Many organizations are finally easing up on their 9-to-5, you-must-be-in-the-office corporate culture. While at first glance a decentralized workforce may seem to spread out the threat of network vulnerabilities, the reality is that decentralizing has exposed the central network tenfold. Work from anywhere security concerns are valid. Here are some top-of-mind concerns for your organization that need addressing immediately.
- Harden security at home
  - Many home networks are left open for anyone to hop on and compromise the work computer, or whatever computer you happen to be on. Changing the Wi-Fi passphrase, changing the router admin password, and updating the router firmware is a good start.
- Endpoint protection
  - This seems like a no-brainer, but not all protection is created equal. Some products fall way short of what they claim to be capable of stopping.
- Who is registered and/or joined to your network?
  - Run a complete audit with your networking tools. Centralized Mobile Device Management software can assist with this. We discuss Intune as an MDM option below.
- DNS protection, content filtering, and next-generation VPN
  - These solutions can be broken up or consolidated into one product, but they are a key ingredient for addressing your work from anywhere security concerns.
- Security awareness training
  - Phishing attacks have increased significantly of late. Please educate your workforce on phishing techniques, update your mail transport rules to add a disclaimer to outside emails, and enable enhanced phishing protection on your mail server.
- Too many cooks in the kitchen
  - Audit who has access to what. This ranges from global administrators down to who holds the passwords and where they are all located.
- Enable more MDM policies from a solution like Intune
  - Enable remote wipe for devices that get into the wrong hands.
  - Enable device encryption for the same reasons.
  - Enable location-based conditional access.
    - We don't want users logging in from everywhere.
How does Azure Active Directory integrate with Intune?
A lot of device management issues come up when a new IT management team or MSP inherits an IT network with no standard operating procedure for mobile device management from their predecessor. The devices may or may not be in Azure Active Directory, and they are even less likely to be in Intune because the small business is not subscribed to Microsoft 365 Business Premium. Your team's messaging to the top members of your organization on the importance of security is critical to the safety and success of your business. We introduce a lot of this information in our Intune post.
Pause for a moment, reflect, and turn back the clock on your present-day IT environment…
- When did the wheels initially fall off for most small businesses?
- How did things get unwieldy to manage?
- How does your IT team regain control?
You may look no further than the blue screen below if you were a very small start-up that quickly grew without any IT oversight. This screen is seen when an employee receives the computer and tries to set it up themselves. This naturally sparks another question: do you really want your team managing this setup, or is something like Autopilot deployment for new and existing computers in their future? Regardless, let's reveal what was done wrong here with the current blue screen setup, how to correct your team's selections, and how to develop an SOP for the future deployment of computers.
Set up for Personal Use
Use a Microsoft, Gmail, Yahoo, etc. account for personal use.
Note: This selection will cause problems for business use if your team later attempts to manage devices by joining them to Azure Active Directory. If you proceeded with personal use at some point and later want to join the device to Azure Active Directory, you will need a local admin account to perform the join.
Set up for an Organization
This will join the computer to Azure AD. However, Intune enrollment will not happen unless you have Microsoft 365 Business Premium or equivalent licensing.
Device Settings – Azure Active Directory Admin Center
Head over to the Azure Active Directory admin center to reveal exactly which machines are joined to Azure Active Directory.
Please navigate to the Dashboard and select Devices to capture a basic snapshot of your environment.
Not only can we view current devices but also inactive ones, their current users, and less-than-desirable host naming conventions. The most important column, though, after confirming which devices are currently active, is which device is enrolled in MDM.
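The same snapshot can be pulled from the command line. The script below is an added example, not from the original post, that uses the Microsoft Graph PowerShell SDK to list every device in the tenant, how it is joined, whether it is enrolled in MDM, and whether it has gone quiet. It assumes the Microsoft.Graph module is installed, that the signed-in account has Device.Read.All, and that 90 days without a sign-in counts as inactive.

```powershell
# Added example, not from the original post: audit Azure AD devices for staleness
# and MDM enrollment with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; signed-in account has Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All"

$staleAfterDays = 90                      # assumed threshold for "inactive"
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$props = "displayName,operatingSystem,operatingSystemVersion,trustType," +
         "isManaged,isCompliant,approximateLastSignInDateTime,accountEnabled"
$devices = Get-MgDevice -All -Property $props

$report = foreach ($d in $devices) {
    # trustType tells you how the device relates to the tenant.
    $joinType = switch ($d.TrustType) {
        'AzureAd'   { 'Azure AD joined' }
        'Workplace' { 'Azure AD registered' }   # the "personal use" path
        'ServerAd'  { 'Hybrid Azure AD joined' }
        default     { 'Unknown' }
    }
    $lastSeen = $d.ApproximateLastSignInDateTime
    [pscustomobject]@{
        Device     = $d.DisplayName
        OS         = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        JoinType   = $joinType
        MdmManaged = [bool]$d.IsManaged       # enrolled in Intune (or another MDM)
        Compliant  = [bool]$d.IsCompliant
        LastSeen   = $lastSeen
        Stale      = (-not $lastSeen) -or ($lastSeen -lt $cutoff)
        Enabled    = $d.AccountEnabled
    }
}

# What the security team should look at first: stale devices, and active
# devices that are in Azure AD but not enrolled in MDM.
$report | Where-Object { $_.Stale -or -not $_.MdmManaged } |
    Sort-Object Stale, MdmManaged -Descending |
    Format-Table Device, JoinType, MdmManaged, Compliant, LastSeen, Stale -AutoSize

# Keep the full snapshot for the audit trail.
$report | Export-Csv -Path ".\aad-device-audit.csv" -NoTypeInformation
```

Devices that show up as Azure AD registered rather than joined are usually the ones set up with the "personal use" option discussed above.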
Mobile Device Management – Intune
Mobile Device Management, or MDM, manages and secures your organization's devices, including your local desktop environment. It is included in Microsoft 365 Business Premium and the EMS suite. Microsoft branded its cloud-based MDM management solution as Intune. These enhanced services naturally bring up a lot of questions from management and the security team that demand immediate attention.
- How do we approve registered devices?
- We discuss a little about BYOD in this post.
- Where do you see phones?
- How do we block access from non-approved regions?
- Is our device data encrypted if we lose the devices?
Additional Microsoft Resources
- Joining to network
- Azure AD joined vs Azure AD registered
- Azure support team
How do I join Azure Active Directory if my computer was already set up?
Please make sure you are using a local admin account before proceeding. Log in to the admin account, select Settings, Accounts, Access work or school, and then select Join this device to Azure Active Directory.
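An added example, not part of the original post, that checks the two preconditions and the outcome of those steps from the device itself: it parses `dsregcmd /status` to report whether the machine is Azure AD joined, only Azure AD registered (the personal-use path), or not joined at all, and it checks that the current session is running as a local administrator. Run it from an elevated PowerShell prompt on the device; the function names are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the device.
function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; parse them into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']   -eq 'YES'
        DomainJoined    = $state['DomainJoined']    -eq 'YES'   # on-prem AD
        WorkplaceJoined = $state['WorkplaceJoined'] -eq 'YES'   # "registered" only
        TenantName      = $state['TenantName']
        DeviceId        = $state['DeviceId']
    }
}

function Test-LocalAdmin {
    # True only when the current token actually carries the Administrators role (elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-LocalAdmin)) {
    Write-Warning "Not running as a local administrator; the join will fail. Log in to the admin account first."
}

$join = Get-JoinState
if ($join.AzureAdJoined) {
    "Already Azure AD joined to tenant '$($join.TenantName)' (DeviceId $($join.DeviceId))."
}
elseif ($join.WorkplaceJoined) {
    "Only Azure AD registered (personal-use setup). Use Settings > Accounts > Access work or school > Join this device to Azure Active Directory."
}
else {
    "Not joined. Use Settings > Accounts > Access work or school > Join this device to Azure Active Directory."
}
```

Re-run it after the join completes; the DeviceId it prints should then appear in the Devices list in the Azure Active Directory admin center.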
Security concerns when joining devices to Azure AD
Do I want my users to default to local administrator status?
Should I tweak the Device settings?
- Users may join devices to Azure AD?
- Additional local administrators on Azure AD joined devices?
- Require MFA
How do I manage New and Existing Computer Setups going forward?
Check out our Autopilot join devices post. You will need to auto-enroll your existing devices and develop a relationship with a hardware distributor so that new devices are managed as soon as their serial numbers are entered by the distributor.
Work from Anywhere Support & Security Concerns Summary
It is recommended to get a Microsoft 365 Business Premium or EMS license to take advantage of the management and security options Azure AD and Intune provide. But the Microsoft 365 service itself is just the tip of the iceberg for getting your work from anywhere corporate culture going. You will need an experienced administrator or MSP to effectively deploy and manage it, plus an investment in all the man-hours necessary to secure and maintain the rest of your network environment.