Working with in-browser protection in Microsoft Edge for Business

This week another blog post focused on the security capabilities within Microsoft Edge. With the introduction of Microsoft Edge for Business, there is a larger focus on providing a Microsoft Edge experience for work. That experience provides IT administrators with the ability to give their users a productive and secure browser for work, across managed and unmanaged devices. With that, Microsoft Edge can be the secure enterprise browser for many organizations. Especially with the focus of Microsoft Edge on security, privacy, and manageability. And not just that, it includes enhanced productivity alongside the security features. That brings us to the focus of this week and that is in-browser protection. In-browser protection is a great example of that combination as it reduces the need for proxies, …

Read more

Working with device compliance for Windows Subsystem for Linux

This week is all about the device compliance capabilities for Windows Subsystem for Linux (WSL). WSL is a feature of Windows that allows the user to run a Linux environment on their Windows device, without needing a separate VM or a dual boot. It’s designed to provide a seamless experience for users that want to use Windows and Linux at the same time. By default, Ubuntu is used as the Linux distribution. There are, however, more options such as Debian, Kali, and SUSE. For the IT administrator it’s good to have the ability to be able to check the Linux distribution and version that is used. That can be achieved by using device compliance policies, as there is now a section specifically focused on adding …

Read more

Configuring Google Chrome for usage with device-based Conditional Access

This week is sort of a follow-up on last week. Last week the focus was on configuring Mozilla Firefox for usage with device-based Conditional Access, while this week the focus is on configuring Google Chrome for usage with device-based Conditional Access. That is already a supported scenario for many years, but in the early days that would require the Windows Accounts extension. That, however, has changed, making it easier to configure without installing a specific extension in the browser. Nowadays, there is a setting available that can be configured to automatically sign-in user accounts backed by a Microsoft Cloud identity provider. So, that’s even easier to configure. Especially when knowing that Microsoft Intune has Google Chrome configuration options directly available via the Settings Catalog. Minor …

Read more

Configuring Mozilla Firefox for usage with device-based Conditional Access

This week is all about managing and configuring Mozilla Firefox, with the main focus on using it with device-based Conditional Access. When looking specifically at Conditional Access, Mozilla Firefox is nowadays a supported browser for device-based Conditional Access scenarios on devices running Windows 10 and later. That is of course a really good thing, but it does require a specific configuration that should be in place within the browser. A single configuration that could be a real lifesaver on managed devices. Even better, on managed devices that configuration can also be set by using Microsoft Intune. To facilitate that, Mozilla provides easy configuration options via Group Policy templates. This blog post will provide a brief overview of importing those settings, followed with the steps to …

Read more

Combining the different layers of data security on personal Windows devices

This week is a continuation of my previous blog post about working with personal Windows devices. That post was focussed on the different options available for providing secure access to corporate data on personal Windows devices. This post is focussed on providing more details around using those different options actually as different layers in a single solution. All with the focus on providing secure access to corporate data on personal Windows devices, while still providing the user with as much flexibility and options to be productive. Besides that, using different layers of data security also enables the IT administrators to add more granularity to the solution. That makes the total solution less black-and-white. So, for example, not just block the ability of the user to …

Read more

Working with personal Windows devices

This week is kind of a follow up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post was focussed on advising against allowing enrolling personal Windows devices into Microsoft Intune (or any other MDM provider). The logic follow up question would be: what are the alternatives? And that’s of course a fair question. This post will be about answering that specific question. And to be quite honest, the answer might come very close to a blog post of about four years around supporting unsupported platforms. The main difference will be what Microsoft has provided over the years. And that’s a lot, especially for the Windows platform. This post will focus on …

Read more

Troubleshooting MAM for Windows

This week is a short follow-up on a post of a few months ago about getting started with Mobile Application Management (MAM) for Windows. That post was really focused on getting started with MAM for Windows, while this post will be more focused on what’s coming after that. The concept and the basic configuration of MAM for Windows is pretty straight forward, once being familiar with the available configuration options. However, it gets more challenging when verifying the configuration and the behavior. Especially when there is not that much information available. The (location of the) log file is not really well documented, as is the process to verify the applied configuration. This post will provide answers to those questions. It will described were to find …

Read more

Enabling remote access for specific users on Azure AD joined devices

This week is sort of a follow-up on my previous posts about restricting the local log on to specific users. While those posts were focused on restricting the local log on, this post will be focused on enabling remote access for specific users. More specifically, remote access for specific users on Azure AD joined devices. That’s not something to exciting, but definitely something that comes in useful every now and then. Besides that, this was already possible – for a long time – but would often require the device to be joined to the same tenant and take out some security configurations (like Network Level Authentication). That’s no longer required – already for almost a year – as it it can now rely on Azure …

Read more

Getting started with Mobile Application Management for Windows

This week is all about Mobile Application Management (MAM) for Windows. A long awaited feature that will be a big help with addressing unmanaged Windows devices. MAM for Windows enables organizations to manage the app in a similar way as already possible on mobile platforms. So, making sure that there is a separation between personal and work data, and making sure that the chances of accidental data leakages getting slimmer. In some areas, especially when looking at browser access, it might feel similar to what could already be achieved by using app enforced restrictions in Conditional Access, or by using Microsoft Defender for Cloud Apps in combination with Conditional Access. Big difference, however, is that MAM for Windows also includes the ability to use app …

Read more

Using authentication strengths in Conditional Access policies

This week is all about a nice feature of Conditional Access. Not a particular new feature, but an important feature for a solid passwordless implementation. That feature is authentication strengths. Authentication strengths is a Conditional Access control that enables IT administrators to specify which combination of authentication methods should be used to access the assigned cloud apps. Before authentication strengths, it was not possible to differentiate between the different authentication methods that can be used as a second factor. Now with authentication strengths, it enables organizations to differentiate the available authentication methods between apps, or to simply prevent the usage of less secure MFA combinations (like password + SMS). With that, it opens a whole new world of potential scenarios that can be easily addressed. …

Read more