Microsoft Intune Privacy and Data Protection Overview
March 2018

The Microsoft Intune service can help organizations manage and secure mobile devices, applications, and PCs across Windows, Windows Phone, Apple iOS and macOS, and Google Android platforms. Because it is cloud-based and hosted in Microsoft's data centers, Intune requires no additional infrastructure, but organizations can use the service to extend existing management infrastructure into the cloud. In addition to enhancing device security by providing update and policy management, Intune can help organizations give employees access on their own devices to the apps and resources they need, making Bring Your Own Device (BYOD) programs a reality.

Relying on Microsoft Intune to manage organizations' devices requires trust, but before customers give that trust, they want to know the answer to questions like:
- Who can access their data and how is it used?
- Where does Microsoft store their data?
- How is their data secured in the data center and on the move?
- Is the privacy of their data assured, and who owns the data?
- What organizations have independently verified Microsoft Intune?

Microsoft takes its responsibility to protect customers' data seriously, and we are committed to providing the answers you need to trust Intune. We have applied our many years of cloud and on-premises experience with security and privacy to our management of Microsoft Intune. This white paper offers an overview of how we help secure your data and protect its privacy. Of course, the technical details in this white paper are subject to change, but our commitment to the protection of your data and devices will not waver.

Physical security

Security for the service starts in the data center. The Microsoft Cloud Infrastructure and Operations Group (MCIO) delivers the core infrastructure and foundational technologies for Microsoft's more than 200 online businesses, including Bing, Hotmail, MSN, Microsoft Office 365, Xbox Live, and the Microsoft Azure platform. MCIO hosts Microsoft Intune in its data centers, which are strategically located around the world. It brings all of this experience to Intune.

MCIO controls personnel physical access to data centers by using two-tier authentication, including proxy card access readers and biometric readers. On a quarterly basis, a Microsoft security officer sends reports to personnel with authority to approve data center access. Authorized personnel regularly review the list to verify that all people on that list still require access and have the least privileged access level necessary to perform their job functions.

Respected non-Microsoft registrars and accreditation organizations regularly audit MCIO data centers in support of multiple industry and regulatory certifications. The complete list is located on the Microsoft Trust Center website, categorized by service offering.

Microsoft recognizes that security is an ongoing process, not a steady state. Therefore, experienced and trained personnel constantly maintain, enhance and verify our infrastructure. We use up-to-date software, hardware technologies, and processes for designing, building, operating, and supporting our services. To learn more about MCIO, visit http:/

Personnel security

Security starts with people, and Intune is no exception. Beginning with the hiring process, all Microsoft employees and contingent staff with access to customer data go through standard background checks as permitted by law. For U.S.-based personnel, this includes a review of candidates' education, employment, and criminal history. In addition to standard background checks for all new personnel, personnel must undergo additional background checks if they are to have access to customer data or manage key datacenters. Background checks are re-performed on a regular cadence for any employees or contingent staff with physical or logical access to customer data. To protect the privacy of its employees and subcontractors, Microsoft does not share the results of background checks with customers.

Microsoft also requires that all personnel complete business conduct training each year. Security awareness, data protection, and privacy are key topics of this training.

We follow principles of segregation of duties and least privilege. Although physical access to data centers is generally limited to MCIO staff, select Microsoft Intune personnel have logical access to the Microsoft Intune service and data hosted in the data centers. Employees are accountable for their handling of customer data. Microsoft enforces this accountability through a process that includes system controls, such as the use of unique user names, role-based access, and multi-factor authentication. As with physical access to the data centers, we review logical access periodically to help ensure that only appropriate access is granted to relevant customer data, such as contact information, machine details, and user information.

Architecture security

The following sections offer an overview of security for architectural components, including:
- Client installation and enrollment on PCs
- Mobile devices, such as smart phones and tablets
- Account, Administrator, and Company Portals
- Identity and authentication
- System Center Configuration Manager

[Figure: Microsoft Intune architectural components: Client installation on PCs; Mobile devices; Account, Administrator, and Company Portals; Identity and authentication; System Center Configuration Manager]

Client installation and enrollment on mobile devices and PCs

Each mobile platform uses its own proprietary processes and security models to help secure client installation on mobile devices. For example, the security measures of the Windows Store, Google Play, and Apple App Store contribute to the security of the client software. Microsoft follows the rules each store has set up for publishing our Company Portal apps into them.

For Android, iOS mobile devices and Windows Phone, Microsoft uses Secure Sockets Layer (SSL) to help secure communication between each device and the Intune service. Intune communicates with iOS devices by using the Apple Notification Service. Intune uses a certificate, which the administrator must download from the Apple Push Certificates Portal, to talk to the Apple Mobile Device Management service. For current versions of Windows Phone, the Windows 10 Push Notification Service is used, and for Android devices, Google Cloud Messaging is used. For more information about planning and setting up management of mobile devices, see the following article: https://…/device-enrollment

The PC enrollment process is documented in the article Manage computers with Microsoft Intune at https://…/intune-classic/deploy-use/manage-windows-pcs-with-microsoft-intune

Only a customer's Intune administrator can use the Administrator portal to download client software. End users with existing Intune accounts can download and install client software from the Company Portal after they complete the self-enrollment process. Client installation requires elevated permissions, which helps protect the PC from malicious installation. (You can deploy the client software to standard users by using Group Policy or an electronic software distribution [ESD] system like System Center Configuration Manager.) If organizations choose to distribute the client software by using a file share or an ESD system, they should take steps to prevent unauthorized access to it (for example, use access control lists to secure it).

Account, Administrator, and Company Portals

Intune provides the following portals:

Azure Management portal: This portal provides the service and user account management interface to the Intune online service. The account administrator uses this portal to manage user accounts, user groups, domain names, passwords (if configured), and subscriptions for the Intune service. The admin can also set policies and enrollment rules. Learn more about Microsoft Intune in the Azure portal in the following articles:
- https://…/intune/what-is-intune
- https://…/intune/ui-changes

Company Portal: Users can see machine status, download software, and contact their company's IT support through the web-based Company Portal. To access the Company Portal, a user must be granted access by the administrator and enroll their device.

Additionally, a Silverlight application/portal exists to support legacy Windows PC client management capabilities.

All three portals use SSL to secure communication with the web browser. Sessions have an inactivity timeout; that is, after a period of no activity, the user's session is ended, and the user must sign into the portal again.

NOTE: Organizations can configure the Remember Me option in Active Directory Federation Services (AD FS) to automatically sign users in for a specific time frame. This configuration supersedes the total timeout in Intune.

Identity and authentication

Intune uses Azure Active Directory (Azure AD) as its authentication platform. To provide users with a single sign-on (SSO) experience, businesses can connect their on-premises directories with Azure AD. The Intune administrator then adds users to the Intune user group, giving them seamless access to Intune when they sign into the corporate network. There are two options for authentication when connected to Azure AD: Federation with AD FS and Password Sync. With AD FS, users' credentials never leave the domain network, while with Password Sync the hash of users' passwords is synchronized to the cloud. Use the latest directory integration tools from Microsoft in order to configure single sign-on for Intune. For more information about connecting on-premises directories to the cloud, see the article at

Mobile Application Management

Microsoft Intune allows you, as the IT admin, to manage the mobile apps that your company's workforce uses. This functionality allows admins to perform a variety of app management capabilities, including protecting company data in apps with App Protection policies. To learn more about app-based conditional access with Intune, see the following article: https://…/intune/app-based-conditional-access-intune

System Center Configuration Manager

Organizations can integrate Intune with System Center Configuration Manager. This combination helps provide a
Intune queues messages for System Center Configuration Manager, and the site uploads or downloads them. Intune does not initiate communications with System Center Configuration Manager.