IBM Security MaaS360


A Guide to Securing Your Windows Devices and Corporate Data with MaaS360

By Prasad Balasubramanian posted Sun October 27, 2019 07:25 AM


October being National Cyber Security Awareness Month, I wanted to write a quick dossier for our existing customers, and for those still evaluating UEM products, to help you understand the different security capabilities we have built into the product for Windows. Most of these features cover Windows laptops and desktops as well as Windows Holographic (HoloLens) and kiosk devices. They cover Windows Phones too, but bear in mind that Microsoft is ending support for Windows Phones in January 2020.

Each of the security settings or features described in this blog can be found under the Windows MDM security policy in the MaaS360 console. The console's interface makes it easy to see each security setting and the Windows device types and OS versions it applies to, so that I&O staff can build the right security policies for their enterprise quickly.

The security of Windows devices and corporate data falls under three key areas within the policy, plus a handful of measures outside it. This blog details each of these areas and describes the applicable use cases.

Device Security


Keeping devices secure is critical to every enterprise, and having the right toolset and settings is even more important. The right amount of control over corporate-owned and personal devices significantly reduces the day-to-day headaches of administrators. Here is a list of some of the key device security settings administrators can use:

Passcode: From a set of roughly 20 parameters, organizations can enforce a strict passcode policy on user endpoints.

BitLocker: BitLocker can be enabled or disabled, and the recovery password can be backed up to Active Directory or Azure AD. Both internal fixed drives and removable drives can be brought under strict encryption policies via MaaS360. Do not skip the recovery-password backup: if the TPM fails or the user forgets the PIN, a volume whose recovery password was never escrowed is unrecoverable.

Windows Store access: Irrespective of the device type, there are controls to allow or deny access to the Store, to allow or block running of Store apps, to restrict installation and running of Store apps, and to restrict Store app installations to the system drive or volume. Because these are OS-enforced policies rather than preferences of the Store app, they hold even if the user tries to work around them.

Restrictions: There are about 20 restrictions that can be enforced on Windows devices, covering Cortana, the camera, location, root CA certificate installation and so on. The root CA restriction deserves attention: a root certificate installed by a user lets whoever holds its key intercept that device's TLS traffic. In addition, an 'accounts synchronization' section lets you enable or disable the addition of non-Microsoft email accounts, and lets you control whether Microsoft accounts can be used for authentication to services other than email.

Application Compliance: This is where you configure and roll out your enterprise blacklists and whitelists. Both Universal apps and desktop (native) apps are supported. Additionally, multiple blacklists and whitelists for desktop apps can be built from file path, file hash or publisher rules, and MSI, EXE and script files are supported. Of the three rule types, publisher (signature-based) rules are the hardest to evade: a path rule fails as soon as the user can write into an allowed directory, and a hash rule has to be redone on every update of the binary.

VPN: At least six third-party VPN product configurations are supported in the MDM policy. In addition, MaaS360 VPN is IBM's own VPN solution that lets users reach their hosted corporate resources. Always On VPN and device-level or per-app VPN are among the configurations MaaS360 VPN supports.

Update Management: The latest addition lets enterprises configure Windows Update settings so that devices are patched month after month, consistently and over-the-air. Combined with Delivery Optimization, admins don't have to worry even when a cumulative update is around 500 MB: peer-to-peer distribution significantly reduces the bandwidth drawn from the internet. P2P can be configured for both patch management and OS upgrades. If a WSUS server is available, that configuration can be pushed to the endpoints as well.

Removal of local admin privileges: On Windows 10, MDM enrollment requires the enrolling user to hold local administrator privileges. This option removes those privileges after enrollment, working around that limitation imposed by Microsoft. Exercise caution when enabling it, as it has side effects; refer to the console for details.

One such dependency: BitLocker encryption requires the enrolled user account to have administrator privileges. If you have enabled BitLocker encryption on your devices, enable the accompanying setting that waits until BitLocker encryption is complete before the admin privileges are removed.

Advanced Security Settings


Here is a brief look at the additional, advanced security settings for Windows devices:

Antivirus Settings: These settings configure Microsoft Defender's behavior: scan frequency, locations to scan, and the file and location types to include in scans. Real-time protection, behavior monitoring and cloud-delivered protection matter even more, because without them Defender is reduced to scheduled signature scans; go through these settings carefully so that Defender's capabilities are fully used. There is also a setting in this section to hide the Defender UI from users.

Threat management functions are available as well: if Defender finds a threat, you can assign a default action per threat severity. The available default actions are Clean, Quarantine, Remove, Allow, User Defined and Block. Treat Allow with care, since it lets a detected item run; reserve it for a severity level you have consciously accepted.

Network & Browser restrictions: Admins can allow or block Bluetooth, connecting to Wi-Fi hotspots, projection to a PC, PIN pairing for sharing, and so on. There are Bluetooth-specific settings such as enabling or disabling advertising, discoverable mode and the device name. You decide how strictly you want to enforce these settings.

Browser restrictions play a key role in ensuring that employees do not inadvertently visit malware or other disallowed sites, and that the browsing experience stays as the IT administrators defined it. There are many additional parameters, such as allowing or disallowing saving of passwords, private browsing, developer settings and pop-ups, and whitelisting of sites.

Certificates configuration: The Certificates settings support pushing trusted server or root certificates to a Windows device. The supported file types are DER- or PEM-encoded X.509 certificates (*.crt, *.cer, *.pem). Pushing a root CA is a high-trust operation: every device that receives it will trust any certificate chained to it, so distribute only CAs you control.

Custom OMA settings: We are constantly adding support for new Windows 10 CSPs, but what if an IT administrator needs a CSP setting MaaS360 does not support yet? The Custom OMA settings in MaaS360 allow a customized CSP configuration to be built and distributed to endpoints. The documentation explains how to build the SyncML.xml file and push it.
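As an added example (not code from the MaaS360 documentation or from IBM), here is a PowerShell function that assembles a SyncML.xml of the shape a Windows MDM client expects for custom CSP settings, and sanity-checks the result before it is uploaded through the console. The OMA-URIs are from Microsoft's Policy CSP; the chosen values, the output file name and the three-format whitelist are assumptions for illustration.

```powershell
# Added example, not MaaS360's or Microsoft's code: assemble a SyncML.xml for the Custom OMA
# settings section. Each entry becomes a Replace command against one OMA-URI, which is how a
# Windows MDM client expects Policy CSP values to be set.
function New-CspSyncML {
    param(
        # One hashtable per setting: LocURI (full OMA-URI), Format (int | chr | bool), Data (value)
        [Parameter(Mandatory)] [hashtable[]] $Settings
    )
    $allowed = 'int', 'chr', 'bool'
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<SyncML xmlns="SYNCML:SYNCML1.2">')
    [void]$sb.AppendLine('  <SyncBody>')
    $cmdId = 1   # must be unique per command; the device echoes it back in each <Status>
    foreach ($s in $Settings) {
        if ($allowed -notcontains $s.Format) { throw "Unsupported Format '$($s.Format)' for $($s.LocURI)" }
        $data = [System.Security.SecurityElement]::Escape([string]$s.Data)   # XML-escape chr values
        [void]$sb.AppendLine('    <Replace>')
        [void]$sb.AppendLine("      <CmdID>$cmdId</CmdID>")
        [void]$sb.AppendLine('      <Item>')
        [void]$sb.AppendLine("        <Target><LocURI>$($s.LocURI)</LocURI></Target>")
        [void]$sb.AppendLine("        <Meta><Format xmlns=""syncml:metinf"">$($s.Format)</Format></Meta>")
        [void]$sb.AppendLine("        <Data>$data</Data>")
        [void]$sb.AppendLine('      </Item>')
        [void]$sb.AppendLine('    </Replace>')
        $cmdId++
    }
    [void]$sb.AppendLine('    <Final/>')
    [void]$sb.AppendLine('  </SyncBody>')
    [void]$sb.AppendLine('</SyncML>')
    return $sb.ToString()
}

# Device-scope Policy CSP settings matching sections of this post; the values are assumptions.
# ./Device/... applies to the whole device; ./User/... would apply to the enrolled user only.
$settings = @(
    @{ LocURI = './Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring'; Format = 'int'; Data = 1 }
    @{ LocURI = './Device/Vendor/MSFT/Policy/Config/Defender/AllowBehaviorMonitoring'; Format = 'int'; Data = 1 }
    @{ LocURI = './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength'; Format = 'int'; Data = 8 }
)
$xml = New-CspSyncML -Settings $settings

# Sanity checks before uploading: the document must parse, and CmdIDs must be unique.
$doc = [xml]$xml
$ids = @($doc.SyncML.SyncBody.Replace | ForEach-Object { [int]$_.CmdID })
if (($ids | Sort-Object -Unique).Count -ne $ids.Count) { throw 'Duplicate CmdID in SyncML' }
$xml | Set-Content -Path .\SyncML.xml -Encoding UTF8
```

The Format element matters as much as the value: an int policy sent as chr is rejected by the CSP, and the failure only shows up as a non-200 Status in the device's response. Building the file from a list also keeps the CmdIDs unique, which hand-edited SyncML files often get wrong.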

Those were some of the key advanced settings; there are many more within the Windows MDM policy. Feel free to explore them in the console.


Enterprise Settings


Enterprise settings are another category of security settings for Windows 10 devices. Through them admins can control data leak prevention and passwordless sign-in, monitor important security-related parameters, and flag devices as non-compliant if these settings are violated. Let us take a closer look at these:

Windows Information Protection: WIP is the core data leak prevention mechanism for Windows devices. Whether on phones or on laptops and desktops, these settings ensure that your corporate data stays only on the appropriate, managed devices.

Here, the "Enforcement Settings" section under WIP in the console lets you decide how stringent the policy should be. There are three enforcement modes: Silent (log only), Override (warn the user, let them proceed, and log it) and Block. Other settings include removal of corporate data after the device is unenrolled and showing a briefcase icon on WIP-protected documents for identification. For example, enabling 'remove data after device is unenrolled' revokes the encryption keys when MDM management is removed, so that protected data becomes inaccessible on unenrollment while personal data is untouched.

The "Enterprise protected Apps" section defines the blacklist or whitelist of apps to which the WIP settings apply. Both universal and native apps are supported. If an app is placed on a blacklist, data handled by that application will not be protected. Conversely, a whitelist means every listed app is covered by the DLP rules.

Windows Hello: The Windows Hello for Business settings let you use public-key or certificate-based authentication in place of passwords. This section configures the PIN policy and enforces use of a PIN to unlock a Windows device. All PIN settings are supported here: composition rules, how often PINs must be changed (PIN age and expiry), length, special characters, and whether biometrics may be used.

Windows Health Attestation: There are 20 different parameters you can configure to monitor devices and report on them. For example, you can whitelist boot manager versions and require BitLocker encryption and Secure Boot. Any deviation from this baseline makes the device non-compliant, and strict action can be taken. Advanced settings such as boot debugging, Windows Preinstallation Environment, Safe Mode and Virtual Secure Mode can each be set to enabled or disabled in the baseline, and deviations are monitored once it is set. Unlike the other checks in the policy, these values come from the TPM-measured boot log and are verified by Microsoft's Health Attestation Service, so a device whose boot chain has been tampered with cannot simply report itself healthy.

These three sections are part of a security policy that can be pushed to every Windows 10 device. Beyond those policies, the product supports other security configurations and measures, including:

Compliance Rules: Here you define custom attributes, such as monitoring a service or a change to a registry key, and link them to device compliance. If a user stops a monitored service, or malware is found, the device becomes non-compliant in the device view of the inventory section. On top of this, you can link Azure AD conditional access rules to these custom-attribute-based non-compliance states and restrict those users' access to corporate resources. Conditional access support is fully present in the product. If you have further questions about this topic in particular, please do not hesitate to reach out to me.
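Once a policy lands on a test device, a practitioner will want to read back what it actually changed rather than rely on the console alone. The following PowerShell is an added example, not MaaS360 code, and checks from the device side the settings discussed in the Device Security, Antivirus, Health Attestation and Compliance Rules sections: BitLocker state, who still sits in the local Administrators group, Defender's real-time, behavior and cloud protection, Secure Boot, plus a required service and a registry value of the kind a custom compliance attribute would monitor. The service name, the registry path and value, the expected value, and the "only the built-in Administrator may remain" rule are assumptions; run it in an elevated session on Windows 10.

```powershell
# Added example, not MaaS360's own code: read back the device-side state that the policy
# sections above configure. Run elevated on Windows 10.
# The service name, registry path/value and expected value are assumptions that stand in
# for whatever a custom compliance attribute monitors in your environment.
function Test-WindowsBaseline {
    param(
        [string] $RequiredService  = 'WinDefend',                                      # assumed: must be running
        [string] $RegistryPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', # assumed
        [string] $RegistryName     = 'EnableSmartScreen',                              # assumed
        [int]    $RegistryExpected = 1
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # Each probe returns @{ Pass = <bool>; Detail = <string> }. A throwing probe is recorded
    # as a failure, not skipped, so a missing BitLocker module or legacy BIOS firmware shows up.
    function Invoke-Check([string] $Name, [scriptblock] $Probe) {
        try {
            $r = & $Probe
            $findings.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$r.Pass; Detail = [string]$r.Detail })
        } catch {
            $findings.Add([pscustomobject]@{ Check = $Name; Pass = $false; Detail = "check failed: $($_.Exception.Message)" })
        }
    }

    Invoke-Check 'BitLocker (OS drive)' {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        @{ Pass   = ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On')
           Detail = "$($bl.VolumeStatus), protection $($bl.ProtectionStatus), protectors: $(($bl.KeyProtector.KeyProtectorType) -join ',')" }
    }

    Invoke-Check 'Local Administrators' {
        # Assumed policy: after enrollment no local user other than the built-in
        # Administrator (RID 500) should remain in the group.
        $extra = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' })
        $detail = if ($extra.Count -gt 0) { 'extra local admins: ' + ($extra.Name -join ', ') } else { 'only built-in accounts' }
        @{ Pass = ($extra.Count -eq 0); Detail = $detail }
    }

    Invoke-Check 'Defender protection' {
        $st = Get-MpComputerStatus -ErrorAction Stop
        $pr = Get-MpPreference -ErrorAction Stop
        $cloud = $pr.MAPSReporting -ne 0          # 0 = cloud-delivered protection off
        @{ Pass   = ($st.RealTimeProtectionEnabled -and $st.BehaviorMonitorEnabled -and $cloud)
           Detail = "realtime=$($st.RealTimeProtectionEnabled) behavior=$($st.BehaviorMonitorEnabled) cloud=$cloud signatures=$($st.AntivirusSignatureLastUpdated)" }
    }

    Invoke-Check 'Secure Boot' {
        $sb = Confirm-SecureBootUEFI -ErrorAction Stop   # throws on non-UEFI firmware
        @{ Pass = $sb; Detail = "SecureBoot=$sb" }
    }

    Invoke-Check "Service $RequiredService" {
        $svc = Get-Service -Name $RequiredService -ErrorAction Stop
        @{ Pass = ($svc.Status -eq 'Running'); Detail = "status $($svc.Status), start type $($svc.StartType)" }
    }

    Invoke-Check "Registry $RegistryName" {
        $v = (Get-ItemProperty -Path $RegistryPath -Name $RegistryName -ErrorAction Stop).$RegistryName
        @{ Pass = ($v -eq $RegistryExpected); Detail = "$RegistryPath\$RegistryName = $v (expected $RegistryExpected)" }
    }

    return $findings
}

# Usage: print the table and exit non-zero if anything failed, so the script can double as
# the probe behind a custom compliance attribute.
$results = Test-WindowsBaseline
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

The one check that cannot be faked from the device is Health Attestation, which is why it lives in the policy rather than in a script like this: everything above reads the local OS, so a compromised machine could lie, whereas the attestation values are signed by the TPM and verified by Microsoft's service.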

Real-time Actions: As you are probably aware, an enterprise wipe or a full remote wipe can be initiated over-the-air if a device is lost or inadvertently ends up in the hands of someone outside the organization. The distinction matters: an enterprise wipe removes only corporate data and management, leaving personal data in place, while a remote wipe resets the whole device.

To conclude, we at IBM are constantly evaluating the security requirements of the enterprise to ensure that the right set of capabilities is built into the product. Our customers' problems are our problems, and we take care to ensure that your day-to-day tasks are highly automated and effectively addressed by MaaS360. The features and capabilities mentioned in this article are only a small subset of what the product offers across iOS, Android, Windows, rugged, and non-traditional devices such as IoT. If you are new to UEM, you are welcome to sign up for a trial of MaaS360.

As the 2019 Gartner Magic Quadrant for Unified Endpoint Management Tools demonstrates, MaaS360 is positioned highest for completeness of vision in the Leaders quadrant.

If you would like to learn more, again, do not hesitate to reach out to me with any questions on UEM, MaaS360, Windows support, or any other related topic. In the meantime, happy National Cyber Security Awareness Month and happy UEMing!


