Whether you’re transitioning to a BYOD (bring your own device) policy, or you’re provisioning laptops, tablets, and mobile devices as usual and shipping them to remote workers, you need to find a way of ensuring standardization and compliance across those devices. Not only that, but you need to do so in a manner that’s cost- and time-effective and doesn’t place a huge burden on your IT staffers. In other words, you need mobile device management (MDM).
If you’re already a Microsoft user, your best bet in the MDM department is likely going to be Microsoft Intune. It’s part of the larger Office365 suite, and it offers powerful remote management capabilities. The result is that IT staff can set things like password requirements, encryption standards, and VPN settings in order to keep devices secure while enforcing uniform standards across the board. As an added bonus, tasks that used to be done manually (e.g. setting up a new user device) can now be automated, which cuts down significantly on labor time (from an hour to a matter of minutes in the case of a new device setup, for instance).
All that being said, Intune can also be quite complex, with a host of different possible configuration options that your IT team will have to grapple with (unless you choose to outsource configuration and management to a group of cloud device management experts). Hopefully, these best practices will give you enough of a bearing to get started grappling with that complexity.
1. Conditional Access
Chronologically, the first thing you’ll need to deal with is enrollment settings, which you’ll find in the next section. But before we talk about that, we’re going to talk about conditional access. Conditional access is basically what it sounds like: a policy you set that says that device users in a particular group or with a particular profile cannot access corporate email or other cloud apps unless their devices meet certain conditions. These conditions might include:
- Password length, complexity, and expiration requirements
- Running the most up-to-date versions of particular apps
- Having a secure or specially-provisioned Wi-Fi connection
- Not running any unauthorized or unapproved apps
- Utilizing two-factor authentication or MFA (multi-factor authentication)
The right set of policies for conditional access will depend on the exact nature of your business and its threat model (more highly regulated businesses will often have more conditional access requirements), but it’s crucial to keep this concept top-of-mind as you go through other best practices and configuration passes. You should continually ask yourself what actions you want different users or device groups to take—or not take—across the board in order to create the optimal user experience on your network. With this consideration at the fore, you’ll be able to maximize the value of your deployment.
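To make the conditions listed above concrete, here is an added example (not code from the original post or from Microsoft) that uses the Microsoft Graph PowerShell SDK to create a Windows compliance policy carrying the password, encryption and OS-version requirements, assign it to a device group, and then create a conditional access policy that blocks Office 365 access unless the device is marked compliant and the user has completed MFA. The group ID, the minimum OS build, the password values and the policy names are placeholders or assumptions; the cmdlets, Graph resource types and property names are the documented ones.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin holds the listed scopes.
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.SignIns

# Placeholder: object ID of the Entra ID group whose users/devices are in scope.
$TargetGroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess'

# 1. Compliance policy: the device-side conditions (password, encryption, OS).
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Corp baseline - Windows'          # assumed name
    description              = 'Password, encryption and OS version requirements'
    passwordRequired         = $true
    passwordMinimumLength    = 12                                  # assumed value
    passwordRequiredType     = 'alphanumeric'
    passwordExpirationDays   = 90                                  # assumed value
    osMinimumVersion         = '10.0.19044'                        # assumed minimum build
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    storageRequireEncryption = $true
    # Graph requires at least one scheduled action: what happens to a device
    # that is non-compliant. Here: mark it blocked after a 24-hour grace period.
    scheduledActionsForRule  = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24 }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Assign the compliance policy to the target group via the /assign action.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assignment

# 2. Conditional access: Office 365 is reachable only from a compliant device
#    AND after MFA. Start in report-only mode so sign-in logs show the impact
#    before anyone is actually blocked.
$ca = @{
    displayName   = 'Require compliant device and MFA for Office 365'   # assumed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($TargetGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('compliantDevice', 'mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
```

Two design choices matter here. The grant operator is AND, so a device that is compliant but whose user skipped MFA is still refused; switching it to OR would let either control satisfy the policy, which is rarely what a "compliant device plus MFA" requirement means. And the policy is created in report-only state on purpose: review the conditional access sign-in report for a few days, then flip `state` to `enabled` once the blocked sign-ins are the ones you expect.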
2. Microsoft Intune Enrollment
While you’re thinking about the right conditional access policies to set, you can also set up your device enrollment flow. You’ll want to audit the variety of devices that you’ll be enrolling on your network, then make sure that you’re able to meet the enrollment requirements for each type of device.
- Apple devices: Apple devices require you to set up an Apple Push Notification service (APNs) certificate with Apple, which then has to be renewed every year. Here, you’ll need to give Microsoft permission to send user and device data back to Apple, then create and upload the relevant certificate. You can learn more from Microsoft’s documentation here.
- Android devices: With Android devices, Intune admins will need to connect a managed Google Play account in order to enable Android Enterprise. Read more here (note that the steps are slightly different if someone is using a personal device as part of a BYOD program).
- Windows 10 devices: These will offer a handful of automated enrollment options (since they’re ostensibly already integrated within Microsoft’s larger platform), which Microsoft will walk you through as needed.
This is a basic building block to get your Intune usage off the ground. Without taking the requisite steps to actually enable device enrollment, you can set the world’s most sophisticated policies and none of them will actually be enforced on your network. For businesses that are slow to work through the ins and outs of these basic enrollment steps, there’s a significant chance of disruption and rework as the process moves forward.
3. Security Baselines
Simply put, most businesses aren’t cybersecurity experts. Even companies that have development teams on staff might not have the specialized knowledge required to fully assess and implement their security needs—especially when it comes to something as specialized as remote device management settings. Luckily, Microsoft has a set of pre-configured “Security Baselines” that admins can create for different groups or users in order to start out with a foundational configuration that’s robust enough to ensure high security standards. These baselines work as a starting point for admins who want to tweak configurations further—but they’re often perfectly workable settings on their own. And, what’s more, Microsoft updates them on a regular basis to conform to the latest security guidelines.
As Microsoft puts it in their documentation: “[These baselines are] built as a generic infrastructure that allows customers to eventually import other security baselines based on CIS, NIST, and other standards. Currently, it's available for Windows and will eventually include iOS/iPadOS and Android.” In other words, again, these can act as a starting point, even in specialized industries that require additional security configurations. As such, giving these Security Baselines a thorough audit and considering them as starting points is very much a best practice.
4. Firewall Configuration
Okay, we’ll admit that this is on here in part because it’s an issue we’ve come across unexpectedly, and solved successfully. You can get the full rundown for configuring Intune in an environment with restrictive firewalls in this post, but the upshot is that integrating with firewalls is one of those areas where Microsoft’s documentation is sometimes hard to parse or not entirely complete. Thus, in our Azure expert’s first attempts to set up Intune in a particular environment, the system wouldn’t recognize that a given endpoint had a valid connection, even though the right sites had been whitelisted. Eventually, it became apparent that Microsoft was using another site to check the endpoint’s connection, and that site had to be on the whitelist as well before the system would actually connect.
Since a large number of businesses use firewalls for precisely the same reasons that they’re inclined to use MDM—increased standardization, cutting down on risky online behavior that could jeopardize corporate data—it’s not terribly uncommon to find that these two systems have to interact with one another. Thus, there’s a real potential pitfall here for admins or IT teams that don’t know to look out for this issue. At the same time, it also serves as a helpful reminder of the kinds of troubleshooting situations that any team is likely to encounter at least occasionally with a technology like Intune. Some problems will be easy to resolve through common sense, while others may remain thorny even after a lot of time and mental effort has been thrown at them. In cases like these, it can be valuable to search outside your own enterprise for an expert eye.
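The failure described above (one hostname missing from the allowlist, so enrollment silently never completes) is easiest to catch before devices are shipped. The following is an added example, not code from the original post, that runs from a Windows machine on the restricted network segment and reports which Intune-related hostnames the firewall does not let through on port 443. The hostname list is an illustrative starting set drawn from Microsoft’s published Intune network-endpoint documentation; that documentation is the authoritative source and the list should be extended for your tenant.

```powershell
# Added example, not part of the original post. Requires the NetTCPIP module
# (Test-NetConnection), present on Windows 8.1 / Server 2012 R2 and later.

# Illustrative starting set; extend from Microsoft's Intune endpoint docs.
$IntuneHosts = @(
    'login.microsoftonline.com'           # sign-in / token issuance
    'enterpriseregistration.windows.net'  # device registration
    'manage.microsoft.com'                # Intune management service
    'portal.manage.microsoft.com'         # Company Portal
    'graph.microsoft.com'                 # Graph, used by Intune tooling
)

function Test-IntuneEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # A completed TCP handshake on 443 shows the firewall permits the path.
    # It does not prove the TLS session or the Intune authorization succeed;
    # it isolates the "is it even reachable" question the post ran into.
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $HostName
        Port     = $Port
        Resolved = [bool]$r.RemoteAddress   # DNS worked (or was not blocked)
        TcpOpen  = $r.TcpTestSucceeded      # handshake completed
    }
}

$results = $IntuneHosts | ForEach-Object { Test-IntuneEndpoint -HostName $_ }
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ('Blocked or unresolved: ' + ($blocked.Host -join ', '))
    Write-Warning 'Add these to the outbound allowlist before enrolling devices.'
    exit 1
}
'All listed Intune endpoints are reachable on 443.'
```

Run it from the same VLAN and with the same proxy settings the end-user devices will have; a result from an admin workstation on a less restricted segment tells you nothing about what an enrolling laptop will see. When a host shows `Resolved = False`, the problem is usually DNS filtering rather than the packet filter, which is a different allowlist to fix.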
Does It Make Sense to Outsource Mobile Device Management on Intune?
In the paragraph above, we gave a piece of advice that some readers may have been surprised to hear. “Intune is supposed to be an easy, labor-saving addition to our cloud-based ecosystem,” you might say, “So why should we have to seek out help with getting our configuration and deployment right?” It’s a reasonable question—but it’s the wrong question.
The right question is: what’s the most efficient, scalable, and cost-effective way to manage a network of mobile devices spread across a variety of physical locations? Using Intune certainly increases the efficacy with which you’re able to do that, but when you don't have expert resources, real efficiency isn’t guaranteed. Yes, Intune will still save time, but it won’t realize its full time-saving potential, and you’ll run a higher risk of future time and resources being spent on rework for any number of reasons: a work stoppage due to a misconfiguration in a particular device group, a data governance lapse because of how applications were configured on particular devices, etc.
At the end of the day, if you can cut down on rework and security lapses by partnering with an outside agency, that might easily represent the most cost-effective approach to managing your device network in the long run. Even in the short term, MDM experts with considerable cloud knowledge will be your best bet for quick integration, configuration, deployment, and ongoing device management, which means that you can deploy your internal resources more strategically. The result is that you can focus on creating cost optimization opportunities elsewhere, while your devices run smoothly in the background.
Learn More About Intertec's Cloud Solutions:
Intertec’s teams have hands-on experience and expertise with mobile device management and Microsoft Intune in particular. We bring considerable cloud and MDM expertise to the configuration and active management of your entire mobile device network at a fraction of the cost of doing so in-house. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!