{"id":91142,"date":"2020-05-26T11:00:49","date_gmt":"2020-05-26T18:00:49","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=91142"},"modified":"2023-09-26T08:55:02","modified_gmt":"2023-09-26T15:55:02","slug":"zero-trust-deployment-guide-for-devices","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/05\/26\/zero-trust-deployment-guide-for-devices\/","title":{"rendered":"Zero Trust Deployment Guide for devices"},"content":{"rendered":"

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure that it has a trusted identity, that security policies are applied to it, and that its risk level for threats like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block its access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered: new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This will help ensure your data is better protected and users are at less risk of being denied access due to device health and/or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules. Options below: