TagCompliance

Get started with Microsoft Endpoint Manager

In this post I want to go through some steps that I think is quickest method to get started with Microsoft Endpoint Manager. This will not cover ALL the features but it will give you an quickstart to the service.

For instance, what shold you start with?

To be honest, start with something easy and creates quick ROI (Return of investment) and that could be more than just how to get my money back – rather it could mean that your infrastructure is getting more secure.

So to start with something “easy” let`s kick it of with mobile devices. Many companies does not have any Mobile device management in place and their Cloud services is available for EVERYONE to attache to. So let`s start with demanding compliant devices and closing the door for others!

Requirements:
Microsoft 365 E3 / E5
or
EMS E3 / E5
or
Intune licenses

Devices
Android devices will work straight “out of the box” with Intune but to be able to join iOS/iPadOS Devices to Intune we need to generate and apply a “Apple MDM Push certificate”.

Let`s start with the Certificate for Apple devices (this certificate is also needed for MacOS devices). The only thing you need here is an Apple ID and follow the guide from “Devices -> iOS enrollment -> Apple MDM Push Certificate”. When this is in plnace we can procede.

When it`s created you have a valid Certificate for the next 365 days. That means that you need to remind your self to renew the certificate every year! When the certificate expires your intune services will stop against Apple devices.

So what is a compliant device?

A compliant device is a device registred to Intune and has passed the Compliance policy that you have created.

The policy can contain several “settings” that must be enabled or set on your device for it to be marked as “Compliant Device”. For iOS/iPadOS we have at the moment (04.04.2020) 17 settings we can check to validate the device and for Android 19 settings (04.04.2020).

Here is a simple set of compliant device policies for Android and iOS.

iOS/iPadOS Comliance.

Navigate to “Devices -> iOS -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Jailbroken devices” and “Require password to unlock device”

Hit Create and go to “Assignments”, in this menu we will assign the policy to all users so that everyone that tries to enroll their device will get the policy.  (this is the same step for both iOS and Android).

Android Compliance

Navigate to “Devices -> Android -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Rooted devices” and “Require password to unlock device”

And like the iOS policy we need to assign it to all users, so head in to Assignents after creating the policy and assign it to all users.

Block devices that are not compliant

To block users from connecting with other devices we will use Conditional Access to prevent devices that are not enrolled in your organization. The policy is created from the Microsoft Endpoint Manager portal under “Endpoint security -> Conditional Access. Create a new policy and name it “Require compliant devices”

The policy looks like this and will of course not block the Intune enrollment portal 😊

  • Users and groups
    • Include all users and create exclution for users you want to exclude from the policy
  • Cloud Apps or actions
    • Include “All cloud apps” and click on “Exclude” and search after “Microsoft Intune Enrollment”
  • Conditions
    • Device platforms, configure it and choose Android and iOS from the list.
  • Access controls
    • Grant access and choose “Require device to be marked as compliant”

Now you can enroll your first device, i`ll show it with an iPad her, but first you need to downlod the Company Portal to your iPad.

Then you stat the application and sign in – then starts the enrollment of the device.

Sign-in

setup device

Apply profile

Enrolled!

When that`s completed the device is registred in the Device pane in Microsoft Endpoint Manager Admin Center and you`ll see complance status on it.

That`s it! Now you have a new requirement for all users, they need to enroll their devices (mobile devices) within Microsoft Endpoint Manager to gain access to cloud resources!

Until next time – stay safe and secure!

AIP is deprecated, move to Unified labels now!

At 06.01.2020 Microsoft released the deprication notice for Azure Information Protection client and Label management in the Azure portal. The service is deprecated as of March 31, 2021.

The notice is telling us that within 15 months you all need to migrate all your labels from AIP in the Azure portal over to the new Unified label experience within Office 365 portals.

You find the new label management in several places;

So heres a easy pointer on how to migrate you labels from Azure Information Protection to Unified labels within Office 365.

Navigate to portal.azure.com and head into the Azure Information Protection pane.

From there click on “Unified Labeling” in the left menu and acitvate it.

When this is done you can start using the Unified labeling clients and stop rolling out the classic Azure Information Protection client.

Please keep in mind that you need to have a specific version of Office applications installed on your machine or phone.

  • Windows Desktop – 1910 or higher
  • Mac Desktop – 16.21 or higher
  • iOS mobile – 2.21 or higher
  • Android mobile – 16.0.11231 or higher

For the licensing part here is the license requirement to use Sensitivity labels.

  • Microsoft 365 E3 or above
  • Office 365 E3 or above
  • Azure Information Protection P1

For more advanced use like Automated labeling with sensitivity labels you need to go to E5

  • Microsoft 365 E5
  • Office 365 E5
  • Azure Information Protection P2

© 2020 IdefixWiki

Theme by Anders NorénUp ↑