Middlebury

Difference between revisions of "Secure Storage MDM Enrollment"

 
(35 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  
<br/> <span style="font-size:larger">'''Introduction'''</span>
+
=== <span style="font-size:larger">'''Introduction'''</span> ===
  
Zero-Touch deployment is a new method for provisioning College-issued, primary-user&nbsp;PC computers. This method of deployment replaces&nbsp;the need for an ITS staff member&nbsp;to prepare computers before they are deployed to the client. With Zero-Touch, a computer can be delivered directly to a client without ever needing to be physically handled by ITS.
+
Middlebury is introducing secure storage for sensitive data. We will use Microsoft Teams and its underlying SharePoint infrastructure to store this data, restrict access to appropriate users and secured devices, and ensure organizational compliance with our DCP (Data Classification Policy).
  
=== <span style="font-size:larger">'''How does it work?'''</span> ===
+
The [https://www.middlebury.edu/office/information-technology-services/policies/information-security-policies/data-classification-policy DCP can be found here.]
  
Microsoft has a pair of programs,&nbsp;Autopilot and Intune, which allow&nbsp;organizations to register devices to automatically receive software and policies over the internet.&nbsp;When a registered computer is turned on for the first time, it checks Microsoft's Autopilot servers to determine any intial settings to apply. Middlebury machines then provide a streamlined Out of Box Experience (OOBE) and prompt&nbsp;for Middlebury user credentials.&nbsp;
+
ITS will work with your team to configure secure storage. Once setup is complete, a “Sensitive” label will be visible for the secure team at the top of the Teams app and the top of its SharePoint site.
  
These credentials are used to join the device to our authentication domain (Azure Active Directory) as well as enroll it in Intune, our Mobile Device Management (MDM) service. Intune will install required software (such as Antivirus) and enforce essential policies (such as drive encryption). It will also install the "Company Portal", providing a streamlined interface for optional software you may want installed (such as Firefox, Zoom,&nbsp;Office 365, etc...).
+
[[File:SecureStorage-TeamLabel.png|500px|SecureStorage-TeamLabel.png]]
  
=== <span style="font-size:larger">'''Deployment Steps:'''</span> ===
+
One requirement to access sensitive data normally is that your device is enrolled in Middlebury’s MDM, or Mobile Device Management. This allows Middlebury to remotely install software, determine if your device is encrypted and compliant with organizational policies, as well as lock or erase the device if it is lost or otherwise compromised.
  
You will go through a customized version of the Windows 10 "Out Of Box Experience". If you have purchased and setup your own Windows PC, most of this will look familiar.&nbsp;For the most part, this is simply a matter of getting your computer connected to the internet, clicking "Next" multiple times and logging in with your Middlebury email address and password. Here are the steps and screens you can expect to see.
+
If you attempt to access sensitive data from an unmanaged device, you will be blocked from access via an error page. &nbsp;
  
First, unbox and plug your computer into a wall power outlet. '''Connect directly to your network via an ethernet cable if possible and power on the computer. If you are connected to ethernet and the device is running the latest version of Windows, it will automatically go to step 8.'''
 
  
*MFA Note: the MFA prompts will not appear if you are performing setup on campus.&nbsp;
 
  
#Choose the region. This defaults to the United States, so you can simply press "enter" or click "Yes".<br/> [[File:AutopilotSetup-1.jpg|400px|AutopilotSetup-1.jpg]]&nbsp;<br/> #Choose your keyboard layout. This defaults to a US keyboard, so you can simply press "enter" or click "Yes".<br/> [[File:AutopilotSetup-2.jpg|400px|AutopilotSetup-2.jpg]]&nbsp;<br/> #Unless needed, skip adding a second keyboard layout.<br/> [[File:AutopilotSetup-3.jpg|400px|AutopilotSetup-3.jpg]]&nbsp;<br/> #A hard-wired ethernet connection is best, but you are welcome to connect via WiFi if that is the only internet connection available.<br/> [[File:AutopilotSetup-4.jpg|400px|AutopilotSetup-4.jpg]]<br/> [[File:AutopilotSetup-5.jpg|400px|AutopilotSetup-5.jpg]]&nbsp;<br/> #Once connected, confirm you want to allow network discovery (click yes).<br/> [[File:AutopilotSetup-6.jpg|400px|AutopilotSetup-6.jpg]]&nbsp;<br/> #Click “Next” after the connection is complete.<br/> [[File:AutopilotSetup-7.jpg|400px|AutopilotSetup-7.jpg]]&nbsp;<br/> #The computer will reboot.<br/> [[File:AutopilotSetup-8.jpg|400px|AutopilotSetup-8.jpg]]&nbsp;<br/> #Enter your Middlebury email address (complete with “@middlebury.edu”). This setup phase links your computer to Middlebury resources and makes you a local administrator.<br/> [[File:AutopilotSetup-9.jpg|400px|AutopilotSetup-9.jpg]]&nbsp;<br/> #Enter your Middlebury password.<br/> [[File:AutopilotSetup-10.jpg|400px|AutopilotSetup-10.jpg]]&nbsp;<br/> #Complete the MFA (multi-factor authentication) process if you are off-campus. This step will not happen if you are connected to the Middlebury campus network.<br/> [[File:AutopilotSetup-11.jpg|400px|AutopilotSetup-11.jpg]]&nbsp;<br/> #Your computer will now automatically install settings from Middlebury. This can take between 5-25 minutes depending on your internet speeds. 
The computer will reboot once or twice during this phase while it installs essential apps like Antivirus and OneDrive.<br/> [[File:AutopilotSetup-12.jpg|400px|AutopilotSetup-12.jpg]]<br/> [[File:AutopilotSetup-13.jpg|400px|AutopilotSetup-13.jpg]]<br/> [[File:AutopilotSetup-14.jpg|400px|AutopilotSetup-14.jpg]]&nbsp;<br/> #Login, allow initial account setup to complete, and complete the MFA prompt a second time if you are off-campus. The MFA prompt will not appear if you are connected to the Middlebury campus network.<br/> [[File:AutopilotSetup-15.jpg|400px|AutopilotSetup-15.jpg]]<br/> [[File:AutopilotSetup-16.jpg|400px|AutopilotSetup-16.jpg]]<br/> [[File:AutopilotSetup-17.jpg|400px|AutopilotSetup-17.jpg]]&nbsp;<br/> #It will now show the setup screen again while it installs user specific applications and settings. Unless the computer is connected to the Middlebury Ethernet or wireless networks during setup, you should NOT click “Continue anyway”, as there may be another sign in request prompt (and that will not appear once you are logged in).<br/> [[File:AutopilotSetup-18.jpg|400px|AutopilotSetup-18.jpg]]&nbsp;<br/> #You are now logged in and ready to access Middlebury apps and other resources. You may install your preferred browser and other apps now.<br/> [[File:AutopilotSetup-19.jpg|400px|AutopilotSetup-19.jpg]]&nbsp;<br/> #To access the “Company Portal” for many Middlebury provided apps, go to the start menu and click on “Company Portal”. You can also search in the taskbar search field.[[File:Company Portal in Start.png|400px|Company Portal in Start.png]]&nbsp;<br/> #Here you can install apps like Microsoft Office, Pulse VPN, and Jabber.<br/> [[File:Company Portal.png|400px|Company Portal.png]]&nbsp;
+
=== <span style="font-size:larger">'''Windows MDM Enrollment Steps'''</span> ===
  
From here you can download and install whatever applications&nbsp;you need, including Zoom, third party browsers, or any other specialized software. We are constantly working on streamlining the process, so you can expect to find more apps present in the Company Portal over time.
+
#First, please click here to start the enrollment process: [ms-device-enrollment:?mode=mdm enroll] &nbsp;
 +
#Confirm that you want to switch apps by clicking “Open”.<br/> [[File:MDM-TryingToOpenMicrosoftAccount.PNG|500px|MDM-TryingToOpenMicrosoftAccount.PNG]] &nbsp;  
 +
#Enter your Middlebury email address and password, then complete the MFA prompt if you are off campus.<br/> [[File:MDM-SetupWorkOrSchool.png|500px|MDM-SetupWorkOrSchool.png]]
 +
#If authentication is successful, you will see the following screen.<br/> [[File:MDM-SettingUp.png|500px|MDM-SettingUp.png]]
 +
#To confirm that your device is enrolled, open the “Settings” app, then navigate to Accounts”, then “Access work or school” and you can see that you are connected to Middlebury College MDM.<br/> [[File:MDM-SettingsConfirmation.png|500px|MDM-SettingsConfirmation.png]]
  
&nbsp;<br/> &nbsp;
+
&nbsp;
 +
 
 +
=== <span style="font-size:larger">'''Mac MDM Enrollment Steps'''</span> ===
 +
 
 +
#Open the "Self Service" application.
 +
#Search for "Microsoft" to find&nbsp;"Microsoft Endpoint Manager" and click "Secure Mac"<br/> [[File:SelfService MEM.png|500px|SelfService MEM.png]]<br/> &nbsp;
 +
#Click "Secure Mac" again to start installing the "Company Portal"<br/> [[File:SelfService MEM 2.png|500px|SelfService MEM 2.png]]<br/> &nbsp;  
 +
#Once installation is complete, the Company Portal app will open. Click "Sign In"<br/> [[File:Mdm-mac-CompanyPortal.png|500px|Mdm-mac-CompanyPortal.png]]
 +
#Login with your Middlebury email address and password, completing MFA if necessary.
 +
#Enter your password again at the macOS keychain prompt and click "Allow"<br/> [[File:Mdm-mac-keychain.png|500px|Mdm-mac-keychain.png]]
 +
#Once you are logged in, the app will inform you of your device registration, then showing this success screen:<br/> [[File:Mdm-mac-complete.png|500px|Mdm-mac-complete.png]]
 +
#Jamf Self Service moves onto final cleanup steps (now that the device is registered), then reports as finished.<br/> [[File:Mdm-mac-installing.png|500px|Mdm-mac-installing.png]]
 +
#Note that while the Company Portal bears some resemblance to the Jamf Self Service app, they serve different complementary functions. This banner is found at the bottom of the Company Portal:<br/> [[File:Mdm-mac-banner.png|500px|Mdm-mac-banner.png]]
 +
#Upon next login with the Company Portal, there will be a prompt to allow/block notifications from the application.
 +
 
 +
&nbsp;
 +
 
 +
[[Category:Pages with broken file links]]
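Review bot: the enrollment link in the new Windows step 1, `[ms-device-enrollment:?mode=mdm enroll]`, uses a URL scheme that MediaWiki does not link by default (external links are limited to the protocols in $wgUrlProtocols), so confirm on the saved page that "enroll" renders as a clickable link and not as literal text; if it does not, the scheme must be whitelisted or the step reworded to tell the reader how to reach the "Access work or school" enrollment page manually. Two smaller points in the same hunk: the page is now tagged `[[Category:Pages with broken file links]]`, so at least one of the added `[[File:...]]` references does not resolve to an uploaded file and each image name should be checked; and in Windows step 5 `Accounts”` is missing its opening quotation mark (`“Accounts”`). The trailing `&nbsp;` lines after both step lists add only blank space and can be dropped.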

Latest revision as of 18:32, 4 December 2020

Introduction

Middlebury is introducing secure storage for sensitive data. We will use Microsoft Teams and its underlying SharePoint infrastructure to store this data, restrict access to appropriate users and secured devices, and ensure organizational compliance with our DCP (Data Classification Policy).

The DCP can be found here.

ITS will work with your team to configure secure storage. Once setup is complete, a “Sensitive” label will be visible for the secure team at the top of the Teams app and the top of its SharePoint site.

SecureStorage-TeamLabel.png

One requirement to access sensitive data normally is that your device is enrolled in Middlebury’s MDM, or Mobile Device Management. This allows Middlebury to remotely install software, determine if your device is encrypted and compliant with organizational policies, as well as lock or erase the device if it is lost or otherwise compromised.

If you attempt to access sensitive data from an unmanaged device, you will be blocked from access via an error page.

Windows MDM Enrollment Steps

  1. First, please click here to start the enrollment process: enroll (the link opens ms-device-enrollment:?mode=mdm, the Windows "Access work or school" enrollment page).
  2. Confirm that you want to switch apps by clicking “Open”.
    MDM-TryingToOpenMicrosoftAccount.PNG  
  3. Enter your Middlebury email address and password, then complete the MFA prompt if you are off campus.
    MDM-SetupWorkOrSchool.png
  4. If authentication is successful, you will see the following screen.
    MDM-SettingUp.png
  5. To confirm that your device is enrolled, open the “Settings” app, then navigate to “Accounts”, then “Access work or school”, and you can see that you are connected to Middlebury College MDM.
    MDM-SettingsConfirmation.png
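For a scripted version of the step 5 check, the following is an added example (not part of the Middlebury article or of any Microsoft tooling) for an elevated Windows 10 PowerShell prompt. It assumes dsregcmd.exe is present (it ships with Windows 10) and that the Intune enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server"; the registry layout is an assumption to verify on your own build, and the ms-device-enrollment: link it suggests is the one from step 1.

```powershell
# Added example, not the article's own procedure: report Azure AD join and Intune
# MDM enrollment state, the same facts Settings > Accounts > "Access work or school" shows.
# Assumption: Intune writes its enrollment under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>
# with ProviderID "MS DM Server" and the enrolling UPN in the UPN value.

function Get-DsregValue {
    # Pull one "Name : value" field out of the lines printed by dsregcmd /status.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-MdmEnrollmentReport {
    $status = dsregcmd /status
    $report = [ordered]@{
        AzureAdJoined = Get-DsregValue -Lines $status -Name 'AzureAdJoined'
        TenantName    = Get-DsregValue -Lines $status -Name 'TenantName'
        MdmUrl        = Get-DsregValue -Lines $status -Name 'MdmUrl'
        IntuneUpn     = $null
    }
    # Each enrollment is a GUID-named subkey; non-GUID subkeys have no ProviderID and are skipped.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ProviderID -eq 'MS DM Server') {
            $report.IntuneUpn = $props.UPN
            break
        }
    }
    [pscustomobject]$report
}

$r = Get-MdmEnrollmentReport
$r | Format-List

if ($r.AzureAdJoined -eq 'YES' -and $r.IntuneUpn) {
    Write-Host "Enrolled in MDM as $($r.IntuneUpn); the device should pass the managed-device check."
} else {
    Write-Host 'No Intune enrollment found; start enrollment with the link from step 1:'
    Write-Host '  Start-Process "ms-device-enrollment:?mode=mdm"'
}
```

A device that reports AzureAdJoined YES but no Intune UPN is joined to the directory but not managed, and will still hit the error page described above when it opens the Sensitive team.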


Mac MDM Enrollment Steps

  1. Open the "Self Service" application.
  2. Search for "Microsoft" to find "Microsoft Endpoint Manager" and click "Secure Mac"
    SelfService MEM.png
  3. Click "Secure Mac" again to start installing the "Company Portal"
    SelfService MEM 2.png
  4. Once installation is complete, the Company Portal app will open. Click "Sign In"
    Mdm-mac-CompanyPortal.png
  5. Login with your Middlebury email address and password, completing MFA if necessary.
  6. Enter your password again at the macOS keychain prompt and click "Allow"
    Mdm-mac-keychain.png
  7. Once you are logged in, the app will inform you of your device registration, then showing this success screen:
    Mdm-mac-complete.png
  8. Jamf Self Service moves onto final cleanup steps (now that the device is registered), then reports as finished.
    Mdm-mac-installing.png
  9. Note that while the Company Portal bears some resemblance to the Jamf Self Service app, they serve different complementary functions. This banner is found at the bottom of the Company Portal:
    Mdm-mac-banner.png
  10. Upon next login with the Company Portal, there will be a prompt to allow/block notifications from the application.
