Microsoft Intune: Security Policies and Security Hardening
Microsoft Intune is one of the most important parts of your device management strategy if you are running an Azure and/or Microsoft workplace. Intune allows you to roll out Windows installations and standard operating environments across machines easily, manage mobile devices (BYOD or company owned, Android or iOS), remotely update to the latest software versions, and ensure enterprise-level security across the diverse device landscape that is your workplace.
It’s the security aspect of Intune that we will be focusing on in this piece today, in particular the endpoint security policies and hardening that can be used with Intune.
Let’s take a look.
Intune Security Policies: Identity Management
Due to the diverse nature of devices, apps, and location access, we now need to extend identity management past the perimeter of the building. The same sort of identity management protocols that we use on our internal systems now need to be applied to remote access devices and cloud applications.
This is possible by using Azure Active Directory combined with Intune. Azure AD groups can be used to assign your users to different security settings groups. For instance, senior managers are often higher-value targets for attackers and so need a heightened security profile. HR staff have access to personally identifying information across the organisation, so they need specific settings in place for their access to those resources.
Having users in different groups also means you can control whether particular users can download certain workplace apps, or the information that they can access on them.
Intune Security Hardening: App Protection Policies
App protection policies are a feature of Intune that allow you to effectively manage your corporate information within company-managed apps covered by Intune. This means that security is managed at the app level. You can use this type of protection regardless of your other Mobile Device Management configuration.
This includes features like disallowing data movement or access, plus in-app restrictions depending on the user group. This is called Intune Mobile Application Management. It is particularly important for corporate data protection on employee-owned devices (BYOD).
Let’s say your employee uses mobile Word for work purposes but also for personal use. By applying app protection, you are able to disallow certain features of the app only when your employee is logged in under their enterprise account. When they want to use it for personal purposes, they simply log out of their enterprise account and have full access to features again.
With this configuration, corporate data and personal data cannot accidentally intermingle. App protection can also prevent any corporate data from being stored on the device at all.
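The data-movement and storage controls described above are ordinary settings on an app protection policy, so they can be audited like any other configuration. The following is an added example, not Microsoft's code or anything from the original article: it checks a policy object against a small hardening checklist and shows the weak draft beside its corrected form. The property names (saveAsBlocked, allowedOutboundDataTransferDestinations, allowedDataStorageLocations and so on) are those of the Microsoft Graph managedAppProtection resource; the checklist, the two sample policies and the P90D offline-wipe period are constructed for this illustration and should be tuned to your own standard.

```python
"""Audit an Intune app protection (MAM) policy for the data-movement controls
discussed in the article.  Added example, not Microsoft's code: property names
follow the Microsoft Graph managedAppProtection resource; the checklist and
both sample policies are constructed for illustration."""
from __future__ import annotations

from typing import Any, Callable

# Constructed sample: a permissive draft policy, shaped like an object returned by
# GET /deviceAppManagement/iosManagedAppProtections (values are illustrative).
WEAK_POLICY: dict[str, Any] = {
    "displayName": "BYOD - Office apps (draft)",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint", "localStorage"],
    "dataBackupBlocked": False,
    "pinRequired": False,
    "organizationalCredentialsRequired": False,
    # periodOfflineBeforeWipeIsEnforced is deliberately absent from the draft
}

# Hypothetical hardening set: keep corporate data inside managed apps and off the
# device, matching the BYOD behaviour the article describes.
HARDENED_SETTINGS: dict[str, Any] = {
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "dataBackupBlocked": True,
    "pinRequired": True,
    "organizationalCredentialsRequired": True,
    "periodOfflineBeforeWipeIsEnforced": "P90D",  # ISO 8601 duration, constructed value
}

# (setting, predicate that returns True when the value is acceptable, finding text)
CHECKS: list[tuple[str, Callable[[Any], bool], str]] = [
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "corporate data can be sent to unmanaged apps"),
    ("allowedInboundDataTransferSources", lambda v: v in ("managedApps", "none"),
     "data from unmanaged apps can enter managed apps"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v != "allApps",
     "clipboard can carry corporate data to any app"),
    ("saveAsBlocked", lambda v: v is True,
     "Save As to arbitrary locations is allowed"),
    ("allowedDataStorageLocations", lambda v: "localStorage" not in v,
     "corporate data may be saved to local device storage"),
    ("dataBackupBlocked", lambda v: v is True,
     "app data can flow into device backups"),
    ("pinRequired", lambda v: v is True,
     "no app PIN is required to open corporate data"),
    ("organizationalCredentialsRequired", lambda v: v is True,
     "app can be used without a work account signed in"),
    ("periodOfflineBeforeWipeIsEnforced", lambda v: isinstance(v, str) and v.startswith("P"),
     "data on a device that never checks in is never wiped"),
]


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Return one finding per failed check; an empty list means the policy passes."""
    findings: list[str] = []
    for setting, acceptable, message in CHECKS:
        if setting not in policy:
            findings.append(f"{setting}: not configured; {message}")
        elif not acceptable(policy[setting]):
            findings.append(f"{setting}={policy[setting]!r}: {message}")
    return findings


def harden_policy(policy: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the policy with HARDENED_SETTINGS applied; the input is untouched."""
    return {**policy, **HARDENED_SETTINGS}


if __name__ == "__main__":
    for label, candidate in (("weak draft", WEAK_POLICY), ("hardened", harden_policy(WEAK_POLICY))):
        findings = audit_policy(candidate)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a policy exported from your tenant to see which of these controls are still open; the hardened copy is what you would then PATCH back, with the wipe period and storage locations adjusted to your own requirements.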
There is a range of Microsoft apps that can use app protection policies, including Excel, Power Automate, Outlook, PowerPoint, Word, and more. There are also plenty of third-party apps that can be managed: Adobe Acrobat Reader, SAP Fiori, Tableau Mobile for Intune, Zoom for Intune, and others. Check Microsoft's list of Intune-protected apps for the full set of supported apps.
To read more about mobile app protection policies and how they work, head over to Microsoft’s App protection policies overview page.
Intune Security Hardening: Mobile Device Management Security Baselines
MDM (Mobile Device Management) security baseline settings are a feature of Intune that is currently available for Windows 10 devices. Currently this includes Windows desktops, laptops, tablets, and legacy Windows phones that run the Windows 10 operating system. Versions for Android and iOS are currently in the works but not available as yet.
MDM security baseline settings are defaults that Microsoft recommends for businesses managing the security of remote devices. The MDM Security Baseline for September 2020 is the current version; as security threats advance, Microsoft will update these default settings, so organisations should ensure they are always on the latest baseline.
It’s recommended to use the MDM security baseline settings within your organisation. They provide a good level of security for devices and can always be reconfigured to meet your own security standards by altering the profile.
To read about all the security settings included, visit Windows MDM security baseline settings for Intune at Microsoft.
Assistance with your Security Settings
We are proud to be a Microsoft Certified Partner, helping organisations to better manage their Microsoft configurations including security settings across devices. If you would like assistance in hardening your security defences across devices used by your employees, then we would love to help. Get in touch to learn more about our security packages and how we can make your business operations secure across any environment.