For Managed Service Providers, Microsoft Endpoint Manager can be broken into three key pillars: Conditional Access, Compliance and Configuration. This gives partners a much clearer path to adopting the technologies that are already included with many of the customers’ existing licenses.
Many partners see the value in these pillars but are unsure where to start, and the size of the task seems overwhelming. Meanwhile, other partners may have the knowledge and skills but are resource constrained, which prevents them from getting started.
Having a library of quality pre-made policies which target the basic needs of most customers can drastically reduce the investment of time required to get started with Endpoint Manager.
How can an MSP begin rolling out Endpoint Manager policies in the shortest timeframe possible?
Whether it’s a lack of knowledge, time, or both, this creates an obstacle for the MSP who wants to roll out the benefits of Endpoint Manager policies to its clients.
Delaying the rollout of Endpoint Manager puts both the MSP and the clients at risk in a number of ways.
For clients who subscribe to Microsoft 365 Business Premium, E3 or E5, Endpoint Manager is already included in the licence, so not using its policies is a missed opportunity to improve the overall security of their users. This is especially true of conditional access and compliance policies, two of the three key pillars.
Increased risk of compromise
The clients become more exposed to the risk of compromise, which in turn puts the MSP at risk too, as they are responsible for keeping their clients secure. The consequences reach the reputations of both the MSP and the client and the client’s data, and in many cases there is a financial cost too.
For the MSP, delaying the adoption of Endpoint Manager creates a technical gap in their knowledge and experience, resulting in a competitive disadvantage. The gap continues to grow with time as Microsoft continues to evolve the product, placing the MSP further and further behind.
To help get over the initial barrier, MSPMagic provides a set of pre-defined policies within each of the three pillars, Conditional Access, Compliance and Configuration. These ensure that MSPs can quickly and easily build a quality policy library and start deploying in the shortest amount of time possible.
Most policies can be deployed to all customers, even those resistant to MFA for their users, since the MFA policies can be scoped narrowly (for example, MFA for admins only, or MFA for the Azure portal only).
MSPMagic regularly adds more pre-made policies. Here is a small selection of the most popular ones:
- Conditional Access
- Require multi-factor authentication for all users – Enforce multi-factor authentication for all user accounts to reduce the risk of compromise.
- Block legacy authentication – Block legacy authentication endpoints that can be used to bypass multi-factor authentication.
- Require compliant or hybrid Azure AD joined device for admins – Ensure privileged administrators can only access resources while using a compliant or hybrid Azure AD joined device.
- Configuration
- Windows 10 and later OneDrive for Business Known Folder Move – Silently sign in the user and move their Desktop, Documents and Pictures folders to OneDrive.
- Windows 10 and later Microsoft Edge enable Automatic Sign in and Sync using Windows Credential – Enable Microsoft Edge’s sync of user favourites, passwords, and other browser data across all synced devices.
- Enable Windows 10 and Later Disk Encryption (BitLocker) – Enable BitLocker encryption on OS and fixed drives for Windows 10 and later devices. The BitLocker recovery keys are backed up to Azure AD and rotated automatically after they are used on a device.
- Compliance
- Windows 10 and Later Secure Device Compliance – Checks Windows 10 devices to ensure they have BitLocker, Secure Boot and Code Integrity enabled, as well as a firewall, TPM, antivirus and antispyware.
- iOS/iPadOS Secure Device Compliance – Checks that iOS/iPadOS devices are not jailbroken, a passcode has been set, and the maximum period of inactivity before the device locks itself is 15 minutes.
- Android Enterprise (Personally-owned work profile) Secure Device Compliance – Checks that Android Enterprise devices are not rooted, a passcode has been set, and the maximum period of inactivity before the device locks itself is 15 minutes. It also disables USB debugging on the device.
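To show what two of the policies above look like when created programmatically rather than through the portal, here is an added example using the Microsoft Graph PowerShell SDK. It is not one of MSPMagic’s templates and does not reproduce their exact settings; it builds a “Block legacy authentication” conditional access policy in report-only mode and a Windows 10 and later compliance policy with the checks listed above, then assigns the compliance policy to all devices. The Graph cmdlets, endpoints and property names are Microsoft’s; the display names and the break-glass account ID are placeholders you must replace.

```powershell
# Added example (not an MSPMagic template). Requires the Microsoft.Graph module and an
# account holding Policy.ReadWrite.ConditionalAccess and
# DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder: object ID of the tenant's emergency-access (break-glass) account.
# Every blocking CA policy should exclude it so a misconfiguration cannot lock out all admins.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

# 1) Conditional Access: block legacy authentication.
#    'exchangeActiveSync' and 'other' are the client app types that cannot perform MFA.
#    Start in report-only mode; the sign-in logs then show which accounts and clients
#    would have been blocked before the policy is switched to 'enabled'.
$legacyAuthPolicy = @{
    displayName   = 'CA - Block legacy authentication'           # placeholder name
    state         = 'enabledForReportingButNotEnforced'           # change to 'enabled' after review
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyAuthPolicy
Write-Host "Created CA policy $($caPolicy.Id) in state $($caPolicy.State)"

# 2) Compliance: Windows 10 and later secure device checks.
#    scheduledActionsForRule is mandatory when creating a compliance policy through Graph.
#    gracePeriodHours = 0 marks a failing device non-compliant immediately, which is what
#    allows a "require compliant device" CA policy to act on it.
$windowsCompliance = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows 10 and later - Secure Device Compliance'   # placeholder name
    description             = 'BitLocker, Secure Boot, code integrity, firewall, TPM, AV and antispyware'
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    activeFirewallRequired  = $true
    tpmRequired             = $true
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$baseUri    = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$compliance = Invoke-MgGraphRequest -Method POST -Uri $baseUri `
    -Body ($windowsCompliance | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created compliance policy $($compliance.id)"

# Assign the compliance policy to all devices (the 'All devices' virtual group).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($compliance.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Run this against a test tenant first. Leave the conditional access policy in report-only mode until the sign-in logs (filtered on the report-only result) show no legacy-protocol sign-ins you still need, such as an old scan-to-email device or a script using basic authentication, and only then change `state` to `enabled`.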