Jun 21 2017 08:25 AM
My organisation is struggling with figuring out the best way to manage Bluetooth. We want to enable it as it provides such a productivity benefit for our customers, but our security team is not having it.
What is the best way to GRANULARLY manage Bluetooth in the enterprise on a Windows 10 Enterprise laptop? (By granularly, I mean, allow only trusted devices/device types)
Jun 21 2017 08:52 AM
Hi there, thanks for your question!
I've done some digging, and it looks like SCCM only lets you block or allow all Bluetooth connections today. Intune also has additional granularity, with configurability around allowing pre-pairing and discoverability, as well as the ability to set the Bluetooth device name.
I totally realize that these don't yet cover what you are looking for (yet) :)
What kind of granularity do you need around device type? Is it important to be able to specify a specific, unique device BT whitelist?
Jun 21 2017 08:59 AM
Thanks for your response.
As you mentioned, Intune can provide some options with regards to managing Bluetooth, but it seems like a lot to install/configure/sustain *just to manage Bluetooth* on our corporate Windows 10 Enterprise laptops.
Despite advances in Bluetooth revisions, my research showed that Bluetooth LE (Low Energy) devices are still considered insecure. So, I'd like to block all devices of that class. Also, having the option to limit to the make/model of a specific keyboard, mouse, headset, or stylus that our corporation would be issuing would be AMAZING. Then we wouldn't need to worry about vulnerabilities introduced from other devices, and support for the issued devices makes our lives easier.
Right now, without Intune, it's ALL or NOTHING.
Jun 21 2017 11:50 AM
Jun 21 2017 02:39 PM
Jun 26 2017 06:09 AM
@Nathan Mercer Thanks for the replies Nathan!
If I am not mistaken, one would require Intune in order to apply that Bluetooth policy? Our issue is that a single policy requirement doesn't justify the effort to design, configure, deploy and support yet another service (Intune) as we already have an MDM in place.
As for the script, we have already successfully implemented this. It works nicely with 1703. :)