Previous parts in this series are:
Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1
Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4
All the articles so far have focused on the technical implementation of device management, however these are all effectively subservient to real need of allowing users to get their work done. Security that gets in the way of what people need to do will simply result in them bypassing it and opting for solutions that are less secure and less controllable, aka shadow IT. Thus, when implementing successful device management, you keep in mind the end game here which is, allowing users to get done what they need to, securely.
Deploying all the options that are available with device management is daunting given the sheer number of settings, across multiple operating systems via multiple services like Intune and Endpoint security. Thus, even before you start implementation you should ensure that you have a good documentation regime in place to keep track of what you implement and what changes you make over times. There are going to be circumstances when you need to track down a specific setting in a specific policy and having good documentation is going to save you boatloads of time. It is also going to save you going round and round in circles making changes that have unexpected consequences. Thus,
Rule number 1 = maintain good documentation
With a plethora of policies and settings to configure having a define naming convention is going to make troubleshooting far easier. I have seen all sorts of policy names that bear no relevancy to the actual settings it implements. Remember, you can end up with multiple policies for multiple device operating systems, for multiple audiences across multiple services. Using something like MAM iOS Sales team or MDM Windows Executives or ES Antivirus Field Staff is going to allow people to quickly understand what these policies are for, where they come from and who they apply to. Good naming conventions are defined prior to implementation and applied consistently (which is why they are called conventions after all!). So,
Rule number 2 = define a naming convention upfront and apply it consistently
All users are not created the same. Thus, you’ll need to consider dividing up your policies into deployment rings, much like what Microsoft does with Windows I suggest. You’ll probably need a test or canary ring, and early adopters ring and an everyone else ring.
The canary ring is basically test devices and users to determine the effects of applying policies. This will give you early warning as to what impact settings actually have in your environment. This will be 1 – 2% of your population.
The early adopters ring is targeted at those users who like to be first and are prepared to ride out and bumps along the way by providing constructive feedback on the impacts of settings to them. This will probably be 10 – 15% of your population. Users in this ring should ‘opt in’ and understand the ramifications of getting things that may still be testing.
You may need to have multiple rings for different locations, devices or audiences. This is again where good documentation and naming conventions are critical. It is therefore recommended that:
Rule 3 = apply policies and updates to policies in rings to the environment
Not everything goes to plan. Sometimes setting and policy changes can have unexpected consequences on devices. Sometimes, these unexpected changes can prevent you from doing something you need to do. As with setting up conditional access, don’t lock yourself out:
Rule 4 = ensure you have an admin user that is not subject to any policy in case of emergency
Device management is typically never a world of all green check marks (and rainbows and unicorns). It is typically a world with setting conflicts, non compliance and strange impacts. Bulk policy implementations and/or changes are a recipe for never ending frustration. Start small and grow. Don’t turn everything on to the max out of the box. My advice is to start with one baseline at a time and get that all green, then move to individual Endpoint security policies and get that all green, then compliance and get that all green and so on. Thus,
Rule 5 = grow into your settings and policies
Some other recommendations for those that are actually tasked with deploying device management:
A. Have at least one physical test device for each operating systems. That means having a test iOS, Android and Windows 10 device at your disposal. It is easy enough to pick up a cheap or second hand device you can use. Nothing beats seeing exactly what happens on a physical device when policies are applied. It will also allow you to better understand the process of wiping and re-purposing devices.
B. Use a demo tenant first time out. Don’t learn this stuff on your customer’s dime. Don’t learn on your own production tenant. Sign up for a free demo Microsoft 365 demo tenant at https://cdx.transform.microsoft.com/ and do your learning there. There is nothing worse than test policies and configurations continuing to show up in production environments.
C. Fully implement device management in your own production tenant. Don’t forget that if you look after other customers, YOU are also a target of the bad actors. Your environment is an Aladdin’s cave full of passwords, logins and confidential information for many others. In short you hold the crown jewels for many businesses. Don’t think it can’t happen to you. Over prepare. Over secure your environment. Doing so will also help you more fully appreciate the impact that device and security settings will have on your customers and deployments as well as keeping their treasures secure.
D. Configuration is never complete. New devices, enhanced baselines, new policy options will all emerge over time. Security is a journey, not a destination as they say. You will need to monitor, review and adjust what you have implemented over time. You will need to evaluate what works, what doesn’t and what additional security you can apply to the environment. It will never be a ‘set and forget’ situation. Security is a service not a product.
E. Leverage the power of automation. Baselines are a great starting point and reduce much of the need for individual settings. However, technologies like PowerShell and the Microsoft Graph give you the ability to automate much. An example of this that I have detailed is here:
The great things about these device management services from Microsoft is that they are consistent for everyone that has them. Thus, the same script will work across every customer that has those services. With so many settings available to you in device manage these days, it makes sense to invest your time in become more ‘code centric’ (DevOps anyone?) and adding those skills to your quiver.
In summary then, successful device deployment is all about people. It should be focused on delivering secure productivity without mindless obstruction, which being carried out in a systematic and consistent manner. You can have all the greatest deployment tools at your beckoned call, but if they are implemented incorrectly, the end result is far worse for end users and administrators than it would have been without device management. So, don’t make the mistake of seeing device management as a purely technical challenge, It ain’t!