Bring Your Own Device - Plan, Configure and Securely Enrol Your Personal Devices

This blog post describes the key concepts of the ‘”Bring Your Own Device” (BYOD) scenario and will also suggest measures you can use to mitigate the risks associated with allowing BYOD in your organization.

BYOD

Bring Your Own Device, commonly known as “BYOD“, allows employees to use their personally owned device(s) for work purposes that allow them to access corporate data/resources on their personal devices.

Few basic advantages of allowing BYOD in your organization are:

Greater flexibility.
Increase mobility.
Improved efficiency and productivity.
Reduced cost for hardware procurement.
No Training Required

Like any other technology, it also has its own disadvantages:

High-Security Risk.
Difficult Data Retrieval.
Legal Issues.
Complex IT support

Drivers for BYOD

Before allowing your users/employees to enrol their personal devices in your MDM solution, determine what you want to achieve with BYOD. Think over what you want to achieve with it. Few things to consider:

What and how will BYOD be used? Which business functions are you trying to achieve with this concept?
Who will be the primary users for it? Will you allow for the whole organization or only a subset of users?
What all platforms (Windows, macOS, Android, iOS) will you allow to enrol? And what will you restrict?
What will be the minimum OS/hardware requirements?
How flexible will you be in your security policies/configurations?

Alternatives

Before jumping on to BYOD, you must think and plan for the alternatives to allowing users to enrol their personal devices in your MDM solution.

The different platform provides different combinations for this. Android, for example, has the below four options to choose from for configuring & planning your mobile landscape:

Corporately Owned, fully Managed
Corporately Owned with work profile Enabled
Corporate Owned, dedicated device
Personally Owned with work profile

At the same, the iOS family also have its own configurations to support this:

User enrollment
Device enrollment
Determine based on the user device

As it is said that ‘there is no one-size-fits-all, it is recommended that you carefully plan your BYOD solution by mixing both solutions, i.e. Corporate Owned + Personal Owned.

List down the Why, What, Who & How?

Before configuring any policies or profiles in your MDM solution, write down all possible considerations for using BYOD:

What platforms will be allowed?
What is the minimum standard for operating systems & patches allowed before the device is enrolled?
What all security policies will be enforced?
What are the different options for enforcing security controls?
How restrictive and strict will the security policies be?
How will you enforce conditional access?
How will you protect sensitive data?
How will you protect user identities?
How will you differentiate corporate data from user data?
What will be the process for security breaches/incidents?
Who will use the BYOD services?
How will user education be driven?

The list is endless, but you might have an overview of how you will plan the rollout of the BYOD service.

Security Controls

Once you have ironed-out all the aspects for introducing BYOD for your users, the next most important step is too define security controls to ensure that there is no leakage of corporate data from end-user’s personal devices.

The security measures depend upon how you chose the deployment approach for BYOD. Few mandatory measures to enforce are:

Enforce conditional access.
Force encryption of corporate data at-rest & in-transit
Enforce Multi-Factor authentication control to access any corporate resource from personal devices.
Give access only to corporate resources that the user or group requires on their personal devices.
Do not expose entire environment/resources on personal devices.
Block legacy operating systems, browsers, authentication protocols, unpatched & compromised devices.
Enforce user sign-in risk assessment
Block transfer of data to & from remote desktop sessions & work profiles on mobile devices.
Disable clipping data to dashboards in remote dashboard sessions.
Block sideloading of apps.
Enforce ‘Terms & Conditions’ from MDM solution so that users cannot use corporate resources without accepting them.

The components that make up the BYOD are illustrated below:

Use Intune to Secure Your Corp Data on BYOD

The following components of Microsoft Intune should be used for configuring BYOD

Conditional Access

An example for configuring CA for your BYOD is as below:

App Configuration Policies

App protection policies are applied to your corporate apps/data enabling additional layers of security; an example:

Device Enrolment Restrictions

Device Enrolment Restrictions can be used to manage enrolment restrictions that define what & how many devices can enrol into management with Intune.

Maximum number of enrolled devices.
Device platforms that can enrol:
- Android device administrator
- Android Enterprise work profile
- iOS/iPadOS
- macOS
- Windows
Platform operating system version for iOS/iPadOS, Android device administrator, Android Enterprise work profile, Windows, and Windows Mobile.
Restrict personally owned devices (iOS, Android device administrator, Android Enterprise work profile, macOS, Windows, and Windows Mobile only).

Microsoft Cloud App Security

If you have M365 E5 then Microsoft Cloud App Security (MCAS) can be used

Session Controls

You can use session controls for cloud apps to control in-session activities and can also apply access controls to block the same set of native mobile and desktop client apps, thereby providing comprehensive security for the apps.

Conclusion

I hope that with this post you will be able to support the use of Bring Your Own Device (BYOD) scenarios in your organisations by allowing the use of personal devices along with securing access to your corporate data.

The next post will be a step-by-step enrollment guide for enrolling a personal iOS & Android device in Intune. Stay In(tuned).

Image by macrovector on Freepik