This project, built on Microsoft Azure, was about creating a process for data leakage prevention (DLP) using the latest technologies while limiting access from non-work devices.
Working for a financial institution, accessing "company data" outside of the company walls or the VPN was unheard of. Attending a few larger Microsoft conferences in 2016, I was amazed by the "new" technologies in Azure that would allow a user to access company data from anywhere, with certain controls set by IT and Security in place.
This is one of the slides that really helped me see the power of this technology...
The requirements around this project were the following...
The first thing we had to tackle was deciding whether to go with an MDM (mobile device management) or MAM (mobile application management) setup. Both options had pros and cons, but in the end we chose MAM, mainly because most of our users have personal devices: MAM manages the company apps and their data rather than enrolling the whole device.
The next big hurdle was how: how would we control company data on both desktops and mobile devices? The answer was Azure AD Conditional Access, with Microsoft Intune adding further policies for mobile. Azure AD allowed us to create a policy that, for example, required a device to be "domain-joined" in order to access the Microsoft Outlook client. Using Azure AD Connect we synced our domain computers to our Azure AD environment, where they are labeled "Hybrid Azure AD joined", so Conditional Access would recognize each of those devices as "domain-joined".
Intune app protection policies allowed us to block personal mobile apps from touching managed mobile apps. For example, we set the following rule on all mobile devices...
These settings allow Microsoft apps to talk with other Microsoft apps and only let users save files to two locations.
An example of what this policy would not allow you to do is copy text from an email in Outlook (a Microsoft app) and paste it into the iPhone Notes app (a non-Microsoft app). Attempting to paste into a non-managed app displays "Your organization's data cannot be pasted here." Likewise, you could only save company data to a SharePoint site or OneDrive location and not to the personal device.
From Azure AD we created a series of policies, including the following, and their purpose:
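To make the two controls described above concrete (the Conditional Access rule that requires a Hybrid Azure AD joined device for Outlook, and the Intune app protection policy that confines clipboard data and "Save As" to managed apps and approved storage), here is an added example that is not part of the original write-up and not the author's or Microsoft's code. The two policy bodies use the property names and enum values of the Microsoft Graph API (`conditionalAccessPolicy` and `iosManagedAppProtection`), and the Exchange Online application ID is the well-known one Outlook authenticates against. The small evaluator below them is my own simplification of how those settings are enforced; the device signal names it uses (`hybridAzureADJoined`, `compliant`, `mfaClaim`) are constructed for the example.

```python
"""Conditional Access + Intune MAM policy bodies (Microsoft Graph JSON shape)
with a local evaluator that mirrors the behaviour the write-up describes.
Added example; the evaluator is a simplification, not the real service."""

# Well-known application ID for Office 365 Exchange Online (what Outlook talks to).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Body for POST /identity/conditionalAccess/policies: everyone reaching Exchange
# Online must sign in from a Hybrid Azure AD joined ("domain-joined") device.
CA_POLICY = {
    "displayName": "Require Hybrid Azure AD joined device for Exchange Online",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]},
}

# Body for POST /deviceAppManagement/iosManagedAppProtections: managed apps may
# only exchange data with other managed apps, and "Save As" is limited to
# OneDrive for Business and SharePoint (the "2 locations" in the text).
MAM_POLICY = {
    "displayName": "Corporate data - iOS app protection",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedApps",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
}

# Constructed mapping: which device/session signal satisfies each grant control.
CONTROL_SATISFIED_BY = {
    "domainJoinedDevice": "hybridAzureADJoined",
    "compliantDevice": "compliant",
    "mfa": "mfaClaim",
}


def ca_allows_sign_in(policy, target_app_id, device_signals):
    """Return True if a sign-in to target_app_id from a device carrying the
    given set of signals passes the Conditional Access policy."""
    if policy["state"] != "enabled":
        return True
    scoped_apps = policy["conditions"]["applications"]["includeApplications"]
    if "All" not in scoped_apps and target_app_id not in scoped_apps:
        return True  # the policy does not apply to this application
    grant = policy["grantControls"]
    satisfied = [CONTROL_SATISFIED_BY[c] in device_signals for c in grant["builtInControls"]]
    return any(satisfied) if grant["operator"] == "OR" else all(satisfied)


def mam_paste_allowed(policy, source_managed, destination_managed):
    """Clipboard check between a managed (policy-protected) app and another app.
    Outlook -> Notes is managed -> unmanaged; Notes -> Outlook is the reverse."""
    if source_managed and not destination_managed:
        # Copying out of a managed app: only "allApps" lets it reach personal apps.
        return policy["allowedOutboundClipboardSharingLevel"] == "allApps"
    if not source_managed and destination_managed:
        # Pasting into a managed app: open inbound, or the "paste in" clipboard level.
        return (policy["allowedInboundDataTransferSources"] == "allApps"
                or policy["allowedOutboundClipboardSharingLevel"] == "managedAppsWithPasteIn")
    return True  # managed -> managed and personal -> personal are unaffected


def mam_save_allowed(policy, location):
    """'Save As' from a managed app: when saveAsBlocked is set, only the listed
    storage services remain available; localStorage (the device) is not one of them."""
    if policy["saveAsBlocked"]:
        return location in policy["allowedDataStorageLocations"]
    return True


if __name__ == "__main__":
    print("Outlook from hybrid-joined PC:", ca_allows_sign_in(CA_POLICY, EXCHANGE_ONLINE_APP_ID, {"hybridAzureADJoined"}))
    print("Outlook from personal PC:    ", ca_allows_sign_in(CA_POLICY, EXCHANGE_ONLINE_APP_ID, set()))
    print("Paste Outlook -> Notes:      ", mam_paste_allowed(MAM_POLICY, True, False))
    print("Save to OneDrive:            ", mam_save_allowed(MAM_POLICY, "oneDriveForBusiness"))
    print("Save to device:              ", mam_save_allowed(MAM_POLICY, "localStorage"))
```

The policy dictionaries can be serialized with `json.dumps` and sent to the Graph endpoints named in the comments; the evaluator only exists so the effect of each setting can be checked offline, which is also a useful way to review a proposed policy change before it is applied.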