Microsoft Business Premium Implementation Guide – Part 3 of 7

Part 3: Secure Devices

Before we continue, let's confirm a few things:

1. All steps have been implemented from Part 2.

2. Onboard Existing AD Joined PCs or AAD Join PCs

One of the most important tasks involved in securing remote work is onboarding devices into Azure AD and Intune (MDM). It’s vital to have visibility into the devices owned by the business, because you can’t secure what you can’t see.
Options:
Changes Communicated:

If user computer profiles change as a result of moving from AD to AAD, end users will need to know what to expect so they can log in without issues.

3. Onboard iOS & Android Devices

To provide secure access to company email, data, and apps, mobile devices need to be onboarded into Intune to allow for Mobile Device Management. With the continued use of "BYOD", users can access company data from their personal devices by default unless further action is taken; the goal is to control that access without eliminating productivity.
Options:
Changes Communicated:

There are different paths for iOS vs. Android devices. How-to information will need to be provided to end users so they can enroll their devices. Further touchpoints will be necessary to confirm all users have enrolled their devices before any lockdown policies take effect.

4. Deploy Microsoft 365 Apps via Intune

Before we can configure, assign, protect, or monitor apps, we need to add them to Microsoft Intune, which allows us to deploy the apps to enrolled devices en masse. We need to determine what apps or app types you would like to be available.
Options:
Changes Communicated:


If a custom policy is selected that reduces the set of applications available to users, end users may need to be notified.

5. Enable Enterprise State Roaming

Enterprise State Roaming provides users with a unified experience across all Windows devices and reduces the time needed to configure a new device. User data and settings are synchronized across devices, and the data is stored in a centralized location under the control of the organization. This feature is useful for organizations with employees who frequently use multiple devices (hybrid workers), because it reduces manual configuration on each device.
Options:
Changes Communicated:

If enabled, users who work across multiple devices should be made aware of this feature so they can take advantage of it. The device must be AAD joined in order for this feature to function.

6. Configure App Protection Policies for Company Owned PCs (WIP)

With the increase of employee-owned devices, there is also an increasing risk of accidental data leaks through apps and services like email, social media, and the public cloud, which are outside of the company's control. For example, an employee might send the latest engineering pictures from their personal Gmail account or save a recent sales spreadsheet into a third-party cloud storage service like Dropbox.
Options:
Changes Communicated:

It is at the decision makers' discretion whether and how to notify end users of these company policies. The notification may already be provided through a company policy manual, but this configuration would enforce that policy.

7. Block / Allow Access From Employee Owned Mobile Devices

Do you want to allow employees to access company data from their personal devices? If so, an app protection policy still provides control: for example, if an employee leaves, business data can be removed from a protected app without impacting the user's personal data and apps. Mobile application management (MAM) does not require device management, so app policies can protect company data regardless of whether the device is managed.
Options:
Changes Communicated:


Depending on the protection framework selected, instructions and "what to expect" emails will need to be provided, as usage from mobile devices may change (for example, a PIN requirement).

8. Block / Allow Access from Employee Owned PCs

Should employees be able to access company data from their personal computers?
Options:
Changes Communicated:

If access is going to be revoked in any way that differs from what is already in place, communication about the new company policy needs to be spread across the organization, along with explanations of how to access data securely while remote.

9. Enable Device Configuration Profiles

Configuration profiles allow standardized device settings, such as device features, security controls, certificates, VPN, and Wi-Fi profiles, to be applied across all your devices.
Options:
Changes Communicated:

Depending on the options selected, especially security, changes may need to be communicated to the end users.

10. Provision New / Refresh / Repurpose Company PCs

Windows Autopilot streamlines the process of setting up, resetting, and repurposing Windows devices. We can utilize this tool to provision and customize the settings of a new, refreshed, or repurposed PC by defining global settings for devices within your organization to follow (applications installed, available networks, file access, etc.).
Options:
Changes Communicated:

In order for this to work correctly, all computers will need to be purchased through The Miller Group due to this being set at the supplier level.

11. Enable Device Compliance Policies

Rules and settings need to be determined to establish what it means for a device to be compliant. For example, we can create a policy that requires a minimum OS level and BitLocker encryption to be turned on before allowing access to Microsoft 365.
Options:
Changes Communicated:

Depending on what is enabled or disabled, notifications about the changed expectations and the new company policies will need to be provided to end users.
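The compliance policy described above (minimum OS level plus BitLocker required) can be created through Microsoft Graph. This is an added example, not part of the guide; it assumes the Microsoft.Graph PowerShell module, an account with Intune configuration rights, and placeholder values for the OS baseline and the target group ID.

```powershell
# Added example: create and assign a Windows 10 compliance policy via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the caller can consent to the scope.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type'    = '#microsoft.graph.windows10CompliancePolicy'
    displayName      = 'Windows 10 - Minimum OS and BitLocker'
    description      = 'Constructed example: minimum OS build and BitLocker required for M365 access'
    osMinimumVersion = '10.0.19041'   # assumption: adjust to the baseline your organization sets
    bitLockerEnabled = $true          # the BitLocker requirement from the example above
    # Graph requires at least one scheduled action; 'block' with a 0-hour grace period
    # marks a device non-compliant as soon as it fails a rule.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy

# Assign the new policy to a device or user group. The group ID is a placeholder.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<TARGET-GROUP-ID>' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment

Write-Host "Created compliance policy $($created.id) and assigned it to the target group."
```

Pair the policy with a Conditional Access rule that requires a compliant device, otherwise a non-compliant mark has no effect on Microsoft 365 access.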

12. Set Up Windows Hello for Business (WHFB)

WHFB replaces the use of passwords on your computers with strong MFA to prevent unauthorized access. It consists of a user credential that is tied to the device and uses biometric or PIN data to log in.
Options:
Changes Communicated:

1. Existing computer inventory will need to be taken to determine the current authentication options available (facial recognition, fingerprint scanner, FIDO key). Additional purchases may be required based on the computer inventory.

2. This action will need to be scheduled with all users once the appropriate hardware requirements have been determined. All users must be aware and follow the instructions or they may be unable to login to their computers.

13. Enable BitLocker Policy (for Windows) & FileVault (for macOS)

BitLocker and FileVault can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. These drives can only be decrypted using a key that is stored in a secure place accessible only to administrators. If an attacker does not have the key, they will not be able to read the data on the drive.
Options:
Changes Communicated:

This can be done in the background for devices running an updated version of Windows 10 that have TPM 1.2 or higher.

If devices don't meet the TPM 1.2 requirements, then a separate process will need to be worked through using a USB flash drive.
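To sort the existing inventory into the two paths above (background enablement vs. the USB startup-key process), each device's TPM specification version and current BitLocker state can be read locally. This is an added example written for this guide, not the guide's own tooling; it assumes it is run elevated on the Windows 10 device being assessed and that the built-in TrustedPlatformModule and BitLocker modules are available.

```powershell
# Added example: report whether a device meets the TPM 1.2+ requirement for
# background BitLocker enablement and summarize the OS drive's BitLocker state.
# Run in an elevated PowerShell session on the device being assessed.
function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the TPM specification version we compare against 1.2.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = $null
    if ($tpm) {
        try { $specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim()) } catch { }
    }
    $meetsTpm12 = ($null -ne $specVersion) -and ($specVersion -ge [version]'1.2')

    # Current protector and encryption state of the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector.KeyProtectorType)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TpmPresent           = [bool]$tpm
        TpmSpecVersion       = $specVersion
        TpmEnabledAndActive  = if ($tpm) { $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue } else { $false }
        MeetsTpm12Requirement = $meetsTpm12
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        HasTpmProtector      = $protectorTypes -contains 'Tpm'
        HasRecoveryPassword  = $protectorTypes -contains 'RecoveryPassword'
        # Devices without a usable TPM 1.2+ fall into the USB startup-key process.
        EnablementPath       = if ($meetsTpm12) { 'Background (TPM)' } else { 'Manual (USB startup key)' }
    }
}

Get-BitLockerReadiness | Format-List
```

Devices that report a TPM protector but no RecoveryPassword protector should have a recovery password added and escrowed before the policy is enforced, so administrators hold the key the section above relies on.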

STOP!

Let's complete the action items in this section and reconvene as soon as possible.

Our Responsibility:
Your Responsibility: