One of the most important tasks involved in securing remote work is onboarding devices into Azure AD and Intune (MDM). It’s vital to have visibility into the devices owned by the business, because you can’t secure what you can’t see.

To provide secure access to company email, data, and apps, mobile devices need to be onboarded into Intune to allow for Mobile Device Management. With the continued use of “BYOD”, users can access company data from their devices by default unless further actions are taken to further control their access with the goal of not eliminating productivity.

Before we can configure, assign, protect, or monitor apps, we need to add them to Microsoft Intune which allows us to deploy the apps to enrolled devices in mass. We need to determine what apps or app types you would like to be available.

Provides users with a unified experience across all Windows devices and reduces the time needed for configuring a new device. User data and settings are synchronized across devices, data is stored in a centralized location and under the control of the organization. This feature can be useful for organizations with employees who frequently use multiple devices by reducing manual configuration on each device (hybrid workers)

With the increase of employee-owned devices, there’s also an increasing risk of accidental data leak through apps and services like email, social media, and the public cloud, which are outside of the company’s control. For example, when an employee sends the latest engineering pictures from their personal gmail account or saves a recent sales spreadsheet into their 3rd party cloud storage service like DropBox.

Do you want to allow employees to be able to access company data from their personal devices? For example, if an employee leaves, this protection policy can allow for business data to be removed from a protected app without impacting the user’s personal data and apps. Mobile app management (MAM) doesn’t require device management therefore app policies can protect the company data regardless if the device is managed.

Should employees be able to access company data from their personal computers?

Configuration profiles allow standardized devices settings like device features, security controls, certificates, VPN, and Wi-Fi profiles across all your devices.

Windows Autopilot streamlines the process of setting up, resetting, and repurposing Windows Devices. We can utilize this tool to provision and customize the settings of a new/refreshed/repurposed PC by setting up specific global settings for devices within your organization to follow (applications installed, available networks, file access, etc).

What rules and settings need to be determined to establish what it means for a device to be compliant. For example, we can create a policy that requires a minimum OS level and Bitlocker encryption turned on before allowing access to Microsoft 365.

WHFB replaces the use of passwords on your computers with strong MFA to prevent unauthorized access. This consists of a user credential that tied to the device and uses biometric or PIN data to successfully login.

BitLocker and FileVault can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. These drives can only be decrypted using a key that is stored in a secure place only for administrators to access. If the attacker doesn’t have the key, then they will not be able to read the data on the drive.