IBM Support

Office 365 Use Case Guidance

White Papers


Abstract

Use Case - Customer wants to deploy an Office 365 App (e.g. Teams, Outlook, OneDrive) and use MaaS360 to manage application distribution and security.

The following provides a high-level solution and some relevant links.

Content

Microsoft 365 Use Case Guidance

Use Case - Customer wants to deploy a Microsoft 365 App (e.g. Teams, Outlook, OneDrive) and use MaaS360 to manage application distribution and security.

MaaS360 UEM can support your M365 app deployments by enabling secure distribution, management and access control for all M365 apps and services. Read on to understand how to accomplish this.

The following provides a high-level solution and some relevant links.

  1. Deploy Applications – Get the app to the right users and use MDM controls to manage and secure the application data.
    1. Use the MaaS360 App Catalog to publish and distribute the app to the appropriate users, devices and groups. Apps distributed through the MaaS360 Enterprise catalog become "Managed", and flags can be set to dictate policy controls such as removing the app (and its data) when MDM control is removed.
    2. On iOS, make sure that "Allow Open from Managed to Unmanaged apps" and "Allow Open from Unmanaged to Managed apps" are set to No if you have Data Loss Prevention concerns; these correspond to the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged keys of the Apple Restrictions payload. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/tasks/pag_apps_add_ios_enterprise.htm
    3. If there is a concern about data security on Android, use the Android Enterprise Managed Profile (work profile) capability and the managed Google Play store to deploy the apps to the Managed Profile only. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/concepts/afw_managing_apps_for_afw.htm

  2. Control Access - Depending on the identity and conditional access solution being used, there are options for controlling access to the app and adding MFA to the login process.
    1. Azure AD Conditional Access – Many customers control access to Microsoft 365 services using Azure AD Conditional Access. MaaS360 integrates with the Microsoft Endpoint Manager compliance partner framework (https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-partners) to sync MaaS360 device compliance data to Azure AD, so that MaaS360 device data can be used in Azure AD Conditional Access device trust rules ("Require device to be marked as compliant"). When enabled, MaaS360 syncs device trust information (isEnrolled, isCompliant) for each activated device to its Azure AD device record, and Conditional Access rules can then require a MaaS360-compliant device. In addition, MFA can be enabled in the Azure AD console and, optionally, an Azure AD Conditional Access rule requiring MFA can be applied. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
    2. SAML Federation (Ping, Okta, IBM Security Verify) – MaaS360 can leverage IdP integration to ensure that only trusted devices connect to your deployed SaaS apps, including all M365 apps and services. For the Microsoft 365 apps to be controlled this way, the Microsoft 365 tenant must be federated to the target IdP. This has likely already been done and is beyond the scope of this article. Once the target Microsoft 365 app is configured as an application in the IdP, access rules and an MFA policy can be applied, as summarized in the table below.

Identity Provider | Access Rules | MFA
Okta | Using the Okta/MaaS360 integration, device trust policies can be configured. See https://exchange.xforce.ibmcloud.com/hub/extension/1766bcfe43278fb5d32360f2f011eb0c | Use Okta MFA or other (e.g. Duo).
Ping | Ping can be configured for various user and application trust access rules. See the Ping documentation. | Use Ping MFA or other.
IBM Cloud Identity (IBM Security Verify) | Use the native MaaS360/Cloud Identity integration for native app SSO and conditional access. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/concepts/mc_ci_overview.htm | Use IBM Verify or other MFA.
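The Azure AD Conditional Access option above, written out as an added example with the Microsoft Graph PowerShell SDK. This is not code from the IBM article or from MaaS360. It assumes the MaaS360 compliance partner integration is already enabled for iOS and Android, that the Microsoft.Graph PowerShell modules are installed, and that an emergency-access group named "Break Glass Accounts" exists; the group name and the policy display name are placeholders to adjust. The example goes one step beyond the text: it lists the devices the rule would block before the rule is enforced, creates the rule in report-only mode, and then reads the report-only results from the sign-in log.

```powershell
# Added example, not part of the IBM article. Assumes the MaaS360 compliance partner
# integration is already writing isCompliant / isManaged to Azure AD device objects.
Connect-MgGraph -Scopes "Device.Read.All", "Group.Read.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# 1. Inspect what the partner sync has written before enforcing anything. A device whose
#    record is missing or has isCompliant null/false can never satisfy "compliantDevice".
$mobile = Get-MgDevice -All -Property displayName, operatingSystem, isManaged, isCompliant, approximateLastSignInDateTime |
    Where-Object { $_.OperatingSystem -match '^(iOS|Android)' }
$wouldBeBlocked = $mobile | Where-Object { -not $_.IsCompliant }   # null (never synced) or false
$wouldBeBlocked | Select-Object DisplayName, OperatingSystem, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Format-Table -AutoSize

# 2. Create the rule: Office 365 apps, all users except the break-glass group,
#    iOS and Android, grant only when the device is compliant AND MFA was satisfied.
#    "Break Glass Accounts" is an assumed group name; use your own emergency-access group.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"

$policy = @{
    displayName   = "M365: require MaaS360-compliant device and MFA"   # placeholder name
    state         = "enabledForReportingButNotEnforced"                # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }    # the Office 365 app group
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created report-only policy $($created.Id)"

# 3. Run this after sign-ins have accumulated: every reportOnlyFailure is a session the
#    rule would have blocked. Switch state to "enabled" only when this list is expected.
$reportOnlyFailures = Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' } } |
    Select-Object UserPrincipalName, AppDisplayName,
        @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } },
        @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } }
$reportOnlyFailures | Format-Table -AutoSize
```

Keep the policy in report-only mode until the report shows only the failures you expect. Devices that are enrolled in MaaS360 but have no Azure AD device record also appear as failures, because the compliantDevice control is evaluated against the Azure AD device object, not against MaaS360 directly.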

  3. Secure Data – Use MaaS360 and Microsoft 365 application protection technology to secure and contain application data, depending on risk tolerance.

    1. Depending on the risk tolerance for users leaking sensitive data from Microsoft 365 applications, a combination of controls can be applied. For customers with a moderate risk tolerance, MaaS360 can apply a reasonable set of controls that prevents most data loss scenarios (see the tables below).

If a higher level of control is required because risk tolerance is lower, Microsoft technology is required to prevent users from using cut/copy/paste to and from non-sanctioned apps and from saving files to unauthorized cloud services. This technology is called "Intune App Protection" (app protection policies). See https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

These policies can be managed from the Microsoft Endpoint Manager console or from MaaS360, which can create, manage and deploy them. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/tasks/intune_app_policies_config.htm

The following tables list the desired DLP policies and how they might be applied on iOS and Android Enterprise devices.

      1. DLP capabilities required to protect data in Microsoft applications on iOS managed devices.

Assumptions

  • Devices are enrolled in MDM.
  • Apps are distributed from the Enterprise App Store and are managed iOS apps.
  • "Allow Open from Managed to Unmanaged apps" and "Allow Open from Unmanaged to Managed apps" are set to No.

DLP Feature | MDM Settings | MaaS360 Persona Policy | Intune App Protection | Recommendation for Risk Averse DLP
iCloud/iTunes backups | Managed apps are not backed up by default. | MaaS360 Persona Policy default. | Data Transfer Policy - Restrict Backups. | Use iOS MDM policy.
Send data to other apps | Managed App Open-In | Persona Policy - allowlist Microsoft apps. | Data Transfer Policy - Allow Policy managed apps | Use iOS and MaaS360 policies to limit data sharing.
Receive data from other apps | Managed App Open-In | Persona Policy - allowlist Microsoft apps. | Data Transfer Policy - All apps with incoming Org data | Use iOS and MaaS360 policies to limit data sharing.
Save As to Cloud Services | NA - MDM cannot influence | Persona Policy - Restrict export of managed content and email attachments | Data Transfer Policy - Save copies of Org data | ** Use MaaS360 Persona Policies and Intune App Protection (only if there is a concern about "Save As" to cloud services)
Cut/Copy/Paste | NA - MDM cannot influence | Persona Policy - Restrict Clipboard Export | Data Transfer Policy - Policy managed apps. | ** Use MaaS360 Persona Policies and Intune App Protection (only if there is a concern about cut/copy/paste)
Encrypt | Device-level encryption | On by default | Encrypt Org data | Use iOS policy.
Contacts, Printing, Browser | NA | As needed | As needed | These settings do not influence interaction between MaaS360 and Microsoft apps.

** The user may require an Intune license.

 

      2. DLP capabilities required to protect data in Microsoft applications on Android Enterprise managed devices.

Assumptions

  • Device is activated in Android Enterprise Profile Owner (work profile) or COPE mode.
  • Apps are distributed from the Enterprise App Store using the managed Google Play store.
  • Android Enterprise settings are configured to limit data sharing to Managed Profile apps only.

DLP Feature | MDM Settings | MaaS360 Persona Policy | Intune App Protection | Recommendation for Risk Averse DLP
Cloud backups | "Allow Backup to Google" set to off. | MaaS360 Persona Policy default. | Data Transfer Policy - Backup Org data to Android backup services | Use AE Managed Profile to limit data sharing.
Send data to other apps | Managed Profile controls. | Persona Policy - allowlist Microsoft apps. | Data Transfer Policy - Allow Policy managed apps | Use AE Managed Profile to limit data sharing.
Receive data from other apps | Managed Profile controls. | Persona Policy - allowlist Microsoft apps. | Data Transfer Policy - All apps with incoming Org data | Use AE Managed Profile to limit data sharing.
Save As to Cloud Services | NA - Managed Profile cannot influence | Persona Policy - Restrict export of managed content and email attachments | Data Transfer Policy - Save copies of Org data | ** Use MaaS360 Persona Policies and Intune App Protection (only if there is a concern about "Save As" to cloud services)
Cut/Copy/Paste | Managed Profile controls. | Persona Policy - Restrict Clipboard Export | Data Transfer Policy - Policy managed apps. | Use AE Managed Profile to limit data sharing.
Encrypt | Device-level encryption | On by default | Encrypt Org data | Use AE Managed Profile to limit data sharing.
Contacts, Printing, Browser | Managed Profile controls. | As needed | As needed | Use AE Managed Profile to limit data sharing.

** The user may require an Intune license.
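The "Intune App Protection" column of the iOS and Android tables above, encoded as two app protection policies through the Microsoft Graph REST API. This is an added example, not code from the IBM article; the article notes that MaaS360 can create and deploy these policies itself, and this script calls Graph directly only so that each table row maps to a visible setting. It assumes the Microsoft.Graph PowerShell SDK is installed and an administrator with the DeviceManagementApps.ReadWrite.All permission; the policy display names are placeholders, and the app identifiers are Microsoft's published iOS bundle IDs and Android package IDs for Outlook, Teams and OneDrive. For "Receive data from other apps" the script chooses the stricter "Policy managed apps" value rather than the table's "All apps with incoming Org data".

```powershell
# Added example, not part of the IBM article. Creates the risk-averse iOS and Android
# app protection policies from the DLP tables and targets them at the Microsoft apps.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement"

# Settings shared by iOS and Android (managedAppProtection properties), keyed to the table rows.
$riskAverse = @{
    dataBackupBlocked                       = $true          # backups row: "Restrict Backups"
    allowedOutboundDataTransferDestinations = "managedApps"  # send data: "Policy managed apps"
    allowedInboundDataTransferSources       = "managedApps"  # receive data: stricter than the table's
                                                             # "All apps with incoming Org data" option
    allowedOutboundClipboardSharingLevel    = "managedApps"  # cut/copy/paste: "Policy managed apps"
    saveAsBlocked                           = $true          # save-as row: "Save copies of Org data"
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    contactSyncBlocked                      = $true          # contacts/printing/browser row, "as needed"
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true
    organizationalCredentialsRequired       = $true
    pinRequired                             = $true
    deviceComplianceRequired                = $true          # ties the app policy to MDM compliance
}

$iosPolicy = $riskAverse + @{
    displayName           = "Risk-averse DLP - iOS Microsoft 365 apps"    # placeholder name
    appDataEncryptionType = "whenDeviceLocked"                             # encrypt row: "Encrypt Org data"
}
$androidPolicy = $riskAverse + @{
    displayName          = "Risk-averse DLP - Android Enterprise Microsoft 365 apps"  # placeholder name
    encryptAppData       = $true                                                       # encrypt row
    screenCaptureBlocked = $true
}

# Published identifiers for the apps named in the article (Outlook, Teams, OneDrive).
$iosApps     = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive")
$androidApps = @("com.microsoft.office.outlook", "com.microsoft.teams", "com.microsoft.skydrive")

function New-AppProtectionPolicy {
    param(
        [string]$Collection,      # iosManagedAppProtections or androidManagedAppProtections
        [hashtable]$Body,
        [string]$IdentifierType,  # #microsoft.graph.iosMobileAppIdentifier or androidMobileAppIdentifier
        [string]$IdentifierKey,   # bundleId (iOS) or packageId (Android)
        [string[]]$AppIds
    )
    $created = Invoke-MgGraphRequest -Method POST -Uri "$base/$Collection" `
        -ContentType "application/json" -Body ($Body | ConvertTo-Json -Depth 5)

    # Target the Microsoft apps; without this step the policy protects nothing.
    $targets = @{ apps = @($AppIds | ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = $IdentifierType; $IdentifierKey = $_ } }
    }) }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$Collection/$($created.id)/targetApps" `
        -ContentType "application/json" -Body ($targets | ConvertTo-Json -Depth 6) | Out-Null
    return $created.id
}

$iosId = New-AppProtectionPolicy -Collection "iosManagedAppProtections" -Body $iosPolicy `
    -IdentifierType "#microsoft.graph.iosMobileAppIdentifier" -IdentifierKey "bundleId" -AppIds $iosApps
$androidId = New-AppProtectionPolicy -Collection "androidManagedAppProtections" -Body $androidPolicy `
    -IdentifierType "#microsoft.graph.androidMobileAppIdentifier" -IdentifierKey "packageId" -AppIds $androidApps
"iOS policy: $iosId`nAndroid policy: $androidId"
```

The policies are created but not yet assigned; they take effect only after being assigned to a user group, and, as the tables note, the targeted users need an Intune license for the app protection settings to apply.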


Document Information

Modified date:
01 March 2021

UID

ibm16147735