Original Post from Microsoft Enterprise Mobility + Security
Author: Mayunk Jain
Enabling a remote workforce is no trivial challenge in the best of times, and it can seem especially daunting when rolling out during a global crisis. Luckily, there are some easy ways to start, so your employees can continue working as close as possible to how they worked back in the office. The goal is to minimize the learning curve, so people can stay productive when dealing with so many other changes. It is very important to avoid local storage of data so that any changes made during this extraordinary time are readily available when work shifts back to the office and work-based devices. Once you take care of the immediate needs of your users, we can recommend some ways you can prepare the organization with a more comprehensive remote work infrastructure for the future.
If your organization uses Microsoft 365 or EMS E3 and above licenses, you may already have the technology needed to implement these recommendations. In this article, we’ll look at some easy wins that can be achieved with simple configuration changes from IT and minimal change in behavior of your workforce. In a future article, we will discuss a few more comprehensive changes to your remote work infrastructure.
Quickly set-up your users to work securely from their personal PCs and mobile devices
The first thing to consider is the devices people use when they work from home or other locations outside the office. Some of you may have already provided company-owned devices that are set up for remote access. Many people end up using their personal laptops, or sharing their home PCs, or even other mobile devices to access work files in this situation. The priority here is to make sure that only trusted and compliant devices have access to work files. You can achieve this quickly by turning on multi-factor authentication (MFA) and Conditional Access in Microsoft Endpoint Manager, powered by Azure Active Directory. Mobile users don’t necessarily have to enroll their personal devices, and we will see next how you can use application-level controls for secure access.
To help with change communications for end users, you can use the planning guides, user communication kits, and end-user enrollment videos available here as a starting point.
The next thing to consider is what applications people use remotely. Here, the priority is not only to make sure trusted and compliant applications are used, but also ensure a user experience that is familiar and friendly. Most people are familiar with Office 365 apps such as Outlook and Teams on their work machines. These apps contain built-in security controls so that data is not at-risk when it leaves your physical workplace boundaries. Microsoft Office 365 mobile and web apps are available at no additional cost with most Microsoft 365 and Office 365 subscriptions, further helping remote workers to be productive on their home PCs and mobile devices.
Using Conditional Access, you can direct end users to download trusted apps such as Microsoft Outlook, Microsoft Teams, Microsoft Edge, and the Office mobile app from iOS and Android public app stores. In the background, you can assign Intune App Protection Policies to these apps and keep work data safe by controlling or stopping sharing of work data outside the trusted apps. This provides application-level controls and compliance, while maintaining the familiar user experience for end users. In this case, users don’t even have to enroll their devices to start being productive. There is little to no impact on how they may be used to working with those apps.
The third aspect to consider is ensuring data is stored in trusted and compliant locations after people access it. Intune app configuration policies can help you add a further layer of protection and business continuity by enabling a policy that requires files to only be saved to OneDrive for Business, not the local device or other cloud storage. Not only does that allow users to easily share and collaborate on the files, but helps prevent data leaks on non-managed devices and ensures that files are available in one place when people get back to the office. Depending on your needs, you could manage more device and data security options, like turning on BitLocker or enforcing password length, without interfering with users’ personal data, like family photos.
Helping your remote workforce provision new, business-ready devices
Once you take care of maintaining business continuity and productivity in the immediate term with our recommendations above, you can take a step back and enable other parts of your existing infrastructure to support remote work. For instance, if you need to provision a new laptop to a user, you can take advantage of Windows Autopilot to procure the new device from your OEM or reseller and have that device shipped directly to the user’s home. Upon power on and login, they will have a secure and encrypted device that has their business applications automatically installed and ready to work.
If you already have a virtualized environment or want to leverage one to provide remote access, especially to line-of-business apps, Windows Virtual Desktop enables users to get the Windows 10 Enterprise desktop or app experience on virtually any device, including mobile devices. Because the virtual apps and desktop reside in the Azure cloud, they are not bound by the potential limitations of home devices. Workers access them using a standard web browser and easily scale up their processing power. Virtualization also provides another option for helping you to make sure the remote access to apps and data remains secure.
Watch this space for more recommendations on preparing your organization with a more comprehensive remote work infrastructure for the future.
Videos and end user assets to help quickly roll-out a mobile workspace
Ready to get started? Here are some assets that provide more information on how to enable secure mobile productivity on any device:
- Manage Windows 10 and other mobile devices in your modern workplace
- Secure your workplace, including applications, identities, data, and the device itself
Successful adoption of remote work is about helping users to understand and embrace the new technology. It is a change in culture and mindset for many people, especially if they are new to this way of working. Proactively addressing user concerns about privacy and why your company needs to manage devices is critical to a successful rollout. Getting devices ready for remote work also creates change in end user experience. Here are some tools to help you to educate your users:
- Intune Adoption Kit – Email templates, posters, instruction videos and other guidance to help you plan communications for successful rollout
- Mobile device management (MDM) enrollment – End user instructions to help you roll-out faster at a global scale with minimal hand-holding for enrolling devices such as iOS, Android, Windows, and macOS.
- Understanding mobile application management (MAM) for non-enrolled BYOD devices
These are unprecedented times and we are here to help and share guidance so you can keep your employees connected. We continue to update our Microsoft 365 blog with guidance and learnings, please check frequently for more ideas and information: https://www.microsoft.com/en-us/microsoft-365/blog/
As always, we would love to hear your experiences with remote work; joys and tears, highs and lows. Join the conversation in our Remote Work Tech Community to share, engage and learn from experts.
Follow @MSIntune on Twitter
Go to Source
Author: Mayunk Jain