Secure your organization’s mobile devices using Microsoft Intune, which provides mobile device management capabilities.
Part two of a series.
In a previous post, I explained how Mobile Applications Management (MAM) works with Microsoft Intune. MAM is all about managing and securing data from an application.
But what about the rest of the mobile device? Well, that’s where Mobile Device Management (MDM) comes into play.
Mobile Device Management
Whether your employees are using an iOS, Android or Windows mobile device, Intune can provide easy-to-use management for your organization’s security needs.
In June 2017, Microsoft completed a major overhaul of the Intune platform migrating it from its own Silverlight console to Microsoft Azure. This major overhaul includes new features to make deployment of Intune easier. It makes deploying policies faster and reporting much more effective.
I’d like to cover some major features to get you started with simple MDM features.
Adding Devices to Intune
To assist with automating the enrollment of devices to Intune, Microsoft has added the ability to use Dynamic Azure Active Directory groups. This allows users to choose the type of Device they are enrolling in Intune.
When a user installs and enrolls their device with Intune, they can select a pre-defined Category (an Intune Console setting). For example, you can separate devices used for the sales team from devices used by the marketing team.
A Dynamic Azure AD group then reads the Category that was assigned to that device when the user enrolled it, and adds the device to that Active Directory group. You can assign the Dynamic Azure AD group to any of the policies you may have defined in Intune. This greatly simplifies the administrative overhead for administrators who may need to enroll thousands of users.
Apply a Configuration Policy
One of the points of MDM is to ensure your users are not abusing their mobile devices by weakening security (such as no passcode to unlock or waiting hours to lock the device), or installing apps that have nothing to do with their work.
A configuration policy will allow you to define what users can and cannot do with their mobile device. You can setup restrictions to lock down the devices and even provide configuration policies to require email profiles, VPN profiles, or even WIFI profiles.
Apply a Compliance Policy
Once you have assigned a device what it can or cannot do, next you need to implement policies to ensure the device is also compliant at all times.
For example, what happens to a device if it is jail-broken or rooted? What if someone tries to change their passcode length to something shorter than allowed?
Compliance policies ensure that the device always meets the policies you have set, and can automatically evaluate the perceived threat level of a device.
Apply a Conditional Access Policy
If you have specific security requirements for certain users, you can create a “Conditional” access policy.
Perhaps you only want your engineers to be able to access files on OneDrive while they’re on the company’s network. With Conditional access policies, you can define rules such as that one to determine who can use what apps, in what location, and on which platform.
You can implement extremely granular permissions as your organization needs them.
Intune also provides reports on device users, including the hardware and apps installed on the device. This way you can gain insights on the policies deployed to the device, and determine errors on policies that could not be deployed.
There is so much more in the platform besides what I have covered here today.
Intune is a part of the Enterprise Mobility and Security license, which is an add-on to Office 365. Find more licensing details here.