If you’re an IT admin, do you know what apps users are putting on devices alongside company data? Do you know all the apps that they are directly putting company data into, thinking it helps solve a problem for them? This is the problem of “Shadow IT.” If it’s a personal device, it’s even worse, as they might be installing all kinds of insecure apps without IT approval and it wouldn’t take much to make a mistake like copying and pasting company data or uploading a file into the wrong app.
Once you’ve got devices enrolled in Microsoft Endpoint Manager, one of the very useful things you can apply is a compliance policy. Compliance policies give you a way to monitor devices and enforce restrictions on those that are not following the practices you want in your organization.
These compliance policies can be set up for devices of multiple operating systems:
- Windows 10 and later
- Windows 8.1 and later
As is the case elsewhere in Endpoint Manager, Chromebook is the noticeable omission.
You’ve got your devices enrolled in Endpoint Manager. Now what? This opens up lots of tools including configuration policies.
Configuration policies allow for quickly rolling out the desired configuration to the device, without the user having to manually set it up. This can include a lot of different settings and vary by the operating system of the device. Some of the more interesting tools for Windows 10 include:
Windows Autopilot is a great system for deploying new Windows 10 devices, especially in the age of COVID-19 and so many working from home. Here’s the official documentation breaking down the details.
The high level overview is that the user of the machine receives it, perhaps at home or perhaps in an office. They turn it on. Depending on the configuration options the admin has set up, they may have as few as two things they need to do to get the device ready for use:
Suppose you’ve started to move toward managing your devices in Microsoft Endpoint Manager (Intune). There are a lot of methods available to do that. I’ll highlight just a few of the most interesting:
If the device was set up with Windows Autopilot, enrolling in Endpoint Manager is one of the options that can happen immediately as part of the setup. No further actions are necessary.
Passwords are inadequate. Even for standard consumer tools, you should have at least two more tools in your toolbox: a password manager and multi-factor authentication. Those help make passwords suck less. But they do leave open some questions like: should you need to perform multi-factor authentication every time you log in? Should access be all or nothing, or should there be any accounting for degrees of risk?
Data Loss Prevention in Microsoft 365 is a feature that helps prevent loss of sensitive data (that makes sense) coming out of your system. This can be within emails or within files, although the latter requires a higher license. Here’s how it works.
Over the last few months, I’ve been working on preparing for the MS-101 exam. This exam covers a few topics around enterprise device management and security. I’ve mostly been studying with a few methods:
- The official practice test from MeasureUp
- Reading the learning paths from Microsoft
- Reading a prep booklet from Nate Chamberlain
- Trying as much as I can in my personal tenant with license trials, or a dev tenant, but some things can be hard to test out without significant amounts of real data and users