
How to Create the Right MDM Policies in Office365

November 24, 2020 / by Mark McLoud

Months and months into the pandemic, the reality of a distributed workforce is starting to become clear. Users working on their own devices in a BYOD context aren't always as scrupulous about setting and updating strong passwords; their home Wi-Fi networks aren't as secure as what's back at the office; data loss prevention policies aren't being adhered to strictly; and all of it is increasing your risk.

You need a way to manage these devices (and/or the applications that run on them) remotely, and luckily, if you're an Office365 user, you have some ready-made options for doing just that. But how do you choose the right option, and how do you dive into the nitty-gritty once you've made your choice?


Microsoft Intune vs. Basic Mobility and Security

First things first, you’ll need to figure out whether Microsoft’s Basic Mobility and Security functionality is enough to meet your needs, or whether you’ll want to utilize Intune, Microsoft’s full-fledged MDM (mobile device management) solution. This will depend on what types of devices you’re working with and what types of actions you’d like to be able to take remotely on those devices.

  • Basic Mobility works on: Windows 10, iOS, Android, Android Samsung KNOX
  • Intune supports: Windows 10, iOS, Android, Android Samsung KNOX, Android Enterprise, macOS, iPadOS

This part is pretty straightforward—if you’re only utilizing devices supported under Basic Mobility, you may not need a full-blown Intune account. If you need support for operating systems that Basic Mobility doesn’t cover, then Intune is your best bet.

When we get to actual functionality, there’s a bit more nuance to consider. Basic Mobility will support a fair number of actions, including:

  • Setting device compliance (with some limitations) around pins, jailbreak detection, etc. and keeping noncompliant devices from accessing email in the cloud
  • Configuring some device settings
  • Remotely retiring, wiping, or deleting devices
  • Provisioning native email accounts on devices

In short, it lives up to its name: if you have a relatively homogeneous mix of devices in use across your operation, and you don't need too much granularity in your controls (in the next section, we'll discuss how much granularity you actually need based on your business), then this can be a quick and simple solution to the challenges that crop up in device management with a remote workforce.

If this doesn’t seem like enough, then Intune has a number of additional capabilities that you might need or want:

  • Prevent noncompliant devices from accessing corporate data (beyond email) in the cloud
  • Autopilot reset (on Windows)
  • BitLocker key rotation (on Windows)
  • Fresh start (Windows only)
  • Disable activation lock (on iOS)
  • Locate device or activate lost mode (on iOS)
  • Perform a full scan (for Windows 10)
  • Perform a quick scan (for Windows 10)
  • Remote control for Android
  • Remote lock
  • Rename device
  • Reset passcode or Windows 10 PIN
  • Restart (on Windows)
  • Update Windows Defender Security Intelligence (Windows only)
  • Send custom notifications (Android, iOS, iPadOS)
  • Synchronize devices
  • Provision native Wi-Fi and VPN profiles on devices
  • Application management and protection (e.g. pushing business apps directly from the app store to the device; restricting functions like copy and paste in certain apps in order to enforce data loss prevention policies)
  • Managed web browsing via Edge
  • Bulk, zero-touch device enrollment

There’s obviously a big difference in the amount of functionality offered by these two offerings. If your gut reaction looking at the list of capabilities for Intune above is that your outfit doesn’t need that level of sophistication, that’s fine. On the other hand, if you’re seeing a lot of the tasks that your IT department would normally perform for device management at the office, Intune may be a safer bet.


What Are the Right MDM Policies for Your Business?

For some of you, there's an obvious choice to be made between the two options presented above. For others, it might depend on what MDM policies would actually best fit with your business. This is going to depend on your size and industry more than anything.

  • Industries like insurance and banking that have myriad compliance and data governance requirements will often necessitate more robust policies. If, for instance, you require all messages that traverse your back-office ecosystem to be encrypted, it’s crucial that you be able to set and enforce an encryption policy remotely. If your people are working with sensitive data, it might be critical to restrict their copy and paste privileges in particular apps, for instance.
  • In larger companies with multifaceted workforces (e.g. companies that have significant development resources but also a brick-and-mortar presence), you might need to divide user devices into different groups. Some device profiles might be designated as point-of-sale devices—which you might set to automatically receive PoS system updates and to otherwise have a highly restrictive environment—while others might be established in a management group that enforces password length requirements but offers users more flexibility in terms of how they use their devices.
  • Then, there are a number of industry-specific features that Intune offers that you might be in a position to take advantage of. OEMs, for instance, can use an add-on app (OEMConfig) that's built with native functionality specific to the industry. This has the potential to save a lot of configuration effort, if you're aware that it exists.

There’s also the question of whether to manage usage on the application or the device level. When users are utilizing their own home devices for work, they may be less inclined to provide unfettered device access to a remote administrator. In this case, you can set compliance standards and regulations for particular applications instead. In this way, you’re able to maintain some level of standardization in terms of security, data governance, etc., while your distributed workforce is able to maintain control over their own laptops, phones, and tablets.

At the end of the day, there aren't a lot of one-size-fits-all answers for setting the right policies. You need to assess your current device landscape; consider what your device policies were when everyone was in the office; assess whether those actually helped you achieve standardization, boost efficiency and achieve better security; and, ultimately, put forward a vision of how you want users to access your cloud infrastructure.


How to Actually Set Policies

All of the considerations that we laid out above might seem daunting, and, to be sure, there is a lot to consider. But, at the end of the day, Intune or another MDM solution can save you a ton of time and money while allowing you to scalably maintain consistent standards across a whole host of different devices. Not only can you prevent security breaches by gaining a more comprehensive, granular overview of compliance across devices and profiles, you can rapidly speed up the device provisioning, configuration, and setup processes. The result is smarter, more cost-effective device management all around.


And, as it happens, once you've decided on a policy to set in a particular area, it's not too hard to actually implement it. If, for instance, you decide to set a compliance policy for specific devices, you simply enter the admin portal and navigate to Devices and then Compliance policies.

  • Select a platform and policy type, then click Create.
  • From there, click on New policy and give the policy a relevant name.
  • Here, you'll go through the various available tabs to give the relevant information. Fill out the required information on the Compliance settings tab.
  • On the Locations tab, you can specify location-based triggers for the compliance policy if needed.
  • Under Actions for noncompliance, you can specify what happens if your devices aren’t in compliance with the new rule.
  • Add Scope tags as desired to make it easier to filter policies.
  • Then, on the Assignments tab, assign the policy to the relevant groups.
  • From there, review the policy and click

You’ll also have the option to set an appropriate cycle time and grace period if necessary. Then, you can navigate back to the admin portal to see the compliance status of each relevant device (see here for more granular instructions). In this way, you’re able to gain insight into all your endpoints at once, and even run analytics on them to get a clearer picture of compliance for your various policies.
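The same policy the portal steps above produce can be created through the Microsoft Graph API, which is handy once you have more than a handful of policies or want them under version control. This is an added example, not code from the original post or from Microsoft; it assumes the v1.0 Graph endpoint, an access token obtained elsewhere, and constructed group ids, and it adds a small pre-assignment review that the portal does not do for you.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: v1.0 endpoint; token obtained elsewhere

def build_windows10_compliance_policy(name, min_pin_length=6, grace_period_hours=24):
    """Compliance settings plus 'Actions for noncompliance' for one Windows 10 policy."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": name,
        "passwordRequired": True,
        "passwordMinimumLength": min_pin_length,
        "bitLockerEnabled": True,
        "secureBootEnabled": True,
        # Block access to cloud resources once the grace period has expired.
        "scheduledActionsForRule": [{"ruleName": "PasswordRequired",
                                     "scheduledActionConfigurations": [
                                         {"actionType": "block", "gracePeriodHours": grace_period_hours}]}],
    }

def policy_problems(policy):
    """Pre-assignment review: the findings a defender would want fixed first."""
    actions = [c for rule in policy.get("scheduledActionsForRule", [])
               for c in rule.get("scheduledActionConfigurations", [])]
    problems = []
    if not any(c.get("actionType") == "block" for c in actions):
        problems.append("no 'block' action: noncompliant devices keep their access")
    if policy.get("passwordRequired") and policy.get("passwordMinimumLength", 0) < 6:
        problems.append("PIN/password minimum length below 6")
    if not policy.get("bitLockerEnabled"):
        problems.append("BitLocker (disk encryption) not required")
    return problems

def assignment_body(group_ids):
    """The Assignments tab: target the policy at Azure AD groups by object id."""
    target = "#microsoft.graph.groupAssignmentTarget"
    return {"assignments": [{"target": {"@odata.type": target, "groupId": g}} for g in group_ids]}

def submit_policy(policy, group_ids, access_token):
    """POST the policy, then assign it (token needs DeviceManagementConfiguration.ReadWrite.All)."""
    if policy_problems(policy):
        raise ValueError(policy_problems(policy))  # refuse to ship a policy that fails review
    def post(url, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    created = post(f"{GRAPH}/deviceManagement/deviceCompliancePolicies", policy)
    post(f"{GRAPH}/deviceManagement/deviceCompliancePolicies/{created['id']}/assign", assignment_body(group_ids))
    return created["id"]
```

Calling `submit_policy(build_windows10_compliance_policy("BYOD baseline"), ["<group-object-id>"], token)` creates and assigns the policy in one step; the review in `policy_problems` runs first so a policy with no blocking action never reaches the tenant.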


What’s the Most Efficient Strategy for Mobile Device Management?

Though some of this might seem a little bit in-the-weeds, our hope is that it gives you a sense of how comparatively easy Intune and similar MDM systems can make it to manage devices remotely. Before the rise of this kind of technology, it might take the IT department an hour per device to get a new laptop or phone configured and sent to its intended user; with an MDM, you can do it all in a matter of minutes. On top of that, you can avoid data breaches and other security lapses, you can maintain uniformity, and you can improve productivity beyond the walls of the IT department.

All that being said, there is plenty of room for confusion, especially if your team isn't composed of cloud experts. This is where a managed services provider can come in and add a lot of value. A nearshore services provider would be able to offer labor cost savings of up to 30%. On top of that, they'd be able to add even more time savings, since they'd be cloud experts with a specialized knowledge of Intune's various configuration and policy options. In this way, you can reserve your IT resources for more important tasks, and keep your devices safe, secure, and efficient no matter where in the world they are.



Tags: Cloud Migration, MDM


Written by Mark McLoud

I was raised in a rural town in the state of Iowa where I learned the value of hard work. My passion is working hard for my clients and colleagues with enthusiasm, responsiveness, and creativity. As the late, great Vince Lombardi once said, "The harder you work, the harder it is to surrender."
