018: Review security, compliance, resource access requirements (Certs/Wi-Fi/VPN)

Overview

Options for Certificates, Wi-Fi, and VPN for MDM for iOS in Intune

When managing iOS devices with Microsoft Intune, you have several options for configuring certificates, Wi-Fi, and VPN settings. These configurations are crucial for ensuring secure and seamless access to corporate resources. Here’s a detailed look at the available options, their benefits, and how they contribute to a Zero Trust security posture.

Certificates

Options:

1. Simple Certificate Enrollment Protocol (SCEP):

   • Purpose: Automates the issuance and renewal of certificates.
   • Use Case: Ideal for large-scale deployments where automated certificate management is needed¹(https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure).

2. Public Key Cryptography Standards (PKCS):

   • Purpose: Provides a more controlled certificate issuance process.
   • Use Case: Suitable for environments requiring high security and manual certificate management¹(https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure).

3. Imported PKCS Certificates:

   • Purpose: Allows importing pre-issued certificates.
   • Use Case: Useful for integrating with existing certificate infrastructures¹(https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure).

Benefits:

• Enhanced Security: Certificates provide strong authentication, reducing the risk of unauthorized access²(https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_179).
• Seamless User Experience: Users can access resources without repeatedly entering credentials²(https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_179).
• Centralized Management: Simplifies the deployment and management of certificates across all devices²(https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_179).

Wi-Fi

Options:

1. Basic Wi-Fi Configuration:

   • Purpose: Connects devices to a Wi-Fi network using SSID and password.
   • Use Case: Suitable for simple network setups(https://www.youtube.com/watch?v=-edLIdPu-FE).

2. Enterprise Wi-Fi Configuration:

   • Purpose: Uses certificates for authentication (e.g., WPA2-Enterprise).
   • Use Case: Ideal for secure corporate networks requiring strong authentication(https://www.youtube.com/watch?v=-edLIdPu-FE).

Benefits:

• Automated Connectivity: Ensures devices automatically connect to the corporate Wi-Fi network.
• Improved Security: Enterprise configurations provide stronger security through certificate-based authentication.
• User Productivity: Reduces the need for manual Wi-Fi configuration by users.

VPN

Options:

1. Per-App VPN:

   • Purpose: Directs traffic from specific apps through a VPN.
   • Use Case: Useful for securing sensitive app data without routing all device traffic through the VPN(https://www.youtube.com/watch?v=5eZNwYB6DZ4).

2. Device-Wide VPN:

   • Purpose: Routes all device traffic through a VPN.
   • Use Case: Suitable for scenarios where all network traffic needs to be secured(https://www.youtube.com/watch?v=5eZNwYB6DZ4).

Benefits:

• Secure Access: Ensures secure connections to corporate resources, even from remote locations.
• Continuous Verification: Regularly updated VPN settings help maintain secure access.
• Flexibility: Per-app VPN allows for granular control over which apps use the VPN.

Zero Trust Security Posture

Zero Trust is a security model that assumes no implicit trust and continuously verifies every access request. Here’s how these configurations align with Zero Trust principles:

1. Verify Explicitly:

   • Certificates: Provide strong, certificate-based authentication, ensuring that only authorized users and devices can access resources.
   • Wi-Fi: Enterprise Wi-Fi configurations use certificates to authenticate devices, ensuring secure network access.
   • VPN: VPN profiles enforce secure connections, ensuring that only authorized devices can access the network.

2. Use Least Privilege Access:

   • Per-App VPN: Limits VPN usage to specific apps, reducing the attack surface.
   • Conditional Access: Intune policies can enforce conditional access, ensuring that only compliant devices can access sensitive resources.

3. Assume Breach:

   • Continuous Monitoring: Integrates with mobile threat defense solutions to continuously monitor device health and compliance(https://learn.microsoft.com/en-us/mem/intune/fundamentals/zero-trust-with-microsoft-intune).
   • Automated Remediation: Policies can automatically remediate non-compliant devices, maintaining a secure environment(https://learn.microsoft.com/en-us/mem/intune/fundamentals/zero-trust-with-microsoft-intune).

By leveraging these configurations, organizations can enhance their security posture, streamline device management, and ensure compliance, all while adhering to the principles of Zero Trust.

Reference

(1) Types of certificate that are supported by Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure. (2) Configure WIFI Profile using Intune |A Step-by-Step Guide | Microsoft Intune. https://www.youtube.com/watch?v=-edLIdPu-FE. (3) S01E33 - Configuring VPN Profiles with Microsoft Intune - (I.T). https://www.youtube.com/watch?v=5eZNwYB6DZ4. (4) Zero Trust with Microsoft Intune | Microsoft Learn. https://learn.microsoft.com/en-us/mem/intune/fundamentals/zero-trust-with-microsoft-intune. (5) Deployment guide: Manage iOS/iPadOS devices in Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-platform-ios-ipados. (6) iOS/iPadOS device settings in Microsoft Intune | Microsoft Learn. https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios. (7) Create and Deploy Wifi profile in Microsoft Intune. https://www.youtube.com/watch?v=-jq90KneBxI. (8) Planning guide to move to Microsoft Intune | Microsoft Learn. https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-planning-guide.