A lot of companies are using Microsoft 365 these days, which means that they’re using a lot of Microsoft’s cloud-based tools and services. It’s a lot of great stuff, but it’s also a lot of stuff to manage and keep track of. That’s why it’s so important to know how to use Microsoft 365 efficiently and effectively. There are tons of ways to maximize efficiencies with Microsoft 365, and one valuable but often overlooked add-on is device management with Microsoft Intune and Microsoft Azure. Device management is defined by Microsoft as “A key task of any Administrator…to protect and secure an organization’s resources and data on devices in their organization.” Ideally, if you are having employees or team members access your company network or data, knowing what devices and programs they are accessing is essential to providing proper security to prevent security issues or breaches. In this overview of device management with Microsoft 365, we’ll briefly explain the reasons to enable and work with Intune and Azure, as well as a case study our team developed to demonstrate its usefulness. To learn how to set up the process for your team, or consult an expert to set it up for you, contact us directly!

How to Set Up Device Management Policies within Microsoft 365

When an employee joins your company, it’s important to quickly set up rules about who, when, and where employees are permitted to use company computers and smart devices like tablets or phones. Doing so ensures that they are only accessing corporate data and won’t do anything malicious. Additionally, many employees don’t realize that they can install software onto their work computer without permission. This is problematic because these programs are capable of capturing or transmitting documents, emails, and other communications. It’s possible for someone else to steal valuable company documents, send spam emails, or listen in on meetings. To avoid being vulnerable to attacks like this, you’ll want to properly manage company computers. Fortunately, you can configure Microsoft 365 to let employees create policies that restrict what is allowed to run on their personal computers. Let’s dive a little into what you can do with Microsoft Azure and Intune.

Device Management: Benefits of Microsoft 365 Azure

Device Management and Active Directory

The most common (and useful) aspect of Azure is Active Directory. Active Directory allows the IT admin in an organization to “help your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.” It both catalogues and restricts users on the network, and additionally restricts users on each device to proper company programs (e.g. blocking social media or malicious downloads).

Eliminate Device Spoofing

If users are accessing a device that shouldn’t be accessed, it might not actually be located where everyone thinks it is. For example, if people aren’t accessing their computers through their home or office networks, and instead are connecting using a public Wi-Fi hotspot, this could expose those PCs to attacks, and the IT admin with Azure access can restrict this type of access.

Eliminate Phishing Attacks on Mobile Phones

If people aren’t physically interacting with their mobile phones while they are online, then attackers are going to assume that there won’t be anybody monitoring them for suspicious activity. Therefore, the chances that malicious code will enter a person’s phone are much lower. Azure also allows for remote enabling of MFA, doubly ensuring each person accessing devices is the actual approved employee.

Prevent Unauthorized Access of Personal Information

Device management software gives IT admins tools that can reduce the risks associated with sharing sensitive information by making sure that only authorized people have access to your network. If people were allowed to look at personal customer records, for example, that would leave them vulnerable to identity theft. Device management is a valuable tool for IT administrators, allowing them to improve productivity and decrease operational downtime while minimizing the risk of cyberattacks.

When IT administrators implement secure device management, they can help reduce risk and increase efficiency of user interaction within organizations. If you have access to Microsoft 365 Business Edition, you have an opportunity to learn how to leverage features and functionality that make device management easier, safer, and more effective. Check out https://docs.microsoft.com/en-us/business-cloud/modernize/device-management for more details on Microsoft’s new approach to managing devices.

Device Management: Benefits of Microsoft 365 Intune

Intune, though also an IT admin tool, has a different function than Azure. Azure can be thought of as a way of digitally managing physical devices, while Intune is a way to digitally manage the software and applications on the devices. Intune’s purpose, by Microsoft’s definition, is “to secure proprietary data that users access from their company-owned and personally owned devices. Intune includes device and app configuration policies, software update policies, and installation statuses (charts, tables, and reports).” Intune is a handy tool when a company wants to create a policy for devices: certain programs must be updated by certain dates, patches are automatically sent to devices to update security breaches, and more. Essentially, it makes company computers as uniform and up to date as possible to restrict malicious activity (whether deliberate or accidental).

Turn On/Off Automatic Updates

When setting up policies, the first thing you’ll want to do is disable or enable automatic updates on all company computers. Keep in mind that a rogue program can get installed onto these machines since they automatically update. To disable automatic updates, go to Security & Compliance > Configure Apps. After selecting the “Applications and Features” section, scroll down to find the “Allow automatic updating” box. Check/uncheck this box so the machine isn’t automatically updated.

Add Software Restriction Policy Roles

To add policy roles, select the top menu item and choose System App Pane > Users, Groups, or Roles > Role definitions. Then, click + Select roles. From there, search for users, groups, or roles. Drag these selections into one of the policies listed below under Software Restriction Policies. Once complete, you may see the policy appear next to the selection bar, allowing you to start configuring the rule settings.

Create Device Group Policies

You may want to block certain programs based on the type of client device. For instance, you can block any program downloaded from the web that requires additional permissions (which includes many antivirus tools). You can also limit the capabilities of programs installed from the OS store. If you want to further restrict access, you may want to block employees from installing applications directly on a particular device. For example, you can tell employees they must request approval from IT before they are permitted to install any apps.

Create Personal Profile Settings

You should also enforce policies that are specific to the user’s profile settings. This will mean that an individual’s privacy settings will be enforced as well. In addition to allowing specific application controls, you should also require the option of turning off telemetry. For example, there are some apps available through the Microsoft Store which record everything you are doing while using the app.

Device Management is Important for Network Health

Device management allows IT administrators to remotely manage PCs, tablets, phones, printers, and even network hubs, switches, and routers! If you’ve been around computers since the DOS days, this may sound like pretty big stuff. But, when properly planned and executed, it’s a really valuable tool to use. It can make your network operate more efficiently because administrators can take immediate action whenever problems arise. However, just because administrators can access your computers in real time doesn’t mean they shouldn’t be secured.

Fidato Intune and Azure Case Study: Read Here