BYOD – Part 2 – Manage Your Azure AD Registered Devices

Previously on BYOD…

I discussed the restrictions and conditions you can put in place so the BYOD fleet can be managed well. Read Part 1 if you haven't. My focus there was the Azure AD and Intune side of managing the fleet.

Part 2 of this series focuses on the scenario where you allow devices to be registered in Azure AD as personally owned devices (Workplace Join). The question is: do you allow ANY device to be registered, or do you manage that part in a controlled way so that only eligible devices get registered?

What I will be covering 👇🏽

  1. Control Your BYOD Fleet
  2. Start with the User to Agree to Terms of Use Before Accessing Data from a Personally Owned Device
  3. Set Intune Compliance Policies and Conditional Access Policies for Personally Owned Devices
  4. Microsoft Graph API to Help with Azure AD Groups
  5. Dynamic Device Group Audit Logs
  6. Wrapping Up

Control Your BYOD Fleet

If your BYOD policy is to let users register their personally owned devices in Azure AD (Workplace Join), you can easily apply some of the controls below, and that can be the path towards securing the environment from threats.

Start with the User to Agree to Terms of Use Before Accessing Data from a Personally Owned Device

As I mentioned earlier, you have the option of getting the user to accept terms of use before accessing company data. In the Conditional Access policy, a filter for devices with the rule trustType equals Azure AD registered, or deviceOwnership equals Personal, will prompt the user to accept the terms before the apps can be accessed.

Let the user accept the terms of use from every device they access company data

If your idea is to get users to accept the Terms of Use on every device, then the setting Require users to consent on every device in the Terms of Use feature should be set to On, as below.

Once the Terms of Use is created, create your Conditional Access policy and, under Grant, select the terms of use you created.

Because per-device consent requires the device to be registered in Azure AD, users have to register any device before they can access the data from it.

Result

Set Intune Compliance Policies and Conditional Access Policies for Personally Owned Devices

Identify Workplace Joined devices (Personal) – Dynamic Group

When devices are registered this way, they are categorized as Personal, as opposed to Azure AD joined (AADJ) and hybrid Azure AD joined (HAADJ) devices, which are categorized as Corporate.

Create your Dynamic Group as below –

Or, to capture the device as soon as it is registered in Azure AD, use the rule deviceTrustType equals Workplace, like below.

In this way you can apply Compliance Policies and other restrictions, because personally owned devices are added dynamically to a device group. It is also convenient to filter further by OS (deviceOSType) so they can be managed per OS.
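The two dynamic membership rules described above, created with Microsoft Graph PowerShell instead of the portal. This is an added example and not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can create groups (Group.ReadWrite.All). The group display name and mail nickname are placeholders, and the Windows-only rule is my own refinement of the OS filtering the post mentions.

```powershell
# Added example (not from the original post): create the dynamic device group for
# Azure AD registered (Workplace Joined) personal devices with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; Group.ReadWrite.All granted; names are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rule 1: devices reported as personally owned (the deviceOwnership attribute).
$ruleOwnership = '(device.deviceOwnership -eq "Personal")'

# Rule 2: devices whose trust type is Workplace (Azure AD registered). This attribute is set
# at registration time, so the device is captured as soon as the registration completes.
$ruleTrustType = '(device.deviceTrustType -eq "Workplace")'

# Optional OS refinement: Windows registered devices only (assumed refinement, not from the post).
$ruleWindowsOnly = '(device.deviceTrustType -eq "Workplace") -and (device.deviceOSType -eq "Windows")'

function New-PersonalDeviceDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # Security group with dynamic membership and rule processing turned on. Device rules must
    # use the "device." prefix; a typo in the attribute name silently yields an empty group.
    New-MgGroup -DisplayName $DisplayName `
                -MailNickname $MailNickname `
                -MailEnabled:$false `
                -SecurityEnabled `
                -GroupTypes "DynamicMembership" `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState "On"
}

$group = New-PersonalDeviceDynamicGroup -DisplayName "BYOD - Azure AD Registered Devices" `
                                        -MailNickname "byod-aadr-devices" `
                                        -MembershipRule $ruleTrustType

# Verify the rule was stored and is being processed. Membership is evaluated asynchronously,
# so members show up only after the rule processing completes.
Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Swap `$ruleTrustType` for `$ruleOwnership` or `$ruleWindowsOnly` depending on which of the two rules from the post (or the OS refinement) you want; keep the rule text in single quotes so PowerShell does not expand the double-quoted values inside it.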

Create the Compliance Policy

It is always a debate whether to force encryption when a user wants to access company data from a personally owned device. Some organizations have strict policies on that and some do not force it. At the end of the day, the criticality of the data and the legal/IT policies decide what the personal device must satisfy to be compliant before accessing the data.

Here I would like to focus on a small but powerful setting that you can easily apply: minimum OS version. You can force updates on the corporate device fleet, but not on personally owned devices. You can, however, enforce a compliance setting that sets the minimum OS level allowed to access company data.

The settings marked below are easy to set up and powerful when it comes to controlling device compliance.

Actions for Non-compliant devices

Tip – Set an email alert so that when a device is marked as non-compliant, the nominated IT admin receives an email.

It is also best to mark the device as non-compliant immediately (no grace period) in the Actions for noncompliance section.

Assign the policy to the Dynamic Group created above so that only the devices in that group are evaluated by this policy.
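The same compliance policy built through the Graph API: a Windows policy with only a minimum OS version, the block action at zero hours, an email notification with the IT admin group in CC, and the assignment scoped to the dynamic group. This is an added example, not the post's own procedure or Microsoft sample code; it assumes the Microsoft.Graph PowerShell SDK, the DeviceManagementConfiguration.ReadWrite.All permission, and that you replace the group ids, the notification template id and the minimum build with your own values.

```powershell
# Added example (not from the original post): create a Windows compliance policy that enforces
# a minimum OS version, mark devices non-compliant immediately, email the user and IT, and
# assign it only to the BYOD dynamic group. Assumptions: Microsoft.Graph SDK installed,
# DeviceManagementConfiguration.ReadWrite.All granted; all GUIDs and the build are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$byodGroupId            = "00000000-0000-0000-0000-000000000000"  # dynamic group of registered devices
$itAdminGroupId         = "22222222-2222-2222-2222-222222222222"  # group CC'd on the notification
$notificationTemplateId = "11111111-1111-1111-1111-111111111111"  # Intune notification message template
$minimumWindowsBuild    = "10.0.19045.0"                          # major.minor.build.revision (assumed value)

# Graph rejects a compliance policy without scheduledActionsForRule, so the "Actions for
# noncompliance" travel in the same request: block (mark non-compliant) at 0 hours, plus a
# notification to the user with the IT admin group in CC.
$policy = @{
    "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
    displayName      = "BYOD - Windows minimum OS version"
    description      = "Azure AD registered Windows devices must run a supported build"
    osMinimumVersion = $minimumWindowsBuild
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                },
                @{
                    actionType                = "notification"
                    gracePeriodHours          = 0
                    notificationTemplateId    = $notificationTemplateId
                    notificationMessageCCList = @($itAdminGroupId)
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Scope the assignment to the dynamic group so corporate (AADJ/HAADJ) devices are untouched.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id) ($($created.displayName)) and assigned it to group $byodGroupId"
```

Keeping the policy to the one setting the post recommends (minimum OS version) is deliberate: every additional setting on a personal device is a support case waiting to happen, and the minimum build is the control that most directly keeps unpatched devices away from company data.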

Create the Conditional Access Policy to Block access to Non-Compliant Devices

Set the Conditional Access Policy, and in the Grant section, set Require device to be marked as compliant

Also, in the Conditions section, I filter for devices that have the trustType Azure AD registered, so only registered personal devices are affected by this policy.

Below is the result the user gets when they try to access company data from a device that is registered but does not meet the compliance levels.

Create Notifications in Compliance Policies

You can get notified when devices are not compliant using the notification templates under Compliance policies, Notifications.

Then, in the compliance policy's Actions for noncompliance, set the option Send email to end user and select additional recipients as well. This can be your IT admin or helpdesk group.

Microsoft Graph API to Help with Azure AD Groups

This may come in handy if you want to stay on top of your Workplace Joined (Azure AD Registered) device fleet.

https://graph.microsoft.com/v1.0/groups/GROUP-ID/members?$select=displayName

Permissions required: Group.Read.All
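A fuller version of that query, as an added example rather than code from the post: it pages through the whole group (a single call returns only one page), casts the members to device so the device attributes come back alongside displayName, and then flags members that should not be there. It assumes the Microsoft.Graph PowerShell SDK, Group.Read.All plus Device.Read.All (the latter is my assumption for reading device properties beyond displayName), and a placeholder group id.

```powershell
# Added example (not from the original post): enumerate the BYOD dynamic device group with
# paging, then flag membership drift, non-compliant devices and stale registrations.
# Assumptions: Microsoft.Graph SDK installed; Group.Read.All and Device.Read.All granted;
# the group id is a placeholder.
Connect-MgGraph -Scopes "Group.Read.All", "Device.Read.All"

$byodGroupId = "00000000-0000-0000-0000-000000000000"

function Get-ByodGroupDevices {
    param([Parameter(Mandatory)] [string] $GroupId)

    # The OData cast (/members/microsoft.graph.device) lets $select ask for device properties;
    # the plain /members?$select=displayName call from the post returns only directoryObject fields.
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/microsoft.graph.device" +
           '?$select=id,displayName,trustType,operatingSystem,operatingSystemVersion,isCompliant,isManaged,approximateLastSignInDateTime&$top=999'

    # Follow @odata.nextLink until the last page.
    $devices = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $devices
}

$devices = Get-ByodGroupDevices -GroupId $byodGroupId
"Group $byodGroupId has $($devices.Count) device members"

# 1. Anything whose trustType is not "Workplace" means the membership rule has drifted
#    (for example someone edited it) and a corporate device is now receiving the BYOD policy.
$devices | Where-Object { $_.trustType -ne "Workplace" } |
    ForEach-Object { Write-Warning "Not a Workplace Joined device: $($_.displayName) (trustType=$($_.trustType))" }

# 2. Registered personal devices not marked compliant; these are what Conditional Access blocks.
$devices | Where-Object { -not $_.isCompliant } |
    Select-Object displayName, operatingSystem, operatingSystemVersion, isManaged, approximateLastSignInDateTime |
    Format-Table -AutoSize

# 3. Stale registrations (no sign-in for 90 days, an assumed threshold) are cleanup candidates;
#    a forgotten registered device is still a device that can satisfy a "registered" filter.
$cutoff = (Get-Date).AddDays(-90)
$devices | Where-Object { $_.approximateLastSignInDateTime -and [datetime]$_.approximateLastSignInDateTime -lt $cutoff } |
    Select-Object displayName, operatingSystem, approximateLastSignInDateTime |
    Format-Table -AutoSize
```

Run it on a schedule and the warnings in step 1 are the quickest way to notice that the dynamic rule no longer does what this post set it up to do.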

Dynamic Device Group Audit Logs

You can also check the Audit logs of the group to identify the membership changes that took place in the Dynamic Device Group.
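The same audit trail pulled through Graph PowerShell, as an added example that is not part of the original post: it fetches the last week of GroupManagement audit events, keeps those that target the BYOD group, and lists which device was added or removed, when, and by whom. It assumes the Microsoft.Graph PowerShell SDK, AuditLog.Read.All and Directory.Read.All, and a placeholder group id.

```powershell
# Added example (not from the original post): list add/remove membership events for the
# BYOD dynamic device group from the directory audit log.
# Assumptions: Microsoft.Graph SDK installed; AuditLog.Read.All and Directory.Read.All granted;
# the group id is a placeholder; the 7-day window is an arbitrary choice.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$byodGroupId = "00000000-0000-0000-0000-000000000000"
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on category and time window; the activity name is filtered client-side
# so both "Add member to group" and "Remove member from group" are kept.
$events = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since and category eq 'GroupManagement'" -All

$events |
    Where-Object {
        $_.ActivityDisplayName -in @('Add member to group', 'Remove member from group') -and
        $_.TargetResources.Id -contains $byodGroupId
    } |
    ForEach-Object {
        # The group is one target resource; the member that was added or removed is the other.
        $member = $_.TargetResources | Where-Object { $_.Id -ne $byodGroupId } | Select-Object -First 1
        [pscustomobject]@{
            When      = $_.ActivityDateTime
            Activity  = $_.ActivityDisplayName
            Member    = $member.DisplayName
            MemberId  = $member.Id
            Initiator = if ($_.InitiatedBy.App.DisplayName) { $_.InitiatedBy.App.DisplayName } else { $_.InitiatedBy.User.UserPrincipalName }
            Result    = $_.Result
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

The Initiator column is the part worth watching: membership changes driven by the dynamic rule show a service as the initiator, so a human account adding or removing devices from this group is a manual change to the BYOD scope that deserves a second look.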

Wrapping Up

If you are allowing Bring Your Own Device in your workplace, it should be a hassle-free process for both the user and IT. All BYOD users should have the same level of restrictions, as deviations from those become loopholes if they are not reviewed properly. If you have good security practices, BYOD can be a blessing in these times, because people are mostly working remotely or hybrid.

I hope this post gave you ideas about managing your Workplace Joined fleet and if I have missed anything, feel free to let me know in the comments section.

