Device Management & Conditional Access: Lockdown edition
Now that the initial dust has settled, and everyone is familiarising themselves with lockdown life, I thought I’d take the opportunity to give an example of one of the scenarios we have been dealing with over the last few weeks. I have a feeling that many of you reading this have probably been through the same or similar recently.
When I’m not solving help desk tickets and supporting our customers, I’m learning how to utilise and implement technologies and services that Microsoft provides. My mentor, Mark Ison, shares and helps me learn the areas he is specialised in. In this case it’s Device Management and Conditional Access (CA), which I’ve briefly touched on before.
What’s the situation?
The customer is a small to medium business with roughly 80% of staff being office based. As these are roles that have not previously needed to work from home, the staff use desktops. Their first instinct was to contact suppliers to get some laptops ordered ASAP. Unfortunately, it seems everyone else in the country had the same idea, meaning commercial stocks were practically sold out. On top of all this was the incredibly short time frame we were working to, which was days rather than weeks.
Luckily, this is a fairly new organisation that has the benefit of being cloud first using only Azure AD and Office 365. No on-premises servers or VPNs needed here. They were already set up for device management via Intune and used Multi Factor Authentication (MFA), along with Conditional access to secure their authentication. All their data was stored within Office 365 using SharePoint and OneDrive and their phone system was using a Softphone client installed on the computer.
What were the options?
After realising that a mass laptop deployment was not going to be possible, we were approached to discuss other options. Considerations included:
- Implementing Windows Virtual Desktop
- Creating an RDS environment in Azure
- Allowing personal computers to connect to the VPN so the user could RDP to their local desktop
- Opening Conditional Access to allow personal computers to use O365 services
What did we decide to do?
The short time period we had to find the solution meant that we had to take a slightly unconventional route. We suggested that every employee take their desktop home with them. I know that sounds a bit much perhaps, but bear with me here.
As the customer was already set up for CA and device management, the decision to allow employees to take their desktops home was the fastest, most reliable option for us to recommend under the circumstances. This would be the key method for users working remotely.
As a fallback, we had a number of additional options for rules around App Protection on iOS and Android devices in case someone couldn’t take their desktop home, or people wanted to work using their personal mobile or tablet. App protection lets you keep company data secure even when a device isn’t managed by the company, so perfect for this use case.
Of course, there were still some hurdles to overcome. We had to modify CA rules to allow for Intune managed, compliant devices (previously only Azure AD joined devices were trusted). We also had to purchase a large number of USB wireless adapters for the desktops, and we had to make sure every user was set up correctly with MFA. Lucky for us the adapters were in stock 😊
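To show what a CA rule of this shape looks like when scripted, here is an added example (not the customer's actual policy or the post's own code) that creates a Conditional Access policy through Microsoft Graph using the Microsoft.Graph PowerShell module. It grants access to Office 365 from devices Intune marks as compliant or, on phones, from apps covered by an app protection policy; the excluded break-glass account ID is a placeholder, and the policy is created in report-only mode so the sign-in logs show its effect before anything is enforced.

```powershell
# Added example, not the original post's configuration.
# Requires the Microsoft.Graph module and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require compliant device or protected app for Office 365"
    # Report-only first: evaluated against real sign-ins, blocks nobody yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder object ID of a break-glass account, excluded so a
            # mis-scoped policy cannot lock the administrators out.
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows", "iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: an Intune-compliant desktop passes on its own; a personal phone
        # passes only when the app is under an Intune app protection policy.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy

"Created policy $($created.id) in state $($created.state)"
```

Once the report-only results in the sign-in logs look right, change state to "enabled" with a PATCH to the same policy.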
The age of home working
CA and device management are often talked about together for a good reason. They complement each other to provide a robust, multi-layered level of access control and management. In our customer’s case, we only needed a few minor tweaks and a WiFi dongle to get everyone working from home.
CA ensures that only trusted people on trusted devices at trusted locations can access your services and data.
Intune-protected apps let us prevent documents being copied to personal areas and data from being copied and pasted between applications on mobiles. You can see an overview of the apps Intune can protect here. One of the best features of App Protection with Intune is that there is no need for the user to enrol their device if they don’t want to. As soon as the user logs in to the app with their corporate credentials, protection policies will be applied.
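As an added example (not the post's own policy), the following creates the kind of iOS app protection policy described above through Microsoft Graph: data and clipboard transfer are restricted to managed apps, "Save as" to personal locations is blocked, and the app data is wiped after a period offline, with no device enrolment involved. The policy is then targeted at Outlook for iOS via the targetApps action; the settings values are illustrative choices, not the customer's.

```powershell
# Added example, not the original post's configuration.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$appProtection = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS - Office apps on personal devices"
    # Only other Intune-protected apps may send, receive or paste corporate data.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedApps"
    saveAsBlocked      = $true   # no "Save as" to personal storage
    dataBackupBlocked  = $true   # keep corporate data out of iCloud backup
    contactSyncBlocked = $true
    printBlocked       = $true
    pinRequired        = $true   # app PIN, independent of the device passcode
    minimumPinLength   = 6
    # Re-check access every 30 min online / 12 h offline; wipe app data
    # (not the phone) after 3 days without contacting the service.
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P3D"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body $appProtection

# Scope the policy to Outlook for iOS by its bundle ID.
$targets = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Outlook"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body $targets

"Created app protection policy $($created.id)"
```

The policy applies to nobody until it is assigned to a user group (the assign action on the same resource), so check that step before treating personal phones as covered.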
Now we understand that in any other scenario or time in our history, there is far more that we could have done. But that wasn’t the aim of the project. It was to get users working remotely as quickly as possible. Without Intune and CA, even this most simple of solutions wouldn’t have been possible without major security concerns, if at all.
Have you answered all your remote working needs?
If you are still trying to enable and empower your organisation to continue working effectively and safely while remote, please join Mark Ison and myself for a webinar on the 21st of April.
During the session we will be discussing some of the latest improvements to both Intune and Conditional Access. In the meantime, it would be worth looking through some of our older blogs in relation to Intune, CA and any other relevant topics.
If you need help and would like to have a chat about how Silversands might be able to help you, please complete the form below: