In this article, I’m going to show you how to customize endpoint security settings in Microsoft Intune, including how to change security baseline settings, how to make sure devices are running a specific operating system version (or later), and how to configure Windows and iOS disk encryption settings.
Microsoft provides a series of recommended security baseline settings. But depending on your organization’s needs, it may be necessary to review and change the settings to ensure that devices and data are properly secured.
Additionally, you should configure Intune to automatically update Windows and make sure that devices aren’t running an outdated version of an operating system. Finally, configure disk encryption and Mobile Application Management settings to make sure data is protected on mobile devices.
What you need to know:
Similar to Conditional Access policies, Microsoft provides you with some baseline Endpoint security policies, as seen here. These are the recommended security settings; however, you may customize them to your organization’s requirements.
To use the settings, you must select one of the policies and then create a profile. The profile should then be assigned to users or groups as needed. You can create multiple profiles and assign them to different groups or to all users.
Now you can assign users or groups.
All devices should be updated automatically. This helps you to keep devices compliant. This can be defined as follows:
Apart from having the right OS, it’s also important to standardize the OS version on each machine. You can achieve uniformity in the Windows 10 OS version installed on all devices.
Follow the path shown in the screenshot here. The “Feature update to deploy” field is the OS version that will be installed on all the selected machines.
It’s important to have a policy in place to handle iOS devices too. The screenshot here showcases a new policy, where a specific version of iOS is defined for all iOS-based devices. The location for this is Devices > Update policies for iPadOS/iOS.
On the next page you must select the users or groups to which this policy will apply.
BitLocker should be used to encrypt all your Windows 10 machines. In the Endpoint Manager portal, go to Devices > Configuration profiles > Create Profile. In the new profile, define your settings under Windows Encryption.
You can also configure a similar policy to control iPad and iOS devices.
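The update and encryption policies above define the desired state; the script below is an added example (not from this article or from Microsoft) that audits device records of the kind Intune exposes through Microsoft Graph’s managedDevice resource (operatingSystem, osVersion, isEncrypted) against an assumed minimum-version and encryption policy. The device list and the minimum versions are constructed for the example; it also shows why OS versions must be compared numerically rather than as strings.

```python
# Added example (not from the article): audit Intune-managed devices for the
# minimum OS version and disk-encryption state the article asks you to enforce.
# The records mimic fields of Microsoft Graph's managedDevice resource
# (operatingSystem, osVersion, isEncrypted); the minimum versions are assumed
# policy values and the device list is constructed inline.
from typing import Dict, List, Tuple

# Assumed policy: per-platform minimum version and whether encryption is required.
MINIMUM_OS: Dict[str, Tuple[str, bool]] = {
    "Windows": ("10.0.19045", True),  # assumed: this Windows 10 build or later
    "iOS": ("16.0", False),           # assumed: encryption handled by the iOS profile
}

# Constructed sample devices (not real data).
DEVICES: List[dict] = [
    {"deviceName": "PC-01", "operatingSystem": "Windows", "osVersion": "10.0.19045.3693", "isEncrypted": True},
    {"deviceName": "PC-02", "operatingSystem": "Windows", "osVersion": "10.0.9999.1", "isEncrypted": True},
    {"deviceName": "PC-03", "operatingSystem": "Windows", "osVersion": "10.0.22621.2506", "isEncrypted": False},
    {"deviceName": "PHONE-01", "operatingSystem": "iOS", "osVersion": "16.7.2", "isEncrypted": True},
    {"deviceName": "PHONE-02", "operatingSystem": "iOS", "osVersion": "15.8", "isEncrypted": True},
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Split '10.0.19045.3693' into (10, 0, 19045, 3693) so comparison is numeric.
    A plain string compare would wrongly rank '10.0.9999' above '10.0.19045'."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def meets_minimum(version: str, minimum: str) -> bool:
    """True when version is the minimum or later (missing trailing parts count as 0)."""
    have, want = parse_version(version), parse_version(minimum)
    width = max(len(have), len(want))
    return have + (0,) * (width - len(have)) >= want + (0,) * (width - len(want))

def audit(devices: List[dict]) -> Dict[str, List[str]]:
    """Return device names grouped by the check they fail: 'os_version' or 'encryption'."""
    findings: Dict[str, List[str]] = {"os_version": [], "encryption": []}
    for device in devices:
        policy = MINIMUM_OS.get(device["operatingSystem"])
        if policy is None:
            continue  # platform not covered by the assumed policy
        minimum, encryption_required = policy
        if not meets_minimum(device["osVersion"], minimum):
            findings["os_version"].append(device["deviceName"])
        if encryption_required and not device.get("isEncrypted", False):
            findings["encryption"].append(device["deviceName"])
    return findings

if __name__ == "__main__":
    for check, names in audit(DEVICES).items():
        print(f"{check}: {', '.join(names) or 'all devices compliant'}")
```

In a real tenant the device records would come from the Graph endpoint GET /deviceManagement/managedDevices rather than the constructed list.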
End users access corporate data on organization-owned mobiles or on their personal devices. It’s critical to ensure that corporate data doesn’t leak. Because Mobile Application Management (MAM) policies are applied based on the user’s identity rather than device enrollment, you can safeguard corporate data on both managed and unmanaged mobile devices.
Application protection policies (APP) can be applied to all apps running on mobile platforms. You should configure APP for both iOS and Android devices.
The settings in these policies can be used to enforce disk encryption; disable saving copies of data; restrict cut, copy, and paste operations between apps; block screen capture; and require a PIN to access specific apps.
Once you have configured all the settings above to suit your organization’s needs, you can be sure that you have a more secure mobile workforce, that devices are less likely to be compromised, and that data is better protected.