Device Management & Conditional Access: Lockdown edition
Now that the initial dust has settled, and everyone is familiarising themselves with lockdown life, I thought I’d take the opportunity to give an example of one of the scenarios we have been dealing with over the last few weeks. I have a feeling that many of you reading this have probably been through the same or similar recently.
When I’m not solving help desk tickets and supporting our customers, I’m learning how to utilise and implement technologies and services that Microsoft provides. My mentor, Mark Ison, shares and helps me learn the areas he is specialised in. In this case it’s Device Management and Conditional Access (CA), which I’ve briefly touched on before.
What’s the situation?
The customer is a small to medium business with roughly 80% of staff being office based. As these are worker types that have not previously had the need to work from home, they use desktops. Their first instinct was to contact suppliers to get some laptops ordered ASAP. Unfortunately, it seems everyone else in the country had the same idea, meaning commercial stocks were practically sold out. On top of all this was the incredibly short time frame we were working to, which was days rather than weeks.
Luckily, this is a fairly new organisation that has the benefit of being cloud first, using only Azure AD and Office 365. No on-premises servers or VPNs needed here. They were already set up for device management via Intune and used Multi-Factor Authentication (MFA), along with Conditional Access, to secure their authentication. All their data was stored within Office 365 using SharePoint and OneDrive, and their phone system was using a softphone client installed on the computer.
What were the options?
After realising that a mass laptop deployment was not going to be possible, we were approached to discuss other options. Considerations included:
- Implementing Windows Virtual Desktop
- Creating an RDS environment in Azure
- Allowing personal computers to connect to the VPN so the user could RDP to their local desktop
- Opening Conditional Access to allow personal computers to use O365 services
What did we decide to do?
The short time period we had to find the solution meant that we had to take a slightly unconventional route. We suggested that every employee take their desktop home with them. I know that sounds a bit much perhaps, but bear with me here.
As the customer was already set up for CA and device management, the decision to allow employees to take their desktops home was the fastest, most reliable option for us to recommend under the circumstances. This would be the key method for users working remotely.
As a fallback, we had a number of additional options for rules around App Protection on iOS and Android devices in case someone couldn’t take their desktop home, or people wanted to work using their personal mobile or tablet. App protection lets you keep company data secure even when a device isn’t managed by the company, so perfect for this use case.
Of course, there were still some hurdles to overcome. We had to modify CA rules to allow for Intune managed, compliant devices (previously only Azure AD joined devices were trusted). We also had to purchase a large number of USB wireless adapters for the desktops, and we had to make sure every user was set up correctly with MFA. Lucky for us, the adapters were in stock.
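To make the Conditional Access change above concrete (trusting Intune-compliant devices rather than only joined devices, plus the App Protection fallback for iOS and Android), here is an added example that models how CA grant controls decide a sign-in. This is not code from the original post or from Microsoft: the policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions.platforms, grantControls.operator, grantControls.builtInControls), but the policy names, the sign-in scenarios, and the use of the domainJoinedDevice control as a stand-in for the customer's earlier "joined device only" rule are all assumptions made for illustration.

```python
"""
Added example, not code from the original post or from Microsoft: a minimal
model of how Azure AD Conditional Access grant controls decide a sign-in.
Policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy
resource; the policy names and sign-in scenarios are constructed.
"""

# Maps each Graph built-in grant control to the sign-in property that satisfies it.
# The sign-in dict keys are constructed for this model, not Graph field names.
CONTROL_CHECKS = {
    "mfa": lambda s: s["mfa_satisfied"],
    "compliantDevice": lambda s: s["device_compliant"],          # Intune reports the device compliant
    "domainJoinedDevice": lambda s: s["device_trusted_join"],    # assumed stand-in for the old joined-device trust
    "approvedApplication": lambda s: s["client_app_approved"],   # mobile app under an App Protection policy
}

def policy(name, platforms, operator, controls):
    """Build a policy dict in the (abbreviated) Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {"platforms": {"includePlatforms": platforms}},
        "grantControls": {"operator": operator, "builtInControls": controls},
    }

# "Before": MFA everywhere, and only a trusted joined device gets in at all.
MFA_EVERYWHERE = policy("Require MFA", ["all"], "OR", ["mfa"])
TRUSTED_JOIN_ONLY = policy("Require trusted joined device", ["all"], "OR", ["domainJoinedDevice"])
BEFORE = [MFA_EVERYWHERE, TRUSTED_JOIN_ONLY]

# "After": desktops get in when joined OR Intune-compliant; iOS/Android get in when
# compliant OR using an approved app protected by App Protection (the fallback).
MANAGED_DESKTOP = policy("Managed desktops: require Intune-compliant device",
                         ["windows", "macOS"], "OR", ["domainJoinedDevice", "compliantDevice"])
MOBILE_APP_PROTECTION = policy("Mobile: require compliant device or approved app",
                               ["iOS", "android"], "OR", ["compliantDevice", "approvedApplication"])
AFTER = [MFA_EVERYWHERE, MANAGED_DESKTOP, MOBILE_APP_PROTECTION]

def policy_applies(pol, signin):
    """A policy is in scope when its platform condition matches the sign-in."""
    platforms = pol["conditions"]["platforms"]["includePlatforms"]
    return "all" in platforms or signin["platform"] in platforms

def grant_satisfied(pol, signin):
    """AND requires every listed control; OR requires at least one of them."""
    grant = pol["grantControls"]
    results = [CONTROL_CHECKS[c](signin) for c in grant["builtInControls"]]
    return all(results) if grant["operator"] == "AND" else any(results)

def evaluate(policies, signin):
    """Return (allowed, names of in-scope policies whose grant controls were not met).
    Conditional Access blocks the sign-in if any in-scope policy is unsatisfied."""
    failed = [p["displayName"] for p in policies
              if policy_applies(p, signin) and not grant_satisfied(p, signin)]
    return (not failed, failed)

# Constructed sign-in scenarios from the post: the office desktop taken home (Azure AD
# joined and Intune-compliant, but not a hybrid/trusted join), a personal phone running
# Outlook under App Protection, and a personal laptop with no management at all.
DESKTOP_AT_HOME = {"platform": "windows", "mfa_satisfied": True, "device_compliant": True,
                   "device_trusted_join": False, "client_app_approved": False}
PERSONAL_PHONE = {"platform": "android", "mfa_satisfied": True, "device_compliant": False,
                  "device_trusted_join": False, "client_app_approved": True}
PERSONAL_LAPTOP = {"platform": "windows", "mfa_satisfied": True, "device_compliant": False,
                   "device_trusted_join": False, "client_app_approved": False}

if __name__ == "__main__":
    scenarios = [("desktop at home", DESKTOP_AT_HOME), ("personal phone", PERSONAL_PHONE),
                 ("personal laptop", PERSONAL_LAPTOP)]
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        for name, signin in scenarios:
            allowed, failed = evaluate(policies, signin)
            print(f"{label:6} {name:16} -> {'ALLOW' if allowed else 'BLOCK'} {failed}")
```

The point the model makes: under the old rule set, the desktop taken home is blocked even though Intune reports it compliant and the user passed MFA, because the only device control it can satisfy is one it does not have; adding compliantDevice as an alternative control lets it through, while an unmanaged personal laptop still fails the desktop policy. The mobile fallback is a separate policy scoped to iOS and Android, so a personal phone only gets in through an approved app under App Protection, and MFA remains a standalone policy that every sign-in must pass.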