First published on CloudBlogs on Jul 13, 2017

Protecting data at the device and app level with Microsoft Intune

Over the past month, the Enterprise Mobility + Security (EMS) team has been blogging about Microsoft’s broad commitment to making sure our products and services comply with the GDPR and making sure that you – our customers – understand how our technologies can assist you with your GDPR compliance efforts. We’ve outlined the four key steps that we recommend you take to get started:
  1. Discover: Identify what personal data you have and where it resides.
  2. Manage: Govern how personal data is used and accessed.
  3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  4. Report: Execute on data requests, report data breaches, and keep required documentation.
Microsoft Enterprise Mobility + Security delivers multiple capabilities that provide you with crucial advantages in each step. This is the fifth blog in a series about those capabilities. With this blog, we will focus on the capabilities delivered by Microsoft Intune to help you manage the use and access of data and to help in the protection of that data – both key in fulfilling GDPR requirements.

Manage and protect your data with Intune

Organizations that use Intune have access to sophisticated mobile device management, mobile application management, and PC management capabilities from the cloud. These capabilities allow you to provide your users with access to company applications, data, and resources from virtually anywhere on almost any device in a way that helps you to keep company data (including data that may contain personal and sensitive information) secure. These capabilities are critical if you consider how many companies deal with personal and sensitive data as a standard part of doing business. Take, for example, an automaker that maintains a record of every customer who has purchased a car in recent years. The automaker likely does so in files that include customer names, emails, identifier numbers, addresses, credit scores, etc. Employees of the automaker may regularly share personal data like this among themselves as they model future sales figures or try to determine how to build better cars based on customer feedback – and they may be accessing this data on their mobile devices. An organization using Intune can create a secure container for this file with policies that protect company data at the device and app level. That container can be wiped at any moment if necessary. Intune also has tools you can use to inform your end users about terms and conditions and about which data is collected and visible on managed devices. This functionality can help you meet the GDPR expectation that personal data is adequately and appropriately protected, given the circumstances and risks. The ability to control this data is enhanced when you include Azure Information Protection to encrypt the data and Cloud App Security to ensure that it’s stored appropriately in a cloud app. With all this, EMS is well suited to enable the data protection demands of GDPR.

End-user transparency

Before we go into the specifics of how Intune helps you protect company data, it’s worth stating how strongly we believe in end-user empowerment. This is exemplified by the productivity experience we deliver to end users, and includes making sure that end users have full visibility into what data the IT team can access and affect in managed-device scenarios. With Intune, you can provide users with access to your company’s privacy statement, as well as present your own custom terms and conditions to inform them of your data processing activities and data collection. Once these elements of your IT practices are defined, you can embed these notifications into the enrollment process, to inform end users about the implications of their enrollment.

Controlling access and protecting data at the device level

Intune’s mobile device management capabilities and device compliance policies ensure that devices attempting to access your organization’s data or apps (which may contain personal and sensitive information) first meet your team’s security requirements and standards. Administrators can set a number of device compliance policies, such as enforcing device enrollment, requiring domain join, requiring strong passwords, and requiring automatic encryption. These policies may also be set to require that the device operating system (as well as key apps) be current and have the latest updates installed before access is granted. You can use the compliance policy settings in Microsoft Intune to evaluate the compliance of employee devices against a set of rules you create. In cases where devices don't meet the conditions you set up in the policies, Intune can guide the end user through enrolling the device (if it’s not already enrolled) and fixing the compliance issue. To understand how robust these compliance policies are, consider these four ways Intune enforces advanced security policies for mobile devices, apps, and PCs:
  1. Intune delivers comprehensive settings management for mobile devices and PCs – including iOS, Android, Windows, and macOS.
  2. It provides the ability to deny specific applications or URL addresses from being accessed on mobile devices and PCs.
  3. It enables the execution of remote actions, like passcode reset, device lock, and remote wipe.
  4. It enables the enforcement of strict “lock down” policies for supervised iOS devices, Android devices using Kiosk Mode, and Windows 10 devices using Assigned Access.
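To make the compliance-gate idea above concrete, here is an added illustrative example (not Intune’s code or a Microsoft API) that evaluates constructed device records against the same kinds of rules the post lists: enrollment, encryption, a strong password, and a current OS. A device with any failed rule is denied access and receives the remediation steps a user would be guided through. The policy thresholds, platform names, device records, and function names are all assumptions made for this example.

```python
"""Illustrative device compliance evaluator (added example, not Intune's code).

Models the gate the post describes: a device must be enrolled, encrypted,
protected by a strong password, and running a current OS before it may reach
company data. All thresholds and device records below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CompliancePolicy:
    """Rules an admin would define. Values are example placeholders."""
    require_enrollment: bool = True
    require_encryption: bool = True
    min_password_length: int = 8
    # Assumed minimum OS version per platform (constructed, not Intune defaults).
    min_os_version: dict = field(default_factory=lambda: {
        "ios": "10.3",
        "android": "7.0",
        "windows": "10.0.15063",
    })


@dataclass
class DeviceRecord:
    """Posture a device reports at check-in (constructed for this example)."""
    device_id: str
    platform: str
    os_version: str
    enrolled: bool
    encrypted: bool
    password_length: int  # 0 means no device password is set


# User-facing guidance for each failed rule, mirroring the remediation flow.
REMEDIATION = {
    "not_enrolled": "Enroll the device in management.",
    "not_encrypted": "Turn on device encryption.",
    "weak_password": "Set a device password of the required length.",
    "os_out_of_date": "Install the latest OS update.",
    "unsupported_platform": "This platform is not permitted.",
}


def version_tuple(version: str) -> tuple:
    """Split '10.0.15063' into (10, 0, 15063) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric comparison; pads so '10.3' compares equal to '10.3.0'."""
    a, m = version_tuple(actual), version_tuple(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate(device: DeviceRecord, policy: CompliancePolicy) -> list:
    """Return the names of failed rules; an empty list means compliant."""
    failures = []
    if policy.require_enrollment and not device.enrolled:
        failures.append("not_enrolled")
    if policy.require_encryption and not device.encrypted:
        failures.append("not_encrypted")
    if device.password_length < policy.min_password_length:
        failures.append("weak_password")
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        failures.append("unsupported_platform")
    elif not version_at_least(device.os_version, minimum):
        failures.append("os_out_of_date")
    return failures


def access_decision(device: DeviceRecord, policy: CompliancePolicy) -> dict:
    """Grant access only when every rule passes; otherwise list what to fix."""
    failures = evaluate(device, policy)
    return {
        "device_id": device.device_id,
        "access_granted": not failures,
        "failures": failures,
        "remediation": [REMEDIATION[f] for f in failures],
    }


def compliance_report(devices: list, policy: CompliancePolicy) -> dict:
    """Map each device id to its access decision."""
    return {d.device_id: access_decision(d, policy) for d in devices}


# Constructed sample fleet: one compliant device and two that need remediation.
SAMPLE_FLEET = [
    DeviceRecord("ios-001", "ios", "11.0", enrolled=True, encrypted=True, password_length=8),
    DeviceRecord("and-002", "android", "7.0", enrolled=False, encrypted=True, password_length=6),
    DeviceRecord("win-003", "windows", "10.0.14393", enrolled=True, encrypted=True, password_length=12),
]

if __name__ == "__main__":
    for decision in compliance_report(SAMPLE_FLEET, CompliancePolicy()).values():
        status = "GRANT" if decision["access_granted"] else "DENY"
        print(status, decision["device_id"], decision["failures"], decision["remediation"])
```

The evaluator deliberately reports every failed rule rather than stopping at the first, so the user sees the full set of fixes in one pass; the version comparison is numeric so that a build such as 10.0.14393 is correctly judged older than 10.0.15063, which a plain string comparison would also get right here but fails for cases like "9.1" versus "10.0".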

App protection policies give you granular control of what happens after data is accessed

Once mobile apps are granted access to company data, it’s critical to control what happens after the data is accessed. This is where Intune’s mobile application management capabilities and app protection policies have an impact. These policies can protect the data at the app level (which includes app-level authentication) as well as provide copy/paste control and save-as control. Intune’s application policies give you fine-grained control of what your users can do with the data they access in apps – and this gives you extraordinary power to secure your data. Also, because Intune leverages the user’s identity in its approach, it can enable multi-identity usage of apps – e.g., where app policies are intelligent enough to only apply to data that’s applicable to corporate accounts. It’s also important to note that Intune’s application management capabilities enable granular control of the data within Microsoft Office mobile apps on iOS and Android devices, and it helps enforce conditional access policies to Exchange Online, Exchange on-premises, SharePoint Online, and Skype for Business.
Six key ways Intune supports your GDPR compliance:
  1. You can enable your employees to securely access company information using mobile apps, as well as ensure that your data remains protected after it’s been accessed via restrictions on actions like copy/cut/paste/save-as.
  2. You can apply app protection policies to protect data with or without device enrollment. This allows you to protect company information even on unmanaged devices.
  3. Intune applies mobile application management policies to your existing line-of-business (LOB) applications using the Intune App Wrapping Tool without making code changes.
  4. It enables users to securely view content on devices within your managed app ecosystem using the Managed Browser and Azure Information Protection Viewer.
  5. You can encrypt company data within apps using the highest level of device encryption provided by iOS and Android.
  6. It allows you to protect your company data by enforcing PIN or credential policies.
With Intune, you can also selectively remove company data (apps, email, data, management policies, networking profiles, and more) from user devices and apps while leaving personal data intact. Intune’s Mobile Device Management and Mobile App Management capabilities help you protect access to data that may be considered personal or sensitive as defined by the GDPR, and they ensure that your data remains protected even after it’s been accessed by users. GDPR is great news for people demanding more digital privacy, and Intune as part of EMS is a great tool for organizations adjusting the way they gather, use, and protect data.