Microsoft Intune -- now rebranded to Microsoft Endpoint Manager -- is a cloud-based endpoint management tool, and there are plenty of security best practices that administrators can deploy with it.
Microsoft Intune is a part of the Microsoft Enterprise Mobility + Security suite, a mobility management and security platform that helps administrators protect and secure their endpoints, and Intune offers a mobile device management (MDM) component.
With the following six Intune security features, IT administrators can boost the security of the mobile devices within their organization.
1. Use conditional access to limit access to an organization's apps and data
Microsoft Intune has tight integration with Azure Active Directory (Azure AD). This integration enables one of the key utilities that is central to securing company apps and data: conditional access. The integration between these services provides a strong security boundary for a mobile workforce. Intune provides the management and the device state to Azure AD, and Azure AD enforces the policy.
Conditional access makes decisions to enforce company policies based on signals of the device's compliance state. These signals can be based on properties such as the user, the device, the location, and the app or data that the user is trying to access. A common policy is to force a mobile device or mobile app to communicate with Azure AD before it can access company apps and data.
IT can configure this Intune security feature by using the devices section in Microsoft Intune or by using Azure AD.
2. Use device compliance policies to require a baseline of compliance
Microsoft Intune helps administrators protect access to company apps and data by adding a layer on top of conditional access. This layer consists of Intune device compliance policies, which IT can use to define a set of rules and settings that enrolled mobile devices must meet. These can include rules such as the device not being rooted or jailbroken, running at least a minimum OS version, and having storage encryption enabled.
When a mobile device is not compliant with the configured policy, the IT administrator can automatically address the noncompliance by sending an email or notification to the user or taking actions such as remotely locking or wiping the mobile device. In combination with conditional access, this provides organizations with the right tools to restrict users' access to company apps and data.
IT can deploy these policies by configuring device restrictions and optional security baseline requirements, such as certificate profiles and VPN configurations. IT administrators can configure device compliance policies by using the devices section in Microsoft Intune.
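The following added example (not Microsoft's code) models the handoff described in sections 1 and 2: Intune evaluates a device report against a compliance policy, escalates the noncompliance action as the grace period runs out, and Azure AD's conditional access grants access only on a compliant device state. The rule names are assumed to mirror the Graph API's androidCompliancePolicy properties; the evaluation logic and the device reports are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple[int, ...]:
    # "10.0.1" -> (10, 0, 1); numeric compare, so "9" is correctly below "10"
    return tuple(int(part) for part in v.split("."))

@dataclass
class CompliancePolicy:
    # Rule names mirror the Graph API androidCompliancePolicy resource (assumed);
    # grace periods and actions model the portal's "actions for noncompliance".
    osMinimumVersion: str = "10.0"
    securityBlockJailbrokenDevices: bool = True
    storageRequireEncryption: bool = True
    actions: dict[int, str] = field(
        default_factory=lambda: {0: "notification", 24: "block", 72: "retire"})

@dataclass
class Device:
    # Constructed device report; in practice this state comes from the Intune agent.
    os_version: str
    jailbroken: bool
    encrypted: bool
    hours_noncompliant: int = 0

def evaluate_compliance(policy: CompliancePolicy, device: Device) -> list[str]:
    """Intune's side: return the rules the device violates (empty == compliant)."""
    failures = []
    if parse_version(device.os_version) < parse_version(policy.osMinimumVersion):
        failures.append("osMinimumVersion")
    if policy.securityBlockJailbrokenDevices and device.jailbroken:
        failures.append("securityBlockJailbrokenDevices")
    if policy.storageRequireEncryption and not device.encrypted:
        failures.append("storageRequireEncryption")
    return failures

def noncompliance_action(policy: CompliancePolicy, device: Device) -> str:
    """Strongest scheduled action whose grace period has already elapsed."""
    if not evaluate_compliance(policy, device):
        return "noAction"
    due = [hours for hours in policy.actions if device.hours_noncompliant >= hours]
    return policy.actions[max(due)] if due else "noAction"

def access_decision(policy: CompliancePolicy, device: Device) -> str:
    """Azure AD's side: conditional access grants only on a compliant device state."""
    return "grant" if not evaluate_compliance(policy, device) else "block"
```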
3. Use MAM to keep company data safe on mobile devices
Microsoft Intune also helps to protect company data by using mobile application management (MAM). MAM enables IT administrators to protect the company data within an app by using app protection policies, which encrypt the app's data locally and control how it can be shared. With these policies, IT administrators can ensure that the data never leaves the app.
IT can use Intune's MAM with or without device enrollment. With device enrollment, MAM is an additional layer on top of MDM in Intune. Without device enrollment, admins can use MAM for BYOD endpoints or mobile devices managed by a third-party MDM system.
IT can configure app protection policies with the apps section in Microsoft Intune.
4. Use enrollment restrictions to better control mobile devices
Microsoft Intune license holders can enroll up to five devices. It's usually preferable for IT to put some restrictions on those devices. This is a common best practice because organizations often don't support specific device platforms or manufacturers. Enrollment restrictions also give IT the capability to set limits on which users can enroll and what they can enroll.
By default, a user can enroll mobile devices of any Intune-supported platform. Enrollment restrictions can prevent the user from enrolling mobile devices of a specific platform, mobile devices with a specific platform version, personal mobile devices or mobile devices from a specific manufacturer.
IT can configure enrollment restrictions in the devices section in Microsoft Intune.
5. Use a Mobile Threat Defense integration to control user behavior
Microsoft Intune provides integration with certain Mobile Threat Defense (MTD) vendors, including Microsoft Defender Advanced Threat Protection. Even though this isn't a native Intune security feature, the integration adds a significant layer of security.
Once IT admins deploy an MTD platform, they can use the signals it sends, in combination with device compliance and app protection policies, to add to conditional access policies. These additional signals are related to behavior of the user on a mobile device. Once the MTD agent identifies a threat on the mobile device, the configured policies will make sure that the user can't access company apps and data on that specific device or app. This will remain the case until the threat is neutralized.
IT can configure MTD integrations with the tenant administration section in Microsoft Intune.