services like Gmail, Hotmail, and Yahoo. Whether you’re an experienced IT professional or just starting out in endpoint management, this guide will equip you with a practical, step-by-step approach to managing URL access. Stay tuned as we explore the best practices and key steps needed to harness the full potential of Intune for browser policy enforcement.


Prerequisites

Before configuring URL blocklists using Intune, it’s important to ensure you have the necessary components in place for each browser.

Microsoft Edge and Google Chrome

For Microsoft Edge and Google Chrome, there are no additional prerequisites. Intune’s built-in Settings Catalog includes all the necessary options for managing Edge and Chrome policies. This streamlined integration means you can directly configure URL blocklists without having to import any extra templates.

Mozilla Firefox

For Mozilla Firefox, you’ll need to import the appropriate ADMX templates to gain access to the full range of policy settings.

  • Downloading the ADMX Templates:
    • Google Chrome: Although it is not mandatory to import the Google Chrome ADMX, I am presenting the way to download and import the ADMX files for completeness. Download the latest ADMX templates from the official Chrome Enterprise website.

Now that the ADMX files are downloaded, we have to import them into Intune. The steps to do that for Firefox (both mozilla.admx and firefox.admx) are presented below:

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Manage devices > Configuration > Import ADMX tab > Import.
  3. Import the ADMX and ADML files.

A very useful guide on how to import the ADMX and some additional points to have in mind can be found here.

Make sure you download the most current ADMX files that are compatible with the versions of Chrome and Firefox used within your organization. With these prerequisites in place, you’re ready to implement browser-specific policies and ensure secure, controlled web access.

URLBlockList Policies

Now that the prerequisites are fulfilled, we will create the policies to block access to specific URLs using Intune. For our scenario, we are going to block access to well-known webmail clients such as Gmail, Yahoo and Hotmail.

Blocking the URLs of the above websites is only an example to demonstrate how the URLBlockList works. We can extend the list as our needs change.

To create the block URL rules, we have to create a settings catalog profile for Google Chrome and Microsoft Edge and an Administrative Templates profile for Firefox.

Microsoft Edge and Google Chrome

As mentioned above, for Microsoft Edge and Google Chrome we have to create a Settings Catalog profile. Below are the steps for doing that.

In the Intune Admin Portal, go to the Windows blade and create a new Configuration Profile with Profile Type “Settings catalog”.

Give a proper name to your profile.

Type “URLBlock” and select the corresponding settings for Google Chrome and Microsoft Edge.

Assign the policy to a group and create it.

More details about the URL format required to block specific websites can be found here.

Firefox

For Firefox, we have to create an Imported Administrative templates (Preview) profile.

In the Intune Admin Portal, go to the Windows blade, create a new Configuration Profile with Profile Type “Templates” and choose Imported Administrative templates (Preview).

Give a proper name to your profile.

From the available Firefox options, choose “Blocked Websites” and enter the desired URLs.

The above scenario is kept as simple as possible to show how the block is implemented. In a production environment, we would add wildcards so that the block covers all the URL variants of each site.

How to check if policies are applied?

Each browser has an internal policy page that lists the policies it has received, so we can use it to check whether the policies are applied correctly. Below are the policy URLs for the three aforementioned browsers.

  • Microsoft Edge -> edge://policy
  • Google Chrome -> chrome://policy
  • Mozilla Firefox -> about:policies
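The same check can be done on the device from PowerShell, which also catches the case where one browser's list has drifted from the others. This is an added example, not part of the original post: it assumes the policies land in the standard machine policy registry keys these browsers read on Windows, and the expected entries are constructed sample values to replace with the ones from your own profiles.

```powershell
# Expected entries per browser (constructed sample values, not taken from the post).
# Edge and Chrome use the URLBlocklist filter format; Firefox uses match patterns.
$expected = @{
    Edge    = @('mail.google.com', 'outlook.live.com', 'mail.yahoo.com')
    Chrome  = @('mail.google.com', 'outlook.live.com', 'mail.yahoo.com')
    Firefox = @('*://mail.google.com/*', '*://outlook.live.com/*', '*://mail.yahoo.com/*')
}

# Machine policy keys each browser reads its blocklist from (assumed standard locations).
$policyKeys = @{
    Edge    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'
    Chrome  = 'HKLM:\SOFTWARE\Policies\Google\Chrome\URLBlocklist'
    Firefox = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\WebsiteFilter\Block'
}

function Get-AppliedBlocklist {
    param([Parameter(Mandatory)][string]$KeyPath)
    # A missing key means the policy never reached this device.
    if (-not (Test-Path -Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath
    # List policies are stored as numbered string values (1, 2, 3, ...).
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

$report = foreach ($browser in $policyKeys.Keys) {
    $applied = @(Get-AppliedBlocklist -KeyPath $policyKeys[$browser])
    $missing = @($expected[$browser] | Where-Object { $_ -notin $applied })
    $extra   = @($applied | Where-Object { $_ -notin $expected[$browser] })
    [pscustomobject]@{
        Browser    = $browser
        Applied    = $applied.Count
        Missing    = $missing -join ', '
        Unexpected = $extra -join ', '
        Compliant  = ($missing.Count -eq 0)
    }
}

# One row per browser; a non-empty Missing column means the list is incomplete there.
$report | Sort-Object Browser | Format-Table -AutoSize
```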

End-User Experience

Now that we have created and deployed the policies, let’s see what users experience when they try to access URLs that are defined in the block lists.

Google Chrome

Microsoft Edge

Mozilla Firefox

Considerations

Below are some considerations that we should have in mind before implementing such policies in an organization.

Regular Review and Updates:

  • Blocklists need to be reviewed and updated frequently to ensure that all relevant URLs are covered and to adapt to any changes in webmail domains. This ongoing maintenance can add significant administrative overhead.

Administrative Overhead:

  • This approach should be employed only when strictly necessary and with well-defined rules, as managing multiple blocklists for different browsers requires continuous monitoring and adjustments.

Browser-Specific Implementation:

  • Since the policies must be implemented separately for each browser (Edge, Chrome, and Firefox), there is a risk of inconsistencies and increased complexity in managing the settings across different platforms.

Alternative Solutions:

  • Implementing browser-specific blocklists might not be the most efficient system-wide solution. A centralized DNS filtering solution, such as Cisco Secure Client or Zscaler, can offer broader protection with less overhead.

Comprehensive URL Coverage:

  • It is crucial to plan carefully and block all the necessary URLs. Without comprehensive coverage, users may find alternative paths to access the restricted content, bypassing the intended restrictions.

Impact on User Experience:

  • Overly broad or improperly configured blocklists can inadvertently affect legitimate activities, potentially hindering productivity or access to important resources.

Scalability and Future Needs:

  • As the organization grows, the complexity of managing and updating blocklists for multiple browsers may increase, necessitating a scalable solution that can adapt to evolving security requirements.

Security and Compliance:

  • Any URL blocking strategy should align with the organization’s overall security policies and compliance requirements, ensuring that security measures do not conflict with business operations.

Final Verdict

In today’s digital landscape, managing web access across different browsers using Microsoft Intune is not only feasible but also offers granular control over which URLs your employees can access. By leveraging Intune’s configuration profiles—whether through the built-in Settings Catalog for Microsoft Edge and Google Chrome or imported Administrative Templates for Mozilla Firefox—you can effectively block access to undesired sites.

However, this browser-specific approach requires careful planning and ongoing maintenance. You must ensure that the ADMX templates are current, that blocklists are regularly reviewed and updated, and that policies are consistently applied across all browsers. While this method offers targeted control, it can increase administrative overhead and may not cover every scenario, especially if users switch to alternative, unmanaged browsers.

Ultimately, for organizations with a diverse browser environment, the solution presented in this guide provides a viable way to enforce web access policies using Intune. It’s a powerful tool in your security arsenal—yet one that should be balanced with considerations for user experience and alternative centralized solutions like DNS filtering. With thorough testing and regular updates, you can maintain a secure, productive environment that meets your organization’s specific needs.
