Mobile Security: Microsoft Intune Configuration Frameworks and NIST Guidelines for Enterprises

This blog outlines various Microsoft Intune configuration frameworks for securing mobile devices, including the APP data protection configuration, iOS/iPadOS security configuration, and Android Enterprise security configuration. It provides detailed recommendations for different security levels based on device ownership and usage scenarios, along with corresponding GitHub links. Additionally, it references NIST guidelines for managing mobile device security in enterprises, offering comprehensive insights and solutions.


Content

  1. APP data protection configuration framework
  2. iOS/iPadOS security configuration framework
  3. Android Enterprise security configuration framework
  4. Device Compliance security configuration framework
  5. NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise
  6. NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)


APP data protection configuration framework

The APP data protection configuration framework is structured into three distinct configuration scenarios:

Enterprise Basic Data Protection (Level 1): This configuration is recommended as the minimum data protection setting for an enterprise device.

Enterprise Enhanced Data Protection (Level 2): This configuration is advised for devices used to access sensitive or confidential information. It is relevant for most mobile users accessing work or school data, with potential impacts on user experience due to certain controls.

Enterprise High Data Protection (Level 3): This configuration is suggested for devices operated by an organization with a larger or more advanced security team, or for specific users or groups facing uniquely high risks, for instance users identified as handling data whose theft could directly and significantly impact the organization's stock price. This configuration is suitable for organizations likely to be targeted by well-funded and sophisticated adversaries.

https://github.com/microsoft/Intune-Config-Frameworks/tree/master/AppProtectionPolicies


iOS/iPadOS security configuration framework

The iOS/iPadOS security configuration framework is structured into various configuration scenarios, offering guidance for personally owned and supervised devices.


Personally owned devices:

Basic Security (Level 1): This configuration is advised as the minimum security setup for personal devices where users access work or school data. It involves enforcing password policies, device lock characteristics, and disabling specific device functions (e.g., untrusted certificates).

Enhanced Security (Level 2): This configuration is suggested for devices used to access sensitive or confidential information. It includes data sharing controls and is relevant to most mobile users accessing work or school data on a device.

High Security (Level 3): This configuration is recommended for devices used by specific users or groups facing unique high risks, such as those handling highly sensitive data where unauthorized disclosure could lead to significant material loss for the organization. It enforces stronger password policies, disables specific device functions, and introduces additional data transfer restrictions.

https://github.com/microsoft/Intune-Config-Frameworks/tree/master/iOS/Personal


Supervised devices:

Basic security (Level 1): This configuration is suggested as the baseline security setup for supervised devices used to access work or school data. It involves enforcing password policies, device lock characteristics, and deactivating specific device functions (e.g., untrusted certificates).

Enhanced security (Level 2): This configuration is recommended for devices handling sensitive or confidential information. It implements controls for data sharing and restricts access to USB devices. It is suitable for the majority of mobile users accessing work or school data on a device.

High security (Level 3): This configuration is advised for devices assigned to specific users or groups facing exceptional risks, for instance users dealing with highly sensitive data where unauthorized disclosure could result in significant material loss to the organization. This configuration enforces more robust password policies, deactivates specific device functions, introduces extra data transfer restrictions, and mandates app installations through Apple’s volume purchase program.

https://github.com/microsoft/Intune-Config-Frameworks/tree/master/iOS/Supervised


Android Enterprise security configuration framework

The Android Enterprise security configuration framework is structured into various configuration scenarios, offering guidance for work profile and fully managed situations.


Android Enterprise work profile devices:

Work Profile Enhanced Security (Level 2): This configuration is proposed as the minimum security setting for personal devices where users access work or school data. It is suitable for most mobile users, although some controls may have an impact on the user experience.

Work Profile High Security (Level 3): This configuration is recommended for devices allocated to specific users or groups facing exceptional risks, such as those handling highly sensitive data where unauthorized disclosure could result in substantial material loss to the organization. Organizations likely to be targeted by well-funded and sophisticated adversaries should consider adopting this configuration.

https://github.com/microsoft/Intune-Config-Frameworks/blob/master/AndroidEnterprise/WorkProfile/README.md


Android Enterprise fully managed devices:

Fully managed basic security (Level 1): This configuration is proposed as the baseline security setting for an enterprise device. It is suitable for most mobile users accessing work or school data, although some controls may influence the user experience.

Fully managed enhanced security (Level 2): This configuration is suggested for devices handling sensitive or confidential information. While some controls may affect the user experience, it is recommended for users accessing such types of data.

Fully managed high security (Level 3): This configuration is recommended for devices assigned to specific users or groups facing exceptional risks, for instance users dealing with highly sensitive data where unauthorized disclosure could lead to substantial material loss for the organization. Organizations likely to be targeted by well-funded and sophisticated adversaries should consider adopting this configuration.

https://github.com/microsoft/Intune-Config-Frameworks/tree/master/AndroidEnterprise/FullyManaged


Device Compliance security configuration framework

Enhanced security (Level 2): This configuration is advised as the minimum security setting for personally owned and supervised devices where users access work or school data. It involves enforcing password policies and verifying that the device is not jailbroken. This configuration is suitable for the majority of mobile users accessing work or school data on a device.

High security (Level 3): This configuration is recommended for devices allocated to specific users or groups facing exceptional risks, such as those handling highly sensitive data where unauthorized disclosure could result in substantial material loss to the organization. This configuration implements more robust password policies and necessitates a mobile threat defense solution.

https://github.com/microsoft/Intune-Config-Frameworks/tree/master/iOS/Compliance
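As an added illustration of the two compliance tiers above (not code from Microsoft's framework repository), the following Python audit checks an exported iOS compliance policy against Level 2 and Level 3 expectations. Property names follow the Microsoft Graph iosCompliancePolicy resource; the sample policy and the numeric thresholds are constructed assumptions, since the page states the requirements only qualitatively.

```python
import json

# Constructed sample export of an Intune iOS compliance policy. Property names are
# assumed to match the Microsoft Graph iosCompliancePolicy resource; values are made up.
SAMPLE_POLICY = json.loads("""{
  "@odata.type": "#microsoft.graph.iosCompliancePolicy",
  "displayName": "iOS Compliance - Enhanced (constructed)",
  "passcodeRequired": true,
  "passcodeBlockSimple": true,
  "passcodeMinimumLength": 6,
  "passcodeRequiredType": "numeric",
  "securityBlockJailbrokenDevices": true,
  "deviceThreatProtectionEnabled": false,
  "deviceThreatProtectionRequiredSecurityLevel": "unavailable"
}""")

# Thresholds below are assumptions for illustration: the page only says Level 2 enforces
# a password policy and a jailbreak check, and Level 3 strengthens passwords and requires MTD.
LEVEL_CHECKS = {
    2: [
        ("passcodeRequired", lambda v: v is True, "passcode must be required"),
        ("passcodeBlockSimple", lambda v: v is True, "simple passcodes must be blocked"),
        ("passcodeMinimumLength", lambda v: isinstance(v, int) and v >= 6, "minimum length >= 6"),
        ("securityBlockJailbrokenDevices", lambda v: v is True, "jailbroken devices must be blocked"),
    ],
    3: [
        ("passcodeMinimumLength", lambda v: isinstance(v, int) and v >= 8, "minimum length >= 8"),
        ("passcodeRequiredType", lambda v: v == "alphanumeric", "alphanumeric passcode required"),
        ("deviceThreatProtectionEnabled", lambda v: v is True, "mobile threat defense must be required"),
        ("deviceThreatProtectionRequiredSecurityLevel",
         lambda v: v in ("secured", "low", "medium", "high"), "MTD risk threshold must be set"),
    ],
}


def audit_policy(policy: dict, level: int) -> list[str]:
    """Return findings for a policy at the given level; Level 3 includes the Level 2 checks."""
    findings = []
    for lvl in range(2, level + 1):
        for key, ok, message in LEVEL_CHECKS[lvl]:
            value = policy.get(key)  # a missing key is treated as unset and fails the check
            if not ok(value):
                findings.append(f"Level {lvl}: {key}={value!r}: {message}")
    return findings


if __name__ == "__main__":
    for level in (2, 3):
        gaps = audit_policy(SAMPLE_POLICY, level)
        print(f"{SAMPLE_POLICY['displayName']} vs Level {level}:", gaps or "compliant")
```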


NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise

This publication guides organizations in managing and securing the pervasive use of mobile devices in enterprises, covering technologies, strategies, and recommendations for deployment, usage, and disposal across the entire mobile device lifecycle, including both organization-provided and personally owned scenarios.

https://csrc.nist.gov/pubs/sp/800/124/r2/final


NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)

This practice guide addresses the security and privacy challenges associated with Bring Your Own Device (BYOD) deployments, offering an example solution that leverages standards-based, commercially available products to enhance protection while maintaining flexibility in organizational workflows.

https://csrc.nist.gov/pubs/sp/1800/22/final
