Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.
First up you will need to create a storage account within your Azure subscription.
Create Storage Account
Specify the following; – Resource Group – Storage Account Name – Location (Europe) UK South
Specify settings
Once the storage account has successful created, you will need to go to the resource
Go to resource
Go to “Containers” Create new “Container” Specify the name of the Container Specify the Public Access level as “Blob” Then click ok
Specify settings
Click on your new “Container”
Created Container
Click Upload You will need to upload your required .jpg file
Click on the uploaded file and you will be provided a URL which can be used
Provide the URL into your required destination for example Lock Screen as shown below
As you can see from below my Lockscreen and Desktop backgrounds are what I have specifed.
Image for LockscreenLockscreenImage for DesktopDesktop
Enterprise organizations today are becoming more and more security conscious of where the corporate resides. If you have come across Windows Information Protection yet, check out the below video from Microsoft.
Right let us jump right into it
Windows Information Protection is configured via the Microsoft Intune portal. Browse to Client Apps –> App protection policies –> Required settings
Windows Information Protection mode
Windows Information Protection mode
Block: Block enterprise data from leaving protected apps
Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
Silent: User is free to relocate data off of protected apps. No actions are logged.
Off: User is free to relocate data off of protected apps. No actions are logged.
You will need to specify your corporate identity, if you have multiple identities you will need to “Protected Domains” under “Advanced settings” –> “Add network boundary”
Protected domains
Once you have selected the Windows Protection mode, we need some applications to protect.
Protected Apps
This step is definitely one of the easiest to do, as Microsoft has already generated a list of all the default applications and all you need to do is go to “Protected Apps” and “Add apps”.
For the purpose of this blog, I have missed out the Cloud Resources as shown below.
I have recently been running into the following issue where using white-glove experience for Windows Autopilot. The error already occurs around the 14-minute mark when “Registering the device for mobile management”.
Device prepartionWindows Autopilot Configuration
This issue is cause by multiple MDM enrollment applications defined within the Mobility (MDM and MAM) window within your Azure Active Directory
Once I had remove Microsoft Intune Enrolment, Windows Autopilot provisioing was able to successful complete.
I have been recently investigating Cloud App Security how it can benefit organizations already paying for this functionality without even knowing. Do you already pay for the following Microsoft licenses?
Starting with Cloud App SecurityCloud App Security – DashboardGetting started with Cloud App Security
Log process flow: From raw data to risk assessment
The process of generating understanding the risk within your organisation from a Cloud Securtity starts here with the following. You can upload data to Cloud App Security and the process takes between a few minutes to several hours depending on the amount of data processed.
Upload – Web traffic logs from your network are uploaded to the portal.
Parse – Cloud App Security parses and extracts traffic data from the traffic logs with a dedicated parser for each data source.
Analyze – Traffic data is analyzed against the
Cloud App Catalog to identify more than 16,000 cloud apps and to assess
their risk score. Active users and IP addresses are also identified as
part of the analysis.
Generate report – A risk assessment report of the data extracted from log files is generated.
Note
Continuous report data is analyzed twice a day.
Supported firewalls and proxies
Cloud App Security support data uploads from the following Firewalls and Proxies.
Barracuda – Web App Firewall (W3C)
Blue Coat Proxy SG – Access log (W3C)
Check Point
Cisco ASA with FirePOWER
Cisco ASA Firewall (For Cisco ASA firewalls, it’s necessary to set the information level to 6)
Cisco Cloud Web Security
Cisco FWSM
Cisco IronPort WSA
Cisco Meraki – URLs log
Clavister NGFW (Syslog)
Digital Arts i-FILTER
Forcepoint
Fortinet Fortigate
iboss Secure Cloud Gateway
Juniper SRX
Juniper SSG
McAfee Secure Web Gateway
Microsoft Forefront Threat Management Gateway (W3C)
Palo Alto series Firewall
Sonicwall (formerly Dell)
Sophos SG
Sophos XG
Sophos Cyberoam
Squid (Common)
Squid (Native)
Stormshield
Websense – Web Security Solutions – Investigative detail report (CSV)
Websense – Web Security Solutions – Internet activity log (CEF)
Cloud App Security also enables organizations to automatically discovery the Cloud Apps in use via actives on your firewall logs. This is done via Log Collectors that allows organizations upload logs to Cloud App Security. Every single long is automatically transfers to the portal, there is 2 different behaviours if you are using FTP or Syslog
FTP Uploads
FTP logs are uploaded to Microsoft Cloud App Security after the file finished the FTP transfer to the Log Collector
SysLog Uploads
The Log Collector writes the received logs to the disk. Then the collector uploads the file to Cloud App Security when the file size is larger than 40 KB
App connectors use APIs from cloud app providers to integrate the
Cloud App Security cloud with other cloud apps. App connectors extend
control and protection. They also give you access to information
directly from cloud apps, for Cloud App Security analysis.
To connect an app and extend protection, the app administrator
authorizes Cloud App Security to access the app. Then, Cloud App
Security queries the app for activity logs, and it scans data, accounts,
and cloud content. Cloud App Security can enforce policies, detects
threats, and provides governance actions for resolving issues.
So how does the look from the portal?
List of Connected Apps available today
Lets connect Office 365 for the purpose of this post.
Connect Office 365Select the components you would like to monitor and connect the appSuccess
Conditional Access App Control protection
Microsoft Cloud App Security Conditional Access App Control uses reverse proxy architecture to give you the tools you need to have real-time visibility and control over access to and activities performed within your cloud environment. With Conditional Access App Control, you can protect your organization:
Avoid data leaks by blocking downloads before they happen
Set rules that force data stored in and downloaded from the cloud to be protected with encryption
Gain visibility into unprotected endpoints so you can monitor what’s being done on unmanaged devices
Control access from non-corporate networks or risky IP addresses
Conditional Access App Control protection
With Conditional Access App Control protection you can define you want to Monitor what is being accessed or block.
Conditional Access Policies
When configured you will notice the below appear for all access control applications
Policies
Once you have configured the basics above the next steps is to enable policies you would like run within your environment. Out of the box you will receive a number policies deemed appropriate from Microsoft but there may be additions ones you would like for example;
In my environment I have created a policy that check for OneDrive Documents shared outside my business to specific domains
This policy also has the power to remove the external user to prevent access and this is where Cloud App Security really comes into its own. As it allows organisations and IT Administrators to the power to real take control of corporate data.
After a bit of recent investigate App Protection policies I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I have recently experienced an issue where network boundaries were not configured correctly and I had to ensure that all applications that were being protected do not experience any issues access corporate resources.
It is recommended to use the following when adding a network boundary.
The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.
The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided from Microsoft.
One thing I have included in this month round up is Microsoft Bookings as it now integrates with Skype and Teams.
Cloud App Security offers the ability to leverage Conditional Access for Exchange Online and SharePoint Online but how do we configure this functionality?
Let’s start with your Azure Portal and browse to Conditional Access –> New Policy
Conditional Access
So as I previously mentioned this control only works for Exchange Online and SharePoint Online so you will need to select;
Under Session, you need to select Conditional Access App Control and as you can see below we only have 3 options
– Monitor only (Preview) – Block downloads (Preview) – Use custom policy…
Session
For the purpose of this post, I am going to just Monitor what happening their Cloud App Security to discover what’s happening within my tenancy.
Once the policy is enabled, sign into Exchange Online or SharePoint Online and you will be welcome by the below message. This demonstrates that Conditional Access App Control is now in place.
Welcome to Conditional Access App Control
From you Cloud App Security console you will be able to see this activity and all future activities
Recently my partner and I allowed our daughter to have her very first mobile but as a Security Consultant within the world of IT, I wanted to make sure that we could protect her and also ourselves. As you hear horror stories all the time with children building up hundreds of pounds of mobile phone charges.
After a bit of research and testing, I realized I could easily protect our child using native a application from the Google Play store.
The Family Link app from Google helps parents stay in the loop as their child or teen explores on their Android device, and lets parents set certain digital ground rules for their family.
With Family Link you can perform the following; – Check your child location using Location Services on their Android phone – Check what applications your child is using and how long for – Lock the device if your child device is lost, or if you want to prevent usage – Set daily screen time limits – Set bedtime screen access – Check what applications have been installed if you dont set “Adult Approval for Applications from Play Store”
As parents we are always concerned what our child can access from their mobile devices
With Family Link you can prevent; – Access to Age rated applications that are not appropriate for your child – Block mature sites
Common Questions
Will my child be able to use their phone when locked in case of an emergency?
Yes, your child will be able to make phone calls to emergency services or favorite contacts from their device.
Is my child device compatible for Family Link?
Family Link runs on Android devices running version 7.0 (Nougat) and higher devices running Android versions 5.0 and 6.0 (Lollipop and Marshmallow) may also be able to run Family Link. You will need to check the Google Help Center for more details.
What child age is Family Link targeted at?
Parents can also use Family Link to create a Google Account for their child under 13 (or the applicable age in your country). Once complete, children can sign-in to their device with their new account.
Can I add accounts to Family Link I have already created for my child(ren)?
If a child/teen already has a Google account, Family Link will walk their parent through linking their account to their child’s account. As part of that process, the child/teen may also need to download the Family Link (Child/Teen) app on their phone to complete the process of linking the accounts.
Once the accounts are linked, parents can use Family Link to help them do things like keep an eye on screen time and manage the content they use.
If your child is using Andriod device today, go and get Family Link.
The following post contains the new features and updated features from August 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided from Microsoft.
One thing I have included in this month round up is Microsoft Bookings as it now integrates with Skype and Teams.
