Posts

Corporate identifiers and Android BYO with work profile - GraphAPI to the rescue!

When a device is enrolled in Intune as a corporate device, Intune can collect the full hardware and app inventory of the phone; for devices enrolled as personal it collects only a subset. The benefit of managing devices as corporate is that it unlocks device management capabilities that are not available for personal devices. At the time of writing this blog, Intune automatically assigns corporate-owned status to devices that enroll through one of the following methods:

- Device enrollment manager account (all platforms)
- An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
- Windows Autopilot
- Co-management with Microsoft Intune and group policy (GPO)
- Azure Virtual Desktop
- Automatic mobile device management (MDM) enrollment via provisioning package
- Knox Mobile Enrollment
- Android Corporate-owned devices with work profile
- Android Fully managed devices
- Android Dedicated devices
- Android Open Source Project (AOSP) Corporate-ow
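Before deciding which devices need a corporate identifier, it helps to see how ownership is currently distributed in the tenant. The snippet below is an added example, not code from the original post: it pulls every Intune-managed device through Microsoft Graph, follows the paging links, and groups the results by operating system and ownership type. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in account can consent to the DeviceManagementManagedDevices.Read.All scope; the property names are the documented ones on the Graph managedDevice resource.

```powershell
# Added example (not from the original post): summarise Intune-managed devices by
# ownership type via Microsoft Graph, using Invoke-MgGraphRequest from the
# Microsoft.Graph.Authentication module.
# Assumption: the module is installed and the caller can consent to the scope below.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Request only the properties we need. Graph pages large collections, so the loop
# follows @odata.nextLink until it is absent.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       '?$select=id,deviceName,operatingSystem,managedDeviceOwnerType,deviceEnrollmentType,serialNumber'

$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# managedDeviceOwnerType is 'company', 'personal' or 'unknown'.
$devices |
    Group-Object operatingSystem, managedDeviceOwnerType |
    Select-Object @{ n = 'OS / Ownership'; e = { $_.Name } }, Count |
    Sort-Object 'OS / Ownership' |
    Format-Table -AutoSize

# Devices still marked personal are the ones to review against the corporate
# identifiers the post discusses. Note that Android personally-owned work profile
# devices do not report a serial number to Intune, so that column may be empty.
$devices |
    Where-Object managedDeviceOwnerType -eq 'personal' |
    Select-Object deviceName, operatingSystem, deviceEnrollmentType, serialNumber |
    Format-Table -AutoSize
```

Run this with a read-only scope first; the grouped table shows immediately whether personal enrollments are concentrated on one platform, which is usually the signal that a corporate identifier upload or a different enrollment method is warranted.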

Defender for Endpoint Vulnerability assessment of apps for Intune enrolled iOS devices

Source: Microsoft

While going through the Defender for Endpoint configuration in my tenant, I realized that I had Vulnerability management only partially configured for iOS devices, and therefore decided to put things in order. Before I dive into the specifics, here is a little something on what MDE Vulnerability assessment of apps is really all about. As part of MDE, Vulnerability management helps identify, assess, and remediate vulnerabilities across all onboarded devices. It delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. With the help of capabilities like Microsoft threat intelligence, breach likelihood predictions, business context, and device assessments, Defender Vulnerability Management continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk. In the case of iOS specifically, vulnerability assessments sup

Enabling Phishing Resistant MFA on macOS for admins and disabling SSPR for the whole tenant

The background.. Just a while back, Merill Fernando (Product Manager at Microsoft) shared a post on LinkedIn about disabling SSPR for admin accounts. This was based on the recommendation in Maester that "Administrators with sensitive roles should use phishing-resistant authentication methods only and therefore not able to reset their password using SSPR." Now, with phishing-resistant authentication enabled, one may argue that there shouldn't be a need to disable SSPR for administrators. In my honest opinion, however, it is still a good idea to disable SSPR for administrators, as this also aligns with both the least-privilege and zero-trust models. But first, we are going to cover what is involved in configuring phishing-resistant MFA. Enabling phishing-resistant MFA for Windows devices is pretty much out-of-the-box functionality, since it uses Windows Hello for Business, but what about Apple devices like MacBooks that run macOS? Let's find out.. Platform credentia

Mixed mode Defender subscription & licensing for endpoints

I was recently asked by a customer about the possibility of using mixed licensing for Defender for Endpoint on their endpoints. They had both MDE plan 1 and plan 2 licenses, as part of M365 E3 and E5 respectively, but wanted all the Windows endpoints to run with MDE plan 1 capabilities until all the features under plan 2 had been tested. For a long time this was not possible: when a tenant held multiple subscriptions, the highest functional subscription took precedence for every device. But not anymore. Microsoft now supports using a mixture of subscriptions and licenses. Some of the most common scenarios are:

1. Mixed tenant - Different sets of capabilities for groups of users and their devices, based on licenses like MDE plan 1 & plan 2, or Microsoft 365 E3 & E5.
2. Mixed trial - A mixture of full and trial licenses, for example MDE plan 1 / M365 E3 (purchased for all users) and MDE plan 2 / M365 E5 trial (purchased for some users).
3. Phased upgrades - Upgrade user licenses in phases by m