Security, Compliance, and Identity Blog
Controlling the Uncontrollable, Component 3:  Device Configuration Policies

Brad Anderson
Sep 08, 2018
First published on CloudBlogs on Mar 04, 2016


The concept of applying policy to devices is not new or exciting; in fact, you've probably been using Group Policy or ConfigMgr to do this for your PCs for years. The fact of the matter is that the type of control you're accustomed to with PCs must be applied to your mobile OSes too if you expect to adequately protect the e-mail on your workforce's devices. This means you'll need to have policy applied to both corporate-owned and personally owned devices. For those personally owned devices, there is obviously another sensitive element to consider, because the owners of those devices will need to approve the settings your policy dictates. In the video below we'll explore how to troubleshoot these challenges.

For each of these challenges, Microsoft Intune has an enterprise-grade solution. Intune provides IT with access to policy settings that can execute across a broad range of important functions, e.g. configuring device settings, configuring certificate enrollment, and providing access to company resources (like VPN or WiFi configurations). There are a lot of available settings for you to use, but in this series I'll focus on the ones that are relevant to protecting e-mail (which, in the case of enrolled devices, likely means protecting the device, too).

Device configuration policy is currently only available for devices that are enrolled into Intune for management. Check out the previous post for information about how to set up policy for MAM-without-enrollment apps via application managed policy.

The features offered here by Intune are incredibly impressive. The general device policy configuration includes the ability to set the following:
  • Device-level encryption.
  • Password characteristics such as complexity, reuse, length and fingerprint use; of note is that we recently introduced the ability to allow Smart Lock on Android.
  • Screen captures and logging.
  • Cloud backups.
  • Whether pop-up blockers are allowed in web browsers.
  • Whether or not app stores are allowed and, if so, whether a password is required to access them.
  • Whether or not games or entertainment apps are allowed on the device.
  • Permissions for specific hardware features like WiFi, Bluetooth, and WiFi tethering.
  • Whether cellular functions like data and voice roaming are allowed.
  • Whether specified apps are allowed or not.
  • Device-specific settings, like specifying an app to run on a device in "kiosk" mode.
This list covers just a handful of what's available, and it does vary a bit based on the platform. A key thing to remember when designing a policy configuration is the need to plan for a balance between protecting your organization and making things usable for the workforce. With so many work devices being BYO, IT has to very carefully consider the restrictions they choose to put in place.

With e-mail being such a critical workload for any organization, one of the most crucial decisions you'll make is how you'll configure e-mail profiles on mobile devices. I've seen an overwhelming amount of evidence indicating that the most efficient, effective, and secure way to run an organization's e-mail is with Outlook. If you choose another e-mail client, however, Intune can still provide you with control and security.

One great example of this is the e-mail policy on iOS and Samsung KNOX. In this setup, you can configure the e-mail settings for users such that, after the device has been enrolled, e-mail will be automatically configured on that device. This can be especially useful, since it's not helpful to have your users worrying about the complexities of mail server hostnames and authentication methods. There are a lot of cases, however, of users manually adding themselves to mail servers. In these cases, you can use Conditional Access to require the user to remove a manually added account and allow MDM to provision the account for them. I'll cover Conditional Access in the next post in this series.

I think it's also really important, at this point in the discussion, to note the things that MDM does (and does not) do. First and foremost: MDM does not violate the privacy of the personal data on a user's device. This issue has been forced to the forefront of the news lately with the Apple vs. FBI story we have all read so much about.
In a keynote earlier this week, Brad Smith (Microsoft's Chief Legal Officer) spoke at length about Microsoft's perspective on Apple's position, and our own views about the privacy of devices and the data on those devices. In particular, he articulates how we at Microsoft place a preeminent value on the trust of our users, and how this value affects the decisions we make when approached by governments that are in search of information. I really recommend you take the time to check it out.

One final note: besides being used to control what a user can do on a device, you can also use device policy to enable resource access, e.g. e-mail, WiFi, and VPN profiles that will make BYO enrollment easier for your users.
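As an added illustration that is not part of the original post, the following hypothetical Python model evaluates a device's reported state against a configuration policy built from the settings listed above, and makes the Conditional Access style decision described for manually added mail accounts. All class and field names are constructed for this example and do not correspond to Intune's schema or API.

```python
from dataclasses import dataclass

# Constructed model of a device configuration policy covering the settings
# discussed above. Hypothetical illustration, not Intune's schema or API.
@dataclass
class DevicePolicy:
    require_encryption: bool = True
    password_min_length: int = 6
    password_require_complex: bool = True   # letters plus digits or symbols
    password_history: int = 5               # old passwords that may not be reused
    block_screen_capture: bool = True
    block_cloud_backup: bool = True
    require_mdm_provisioned_mail: bool = True  # no manually added mail accounts

@dataclass
class DeviceState:
    encrypted: bool
    password_length: int
    password_is_complex: bool
    password_history_kept: int
    screen_capture_enabled: bool
    cloud_backup_enabled: bool
    mail_accounts: list  # each {"address": str, "provisioned_by": "mdm" | "user"}

def evaluate(policy: DevicePolicy, device: DeviceState) -> list:
    """Return the policy violations for a device; an empty list means compliant."""
    v = []
    if policy.require_encryption and not device.encrypted:
        v.append("device storage not encrypted")
    if device.password_length < policy.password_min_length:
        v.append(f"password length {device.password_length} below {policy.password_min_length}")
    if policy.password_require_complex and not device.password_is_complex:
        v.append("password not complex")
    if device.password_history_kept < policy.password_history:
        v.append("password reuse history too short")
    if policy.block_screen_capture and device.screen_capture_enabled:
        v.append("screen capture enabled")
    if policy.block_cloud_backup and device.cloud_backup_enabled:
        v.append("cloud backup enabled")
    if policy.require_mdm_provisioned_mail:
        # The user must remove a hand-added account so MDM can provision it instead.
        for acct in device.mail_accounts:
            if acct["provisioned_by"] != "mdm":
                v.append(f"manually added mail account {acct['address']}")
    return v

def mail_access_allowed(policy: DevicePolicy, device: DeviceState) -> bool:
    # Conditional Access style decision: only a compliant device gets mail.
    return not evaluate(policy, device)
```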
