Unifying security policy across all mobile form-factors with Wandera and Microsoft

The way we work is evolving—technology enables more effective employees by helping them to be productive where and when they choose. Businesses have also been enjoying the productivity benefits of an always-on and always-connected workforce.

While new business applications and device form-factors helped to accelerate these changes, organizations are now discovering the challenges with managing security and compliance policies in the modern workplace. As devices physically leave the corporate campus, administrators need tools to effectively manage end user applications and the corresponding access to company data; this is a particularly complex challenge for businesses who manage mobile devices running a variety of operating systems with significantly different management capabilities.

Mobile devices also introduce new IT challenges that can seriously impact business operations, such as:

  • Legacy security infrastructure such as Secure Web Gateways aren’t built for mobile devices, and backhauling traffic isn’t feasible for enforcing acceptable use policies, meaning that inappropriate content could be accessed, or shadow IT tools used, potentially creating legal liability for the business.
  • Insecure apps and content risks such as mobile phishing represent new attack vectors; modern app distribution methods and mobile-specific attack vectors (e.g., SMS, WhatsApp, Facebook Messenger) represent significantly expanded surface area that IT teams must now protect.
  • Excessive mobile data usage can lead to bill shock and result in unexpected financial risk for businesses of all sizes.

The modern business needs to manage risk in the simplest and most effective way, while simultaneously enabling worker productivity. Embracing tools that meet the needs of mobile work will improve employee and organizational productivity, and ultimately make the business more agile.

Mobility comes in many form factors and OSs, leading to admin complexity

The explosion in the number of iOS and Android smartphones and tablets sold over the last decade is a testament to their revolutionary impact in providing always-on communication, productivity, and organizational tools. Mobility has been great for businesses; according to Frost and Sullivan, portable devices increase productivity on work tasks by 34 percent and save employees 58 minutes per day.

While smartphones have been at the forefront of transforming personal productivity and improving business operations, they are not the only form-factor available for work that is performed on-the-go. Many worker tasks, such as manipulating large data sets or refining high resolution images, require specialized hardware such as a large display or a trackball to optimize the user experience and efficiency. A different type of mobile tool is needed for certain remote workers with job-specific tasks.

Windows devices have long been a key tool for enabling office employees, and in recent years, laptops have become lightweight and highly portable, making them as versatile as mobile devices. Many laptops now also include a physical SIM or eSIM to enable always-on connectivity, and the 2-in-1 form factor is proving to be a popular choice for office workers because of the resulting flexibility in working style.

Challenges managing a diverse mobile workforce go beyond the device

Supporting Windows devices outside of the office creates new challenges for IT teams—principally, how does the admin effectively manage users working remotely? Separate tools exist to manage apps and user access on different operating systems, creating management overhead. Additionally, Windows devices are typically attached to Wi-Fi and other unmetered networks where users are not constrained in how much data they can consume without penalty. As these devices are enabled for mobile data networks, these powerful systems need to be more intelligent in the way they consume data.

The difference in managing apps and data on mobile vs on Windows led to increased complexity for the admin. For example, Microsoft Word may be deployed via an Enterprise Mobility Management (EMM) solution such as Microsoft Intune on mobile, while on Windows, System Center Configuration Manager (SCCM) may be used. The different management infrastructures required for these tools have increased overhead and created challenges for IT teams maintaining more than one service to manage employees that simultaneously use mobile and Windows devices for working.

Any changes to users, such as employees joining or leaving the company, must be replicated across both tools. Additionally, the different tools have disparate controls, meaning that it is impossible to apply consistent security, acceptable use, and Conditional Access policies. Applying policies inconsistently can result in users receiving inappropriate privileges or disparate access to services across different form factors and operating systems. As a result, employees may be drawn to using a corporate-approved app on their Windows device but an unapproved consumer variant on their mobile device, leading to increased risk.

Strategies for effectively enabling a mobile workforce

It is just as important to protect users working remotely as it is to protect users within the network perimeter. Extending security policy in a consistent manner to mobile devices can be achieved with three services: a Unified Endpoint Management (UEM) service such as Microsoft Endpoint Manager, inclusive of both Microsoft Intune and Configuration Manager, an Identity and Access Management (IAM) service such as Azure Active Directory (AD), and a network-based risk management service such as the Wandera Mobile Security Suite that protects against cyber threats and usage risks.

Organizations looking to adopt this suite of services for unified policy should seek solutions that are deeply integrated in order to achieve a fully secure and manageable mobility stack. Wandera and Microsoft have partnered together to offer an integrated secure technology stack:

  • UEM services bridge the management gap between Windows and mobile devices. Microsoft Endpoint Manager enables administrators to push applications and configuration profiles to enable homogeneous management across both mobile and Windows devices.
  • Pairing Microsoft Endpoint Manager with Azure AD means that the profiles can be managed at a user level, instead of at the device level, further improving management consistency.
  • Wandera Mobile Security Suite allows administrators to define security and acceptable use policies at the network level, agnostic to the device that is being used. This means that applications and websites can be whitelisted or blacklisted, preventing users from using dangerous or unapproved services regardless of device type.

For example, a business may choose to use OneDrive for storing files in the cloud and want to prevent other file sharing services from being used. Microsoft Endpoint Manager and Azure AD can be used to push and configure the OneDrive application to the Windows and mobile devices, enabling employees to use this service. Wandera Mobile Security Suite can then be used in tandem to prevent employees from using other services such as Dropbox, preventing the user from accessing shadow IT in the form of application and web browser versions.

Many organizations have found that the lack of consistent controls create new attack surfaces that hackers use to penetrate the organization and mischievous employees abuse to circumvent IT policies. It is not uncommon for users to be blocked by acceptable use policies as they browse to unsanctioned content from a desktop computer, only to enable tethering on a mobile device to circumvent the policy.

Managing different technologies and applying different policies creates undue complexity for admin teams and prevents business flexibility, potentially leading to overlooked security gaps. Wandera Mobile Security Suite’s in-network security technology allows content security policies to be applied consistently across different device types. This means that phishing attacks, which are how 90 percent of data breaches begin, can be prevented regardless of device type. Mobile Security Suite is also able to block spam sites and stop malware communicating with command-and-control (C2) servers.

Mobile data management is another area of disparate control for businesses. The rich set of features in Wandera Mobile Security Suite for managing data usage on mobile devices can help an organization prevent bill shock caused by data overages or roaming on any iOS, Android, or Windows 10 device, with detailed and holistic reporting so businesses can understand how they use data and where risk may enter through mobile usage.

Better together—Microsoft and Wandera

Businesses can benefit from the strong integration between Microsoft Endpoint Manager, Azure AD, and Wandera Mobile Security Suite, making device management processes seamless. The combined solution streamlines device lifecycle management, involves a single source-of-truth for users and roles that is applied consistently between products, and makes security policies more intelligent and effective by ensuring that all components in the solution are sharing intelligence to remediate threat as soon as it’s detected.

Using Azure AD to centrally manage user identities simplifies administration, as credentials do not need to be created across multiple systems. When an employee is added in Azure AD, a profile will automatically be created in Microsoft Endpoint Manager, enabling their devices to be managed. In turn, Wandera Mobile Security Suite can be integrated with Microsoft Endpoint Manager so that the same acceptable use, content security, and data management policies can be applied seamlessly. This workflow functions when an employee leaves the business, unenrolling them from all services, making integration of services an easy way to manage a device’s lifecycle and ensuring that sensitive data remains secure

The integrated solution also enables differentiated access for users through applying policies by role. The three services can be linked directly so that an organization’s directory hierarchy can be shared, and acceptable use policies applied to the user level simply and easily.

Enabling employees is very important for productivity, but equally as important is preventing unwanted parties accessing confidential information and critical systems. Infecting an endpoint is an easy way for malicious parties to infiltrate a businesses’ technology systems.

The integrated solution also incorporates risk signals from a variety of sources to ensure that the user, device, and data are safe. Microsoft Endpoint Manager provides a risk assessment of the device configuration, including whether the lockscreen is configured properly. Azure AD is able to determine when sign-in behavior is anomalous or risky, through signals integration with Azure AD Identity Protection. Wandera Mobile Security Suite provides an added set of security assessments on the device that includes vulnerability scans, app vetting, and Man-in-the-Middle checks. All of these risk signals are brought together through a single Conditional Access policy.

Best practices for mobility management with iOS, Android, and Windows 10 devices

As mobile employees are enabled with mobile iOS, Android, and Windows 10 devices, businesses need to embrace technology that will give admins the necessary controls to effectively manage employee devices consistently. Businesses need to be able to manage productivity tools, by providing access to acceptable applications and blocking unwanted applications. Organizations need to provide strong security across devices to close gaps in their defenses and prevent common threats from impacting business operations. Finally, businesses should ensure that Windows devices do not cause unexpected data charges by employing cost control tools.

To be able to effectively enforce acceptable use, content security, and control costs across a device fleet with many different device types, businesses should utilize integrated solutions that can support consistent management. Microsoft Endpoint Manager, Azure AD, and Wandera Mobile Security Suite provide features that organizations need to embrace a mobile fleet. Bringing these three services together creates a powerful joint solution that can improve businesses’ lifecycle management, policy application, and identity and security management.

Bookmark the Security blog to keep up with our expert coverage on security matters. Check out our security solutions that help to address these issues. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

READ MORE HERE