MDM or Mobile Device Management is a solution that uses software as a component to provision mobile devices while protecting an organization’s assets, such as data.

Microsoft Intune is a cloud-based service that focuses on Mobile Device Management (MDM) and Mobile Application Management (MAM). As a user, you can control how your organization’s devices are used, including mobile phones and tablets. Users can also configure specific policies to control applications. MAM policies protect data within work-based applications without managing the entire device.

Intune is being implemented to protect the integrity of the confidential client and county business data that resides within Franklin County’s technology infrastructure. This includes internal and external cloud services. As mobile devices are becoming more prevalent in day-to-day activities, it is important to ensure that any applications or data being accessed on the county side is secured. Leveraging the Intune platform will allow the county to be secure while staying productive.

Personal devices are only impacted on an Application-basis through Application Protection Policies. The personal device is not managed through Intune. For company-owned devices that are enrolled in the Mobile Device Management (MDM) solution:

Your organization can't see:

• Calling and web browsing history

• Email and text messages

• Contacts

• Calendar

• Passwords

• Pictures, including what's in the photos app or camera roll

• Files

Your organization can always see:

• Phone number

• Device storage space

• Location

• App inventory

• App permissions

• Network information

• Device owner

• Device name

• Device serial number

• Device model, such as Google Pixel

• Device manufacturer, such as Microsoft

• Operating system and version, such as iOS 12.0.1

• Device IMEI

• App inventory and app names, such as Microsoft Word

  • On personal devices, your organization can only see your managed app inventory, which includes work and school apps.

  • On corporate-owned devices, your organization can see all apps installed on the device.

  • On corporate-owned devices with a work profile, which is limited to Android devices, your organization can only see the apps installed in your work profile.

https://learn.microsoft.com/en-us/mem/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune

For Franklin County work purposes, specific county-based applications and email are only managed remotely through the Intune platform. Personal devices are only impacted on an Application-basis through Application Protection Policies. The personal device is not managed through Intune.

Enrolling in Intune will grant access to wipe the device. The policies we have in place are implemented so this would only happen for a lost or stolen device. The user would report the lost or stolen device and confirm permission for the Data Center to initiate the wipe command.

“Password length has been found to be a primary factor in characterizing password strength. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.” https://pages.nist.gov/800-63-3/sp800-63b.html

“Reconnect to your Organization”

“Connect to the Intune Service to continue to access your work or school account in this app. You may need to sign in to connect.”

Explanation: This message can be brought on by a device being non-compliant for too long but can also be prompted by some of our App Protection Policies that are in place. Essentially, an app is asking you to sign-in again to validate that you are still active, enabled, and authorized.

“You Must Install the Company Portal App”

Explanation: When trying to access an app that is considered a “managed app” you may be presented with a message like below:

If you follow the steps outlined in that message: Download and install the Company Portal app, then you can attempt to relaunch the app you were trying to before and you should see something like this:

You can hit Continue here and it should allow you into the app now.

“PIN Required to Access Managed Apps”

After following the above instructions (installing the Company Portal App) you will be periodically required to enter a PIN to access “Managed Apps” that are on your device, if your device is not enrolled in Intune. You will see the following:

This PIN is separate from your device PIN and only required after you have not actively used any of your “Managed Apps” within 30 minutes. This 30-minute timer refreshes whenever you go into one of the apps that are considered “Managed.”

Android - Check for Compliance

Once you’ve downloaded the Company Portal app, you can check to see if your device is complaint or not with FCDC’s mobile device policies by opening the app:

Click Devices at the top which should take you here:

From there, you should see your device like the above screenshot. Tap it:

If your device is not enrolled in Intune, you’ll see the above message: “This device is not managed.”
If you click that, it will start the enrollment process. You might instead see this message:

This means your device is enrolled in Intune but is failing to meet certain compliance requirements.
It details what requirements you are failing to meet and tapping the Resolve button to fix that, which really just begins walking you through adjusting the appropriate settings on your device.

Once you have went through the process of fixing those, you might return to that screen and it looks exactly the same, causing you to think you are still not compliant. Tap Confirm Device Settings:

This will prompt your device to re-sync with the Intune platform and check for compliance updates. If the appropriate changes were made on your device, you should see this come back:

Once you’ve downloaded the Company Portal app, you can check to see if your device is complaint or not with FCDC’s mobile device policies by opening the app. Click Devices and then select the Check status button. This will prompt your device to re-sync with the Intune platform and check for compliance updates.

Please reach out to your designated Business Relationship Manager (BRM) and file a LINK Request to submit a request for an application. This will lead to the app in question undergoing a Security review. If approved, then the app will be added to the Application Library by the Intune Administrators, and it will show in Company Portal.

To learn more about the application request process, please review 3.0 Intune - Application Requests

Applications are configured according to security protocol baselines for Franklin County. Work applications for iOS are managed through the Company Portal. Android applications are managed through the Managed Google Play Store. For more information, please visit the Intune - Application Requests confluence.

To learn more about the application request process, please review 3.0 Intune - Application Requests

The Company Portal is managing mobile applications for Franklin County. Please file a ticket via Jira to complete a root cause analysis of the issue. Possible scenarios include:

• Security Group Assignment

  • You need to be added to a specific Security Group Assignment. In this case, please follow up with your BRM to submit a Jira ticket requesting approval to the application

• The designated application is not in-scope or is not work approved by security.

• The application is not included in the Mobile Application Library. In this case, please follow up with your BRM and submit a LINK request.

To learn more about the application request process, please review 3.0 Intune - Application Requests

Connecting to County VPN on your Enrolled Device

For iOS devices, the county VPN configuration profile is automatically pushed out to your device if it is enrolled in Intune. You can see and confirm this if you go into Settings > General > VPN & Device Management:

You do not actually connect the VPN here but this configures the Global Protect VPN app for you so that you only have to tap “Connect” and sign-in.

If you do not have the Global Protect VPN app on your device, you can find it and install it from the Company Portal app. After tapping the connect button:

You’ll get the usual PingID MFA prompt and, after satisfying that, the VPN app will come back up and show it is connected.

The MDM enrollment process can take anywhere from 5-15 minutes depending on your connection on both Android and iOS.

The MAM enrollment process is automatic and configured on the back-end. If there are any Franklin County work critical applications on your device, those will be impacted by the MAM policies.

Yes, you can add up to 5 devices.

Intune supports devices running the following Operating Systems (OS):

• iOS

• Android

Intune supported Operating System (OS) Versions:

• Apple iOS 13.0 and later

• Apple iPadOS 13.0 and later

• Android 8.0 and later

A full breakdown can be found at the below link.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

However, the minimum-security standards to meet device compliancy for the County differ from Intune’s minimum supported OS versions:

• Apple iOS 15.0 and later

• Apple iPadOS 15.0 and later

• Android 10.0 and later

What is Compliance and what are my obligations?

The compliance requirements in Intune are a set of minimum-security standards against which enrolled devices are compared to.

Once a device is enrolled in Intune, it will periodically check-in with the Intune platform to see if it meets our compliance requirements. This is an automated process that requires no work on your part although the device does need to have internet access to check-in.

If your device fails to meet any of these standards, it will be marked as Non-Compliant by Intune. As long as your device is able to meet all of the standards, it will be marked as Compliant. This status of Compliant vs Non-Compliant will determine if you can access County resources with that particular device.

What if I am on a leave of absence?

A leave of absence, for any reason, should be communicated to your IT contact.

“Multiple accounts: Only the user's Office 365 GCC account and OneDrive for Business account can be added to a single device. Personal accounts cannot be added. Customers can use another device for personal accounts, or an Exchange ActiveSync client from another provider.”
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-in-the-government-cloud

If you have a .gov email in your Outlook, a constraint imposed by Microsoft is that you cannot have personal accounts added as well. Government and personal email accounts must remain separated.

FCDC recommends having a separate application for personal emails (e.g native application) to manage personal email accounts. Provided below you will find Microsoft Support guides to help you set up your personal accounts.

• https://support.microsoft.com/en-gb/office/set-up-an-outlook-account-on-the-ios-mail-app-7e5b180f-bc8f-45cc-8da1-5cefc1e633d1

• https://support.microsoft.com/en-gb/office/set-up-email-in-android-email-app-71147974-7aca-491b-978a-ab15e360434c

iWatch devices that are paired to a device that have passcode restrictions applied for enrollment are passed on from that device and need to also adhere to the same condition.

The Pincode for your wearable device must adhere to the compliance policy. For example, your wearable device might require an iPhone passcode of at least six digits with no repeating digits.

Android devices are more broad in both manufacturer and type of device and would be looked at on a case-by-case basis depending on the make, model, and OS version of the device. There does not seem to be official, native support from Intune whereby restrictions on the mobile device passthrough to the Android smart watch.

https://support.apple.com/en-us/HT204953

If your device has been lost or stolen, then a Help Desk ticket must be created to allow the Security Team to process the request. Please also notify your IT Contact/Senior Manager for awareness. A Help Desk ticket will be created for the Security team to send the Wipe Command to the device, clearing county data based on confirmation of permission to do so.

FCDC Help Desk Information

• Monday - Friday 7am - 5pm

• (614) 525-3282

• helpdesk@franklincountyohio.gov

For Corporate-owned devices, you are required to return all county-owned property back to the Help Desk or your IT Contact. When an employee separates from Franklin County, User Management will wipe the device. Employees are not permitted to keep their county-owned device after separation from employment.

The user account will be disabled and a new user account will be created on behalf of the new agency.

There is no data that will be transferred across agencies (e.g. One Drive, Email, etc.). The user would have to re-enroll in Intune in order to ensure the new agency’s data is protected accordingly. When an employee separates from an agency and transfers to another agency, User Management will wipe the device.