It has become part of the management culture here at Microsoft (and in many other businesses) to talk about priorities as “big rocks.” In this metaphor, the amount of work that can be produced is represented by a jar. The output of an organization ranges from big rocks to smaller stones, gravel, and sand. If the big rocks aren’t put in the jar first, they won’t fit once the jar has filled with the smaller material—and that’s where the story ends. To have a full jar to offer to end users, there is a lot of other work that needs to be done.
This month I’m highlighting some of the work that goes into Microsoft Intune to improve the security of macOS devices and the productivity of IT professionals managing Android devices.
Certificate management for macOS devices
Digital certificates enable and authenticate secure access to resources, and their types can broadly be described as either user or device. Because of the access they enable, certificates are potential targets for bad actors.
macOS user and device certificates have historically been stored on the device channel, sometimes called the system keychain. This poses a potential security risk, as users need admin rights on a device to access the device channel, and any user of a device could potentially access certificates they should not otherwise be able to see. It also leads to end users being prompted to select from all of the available certificates each time they connect to resources like Wi-Fi or VPN, which eliminates the convenience certificates are meant to provide.
Now, we’re addressing challenges to security and the user experience with an updated policy creation flow that allows the deployment channel to be specified.
In the case of a Wi-Fi certificate, for example, the end user will be prompted to select a certificate once and given the option to remember it going forward, without needing to have admin access.
More details are provided in this documentation. Note that to change the deployment channel for an existing certificate, you must create a new profile.
Enhanced Android inventory catalog for fully managed devices
Hardware inventory capabilities for Windows devices have been broadly enhanced in this month’s release—read more about this “big rock”—and I want to call out an addition to the Android inventory that will help IT professionals to be more productive.
Android devices often require administration of carrier contracts and billing operations. Before this update, Intune did not collect information about the specific subscriber carrier or the Integrated Circuit Card Identifier (ICCID) number associated with the SIM card for these devices. Now, with the November release of Intune, the Hardware tab in the Device monitor blade for a given device will display this information for fully managed or enterprise-dedicated devices, allowing IT professionals to stay within Intune to gather it. There’s a security benefit too: ICCID numbers can be used to configure multifactor authentication (MFA). You can find more details in this documentation.
The “big rock” news
We’re sharing more at Microsoft Ignite 2024. Read about our announcements in our Intune news at Ignite blog and in our companion blogs to go in depth on the latest. Please join our sessions (virtually or in person), and continue to engage with us online at LinkedIn: aka.ms/IntuneLinked and X: x.com/MSIntune.