Implementation of Microsoft Endpoint Manager
Apr 11, 2023
Our client is a leader in investment banking, commercial banking, financial transaction processing, and asset management. They serve millions of customers, predominantly in the U.S., and many of the world's most prominent corporate, institutional, and government clients globally. Through continued investments, business initiatives, and philanthropic commitments, the customer has become not just a financial institution but one of the biggest technology-driven companies in the world.
For several years the company had been using Microsoft Endpoint Configuration Manager (SCCM) to deploy, manage and secure its on-premises Windows 10 and 11 devices. With a large number of employees in the field and more users working from home, the customer wanted cloud-based device management. With the existing solution, the client was struggling to manage the following workloads.
- Software distribution going forward
- Device enrollments
- Application deployment
- Update management
- Onboarding of a new user over the internet
- Device OS upgrades
- Controlling company resources on personal devices
Intuitive.cloud provided professional support for the cloud transformation and successfully implemented the following technologies.
- Device Registration: To meet the business challenges, the customer decided to implement Microsoft Endpoint Manager alongside the existing device management tool, which makes it possible to manage on-premises devices from the cloud without disturbing on-site processes. With Configuration Manager as the integrated platform, the Windows devices are co-managed by Configuration Manager and Microsoft Intune. Registration takes place via Azure AD and SSO.
- MDM and MAM: An MDM policy places an agent on a mobile device and manages the whole device, enforcing encryption and the use of a PIN. MAM, on the other hand, secures the use of mobile applications without requiring full device control. Together, MDM and MAM policies control and secure the approved mobile devices and applications.
The solution combined Intune MAM, which allows employees to access company applications without fully enrolling in mobile device management, with seamless mobile apps that let employees work from wherever they are. Mobile apps such as Microsoft Outlook and OneDrive work seamlessly with Microsoft 365, and MAM is enabled for them out of the box.
- Windows Autopilot: We provided a solution to onboard new employees seamlessly using Windows Autopilot, a feature of Microsoft Intune that quickly provides employees with a ready-to-work device, with apps pre-installed and policies enforced after a few clicks. This removed most of the manual effort for IT admins.
- BitLocker: BitLocker encryption is used to mitigate unauthorized data access on lost or stolen devices by encrypting all user files and system files on the operating system drive, including the swap and hibernation files, and by checking the integrity of early boot components and boot configuration data. Intune enforces the encryption settings and the compliance policy verifies that the OS drive actually reports protection as on.
- Windows Hello for Business: Windows Hello for Business replaces passwords with strong two-factor authentication on devices. The authentication uses a credential that is bound to the device (protected by the TPM where one is present) and unlocked by a biometric gesture or a PIN. This addresses the problems that strong passwords are difficult to remember and that users often reuse passwords on multiple sites. Windows Hello is set up on the user's device: Windows asks the user to register a gesture, which can be a biometric such as a fingerprint, or a PIN. The user provides the gesture to verify their identity, and Windows then uses the device-bound credential to authenticate the user.
- Remote Wipe: It is essential to secure company and personal information in case the worst happens and a laptop falls into the wrong hands. The remote wipe capability protects against unauthorized access to the company's data by erasing all data from a device with a single click, so that if a device is lost or stolen, sensitive information can be removed before it can be viewed. This is also useful for wiping devices belonging to former employees, and remote wipes are handy even without a security incident: before handing an existing laptop to a newly onboarded employee, all information left behind by the previous user can be wiped remotely. For personal devices managed only through MAM, a retire or selective wipe removes just the company data and leaves the user's own data in place.
- Device Compliance policy: Defined the rules and settings that users and devices must meet to be compliant. Configured actions for noncompliant devices: the user is alerted to the condition causing noncompliance, and data on the noncompliant device is safeguarded by blocking its access to company resources.
- Update rings for Windows 10 and later: Update rings for Windows 10 and later are essential to keep devices secure and up to date with the latest security patches. Windows feature update policies work together with the update rings to prevent a device from receiving a Windows feature version later than the value specified in the feature update policy.
- Conditional Access policy with Intune: Secures access to organization data so that only managed and compliant devices can access the organization's email and Microsoft 365 services. Conditional Access policies evaluate the device's compliance status reported by Intune and decide whether to allow or block access to the organization's resources from that device.
- Integrate Apple Business Manager with Microsoft Intune: Using Apple Business Manager with Microsoft Intune to simplify and automate device enrollment for iOS/iPadOS devices procured through Apple Business Manager.
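The compliance policy and the Conditional Access policy that consumes it are two halves of one control, so the following PowerShell script (an added example, not code from the original case study or from Intuitive.cloud) creates both through Microsoft Graph. The group IDs, policy names, minimum OS build and grace period are placeholder assumptions; the Conditional Access policy is created in report-only state so its effect can be reviewed in the sign-in logs before it blocks anyone.

```powershell
# Added example (not from the original case study): create a Windows compliance
# policy with noncompliance actions, assign it, and create the Conditional Access
# policy that requires a compliant device for Microsoft 365.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000000"  # placeholder: pilot users/devices group
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access accounts, always excluded

# 1. Windows 10/11 compliance policy. Each rule maps to a control described above.
$compliance = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win-Baseline-Compliance"
    description            = "BitLocker, Secure Boot, code integrity, supported OS build, device password"
    bitLockerEnabled       = $true          # OS drive must report BitLocker protection on
    secureBootEnabled      = $true          # verified through Device Health Attestation
    codeIntegrityEnabled   = $true
    osMinimumVersion       = "10.0.19045"   # placeholder floor; keep aligned with the feature-update policy
    passwordRequired       = $true
    passwordMinimumLength  = 6
    passwordRequiredType   = "alphanumeric"
    activeFirewallRequired = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    # Actions for noncompliance: notify the user immediately, block access after 24 hours.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "notification"; gracePeriodHours = 0;  notificationTemplateId = ""; notificationMessageCCList = @() },
                @{ actionType = "block";        gracePeriodHours = 24; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $compliance

# Assign the compliance policy to the pilot group only; broaden after the pilot phase.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body $assignment

# 2. Conditional Access: Microsoft 365 on Windows requires a compliant device.
#    "Office365" is Graph's built-in name for the Office 365 application group.
$ca = @{
    displayName = "CA-Require-Compliant-Device-M365"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $ca
```

The block grace period is what keeps the two policies from locking users out the moment a device drifts: the user is notified first and loses access only if the device is still noncompliant a day later. Excluding an emergency-access group from the Conditional Access policy is the standard safeguard against a misconfigured compliance rule blocking every administrator at once.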
Intuitive.cloud planned a step-by-step approach to integrate and enable cloud device management tools.
- Pre-flight checks: determine platforms, inventory devices, define baseline security requirements, review existing policies and infrastructure, create a rollout plan, communicate the change, and prepare the helpdesk and end users.
- Phase 1: Groups and licensing
- Phase 2: Policy and profiles creations
- Phase 3: Adding applications and configuring app rules
- Phase 4: Configuring Enrollments
- Phase 5: Enroll Devices
- Phase 6: Testing and broad deployment
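The pre-flight inventory and the enrollment phase both depend on the same per-device facts: whether the hardware can satisfy the compliance baseline (TPM 2.0, Secure Boot, BitLocker) and whether the device is already Azure AD joined. The script below is an added example (not from the original case study or from Intuitive.cloud) that collects those facts on one Windows device from an elevated PowerShell session; the minimum build is a placeholder assumption to align with the feature-update policy.

```powershell
# Added example (not from the original case study): local readiness check for a
# Windows device before enrollment. Run elevated. Returns non-zero if any check fails.
$minBuild = [version]"10.0.19045"   # placeholder: oldest build the feature-update policy allows

$os  = Get-CimInstance Win32_OperatingSystem
$tpm = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
# Confirm-SecureBootUEFI throws on legacy BIOS machines, which cannot meet the baseline anyway.
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRecoveryPassword = [bool]($blv.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
# dsregcmd /status reports the join state; "AzureAdJoined : YES" covers both AAD and hybrid join.
$dsreg = dsregcmd /status
$aadJoined = ($dsreg -match "AzureAdJoined\s*:\s*YES").Count -gt 0

$checks = [ordered]@{
    "OS build >= $minBuild"          = ([version]$os.Version -ge $minBuild)
    "TPM present and ready"          = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    "TPM spec 2.0"                   = ($tpmSpec -like "2.0*")
    "Secure Boot enabled"            = [bool]$secureBoot
    "BitLocker protection on OS drive" = ($blv.ProtectionStatus -eq "On")
    "BitLocker recovery password protector present" = $hasRecoveryPassword
    "Azure AD joined"                = $aadJoined
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize

$failed = @($checks.Values | Where-Object { -not $_ }).Count
Write-Host ("{0} of {1} checks failed on {2}" -f $failed, $checks.Count, $env:COMPUTERNAME)
exit $failed
```

The recovery-password check matters for the remote wipe and re-issue scenarios described earlier: a device whose only key protector is the TPM has no recovery path if the TPM is cleared or the board replaced, so a recovery password should exist (and be escrowed) before the device is handed to a user.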
Results and Impact
This section outlines the measurable results and the overall impact of the implemented technologies on the company's operations.
- The customer successfully transitioned to Microsoft Intune, a future-proof, cloud-based device management solution, with minimal business interruption.
- With the new capabilities, the customer was able to manage MDM and MAM together, protecting data while easing IT administration and workloads.
- Support a diverse mobile ecosystem: securely manage iOS, Android, Windows, and macOS devices from a single, unified solution.
- Achieve IT efficiencies in the cloud: focus time on business needs with a globally scalable cloud service that is always up to date.
- Protect data with or without device enrollment: create protection policies for apps that keep the client's organization safe without managing the users' devices.
Intuitive.cloud learned valuable lessons during the implementation, including:
- The project gave us the opportunity to explore various configurations and take advantage of what we found.
- Communicating well helped stakeholders and team members develop trust.
- We were able to take appropriate decisions on project deliverables.
- Following best practices helped us deliver a better solution and saved time.
- Clear communication with stakeholders and the board allowed us to report project status on time and complete the project on schedule.
This case study demonstrates that with a well-planned implementation strategy and a commitment to continuous improvement, integrating modern management technologies can deliver significant benefits for a technology-driven enterprise. The customer now has a modern, flexible, and user-friendly workplace, and the change has relieved the IT department of constantly increasing administrative effort. With the new solution, employees no longer need to be present at their company location to receive a configured device, and a new user can be onboarded to the company network externally over the Internet.