EIRE Systems was engaged to build a secure and fully-featured environment in Azure for managing our client’s user devices, including laptops and smartphones. Creation of this new environment involved:
- Setting up a domain on Azure Active Directory (including AD DS setup.)
- Migrating all local endpoints to use Azure AD login accounts.
- Configuring SharePoint as storage for shared files and migrating existing files from the existing cloud storage provider to this SharePoint environment.
- Configuring OneDrive for user file storage and migrating user personal file storage from Egnyte to OneDrive.
- Implementing Intune for application distribution.
- Enabling management of BYOD devices.
- Configuring O365 security /DLP/anti-virus capabilities.
For the solution, the following plan was developed and implemented.
- Created a plan for the migration of a workgroup-based environment to an Intune-managed environment.
- Setup windows autopilot profile for automatically enrolling devices in Intune.
- Added “compliance policies” to set minimum security requirements on Windows devices, such as encryption with BitLocker, requiring antimalware software to be installed, having minimum password complexity, and other security settings. Further configuration dictates what happens when a non-compliant device is discovered, including blocking the device from accessing company data and notifying IT.
- Added “Configuration profiles” for configuring enrolled devices (similar to group policy). These include automatically setting up OneDrive and Outlook for the end-user, Edge and Chrome configuration, and security settings such as requiring the user to re-login after a period of inactivity.
- Added setting for Windows applications to be automatically pushed by Intune to enrolled devices or be available for users to install from a company portal.
- Added automatic BitLocker disk encryption configuration for enrolled Windows devices.
- Added automatic Windows defender and Firewall configuration for enrolled devices.
- Added automatic Windows updates configuration for enrolled devices.
- Linked Intune to Managed Google Play to allow enrolling both corporate and BYOD Android phones.
- Enrolled BYOD android phones as “Personally-owned devices with work profile”. This installs a second “Work profile” on the users’ devices, giving IT complete control over how corporate data is handled on a device. This allows IT to remotely wipe all company data from a user’s device without affecting the user’s personal data.
- Added Android compliance policy for corporate-owned devices, requiring minimum security standards such as encryption, a password to unlock the device, and the latest security updates.
- Linked Intune with Apple’s MDM push certificate to allow enrolling both corporate and BYOD Apple devices.
- Similar to BYOD Android devices, with BYOD Apple devices, corporate IT get complete control over how corporate data is managed on the device with the ability to remotely wipe the corporate data from the device without interfering with the users’ personal data.
- Added configuration profiles for BYOD Apple devices to force minimum security standards. These standards included requiring a complex password, forcing cloud backups to be encrypted, and blocking the viewing of corporate documents in unmanaged applications.
- Added iOS compliance policy for corporate owned devices requiring minimum security standards. These standards included requiring a password to unlock a device and automatically locking the screen after a period of inactivity.
- Used “App protection policies” to help protect corporate data on BYOD Android and iOS devices. These policies dictate whether a user can save corporate data on the local machine, copy and paste data between company-managed and unmanaged applications, requiring the user to set up a PIN code for accessing company-managed apps, and requiring company data to be encrypted.
Before service cutover, all services were tested by EIRE System’s engineers, with further tests performed with end-users to ensure that all necessary configurations and data was present in the new environment.
All activities performed, including preparation steps, configuration and activation of the new environment and service cutover, were documented.
All technical documentation was provided to the client upon completion as a permanent record of the work performed.
For more information on our services contact us here.