Welcome back to the Microsoft 365 Security Administration course. I'm your instructor, Jim Daniels.
Today we're in the module on identity and access, lesson three: access management, part two, device access.
Let's get started.
In this lesson, I have the ultimate confidence that you will learn how device compliance policies function within Intune, and how conditional access uses device compliance as a signal.
Remember, in prior lessons we discussed what conditional access was, and we talked about signals. In this lesson we're going to focus on device compliance.
Compliance policies define the settings that should be configured on a device, somewhat like a baseline. Either you meet it or you don't.
You have to have something to, number one, set the baseline, and number two, check the baseline. For that in Microsoft 365, we're going to use Intune.
Intune right now is currently being phased into Endpoint Manager, so whenever I say Intune or Endpoint Manager, just know they are one and the same. Again, Microsoft loves to update and change the names of their cloud services. All right, here are your basics.
Compliance policies are platform specific. If you have a compliance policy for iOS devices, it's not going to run on Windows 10. It doesn't make sense. So have a standard and a baseline in your compliance policy for each platform that you have enrolled in Intune.
Here are some common device compliance settings:
Encryption: you require local data to be encrypted on the device.
Password: whether you require a minimum length, or whether you even require the device to have a password to start with.
Mobile threat defense level or risk analysis: kind of an AI-type analysis that you want performed based on the actions and configuration of that device.
Tampering: if the device is jailbroken or rooted, you can deny it access.
OS min/max version: if there is an OS version that has security vulnerabilities, you can say OK, it needs to be at minimum this OS version. If you have the older one, you're noncompliant and you can't get access. That's why you want this: conditional access denies you access until you fix it and you're marked as compliant.
After you enroll your device, Intune begins to sync the details of that device into Intune. You can view device information in the Intune blade on the Azure portal.
User and device groups, static or dynamic, can be created and assigned policies by Intune. You have to have a population of devices before you can create a device group to assign a policy to.
Some of the ways you can use device policies: you can use them with conditional access. Again, if this, then that: you make sure the condition is met before access is given.
You can also use them without conditional access, if you want to gather numbers and information about the devices in your environment that are enrolled in Intune. It doesn't take any action, but the devices are measured against the policy, and you can see the logs and the analysis of it.
The policies are great to stage this way, because you don't want to create one and then just enable it without understanding exactly how it's going to affect your users. That's where a policy without conditional access is really handy.
Two topics: conditional access with Intune, device-based and app-based. The compliance criteria is used as a conditional access signal. The condition is: is the device compliant or not? That's the condition.
Creating conditional access policies based on compliance is pretty simple.
So we're going to get into the Microsoft Endpoint Manager admin center. We're going to click on Devices, because we're doing it based on devices. Under Policy we go to Compliance policies. When that comes up, we click on Policies and then Create policy. Simple as that.
When you create a policy, it'll immediately ask you about the platform, because they're platform specific, right? So in this screenshot, we can choose what platform we want this device policy to apply to. For example, we're going to use an iOS compliance policy. Give it a name, give it a description. When we go to the compliance settings, this is where we can actually take our signals and craft them into a policy.
For this example, we want to block jailbroken devices. We don't want them allowed, so we're going to select that in the compliance policy. If it's jailbroken, we don't want it; you're going to be noncompliant as part of this policy.
Actions for noncompliance: we want to mark it noncompliant. We want to say, hey, this jailbroken device is not compliant. Once it's marked noncompliant, then we can use that as a measuring stick, and we can apply the trigger to it.
We assign it, we have All users assigned, and then we're going to review and create. So we're going to create a noncompliance policy for jailbroken devices with iOS. If you have an Android jailbroken device enrolled, this policy will not apply, because it doesn't fall under the iOS platform.
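The walkthrough above (the iOS policy that blocks jailbroken devices, marked noncompliant immediately and assigned to all users) and the earlier point that compliance is the signal a conditional access policy acts on, written out as Microsoft Graph request bodies. This is an added example, not from the course or from Microsoft; the Graph endpoints and property names are the ones I know from the API, the `ruleName` value is an assumption, and the device records and the two evaluation functions are a constructed model of the if/then logic, not Intune's real compliance engine.

```python
def ios_block_jailbroken_policy():
    """POST body for deviceManagement/deviceCompliancePolicies: jailbroken iOS -> noncompliant at once."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS - block jailbroken devices",
        "securityBlockJailbrokenDevices": True,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",  # name Intune's own policies carry; an assumption here
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}],  # 0 h: immediate
        }],
    }

def all_users_assignment():
    """POST body for deviceCompliancePolicies/{id}/assign: the 'All users' assignment from the walkthrough."""
    return {"assignments": [{"target": {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}

def require_compliant_device_ca_policy():
    """POST body for identity/conditionalAccess/policies: compliance is the signal; report-only while staging."""
    return {
        "displayName": "iOS - require compliant device",
        "state": "enabledForReportingButNotEnforced",  # switch to "enabled" once the report-only results look right
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }

def compliance_state(device, policy):
    """Toy model of the platform-specific check (not Intune's engine): an iOS policy ignores Android."""
    if device["os"] != "iOS":
        return "not applicable"
    if policy["securityBlockJailbrokenDevices"] and device["jailbroken"]:
        return "noncompliant"
    return "compliant"

def access_decision(device, compliance_policy, ca_policy):
    """The if/then: compliant -> grant; noncompliant -> block, or only report while the CA policy is staged."""
    if device["os"] not in ca_policy["conditions"]["platforms"]["includePlatforms"]:
        return "out of scope"
    if compliance_state(device, compliance_policy) == "compliant":
        return "grant"
    return "block" if ca_policy["state"] == "enabled" else "report-only"

# Constructed sample devices (not real Intune records).
DEVICES = [{"name": "iphone-ok", "os": "iOS", "jailbroken": False},
           {"name": "iphone-jb", "os": "iOS", "jailbroken": True},
           {"name": "pixel-rooted", "os": "Android", "jailbroken": True}]
```

Running `access_decision` over `DEVICES` shows the rooted Android phone is simply out of scope of an iOS-only policy, which is the lesson's point about platform-specific policies: it needs its own Android policy to be caught.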
Quiz time. Device-based and app-based are the two types of conditional access with Intune: true or false? What do you think?
Great, the answer is true. Device-based and app-based conditional access, those are the two types.
Monitoring enrolled devices: Intune stores audit logs of all activities that generate changes. The history of devices is available, as well as the history of actions, such as actions by policy, taken against or for those devices.
So, to recap the lesson: device compliance policies can be used in Intune to make sure specific settings are configured, a baseline. A policy is either going to have a conditional access association, or no action associated with it so it serves as a reporting or discovery policy. Both have their unique use cases and both are beneficial in their own way. Intune audits and logs device events.
I hope you learned a little bit about device policies. Hope to see you for the next lesson. Thank you.