Middlebury

Difference between revisions of "Secure Storage MDM Enrollment"

Line 2: Line 2:
 
=== <span style="font-size:larger">'''Introduction'''</span> ===
 
=== <span style="font-size:larger">'''Introduction'''</span> ===
  
Zero-Touch deployment is a new method for provisioning College-issued, primary-user&nbsp;PC computers. This method of deployment replaces&nbsp;the need for an ITS staff member&nbsp;to prepare computers before they are deployed to the client. With Zero-Touch, a computer can be delivered directly to a client without ever needing to be physically handled by ITS.
+
Middlebury is introducing secure storage for sensitive data. We will use Microsoft Teams and its underlying SharePoint infrastructure to store this data, restrict access to appropriate users and secured devices, and ensure organizational compliance with our DCP (Data Classification Policy).
  
=== <span style="font-size:larger">'''How does it work?'''</span> ===
+
The DCP can be found here:&nbsp;[https://www.middlebury.edu/office/information-technology-services/policies/information-security-policies/data-classification-policy https://www.middlebury.edu/office/information-technology-services/policies/information-security-policies/data-classification-policy]
  
Microsoft has a pair of programs,&nbsp;Autopilot and Intune, which allow&nbsp;organizations to register devices to automatically receive software and policies over the internet.&nbsp;When a registered computer is turned on for the first time, it checks Microsoft's Autopilot servers to determine any intial settings to apply. Middlebury machines then provide a streamlined Out of Box Experience (OOBE) and prompt&nbsp;for Middlebury user credentials.&nbsp;
+
ITS will work with your team to configure secure storage. Once setup is complete, a “Sensitive” label will be visible for the secure team at the top of the Teams app and the top of its SharePoint site.
  
These credentials are used to join the device to our authentication domain (Azure Active Directory) as well as enroll it in Intune, our Mobile Device Management (MDM) service. Intune will install required software (such as Antivirus) and enforce essential policies (such as drive encryption). It will also install the "Company Portal", providing a streamlined interface for optional software you may want installed (such as Firefox, Zoom,&nbsp;Office 365, etc...).
+
One requirement to access sensitive data normally is that your device is enrolled in Middlebury’s MDM, or Mobile Device Management. This allows Middlebury to remotely install software, determine if your device is encrypted and compliant with organizational policies, as well as lock or erase the device if it is lost or otherwise compromised.
  
=== <span style="font-size:larger">'''Deployment Steps:'''</span> ===
+
If you attempt to access sensitive data from an unmanaged device, you will be limited to “web only” access. Essentially, you will be able to view and change Office files using the web interface, but you will not be able to download, print, or sync data to your device.
  
You will go through a customized version of the Windows 10 "Out Of Box Experience". If you have purchased and setup your own Windows PC, most of this will look familiar.&nbsp;For the most part, this is simply a matter of getting your computer connected to the internet, clicking "Next" multiple times and logging in with your Middlebury email address and password. Here are the steps and screens you can expect to see.
+
=== <span style="font-size:larger">'''MDM Enrollment Steps'''</span> ===
  
First, unbox and plug your computer into a wall power outlet. '''Connect directly to your network via an ethernet cable if possible and power on the computer. If you are connected to ethernet and the device is running the latest version of Windows, it will automatically go to step 8.'''
+
#First, [[Ms-device-enrollment:?mode=mdm|click here to start the enrollment process.]]  
 
+
#Confirm that you want to switch apps by clicking “Yes”.  
*MFA Note: the MFA prompts will not appear if you are performing setup on campus.&nbsp;
+
#Enter your Middlebury email address and password, then complete the MFA prompt if you are off campus.  
 
+
#If authentication is successful, you will see the following screen.  
#Choose the region. This defaults to the United States, so you can simply press "enter" or click "Yes".<br/> [[File:AutopilotSetup-1.jpg|400px|AutopilotSetup-1.jpg]]&nbsp;<br/> #Choose your keyboard layout. This defaults to a US keyboard, so you can simply press "enter" or click "Yes".<br/> [[File:AutopilotSetup-2.jpg|400px|AutopilotSetup-2.jpg]]&nbsp;<br/> #Unless needed, skip adding a second keyboard layout.<br/> [[File:AutopilotSetup-3.jpg|400px|AutopilotSetup-3.jpg]]&nbsp;<br/> #A hard-wired ethernet connection is best, but you are welcome to connect via WiFi if that is the only internet connection available.<br/> [[File:AutopilotSetup-4.jpg|400px|AutopilotSetup-4.jpg]]<br/> [[File:AutopilotSetup-5.jpg|400px|AutopilotSetup-5.jpg]]&nbsp;<br/> #Once connected, confirm you want to allow network discovery (click yes).<br/> [[File:AutopilotSetup-6.jpg|400px|AutopilotSetup-6.jpg]]&nbsp;<br/> #Click “Next” after the connection is complete.<br/> [[File:AutopilotSetup-7.jpg|400px|AutopilotSetup-7.jpg]]&nbsp;<br/> #The computer will reboot.<br/> [[File:AutopilotSetup-8.jpg|400px|AutopilotSetup-8.jpg]]&nbsp;<br/> #Enter your Middlebury email address (complete with “@middlebury.edu”). This setup phase links your computer to Middlebury resources and makes you a local administrator.<br/> [[File:AutopilotSetup-9.jpg|400px|AutopilotSetup-9.jpg]]&nbsp;<br/> #Enter your Middlebury password.<br/> [[File:AutopilotSetup-10.jpg|400px|AutopilotSetup-10.jpg]]&nbsp;<br/> #Complete the MFA (multi-factor authentication) process if you are off-campus. This step will not happen if you are connected to the Middlebury campus network.<br/> [[File:AutopilotSetup-11.jpg|400px|AutopilotSetup-11.jpg]]&nbsp;<br/> #Your computer will now automatically install settings from Middlebury. This can take between 5-25 minutes depending on your internet speeds. The computer will reboot once or twice during this phase while it installs essential apps like Antivirus and OneDrive.<br/> [[File:AutopilotSetup-12.jpg|400px|AutopilotSetup-12.jpg]]<br/> [[File:AutopilotSetup-13.jpg|400px|AutopilotSetup-13.jpg]]<br/> [[File:AutopilotSetup-14.jpg|400px|AutopilotSetup-14.jpg]]&nbsp;<br/> #Login, allow initial account setup to complete, and complete the MFA prompt a second time if you are off-campus. The MFA prompt will not appear if you are connected to the Middlebury campus network.<br/> [[File:AutopilotSetup-15.jpg|400px|AutopilotSetup-15.jpg]]<br/> [[File:AutopilotSetup-16.jpg|400px|AutopilotSetup-16.jpg]]<br/> [[File:AutopilotSetup-17.jpg|400px|AutopilotSetup-17.jpg]]&nbsp;<br/> #It will now show the setup screen again while it installs user specific applications and settings. Unless the computer is connected to the Middlebury Ethernet or wireless networks during setup, you should NOT click “Continue anyway”, as there may be another sign in request prompt (and that will not appear once you are logged in).<br/> [[File:AutopilotSetup-18.jpg|400px|AutopilotSetup-18.jpg]]&nbsp;<br/> #You are now logged in and ready to access Middlebury apps and other resources. You may install your preferred browser and other apps now.<br/> [[File:AutopilotSetup-19.jpg|400px|AutopilotSetup-19.jpg]]&nbsp;<br/> #To access the “Company Portal” for many Middlebury provided apps, go to the start menu and click on “Company Portal”. You can also search in the taskbar search field.[[File:Company Portal in Start.png|400px|Company Portal in Start.png]]&nbsp;<br/> #Here you can install apps like Microsoft Office, Pulse VPN, and Jabber.<br/> [[File:Company Portal.png|400px|Company Portal.png]]&nbsp;
+
#To confirm that your device is enrolled, open the “Settings” app, then navigate to Accounts”, then “Access work or school” and you can see that you are connected to Middlebury College MDM.  
 
 
From here you can download and install whatever applications&nbsp;you need, including Zoom, third party browsers, or any other specialized software. We are constantly working on streamlining the process, so you can expect to find more apps present in the Company Portal over time.
 
  
 
&nbsp;<br/> &nbsp;
 
&nbsp;<br/> &nbsp;

Revision as of 15:25, 8 September 2020

Introduction

Middlebury is introducing secure storage for sensitive data. We will use Microsoft Teams and its underlying SharePoint infrastructure to store this data, restrict access to appropriate users and secured devices, and ensure organizational compliance with our DCP (Data Classification Policy).

The DCP can be found here: https://www.middlebury.edu/office/information-technology-services/policies/information-security-policies/data-classification-policy

ITS will work with your team to configure secure storage. Once setup is complete, a “Sensitive” label will be visible for the secure team at the top of the Teams app and the top of its SharePoint site.

One requirement to access sensitive data normally is that your device is enrolled in Middlebury’s MDM, or Mobile Device Management. This allows Middlebury to remotely install software, determine if your device is encrypted and compliant with organizational policies, as well as lock or erase the device if it is lost or otherwise compromised.

If you attempt to access sensitive data from an unmanaged device, you will be limited to “web only” access. Essentially, you will be able to view and change Office files using the web interface, but you will not be able to download, print, or sync data to your device.

MDM Enrollment Steps

  1. First, [here to start the enrollment process.]
  2. Confirm that you want to switch apps by clicking “Yes”.
  3. Enter your Middlebury email address and password, then complete the MFA prompt if you are off campus.
  4. If authentication is successful, you will see the following screen.
  5. To confirm that your device is enrolled, open the “Settings” app, then navigate to Accounts”, then “Access work or school” and you can see that you are connected to Middlebury College MDM.