MD-101 Managing Modern Desktops – Implementing Mobile Application Management (MAM)

  1. Managing and implementing MAM App Protection policies with Intune

Now I want to take a look at some of the ways we can help protect our apps and control some of their settings, as well as make sure users aren’t sharing data with people they shouldn’t and aren’t using the apps in ways they shouldn’t. So I’m going to click on the Apps blade here in Endpoint Manager; that’s endpoint.microsoft.com. As I go to the Apps blade, look down here and you’ll see App protection policies. We’ll click on that, and you’ll see I don’t have any policies just yet (it still says Loading, but there aren’t any). So I’m going to create an app protection policy here, and we’ll drop this down.

Notice that I can create one for iOS/iPadOS, Android or Windows 10. I’m going to go with Windows 10. So we’ll click Windows 10, and then I’m going to give this a name. I could name it whatever I want; I’ll call it Windows 10 app policy. Then you’ve got the enrollment state. I want to clarify something here again: it’s important to understand that you can still control application settings on somebody’s device without it being enrolled in MDM. So what I’m saying is, yes, I could have users bring their own devices to my network and use their Azure AD account. It could be a personal device, but I can still manage some settings. I helped a university do this sort of thing one time.

They had thousands of students who needed to use an Azure AD account and Microsoft 365 to get access to Office and all of that. But the university also needed to put some restrictions on those apps and the way students used them. The problem is you’re not going to convince all of those students to enroll their devices in MDM: some had Apple iPhones and iPads, some had Android tablets, some had Windows 10 Surface Pros, desktops and laptops. It just wasn’t going to happen. But you can still control application settings even if the devices aren’t enrolled. If they are enrolled in MDM, you’ll be able to control all the device settings; if they’re not enrolled, you can at least control the app settings.

And how is that? Well, imagine somebody has a phone and they download the Microsoft Word app on it, and then they want to get to resources in our cloud: documents in SharePoint or OneDrive, Teams, Skype for Business, Exchange, whatever it is. To check their email, they’re going to have to sign in with their Azure AD credentials, and once they do, the settings we put in place here can restrict what they can do in that app. So we’re going to go with Without enrollment and click Next. At this point we can target the apps we want to protect. I can click Add and select the apps; maybe we want Word, and we want Excel.

We want PowerPoint. We want OneNote. Anything else? We want OneDrive. All of these I can add. And if somebody went through and selected a bunch of apps, you can also add exempt apps. So if there’s a conflict between apps you’ve added and apps you definitely don’t want protected, or in some cases an app package includes an app you don’t want, you can list it under exempt apps. I’m going to click Next. From here I can specify my required settings and whether or not I’m going to use this thing called Windows Information Protection.

Not going to get into WIP just yet, so I’m going to move past that. And then here are all the settings I can configure, and there are a lot of them. I can specify whether the device has to use an enterprise proxy server, and supply the list of proxy servers. I can define the IP address ranges that count as the enterprise network. I can require a data recovery certificate so encrypted data can be recovered if a user loses access to it. I can prevent data from being shared with apps outside the enterprise. I can require that enterprise data stay protected while the device is locked. And I can revoke encryption keys when the device is unenrolled, so if we’ve issued a key for encrypted data, that key gets revoked.

I can revoke access to protected data when the device is enrolled in MDM, if I want. I can show the enterprise data protection icon, which means any time users are working with something tied to our cloud, it’s treated as enterprise data and a little icon shows up on their screen. I can support Azure RMS with WIP; I’m not going to talk about those topics just yet because they’re coming up a little later, and they take some explaining. I can allow the Windows indexer on the device to keep indexing what’s considered corporate data as well as personal data. Here’s my MDM discovery URL.

This is how devices discover the Intune service. If you ever needed to change it you could, but this is what it’s going to use. Then I have the offline interval: if a user goes offline and the device doesn’t check in with Intune for 90 days, it can wipe all the company data off the device. Down here you get into things like Windows Hello for Business and facial recognition, and I can adjust the PIN length and complexity requirements if I want. So these are all things I can turn on or lock down, with certain things on and certain things off, and do quite a few different configurations. Lots of advanced settings I can configure here.

Now that I’ve got things the way I want them, I’m going to click Next. I can add included and excluded groups. So if I wanted to add my Windows devices group here, I could: pick the Windows Devices group and click Select. I’ll click Next, and then review and create my policy. So that’s how you create an app protection policy. Once the policy has been deployed, the deployed status will change to Yes; it does take a few minutes for that to happen, but at that point you can click on it and alter your settings if you want. Another thing you can do is click on Monitor and see a few reports in regards to the apps.

There’s App licenses; Discovered apps, which is the apps found in my enterprise by querying the machines; App install status, which shows whether apps have actually been installed on the devices (you can see I’ve got a bunch of apps showing here); and App protection status, which is what I really care about now, because that’s what I was talking about. Once everything gets updated on the Windows 10 computers, you’ll see the status here get updated, and it will show that the app protection policies have been deployed successfully. So that gives you a good understanding of what app protection policies are and how you can deploy them.

  2. Windows Information Protection (WIP)

Windows Information Protection is a feature that lets us integrate certain services we’re receiving from the cloud. Namely, in the cloud services we have what’s called DLP, Data Loss Prevention, which is all about preventing data from being leaked, or what they call data exfiltration. Data exfiltration means sensitive information inside your organization somehow gets out to people who are unauthorized. We also have Information Rights Management, IRM, which is the feature that supports the encryption and classification systems.

So Microsoft has a few services that do this. They have something called Azure Information Protection, which I’ll be talking more about, and we’ve got DLP to actually enforce all of it. We have the ability to classify documents based on things like keywords or the actual contents of the files, such as numeric data like Social Security numbers, credit card numbers and bank account numbers. We can flag all of that as sensitive information. This works in the financial industry, in medical and HIPAA compliance, and so on. We can set all these rules, but we have to be able to enforce them, and WIP is the framework built into Windows 10 that can do that.

Another thing WIP does is separate personal data on a person’s machine from our corporate data and let us enforce policies on it. So what are the exact features of WIP, Windows Information Protection? You have the ability to separate personal and corporate data, as I mentioned. You have selective wipe: I can deploy a rule that wipes all corporate data off the device while leaving personal data alone. I can do audit reporting, so I can gather information about whether sensitive information is on the device. And I have management system integration with MDM, so Intune and Endpoint Manager.

We can control the settings through that, and I’m going to show you that in a second; we’ll jump into Intune and do it. It all integrates through a web-based console that lets me enforce everything. We can encrypt data on the device, so we can force encryption. We can prevent users from using personal apps on the device if it’s a corporate-owned computer or tablet. And we can have corporate data removed if we want; that’s the selective wipe feature. What’s nice is that if the device is stolen or lost, I can put a policy in place that has everything removed from that device.

The moment that device gets access to the Internet, it checks in with Intune and wipes that data off. So even if somebody stole it and they’re trying to get into it, if it has an Internet connection of any kind it’s going to do that. You can also, of course, have rules that wipe data after the device hasn’t been in touch with Intune for a period of time. Now, one more thing: WIP is a Windows 10 feature. There are other solutions for Android and Apple devices; you’re mostly going to be using conditional access and compliance policies to control those.

This is just for Windows; that’s why they call it WIP, Windows Information Protection. So the last thing I want to show you, and I’ll show it in a second on the console, is that when you enable WIP you have some options. You do this through Intune’s app protection policies. The options you’ve got are Block (called Hide overrides in older documentation), Allow overrides, Silent and Off. Block means that if a user tries to share an enterprise document somewhere it isn’t allowed, WIP stops it and doesn’t allow an override at all. We do have the ability to let a user override in a situation where they’re trying to share data that’s sensitive.

But then the user says, wait a minute, this is part of my job, I have to do this, and they can override it. Or sometimes it detects what looks like sensitive information that isn’t really sensitive, and they can override it there. But maybe we don’t want them overriding it. So we can allow overrides, or we can use Silent. Silent means the action is audited: it’s logged that they did it, but it isn’t actually stopped. That gives us a reporting system without preventing anything; it just gives us admins a chance to see who’s doing things they maybe shouldn’t be doing. And finally you can just have WIP off.

That means it’s not turned on at all. So those are your options. Now we’re going to jump into Endpoint Manager and take a look at them. I’m here on endpoint.microsoft.com, and I’m going to click on the Apps blade and go back to App protection policies. You might remember we created one of these before, but I’m going to create a new policy for Windows 10 and say this one is going to enable WIP. I’m going to choose With enrollment and click Next. We specify the targeted apps we want to protect: Word, Excel and, let’s say, PowerPoint. We could do more, but we’ll just do those three. Click Next.

This is it right here; this is where you turn it on. I’m going to say Block: if somebody tries to share enterprise data where it shouldn’t go, we just completely block it. Click Next. These are the advanced settings we’ve talked about before. Click Next, and then I’m going to assign this. I could assign it to my Windows 10 group of devices if I want. Select, Next and Create. And just like that you’ve got WIP enabled on the device, and it will block attempts to move protected data outside the protected apps. Now keep in mind that you still have to define what the sensitive information is.

And we haven’t done that here. That’s done through Azure Information Protection and data loss prevention. This is just flipping the on switch so the device has the capability to do it. So that gives you a good understanding of what WIP, Windows Information Protection, is and how it can help your organization. Again, keep in mind we’ve enabled it, but we still have to configure rules using Azure Information Protection along with DLP. Hopefully now you’ve got a grasp of what WIP is and how it can help us.
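As an added example (my own code, not from the course), here is the same Windows 10 app protection policy expressed as a Microsoft Graph request body, which is how you would script the policy created by clicking through the portal in the first lecture and the WIP policy created in this one. It maps the four WIP modes shown in the portal to Graph’s enforcementLevel values and picks the MAM (Without enrollment) or MDM (With enrollment) collection, so the weak "silent" setting and the "block" setting sit side by side. Property names follow the beta Graph windowsInformationProtection resource type; the Office app publisher and product names, the contoso.com enterprise domain and the PIN length are assumptions to check against your own tenant.

```python
"""Build a WIP app protection policy as a Microsoft Graph request.

Added example, not from the course: the mode names are the four WIP modes
shown in the Intune portal; the enforcementLevel values and endpoints are
from the beta Graph windowsInformationProtection resource. The app
identities and the enterprise domain below are assumptions; take the
publisher/product values from your tenant's "Recommended apps" list.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/deviceAppManagement/"

# Portal wording -> Graph enforcementLevel. "silent" is the weak setting:
# everything is encrypted and audited but nothing is ever stopped.
WIP_MODES = {
    "block": "encryptAuditAndBlock",             # stop the action, no override
    "allow overrides": "encryptAuditAndPrompt",  # prompt; user may override
    "silent": "encryptAndAuditOnly",             # audit only
    "off": "noProtection",
}

# Assumed Store identities for the Office apps (verify in your tenant).
OFFICE_PUBLISHER = ("CN=Microsoft Corporation, O=Microsoft Corporation, "
                    "L=Redmond, S=Washington, C=US")
OFFICE_STORE_APPS = {
    "Word": "Microsoft.Office.Word",
    "Excel": "Microsoft.Office.Excel",
    "PowerPoint": "Microsoft.Office.PowerPoint",
    "OneNote": "Microsoft.Office.OneNote",
}


def build_wip_policy(name, mode, apps, enrolled, domain="contoso.com",
                     offline_days=90):
    """Return (endpoint, body) for POSTing a WIP policy to Graph."""
    if mode not in WIP_MODES:
        raise ValueError(f"unknown WIP mode {mode!r}; use {sorted(WIP_MODES)}")
    unknown = [a for a in apps if a not in OFFICE_STORE_APPS]
    if unknown:
        raise ValueError(f"no Store identity recorded for {unknown}")

    body = {
        "displayName": name,
        "enforcementLevel": WIP_MODES[mode],
        # Identity that marks data as corporate (the "enterprise" side).
        "enterpriseDomain": domain,
        "protectedApps": [
            {
                "@odata.type": "#microsoft.graph.windowsInformationProtectionStoreApp",
                "displayName": app,
                "publisherName": OFFICE_PUBLISHER,
                "productName": OFFICE_STORE_APPS[app],
                "denied": False,
            }
            for app in apps
        ],
        "exemptApps": [],
        # Advanced settings from the portal walkthrough.
        "protectionUnderLockConfigRequired": True,  # keep data protected under lock
        "revokeOnUnenrollDisabled": False,          # revoke keys on unenroll
        "iconsVisible": True,                       # enterprise data icon
        "indexingEncryptedStoresOrItemsBlocked": False,
    }

    if enrolled:
        # "With enrollment": the device is MDM-managed.
        body["@odata.type"] = "#microsoft.graph.mdmWindowsInformationProtectionPolicy"
        endpoint = GRAPH + "mdmWindowsInformationProtectionPolicies"
    else:
        # "Without enrollment": MAM only; these settings exist only here.
        body["@odata.type"] = "#microsoft.graph.windowsInformationProtectionPolicy"
        body.update({
            "daysWithoutContactBeforeUnenroll": offline_days,  # offline wipe
            "revokeOnMdmHandoffDisabled": False,  # revoke when device enrolls in MDM
            "windowsHelloForBusinessBlocked": False,
            "pinMinimumLength": 6,                # assumed PIN policy
        })
        endpoint = GRAPH + "windowsInformationProtectionPolicies"
    return endpoint, body


def post_policy(token, endpoint, body):
    """Create the policy; needs the DeviceManagementApps.ReadWrite.All scope.

    Not called in this file, so it runs offline; supply a bearer token to use it.
    """
    req = urllib.request.Request(
        endpoint, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    endpoint, body = build_wip_policy(
        "Windows 10 WIP policy", "block", ["Word", "Excel", "PowerPoint"],
        enrolled=True)
    print(endpoint)
    print(json.dumps(body, indent=2))
```

Run it as-is to print the request that the portal sends on your behalf; pass the result to post_policy with a token that carries the DeviceManagementApps.ReadWrite.All permission to actually create it. Note that the MAM-only settings (offline wipe, PIN, Windows Hello) are rejected on the MDM collection, which is why the function adds them only for the Without enrollment case.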

  3. Understanding Azure Information Protection

Now, Azure Information Protection is also referred to as AIP, not to be confused with Azure AD Identity Protection, which is a different technology. Azure Information Protection is all about identifying and labeling sensitive information. The goal is to have a way for the information in your environment (your documents, spreadsheets, database data, and emails too) to be labeled and classified. In a higher-security environment where data is very sensitive, you’re not just talking about publicly accessible data.

Your information has to have a way of being flagged so it shows that there’s sensitive info there, tagged or labeled in some way. AIP is Microsoft’s solution for this. You might recall that back in the on-prem days we used AD RMS, Active Directory Rights Management Services, and you’ll find that Rights Management is still a piece of this. But now Azure Information Protection does the actual labeling, and RMS plays more of a role on the encryption side of things. So Rights Management Services is still part of this, but AIP is what deals with the labeling.

The way you set AIP up is by configuring rules and conditions that look for certain types of sensitive information. From there, you configure the labels those rules apply, and the information is classified based on those labels. Users can label and classify manually, or you can have it happen automatically, but there’s a licensing rule: automatic labeling requires Premium P2. So there’s Azure Information Protection P1,

and there’s Azure Information Protection P2. If you have the Enterprise Mobility + Security (EMS) subscription, you’ve got both (EMS E3 includes P1; EMS E5 includes P2). You can use P1 for users you know are going to deal with labeling manually and P2 for people you want labels applied to automatically. Ideally we want it to be automatic for everybody, but it depends on what subscriptions and licensing model you’ve gone with. Now, how are labels applied? AIP labels get applied to your documents and emails based on the type of information stored inside them.

Once a label is applied, it stays with that document pretty much for good. How does that work? They’ve set up metadata on documents so information can be classified, and the classification label is written in clear text in the file’s metadata. So the label and classification are applied, all in clear text in the metadata of the file. Then you can also have encryption on the file. The file can be digitally signed, which provides integrity: if anybody tampers with it or modifies it, you’ll know, because the digital signature will no longer verify.

When a signed file is altered, your system knows about it immediately, whatever application you’re using: Word, Excel, PowerPoint, and there are third-party apps that support this as well. If you’re not familiar with integrity, the way it works when something is signed is what I always call the wax seal analogy. Back in medieval times when kings and queens wrote letters, they’d write on parchment, fold it up, pour hot wax on it and press their seal into it.

Then they’d have somebody deliver the letter, and if the letter arrived at the other end with the wax seal broken, the recipient knew the letter had been compromised (and off with somebody’s head). The idea is that when something gets tampered with or altered, we know about it. The other great thing is that with the help of Rights Management Services you can have the information encrypted, so somebody isn’t going to be able to read it either. So you have a digital signature to provide integrity and authenticity, and encryption on the data itself to provide confidentiality.

But the starting point of all of this is AIP, which is about labeling and then classifying the information. At that point it doesn’t really matter where the document goes. It can be moved around; it could even slip its way outside our organization. It’s still going to be labeled and classified, and encrypted and digitally signed if you’ve combined this with Rights Management. You can also have rules in place, which we’ll talk about later, that try to prevent the document from making its way outside. But even if somebody had it on their laptop and walked that laptop outside the organization, it would still carry that information.

It’s still protected. Another thing you get with labels is visual markings. You can have a color-coded header at the top, a footer, and a watermark that goes across the middle of the page, diagonally or horizontally, indicating that this is a confidential document or whatever label wording you want. You can configure the font, the color and the way it goes across the page. So there are quite a few features here; it’s a really great feature Microsoft has given us and definitely something to look into.

  4. Implementing Azure Information Protection

We’re starting off on admin.microsoft.com. We’ll go to Show all, scroll down, and click on Security or Compliance; either one takes you to the same place. This takes you to the Security & Compliance Center, which is where we’ll be working with AIP, Azure Information Protection. Now, to clarify: you can do this through the Azure portal as well. There’s an Azure Information Protection service you can add and configure there. But I’m going to give you some advice: don’t do it there, do it here.

That’s all I’m going to say on that. This is where you want to focus your efforts for the exam; if you’re taking the exam, this is where you want to do this from. So I’m going to drop down Classification and click on Sensitivity labels. What I want to do is create a sensitivity label so that every time a Social Security number shows up in a document, that document is labeled as sensitive, maybe as containing PII, personally identifiable information. So we click on Sensitivity labels and create a label here.

Notice the little note at the top. It says that if your organization has labels in Azure Information Protection, they’ll need to be migrated if you want to use them across other Microsoft apps and services, and that if you create labels with the same name as your existing Azure Information Protection labels, you won’t be able to migrate. So they’re saying you can migrate the labels from the Azure version over to Microsoft 365. Remember, this is a Microsoft 365 course we’re going through, and the exam covers Microsoft 365 as well as some Azure, but they put their focus on this side of things.

That’s why we want to be in this area rather than in Azure Information Protection through the Azure portal. It’s still AIP that we’re doing, but we’re doing it through the Microsoft 365 portals, the Security & Compliance Center, instead of the Azure portal. So we click Create a label and give it a name; I’ll say PII included, personally identifiable information included. Then you can give it a tooltip; I’ll put the same text there. What’s a tooltip? It’s the short message users see when they hover over the label in an Office app, explaining what the label is for.

And you can add a restriction that stops somebody from sharing something that carries this particular sensitivity label, if you want. Right now we’re just creating the sensitivity label; we’re not implementing the policy, just creating the label. You can give it a description describing to people what this label does. I’m going to click Next. This is where I could include encryption: if I were going to use Rights Management with this, the Azure Rights Management Service, I could apply encryption here. Azure RMS encrypts the content itself with AES and protects the content key with RSA.

But I’m not going to do that right now, so I’ll click Next. Then you’ve got content marking; this is where you can put a watermark in place. If you wanted a watermark, you’d click Add watermark, customize the text (I could say Secret), and set the font size, font color and text layout, whether it goes diagonally or horizontally across the page. I could add a header the same way and customize the text, and a footer as well. In my case I’m not going to add any content marking, so I’ll click Next. Then I’ve got Auto-labeling for Office apps. I’m going to turn this on, because I do want to use auto-labeling in Office apps.

The great thing about this is that I can create this label and it can always be used manually by people, but with auto-labeling I can have it applied automatically. Keep in mind that automatic labeling requires the Premium P2 version of AIP, Azure Information Protection, which I’ll jump over and look at in a second. Under Detect content that matches these conditions, I’m going to click Add condition, Content contains, and then Add, Sensitive info types. This is where I can go through and find the sensitive info types I want: scroll down and pick what you want. I’m going to do U.S. Social Security Number, so I’ll choose that.

Notice you can select more than one if you want. So I could do U.S. Social Security Number and U.S. Individual Taxpayer Identification Number, I could add Credit Card Number, and so on; you can go through the list and choose what you want, and you can search as well. I’ll click Add. If you only wanted one thing, you’d add only one thing: if this were the exam and it says add the Social Security number, then that’s the only thing you’d add. Then it looks for accuracy. One thing about Microsoft 365 and Azure with AIP is that it uses a thing called regex.

Some people pronounce it reg-ex, however you like to say it: R-E-G-E-X, regular expression. It’s a pattern-matching system for matching a sequence of characters, such as the sequence of numbers in a credit card, a Social Security number or a tax ID number. Most of you probably know that a Social Security number is a three-digit number, then a two-digit number, then a four-digit number. That’s what it looks for, and it also looks at accuracy, trying to find an accurate example of that number in the document before it labels it. The other thing you’ll notice is the instance count, so you can require more than one of these to show up.

Maybe you require ten instances before it becomes a sensitive document; that’s what the instance count does. I could add another group of conditions to detect if I wanted to, but I’m going to click Next and then Submit, and I’ve now officially created a label that can be used.

The next thing I want to do is look at the licensing side of this. We’ll go to portal.azure.com, drop the menu down, go to Azure Active Directory, Licenses, All products, and click on Enterprise Mobility + Security. Here under Service plan details you’ll notice Azure Information Protection Premium P1 and P2. Again, the big difference is that Premium P1 lets you label manually and Premium P2 lets you apply labels automatically. So you’re only going to be able to do automatic labeling for users who have Premium P2. You can assign those licenses; we’ve seen how to do that in previous lectures.
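To make the regex, accuracy and instance-count ideas concrete, here is an added example of my own (not code from the course and not Microsoft’s detection engine) that evaluates a label condition like the one just created against a constructed document. A sensitive info type is modelled as a regex plus a validity check: the Social Security number rules (area not 000, 666 or 900-999, group not 00, serial not 0000) and the Luhn checksum on card numbers are the kind of accuracy test that separates a plausible match from a random nine- or sixteen-digit string. The employee roster, every number in it, and the thresholds are invented.

```python
"""Evaluate a sensitivity label condition over a document.

Added example (not from the course, not Microsoft's engine): a simplified
model of an AIP/DLP sensitive info type, which is a regex plus a validity
check, combined with a label condition that carries an instance count.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# U.S. SSN: three-two-four digits with optional dash/space separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Payment card: 13-19 digits, optional single dash/space between digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def ssn_is_plausible(m: re.Match) -> bool:
    """Public SSA format rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = (int(g) for g in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_is_plausible(m: re.Match) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", m.group(0)))


@dataclass(frozen=True)
class SensitiveInfoType:
    name: str
    pattern: re.Pattern
    validator: Callable[[re.Match], bool]

    def count(self, text: str) -> int:
        """Number of regex matches that also pass the accuracy check."""
        return sum(1 for m in self.pattern.finditer(text) if self.validator(m))


US_SSN = SensitiveInfoType("U.S. Social Security Number", SSN_RE, ssn_is_plausible)
CREDIT_CARD = SensitiveInfoType("Credit Card Number", CARD_RE, card_is_plausible)


@dataclass(frozen=True)
class LabelCondition:
    """'Content contains' condition: any listed type that reaches
    min_instances valid matches applies the label."""
    label: str
    types: List[SensitiveInfoType]
    min_instances: int = 1

    def evaluate(self, text: str) -> Dict[str, object]:
        counts = {t.name: t.count(text) for t in self.types}
        hit = any(c >= self.min_instances for c in counts.values())
        return {"label": self.label if hit else None, "counts": counts}


# The label built in the walkthrough: PII included, SSN or card, one instance.
PII_CONDITION = LabelCondition("PII included", [US_SSN, CREDIT_CARD])

# Constructed sample document; every number below is made up.
SAMPLE_DOC = """
Employee roster (constructed sample data, not real people):
  Alice   SSN 123-45-6789   card 4111 1111 1111 1111
  Bob     SSN 000-12-3456   (invalid area 000)
  Carol   SSN 666-01-0001   (invalid area 666)
  Dave    SSN 987-65-4321   (invalid area 9xx)
  Erin    SSN 234-00-5678   (invalid group 00)
  Frank   SSN 345-67-0000   (invalid serial 0000)
  Grace   SSN 219 09 9999   card 4111 1111 1111 1112 (fails Luhn)
Invoice number 1234567890 is not a card.
"""

if __name__ == "__main__":
    print(PII_CONDITION.evaluate(SAMPLE_DOC))
    # A stricter condition needing ten hits does not label this document.
    print(LabelCondition("PII included", [US_SSN, CREDIT_CARD], 10).evaluate(SAMPLE_DOC))
```

Only two of the seven SSN-shaped strings and one of the two card numbers survive the accuracy checks, which is why a label condition counts validated matches rather than raw regex hits; raising min_instances is the instance-count knob from the portal.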
