MS-101 Microsoft 365 Mobility and Security – Implementing Mobile Device Management

  1. Managing Devices with MDM

Oftentimes in an organization, your end users are going to want to use mobile devices. Those could be devices that you own and control, or devices the end user owns and would like to use to get at corporate resources. Fortunately, there is a solution that lets us extend our security onto those devices: mobile device management, or MDM. MDM is not a Microsoft-specific solution; it's an industry standard for managing mobile devices. Windows, iOS and Android devices all support some type of MDM capability. To implement it, though, you need an authority, some MDM authority, that can push policy out to those devices.

Along with that MDM authority, you also need a client that can consume the policy. In certain cases, like Windows 10, the MDM client is built in. In other situations, like iOS or Android, you go to the app store for that OS and download an app, such as the Company Portal app, that lets you register the device for MDM. Once the device is registered, we can enroll it for management. So I open the Company Portal, log in with the appropriate credentials and join the device to that MDM authority so I have some control over it. Now that we have control, we can start forcing configuration onto it.

For example, require a screen lock password and set how strong it has to be. Require that corporate data be stored in an encrypted container. Push applications onto the device so that users access our resources with the apps we want them to use. We also get the ability to do a selective wipe, which removes the corporate information without touching the user's personal data. And of course, as with any system, you want to monitor it: see which devices are connected, which are compliant or non-compliant with policy at that point in time, and which users are using which devices.

  2. Activating MDM

Depending on which subscription you're going to use for mobile device management, whether Office 365 MDM or Microsoft Intune, you have to activate it and select who is going to be your MDM authority. If you have the Office 365 environment, from the admin center home page go to the search box and type Mobile; you'll see Mobile Device Management. Click that and it opens the Mobile Device Management page. What you're actually doing here is activating the MDM authority for Office 365.

You do that by clicking Let's get started. After you click that button there is a wait of about an hour while the service is activated, and then the person who activated it gets an email with the next steps for setting up and configuring the MDM authority for Office 365. In our case, let's do it via Intune instead. So I'm going to open portal.azure.com and search for the Intune service.

We'll just type in the word Intune. Because I might use this a little later, I'm going to add Intune to my hub menu to make it easier to find: click the gray star, it turns gold, and Intune now shows up as an option in the menu. We'll click into that. It opens Microsoft Intune, but I haven't configured it yet. If I go to Device enrollment, as if I wanted to enroll a device in Intune, it switches over and says: wait a minute, before you can do this, you have to tell us who the MDM authority is.

Here I'm presented with Intune MDM Authority. Or, if you have System Center Configuration Manager on premises, you can set Configuration Manager as the MDM authority. In this case, let's choose Intune MDM Authority and click Choose. Now we can start working with Intune, because we've chosen who has authority over the mobile devices we want to manage.

  3. Configuring MDM

Once you've activated your MDM authority, there are a few other things you might have to take care of so that your clients can actually register their mobile devices. If you're using Office 365 MDM, you have to set up the DNS records for it. From the admin center, go to Setup and then Domains; there I have my arrowmar domain. Open it and click DNS management. In this case we're managing our own DNS records. If you want to use mobile device management, check the box for Mobile Device Management for Office 365.

Once you check that box and click Next, it gives you the DNS records you need to configure: an enterpriseenrollment record and an enterpriseregistration record for those mobile devices. Think of it like the Autodiscover record in your Outlook or Skype for Business environment. By creating the enterpriseregistration and enterpriseenrollment records pointing at the values Microsoft 365 MDM requires, your devices will be able to find the management service once users sign in with their Azure Active Directory username and password. If instead we're using Intune, let's go into Device enrollment for a moment; depending on the devices we want to enroll, we may have to configure some additional requirements.

For example, to enroll Apple devices I go to Apple enrollment, and I need an Apple MDM push certificate. That means requesting an Apple Push Notification service (APNs) certificate from Apple and installing it here, so that Intune can send push notifications to those Apple devices. That's not required if you don't plan to enroll Apple devices, and it's not required for Android or Windows devices; with those we can just start enrolling.
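As an added check that is not part of the course: before telling users to enroll, confirm the two CNAME records the Office 365 MDM enrollment flow depends on actually resolve to Microsoft's endpoints. The script uses the DnsClient `Resolve-DnsName` cmdlet that ships with Windows; `contoso.com` is a placeholder for your own verified domain. The expected targets are the values Microsoft publishes for Office 365 MDM.

```powershell
# Added example (not from the course): verify the enterpriseenrollment and
# enterpriseregistration CNAME records for an Office 365 MDM domain.
$Domain = 'contoso.com'   # placeholder; use the custom domain you verified in the admin center

# Targets Microsoft requires for Office 365 MDM
$Expected = [ordered]@{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

function Test-MdmDnsRecords {
    param([System.Collections.IDictionary]$Records)
    $results = foreach ($name in $Records.Keys) {
        try {
            # Ask for the CNAME explicitly and keep only the CNAME answer, not the A records it chains to
            $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $target = $answer.NameHost
            $ok     = $null -ne $target -and $target.TrimEnd('.') -ieq $Records[$name]
        } catch {
            $target = $null
            $ok     = $false
        }
        [pscustomobject]@{ Record = $name; Target = $target; Expected = $Records[$name]; OK = $ok }
    }
    return $results
}

$check = Test-MdmDnsRecords -Records $Expected
$check | Format-Table -AutoSize
if ($check | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more MDM DNS records are missing or point at the wrong host; enrollment will fail to discover the service.'
}
```

If a record is missing, devices signing in with an Azure AD account under that domain cannot discover the enrollment endpoint, so fix DNS before troubleshooting the Company Portal. Public resolvers may cache an old answer for the record's TTL after you change it; re-run the check with `-Server` pointed at an authoritative name server if the result looks stale.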

  4. Managing Device Policies

Now that we've configured mobile device management, we can set device configuration policies to apply to these mobile devices. We can set security policies, compliance policies, and configuration policies for those devices. For example, if I click Device security, you can see we have an MDM security baseline for Windows 10. We could create a profile, give it a name, say demo profile, and click Next, where we see a whole set of settings we could change for the security of those devices. Do we want to enumerate administrators? We can enable that.

Do we want to use Device Guard, which needs an edition that supports it, like Windows 10 Enterprise? Remote assistance capabilities, even blocking Internet connection sharing if we wanted. So there are lots of options we can apply to those Windows devices. We don't need to scope this to any scope tags necessarily. Then we decide which groups to assign it to, say All users, and review the settings and apply them. I'm not going to save that right now, but that is how you set up a security policy.

Now if we look at Device configuration for a moment, we have assignment status, the certificates we have in the environment, and again I can create profiles for my configuration. We'll call this one Config one. Then I decide which platform I want this to apply to. So understand that this means I have to create one configuration profile for my Android devices, another for my Windows devices, and another for my iOS devices. There's also the ability to work with Windows Phone 8.1 if anybody is still using one.

So you have to decide which platform a configuration policy applies to. Then we can add scope tags if we want to limit it to specific people, and set the applicability rules: assign the profile if the OS version is within a range. So if we only want this to apply to iOS devices in a certain version range, we can configure the profile that way. Going back one level, you also have device compliance policies. So let's look at Device compliance and then Policies.

When I create a policy here, just as with the configuration profiles, we have to pick which platform this compliance policy applies to. Let's say we apply this one to Android. Then we get into the settings: device health, device properties, system security and so on. Do we want to block rooted devices? If somebody has rooted their Android, we're not going to consider them compliant. Now, this is not going to block them by itself.

It only states whether they're compliant or non-compliant with policy. Later we'll configure a conditional access rule that relies on that compliance state to determine what they have access to. Then there are the device properties, where we set the OS version range we'll accept, and the system security settings: require a password, and say it has to be at least numeric, so it has to contain numbers.

And we can set other values, like how long the password has to be, the maximum minutes of inactivity before the device locks, and so on. Do we want to require encryption on the device? So there are lots of security settings you can set right there in your compliance policies. Then we configure the actions for non-compliance; the default action is to mark the device as non-compliant. So you can create those policies from Intune once you have your Intune MDM environment configured.
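The same Android compliance policy, created and assigned through Microsoft Graph rather than by clicking through the portal, as an added example that is not part of the course. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin can consent to `DeviceManagementConfiguration.ReadWrite.All`; the group id is a placeholder. The property names are those of the Graph `androidCompliancePolicy` resource, which is the device-administrator Android type the section is using (Android Enterprise work profiles use `androidWorkProfileCompliancePolicy` with the same kind of settings).

```powershell
# Added example (not from the course): Android compliance policy via Microsoft Graph.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

$policy = @{
    '@odata.type' = '#microsoft.graph.androidCompliancePolicy'
    displayName   = 'Android - baseline compliance'
    description   = 'Rooted devices, weak PINs and unencrypted storage are non-compliant'

    # Device health: a rooted Android is reported through the "jailbroken" property
    securityBlockJailbrokenDevices = $true

    # Device properties: lowest OS version we will accept
    osMinimumVersion = '10.0'

    # System security: numeric PIN, minimum length, inactivity lock, storage encryption
    passwordRequired                      = $true
    passwordRequiredType                  = 'numeric'
    passwordMinimumLength                 = 6
    passwordMinutesOfInactivityBeforeLock = 5
    storageRequireEncryption              = $true

    # Actions for non-compliance. Graph requires at least one rule on create;
    # actionType 'block' with no grace period is the portal's default
    # "Mark device non-compliant: immediately".
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -ContentType 'application/json' -Body ($policy | ConvertTo-Json -Depth 8)
Write-Output "Created compliance policy $($created.id)"

# Assign it to a group of Intune-licensed users (placeholder object id). A policy that
# is never assigned evaluates nothing, so devices keep showing the built-in policy only.
$groupId = '00000000-0000-0000-0000-000000000000'
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -ContentType 'application/json' -Body ($assignment | ConvertTo-Json -Depth 8)
```

Keep the compliance policy about state only, as the section says: it marks the device compliant or not, and the conditional access policy is what actually denies access. Putting the policy in source control as the hashtable above also gives you a diffable record of what "compliant" meant on a given date, which is useful when reviewing a sign-in later.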

  5. Creating Conditional Access Policies

One way to force mobile device management is to not allow somebody access to a resource unless they meet certain conditions, and you can use a conditional access policy to set that up. So in Intune, click Conditional access. You can see there are already some baseline policies, such as requiring MFA for admins: anybody who is a global admin, a SharePoint admin, or holds one of these administrative roles is required to use multi-factor authentication before they're allowed access.

If your organization has not turned on MFA for all of your users, this is a way to make sure all of your admins still have to use multi-factor authentication, even if somebody forgets to enable it for them. You also have the ability to create a new policy. Conditional access is an if-this-then-that type of policy. So we'll call this one demo condition. We choose users or groups: select users and groups, directory roles, or specific users and groups if we want. For example, the finance group; we'll select them, assuming we've assigned them an Intune license.

Now this conditional access policy applies to them. Next, no cloud apps or actions are selected yet. We can say all cloud apps. Be careful here: if we're part of that group and don't meet the condition, we could lock ourselves out, and that's why the portal warns us. You could instead choose selected apps, so only certain apps are affected; for example Outlook Groups, or Office 365 Exchange Online if we don't want them connecting to that. So if they don't meet the condition, we can block access to those apps.

Now we set up the conditions. Sign-in risk: we can say that if the sign-in risk is high, block access. Device platforms: we can include and limit platforms; maybe we don't want anyone connecting with Apple devices at all, so we exclude those. Locations: we can configure all trusted locations or selected locations, and then define which locations are trusted.

When you're using multi-factor authentication, one of the things you can set up is a trusted IP range. For example, if all of your users come out to the Internet from your corporate office, behind your web application proxy, with a known public IP, we let them in; if they're coming from somewhere else, like home or a hotel, we can block access based on location alone. So there are lots of different conditions we can set. Looking at a couple of the others: device state, include all device states.

We could also exclude hybrid Azure AD joined devices, or exclude devices marked compliant: all devices are in scope, but a compliant device is let through. Then there are the client apps: we might not apply this to browsers, but apply it to mobile apps and desktop clients, for example only those that use modern authentication. So you can get more granular as you set up the conditions that have to be met. Then, if the conditions are met, we choose the access control: grant access or block access.

Block is simple: they're not getting into the resource. With grant, we can apply additional requirements such as require MFA, require the device to be marked as compliant (so a non-compliant device is not getting in), or require a hybrid Azure AD joined device, so they're not going to use a personal device but one we control from our corporate network. So you have lots of choices for granting or denying access. Then there are the session controls, such as Use conditional access app control.

Notice we can enable the policy in report-only mode initially, so that instead of blocking anything we just record what the policy would have done, and then enforce it later once we have a sense of its impact. There are additional controls here as well, like sign-in frequency, where we set how often a user has to sign in again, for example at least once every 30 days, measured from their last authentication. So you can track all sorts of things and decide whether to let users in with a conditional access policy.
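The demo condition policy built through Microsoft Graph, as an added example that is not part of the course. The walkthrough mixes a block (high sign-in risk) with a grant (compliant device), and a single policy has only one access control, so it is written as two policies. Both are created in report-only mode first, for the reason the section gives: a mistake in the conditions can lock out the admin who wrote it. For the same reason every policy excludes an emergency-access account. It assumes the Microsoft.Graph PowerShell SDK; the Finance group id and the break-glass account id are placeholders, and the sign-in risk condition needs Azure AD Identity Protection in the tenant.

```powershell
# Added example (not from the course): two report-only conditional access policies via Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$graph          = 'https://graph.microsoft.com/v1.0'
$financeGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: Finance group object id
$breakGlassId   = '22222222-2222-2222-2222-222222222222'   # placeholder: emergency-access account, excluded everywhere

function New-ReportOnlyCaPolicy {
    param([Parameter(Mandatory)][hashtable]$Definition)
    # Monitor first; switch state to 'enabled' once the report-only results in the sign-in log look right
    $Definition.state = 'enabledForReportingButNotEnforced'
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -ContentType 'application/json' -Body ($Definition | ConvertTo-Json -Depth 10)
}

# Policy 1: high sign-in risk -> block, for Finance, on every cloud app and client type
$blockHighRisk = @{
    displayName = 'Demo condition - Finance: block high sign-in risk'
    conditions  = @{
        users            = @{ includeGroups = @($financeGroupId); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('high')
        clientAppTypes   = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: mobile and desktop clients outside trusted locations must come from a
# compliant device and pass MFA. Apple platforms are excluded as in the walkthrough,
# which means iOS/macOS are simply not covered by this policy; cover them separately.
$requireCompliant = @{
    displayName = 'Demo condition - Finance: compliant device + MFA off-network'
    conditions  = @{
        users          = @{ includeGroups = @($financeGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('all'); excludePlatforms = @('iOS', 'macOS') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('compliantDevice', 'mfa') }
}

$p1 = New-ReportOnlyCaPolicy -Definition $blockHighRisk
$p2 = New-ReportOnlyCaPolicy -Definition $requireCompliant
Write-Output "Created in report-only mode: $($p1.id), $($p2.id)"
```

Note that excluding a platform removes it from the policy's scope rather than blocking it; if the intent is "no Apple devices", that is a separate block policy whose platforms condition includes iOS and macOS. Review the report-only outcomes in the Azure AD sign-in log for a week or so before flipping `state` to `enabled`.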

  6. Enrolling Devices for MDM

When you want to enroll a device into mobile device management, you have to look at what type of device you're enrolling. Windows 10 devices have an MDM client built right in. So if you have an Active Directory domain-joined device, you can use Group Policy to enroll it into Intune. If you have an Azure AD joined device, you can set up automatic enrollment so that when a device joins Azure Active Directory it is automatically enrolled into Intune. You can also use the Settings app on a Windows 10 computer to join it manually.

We also have the ability to use a provisioning package, where I pre-create the settings, including MDM enrollment, and deploy that package to the client computer. Or we could go to the Microsoft Store, download the Company Portal app and use that to join the device. For MDM with Intune on an Android device, you go to the Google Play Store and download the Intune Company Portal, which lets us register the device for mobile device management. With iOS it's exactly the same: the Intune Company Portal app is available in the App Store. We can also take advantage of the Apple Device Enrollment Program (DEP), which applies when a company buys its devices directly from Apple or from an authorized Apple reseller; it is only for company-purchased devices.

Those devices can be registered and enrolled in Intune ahead of time, so that when the user starts the device for the very first time it automatically enrolls in MDM and receives policy. We don't have to pre-stage or pre-install anything. But again, that's only for corporate-purchased devices. For an individually owned device, the Company Portal is the only way the user can enroll it.
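A device-side check for the Windows 10 automatic enrollment path described above, added here and not part of the course. It reads the join state from `dsregcmd /status`, the Group Policy values written by the "Enable automatic MDM enrollment using default Azure AD credentials" policy, and any enrollment already recorded under the Enrollments registry key. The registry value names (`AutoEnrollMDM`, `UseAADCredentialType`) and the Enrollments key layout are taken from Microsoft's Windows MDM enrollment documentation but are assumptions here; verify them against your GPO before relying on the output. Run in an elevated PowerShell session on the device.

```powershell
# Added example (not from the course): is this Windows 10 device set up to auto-enroll
# into Intune, and has it enrolled yet?
function Get-MdmEnrollmentStatus {
    $dsreg = & dsregcmd.exe /status
    $field = {
        param($Name)
        $m = $dsreg | Select-String -Pattern "^\s*$Name\s*:\s*(.+?)\s*$" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    }

    # Values written by the auto-enrollment Group Policy (assumed names, see lead-in)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $gpo = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # One GUID subkey per enrollment; entries without a ProviderID are not MDM enrollments
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{ Id = $_.PSChildName; Provider = $p.ProviderID; Upn = $p.UPN; State = $p.EnrollmentState }
            }
        }

    # The enrollment client registers its work under this scheduled-task folder
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AzureAdJoined     = (& $field 'AzureAdJoined') -eq 'YES'
        DomainJoined      = (& $field 'DomainJoined') -eq 'YES'
        MdmUrl            = & $field 'MdmUrl'
        AutoEnrollMdmGpo  = $gpo.AutoEnrollMDM
        CredentialTypeGpo = $gpo.UseAADCredentialType   # 1 = user credential, 2 = device credential (assumed)
        Enrollments       = @($enrollments)
        EnrollmentTasks   = @($tasks).Count
    }
}

$s = Get-MdmEnrollmentStatus
$s | Format-List

if (-not ($s.AzureAdJoined -or $s.DomainJoined)) {
    Write-Warning 'Not joined to anything; neither GPO nor Azure AD auto-enrollment can run.'
} elseif ($s.DomainJoined -and -not $s.AzureAdJoined) {
    Write-Warning 'Domain-joined only; GPO auto-enrollment needs hybrid Azure AD join first.'
} elseif (-not $s.MdmUrl) {
    Write-Warning 'Joined, but no MDM URL was discovered; check the MDM user scope in Azure AD Mobility settings.'
} elseif ($s.Enrollments.Count -eq 0) {
    Write-Warning 'Joined and MDM discovered, but no enrollment recorded yet; trigger gpupdate or wait for the enrollment task.'
}
```

The most common failure this surfaces is the second branch: the device is domain-joined, the GPO is applied, but hybrid Azure AD join never completed, so the enrollment task has no Azure AD token to present. The `MdmUrl` line is populated only when the user or device falls inside the MDM user scope configured under Azure AD Mobility (MDM and MAM), which is the other frequent cause of "the GPO is set but nothing enrolls".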

  7. Monitoring Enrolled Devices

Once you have devices enrolled in mobile device management, we can go into the portal and monitor their status and manage them. Here I am in the Microsoft Intune overview, and you'll note I have a device registered as compliant. I can drill in further: from this screen I click Compliant, and it shows me the devices that make up the compliant count. If I click one of those devices, I get details on the device itself: the device name, the management name assigned to it, who owns the device, the serial number, its status and so on.

Under See more we see the manufacturer and any remote assistance connectors; notice the TeamViewer connector is not configured, so we don't have remote assistance. We can see who the primary user is. I also get the ability to remotely wipe the device, retire it, force it to sync so we get an updated compliance status, restart it, or run Fresh Start, which reinstalls Windows and removes manufacturer-installed apps, optionally keeping the user's data. So we can manage the properties of this device here, and rename it if we want to.

I can assign it to a category if any are set up, change the ownership, and monitor lots of other things, such as the hardware: the operating system version, the amount of storage and so on. Discovered apps shows what apps are on the device. Device compliance: in this case the built-in compliance policy shows an error, and that's because a compliance policy hasn't been assigned to that device yet. So I can start drilling into this to get a sense of exactly what's happening with the device.

Then there is its device configuration, any app configuration policies and security baselines assigned to it (I don't have any assigned), recovery keys if the device had BitLocker, and any managed apps on that device. So by drilling down into the device we get a lot of information on the devices we manage through our mobile device management environment.
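The inventory and remote actions the portal exposes, done through Microsoft Graph so they can be scripted and audited, as an added example that is not part of the course. It assumes the Microsoft.Graph PowerShell SDK and consent to the managed-device permissions; wipe in particular needs the PrivilegedOperations scope. The Graph action names (`syncDevice`, `retire`, `wipe`) map to the portal's Sync, Retire and Wipe buttons; retire is the selective wipe from the first section, wipe is a factory reset.

```powershell
# Added example (not from the course): list enrolled devices with compliance state,
# flag stale ones, and drive the sync/retire/wipe actions with confirmation.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'
$graph = 'https://graph.microsoft.com/v1.0'

function Get-IntuneDevices {
    # Follow @odata.nextLink so large tenants are fully enumerated, not just the first page
    $uri = "$graph/deviceManagement/managedDevices?`$select=id,deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,isEncrypted,jailBroken,lastSyncDateTime,managedDeviceOwnerType"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) { [pscustomobject]$d }
        $uri = $page.'@odata.nextLink'
    }
}

$devices = Get-IntuneDevices

# The same breakdown as the overview tiles (compliant / noncompliant / unknown ...)
$devices | Group-Object complianceState | Select-Object Name, Count

# A device that reports "compliant" but has not checked in for weeks is reporting
# stale state; treat it as unknown when reviewing who is getting through conditional access
$stale = $devices | Where-Object { [datetime]$_.lastSyncDateTime -lt (Get-Date).AddDays(-30) }
$stale | Select-Object deviceName, userPrincipalName, complianceState, lastSyncDateTime | Format-Table -AutoSize

function Invoke-IntuneDeviceAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][ValidateSet('syncDevice', 'retire', 'wipe')][string]$Action
    )
    # retire = remove company data and management only; wipe = factory reset of the whole device
    if ($PSCmdlet.ShouldProcess($DeviceId, $Action)) {
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$DeviceId/$Action" `
            -ContentType 'application/json' -Body '{}'
    }
}

# Force a check-in on every stale device; sync is harmless, so skip the prompt
foreach ($d in $stale) { Invoke-IntuneDeviceAction -DeviceId $d.id -Action syncDevice -Confirm:$false }

# Selective wipe of a single device: prompts because ConfirmImpact is High
# Invoke-IntuneDeviceAction -DeviceId $devices[0].id -Action retire
```

Because every call goes through Graph, these actions show up in the Intune audit log with the acting account, which is what you want for wipes: the portal button and the script leave the same trail. Resolve the `lastSyncDateTime` gap before acting on compliance state; a device that has not synced cannot have evaluated the policy you just assigned.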
