As employees embrace a new culture of work across devices and cloud apps, it is important to secure the digital estate. To maximize productivity, employees are encouraged to use personal devices and to work from any location, so the need to balance mobility with security, protecting corporate resources, data, and documents, has grown many times over.
With Windows Hello for Business, passwords are replaced by strong two-factor authentication that combines an enrolled device with a PIN or a biometric (fingerprint or facial recognition) to sign in. The PIN or biometric never leaves the device: it unlocks a private key that is bound to that device (held in the TPM where one is present), and only a signature made with that key is sent to the identity provider, so a phished or replayed PIN is useless without the hardware. Windows Hello can be deployed within an existing identity infrastructure by extending its certificate- or key-based trust so that the PIN or biometric unlocks an enterprise credential, and it also covers remote access. Users can sign in to a Microsoft account, an Active Directory account, or an Azure AD account.
Multifactor authentication lets people securely access their work from anywhere. To enable mobile access to on-premises resources, we combine two remote access controls:
- We validate who the user is through multifactor authentication, which helps ensure the security of cloud resources and remote access at Microsoft.
- We check device health to ensure that the user accesses corporate resources from a device that is managed through System Center Configuration Manager or Microsoft Intune and that has all the latest updates installed.
Conditional Access, an Azure AD policy engine that Windows 10 devices integrate with, helps ensure that users sign in from a healthy device with strong authentication; device management policies can also be configured for remote access.
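The combined check described above (strong authentication and a managed, healthy device) is expressed in Azure AD as a Conditional Access policy. The following is an added example, not code from the original article, that creates such a policy through the Microsoft Graph PowerShell module; the module, the Graph permission scopes, and the break-glass account ID are assumptions. The policy is created in report-only mode so the sign-in logs can show who would be blocked before it is enforced.

```powershell
# Added example (not from the original article): create an Azure AD Conditional Access
# policy that grants access only when the user passes MFA AND the device is marked
# compliant by Intune. Assumes the Microsoft.Graph PowerShell module is installed and the
# signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder object ID of an emergency-access ("break-glass") account. Always exclude
# at least one such account so a broken policy or MFA outage cannot lock every admin out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA and compliant device for all cloud apps'
    # Report-only: evaluated and logged, but not enforced. Switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'AND' means both controls are required; 'OR' would accept either one alone.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After checking the report-only results in the Azure AD sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Because `compliantDevice` depends on Intune reporting a compliance state, devices that are not enrolled (or whose compliance policy has never evaluated) fail the policy; check the sign-in logs in report-only mode for unexpected users before enabling it.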
Cloud services have made it possible to introduce more self-service capabilities for identity and access management. These have reduced manual administrative tasks and Helpdesk calls about password and identity changes.
Password management - Users change their passwords through an internal, cloud-based self-service password management solution. They are prompted to verify their identity when they change a password, and they do so without calling Helpdesk. Verification questions are the weakest of the available methods, since answers are often guessable or discoverable; where possible, require a stronger second factor such as an authenticator app or a registered phone.
Security and distribution group management - Tools like Microsoft Teams in Office 365 let users create and manage their own groups without going through an administrator or Helpdesk. Group owners can then apply access policies to a group rather than to individual users, so access is granted and revoked through membership.
Azure AD Join - Bring your own device (BYOD) scenarios are also taken into account. Many employees do part of their work on a personal device. In Windows 10, a user can add a work or school (Azure AD) account to a personal device, which registers the device with Azure AD and enrolls it in mobile device management through Microsoft Intune. Note the distinction: adding a work account to a personal device makes it Azure AD registered, whereas Azure AD Join is for corporate-owned devices and signs the user in to Windows itself with the Azure AD account.
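To see which of these states a given Windows device is in, and whether the Windows Hello for Business key described earlier has actually been provisioned for the signed-in user, the built-in `dsregcmd /status` tool reports both. The script below is an added example, not code from the original article: it parses that output and classifies the device. The field names are the ones `dsregcmd` prints; the classification logic and the warning thresholds are ours.

```powershell
# Added example (not the article's own code): classify a Windows 10+ device's Azure AD
# relationship and check Windows Hello for Business key provisioning by parsing
# `dsregcmd /status`. Run it as the user whose Hello state you want; the "User State"
# section reflects the current logon session.
function Get-DeviceIdentityState {
    [CmdletBinding()]
    param()

    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        # Status lines look like "   AzureAdJoined : YES"; section headers like
        # "| Device State |" do not match and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }

    function Test-Yes([string]$Name) { $fields[$Name] -eq 'YES' }

    $joinType = if ((Test-Yes 'AzureAdJoined') -and (Test-Yes 'DomainJoined')) { 'Hybrid Azure AD joined' }
                elseif (Test-Yes 'AzureAdJoined')  { 'Azure AD joined (corporate-owned)' }
                elseif (Test-Yes 'WorkplaceJoined') { 'Azure AD registered (BYOD, work account added)' }
                elseif (Test-Yes 'DomainJoined')    { 'On-premises domain joined only' }
                else                                { 'Not joined or registered' }

    [pscustomobject]@{
        JoinType            = $joinType
        DeviceId            = $fields['DeviceId']
        TenantName          = $fields['TenantName']
        # NgcSet = YES means a Windows Hello for Business key exists for the signed-in user.
        HelloKeyProvisioned = (Test-Yes 'NgcSet')
        # TpmProtected = YES means the device key lives in the TPM rather than in software.
        DeviceKeyInTpm      = (Test-Yes 'TpmProtected')
        # PreReqResult says whether Hello provisioning will run at the next sign-in.
        HelloPrereqResult   = $fields['PreReqResult']
    }
}

$state = Get-DeviceIdentityState
$state | Format-List

if (-not $state.HelloKeyProvisioned) {
    Write-Warning "No Windows Hello for Business key for this user; PreReqResult is '$($state.HelloPrereqResult)'."
}
if (-not $state.DeviceKeyInTpm) {
    Write-Warning 'Device key is not TPM-protected; the credential is not hardware-bound on this machine.'
}
```

A device that reports `WorkplaceJoined : YES` but `AzureAdJoined : NO` is the BYOD case from this section: it is registered and can be Intune-enrolled, but the user still signs in to Windows with a local or Microsoft account.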
A Microsoft Intune subscription acts as a gateway between mobile devices and on-premises Configuration Manager: it sends policy settings and software deployment information to Intune and retrieves status and inventory messages. Intune gives us a single administrative console for all enrolled devices, and one administrative advantage is the ability to create reports, such as security and audit reports.
An Intune subscription establishes a cloud service sync with Configuration Manager. The sync carries the Intune configuration settings, such as which users can enroll their devices and which mobile device platforms are managed. Policies enforced on enrolled devices include:
- Device encryption to help prevent unauthorized access.
- A six-digit PIN or password.
- An inactivity timeout period.
- Antivirus and malware protection, with signature updates, via Windows Defender or Lookout for Work.
- Automatic updates on Windows 10 devices so that the latest security updates are installed.
- Pushing VPN and wireless settings and certificates to the device.
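The settings in the list above (encryption, a six-digit PIN, an inactivity lock, antivirus, and patch level) map onto an Intune device compliance policy, and a non-compliant result is what the Conditional Access `compliantDevice` control acts on. The script below is an added example, not the article's own code: it creates such a policy for Windows 10 through the Microsoft Graph API and assigns it to a group. The Microsoft.Graph PowerShell module, the Graph permission scope, the minimum OS build, and the group ID are assumptions.

```powershell
# Added example (not from the original article): create and assign an Intune Windows 10
# compliance policy that encodes the settings listed above. Assumes the Microsoft.Graph
# module is installed and the caller holds DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$graph = 'https://graph.microsoft.com/v1.0/deviceManagement'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows 10 baseline compliance'
    description   = 'Encryption, 6-digit PIN, idle lock, antivirus, patch level'
    # Device encryption to help prevent unauthorized access
    bitLockerEnabled                      = $true
    storageRequireEncryption              = $true
    # Six-digit PIN (use 'alphanumeric' to require a full password instead)
    passwordRequired                      = $true
    passwordMinimumLength                 = 6
    passwordRequiredType                  = 'numeric'
    passwordBlockSimple                   = $true
    # Inactivity timeout before the device locks
    passwordRequiredToUnlockFromIdle      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    # Antivirus and malware protection (Windows Defender with real-time protection on)
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    defenderEnabled                       = $true
    rtpEnabled                            = $true
    # Patch level: reject builds older than this (placeholder build number; set your own)
    osMinimumVersion                      = '10.0.19045'
    # Intune requires at least one scheduled action. 'block' with a 0-hour grace period
    # marks the device non-compliant immediately, so Conditional Access can react.
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created compliance policy $($created.id)"

# Assign the policy to a device group (placeholder group object ID).
$groupId = '11111111-1111-1111-1111-111111111111'
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

A grace period of zero is the strict choice; a short grace period (for example 24 hours) lets users patch before being blocked, at the cost of a window in which an out-of-date device can still reach corporate data.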
A self-service portal lets people check their device's health and unenroll a device that no longer needs to be managed. If a device is lost or stolen, the user can remove Intune management themselves or ask us to do so. When a device is removed, corporate assets are deleted automatically. Devices can be wiped completely or selectively.
A full wipe restores the device to its factory defaults. This removes all company and user data and settings. A full wipe can be performed on Windows Phone, iOS, and Android devices.
A selective wipe removes only company data. Exactly which data a selective wipe removes, and its effect on the data that remains on the device, vary by platform.
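In the Intune management API the two operations above are separate actions: "retire" is the selective wipe (company data, apps, and policies are removed; personal data stays) and "wipe" is the full factory reset. The functions below are an added example, not the article's own code; they look a device up by name and issue each action through the Microsoft Graph API. The Microsoft.Graph PowerShell module, the permission scopes, and the device names are assumptions, and both actions are guarded with PowerShell's confirmation mechanism because a wipe cannot be undone.

```powershell
# Added example (not from the original article): selective wipe ("retire") and full wipe
# ("wipe") of an Intune-managed device via Microsoft Graph. Assumes the Microsoft.Graph
# module is installed; the caller needs DeviceManagementManagedDevices.PrivilegedOperations.All.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$graph = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

function Get-IntuneDeviceByName {
    param([Parameter(Mandatory)][string]$DeviceName)
    # Single quotes inside an OData string literal are escaped by doubling them, so a name
    # containing a quote cannot break or widen the filter.
    $safe = $DeviceName -replace "'", "''"
    $r = Invoke-MgGraphRequest -Method GET -Uri "$graph?`$filter=deviceName eq '$safe'"
    if ($r.value.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceName', found $($r.value.Count)"
    }
    return $r.value[0]
}

function Invoke-IntuneSelectiveWipe {
    # Retire: removes company data, managed apps and policies; personal data is kept.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$DeviceName)
    $d = Get-IntuneDeviceByName $DeviceName
    $target = "$($d.deviceName) ($($d.operatingSystem), $($d.userPrincipalName))"
    if ($PSCmdlet.ShouldProcess($target, 'Retire (selective wipe)')) {
        Invoke-MgGraphRequest -Method POST -Uri "$graph/$($d.id)/retire"
    }
}

function Invoke-IntuneFullWipe {
    # Wipe: factory reset that removes all user and company data. Irreversible.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$DeviceName)
    $d = Get-IntuneDeviceByName $DeviceName
    $target = "$($d.deviceName) ($($d.operatingSystem), $($d.userPrincipalName))"
    if ($PSCmdlet.ShouldProcess($target, 'Wipe (factory reset)')) {
        $body = @{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$graph/$($d.id)/wipe" `
            -Body $body -ContentType 'application/json'
    }
}

# Usage with hypothetical device names. -WhatIf shows the target without acting;
# ConfirmImpact = 'High' prompts before a real wipe under the default $ConfirmPreference.
Invoke-IntuneSelectiveWipe -DeviceName 'LAPTOP-BYOD-01' -WhatIf
Invoke-IntuneFullWipe -DeviceName 'LAPTOP-CORP-07'
```

The name lookup throws unless exactly one device matches, which prevents a duplicate or mistyped name from wiping the wrong machine; for a lost or stolen device, run the wipe first and only then retire or delete the device record, since a retired device no longer accepts management commands.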
Office 365 gives people access to information anywhere and on any device; however, that same reach makes it harder to protect and control company data.
Organizations want to use Office 365 to increase employee productivity without compromising security.
Here is what we hear from our customers:
- We want to control which devices and locations our services can be accessed from.
- We want to ensure that business data is not copied to personal apps.
- We want to manage devices (PCs and mobile devices) and business apps.
- We want to implement information protection policies.
Capabilities that address these needs include:
- Manage desktop clients for software updates, inventory, protection, and remote assistance
- Manage mobile devices and mobile apps
- Gain deeper visibility for your cloud apps and start controlling data with granular policies
- Help prevent data loss in iOS and Android devices with an unparalleled ability to manage Microsoft Office mobile apps
- Deliver and manage apps across a broad range of devices, including iOS, Android, Windows and Windows Phone all from a single management console
- Simplify administration by deploying required apps automatically during enrollment and allowing users to easily install corporate apps from the self-service Company Portal
- Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync
- Provide single sign-on access to your applications including thousands of pre-integrated SaaS apps
- Protect identities by enforcing risk-based conditional access policies and multi-factor authentication for both on-premises and cloud applications
- Provide secure remote access to on-premises web applications through Azure AD Application Proxy
- Improve user productivity with self-service password reset and application access requests for directories in the data center and the cloud
- Securely manage the identities for Office 365 and all our SaaS apps.
- Protect emails so that recipients have view-only rights and cannot print or forward them
- Protect documents as view-only or set an expiry date
- Encrypt emails and documents
- Enable secure internal and external file sharing that lets you classify and label files at creation, track their usage, and protect them wherever they go.