Many organizations are finally easing up on the corporate stance that you must be in the office from 9 a.m. to 5 p.m. At first glance, a decentralized team of employees mostly working from home would seem a harder target for malicious intruders. Unfortunately, the decentralized approach has exposed more network vulnerabilities when people work from home, the coffee shop, or basically anywhere beyond the office. The work-from-anywhere security concerns are worth losing sleep over for the team managing your IT. Work from Anywhere support concerns are real and should be addressed immediately. Here are some top-of-mind concerns for your organization.
- Computer Deployment
  - An SOP should be required for how a new computer is deployed. Autopilot deployment should be strongly considered for a reliable new-user computer setup.
- Harden security at home
  - Many home networks are left open, letting anyone hop on and compromise the work computer or whatever computer you are on. Changing the WiFi passphrase and the router's admin password and updating the router firmware is a good start. Segmenting work LAN traffic from home and guest devices and using a VPN is a huge plus.
- Endpoint Protection
  - This seems like a no-brainer, but not all protection is created equal. Some fall well short of what they should really be capable of stopping.
- Who is registered and joined to your network?
  - Run a complete audit with your networking tools. Centralized Mobile Device Management (MDM) software can assist with this. We discuss Intune as an MDM option, with more in-depth information, further down this page.
- DNS protection, content filtering, and next-generation VPN
  - These can be separate products or consolidated into one solution, but they are a key ingredient for addressing your work-from-anywhere support and security concerns.
- Security awareness training
  - Phishing attacks have increased significantly of late. Educate your workforce on phishing techniques, update your mail transport rules to add a disclaimer to outside emails, and enable enhanced phishing protection on your mail server.
- Too many cooks in the kitchen
  - Audit who has access to what. This ranges from global administrators to who holds all the passwords and where they are located.
- Enable more MDM policies from a solution like Intune
  - Enable remote wipe for devices that get into the wrong hands.
  - Enable device encryption for the same reasons.
  - Enable location-based Conditional Access. We don’t want users logging in from everywhere. Conditional Access is about knowing where the device is logging in from. Work… no worries. Home and the coffee shop, let’s lock that machine down! The admin should set up prompts for MFA.
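The location-based Conditional Access item above can be expressed as a policy object rather than clicked together in the portal. The following is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to create a policy that requires MFA for every sign-in that does not originate from a trusted named location (the office) and starts it in report-only mode, so the admin can review the sign-in log before enforcing it. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, at least one trusted named location has already been defined in Azure AD, and the break-glass account id passed at the bottom is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): create a location-based Conditional Access
# policy with the Microsoft Graph PowerShell SDK. It requires MFA for every sign-in that
# does not come from a trusted named location, and starts in report-only mode so the
# admin can review the sign-in log before enforcing it.
# Assumes: the Microsoft.Graph module is installed, the signed-in admin has the
# Policy.ReadWrite.ConditionalAccess permission, and at least one trusted named
# location (the office IP range) has already been defined under Named locations.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-OfficeOnlyMfaPolicy {
    param(
        [string]$DisplayName = 'Require MFA outside trusted locations',
        # Break-glass accounts to exclude so a misconfigured policy cannot lock every admin out
        [string[]]$ExcludeUsers = @()
    )

    $body = @{
        displayName = $DisplayName
        # Report-only: evaluated and logged in the sign-in log, but not enforced,
        # until the admin changes the state to 'enabled'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{
                includeUsers = @('All')
                excludeUsers = $ExcludeUsers
            }
            applications = @{ includeApplications = @('All') }
            locations    = @{
                includeLocations = @('All')
                excludeLocations = @('AllTrusted')   # the office, as defined in Named locations
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Placeholder object id: replace with your own break-glass account before running
$policy = New-OfficeOnlyMfaPolicy -ExcludeUsers @('<break-glass-account-object-id>')
"Created policy '$($policy.DisplayName)' in state '$($policy.State)' (id $($policy.Id))"
```

Leave the policy in report-only until the sign-in log shows only the expected prompts for home and coffee-shop sign-ins, then switch the state to enabled; excluding a break-glass account is what keeps a typo in the location list from locking the whole tenant out.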
How does Azure Active Directory integrate with Intune?
A lot of device management issues come up when a new IT management team or MSP inherits an IT network with no standard operating procedure for mobile device management from their predecessor. The devices may or may not be in Azure Active Directory, and they are even less likely to be in Intune because the small business is not subscribed to Microsoft 365 Business Premium. As most organizations work from home, our team’s messaging to the top members of your organization on the importance of security is critical to the safety and success of your business. We introduce a lot of this information in our Intune post.
Pause for a moment, reflect, and turn back the clock on your present-day IT environment…
- When did the wheels initially fall off for most small businesses?
- How did things get unwieldy to manage?
- How does your IT team regain control?
You may look no further than the blue screen below if you were a very small start-up that quickly grew without any IT oversight. This screen is seen when an employee receives the computer and tries to set it up themselves. This naturally sparks another question: do you really want your team managing this setup, or is something like Autopilot deployment for new and existing computers in their future? Regardless, let’s reveal what was done wrong here with the current blue screen setup, how to correct your team’s selections, and develop an SOP for the future deployment of computers.
Set up for Personal Use
Use a Microsoft, Gmail, Yahoo, etc. account for personal use.
Note: This selection will cause problems for business use if your team later attempts to manage devices through “join device to Azure Active Directory”. You will need a local admin account to join Azure AD if you at some point proceeded with personal use and want to later join the device to Azure Active Directory.
Set up for an Organization
This will join the computer in Azure AD. However, Intune enrollment will not happen unless you have Microsoft Business Premium or equivalent licensing.
Registered vs Joined – What’s the difference?
Catch a glimpse of what it looks like to be joined to Azure AD from an administrator’s perspective in the next illustration below.
Device Settings – Active Directory Admin Center
Head over to the Azure Active Directory admin center to reveal what machine exactly is joined to Azure Active Directory.
Please navigate to the Dashboard and select Devices for capturing a basic snapshot of your environment.
Not only can we view current devices but also inactive ones, their current users, and less-than-desirable host naming conventions. The most important column, though, once you have confirmed which devices are current, is whether each device is enrolled in MDM.
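The same checks the Devices blade lets you eyeball (joined vs registered, inactive devices, MDM enrollment, host naming) can be run as a script so they are repeatable. The following is an added example, not code from the original post or from Microsoft. It classifies device objects on plain PowerShell objects, so it is shown running on constructed sample data; the commented Get-MgDevice line is how you would feed it real tenant data (assuming the Microsoft.Graph module and the Device.Read.All permission). The naming convention it enforces, site-type-number such as HQ-LT-0042, is a hypothetical one chosen for the example.

```powershell
# Added example (not from the original post): a device audit that reproduces the
# Devices blade checks in code - which devices are joined vs registered, which are
# stale, which are not MDM-managed, and which break the host naming convention.
# Runs here on constructed sample data; the commented Get-MgDevice line feeds it
# real tenant data. Assumes the Microsoft.Graph module and Device.Read.All for the
# live query, and a hypothetical naming convention <site>-<LT|DT>-<nnnn>.

function Get-DeviceAuditReport {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [int]$StaleAfterDays = 90,
        [string]$NamingPattern = '^[A-Z]{2,4}-(LT|DT)-\d{4}$'
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($d in $Devices) {
        # TrustType is how Azure AD records the relationship:
        #   AzureAd = Azure AD joined, Workplace = Azure AD registered, ServerAd = hybrid joined
        $joinState = switch ($d.TrustType) {
            'AzureAd'   { 'Joined' }
            'Workplace' { 'Registered' }
            'ServerAd'  { 'HybridJoined' }
            default     { 'Unknown' }
        }

        [pscustomobject]@{
            Name        = $d.DisplayName
            JoinState   = $joinState
            LastSignIn  = $d.ApproximateLastSignInDateTime
            # No recorded sign-in at all is treated as stale, not as fresh
            Stale       = ($null -eq $d.ApproximateLastSignInDateTime) -or ($d.ApproximateLastSignInDateTime -lt $cutoff)
            MdmEnrolled = [bool]$d.IsManaged     # the "MDM" column in the Devices blade
            Compliant   = [bool]$d.IsCompliant
            BadName     = -not ($d.DisplayName -match $NamingPattern)
        }
    }
}

# Live tenant query (requires Connect-MgGraph -Scopes 'Device.Read.All'):
# $devices = Get-MgDevice -All -Property DisplayName,TrustType,ApproximateLastSignInDateTime,IsManaged,IsCompliant

# Constructed sample data standing in for the Get-MgDevice output
$devices = @(
    [pscustomobject]@{ DisplayName='HQ-LT-0042';      TrustType='AzureAd';   ApproximateLastSignInDateTime=(Get-Date).AddDays(-3);   IsManaged=$true;  IsCompliant=$true  }
    [pscustomobject]@{ DisplayName='DESKTOP-7GH2KQ1'; TrustType='Workplace'; ApproximateLastSignInDateTime=(Get-Date).AddDays(-10);  IsManaged=$false; IsCompliant=$false }
    [pscustomobject]@{ DisplayName='bobs-old-laptop'; TrustType='AzureAd';   ApproximateLastSignInDateTime=(Get-Date).AddDays(-200); IsManaged=$false; IsCompliant=$false }
)

$report = Get-DeviceAuditReport -Devices $devices
$report | Format-Table -AutoSize

# The rows that need action: stale, not MDM-enrolled, or merely registered rather than joined
$report | Where-Object { $_.Stale -or -not $_.MdmEnrolled -or $_.JoinState -eq 'Registered' } | Format-Table -AutoSize
```

On the sample data the first device is the only clean row; the registered-only Windows default-named machine and the stale unmanaged laptop both land in the action list, which is the same triage the blade supports by hand but can now be scheduled.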
Mobile Device Management – Intune
Mobile Device Management, or MDM, manages and secures your organization’s devices, including your local desktop environment. It is included in Microsoft 365 Business Premium and the EMS suite. MDM is not included in the Office 365 line of branded products. Microsoft brands its cloud-based MDM solution as Intune. These enhanced services naturally bring up a lot of questions from management and the security team that demand immediate attention.
- How do we approve registered devices?
- Where do you see phones?
- How do we block access from non-approved regions?
- Is our device data encrypted if we lose a device?
Additional Microsoft Resources
- Joining to network
- Azure AD joined vs Azure AD Registered
- Azure support team
How do I join Azure Active Directory if my computer was already setup?
Please make sure you are logged in with a local admin account before proceeding. Log in to the admin account, then select Settings, Accounts, Access work or school, and Join this device to Azure Active Directory.
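After walking through those Settings steps (or when sorting out the registered-vs-joined question above for a machine that was originally set up for personal use), you can confirm the result from the device itself with dsregcmd /status, the built-in Windows tool that reports the device's Azure AD state. The following is an added example, not code from the original post or from Microsoft: it parses the key fields out of that output and summarizes the join state. It runs here on a constructed, trimmed sample of dsregcmd output so it works offline; on a real machine you pass the live command output instead, as the comment shows.

```powershell
# Added example (not from the original post): confirm whether the Azure AD join actually
# took by parsing dsregcmd /status, the built-in Windows tool for device join state.
# Runs here on a constructed sample of dsregcmd output; on a real machine replace the
# sample with the live output, as shown in the comment near the bottom.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string[]]$Lines)

    # dsregcmd prints "   Key : Value" lines; collect them into a hashtable
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']   -eq 'YES'   # device object exists in Azure AD (Joined)
        DomainJoined    = $state['DomainJoined']    -eq 'YES'   # on-prem AD join (hybrid if both are YES)
        WorkplaceJoined = $state['WorkplaceJoined'] -eq 'YES'   # Azure AD registered (work account added to a personal setup)
        TenantName      = $state['TenantName']
        DeviceId        = $state['DeviceId']
        MdmUrl          = $state['MdmUrl']                      # empty when the device is not enrolled in MDM
    }
}

function Get-JoinSummary {
    param([Parameter(Mandatory)] $Status)
    if ($Status.AzureAdJoined -and $Status.DomainJoined) { return 'Hybrid Azure AD joined' }
    if ($Status.AzureAdJoined)                           { return 'Azure AD joined' }
    if ($Status.WorkplaceJoined)                         { return 'Azure AD registered only (personal-use setup)' }
    return 'Not joined or registered'
}

# Constructed sample, trimmed to the lines the parser needs (real output has many more).
# DeviceId and TenantName are placeholders, not values from a real tenant.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (constructed)
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

# On a real device: $status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
$status = ConvertFrom-DsregStatus -Lines $sample
Get-JoinSummary -Status $status
$status
```

For the sample this prints "Azure AD joined" with a populated MdmUrl, which is what a correctly joined and MDM-enrolled machine looks like; a device that was set up for personal use and merely had a work account added shows AzureAdJoined : NO and WorkplaceJoined : YES instead, which is the "registered" case the post warns about.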
Security concerns when joining devices to Azure AD
Do I want my user to default to local administrator status?
Should I tweak the Devices settings?
- Users may join devices to Azure AD?
- Additional local administrators on Azure AD joined Devices?
- Require MFA
How do I manage New and Existing Computer Setups going forward?
Check out our Autopilot join devices post. You will need to auto-enroll your existing devices and develop a relationship with your hardware distributor so new devices are managed from the start, with the distributor entering the device serial numbers for you.
Work from Anywhere Support & Security Concerns Summary
It is recommended to get a Microsoft 365 Business Premium or EMS license to take advantage of the management and security options Azure AD and Intune provide. But the Microsoft 365 service itself is just the tip of the iceberg for getting your work-from-anywhere corporate culture going. You will need an experienced administrator or MSP to deploy and manage it effectively, plus the investment of all the man-hours necessary to secure and maintain the rest of your network environment.