S
ScottSawyer
The changing leaves and lengthening shadows on my side of the globe are harbingers of the winter to come and of ghosts, goblins, and other frights that are part of the Halloween celebration. Foremost among the things that scare me—and other IT professionals I know—are security breaches. We are almost a year into our Secure Future Initiative (read more about it in this article by Charlie Bell, Executive Vice President, Microsoft Security), and new Microsoft Intune features are oriented toward improving security. Below are some of the features on offer to help thwart hackers’ “tricks” and a “treat” to help keep the focus on fun when the work day is done.
Spoofing, the act of forging digital credentials to assume a false identity, has long been a strategy for bad actors trying to infiltrate systems. As part of the effort to combat certificate spoofing in on-premises environments, a May 10, 2022, security update, KB5014754 made changes to the Active Directory Kerberos Key Distribution Center (KDC), requiring “strong mapping” for all certificates. This required all Simple Certificate Enrollment Protocol (SCEP) certificates delivered through Intune and used for cert-based authentication against KDCs to have additional security identifier (SID) information embedded in the certificate that associates it with a device or user. Enforcement of this change is scheduled to begin February 2025. In this post, we detailed how Intune might address these new strong mapping requirements for comanaged devices. As a result of customer feedback, we elected to explore an alternate solution.
That solution arrives this month, in the form of support for an SID variable in SCEP profiles as part of the subject alternative name (SAN) value. This initial release supports Windows, iOS/iPadOS, and macOS devices, and we expect Android support to follow next month.
New SID variables are shown as Uniform Resource Identifier (URI) values in the Subject alternative name field of a SCEP certificate configuration policy in Intune.
There is a lot of nuance and detail to this operation, and we recommend testing thoroughly before implementing broadly. Be sure to follow the Intune Customer Success blog for an upcoming in-depth article from our engineering partners.
With this month’s release, IT administrators can now configure notification muting and block access to the Microsoft Teams app for shift workers based on their working time status. This guards valuable time “off the clock” needed to rest and recharge, and it helps employers reduce their liability for notifications outside of working time. Note that the Working Time API must be integrated with your tenant before configuring this capability (or some users could lose access). Read more in the documentation.
When notifications are muted via Intune, which is indicated on the conversation, users will not get pop-up windows or notification badges on app icons. However, they will still be able to see sent messages if they open the app.
Messages can be viewed when notifications are muted, but the conversation icon shows that notifications are “snoozed.”
When access is blocked outside of working time, a user trying to open the app will get the message shown below when the app checks to see if they are clocked in.
Message showing check for working time.
In China, Microsoft services including Intune are operated by 21Vianet, an independent data service provider. 21Vianet meets local requirements for secure, reliable, and scalable cloud services, which results in some feature differences for Intune. This month we’re introducing Windows Autopilot device preparation to this market. Prior to this release, devices had to be manually provisioned by IT departments. Now, with this release, the time required to get a new device prepared for end users will be reduced significantly, which will also improve user experience.
Let us know how Intune can help allay your fears as an IT pro. Add your comments, too, if you’re excited to implement these capabilities.
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.
Continue reading...
Anti-spoofing updates for on-premises devices
Spoofing, the act of forging digital credentials to assume a false identity, has long been a strategy for bad actors trying to infiltrate systems. As part of the effort to combat certificate spoofing in on-premises environments, a May 10, 2022, security update, KB5014754 made changes to the Active Directory Kerberos Key Distribution Center (KDC), requiring “strong mapping” for all certificates. This required all Simple Certificate Enrollment Protocol (SCEP) certificates delivered through Intune and used for cert-based authentication against KDCs to have additional security identifier (SID) information embedded in the certificate that associates it with a device or user. Enforcement of this change is scheduled to begin February 2025. In this post, we detailed how Intune might address these new strong mapping requirements for comanaged devices. As a result of customer feedback, we elected to explore an alternate solution.
That solution arrives this month, in the form of support for an SID variable in SCEP profiles as part of the subject alternative name (SAN) value. This initial release supports Windows, iOS/iPadOS, and macOS devices, and we expect Android support to follow next month.
New SID variables are shown as Uniform Resource Identifier (URI) values in the Subject alternative name field of a SCEP certificate configuration policy in Intune.There is a lot of nuance and detail to this operation, and we recommend testing thoroughly before implementing broadly. Be sure to follow the Intune Customer Success blog for an upcoming in-depth article from our engineering partners.
Working time
With this month’s release, IT administrators can now configure notification muting and block access to the Microsoft Teams app for shift workers based on their working time status. This guards valuable time “off the clock” needed to rest and recharge, and it helps employers reduce their liability for notifications outside of working time. Note that the Working Time API must be integrated with your tenant before configuring this capability (or some users could lose access). Read more in the documentation.
Quiet time
When notifications are muted via Intune, which is indicated on the conversation, users will not get pop-up windows or notification badges on app icons. However, they will still be able to see sent messages if they open the app.
Messages can be viewed when notifications are muted, but the conversation icon shows that notifications are “snoozed.”Blocking access
When access is blocked outside of working time, a user trying to open the app will get the message shown below when the app checks to see if they are clocked in.
Message showing check for working time.Windows Autopilot device preparation ready for China
In China, Microsoft services including Intune are operated by 21Vianet, an independent data service provider. 21Vianet meets local requirements for secure, reliable, and scalable cloud services, which results in some feature differences for Intune. This month we’re introducing Windows Autopilot device preparation to this market. Prior to this release, devices had to be manually provisioned by IT departments. Now, with this release, the time required to get a new device prepared for end users will be reduced significantly, which will also improve user experience.
Let us know how Intune can help allay your fears as an IT pro. Add your comments, too, if you’re excited to implement these capabilities.
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.
Continue reading...