The way businesses utilize technology has changed significantly over the last few decades. No longer are individuals confined to their desks so that they can use physical desktops for work. With the advent of Bring-Your-Own-Device (BYOD) policies, plenty of organizations are now having employees use personal devices to do their work as well. This gives individuals greater flexibility regarding when, where, and how they can complete their work-related tasks.
However, despite the countless benefits this scenario presents, there is still the issue of organizations securing their data. This is why Microsoft Intune is so important as a cloud-based device and application management solution that gives the organization control over who can access its resources and how. Following on from the previous blogs on planning and designing your Intune environment, today I’ll be continuing our look into Intune.
One of the most important areas that your organization should be looking at is identity management. Without this, your organizational security will not be as strong as it should be. When we talk about identity management, this will also refer to all the various user accounts and groups that will be able to access the organization’s resources. It is the role of admins to ensure that identity management is done properly and the responsibilities will include:
- Management of account memberships.
- Management of settings that affect user identities.
- Authorizing as well as authenticating access to resources.
- Securing and protecting the identities from actors with nefarious intentions.
The advantage that comes with using Microsoft Intune is that it will carry out all these tasks for you and plenty more. Because it’s a cloud-based platform, Intune can use policies such as security and authentication policies for identity management.
Scenario with existing users and groups
Management of users and groups forms a significant part of endpoint management and if you already have some existing then Intune can help. For organizations with on-premises environments, your user accounts and groups are created and managed in an on-prem Active Directory. And by using any domain controller in the domain, you can quite easily update the users and groups.
When it comes to Intune, you’ll find a central location for user and group management within the Endpoint Manager admin center. Since this admin center is web-based, access to it can be obtained through any device connected to the internet. As an admin, all you need is to sign in with your Intune administrator account. Getting the user accounts and groups into Intune can be done via several methods:
- For users of Microsoft 365 with users and groups in the Microsoft 365 admin center, you’ll also find the users and groups in the Endpoint Manager admin center. For users that may have multiple tenants, you’ll need to sign in to the Endpoint Manager admin center, And you’ll do so in the same Microsoft 365 tenant as your existing users and groups.
- Those with on-prem Active Directory can use Azure AD Connect to synchronize on-prem AD accounts to Azure AD. And then once these accounts are in Azure AD, you’ll also find them in the Endpoint Manager admin center.
- Users and groups can also be imported into the Endpoint Manager admin center from a CSV file. Alternatively, you have the option of creating users and groups from scratch. To create a more structured situation, you can add users and devices to the groups that you add and organize them according to your chosen criteria, for example, location, hardware, department, etc.
Move from machine accounts
A computer account is automatically created every time a Windows endpoint joins an on-premises AD domain. This account can then be used for authenticating on-premises programs, services, and apps. However, you should note that machine accounts are strictly local and so you cannot use them on Azure AD-joined devices. So, in such a case, you would have to opt for user-based authentication to authenticate to on-premises programs, services, and apps.
Roles and permissions control access
Role-based access control (RBAC) is the feature that is used in Intune and the selection of who will have access to what resources is determined by the roles you assign. This will also set the rules clarifying what users can do with those resources. There are some built-in roles that you can find in the Endpoint Manager admin center whose focus is endpoint management. Among these are Policy and Profile Manager, Application, etc.
If necessary, roles will have their read, update, create, or delete permissions but in cases where admins may need specific permissions, custom roles can be created.
Create user affinity when devices enroll
Devices will become associated with a particular user the first time they sign in and this feature is what is known as affinity. This is particularly convenient because users will have available on all their devices all the policies assigned or deployed to their user identities.
Therefore, once associated with a device users will have access to their files, apps, email accounts, and more. Without this association, devices will be categorized as having no user which is often the case with kiosk devices that are focused on specific tasks as well as devices that are used by multiple individuals.
Regardless of which scenario you are dealing with, Intune allows for the creation of the appropriate policies on Windows, macOS, Android, and iOS. So, you’ll need to first establish the intended purpose of a device before proceeding with placing it under management so that you’ll have all the necessary information during enrollment.
Policy assignment with Microsoft Intune
On-premises and cloud-based scenarios have a few differences when it comes to policies. For on-premises scenarios, there are both domain and local accounts, and these accounts will then have group policies and permissions deployed to them at the local, site, domain, or OU level (LSDOU). There is a hierarchy that is followed with OU policies overwriting domain policies, and then domain policies overwriting site policies, and so on.
Alternatively, when it comes to Intune, any policies created therein will have settings for controlling security rules, device features, etc. Users and groups will have these policies assigned to them and unlike with LSDOU, there is no hierarchy.
Management of Windows, macOS, and iOS devices is simplified by the availability of the thousands of management settings that you get in the Intune settings catalogue. Using this settings catalogue will prove to be a relatively easy transition for those using on-premises Group Policy Objects (GPOs).
User identities need to maintain the highest level of security because they are used to access your organization’s resources. Therefore, you need to have measures in place to reduce the risk of unwanted actors potentially accessing these identities. Some of the things you can look at include:
- Options that promote a password-less strategy such as Windows Hello for Business that does away with username and password sign-in. This will improve security because by entering a password on your device it will then be transmitted over a network where it can be vulnerable to interception. Not only that but if certain servers are compromised countless stored credentials can be exposed.
Windows Hello for Business
With Windows Hello for Business users have the option of signing in and then authenticating using biometrics. The advantage that this method gives you is that all this information will be stored locally on the device thus eliminating the risk of transmitted data being intercepted. Once you have Windows Hello for Business deployed to your environment, you can now use Intune to create the necessary policies for your devices to configure PIN settings, allow biometrics, and more.
- Another option in the password-less strategy category is certificate-based authentication. By using certificates, you can authenticate users to apps and organization resources via Wi-Fi, a VPN, or email profiles. Therefore, certificates offer great simplicity by eliminating the need for entering usernames and passwords.
- Next on the list is multi-factor authentication (MFA) which is a feature that you get with Azure AD. As the name suggests, this is an option that will require at least two different verification methods for successful authentication. Once you have MFA deployed to your environment, you could also make it a requirement for enrolling devices into Intune.
- Lastly, you can also consider Zero Trust which is a feature that will verify all endpoints, devices, and apps included. By leveraging this option, organizations can significantly reduce the chances of data leaving the organization whether intentionally or by accident. The objective here is to ensure that your organization’s data remains internal.
Device management with Microsoft Intune
Microsoft Intune gives organizations a cloud-based service that is designed to make the colossal task of device management something that is much. Otherwise, you may look at all the laptops, tablets, and mobile phones in your environment and it may be daunting to even think about where to start.
Fortunately, with Intune, you get several policies that enable you to control your organization’s devices. These will help you to manage both organization-owned and personal devices in such a way as to ensure that the organization’s data remains secure. There are several elements that you need to consider when looking at your device management strategy.
Management of personal and organization-owned devices
Plenty of organizations nowadays have embraced Bring-Your-Own-Device policies as part of their overall IT strategies going forward. And allowing employees to access organizational resources using personal devices gives them greater flexibility in how they conduct their work.
Also, it can help the organization save money on purchasing devices for employees. To ensure the security of your organization you can request users to enroll their devices in the organization’s device management services. Admins can then deploy policies and configure device features among other things on these devices.
Alternatively, you can protect app data by leveraging app protection policies like SharePoint and Outlook. Another option you could consider is to combine both of these solutions. When it comes to organization-owned devices it’s a completely different situation because they should be fully managed by the organization.
New and existing devices
Intune allows you to use both new and existing devices. In addition, there is support for multiple platforms including Windows, macOS, Linux, Android, and iOS/iPadOS. However, a few changes could be necessary such as in the case of devices that have another MDM provider which may need a factory reset. Another concern could be that of devices that are still running older OS versions as they may not be supported.
Compliance health status
You need to verify the compliance health of your devices because it is a very important part of managing devices. For your organization to maintain high levels of security it needs to enforce the use of password/PIN rules as well as verify security features on devices.
The role of compliance is to evaluate which devices are compliant with your requirements and which are not. Your organization will be responsible for creating compliance policies that enforce your minimum requirements. This can include ensuring that there is a minimum OS version, blocking simple passwords, etc.
And when you combine these policies with built-in reporting, you’ll not only see which devices are falling under the non-compliant category but which settings exactly are causing them to be non-compliant. What this will do is give you a clear picture of the status of the devices that have access to organizational resources. With Azure AD you also get conditional access which is a solution that enables you to enforce compliance as well as block access to any non-compliant devices.
Controlling device features and assignment of policies
The policies that you can create with Microsoft Intune enable you to control any number of device features. You can also have device groups and with these, your organization can create policies targeted at the device experience or task.
Additionally, you may also create policies with settings that you want to be permanently established on a particular device regardless of the user. Devices can be placed in groups that you can differentiate based on any chosen criteria. These can be things like OS platform, location, function, etc.
Furthermore, groups may contain devices that are shared by multiple users and thus are not associated with one specific user. Generally, we find these dedicated or kiosk devices being targeted at frontline staff but they can also be managed by Intune. Assignment of policies to device groups can be carried out as soon as the groups are ready.
Securing your devices with Microsoft Intune
There are several measures you can take to secure your devices against attacks. These measures can include enabling security features and installing tools like antivirus solutions. Intune can offer your organization additional features to further enhance your security.
Mobile Threat Defense integration
To increase security for both organization-owned and personal devices, Intune enables integration with Mobile Threat Defense (MTD) partners. MTD services operate by scanning your devices and then assisting in addressing any detected vulnerabilities. And these MTD partners will also support the same platforms that are supported by Intune including Windows, macOS, Android, and iOS/iPadOS.
Using security baselines
Another thing that you should be doing is using security baselines on your Windows devices. These pre-configured Windows settings enable you to secure and protect your users and devices by giving you more granular control over security configurations. Not only will you get better overall control but each baseline that you deploy can be customized to apply the settings and values that you want. Therefore, you can take advantage of this to configure your settings specifically for your organization.
Built-in policy settings
You can also leverage built-in policy settings to perform several tasks such as encrypting hard disks, managing software updates, configuring built-in firewalls, etc. Furthermore, you can take advantage of the cloud service known as Windows Autopatch to enhance the security and productivity of your organization. It does this by automating aspects such as the patching of Windows and the updating of Microsoft 365 Apps for enterprise, Windows, Microsoft Teams, and Microsoft Edge.
Lastly, you can use the Endpoint Manager admin center to manage your devices remotely. There are plenty of actions that can be performed remotely and these include locating lost devices, locking or restarting devices, restoring devices to factory settings, and more. Having the option of remote management can be very useful, especially in instances where devices are lost, stolen, or need remote troubleshooting.
We cannot talk about securing an organization’s data if we don’t first address the issue of protecting apps and the data they contain. App management often comes with significant challenges because of where users may source apps that they use to access your organization’s resources. Not to mention LOB apps that need careful management to help secure company data. And this is where Intune can play a key role in facilitating the management of these apps and thus improving your overall security.
Your organization can use several different types of apps such as LOB apps, web apps, store apps, etc. Intune makes life easier for you by enabling you to add apps and then deploy them to your devices using the app management policy. The Endpoint Manager admin center has app features that are designed to simplify the process of deploying various types of apps across multiple platforms such as:
Through the Endpoint Manager admin center, you’ll get an automatic connection to the Play Store where you can search for apps. Additionally, you can sync with your Managed Google Play account thus gaining access to your Android Enterprise apps. There’s plenty you can deploy on Android devices such as custom LOB apps, public and retail apps from the Play Store, Android Enterprise system apps, and more.
Through the Endpoint Manager admin center, you’ll get an automatic connection to the Play Store where you can search for apps. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. Similar to Android devices, you can deploy plenty of apps such as custom LOB apps, public and retail apps from the App Store, built-in apps, and more.
You’ll find built-in features in the Endpoint Manager admin center that have apps that plenty of users deploy to macOS. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. For macOS devices, you can deploy custom LOB apps, Microsoft Defender for Endpoint, Apple disk image apps, Microsoft 365 apps, volume-licensed apps, and more.
Through the Endpoint Manager admin center, you’ll get an automatic connection to the public Microsoft Store where you can search for apps. Furthermore, you can sync with your Microsoft Store for Business account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. When it comes to Windows devices, you can deploy custom LOB apps, volume-licensed apps, Win32 apps, public and retail apps in the Microsoft Store, and more.
In an ideal scenario, you want to configure apps before they are installed as this will allow you to set them up the way your organization wants. Otherwise, if apps are deployed to users and devices and then they are required to enter configuration information it may end up creating problems.
So, the best thing for you to do may be to leverage app configuration policies that enable the automatic configuration of apps. You can even make your policies such that users won’t need to enter any information. Moreover, with app configuration policies you get the flexibility to deploy them at any time.
So, something you can do is to include the app configuration policy when users enroll their devices thus allowing you to complete the configuration of apps before users open them the first time.
Another key part of your organization’s security is ensuring that apps are protected on both organization-owned and personal devices. The data in apps that have access to your organization’s data needs to be secured from malicious activity. With this in mind, we can easily see the importance of app protection policies that will help you to secure shared files, email, access to meetings, etc.
App protection policies can be created, configured, and deployed to your users and devices using Microsoft Intune. And this applies not only to personal devices but to devices that may be under the management of another MDM provider as well. As far as organization-owned devices are concerned, they are commonly managed by the organization so app security is not an issue.
However, when these devices may have certain apps that require additional security, app protection policies can also be used. These policies also come in handy when it comes to separating users’ personal data from the organization’s data. Therefore, you’ll have the option to set up policies that require a PIN for opening apps, prevent copy-and-paste between apps, and any other features you may deem necessary.
We all know about the importance of updating our apps for maintaining security standards and improving performance. To make things simpler, when using Intune most apps will get an automatic update if one happens to be available. As already mentioned earlier, Windows Autopatch is another solution that you can use for the automatic patching of Microsoft Edge, Microsoft 365 Apps for enterprise, and Microsoft Teams.
Whenever users install apps themselves, they will need to assume the responsibility of ensuring that these apps are manually updated. And this includes apps that they install from a public app store.
Your organization will want to protect its data and so the best solution, in this case, maybe to use app protection policies. By using these policies, you can enforce minimum app versions as well as wipe the organization’s data from any devices that do not comply with your requirements.
Next, I want to look at the measures available in Intune to enhance your organization’s endpoint security. Security admins will find in Intune an Endpoint security node that can be used for configuring device security as well as managing security tasks for devices at risk. The comprehensive Endpoint security policies that you get will help you to enhance device security and mitigate risk. Admins will also get via Intune several tools designed for securing devices:
- You can use the All devices view to verify the status of all managed devices and assess compliance.
- You can utilize security baselines to implement standard security configurations for devices.
- The management of security configurations on devices can be done through strict policies.
- By using compliance policies, you can set the requirements for your devices and users. And this means that you determine the rules that users and devices need to follow for them to be compliant.
- If you integrate Intune with Microsoft Defender for Endpoint this will allow you access to security tasks. The link that exists between Intune and Microsoft Defender for Endpoint due to these security tasks will enable your security team to detect at-risk devices. Subsequently, your Intune admins will then get the necessary information to implement remediation measures.
There is an All devices view section in the Endpoint security node that has a list of all devices from your Azure AD that are available in Microsoft Endpoint Manager. Using this section can allow you to review the status of devices for information such as the policies that they are not compliant with. Additionally, there are several actions that you can take from this view to remediate various device issues and this can include restarting devices, scanning for malware, and more.
Manage security baselines
Using security baselines is a great way to implement best practice recommendations from the relevant Microsoft security teams. The security baselines for Microsoft Edge, Windows 10/11 device settings, and Microsoft Defender for Endpoint Protection among others are supported by Intune. Leveraging security baselines enables you to quickly deploy the most ideal configuration of device and application settings to improve the security of users and devices.
However, it’s important to note that these baselines are for devices running Windows 10 version 1809 and later, as well as Windows 11. Another thing to note is that you can have several different methods in your environment for device configuration. So, when looking at the management of settings, you need to first establish what other methods may be in use to prevent problems.
Defender for Endpoint tasks
If you have integrated Intune with Microsoft Defender for Endpoint, you’ll have the option to assess Security tasks in Intune to identify devices that are at risk. With that done, you’ll have the information necessary to mitigate the risk. And then after you have successfully mitigated the risks, these tasks can be used to report back to Microsoft Defender for Endpoint.
- The Defender for Endpoint team begins by reviewing which devices are at risk and then sends that information along to your Intune team as a security task. The process is a relatively simple one that will see a security task being created to identify the at-risk devices and their vulnerabilities, as well as provide the information necessary to mitigate the risk.
- Once the information is passed along, the Intune Admins will review the security tasks before implementing actions within Intune to begin remediating the tasks. After the mitigation has been carried out, the task is set as complete and this will report the update back to the Defender for Endpoint team.
Using policies to manage device security
In the Endpoint security node under the Manage section, you will find security policies. If you are a security admin, these are policies that you will want to consider using to simplify the process of configuring device security. Otherwise, the process can involve a lot more work. For example, you may need to go through the vast number of settings in device configuration profiles or security baselines.
It’s also worth noting that these Endpoint security policies are only one of several methods in Intune that can be used for configuring settings on devices. So you’ll need to first verify what other methods may be in use to prevent problems.
Furthermore, under the same Manage section, you’ll also find Conditional Access and Device compliance policies. These two types of policies aren’t involved in the configuration of endpoints. But they do play a key role in device management and controlling access to your organization’s resources.
Use device compliance policy
These policies set the conditions for users and devices to have access to your organization’s resources. Common policy rules include, enforcing password requirements and requiring specific OS versions, among others. These policies also carry out various actions against non-compliant devices. For example, they’ll notify device users and going as far as retiring non-compliant devices. Also, just like other policies, you’ll want to verify what other methods may be in use in your environment so you can avoid policy conflicts.
Configuration of conditional access
Using Azure AD Conditional Access policies with Intune can enable you to enhance security for your devices and your organization’s resources. After an assessment of your environment has been carried out, Intune will then forward a report concerning device compliance policies to Azure AD.
The latter will then use conditional access policies to determine which devices and apps will be granted access to your organization’s resources. Conditional access policies may also be used to control access for devices that are not under Intune management. You will most likely be using device-based conditional access or app-based conditional access with Intune.
Set up Integration with Microsoft Defender for Endpoint
If you want to improve how your organization identifies risks and responds to them then integrating Microsoft Defender for Endpoint would be ideal. There are several MTD partners that Intune can integrate with to improve security.
However, by integrating Intune and Defender for Endpoint, you get additional benefits. These include access to Tamper Protection capabilities, security tasks, and streamlined onboarding for Defender for Endpoint on clients. Additionally, you’ll have access to Defender for Endpoint device risk signals in Intune compliance policies and app protection policies.
Pre-requisites for role-based access control
The management of tasks in the Endpoint security node of the Intune admin center requires you to have an account that has a license for Intune. In addition, the account should also have RBAC permissions that are equal to the permissions that you find in the built-in Intune role of Endpoint Security Manager. Access to the Intune admin center is something that you’ll obtain because of the Endpoint Security Manager role. Anyone responsible for the management of security and compliance features can utilize this role.
Permissions granted by the Endpoint Security Manager role
|Android for work
|Corporate device identifiers
|Device compliance policies
|AssignCreateDeleteReadUpdate View reports
|Device enrollment managers
|Endpoint protection reports
|Read deviceRead profileRead token
|Intune data warehouse
|DeleteReadSet primary userUpdateView reports
|Microsoft Defender ATP
|Microsoft Store for Business
|Mobile Threat Defense
|Partner device management
|Remote assistance connectors
|Get FileVault keyInitiate Configuration Manager actionReboot nowRemote lockRotate BitLockerKeys (Preview)Rotate FileVault keyShut downSync devicesWindows defender
|Terms and conditions
|Windows Enterprise Certificate
Avoid Policy Conflicts
In Microsoft Intune, what you’ll find out is that plenty of the configurable settings for the various devices can also be managed by different features. Some of the features on this list include device configuration policies, security baselines, Windows enrollment policies, and endpoint security policies among others.
A scenario that you can consider is that of Endpoint security policies with settings that are a subset of the settings that you’ll also find in endpoint protection and device restriction profiles in the device configuration policy. You should keep in mind that they are managed through various security baselines.
So, if you want to steer clear of conflicts then you must avoid using different baselines, instances of the same baseline, or different policy types and instances to manage the same settings on a device. Achieving this will require meticulous planning so that you clearly determine which methods will be used for configuration deployment. Fortunately, however, if you do encounter conflicts Intune has built-in tools that enable you to identify and resolve those conflicts.
The modern work environment has a lot going on in the IT department and this can be overwhelming for IT staff. With the advent of Bring-Your-Own-Device policies, no longer are you only concerned about physical desktops in the office. Employees have tablets, mobile devices, and personal laptops that can be used for work-related tasks. With that being the case, it means that these devices need to have access to organizational resources. And this is when security concerns become an issue.
This is why it’s important to have management solutions such as Microsoft Intune. Using this cloud-based platform gives you a solution that simplifies the management of the vast number of devices that have access to your organization’s data.
Additionally, you benefit from numerous management policies that ensure that all those devices are compliant with company regulations thus maintaining a high level of security for your company’s data. So, whether or not you already have a management solution in place, Intune is certainly worth considering.