As you all know, well-managed and secure remote access is a key aspect of Microsoft solutions. As most of us have seen, working remotely has taken on new scale and urgency right now and people across Microsoft have published some great reminders/guidance to help:
As a former IT Pro (and still one at heart), I know that during times of trouble, there is real value in having crisp, concise ‘just tell me what to do’ guidance. In this post, I’ll offer a ‘cut to the chase’ option for Intune that can help enable remote workers on BYO/unmanaged or 3rd party MDM-managed mobile devices with a minimum of impact to your current state.
With any rapid-deploy change, there is heightened worry around the IT version of the Hippocratic Oath - ‘First, do no harm.’ This could be “Don’t blow up my end-user’s experience (nor my Helpdesk)” or, it could be, “Don’t drop my security posture to the floor.”
To that thought, I’m offering a “lighter hand” here - apply Intune MAM policy to Office Mobile Apps if/when they are used to access O365 content - but don't block existing native app access, nor require device enrollment into Intune (think: personal device or existing 3rd party MDM).
Ok, let’s cut to the chase…
Solution: Apply controls to Office Mobile Apps on mobile devices
Now, when licensed Intune users in the targeted group sign in to the Office Mobile Apps with their corporate creds, the MAM policy settings will apply to those apps and the corporate data within them.
For example, they’ll be prompted to set up an application-level PIN and will be blocked from cut/copy/paste of corporate data out of the policy-managed apps.
You can now ‘encourage’ your users to install/use the Office Mobile Apps when accessing O365 and know that the corporate data will be well-protected.
Remember, in this specific case, we’re trying to ‘do no harm,’ so we “encourage” vs “require” …
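To confirm that a deployed policy really enforces the two controls named above (app-level PIN, no cut/copy/paste out of managed apps), the following added example, which is not from the original post, audits an export of app protection policies. It assumes the JSON shape and the property names `pinRequired`, `allowedOutboundClipboardSharingLevel` and `isAssigned` of the Microsoft Graph managed app protection resources; the sample export and policy names are constructed.

```python
import json

# Clipboard levels that keep corporate data inside policy-managed apps.
# "allApps" is the only level that lets data be pasted anywhere.
RESTRICTED_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}


def audit_policy(policy):
    """Return findings for one app protection policy (empty list = OK)."""
    findings = []
    # A missing property is treated as the weak setting, not as compliant.
    if not policy.get("pinRequired", False):
        findings.append("app-level PIN is not required")
    level = policy.get("allowedOutboundClipboardSharingLevel", "allApps")
    if level not in RESTRICTED_CLIPBOARD:
        findings.append(f"clipboard level '{level}' allows paste into unmanaged apps")
    # An unassigned policy protects nobody, however strict its settings are.
    if not policy.get("isAssigned", False):
        findings.append("policy is not assigned to any group")
    return findings


def audit_export(raw_json):
    """Map each policy's displayName to its list of findings."""
    policies = json.loads(raw_json).get("value", [])
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
     "displayName": "Office Mobile - iOS (constructed)",
     "pinRequired": True,
     "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
     "isAssigned": True},
    {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
     "displayName": "Office Mobile - Android (constructed)",
     "pinRequired": False,
     "allowedOutboundClipboardSharingLevel": "allApps",
     "isAssigned": True},
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```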
If you need/want more assistance, you have several options:
Best of luck as we all work through these “highly-uncertain” times!