This is the 4th part of my blog series on the Road to CE series. We’ll be starting to look at the technical controls inside of AAD and Intune to assist with Cyber Essentials. Please note I’ll be specifically talking about AAD and Intune.
As previous stated under Cyber Essentials you need to know the make and OS version connecting to corporate data and excluding students. With that in mind, we (Jisc) took the decision to block personal (BYOD) Windows and Mac devices from connecting to our systems, this dramatically simplified things. This may change in the future but Windows Information Protection (the Windows BYOD tech) has been deprecated, the replacement isn’t ready yet.
These instructions will also use Mobile Application Management (MAM).
Intune enrolment restrictions
In Intune go to Devices > Device Enrollment > Enrollment device platform restrictions and configure it so personal devices are blocked from Enrolling into Intune, including iOS/Android. I’ll talk about that next.
If you need BYOD for Students or for doing a pilot you’ll create new policies, otherwise edit the All users policy. Configure these policies to block personal enrolment.
Next is the magic bit, Application Protection Policies.
Mobile Application Management
MAM will allow your users to register devices and isolate corporate data on those devices. You can then wipe that data without effecting the rest of the device. The big thing with MAM is the information you get from devices to ensure Cyber Essentials compliance.
We’ll be configuring Android and iOS with compliance policies.
Go to Apps > App protection policies and create a new Android policy. If you are using the Jisc CE Device Database include “Cyber Essentials” in the description.
Microsoft has a list of apps which are Supported Microsoft Intune apps | Microsoft Learn, if an app isn’t in the list contact your app maker to make the app support it, or if it’s an app you control you can wrap it to support Intune.
Web Apps can also be excluded if you want, we do this for our HR system to allow for downloading/access to payslips etc. (This may change).
Target just unmanaged devices (toggle “Target to apps on all device types” to no).
Jisc just allows Microsoft core applications in here, but you add the apps that support.
Android Data Protection
Onto the Data Protection settings, Jisc has elected to lock this down a bit to avoid data leakage/isolation. We restrict copying files to OneDrive/SharePoint only and uploading data is only from OneDrive/SharePoint/Camera/Photo Gallery
Then for encryption, we enforce encrypting org data, block printing and only block org data, not the whole device. Restricting the web to Microsoft Edge ensure the data is encrypted and the correct device compliance data is passed through to AAD. Microsoft Tunnel is a Intune Plan 2 feature.
Android Access Requirements
Access requirements is where we set the CE compliance for data/device access. A PIN is required, this is entered every 24 hours, with biometric every 30 minutes.
Android Conditional Launch Restrictions
Conditional Launch restrictions are the key here to CE compliance, data access is blocked for Rooted/Jailbroken devices, and the Min OS version and patch level is set. The Jisc CE Device Database tool will update these conditional launch settings for you, otherwise you’ll need a process to update these settings.
iOS follows much the same policies as Android, set the device target all to no and select device types of unmanaged. On the apps select the Microsoft apps you want to configure/enforce compliance.
iOS Data Protection > Transfer
When you select Policy managed apps the exemptions are prefilled, if they aren’t refer to Microsoft’s docs. The exemptions basically say for certain urls it’s ok to open in the unmanaged app, or others they need to open in an Intune wrapped and managed app.
We only use OneDrive/SharePoint for filestore at Jisc so we only select that as a save location. Allowing the use of the Camera is optional, it’s useful to turn on especially in teams if you want to quickly take a picture of something and IM it to a colleague. We don’t allow attaching files outside of OneDrive/SharePoint/Camera however. This policy also prevents easily exfiltrating of data.
iOS Encryption/functionality settings
We enforce org data being isolated and encrypted in this section, disable syncing of data to the local device, block printing, require the use of Microsoft Edge for web content (Edge can be Intune controlled) and when the device is out of compliance block the org data.
iOS Access Requirements
As with Android, we specify the minimum levels under Cyber Essentials in this section, you may want higher however. As with Android we set that we require PIN/Face ID every 24 hours with a check every 30 minutes.
iOS Conditional Launch Conditions
We’re going to follow NCSC/Cyber Essentials guidance again with the conditional launch conditions, max pin attempts of 5, offline grace period of 12 hours after which the data is blocked and a further 90 days before the data is wiped off the device.
This is where we block access to data for jailbroken/rooted iOS devices and specify a min OS version for iOS. You should update this based on Apple’s guidance, the Jisc CE Device Database will do this automatically for you if “Cyber Essentials” is included in the policy description.
AAD Conditional Access Policies
The final step to enforce this is to use AAD Conditional Access to prevent access via any other means.
BYOD Non Permitted Devices
This policy blocks unmanaged devices with intune as the exclusion
On Conditions you need to apply this policy to non iOS and Android devices.
We’ll also filter out corporate devices from having this policy applied via a double negative filter on the device Ownership
Finally the grant is set to Block Access.
BYOD permitted Apps
The other conditional access policy for BYOD will allow the permitted apps on compliant devices.
All cloud apps are in scope for this, you may want to exclude certain apps.
Where as the previous CA policy this one is will target explicitly iOS/Android devices.
We are doing the same filter as the previous policy to filter out corporate owned devices.
We have 2 conditions for a grant access: Require approved client app and Require app protection policy. This will enforce the app goes via the app protection policy. We also require both of these requirements.
End user Experience
So what does this look like for the end user? Users will be asked to install Company Portal (this may change in the future on Android, already not required on iOS), after this the device will be checked for compliance.
If any of these fail then the device will not work with org data anymore. Once you continue the user will be asked to register the device, this will register the device with AAD, so you can see the OS information, device compliance, etc, and use that for monitoring.
The user will be asked to configure a PIN during this setup process. Each time you load an app up it will check the state of the device and perform the actions you defined in the policy section.
Only then can you access the app and corporate data
This is a very long post, the next post I’ll go through more technical controls we have in place inside of Intune/AAD, Winget will be getting a big mention.