You are thinking of switching to Microsoft Intune for your security tooling and processes, and naturally you have a few questions about the permissions Intune asks for on each device and what they mean for your privacy. This page addresses those concerns and shows that neither Intune nor your IT management services team uses Intune to monitor you or to invade your privacy.
What Microsoft Intune Does
First a little history:
In the old days, most companies had a server and computers in the office, and nobody worked from home or from personal devices. Each team member had a work computer assigned to them, and those who did not used shared terminals in the office.
It is easy to maintain security best practices when every device allowed to touch company data is physically confined to an office like this and authenticated against a Domain Controller that approves or denies each login and access attempt.
For years now we have all worked remotely, from home and from personal devices. In this remote-work world an office Domain Controller no longer covers the devices in use, so security is implemented instead with Mobile Device Management (MDM) tools and Identity and Access Management (IAM) tools. Microsoft Intune is the MDM half of that pairing; the identity half is Microsoft Entra ID (formerly Azure Active Directory), which is where the Conditional Access rules discussed later on this page live. On phones and tablets you meet Intune through its enrollment app, the 'Company Portal' app.
What Intune does is collect the settings of each enrolled device, measure them against pre-defined compliance policies, mark the device compliant or non-compliant, and, only if it is compliant, allow it access to resources such as email and files in SharePoint.
Naturally, installing a security app can seem scary, especially since the Company Portal app does not explain very well what it can and cannot do on a personal device. This page explains exactly that, so that you can install it knowing that your personal information is not accessible to your employer, your IT company or Microsoft.
Intune Permissions When Installed On Mobile Phones and Tablets
During setup, the app will ask you to grant permissions to:
- Allow Company Portal to make and manage phone calls
- Allow Company Portal to access your contacts
- Allow Company Portal to access photos, media, and files on your device
This can seem invasive: the wording suggests that your employer, your IT company or Microsoft DO have access to those things. However, these three prompts are the stock Android runtime-permission prompts. Google controls the wording, and an app cannot change it to describe what it actually does with the permission. (They are specific to Android; iOS does not present these prompts.)
Here is what each permission is actually used for when you approve it:
Allow Company Portal to make and manage phone calls
This lets you place a call to the helpdesk from within the Company Portal app. Your employer, IT company and Microsoft cannot make or manage phone calls on your phone. The message text is controlled by Google and cannot be changed.
Allow Company Portal to access your contacts
This lets you add your work account to the phone and sync the contacts that reside in Outlook. Your employer, IT company and Microsoft cannot read your personal contacts. The message text is controlled by Google and cannot be changed.
Allow Company Portal to access photos, media, and files on your device
This lets the app write its own diagnostic logs to the device's SD card, which also means those logs can be copied off over a USB cable when support asks for them. Your employer, IT company and Microsoft cannot access your photos, media or files. The message text is controlled by Google and cannot be changed.
None of these permissions has to be granted to finish enrolling or to keep using the Company Portal app. You can tap Deny on all three and enrollment and compliance reporting still work as intended; you only lose the in-app helpdesk call, the Outlook contact sync and the log export described above.
What the Company Portal app will do is:
- make sure you have a password or PIN strong enough that it can't be guessed easily
- ensure the device's storage is encrypted, so that a lost or stolen phone does not hand over its data
- allow the employer to remove company data from the phone if and when employment ends.
The same security policies apply to computers as well as phones, but the setup on a computer is more invasive: the user account on the computer is bound to the company (the computer is joined to the organization's tenant and you sign in with your work account), which is a much tighter tie than simply reading email in Outlook.
Since computers expose a much larger attack surface than phones (any software can be installed, users often hold local administrator rights, and more services listen on the network), in addition to the password and encryption requirements there are also:
- compliance checks for antivirus
- screen-saver time-out locks
- Windows/Mac update enforcement
- rules about what can and can't be installed on the computer, and more.
Where an employer provides a company-owned, managed computer to an employee, these security rules are not invasive.
For contractors, interns and part-time employees who use a personal device for work, it is clear the employer should not have this level of control over a personal computer. Without it, however, company data is at risk.
Therefore the best practice is no personal computers for work. Company-owned, managed computers or virtual remote desktops are the right solutions.
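The compliance checks listed above (password, encryption, antivirus, update enforcement) are what Intune evaluates before it lets a device reach company data. As an added example, not code from the original page or from Microsoft, here is how an administrator would express that baseline as a Windows compliance policy through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the DeviceManagementConfiguration.ReadWrite.All permission, and that the policy name and minimum OS build are placeholders you would adjust for your own tenant.

```powershell
# Added example: encode the page's baseline as an Intune Windows compliance policy.
# Assumes the Microsoft.Graph module; the display name and osMinimumVersion are
# placeholder values, not settings taken from the page.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Baseline - Windows workstations"          # assumed name
    description   = "Password, encryption, antivirus and update requirements"

    # Password/PIN strength and the screen-lock time-out
    passwordRequired                      = $true
    passwordRequiredType                  = "alphanumeric"
    passwordMinimumLength                 = 12
    passwordMinutesOfInactivityBeforeLock = 15

    # Disk encryption (BitLocker) and boot integrity
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    secureBootEnabled        = $true

    # Antivirus / Microsoft Defender checks
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    defenderEnabled        = $true
    rtpEnabled             = $true      # real-time protection must be on
    activeFirewallRequired = $true

    # Update enforcement: builds older than this are non-compliant (assumed value)
    osMinimumVersion = "10.0.19045.0"

    # Graph requires at least one scheduled action: here, block access immediately
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Create the policy; Invoke-MgGraphRequest serializes the hashtable as JSON
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $policy

# Assign it to every enrolled device in the tenant
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
        )
    }

"Created and assigned compliance policy $($created.id)"
```

A policy on its own only marks devices compliant or non-compliant; it has no effect on access until a Conditional Access rule (see the 'Why is Intune necessary?' section) is told to require a compliant device. Use a grace period longer than zero hours if you want users to receive a warning and a chance to fix their device before being blocked.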
Employees can safely use a personal computer to reach a secure remote desktop and, through it, company resources, without Intune having to manage the personal computer itself.
A remote desktop requires no security changes on the employee's personal device. The client is an application like any other standard office application: it only streams the screen of a 'virtual' desktop that runs inside the company's environment and sends keystrokes and mouse input back. Company data stays on that virtual desktop; the usual precaution is to disable clipboard and drive redirection so that files cannot be copied onto the personal machine.
Why is Intune necessary?
Microsoft Intune and other IAM and MDM tools are necessary because it is too easy for bad-faith actors to gain access to sensitive data now that everything is cloud-based and everyone works remotely. They no longer need to 'hack' a firewall to reach corporate systems; they send an email that tricks you or a teammate into entering work credentials on a fake website, and from then on they have access to everything you have access to, which is a lot. You are none the wiser about having handed your access to an attacker, and neither is the IT department responsible for keeping that information safe. Financial data, legal data and customer data are all exposed by one convincing phishing email.
By limiting the 'endpoints' (computers and phones) allowed to access sensitive company data to those that have been approved (enrolled in Intune and reporting as compliant), you mitigate the most common attack on data in the cloud. If you accidentally hand your username and password to an attacker, they cannot satisfy a Conditional Access policy that requires a compliant device without also enrolling a device of their own in your Intune, and enrollment should itself be restricted (for example, by requiring multi-factor authentication). Enrollment also gives you a measure of control against loss or theft of a device, because company data can be removed remotely from any device that has been enrolled.
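The Conditional Access rule described above is what turns a compliance verdict into an access decision. As an added example, not code from the original page or from Microsoft, here is the rule created through the Microsoft Graph PowerShell SDK: every cloud app requires a device that Intune reports as compliant, so a stolen password alone is refused. It assumes the Microsoft.Graph module, the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass account ID is a placeholder you replace with your own emergency-access account.

```powershell
# Added example: require an Intune-compliant device for all cloud apps.
# Assumes the Microsoft.Graph module; the policy name and the break-glass
# account object ID are placeholders, not values from the page.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Emergency-access account that must never be locked out by this rule (placeholder)
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$caPolicy = @{
    displayName = "Require compliant device for all cloud apps"   # assumed name

    # Start in report-only mode: the sign-in log shows who WOULD have been
    # blocked, so devices can be enrolled before anyone actually loses access.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
    }

    # The grant control: a valid password is not enough, the device must be
    # enrolled in Intune and marked compliant by its compliance policy.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $caPolicy

"Created policy $($created.id) in state $($created.state)"

# After reviewing the report-only results, switch the rule to enforcement:
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body @{ state = "enabled" }
```

Two habits matter here. First, always exclude a break-glass account, since a mistake in a rule that covers all users and all apps can otherwise lock the administrators out of the tenant along with everyone else. Second, leave the rule in report-only mode until the sign-in log shows that the people you expect to pass are passing; only then flip it to enabled.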
More and more small and medium businesses are adopting these cyber-security best practices. Toronto IT security companies like TUCU are experts who can help you update your systems.
In addition, more clients and vendors are requiring proof of cyber security best practices to be in place before agreeing to do business with organizations such as yours.
You are investing in both a security upgrade and a business strategy by adopting these best practices today. That’s something to feel good about.