Security

  • 1.  BYOD restrictions

    Posted Jul 27, 2022 03:19 PM
    Do you impose restrictions on your users from accessing their Office 365 accounts on personal devices to protect company data? What technologies do you use? I'm testing pushing out policies using Azure Conditional Access and Device Compliance, which will allow my users to access org data provided their BYOD devices meet some compliance requirements.

    Here are some examples. Scenario 1. User Ana Green tries to log in to Microsoft Teams on her personal Windows 10 computer. She gets a notification that she will first need to connect her Windows 10 computer using her corporate account so the org MDM, Microsoft Intune, can manage it.



    Scenario 2. When she tries to add her corporate email account on her iPad, she will first get a notification that she needs to create a PIN. This is when the app protection policy kicks in. After the PIN is created, the corporate data is secured from being accessed by other apps installed on her iPad.



    Scenario 3. When she accesses her Office 365 account via the browser, she is not restricted in any way from accessing it, except that she is prompted by MFA first. After successfully meeting the MFA challenge, she is allowed to log in.



    Is this similar to what you're doing now in your org?

    ------------------------------
    Joe Aldeguer
    IT Director
    Society of American Florists
    Alexandria VA
    (703) -836-8700
    https://safnow.org
    ------------------------------


  • 2.  RE: BYOD restrictions

    Posted Jul 27, 2022 03:26 PM
    Hi Joe:

    This is amazing.  When I start my lab - this will be what I will want to experiment with.  

    • I can't remember if we discussed this - were you able to stop the addition of email in both the native email client of Android or iOS - or only the Outlook app?
    • What footprint does Intune create on a staff person's personal computer - be it Windows or Mac?  If any of us were to push this out - especially after an unmanaged implementation - I would want to be able to explain what corporate software is going to appear on a staff person's personal computer so that I can allay any fears of big brother spying.  
    Very cool stuff.

     - Adam

    ------------------------------
    Adam Kuhn
    Director, IT
    202-772-3002
    akuhn@fia.org
    ------------------------------


  • 3.  RE: BYOD restrictions

    Posted Jul 27, 2022 04:24 PM
    It will apply to Android as well.  I just don't have an Android device to test with.  In Conditional Access, you can choose which devices to apply it to.


    When a corporate user registers a BYOD device during registration, they will get a notification indicating what type of control and visibility the org's IT dept will have.  You will also set the setting to personal under device ownership so Intune will not show personal apps installed on the BYOD device.



    ------------------------------
    Joe Aldeguer
    IT Director
    Society of American Florists
    Alexandria VA
    (703) -836-8700
    https://safnow.org
    ------------------------------
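
As an added example (not from any of the posters), the three scenarios in this thread could be expressed as Conditional Access policies through the Microsoft Graph PowerShell SDK, created in report-only mode so their effect can be reviewed in the sign-in logs before enforcement. The policy names, the `New-ByodPolicyBody` helper, the pilot group placeholder and the mapping of each scenario to a grant control are assumptions.

```powershell
# Added example: hypothetical policies modelled on the three scenarios above.
# Requires the Microsoft.Graph PowerShell SDK and rights to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$PilotGroupId = '<object-id-of-pilot-group>'   # placeholder: replace with a real test group

# Hypothetical helper that builds one policy body scoped to Office 365 and the pilot group.
function New-ByodPolicyBody {
    param(
        [string]   $Name,
        [string[]] $ClientAppTypes,
        [string[]] $Platforms,
        [string[]] $Controls
    )
    @{
        displayName   = $Name
        # Report-only: outcomes are logged per sign-in, nothing is blocked yet.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = $ClientAppTypes
            platforms      = @{ includePlatforms = $Platforms }
        }
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
}

$policies = @(
    # Scenario 1: desktop apps on Windows need an Intune-compliant (enrolled) device.
    (New-ByodPolicyBody -Name 'BYOD pilot: Windows apps need compliant device' `
        -ClientAppTypes 'mobileAppsAndDesktopClients' -Platforms 'windows' `
        -Controls 'compliantDevice'),
    # Scenario 2: mobile apps on iOS/Android need an app protection policy (PIN, data isolation).
    (New-ByodPolicyBody -Name 'BYOD pilot: mobile apps need app protection' `
        -ClientAppTypes 'mobileAppsAndDesktopClients' -Platforms 'iOS', 'android' `
        -Controls 'compliantApplication'),
    # Scenario 3: browser access on any platform only needs MFA.
    (New-ByodPolicyBody -Name 'BYOD pilot: browser needs MFA' `
        -ClientAppTypes 'browser' -Platforms 'all' -Controls 'mfa')
)

foreach ($body in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body |
        Select-Object Id, DisplayName, State
}
```

Once the report-only results for the pilot group look right, changing `state` to `enabled` turns enforcement on.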