Author: Stuart McCulloch, Cyber Essentials assessor
This blog post focuses on options for implementing technical controls to manage personally owned or bring-your-own devices (BYOD) to meet the requirements of the Government’s Cyber Essentials (CE) scheme. We find that our sector is primarily Microsoft focused and so this blog covers their MDM solutions, but there are numerous others available. Please investigate your business requirements and make an informed decision.
Going forward, the National Cyber Security Centre (NCSC, the owner of the CE scheme) expects that controls for mobile devices are applied through technical means. Only small organisations (<50 staff) should seek to apply the CE controls via written policy, guidance and training with no technical controls in place, but they recommend applying technical controls if possible.
This means most education and research organisations need to start exploring technical options for managing mobile devices, rather than relying upon a policy- and guidance-based approach.
This advice should be considered alongside this previous post about CE’s BYOD requirements.
What does “technical controls” mean?
It’s expected that organisations will deploy some form of mobile device management (MDM) to control, monitor and enforce policies on devices used by staff for accessing organisational data and services.
In CE these controls apply to both devices provided and managed by the applicant organisation (company-owned, personally enabled (COPE) or company-owned, business-only (COBO)) and any BYOD implementations, where personally owned devices are used by staff for work purposes.
Typical MDM functionality includes device enrolment, the ability to control device configuration, protect data, monitor the status and compliance of devices and manage enterprise approved apps across a range of platforms and operating systems, used both within the organisation and remotely.
For CE it is also a requirement to maintain an inventory of all devices in use by staff, as part of an ongoing asset and lifecycle management strategy. This inventory must include details of the make, model and operating system for all corporately provided and personally owned devices used for work purposes, to ensure that all are in support at the time of the application.
Having visibility of and supporting the use of personal and mobile devices, while ensuring that their configuration is both appropriate and up to date, strikes the right balance between flexibility, usability and security.
What MDM tools are available?
Microsoft’s Basic Mobility and Security and/or InTune are included in most M365 education licensing arrangements. Typically, Microsoft 365 A3 licensing features both Azure Active Directory (AAD) P1 and InTune, both of which can help establish an asset register of all devices, as well as offering a technical means to apply the necessary CE controls.
There are some instances where CE’s controls cannot be applied via technical means (such as ensuring admin accounts are not used for web browsing and email) and a policy and guidance-based approach remains acceptable in these cases.
InTune or Basic Mobility and Security can help to ensure your approach to managing mobile devices is compliant with CE. The work profile functionality within InTune allows access to organisational data to be segregated from personal data to prevent copying and pasting between business and personal areas. However, without additional manual development in AAD/M365, it is not possible to directly reject authentication based on device make or model.
These tools also offer selective wiping control, allowing remote removal of organisational data without affecting any personal data on devices, and can restrict access to organisational services and data to specified approved apps.
While InTune helps organisations manage access to corporate apps, data, and resources, Company Portal is the app that allows staff to access those resources securely. Installing Company Portal supports the device use lifecycle, including enrolment, onboarding, access and offboarding when staff leave the organisation or change devices.
Implementation of these tools can capture device operating systems and allow or prevent access accordingly. Device operating system details must be provided as part of a CE application, so having this automation will help drive both efficiencies and compliance (personal information about device users does not need to be provided for CE). Always-on technical controls like these also continually mitigate the risk of devices running unsupported operating systems accessing your network and services, rather than relying on a manual check carried out once a year for a CE application, renewal or similar requirement.
In addition to operating systems, the make and model of all devices is required for CE compliance. This is because a currently supported operating system does not necessarily indicate that the device is still supported. For example, a phone or tablet may be running a currently supported version of Android, but if the manufacturer has discontinued support for that model, the operating system will no longer receive any feature or security updates, and therefore is no longer compliant.
Dynamic Groups and services such as Power Automate and SharePoint lists allow the creation of workflows and forms for staff to provide details of their devices. These tools enable the creation and vetting of a list of devices currently in use to ensure they are currently supported prior to a CE submission, allowing or denying access as appropriate. We have found https://www.which.co.uk/reviews/mobile-phones/article/mobile-phone-security-is-it-safe-to-use-an-old-phone-a6uXf1w6PvEN useful for checking whether mobile hardware is still supported.
Whilst InTune is an effective way of managing both corporate and personal devices, the time and resources required for the initial implementation mean many organisations are not yet at the stage of utilising it for full compliance with CE. Conditional Access can still be used without fully registering devices in InTune (for example, registering the device in AAD only, rather than fully enrolling it in InTune).
Bear in mind that this approach will not provide all the device information CE requires, as it will only record device operating system details. Organisations can filter device access based on policies for ownership status (personally owned or corporately provided) and whether a device is Hybrid Azure AD joined or Azure AD joined. Organisations can choose to allow access to these devices whilst preventing or restricting access from any device which does not match the required criteria.
To ensure compliance, all devices must be registered within InTune to allow for further granular controls through Conditional Access (CA). CA can be utilised to provide the remaining CE controls, such as minimum operating system versions for Windows, macOS, iOS and Android, ensuring devices are not jailbroken or rooted, minimum PIN code requirements (at least 6 digits), biometrics and password complexity. Application protection policies can be used to approve specific applications on devices for accessing organisational data and services too.
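As an added example (not code from the original post or from Microsoft), the following Microsoft Graph PowerShell script creates InTune compliance policies for iOS and Android work profile devices that express the controls just listed: a minimum OS version, no jailbroken or rooted devices, and a numeric PIN of at least 6 digits. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds the DeviceManagementConfiguration.ReadWrite.All permission; the OS version floors and policy names are example values to be set to the oldest versions still in support.

```powershell
# Added example: create CE-aligned Intune compliance policies via Microsoft Graph.
# Assumes the Microsoft Graph PowerShell SDK and DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Devices that fail any rule are marked non-compliant immediately (no grace period),
# so a Conditional Access policy that requires a compliant device will block them.
$blockImmediately = @(
    @{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    }
)

# iOS: OS version floor (example value), no jailbreak, numeric passcode of at least 6 digits.
$ios = @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "CE - iOS baseline"
    osMinimumVersion               = "16.0"      # example: set to the oldest supported version
    securityBlockJailbrokenDevices = $true
    passcodeRequired               = $true
    passcodeMinimumLength          = 6
    passcodeRequiredType           = "numeric"
    passcodeBlockSimple            = $true       # rejects 123456, 111111 and similar
    scheduledActionsForRule        = $blockImmediately
}

# Android work profile (the BYOD enrolment type): the same controls; "jailbroken" means rooted here.
$android = @{
    "@odata.type"                  = "#microsoft.graph.androidWorkProfileCompliancePolicy"
    displayName                    = "CE - Android work profile baseline"
    osMinimumVersion               = "12.0"      # example: set to the oldest supported version
    securityBlockJailbrokenDevices = $true
    passwordRequired               = $true
    passwordMinimumLength          = 6
    passwordRequiredType           = "atLeastNumeric"
    scheduledActionsForRule        = $blockImmediately
}

$uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
foreach ($policy in @($ios, $android)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
    # The policy has no effect until it is assigned to the BYOD device group.
    Write-Host "Created '$($created.displayName)' with id $($created.id); assign it before enforcing."
}
```

Make and model are not captured by these settings; they come from the enrolled device record, which is why full enrolment (rather than AAD registration alone) is needed for the CE inventory.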
The authorisation process for personal devices can be further secured by creating a Conditional Access policy which allows untrusted devices to register in Azure AD, but nothing more. Limiting an untrusted device to merely registering will prevent access to company resources until an untrusted device provides the required make/model information to Azure AD by full registration in InTune, allowing policies to be applied to that device.
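The "register but nothing more" pattern above, as an added example that is not part of the original post or Microsoft's own guidance: a Conditional Access policy created through Microsoft Graph that requires a compliant device for every cloud app except the InTune enrolment apps, on personally owned mobile devices. An unenrolled phone can therefore complete registration and enrolment, but reaches no organisational data until InTune reports it compliant. It assumes the Microsoft Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess permission, and a placeholder group id for your break-glass accounts; the two application ids are Microsoft's well-known first-party ids for Microsoft Intune and Microsoft Intune Enrollment and should be confirmed against the app picker in your own tenant.

```powershell
# Added example: Conditional Access policy that lets unenrolled BYOD phones reach only
# the Intune enrolment apps. Assumes Microsoft Graph PowerShell SDK and
# Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Well-known first-party app ids for Microsoft Intune and Microsoft Intune Enrollment;
# confirm them in your tenant before relying on them.
$intuneApps = @(
    "0000000a-0000-0000-c000-000000000000",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
)

$policy = @{
    displayName   = "CE - BYOD mobile: enrol before access"
    # Start in report-only mode; review the sign-in logs, then enable under change control.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-admins-group-id>")   # placeholder: your emergency-access group
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = $intuneApps                     # enrolment stays reachable
        }
        platforms    = @{ includePlatforms = @("android", "iOS") }
        # "exclude" mode applies the policy to every device NOT matching the rule, which
        # includes personally owned devices and devices that are not registered at all.
        devices      = @{
            deviceFilter = @{ mode = "exclude"; rule = 'device.deviceOwnership -eq "Company"' }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # satisfied only once Intune marks the device compliant
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.id) in report-only mode."
```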
It is imperative to note that InTune configured in this way will only protect and allow access to organisational data through integrated applications. Ensuring your devices are integrated with a single identity provider (IdP) such as Azure AD makes this process much easier and keeps the devices compliant in the long run. Applications which support SAML or OAuth can integrate directly; however, older applications may benefit from Azure Application Proxy instead to allow for AAD integration.
What are the privacy implications of MDM tools?
Enrolling personally owned devices in MDM tools like InTune does not mean that organisations take full control of them or gain access to all users’ personal data.
InTune allows devices to be enrolled under a work profile. This work profile keeps business apps and data separate from personal apps and data, ensuring organisations only have control over organisational services and data, not personal data.
Organisational data can also be remotely wiped from devices, without affecting personal data, mitigating some of the risks from departing staff taking organisational data with them when they leave.
The device enrolment process should inform and reassure the user what will and will not be accessed by the organisation. This should be accompanied by appropriate advice and guidance, FAQs, training and other helpful information to establish buy-in from your staff and address any concerns.
Some staff may not wish to enrol their devices and these wishes should always be respected. No user should be required to use their own device should they choose not to. The reasons why enrolment is a mandatory requirement for using a personally owned device for work purposes should be made clear and transparent, so users can make an informed decision about whether to use their own device or not.
Microsoft provides further information on joining personal devices and clarification on what is and what is not visible to organisations managing device access via its tools.
BYOD and CE+
If you’re planning on applying for Cyber Essentials Plus (CE+) and you allow BYOD access to data within your organisation, your BYOD guidance and policies should also include and explain in clear non-technical terms that any staff personal devices used for work purposes may be subject to checks as part of the CE+ audit and verification process.
These checks may involve installing an application (such as AnyDesk), sharing screens (TeamViewer for example), downloading files onto the device, or taking and sending screenshots of device settings. No personal data will be accessed, and the user remains in control of the handset and the data presented on the screen throughout the assessment, which takes around 10 minutes.
This may mean that some staff choose to stop using their own personal device for work, so you need to plan accordingly for this eventuality.
Again, for more information see our previous post about how BYOD fits into the CE scheme.
Please make informed decisions on your MDM deployment, and enable enrolment in a phased, change-controlled manner.