Microsoft Endpoint Manager Multi-Platform Compliance Security Misses

I would argue that the strength of Microsoft Endpoint Manager (previously Intune) is its multi-platform capabilities. With one enterprise mobility management solution, you can manage and secure Windows, Android Enterprise, Android legacy, iOS/iPadOS and macOS. This can save you money, frustration and the need to know multiple tools for mobile device management. That’s great!

But this multi-platform strength can also leave holes in your device management configuration and decrease your security posture. By default, MEM allows enrollment of all platforms, on both org-owned devices and personally owned devices. This might be fine if you want to support all scenarios, but when I look at compliance policies and configuration profiles in customer tenants out there, the picture isn’t complete. If you’re going to allow a platform, you had better secure it.

For example, many customers allow Mac device enrollment just because it is enabled by default. But they haven’t created any policies or profiles to set a good security level on the Mac devices. This means that any user can enroll a Mac, bought from anywhere, but no security configuration will be pushed to the device at all. This can be very bad!

So, first of all, make sure you block the platforms and scenarios your org doesn’t support by using Enrollment Restrictions. Only allow the platforms you know and manage.

Enrollment Restrictions:

[Screenshot: Enrollment Restrictions]

Once you have blocked unsupported scenarios, you should create compliance policies for your supported platforms. I actually create compliance policies for blocked platforms as well, so I have them for future use. This is also something you get scored on in Microsoft Secure Score under the Device category, so it’s something Microsoft recommends.

Compliance policies for all platforms:

[Screenshot: compliance policies for all platforms]

If you don’t have any special scoping requirements, make sure you assign all compliance policies to All users. Also make sure you set devices without a compliance policy to Not compliant.

[Screenshot: compliance policy assignment and the “devices with no compliance policy assigned” setting]

Finally, you should use Conditional Access to block devices not complying with your MEM compliance policies. This makes sure only secured devices can access org data. If you play it right, you can be sure that only secured devices have access.
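The four steps above (block unsupported platforms, give every allowed platform a compliance policy, assign those policies to All users with unassigned devices marked Not compliant, and gate access with Conditional Access) are all checkable from data you can export from Microsoft Graph. The script below is an added example, not code from the original post or from Microsoft: it audits JSON documents shaped like the Graph responses for `deviceEnrollmentConfigurations`, `deviceCompliancePolicies?$expand=assignments`, `deviceManagement/settings` (whose `secureByDefault` flag is the “devices with no compliance policy assigned” setting) and `conditionalAccess/policies`, and reports each gap. The property and `@odata.type` names are my reading of the Graph schema and should be treated as assumptions; the tenant data is constructed for illustration, so export your own tenant’s data to run it for real.

```python
import copy

# Enrollment-restriction keys mapped to the compliance-policy @odata.type that
# covers the same platform. Assumption: Graph type names as documented by Microsoft.
PLATFORMS = {
    "windowsRestriction": "#microsoft.graph.windows10CompliancePolicy",
    "macOSRestriction": "#microsoft.graph.macOSCompliancePolicy",
    "iosRestriction": "#microsoft.graph.iosCompliancePolicy",
    "androidRestriction": "#microsoft.graph.androidCompliancePolicy",
    "androidForWorkRestriction": "#microsoft.graph.androidWorkProfileCompliancePolicy",
}
RESTRICTIONS_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
ALL_USERS_TARGET = "#microsoft.graph.allLicensedUsersAssignmentTarget"


def allowed_platforms(enrollment_configs):
    """Platforms whose enrollment is NOT blocked by a platform-restrictions configuration."""
    allowed = set()
    for cfg in enrollment_configs:
        if cfg.get("@odata.type") != RESTRICTIONS_TYPE:
            continue
        for key in PLATFORMS:
            if not (cfg.get(key) or {}).get("platformBlocked", False):
                allowed.add(key)
    return allowed


def audit(enrollment_configs, compliance_policies, settings, ca_policies):
    """Return a list of gaps; an empty list means all four checks from the post pass."""
    findings = []
    covered = {p.get("@odata.type") for p in compliance_policies}
    # 1. A platform you allow in must have a compliance policy.
    for key in sorted(allowed_platforms(enrollment_configs)):
        if PLATFORMS[key] not in covered:
            findings.append(f"{key}: enrollment allowed but no compliance policy exists")
    # 2. Without special scoping, every compliance policy goes to All users.
    for policy in compliance_policies:
        targets = {a.get("target", {}).get("@odata.type") for a in policy.get("assignments", [])}
        if ALL_USERS_TARGET not in targets:
            findings.append(f"compliance policy '{policy.get('displayName')}' is not assigned to All users")
    # 3. Devices with no compliance policy must count as Not compliant.
    if not settings.get("secureByDefault", False):
        findings.append("devices without a compliance policy are treated as Compliant (secureByDefault=false)")
    # 4. An enabled Conditional Access policy must require a compliant device.
    if not any(p.get("state") == "enabled"
               and "compliantDevice" in (p.get("grantControls") or {}).get("builtInControls", [])
               for p in ca_policies):
        findings.append("no enabled Conditional Access policy requires a compliant device")
    return findings


# --- Constructed sample: a tenant left at the defaults the post warns about --------------
DEFAULT_ENROLLMENT = [{
    "@odata.type": RESTRICTIONS_TYPE,
    "displayName": "All users and all devices",
    **{key: {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False} for key in PLATFORMS},
}]
DEFAULT_COMPLIANCE = [
    {"@odata.type": PLATFORMS["windowsRestriction"], "displayName": "Windows - Baseline",
     "assignments": [{"target": {"@odata.type": ALL_USERS_TARGET}}]},
    # iOS policy scoped to a single group (placeholder group id, constructed)
    {"@odata.type": PLATFORMS["iosRestriction"], "displayName": "iOS - Baseline",
     "assignments": [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                                 "groupId": "00000000-0000-0000-0000-000000000000"}}]},
]
DEFAULT_SETTINGS = {"secureByDefault": False}
DEFAULT_CA = [{"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
               "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}]


def hardened_sample():
    """Same tenant after applying the post's recommendations: Mac and Android blocked,
    every policy assigned to All users, secureByDefault on, CA policy enforced."""
    enrollment = copy.deepcopy(DEFAULT_ENROLLMENT)
    for key in ("macOSRestriction", "androidRestriction", "androidForWorkRestriction"):
        enrollment[0][key]["platformBlocked"] = True
    compliance = copy.deepcopy(DEFAULT_COMPLIANCE)
    compliance[1]["assignments"] = [{"target": {"@odata.type": ALL_USERS_TARGET}}]
    ca = copy.deepcopy(DEFAULT_CA)
    ca[0]["state"] = "enabled"
    return enrollment, compliance, {"secureByDefault": True}, ca


if __name__ == "__main__":
    for label, args in (("defaults", (DEFAULT_ENROLLMENT, DEFAULT_COMPLIANCE, DEFAULT_SETTINGS, DEFAULT_CA)),
                        ("hardened", hardened_sample())):
        results = audit(*args)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

On the constructed default tenant the audit reports six gaps (three platforms enrollable without a policy, one policy not assigned to All users, unassigned devices treated as compliant, and a Conditional Access policy that is only in report-only mode); the hardened variant reports none. Note that the script treats a report-only Conditional Access policy as a gap on purpose, since such a policy logs but never blocks a non-compliant device.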

If you need help with your Conditional Access policy design I’ve written about this before.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund
