Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
The following Services can be delivered in this Service Pack. For sake of Simplicity, we are classifying the devices into 4 Categories:
1. Company Owned Computer
Standardize Corporate WallPaper
Install Office Apps on enrolled Windows 10 devices
Corporate Data can be accessed only using Compliant devices
Only IT person can enroll devices
Wipe all Data . Used either when Employee leaves the Company or device is lost
Block USB Storage devices
Remote Lock of Corporate Devices.
Allow employees to securely access Microsoft 365 from Public WiFi and Kiosks. In this case one can limit the usage only to devices managed by the Organization. This ensures that users do not leave corporate data on untrusted computer.
In addition to the above, we can ensure additional Data Security by deploying Windows Information Protection. These can be summarized below:
If you download file from SharePoint and OneDrive it will be downloaded as corporate file
Access data only using managed apps
when corporate file is copied to USB drive it will copy as work document only and can accessed by corporate people. If USB drive lost still, we don’t worry about our data.
Employees won’t be able to sync encrypted files to their personal cloud storage like personal OneDrive or Dropbox.
Employees cannot attach Work Documents to their personal Email like Gmail.
Copy paste block from corporate owned file to personal file.
Selective wipe removes this corporate owned downloaded data from device.
We can copy a work content to new file, but the file will save as work document only.
2. Employee-owned Computers
Data and app access are only on browser
Email attachments cannot be downloaded. View only.
In addition to the above, we can ensure additional Data Security by deploying Windows Information Protection. These can be summarized below:
If you download file from SharePoint and OneDrive it will be downloaded as corporate file
Access data only using managed apps
when corporate file is copied to USB drive it will copy as work document only and can accessed by corporate people. If USB drive lost still, we don’t worry about our data.
Employees won’t be able to sync encrypted files to their personal cloud storage like personal OneDrive or Dropbox.
Employees cannot attach Work Documents to their personal Email like Gmail.
Copy paste block from corporate owned file to personal file.
Selective wipe removes this corporate owned downloaded data from device.
We can copy a work content to new file, but the file will save as work document only.
3. Company owned Mobiles and Tablets:
Only fully compliant devices can access Corporate Data. Using Conditional access, Companies can ensure that no users, apps, or devices can access Microsoft 365 data unless they meet your company’s compliance requirements (performed multi-factor authentication, enrolled with Intune, using managed app, supported OS version, device pin, low user risk profile, etc.)
See the devices enrolled and get an inventory of devices accessing organization resources.
Configure devices so they meet your security and health standards. For example, you can block jailbroken devices.
Push certificates to devices so users can easily access your Wi-Fi network or use a VPN to connect to your network.
Protect data through restricting the copy/ paste of corporate data within Office 365 apps only in Mobile.
Block the printing of corporate data. (App protection)
Block taking screenshot of corporate data (App protection)
Remove company data from an employee’s device while leaving their personal data in place. (Retire)
Ensure Corporate data is saved only to One Drive and SharePoint on Mobiles
Block USB device on managed systems. (Device restriction)
Wipe Corporate Data from system if it gets lost
Remote Lock of Corporate Devices
Manage Corporate owned Mobiles. Intune helps in provisioning of corporate devices in an automated fashion. As soon as employee powers on the device , they are walked through a corporate branded setup flow where they must authenticate themselves. The device is then seamlessly setup with all security policies. Then the employee launches the Intune Company portal app to access the corporate apps available to them.
Allow employees to securely access Microsoft 365 from Public WiFi and Kiosks. In this case one can limit the usage only to devices managed by the Organization. This ensures that users do not leave corporate data on untrusted computer.
See reports on users and devices that are compliant, and not compliant.
4. Employee-owned Mobiles and Tablets:
Protect data through restricting the copy/ paste of corporate data within Office 365 apps only in Mobile.
Use app protection policies that require multi-factor authentication (MFA) to use the apps like Outlook, Teams, etc.
Lock down Exchange Online so that it can be used only by Outlook Mobile.
Block the printing of corporate data. (App protection)
Block taking screenshot of corporate data (App protection)
Remove company data from an employee’s device while leaving their personal data in place. (Retire)
Ensure Corporate data is saved only to One Drive and SharePoint on Mobiles
Block USB device on managed systems. (Device restriction)
Wipe Corporate Data from system if it gets lost.
