As the use of personal devices in the workplace becomes more common, we are challenged with managing a data environment on Windows and non-Windows devices that contain a mix of work-related and personal data. Using Microsoft Intune and Azure Active Directory, Microsoft IT has enabled modern device management and an improved user experience that allows secure anytime, anywhere access to corporate resources. This approach provides our users the flexibility and convenience of using their personal devices for work. It also makes it easier to incorporate, manage, and secure non-Windows devices within our environment.
Now, non-Windows computers are part of our increasingly diverse computing environment. We have acquired companies in which most users were running OS X and Android operating systems, and we have many developers who use devices running non-Windows operating systems to develop Microsoft products for those operating systems.
We needed a way to manage personal and non-Windows devices so they would be held to the security and compliance policies that we had in place for the Windows devices that are on the corporate network.
Providing mobility while maintaining security
- Identity and access management, using Azure Active Directory Premium to manage identities across on-premises and cloud. It provides single sign-on and self-service for corporate resources, and consistent access to corporate resources so that users can work on the devices of their choice.
- Mobile device and app management, using Microsoft Intune to manage and protect corporate apps and data on almost any device with mobile device management (MDM) and mobile application management (MAM).
- Information protection, using Azure Rights Management for encryption, identity, and authorization policies to secure corporate data (at the file level, in transit, and at rest) and email across phones, tablets, and PCs.
- Behavior-based threat analytics, using Advanced Threat Analytics to identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.
Defining security policies
We looked at our services and the variety of devices that users are connecting to Microsoft resources. We knew that we needed to plan and implement policies that would help ensure:
- The person using the device is who they say they are.
- The person using the device has permission to access the data that they are trying to access.
- The data is protected moving forward, in the event that the device is lost or stolen.
We used the security policies that we had in place for Windows devices that were already being managed through Configuration Manager and Intune as the standards for settings and configurations that needed to be managed on non-Windows devices.
Developing technical control procedures
We developed technical control procedures (the specific settings implemented on a device or within a policy) that would be used to achieve the standards. Some examples of the technical control procedures we used included ensuring that devices were running the latest operating system version, that the latest updates were installed, that encryption was enabled, and that the right kind of authentication was in use.
We identified the native security features for each platform that, after their configuration was managed, would provide the type of access security that we needed to connect to the corporate network. For some areas, such as anti-malware protection for Android devices, we identified additional components that would need to be installed to make the device compliant.
We also had to look at privacy regulations for global users and ensure that we were not collecting any type of usage information on personal devices that is protected by the privacy laws of their country or region.
Managing devices through System Center Configuration Manager and Microsoft Intune
Mobile device management is an important part of supporting mobile productivity for our users. At Microsoft, we have a hybrid solution. Almost 52,000 mobile devices are enrolled in the cloud-based Microsoft Intune service, and administrators manage the devices through System Center Configuration Manager integrated with Microsoft Intune.
We are currently supporting Intune enrollment on these operating systems:
- Windows 8.1 and Windows 10 (non-domain joined)
- Windows 10 Mobile/Phone 8.1
- OS X (OS X 10.9)
- iOS (iPad/iPhone 7.1)
Enrolling a personal device in Intune
When a user enrolls their personal device to be managed by Intune, we allow them to connect to the corporate network and the Company Portal by provisioning platform-specific Wi-Fi and VPN profiles. The Company Portal contains corporate applications relevant to users and their roles. Enrollment also sets up the device to automatically receive corporate policies and settings, all of which are required to connect to the corporate network.
To enroll a personal or non-Windows device, a user first needs to enroll in Azure Multi-Factor Authentication. They will also need to select a device lock PIN that is a minimum of six digits long. Mobile devices are required to be encrypted.
Separating personal and corporate data
Intune enrollment provides a clear separation of business and personal data. Users or administrators can selectively wipe corporate data from the device, while leaving personal data such as pictures, personal email accounts, personal apps, and files untouched. Without Intune, we could only do a full wipe of a device by using Exchange ActiveSync.
Intune enrollment does not enable physical tracking or location services for the device. It also does not provide any visibility of private data or of the contents of personal or corporate email accounts. If necessary, as part of the selective wipe process, Intune deletes corporate email accounts to remove corporate email account settings and email messages from the device, but message content is not accessible from Intune.
Using remote data wipe to remove company data from a personal device
A user can perform a remote data wipe, or "enterprise wipe," to remove company data remotely from a personal device by simply un-enrolling their device from the Company Portal. They can do this either by using another enrolled mobile phone or by accessing the Self Service Portal with a PC. After a device is un-enrolled, all of the internal apps and policies associated with that account are removed.
In the event that a device is lost or stolen, users can use our self-service Intune device management portal or Outlook Web Access (OWA) to initiate the wipe, or they can contact the helpdesk to ask a support engineer to remotely wipe the device for them.
Configuration Manager and Intune are able to perform health checks and to monitor and report on device status. For non-Windows devices, enforcement is an area that we are actively working on. We are piloting conditional access functionality that can block access to corporate resources for devices that fail a real-time health check during a connection attempt.
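As an added example (not Microsoft IT's code and not Intune's policy engine), the following Python encodes the technical controls described earlier (current OS version and updates, encryption, a six-digit device lock PIN, Multi-Factor Authentication enrollment, and an anti-malware component on Android) and applies them as the connection-time conditional access decision described above. Platform names, field names, the sample inventory, and the Windows and Android minimum versions are assumptions for illustration; the OS X and iOS minimums follow the enrollment list.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum OS versions per platform (OS X and iOS from the enrollment list above;
# the Windows and Android values are assumed placeholders for this example).
MIN_OS_VERSION = {"windows": (10, 0), "osx": (10, 9), "ios": (7, 1), "android": (5, 0)}
MIN_PIN_DIGITS = 6  # device lock PIN must be at least six digits


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    updates_current: bool
    encrypted: bool
    pin: Optional[str]
    mfa_enrolled: bool
    antimalware_installed: bool = False


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.11.6' into (10, 11, 6) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(dev: Device) -> List[str]:
    """Return the controls the device fails; an empty list means compliant."""
    failures = []
    minimum = MIN_OS_VERSION.get(dev.platform)
    if minimum is None:
        failures.append("unsupported platform")
    elif parse_version(dev.os_version) < minimum:
        failures.append("os version %s below %s" % (dev.os_version, ".".join(map(str, minimum))))
    if not dev.updates_current:
        failures.append("updates not current")
    if not dev.encrypted:
        failures.append("storage not encrypted")
    if not (dev.pin and dev.pin.isdigit() and len(dev.pin) >= MIN_PIN_DIGITS):
        failures.append("device lock PIN shorter than %d digits" % MIN_PIN_DIGITS)
    if not dev.mfa_enrolled:
        failures.append("user not enrolled in multi-factor authentication")
    if dev.platform == "android" and not dev.antimalware_installed:
        failures.append("anti-malware component missing")
    return failures


def conditional_access(dev: Device) -> str:
    """Real-time health check at connection time: allow only fully compliant devices."""
    return "allow" if not evaluate(dev) else "block"


# Constructed sample inventory: one compliant Mac, one non-compliant Android phone.
SAMPLE = [
    Device("mac-01", "osx", "10.11.6", True, True, "482913", True),
    Device("droid-02", "android", "4.4", True, False, "1234", True, False),
]
```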
Managed mobility on Windows Phone, iOS, and Android
We have been using Microsoft Intune to manage Windows Phone, iOS, and Android devices. Users can access secure email and any cloud-based applications or websites that use Azure Active Directory Federated Services for authentication.
Enabling Mac in the Enterprise
We were early adopters in implementing Intune support for OS X management. During the planning phase for the pilot, our first task was to create profiles for Wi-Fi, VPN, and to determine the security policies that we would enforce on the devices. The security policies were designed to achieve parity with the security policies on Windows devices within our environment. We wanted to enable a more consistent work PC experience for our Mac users. Our goals were to create a simple user experience that provided secure access to corporate resources and email.
We also needed to enforce multifactor authentication for the Outlook client. Part of our overall strategy for the last year has been to move from username/password-based authentication to certificate-based authentication, because it provides increased security, and we can deploy certificates and profiles at the same time—which is easier for users.
The following figure shows how we can easily implement new policies and manage compliance rules for Mac computers.
We have been running the Intune for Mac pilot program for three months, and expanded it from 50 users to more than 1,000 users within the first three weeks. The built-in support for OS X management with a consistent user and IT admin experience replaced the multi-step and diverse enrollment process.
All hardware and software reports for Mac management are also available in our System Center Configuration Manager 1602 environment. The consolidated reporting and management provides us with a unified view of devices, PCs, and their health.
Users are required to enroll their Mac computer by installing a Management Profile from the Company Portal. The Management Profile installs the required software and enables a corporate Wi-Fi connection. Users can install Outlook for Mac 2016, Skype for Business Mac Preview, and System Center Endpoint Protection to enable access to email, meeting and other business activities, and antimalware support. For remote connection and access to corporate resources, a VPN client is available.
We support mobility and productivity across diverse devices, while protecting company information. Using Intune and EMS has helped us to meet our goal of providing users with an easy enrollment process, a consistent user experience, and separation of their work and personal information.
We designed our security policies around the ones we had in place for Windows devices, using the inherent security features that are included within each of the supported platforms. Having a unified and modern management platform makes it easy for us to create and deploy policies for all of the managed device platforms.
© 2019 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.