intune

How to protect company data on users' personal computers (BYOD)?

Because of the current health situation, a lot of people are using personal computers to access their company's information. Best practice is always to use a company-owned device, but with the whole world needing laptops for home working, that has often not been possible. Most of this access has gone through a Terminal Server or Citrix, which keeps company data under control because it is only streamed to the screen of a computer the company does not manage: no copy of the data lands on the local disk, so if the PC is stolen or infected with malware the files themselves are not exposed. (An attacker who fully controls the local PC can still capture what is on screen or typed into the session, so this is containment, not immunity.)

Some applications will nevertheless have been set up locally, for example Teams because it needs to stream video and audio, or Outlook for people who want their email offline (on a plane, say). The question is how to secure those.

The answer is Intune MAM (mobile application management). A policy is defined in Microsoft Intune (users need an Intune and an Azure AD P1 licence) so that Microsoft apps, or third-party apps wrapped with the Intune App Wrapping Tool, are governed by an Intune App Protection Policy whenever the user signs in with their work account.

MAM can be applied to iOS (Apple), Android, and Windows 10 build 15063 (version 1703) or later.

On Windows 10 devices MAM uses WIP (Windows Information Protection), which runs in one of four modes:

  1. Block (labelled "Hide overrides" in older Intune consoles): enterprise data is prevented from leaving protected apps.

  2. Allow overrides: the user is prompted when attempting to move data from a protected app to a non-protected one. If they choose to override the prompt, the action is logged.

  3. Silent: the user is free to move data out of protected apps, but every such action is logged.

  4. Off: the user is free to move data out of protected apps and nothing is logged.

Intune MAM policies can be added to a device after it has been enrolled; they do not have to be created at the start.
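The following is an added example, not code from the original post: it creates a WIP MAM (without enrollment) policy through Microsoft Graph using the Microsoft Graph PowerShell SDK, and shows how the four console modes above map to the Graph `enforcementLevel` values. It assumes the SDK is installed, the caller holds the `DeviceManagementApps.ReadWrite.All` permission, that the beta schema for `windowsInformationProtectionPolicy` is as documented at the time of writing, and that `contoso.com` and the policy name are placeholders for your own values.

```powershell
# Added example (not from the original post): create an Intune MAM-WE / WIP
# policy via Microsoft Graph and pick one of the four WIP modes.
# Assumptions: Microsoft.Graph SDK installed; caller has
# DeviceManagementApps.ReadWrite.All; beta schema as documented at time of
# writing; "contoso.com" and the display name are placeholders.

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

# Console label -> Graph enforcementLevel value
$WipMode = @{
    'Block'          = 'encryptAuditAndBlock'   # "Hide overrides" in older consoles
    'AllowOverrides' = 'encryptAuditAndPrompt'  # user may override, override is audited
    'Silent'         = 'encryptAndAuditOnly'    # no prompt, relocation is only logged
    'Off'            = 'noProtection'           # no encryption, no logging
}

# Start in Silent mode: enterprise data is tagged and encrypted and every
# relocation is audited, but nobody is blocked. Review the audit events to
# see which apps users really move data between, then switch to Block.
$body = @{
    displayName                    = 'WIP - BYOD Windows 10 (MAM without enrollment)'
    enforcementLevel               = $WipMode['Silent']
    enterpriseDomain               = 'contoso.com'
    enterpriseProtectedDomainNames = @(
        @{ displayName = 'Contoso'; resources = @('contoso.com', 'contoso.onmicrosoft.com') }
    )
    # Keep the default: when the user is removed from the policy, enterprise
    # data on the device is made unreadable (selective wipe).
    revokeOnUnenrollDisabled       = $false
    protectedApps                  = @(
        @{
            '@odata.type'     = '#microsoft.graph.windowsInformationProtectionDesktopApp'
            displayName       = 'Microsoft Office (desktop, all versions)'
            publisherName     = 'O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
            productName       = '*'
            binaryName        = '*'
            binaryVersionLow  = '*'
            binaryVersionHigh = '*'
            denied            = $false
        }
    )
}

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/windowsInformationProtectionPolicies' `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'

"Created WIP policy $($policy.id) with enforcementLevel $($body.enforcementLevel)"
```

The policy does nothing until it is assigned to a user group (the `assign` action on the same resource, or the Assignments blade in the console). Changing the mode later is a PATCH of `enforcementLevel` on the same policy ID, so moving from Silent to Block after the audit review does not require recreating the policy.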

Windows Information Protection (WIP)

Microsoft describes Windows Information Protection as something that "helps to protect against this potential data leakage without otherwise interfering with the employee experience", the leakage in question being enterprise data ending up in personal apps, personal cloud storage or removable media on the same device. (Microsoft has since announced the deprecation of WIP, so check current Intune and Purview guidance before building a new deployment on it.)

Most of the time, data leakage is a case of attackers, former or current employees, or third parties extracting company-owned data for their own benefit or its resale value. Examples include a recruiter exporting his entire client list to take to a new firm, or an employee copying the projects he worked on so he has a base to continue them as a contractor.

Other cases are entirely accidental, such as an employee copying a file to an unencrypted USB stick and losing it, or emailing it to a personal address so they can work on it later.

Devices enrolled in Intune can have policies set to protect specific files and only allow them to be opened in applications that support information protection, such as the Office suite or Adobe products. Granular usage rights on those files, such as view-only or print-only, come from Azure Information Protection (Rights Management) labels layered on top of WIP rather than from WIP itself.

You can also require that documents only open on Intune-enrolled devices, which sharply reduces the chance of documents leaving the company, whether on purpose or by accident.

Price

If you have enrolled a device in Intune you should already hold the licence for this at no extra cost: it is included in Enterprise Mobility + Security E3. More pricing details can be found here.

Microsoft 365 Intune with Azure AD - Recommended Features

We recently deployed Microsoft Intune in Microsoft 365 for a customer and would like to share some of the product's best features with you.

Intune is for device management, whether the device is a mobile phone, PC or Mac. You control it from your Microsoft 365 tenant and devices check in over any internet connection, so there is no need to bring a PC back to the office to deploy software or settings.

Deploy Intune with Azure AD

We recommend Enterprise Mobility + Security E3 (6.60 GBP per user per month) as the minimum licence. Intune is available on its own as a separate licence, but you will want automatic enrollment (an Azure AD P1 feature included in EMS E3) so that users can join laptops to Azure AD themselves and have the required apps and settings deployed without IT touching the machine.

Windows Update Management

Force PCs to install updates through Windows Update for Business update rings, and use the Intune console as a single place to check update status across all devices. Note that Intune does not provide a WSUS server; devices pull updates from Microsoft directly and Intune only controls the rings, deferrals and deadlines.

Only allow email on enrolled mobile devices

You can set up security so that only devices enrolled in Intune, and reporting as compliant, can receive email. Because the EMS E3 licence includes Azure AD P1, you also get Azure AD Conditional Access, which is where this rule is configured.
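The following is an added example, not code from the original post: it creates the Conditional Access policy just described with the Microsoft Graph PowerShell SDK, scoped to Exchange Online on iOS and Android. It assumes the SDK is installed, the caller holds `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All`, and that the break-glass account object ID is a placeholder you replace with your own emergency-access account.

```powershell
# Added example (not from the original post): Conditional Access policy that
# only lets Intune-enrolled, compliant iOS/Android devices reach Exchange
# Online. Assumptions: Microsoft.Graph SDK installed; caller has
# Policy.ReadWrite.ConditionalAccess and Application.Read.All; the
# break-glass object ID below is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$BreakGlassObjectId  = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account

$params = @{
    displayName = 'Require compliant device for Exchange Online (iOS/Android)'
    # Always start in report-only. The sign-in log then shows who WOULD have
    # been blocked (typically users whose phones are not enrolled yet) so you
    # can fix enrollment before anyone loses mail.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassObjectId)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')   # modern auth, browser and Exchange ActiveSync clients
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # enrolled in Intune AND marked compliant
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
"Created CA policy $($policy.Id) in state $($policy.State)"

# Enforce only after reviewing the report-only results in the sign-in log:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State 'enabled'
```

`compliantDevice` is stricter than "enrolled": a phone that is enrolled but fails its compliance policy (no PIN, jailbroken, OS too old) is refused as well, which is the behaviour you actually want for mailbox access.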

Deploying MSIs is easier than Win32 application deployment

Hopefully most of your company apps ship as MSIs; these are very straightforward to deploy as line-of-business apps. If an app only comes as an .exe, hopefully it has a silent install switch. You then use the Win32 Content Prep Tool (IntuneWinAppUtil.exe) to package the installer and its supporting files into an .intunewin file for deployment. The tricky cases are .exe installers with no silent option, where you have to build an MSI from scratch with packaging software, and then maintain (and ideally sign) that package yourself.
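The following is an added example, not code from the original post: a PowerShell install wrapper for the ".exe with a silent switch" case, which you package with the Win32 Content Prep Tool and call as the app's install command. Because the .intunewin runs as SYSTEM on every targeted PC, the wrapper checks the installer's SHA-256 and Authenticode signature before executing it. It assumes the installer is named `Setup.exe`, takes `/S` as its silent switch (vendor-specific: check the vendor docs), and that the expected hash below is a placeholder for the one you recorded when you vetted the download.

```powershell
# Added example (not from the original post): Intune Win32 install wrapper.
# Assumptions: Setup.exe sits beside this script in the source folder, its
# silent switch is /S, and $ExpectedSha is the hash you recorded when you
# downloaded and vetted the installer (placeholder value here).

param(
    [string]$Installer   = 'Setup.exe',
    [string]$ExpectedSha = '0000000000000000000000000000000000000000000000000000000000000000',
    [string]$LogRoot     = "$env:ProgramData\Contoso\Intune"
)

New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
Start-Transcript -Path (Join-Path $LogRoot 'Install-ExampleApp.log') -Append
$exitCode = 1

try {
    $path = Join-Path $PSScriptRoot $Installer

    # Supply-chain check 1: the package must still contain the binary you vetted.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha.ToUpperInvariant()) {
        throw "Hash mismatch for ${Installer}: expected $ExpectedSha, got $actual"
    }

    # Supply-chain check 2: the installer must carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is $($sig.Status), refusing to run"
    }
    "Installer signed by: $($sig.SignerCertificate.Subject)"

    $proc = Start-Process -FilePath $path -ArgumentList '/S' -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { 'Install succeeded' }
        3010    { 'Install succeeded, reboot required' }   # Intune treats 3010 as a soft reboot
        default { throw "Installer exited with code $($proc.ExitCode)" }
    }
    $exitCode = $proc.ExitCode
}
catch {
    Write-Error $_
    $exitCode = 1
}
finally {
    Stop-Transcript
}

exit $exitCode
```

Package it with `IntuneWinAppUtil.exe -c .\Source -s Install-ExampleApp.ps1 -o .\Output -q`, set the Intune install command to `powershell.exe -ExecutionPolicy Bypass -NoProfile -File Install-ExampleApp.ps1`, and use a registry or file detection rule that the installer itself creates (for example its entry under the Uninstall key) rather than the transcript log, so a failed install is never reported as success.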

Useful items to configure with Intune

Thanks to PowerShell and the Win32 Content Prep Tool we found practically no limit to what we could deploy; we replicated a full standard Group Policy deployment and more:

  • Rename the PC using the company name plus the serial number or a random number

  • Create a local admin account in case the PC falls off the Azure AD domain (do not hard-code the password in the script: deployed scripts are cached and logged on the device and are readable there; generate a per-device random password and escrow it instead)

  • Enable BitLocker

  • Deploy email signatures with "mail merge" details pulled from AD

  • Add firewall policies

  • Deploy fonts

  • Deploy Outlook settings

  • Deploy printers with drivers

  • Deploy drive shares (mapped network drives)
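The following is an added example, not code from the original post: an Intune PowerShell script for the first item in the list, renaming the PC to `<PREFIX>-<serial>`. It handles the two things that break naive versions: serials containing characters that are illegal in computer names (or placeholder serials such as "To be filled by O.E.M." on VMs and some OEM boards), and the 15-character NetBIOS limit. `CONTOSO` is an assumed placeholder prefix.

```powershell
# Added example (not from the original post): rename the PC to PREFIX-<serial>
# from an Intune PowerShell script running as SYSTEM. "CONTOSO" is a placeholder.

function Get-IntuneComputerName {
    param(
        [Parameter(Mandatory)] [string]$Prefix,
        [Parameter(Mandatory)] [string]$Serial
    )
    # Keep letters and digits only; hyphen is the only other legal character
    # and we use it as the separator.
    $clean = ($Serial -replace '[^A-Za-z0-9]', '').ToUpperInvariant()

    # VMs and some OEM boards report a placeholder instead of a serial.
    if ($clean.Length -lt 4 -or $clean -match '^(TOBEFILLEDBYOEM|SYSTEMSERIALNUMBER|DEFAULTSTRING|0+)$') {
        $clean = -join ((1..8) | ForEach-Object { '{0:X}' -f (Get-Random -Maximum 16) })
    }

    $maxSerial = 15 - ($Prefix.Length + 1)   # NetBIOS names are at most 15 characters
    if ($maxSerial -lt 4) { throw "Prefix '$Prefix' leaves too little room for a serial" }
    if ($clean.Length -gt $maxSerial) {
        # Keep the rightmost characters: OEM serials vary most at the end.
        $clean = $clean.Substring($clean.Length - $maxSerial)
    }
    return "$Prefix-$clean"
}

$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$newName = Get-IntuneComputerName -Prefix 'CONTOSO' -Serial $serial

if ($env:COMPUTERNAME -eq $newName) {
    "Already named $newName, nothing to do"
    exit 0
}

# Rename-Computer does not reboot by itself; the new name applies at the next
# restart, so the user's current session is not interrupted.
Rename-Computer -NewName $newName -Force
"Renamed $env:COMPUTERNAME to $newName (takes effect after reboot)"
exit 0
```

Assign the script to devices rather than users and leave "Run this script using the logged on credentials" off, since Rename-Computer needs SYSTEM rights. After the reboot the device re-registers with Azure AD under its new name.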

Microsoft 365 Intune with EMS

If your organisation has Office 365 with Enterprise Mobility + Security (EMS), you are probably already familiar with Intune, Microsoft's solution for mobile device and application management.


Azure AD (included in EMS) can act as a single sign-on solution for over 1,200 software-as-a-service cloud applications such as Salesforce and Box, across devices and browsers.

Azure Active Directory Premium gives you identity management in the cloud, so you do not need on-premises servers to manage users, groups and devices. It is not a drop-in replacement for on-premises Active Directory (there is no LDAP, Kerberos or Group Policy without Azure AD Domain Services); see here for a full list of the differences.

Users can request group membership from the group's owner, who approves it from the cloud portal.

Password resets can be done in the cloud and automated as self-service, which cuts the time users wait for a fix and the load on helpdesk staff.

Intune is also the go-to solution for managing shared tablets in limited-use (kiosk) mode. With Intune you can bulk-provision, secure and centrally manage shared tablets configured to run in limited-use mode.


This makes IT's job a lot easier: you do not have to configure settings on individual tablets, and you do not have to do anything differently from how you manage devices that are not in limited-use mode. With Intune, your transactions, inventory and other information are protected no matter what the tablets are used for.