How to Secure Office 365 for Personal Devices
One of the main benefits of migrating your systems to the cloud is that it’s easier for your employees to access resources from any device and any location – all they need is an internet connection.
The problem is that while the cloud makes it easier for your employees to access your systems remotely, it also makes it easier for hackers to do the same.
This article provides an overview of the best solutions to secure enterprise data on personal devices – allowing you to enable BYOD for your employees, maintain user privacy and keep out the bad guys.
Microsoft Intune and Mobile Application Management (MAM)
Microsoft has developed their own MAM solution called Intune App Protection or Intune APP. It’s great for personal devices and BYO programs.
This is a great solution if you need to secure data in the Microsoft Apps for Enterprise suite including Outlook, Teams, Office and Edge.
Intune APP provides a secure, containerised solution that enforces encryption, device pin and checks device health before allowing access to Office 365.
As soon as someone downloads one of the enabled apps and authenticates with their work account (Azure Active Directory account) the Intune APP policies will be applied, regardless of whether their device is MDM managed or not.
The apps that can be secured with Intune App Protection policies include many apps.
Microsoft’s Apps for Enterprise
These are partners that have added the Microsoft Intune app SDK to their applications.
The full list of apps that can be included in the Intune MAM container are detailed here. This list is frequently updated with new partner apps being added.
Internal and third-party apps
It is also possible to add your in-house and third-party developed apps to this eco-system if you write the Intune app SDK into your apps or wrap them with the Intune app wrapping tool. You can read more about these options here.
How does Intune APP Secure my data?
Intune APP provides a secure, encrypted sandbox for enterprise data on a personal device. This data can be expired / access revoked remotely as required (lost, stolen, compromised device, employee offboarding). Access to these apps is only accessible via an Azure Active Directory (AAD) account so decommissioning an employee’s AAD or AD account would also block access.
Intune APP provides these capabilities
- Several policies to protected enterprise data on a personal device including requiring a PIN to access the Office 365 apps (Outlook Email), encryption, and DLP.
- Many policies to reduce risk to company data stored in the Microsoft apps on a personal device including blocking data transfer from the Office 365 apps to personal apps, blocking back up to cloud storage, blocking screenshots and blocking 3rd party keyboards.
- A mechanism to only allow access to enterprise data on a personal device if the device is running an approved operating system version.
- Integration with Google’s SafetyNet Attestation to validate the integrity of the device which checks for rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity.
- A policy that blocks the use of Microsoft apps on a jailbroken or rooted device. For example – the user will not be able to open/authenticate to Outlook on a jailbroken or rooted device.
Intune APP, in combination with Azure Conditional Access policies, can be used to block access to Office 365 data if compliance requirements are not met (e.g., encryption, patching level, authentication – including MFA).
Both Intune and Azure logging can identify what apps are being leveraged using Intune APP.
Mobile Threat Management add-on for Intune APP
An additional recommendation for Intune APP – MAM enrolled devices would be to leverage a Mobile Threat Management Solution (MTM) to inspect for threats before allowing access to the apps.
MTM can detect compromised apps and networks on any device with the MTM app installed, allowing for greater visibility and control. It is possible to integrate MTM with Conditional Access to ensure only access to Office 365 data is only allowed on devices that have a Mobile Threat Defence app installed.
Native Containerisation – MDM BYOD
Google and more recently Apple, have both released native operating system level options to secure data on an employee’s personal devices through a containerised partition on the device that keeps enterprise apps and data separated from personal apps and data.
You need to have a Mobile Device Management solution in place to be able to leverage these solutions and there is a bit of set up effort required.
For Android devices this containerisation is delivered through Android Enterprise Work Profile. Read more about how to set up Android’s Work Profile in this blog article.
For iOS devices this containerisation is delivered through Apple’s User Enrollment. Read more about how to set up Apple User Enrollment in this blog article.
Management options with MDM BYOD
Both Google’s Android Enterprise Work Profile and Apple’s User Enrollment allow you to push policies, settings, profiles, in-house and third-party apps, Microsoft Apps for Enterprise and app configurations (AppConfig) to the managed container on the device.
Wiping the container is also possible; however, resetting the device PIN code is not. You get some visibility of the device itself through MDM BYOD although it is designed to maintain a high level of user privacy so don’t expect too much visibility or control.
What is the best option – MAM or MDM BYOD?
If you answer YES to any of these questions, then MDM BYOD is the option you need to deploy.
- Do you have in-house or third-party apps you need to deploy?
- Do you want to push Wi-Fi settings and certificates?
- Do you want to push network settings? APN / VPN?
- Do you want to provide a curated enterprise app store for your employees?
- Do you want to report on what apps are installed on devices?
- Do you want more visibility of devices?
Intune APP on it’s own is a viable option only if you want to provide access to Office 365 and don’t need to push any other business apps or services on your employees’ devices.
You can enable Intune APP on unmanaged devices, MDM BYOD managed devices, and fully managed devices. Think of it as an extra layer of security for the Microsoft suite of apps no matter what device is being used.
Conditional Access and Modern Authentication
While MAM and MDM BYOD go a long way to securing enterprise data on personal devices, it’s not until you add Microsoft’s Conditional Access into the mix that you start securing access to Office 365.
Conditional Access acts like a gatekeeper for Azure and Office 365 resources. Every connection is checked for user identity, location, device health and can allow or deny access based on a minimum set of requirements.
REQUIRE MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) adds a second factor of authentication to an employee’s Azure Active Directory username and password. The second factor can be a token made available through the Microsoft Authenticator app or a code sent via SMS to employees’ smartphones. Having MFA set up means that even if your employees’ credentials are stolen, without access to the MFA token, your Office 365 data will still be secured.
If you don’t have MFA enabled yet, stop reading this and go get it sorted!
If you are deploying Intune App Protection policies you should enable the Conditional Access policy Require Multi-factor authentication which ensures access to Outlook, Teams, etc. will only be allowed on devices authenticated using MFA.
REQUIRE COMPLIANT DEVICES
It is possible to mark devices compliant if they meet all the compliance requirements you set e.g., are encrypted, have a passcode, are running an approved operating system.
MDM BYOD devices can be tagged as compliant as they are deemed managed by MDM.
The Conditional Access policy Require device to be marked as compliant can be used to ensure only devices that are managed can gain access to Office 365 data. This means you can block access to any devices that have not properly authenticated and enrolled through your internal processes.
Be careful with this policy though – blocking access to all devices unless they are managed will impact your employees. It’s important to communicate any change before implementing it. Conditional Access has a report only option where you can see the impact of the policy before you enable it in production. You can read about this report the only mode via this link.
Intune MAM devices can also be tagged as complaints when they meet the required risk status which is delivered to Intune when you integrate with a Mobile Threat Management solution.
Don’t be afraid of allowing personal devices at your company. Instead, empower your employees to use their devices safely. If you want help, check out our BYOD 365 service, or our Intune Security Baseline. Both are great for extending security to all devices. Finally, consider switching to Intune for Windows and manage your entire fleet through modern, cloud-first technology. If you have any questions, please contact us.
Securing Office 365 for Personal Devices (BYOD) as previously published on mobile-mentor.com
We enable remote teams to be secure and productive. Work is an activity, not a place. We’re a Microsoft Gold partner specialising in modern work technology that enables remote teams to be secure and productive.
Compliance and Vulnerability
Cloud compliance is the general principle that cloud-delivered systems must be compliant with standards that the cloud customers face. Essentially, cloud customers need to look at the effective security provisions of their vendors the same way they would look at their own internal security. They will need to figure out whether their cloud vendor services match the compliance that they need. There are several ways to go about this. In some cases, companies can just look for vendors that certify compliance, and choose their services without any further input. However, sometimes clients may need to actually get involved in accessing the cloud vendor's security, to make sure that it complies with the industry standards and regulations.