Enterprise Device Management with Microsoft
Shaun Struik
Experienced ICT Leader with a passion for digital transformation, repeatability, and scalability.
Mobile Device Management (MDM) is a broad term that covers many aspects of managing technology. MDM was designed initially for mobile telephony devices, but as the way we work has evolved, with hybrid work, remote work and BYOD becoming the norm, all user technology is now considered ‘mobile’. MDM and MAM (Mobile Application Management) have taken a lead role in the deployment and management of user technology. IT departments can no longer rely on devices being polled on the corporate LAN for maintenance, security updates or troubleshooting, and traditional compute deployment and management solutions are being replaced.
End user devices pose a high risk to organisations: the majority of security breaches originate from human error, and Gartner has identified that over 80% of security breaches are a result of misconfigured cloud technology. Controlling what can and can’t be done, and controlling access to corporate resources, will help greatly with data loss prevention and securing your environment. Impersonation of your staff is a great risk; without proper security practices in place, a password shared by mistake can have a grave effect on your organisation. Proper configuration of your cloud management technologies will give you the best chance of preventing intrusions and data breaches.
MDM configuration should be treated as a dial based on a risk & productivity balance. Different levels of security and configuration automation can be applied via configuration profiles to all or selected users and / or devices based on need.
When configured correctly, MDM will not only provide security but enhance efficiency, collaboration and how users interact with each other, devices and data, and overall, save you money. MDM can completely automate many aspects, with zero touch from the IT department. Some examples are given below.
MDM deployments, when correctly configured, are very repeatable and scalable: once the rule sets are deployed, you can manage 50 to 50,000 devices in the same way without adjusting settings.
Microsoft Office 365 Endpoint Manager is a feature rich solution that allows management of nearly all device types. Setting up a robust MDM and MAM solution is all about setting up identity and device access security properly.
Security
There are numerous security features available that can be used in conjunction with each other to ensure only the right people have access to your data, and that the system is governed and auditable.
Security Groups
Security groups are the backbone of Microsoft security governance and compliance. Security groups can be based on either users or devices; they can cover all users or all devices, or be created manually or dynamically from simple or complex rule sets based on user or device characteristics. Once the security groups are defined and tested, they can be applied to all areas of the Microsoft 365 environment and even synced to your on-prem Active Directory if required. These groups can be used to control access, apply settings and even install applications, depending on requirements.
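As an added example (not from the original article), this is how the dynamic rule-based groups described above can be created with the Microsoft Graph PowerShell SDK. The display names, mail nicknames and the "Sales" department value are constructed for illustration; the `New-DynamicSecurityGroup` wrapper is a helper written for this example, not part of the SDK.

```powershell
# Added example: create user- and device-based dynamic security groups.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph -Scope CurrentUser).
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-DynamicSecurityGroup {
    # Helper for this example (not an SDK cmdlet): wraps New-MgGroup with a
    # membership rule so the tenant evaluates membership automatically.
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    $body = @{
        displayName                   = $DisplayName
        mailNickname                  = $MailNickname
        mailEnabled                   = $false
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"   # start evaluating the rule immediately
    }
    New-MgGroup -BodyParameter $body
}

# User-based group: enabled accounts whose department attribute is "Sales" (constructed value).
$sales = New-DynamicSecurityGroup -DisplayName "Sales Users" -MailNickname "sales-users" `
    -MembershipRule '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

# Device-based group: company-owned Windows devices, suitable as a target for
# device-scoped configuration profiles and app deployments.
$winCorp = New-DynamicSecurityGroup -DisplayName "Company Windows Devices" -MailNickname "corp-win-devices" `
    -MembershipRule '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")'

# Membership is evaluated asynchronously; once processing has finished, review
# who actually landed in the group before attaching policies to it.
Get-MgGroupMember -GroupId $sales.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Testing the rule against real membership before any policy is attached matters: a rule that is too broad silently extends access or settings to the wrong people, and a rule that is too narrow leaves devices unmanaged.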
Password Governance
Microsoft 365 has inbuilt password governance that allows administrators to set the complexity, length and cadence at which the password needs to be changed. Users can change their passwords on authenticated devices or online as required.
Multi Factor Authentication (MFA)
MFA can be configured for all users or for security groups created in your environment. MFA can be configured to send a text message or email, or to use the Microsoft Authenticator app, depending on your preference. MFA authenticates the device a user is on and re-authenticates that access as required. Microsoft uses multiple advanced algorithms to detect if a user login is being impersonated and will push for re-authentication or even block user access. Even if the user remembers the device authentication for 60 days, should the system suspect someone else has the device it will still push for re-authentication.
Conditional Access Policies & Configuration Policies
The next step in security is setting several policies based on your acceptable risk and productivity scale. Conditional access can range from purely checking that the user is known, through blocking access to certain applications depending on the working environment, to blocking access to data unless it comes from a company owned device, with numerous levels in between. You can change the behaviour for different device platforms, web applications or device applications, or for different users based on security groups. The basis of these policies is to ensure only active users can access data and to limit what they can do with data if required.
Configuration policies are applied to security groups to enhance functionality / productivity or block access, or activity based on requirements. The combination of Conditional Access and Configuration policies can completely automate user experience and near every process within the Microsoft 365 environment.
Policies, configurations and settings can be combined into policy sets and applied in bulk to user and device groups as needed for ultimate automation. As something changes on a user profile, policy sets can automate the resulting processes.
Single Sign On
While all the Microsoft Office 365 applications will authenticate against the user’s main identity password with MFA, configuring SSO for other business critical apps so that they authenticate via Microsoft allows users to maintain fewer passwords and makes for a more secure environment.
Typical MDM Use Cases
There are so many use cases for MDM and so many ways to configure an environment. It really depends on your requirements and level of appetite for risk. Below are a few common scenarios.
Different User Roles and Application Configuration
The sales team will require different applications to the finance team and the executive team. Different applications can be installed on different devices based on their job function. This ensures only useful apps are on devices and updates are only relevant to the apps in use. This makes devices last longer and keeps the cost down, as you may not have to buy higher storage models.
Consistency in Device Configuration
When devices are deployed to users, it’s best practice to have a standard operating environment (SOE) for consistency. All users operate in the same way to streamline support. MDM can ensure devices are configured to a standard prior to the user being able to use the device.
Remote Workers
IT departments can ship devices direct from your suppliers and, based on the initial email address entered into the device for activation, the device completely configures itself for the user based on their job function.
Self Service App Installation
Users may prefer different web browsers or require different company tools as their responsibilities change. Curated app portals allow users to install applications themselves without the need for IT to log in and configure the device.
Data protection
If users are trying to do the wrong thing, or a user device has been compromised, settings can be configured to detect, prevent and alert on malicious activity.
MDM Deployment Best Practice
Policy / profile complexity
There are so many settings and app configurations that can be applied that understanding your goals and needs from the start is very important. Without a clear plan of what you need to achieve for launch, you may end up with extended timelines and getting lost in profile creation.
Force MDM Enrolment
Don't rely on users maintaining MDM on their devices; if settings can be removed, they will be. A simple conditional access policy that requires devices to be marked as 'compliant' when a user tries to configure email or access company resources will automate MDM install and configuration.
Apple Device Enrolment & Windows Autopilot will force devices to be attached to the organisation and prevent management from being removed.
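The two policies discussed on this page, MFA for all users and "compliant device required" to force MDM enrolment, look like this when created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; the policy display names are constructed, the emergency-access group ID is a placeholder, and `New-ReportOnlyCaPolicy` is a helper written for this example rather than an SDK cmdlet.

```powershell
# Added example: create both Conditional Access policies in report-only mode so
# their effect can be reviewed in the sign-in logs before anyone is blocked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: the group that holds your break-glass / emergency access accounts.
# Excluding it prevents a misconfigured policy from locking every admin out.
$breakGlassGroupId = "<emergency-access-group-id>"

function New-ReportOnlyCaPolicy {
    # Helper for this example (not an SDK cmdlet): builds the Graph
    # conditionalAccessPolicy body and creates it in report-only state.
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Users,
        [Parameter(Mandatory)] [string[]]  $Applications,
        [Parameter(Mandatory)] [string[]]  $GrantControls
    )
    $body = @{
        displayName = $DisplayName
        state       = "enabledForReportingButNotEnforced"   # evaluate and log only
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = $Applications }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = $GrantControls
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$allUsersExceptBreakGlass = @{
    includeUsers  = @("All")
    excludeGroups = @($breakGlassGroupId)
}

# Policy 1: MFA for every user on every cloud app.
New-ReportOnlyCaPolicy -DisplayName "CA01 - Require MFA for all users" `
    -Users $allUsersExceptBreakGlass -Applications @("All") -GrantControls @("mfa")

# Policy 2: Office 365 is only reachable from an Intune-compliant device, which
# is what drives users through MDM enrolment when they try to set up email.
New-ReportOnlyCaPolicy -DisplayName "CA02 - Require compliant device for Office 365" `
    -Users $allUsersExceptBreakGlass -Applications @("Office365") -GrantControls @("compliantDevice")

# List the policies still in report-only state; switch state to "enabled" only
# after the report-only results show no unexpected blocks.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabledForReportingButNotEnforced" } |
    Select-Object DisplayName, State, Id
```

Report-only mode is the dial the article describes: the policy is fully evaluated and every sign-in records what it would have done, so the risk/productivity trade-off can be checked against real usage before enforcement is turned on.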
Use ‘Device’ app deployments rather than ‘User’
Deploying apps with a tokenized approach to devices rather than user authentication means apps can be deployed silently without the user having to accept the app. This reduces notifications and allows IT departments to maximize security by applying patches and updates without relying on user acceptance.
With this method, ensure you are only applying business critical apps, as a deployed forced-install app will render it company owned. If the user had the same app but used it for personal use, the company ownership will override and erase the user data. When the user leaves the organisation, the company owned apps will be removed too.
Tokenized apps mean that if you have paid for them, you can revoke the token from one user and assign it to another as required.
Documentation
Documentation is key to the system’s long term performance. As personnel change, clear documentation of what each setting does and how it is applied is imperative to a sustainable solution.
Communication
Like with any changes to a user environment, communication is the key to maintaining positive relationships with IT. Users do not like their devices or settings changed without knowing ahead of time and why it’s happening. Allow users time to ask questions and fully understand any changes that affect their privacy and/or productivity.