The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 5. Set up mobile device management,” you’ll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.
In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.
ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.
They have defined the following goals:
- Deliver the best Windows 10 experience for all their corporate PCs.
- Allow employees to use personal devices and mobile phones at work.
- Protect the network from unknown or compromised users and devices.
- Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
- Prevent employees from accessing and maintaining corporate data if they leave the company.
Plan your Intune deployment
Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.
Figure 1. ContosoCars’ defined Intune use-case scenarios and requirements.
You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.
Set up Mobile Device Management (MDM)
Once planning is complete, ContosoCars can move onto implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins will need to set MDM authority to Intune in the Azure portal.
In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to deploy Windows Defender Advanced Threat Protection (ATP), which provides instant detection and blocking of advanced threats. Once IT admins set up Intune, users can enroll devices by signing in with their work or school account to automatically receive the right configuration profiles for their device.
ContosoCars can configure devices to meet business requirements and enable security features, such as Windows Hello, which allows users to sign in to their computer using a combination of biometrics and a PIN.
Manage personal devices
Next on the rollout plan are the personal iPhones and Android phones used by the staff to keep up with work email and data. ContosoCars will manage these devices by requiring employees to enroll their devices with Intune before allowing access to work apps, company data, or email using enrollment requirements guidance. ContosoCars can set up configuration policies for these devices just as they did the Windows 10 PCs, and they can add additional security controls by setting up device compliance policies. Using Azure AD you can allow or block users in real-time if their compliance state changes. These policies ensure only known and healthy devices enter the network.
Some examples include:
- Require users to set a password to access devices; password must be of certain complexity.
- Require users to set a PIN to encrypt the device; PIN must be of certain complexity.
- Deny access to jail-broken or rooted devices, as they may have unknown apps installed.
- Require a minimum OS version to ensure security patch level is met.
- Require the device to be at, or under, the acceptable device-risk level.
With Windows 10, conditional access policies are integrated with Windows Defender ATP. Microsoft works with leading mobile threat defense technology partners to provide comprehensive device-risk assessment on all platforms.
Check back in a few weeks for our next blog post, “Step 6. Manage mobile apps,” where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.
Get deployment help now
FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.