Forum Discussion
Removing Administrator Privileges from End Users
Dear all,
My organization currently has a large number of devices that authenticate with Azure AD. At the moment, every workstation user has local Windows administrator rights.
What would be the most efficient and correct way to centralize these permissions in the administration account, removing them from the end users?
Thank you very much.
2 Replies
Hello Concern,
Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune is included in Microsoft’s Enterprise Mobility + Security (EMS) suite and enables users to be productive while keeping your organization's data protected. This applies no matter what device your employee is working from and no matter where they’re working from, too.
- Device Management
- Application Management
- Compliance and Conditional Access
- Solve Common Business Problems Intune Solves
- Define Your Own App Protection Policies
- Remotely Managed Devices
- Reports and System Logs
- Task Creation and Management
- Deploy Software and Updates
- Centralized Control Portal
- View Hardware Configurations
- And more.
- Command0rIron Contributor
NicolasFernandezSanz, I think the quickest way would be exploring whatever you already have at your disposal. Microsoft MDM (mobile device management) is the option we're using now for the exact same purpose and it works well. You can read more about it at https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune, but from a high-level perspective, it solves the problem you mentioned and a lot more, like:
- Data encryption enforcement
- Remote data wiping
- Device tracking
- App distribution/updates control/app installation policies
- Password policy enforcement
- Device inventory
- Location services
- Controlling personal devices used for work purposes (BYOD)
- Allowing data access from the Intune-controlled devices only
- Etc.
To enable Intune, you would need to purchase the licenses for every user (in O365). Enterprise Mobility + Security E3 is the cheapest and in my opinion, you won't need more (unless you already use some other O365 service and for cost optimization, you may want to consider some other packages).
Once the users are already part of O365 (and, subsequently, AD), the enrollment is quite straightforward. Device enrollment for Windows 10 is well described at https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device (at the same time, the other platforms, like Mac OSX, are also supported).
Please let me know if you have any follow-up questions and I'd be happy to answer them. If the answer helps, please kindly like it and mark it as an 'answer'.