Starting point for implementing Intune security policies


This plan focuses on establishing foundational security controls across your diverse devices, leveraging the integrated features of M365 BP.

Core Concepts:

  • Microsoft Intune: Your cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution.

  • Azure Active Directory (Azure AD): Your identity provider. User accounts and groups live here. It’s tightly integrated with Intune.

  • Configuration Profiles: These define settings and restrictions pushed to managed devices (MDM).

  • Application Protection Policies (APP / MAM): These protect organizational data within specific apps, useful for both corporate and personally owned (BYOD) devices, without requiring full device enrollment.

  • Compliance Policies: Define rules devices must meet to be considered “compliant” (e.g., have encryption enabled, be updated).

  • Conditional Access (CA): The powerhouse feature (included in M365 BP via Azure AD Premium P1 features) that uses signals (like user, location, device compliance) to enforce organizational policies (like requiring MFA or blocking access from non-compliant devices).

Assumptions:

  • You have Microsoft 365 Business Premium licenses assigned to all 20 users.

  • You have Global Administrator access to your Microsoft 365 tenant.

  • Your users are licensed and exist in Azure AD.

Step-by-Step Implementation Plan:

Phase 1: Preparation & Foundational Setup

  1. Access the Endpoint Manager Admin Center (https://endpoint.microsoft.com/) and sign in with your Global Administrator account.

  2. Set MDM Authority to Intune:

    • Navigate to Tenant administration > Tenant status.

    • Verify that the Mobile device management authority is set to Microsoft Intune. If it’s something else (like Office 365 MDM or Configuration Manager), you’ll need to change it. This is usually a one-time setting for new tenants. Be careful if you have existing MDM.
  3. Configure Enrollment Settings (Enable Platforms):

    • You need to explicitly allow each device platform to enroll.

    • Windows: Go to Devices > Enroll devices > Windows enrollment > Automatic Enrollment.

      • Set MDM user scope to All (or a specific Pilot Group first).

      • Set MAM user scope to All (or Pilot Group). This enables MAM without full enrollment for BYOD Windows.
      • Recommendation: Also configure DNS CNAME records (enterpriseenrollment and enterpriseregistration) pointing to Microsoft’s services to simplify Windows enrollment. Search Microsoft Docs for “Configure DNS for Intune Windows enrollment”.
    • Apple (iOS/iPadOS & macOS): Go to Devices > Enroll devices > Apple enrollment.

      • You must create an Apple Push Notification service (APNs) certificate. Follow the Apple MDM Push certificate link and instructions carefully. This certificate needs renewal annually. Set reminders!

      • For macOS enrollment methods, initially, users can enroll via the Company Portal app.

      • For iOS/iPadOS enrollment methods, users can enroll via the Company Portal app.

      • (Advanced/Recommended for corporate devices later: Consider Apple Business Manager integration for supervised enrollment).
    • Android: Go to Devices > Enroll devices > Android enrollment.

      • Click Managed Google Play and connect your Intune tenant to your organization’s Managed Google Play account. Follow the instructions. This is required for most Android management scenarios.

      • Decide on enrollment profiles. For a mix of BYOD and potentially corporate devices, enabling Android Enterprise: Personally-owned devices with work profile is the most common starting point for BYOD. This creates a secure container for work apps/data separate from personal data.
  4. Create User Groups:

    • Go to the Azure AD portal (https://aad.portal.azure.com/) or use the M365 Admin Center (Groups > Active groups).

    • Create at least one group, e.g., “All Company Employees”. Assign all 20 users to this group. This makes targeting policies much easier. You might create pilot groups later for testing.
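The group above can also be created and populated from PowerShell, which makes the membership reproducible instead of hand-picked. The following is an added example, not code from the original post: it uses the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph), looks up the Business Premium SKU by its part number SPB rather than a hard-coded GUID, and adds every user holding that licence to the “All Company Employees” group. The group display name and mail nickname are assumptions you can rename.

```powershell
# Added example (not from the original post): create the "All Company Employees"
# security group and fill it with every user holding a Business Premium licence.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin
# can consent to the requested scopes.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Organization.Read.All"

# Microsoft 365 Business Premium carries the SKU part number "SPB"; resolve the
# SKU ID from the tenant instead of hard-coding it.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "SPB" }
if (-not $sku) { throw "No Microsoft 365 Business Premium SKU found in this tenant." }

# Every user with that licence assigned, regardless of paging.
$licensedUsers = Get-MgUser -All -Filter "assignedLicenses/any(l:l/skuId eq $($sku.SkuId))" `
    -Property Id, DisplayName, UserPrincipalName

$groupName = "All Company Employees"   # assumed name, matches the post
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    # A plain security group (not mail-enabled) is all Intune needs for targeting.
    $group = New-MgGroup -DisplayName $groupName `
        -Description "Target group for baseline Intune policies" `
        -MailEnabled:$false -MailNickname "AllCompanyEmployees" -SecurityEnabled
}

# Add licensed users who are not members yet; skipping existing members keeps the script re-runnable.
$existing = @(Get-MgGroupMember -GroupId $group.Id -All).Id
foreach ($user in $licensedUsers) {
    if ($existing -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        Write-Host "Added $($user.UserPrincipalName)"
    }
}
Write-Host "$groupName covers $($licensedUsers.Count) licensed users (the post assumes 20)."
```

Re-running the script after a new hire is licensed adds only the missing member, so the group stays aligned with the licence assignment rather than with whoever was around on day one.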

Phase 2: Basic Security Policies (Configuration Profiles)

Start with essential security settings for each platform. Target these profiles to your “All Company Employees” group (or a pilot group first).

  • How to Create: In Endpoint Manager (https://endpoint.microsoft.com/), go to Devices > Configuration profiles > Create profile. Select the Platform, then choose a Profile type (use Settings catalog where possible for granularity, or Templates for common scenarios).
  1. Windows Security Policies:

    • Platform: Windows 10 and later
    • Profile Type: Settings catalog
    • Key Settings to Configure (Search within Settings catalog):
      • BitLocker: Require device encryption, configure recovery key storage. (Crucial!)

      • Password: Set minimum length, complexity, history.

      • Windows Defender (Microsoft Defender Antivirus): Ensure real-time monitoring, cloud protection, daily scans are enabled. (M365 BP includes Defender for Business features here).

      • Windows Update for Business: Create Update Rings to manage patch deployment (e.g., install deadlines, deferral periods).

      • Firewall: Ensure Microsoft Defender Firewall is enabled for relevant profiles (Domain, Private, Public).
  2. macOS Security Policies:

    • Platform: macOS
    • Profile Type: Settings catalog (preferred) or Templates (e.g., Device Restrictions)

    • Key Settings:
      • Passcode: Set minimum length, complexity, auto-lock time.

      • Encryption (FileVault): Require FileVault disk encryption, configure recovery key escrow. (Crucial!)

      • Software Update Policy: Configure how updates are handled.

      • Security & Privacy: Enforce Gatekeeper (allow apps from App Store and identified developers), ensure Firewall is enabled.
  3. iOS/iPadOS Security Policies:

    • Platform: iOS/iPadOS
    • Profile Type: Settings catalog (preferred) or Templates (e.g., Device Restrictions)

    • Key Settings:
      • Passcode: Require passcode, set minimum length, complexity (e.g., alphanumeric), maximum grace period for device lock, max failed attempts before wipe (optional but strong).

      • Device Restrictions: Consider disabling simple passcodes, maybe block untrusted TLS certificates, configure AirDrop settings. Start minimally.
  4. Android Enterprise (Work Profile) Security Policies:

    • Platform: Android Enterprise
    • Profile Type: Personally-owned work profile > Device restrictions
    • Key Settings:
      • Work profile settings: Require a separate Work Profile Password (complexity, length).

      • Device password: Require a device screen lock (can be less strict than work profile if desired, but still recommended).

      • Security: Ensure work profile data is encrypted (usually default), block screen capture within the work profile, potentially restrict data sharing between personal/work profiles.

Phase 3: Protect App Data (Application Protection Policies – MAM)

This is vital for BYOD scenarios and adds a layer of security even on enrolled devices.

  • How to Create: In Endpoint Manager, go to Apps > App protection policies > Create policy. Select the platform (iOS/iPadOS, Android, Windows).
  1. Create Policies for iOS/iPadOS and Android:

    • Target these policies to your “All Company Employees” group.

    • Apps: Select All Microsoft apps or target specific core apps initially (Outlook, OneDrive, Teams, Edge, Word, Excel, PowerPoint).

    • Data Protection Settings:
      • Prevent Save As to local/personal storage.

      • Restrict Cut, copy, and paste between policy-managed apps and unmanaged/personal apps (Allow within policy apps).

      • Block opening work data in unmanaged apps.

      • Encrypt work app data.
    • Access Requirements:
      • Require PIN for access (separate from device passcode). Set complexity, length, timeout. Allow Biometrics (Face ID/Touch ID/Fingerprint) as an alternative to PIN.
    • Conditional Launch:
      • Set conditions like minimum OS version, block jailbroken/rooted devices.
  2. (Optional but Recommended) Create Policy for Windows:

    • This protects data on Windows devices without full MDM enrollment (useful if some Windows PCs are personal).

    • Target the policy to the user group.

    • Select target apps (e.g., Edge).

    • Configure similar data protection settings (prevent save-as, restrict copy/paste).

    • Note: Windows MAM has fewer features than mobile MAM.
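The iOS/iPadOS policy from step 1 above, expressed as a Microsoft Graph request so the settings are visible in one place. This is an added example, not code from the original post: it uses Invoke-MgGraphRequest against the v1.0 iosManagedAppProtections endpoint, targets Outlook and OneDrive by their App Store bundle IDs, and assigns the policy to a group whose ID is a placeholder you replace with your “All Company Employees” group. The display name, PIN length and minimum OS version are assumptions.

```powershell
# Added example (not from the original post): an iOS/iPadOS app protection policy
# carrying the data-protection, access and conditional-launch settings from the post,
# created through Microsoft Graph v1.0 with the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$groupId = "<GROUP-ID-PLACEHOLDER>"   # placeholder: Get-MgGroup -Filter "displayName eq 'All Company Employees'"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "MAM - iOS baseline"                         # assumed name
    # Data protection
    saveAsBlocked                           = $true              # prevent Save As to local/personal storage
    allowedOutboundDataTransferDestinations = "managedApps"      # block opening work data in unmanaged apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # cut/copy/paste only within policy apps
    appDataEncryptionType                   = "whenDeviceLocked" # encrypt work app data at rest
    dataBackupBlocked                       = $true
    # Access requirements
    pinRequired                    = $true
    pinCharacterSet                = "numeric"
    minimumPinLength               = 6                           # assumed length
    simplePinBlocked               = $true
    fingerprintBlocked             = $false                      # allow Touch ID as an alternative to the PIN
    faceIdBlocked                  = $false                      # allow Face ID
    periodOfflineBeforeAccessCheck = "PT12H"                     # re-prompt after 12 h offline
    maximumPinRetries              = 5
    # Conditional launch
    minimumRequiredOsVersion       = "16.0"                      # assumed version
    deviceComplianceRequired       = $true                       # blocks jailbroken devices
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body $policy

# Target the core Microsoft apps by bundle ID (Outlook and OneDrive shown; add Teams, Edge, Office as needed).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body $targetApps

# Assign the policy to the user group.
$assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body $assign
```

The Android equivalent posts to androidManagedAppProtections with the same data-protection keys plus encryptAppData and screenCaptureBlocked, and targets apps by package name instead of bundle ID.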

Phase 4: Enforce Health and Access (Compliance & Conditional Access)

This ties everything together.

  1. Create Device Compliance Policies:

    • How to Create: In Endpoint Manager, go to Devices > Compliance policies > Create policy. Select Platform.

    • Key Settings (Align with Configuration Profiles):
      • Windows: Require BitLocker, Require Secure Boot, Require Antivirus, Require Firewall, Set Min/Max OS Version, Require Password.

      • macOS: Require System Integrity Protection, Require Firewall, Require Password, Require FileVault, Set Min/Max OS Version.

      • iOS/iPadOS: Require Passcode, Require device encryption (implicit with passcode), Min/Max OS Version, Block Jailbroken devices.

      • Android Enterprise (Work Profile): Require Device Lock, Require Encryption, Min/Max OS Version, Block Rooted devices, Require Google Play Protect checks.
    • Actions for Non-Compliance: Start with Mark device noncompliant (immediately). You can add Send email to end user after a few days.

    • Assignment: Assign these policies to your “All Company Employees” group.
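The Windows compliance policy from step 1, built the same way so its settings can be compared line by line with the configuration profile it mirrors. This is an added example, not code from the original post: it uses New-MgDeviceManagementDeviceCompliancePolicy from the Microsoft.Graph SDK, marks devices noncompliant immediately (grace period of zero hours), and assigns the policy to a placeholder group ID. The policy name, minimum OS build and password length are assumptions.

```powershell
# Added example (not from the original post): a Windows 10/11 compliance policy with
# the settings listed in the post, marked noncompliant immediately and assigned to
# the target group. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$groupId = "<GROUP-ID-PLACEHOLDER>"   # placeholder: replace with your "All Company Employees" group ID

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Compliance - Windows baseline"   # assumed name
    description            = "Mirrors the Windows configuration profile: BitLocker, Secure Boot, AV, firewall, OS version, password"
    bitLockerEnabled       = $true      # Require BitLocker
    secureBootEnabled      = $true      # Require Secure Boot
    codeIntegrityEnabled   = $true
    antivirusRequired      = $true      # Require Antivirus
    antiSpywareRequired    = $true
    activeFirewallRequired = $true      # Require Firewall
    osMinimumVersion       = "10.0.19045"   # constructed value; set the lowest build you actually support
    passwordRequired       = $true      # Require Password
    passwordMinimumLength  = 8          # assumed length
    passwordRequiredType   = "alphanumeric"
    passwordMinutesOfInactivityBeforeLock = 15
    # Actions for noncompliance: "block" with gracePeriodHours 0 is "Mark device noncompliant immediately".
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Host "Created compliance policy $($created.DisplayName) ($($created.Id))"

# Assign to the user group via the policy's assign action.
$assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assign
```

To add the “send email after a few days” step later, append a second entry to scheduledActionConfigurations with actionType "notification", a gracePeriodHours value such as 72, and the ID of a notification template you have created.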
  2. Configure Foundational Conditional Access Policies:

    • How to Configure: In Endpoint Manager, go to Devices > Conditional Access > Create new policy. (This actually takes you to the Azure AD CA portal).

    • Policy 1: Require MFA for All Users:
      • Name: CA001: Require MFA for All Users
      • Assignments: Users and groups > Include All users. Exclude 1-2 emergency access/“break-glass” accounts (highly recommended).

      • Cloud apps or actions: Include All cloud apps.

      • Conditions: Define any trusted locations (like your office IP) where MFA might be skipped if necessary (use with caution).

      • Access controls: Grant > Grant access > Check Require multi-factor authentication. Require all the selected controls.

      • Enable policy: On (or Report-only initially to test impact).
    • Policy 2: Require Compliant Devices for Cloud App Access:
      • Name: CA002: Require Compliant Device for Access
      • Assignments: Users and groups > Include All users. Exclude break-glass accounts.

      • Cloud apps or actions: Include All cloud apps.

      • Conditions: Device platforms > Configure > Include All platforms. Client apps > Configure > Include Browser, Mobile apps and desktop clients.

      • Access controls: Grant > Grant access > Check Require device to be marked as compliant. Require all the selected controls.

      • Enable policy: Report-only first, then On.
    • Policy 3: Require Approved App / App Protection Policy for Mobile Access:
      • Name: CA003: Require Protected Apps on Mobile
      • Assignments: Users and groups > Include All users. Exclude break-glass accounts.

      • Cloud apps or actions: Include Office 365 (or specific apps like Exchange Online, SharePoint Online).

      • Conditions: Device platforms > Configure > Include Android, iOS. Client apps > Configure > Include Mobile apps and desktop clients.

      • Access controls: Grant > Check Require approved client app AND Require app protection policy. Select Require one of the selected controls (allows flexibility if one isn’t applicable).

      • Enable policy: Report-only first, then On.
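The three policies above as Microsoft Graph objects, all created in report-only mode so you can measure their impact before enforcing them. This is an added example, not code from the original post: it uses New-MgIdentityConditionalAccessPolicy from the Microsoft.Graph SDK, resolves two break-glass accounts from placeholder UPNs and excludes them from every policy, and skips any policy whose display name already exists so the script can be re-run safely. The break-glass UPNs are placeholders.

```powershell
# Added example (not from the original post): CA001-CA003 created in report-only mode
# ("enabledForReportingButNotEnforced"). Assumes the Microsoft.Graph SDK; the break-glass
# UPNs are placeholders to replace with your own emergency access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All"

$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders
$breakGlassIds  = @($breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_ -Property Id).Id } | Where-Object { $_ })
if ($breakGlassIds.Count -ne $breakGlassUpns.Count) {
    throw "Resolve every break-glass account before creating policies; never lock yourself out."
}

# Shared user scope: everyone except the excluded emergency accounts.
$users = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }

$policies = @(
    @{  # Policy 1: Require MFA for All Users
        displayName   = "CA001: Require MFA for All Users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "AND"; builtInControls = @("mfa") }
    },
    @{  # Policy 2: Require Compliant Devices for Cloud App Access
        displayName   = "CA002: Require Compliant Device for Access"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @("All") }
            platforms      = @{ includePlatforms = @("all") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "AND"; builtInControls = @("compliantDevice") }
    },
    @{  # Policy 3: Require Approved App / App Protection Policy for Mobile Access
        displayName   = "CA003: Require Protected Apps on Mobile"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @("Office365") }
            platforms      = @{ includePlatforms = @("android", "iOS") }
            clientAppTypes = @("mobileAppsAndDesktopClients")
        }
        # "OR" = "Require one of the selected controls"
        grantControls = @{ operator = "OR"; builtInControls = @("approvedApplication", "compliantApplication") }
    }
)

$existingNames = (Get-MgIdentityConditionalAccessPolicy -All).DisplayName
foreach ($p in $policies) {
    if ($existingNames -contains $p.displayName) {
        Write-Host "Skipping existing policy $($p.displayName)"
        continue
    }
    $new = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($new.DisplayName) in state $($new.State)"
}
```

Once the sign-in logs show no unexpected report-only failures, switch a policy on with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State "enabled", one policy at a time.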

Phase 5: User Enrollment, Communication & Monitoring

  1. Communicate with Users:

    • Explain why these changes are being made (security, data protection).

    • Provide simple instructions on how to enroll their devices (e.g., install Company Portal app from the app store and sign in).

    • Explain what they should expect (e.g., prompts for PINs, work profile creation on Android).

    • Offer support for the transition.
  2. Guide Users Through Enrollment:

    • Have users install the “Intune Company Portal” app on their iOS, Android, and macOS devices and sign in with their M365 credentials. Follow the prompts.

    • For Windows devices that are not already Azure AD Joined: Guide users through Settings > Accounts > Access work or school > Connect, entering their M365 email and following prompts to join Azure AD and enroll in Intune (if Automatic Enrollment is configured).
  3. Monitor Enrollment and Compliance:

    • In Endpoint Manager, check Devices > Overview for enrollment status and compliance overview.

    • Check specific device compliance under Devices > Compliance policies.

    • Review Conditional Access sign-in logs in Azure AD (Monitoring > Sign-in logs) to see policy impacts.
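The same monitoring from the command line, which is handy for a weekly check during rollout. This is an added example, not code from the original post: it uses Get-MgDeviceManagementManagedDevice and Get-MgAuditLogSignIn from the Microsoft.Graph SDK to summarise enrolled devices by platform and compliance state, list devices that have stopped checking in, and count how many sign-ins each report-only Conditional Access policy would have blocked. It assumes the policy names follow the CA001-CA003 convention used above and a seven-day window.

```powershell
# Added example (not from the original post): summarise enrolment/compliance and the
# impact of report-only Conditional Access policies over the last 7 days.
# Assumes the Microsoft.Graph SDK and CA policy names beginning with "CA00".
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Enrolled devices by platform and compliance state (compliant, noncompliant, inGracePeriod, unknown ...).
$devices = Get-MgDeviceManagementManagedDevice -All `
    -Property DeviceName, OperatingSystem, ComplianceState, UserPrincipalName, LastSyncDateTime
$devices | Group-Object OperatingSystem, ComplianceState | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# A device that has not synced recently is not re-evaluating compliance; surface those separately.
$stale = $devices | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-7) }
Write-Host "Devices with no check-in for 7+ days: $(@($stale).Count)"
$stale | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime | Format-Table -AutoSize

# 2. Report-only CA outcomes. A result of "reportOnlyFailure" means the policy would have
#    blocked that sign-in once enforced; "reportOnlySuccess" means it would have passed.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.DisplayName -like "CA00*" } |
    Group-Object DisplayName, Result | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# Who would be blocked by which policy, so you can fix enrolment before turning it on.
$signIns |
    Where-Object { $_.AppliedConditionalAccessPolicies.Result -contains "reportOnlyFailure" } |
    Select-Object UserPrincipalName, AppDisplayName, CreatedDateTime |
    Sort-Object UserPrincipalName -Unique | Format-Table -AutoSize
```

A steady count of reportOnlyFailure entries for CA002 against a handful of users usually means unenrolled or noncompliant devices rather than a policy mistake; resolve those before moving the policy from report-only to on.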

Important Considerations:

  • Start Simple & Iterate: Don’t try to implement everything at once. Start with foundational policies and build complexity as needed.

  • Test Thoroughly: Use pilot groups before rolling out to everyone. Use “Report-only” mode for Conditional Access policies initially.

  • BYOD vs. Corporate: Be clear about expectations for personal devices (Work Profile on Android, MAM policies) vs. company-owned devices (potentially fully managed).

  • User Experience: Balance security with usability. Overly restrictive policies can hinder productivity.

  • Documentation: Keep track of the policies you create and why.

  • Annual APNs Renewal: Don’t forget this! If it expires, you can’t manage Apple devices.

This step-by-step guide provides a solid starting point leveraging the security features within Microsoft 365 Business Premium. Remember to consult Microsoft’s official documentation for detailed configuration options as you proceed.
