Ensure personal iOS, Android, and Windows devices are configured for security and productivity
Today, as part of our Enabling Remote Work for IT Pros web series, we're showing you the various options you can use to configure personal devices to ensure the security of your corporate data. We walk through the questions to consider when evaluating the different models for iOS, Android, and personal Windows devices, such as App Protection Policies without enrollment, iOS User Enrollment, and Android Enterprise work profiles. Extensive resources are provided below; they are discussed throughout the presentation.
Learn more
Here are links to the resources mentioned in this session:
- Deprecation of Device Admin Android management
- Create and manage Intune enrollment restrictions
- Assign licenses to users to enable Intune enrollment
- Compare Windows 10 Home and Windows 10 Pro
- Configuration Service Provider (CSP) support matrix
Here are the links to the resources mentioned in the detailed resources portion of the session, by solution:
Application Protection Policy (APP)
- App Protection Policy overview
- Create and assign App Protection Policies (APP)
- Monitor app protection user status
- QuickStart: Create and assign an app protection policy
- Protect Exchange Online email on unmanaged devices
iOS User Enrollment
- Set up iOS/iPadOS User Enrollment
- Get an Apple MDM push certificate
- Create Managed Apple IDs in Apple Business Manager
Android Enterprise Work Profile
- Connect your Intune account to your Managed Google Play account
- Set up enrollment of Android Enterprise work profile devices
- Manage Android work profile devices with Intune
- Enroll your device with Android work profile
Conditional Access
- What is Conditional Access?
- Azure AD Conditional Access documentation
- How to plan your Conditional Access
- Conditional Access: Session Controls
- Building a Conditional Access Policy
- Best Practices
- Require MFA Conditional Access Policy
Microsoft Cloud App Security
- Microsoft Cloud App Security documentation
- What is Cloud App Security?
- MCAS Data Protection Policies
Information Protection
Windows Virtual Desktop
- Required reading: Getting started with Windows Virtual Desktop
- PG Sessions and Summary Guidance
- YouTube sessions
- Azure Windows Virtual Desktop Public Preview Walkthrough
- Online tutorials
Windows 10 Virtual Desktop Integration (VDI)
- VDI Recommendations
- Optimization scripts from the field are open source on GitHub and have also been updated for 1909
Windows Information Protection (WIP)
- WIP Overview and documentation
- WIP and Intune App Protection Policy Creation and Management
- EnterpriseDataProtection CSP
- Azure Active Directory (Azure AD) Premium license (required for MAM or WIP auto-recovery)
- Enlightened Microsoft apps for use with WIP
- BitLocker CSP
While not mentioned specifically in this session, here are some additional resources you might find helpful:
- Microsoft COVID-19 response site
- Enabling Remote Work
- Microsoft Endpoint Manager remote work blog
- Work remotely, stay secure
- 2 weeks in: what we've learned about remote work
- Secure remote access to on-premises apps
- Frequent questions about using Conditional Access to secure remote access
Frequently asked questions
Q: For app protection on iOS, do you still need the intuneMAMUPN attribute in the application configuration for each app, to identify an application on a fully managed device?
A: Yes, that is the hint to the SDK that it is an MDM managed app. For more details, see How to manage data transfer between iOS apps in Microsoft Intune.
Q: For Android Enterprise devices in COBO, we are trying to launch OneDrive for our mobile users. Inside the App Configuration Policy for managed devices, I only see the “configuration key” for allowed accounts. Is there additional documentation with more JSON keys so that we can automatically configure the app for the user?
A: Managed Configuration (App Configuration) in Android Enterprise is pulled from Managed Google Play directly, so if the key is there, we’ll pull it directly. That being said, the key is IntuneMamAllowedAccountsOnly because it is the same key across all apps for the Intune SDK to find it. Here is the iOS documentation and here is the Android documentation. These docs also list the applications that support single account mode (require both the Intune SDK to be integrated and in-app logic by developers to support this mode).
Q: Does the application protection policy work based on source only? For example, I have a Word document saved in SharePoint, so the policy applies there. Now let’s say I have the file inside my external hard disk as well, does the policy apply there too? Does the policy apply to both external and non-cloud sources?
A: The policy is targeted based on the application and the identity signed into that app. This is about protecting the app. If you need the data wherever it resides, then that is a function of Microsoft Information Protection. Assigning MIP labels would protect the data itself, regardless of location.
Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!