<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Valentin Picard, Auteur</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/valentin-picardwavestone-com/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/author/valentin-picardwavestone-com/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 02 Jul 2026 08:27:55 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Valentin Picard, Auteur</title>
	<link>https://www.riskinsight-wavestone.com/author/valentin-picardwavestone-com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Securing mobile devices : Introduction to MDM (Mobile Device Management) </title>
		<link>https://www.riskinsight-wavestone.com/en/2026/07/securing-mobile-devices-introduction-to-mdm-mobile-device-management/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2026/07/securing-mobile-devices-introduction-to-mdm-mobile-device-management/#respond</comments>
		
		<dc:creator><![CDATA[Valentin Picard]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 15:23:48 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Enterprise Mobility Management]]></category>
		<category><![CDATA[Mobile Application Management]]></category>
		<category><![CDATA[Mobile Device Management]]></category>
		<category><![CDATA[Mobile Threat Detection]]></category>
		<category><![CDATA[Securing mobile devices]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=30299</guid>

					<description><![CDATA[<p>The increased professional use of mobile devices, mobile phones and tablets, as well as the forced adoption of remote work during the Covid crisis, have led to a multiplication of mobile work situations in companies. Two cases can be distinguished: remote work...</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2026/07/securing-mobile-devices-introduction-to-mdm-mobile-device-management/">Securing mobile devices : Introduction to MDM (Mobile Device Management) </a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;"><span data-contrast="auto">The increased professional use of mobile devices, mobile phones and tablets, as well as the forced adoption of remote work during the Covid crisis, have led to a multiplication of mobile work situations in companies. Two cases can be distinguished: remote work situations (at home, in a coworking space, etc.) and nomadic work situations (while travelling, in an airport, train, hotel, etc.).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">These new mobile uses, increasingly based on smartphones and tablets, introduce </span><b><span data-contrast="auto">new risks</span></b><span data-contrast="auto"> that must be controlled. Indeed, the company’s </span><b><span data-contrast="auto">attack surface</span></b><span data-contrast="auto"> increases considerably because of the very nature of these devices. The main risks associated with the use of mobile devices include :</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><span data-contrast="auto">Theft or loss of the device, and therefore in particular of locally stored data, which may lead to remote access to company data</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">The use of unmanaged mobile devices. This lack of control may enable risky behaviours such as the use of uncontrolled networks (e.g., public Wi-Fi), the installation of unmanaged third-party applications, delays in O/S security updates, or even mobile device jailbreaking</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Risky wired or wireless data exchange with other devices (e.g., USB synchronisation with a computer, AirDrop, etc.)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p> </p>
<p style="text-align: justify;"><span data-contrast="auto">The observations below confirm the reality of these threats. Indeed :</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><span data-contrast="auto">53% of mobile devices have access to more sensitive data than a year ago </span><i><span data-contrast="auto">(source: Akamai)</span></i><span data-contrast="auto">,</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">45% of organisations have recently faced a mobile-related compromise </span><i><span data-contrast="auto">(source: CTM)</span></i><span data-contrast="auto">,</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">85% of mobile phishing attacks occur outside email apps, through other vectors linked to mobile uses </span><i><span data-contrast="auto">(source: Verizon)</span></i><span data-contrast="auto">.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><i><span data-contrast="auto">Securing mobile devices cannot be effective without a clear corporate strategy defining authorised uses, control levels and associated responsibilities.</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:864,&quot;335559737&quot;:864,&quot;335559738&quot;:200,&quot;335559740&quot;:278}"> </span></p>
<p> </p>
<p style="text-align: justify;"><span data-contrast="auto">Mobile security has been postponed for a few years, with efforts focused on workstations, even though it can directly threaten the security of the information system. Thus, while GPOs (</span><i><span data-contrast="auto">Group Policy Objects</span></i><span data-contrast="auto">) were commonly used to manage computer fleets, mobile devices did not simply inherit this approach.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">To meet this need, historical providers of computer security solutions (Microsoft, Ivanti, IBM, etc.), as well as new players (ManageEngine), offer SaaS or on-premises software to address the need to manage and secure mobile devices: MDM solutions (</span><i><span data-contrast="auto">Mobile Device Management</span></i><span data-contrast="auto">).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Beyond actively contributing to securing a company’s mobile fleet, MDM improves the user experience by ensuring that users have an up-to-date device that continuously complies with company requirements.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In this article, we explain how to secure </span><span data-contrast="auto">corporate mobile devices</span><span data-contrast="auto"> using an MDM solution, which is a </span><i><span data-contrast="auto">must-have</span></i><span data-contrast="auto"> in the race to secure information systems, and share recommendations on their configuration.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;" aria-level="1"><span data-contrast="none">Mobile usage policies : a corporate strategy to define</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h1>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">In companies, mobile device usage policies have evolved significantly.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Today, we distinguish three of the most common usage models in organisations (detailed at the end of this section in Figure 1):</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><span data-contrast="auto">COBO – </span><i><span data-contrast="auto">Corporate-owned, business only</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">COPE – </span><i><span data-contrast="auto">Corporate-owned, personal enabled</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">BYOD – </span><i><span data-contrast="auto">Bring your own device</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">First, it is necessary to define the company’s strategy for these mobile uses: are mobile accesses authorised and legitimate from a business perspective? If so, many additional questions must be addressed when defining the corporate strategy:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><span data-contrast="auto">Which users are authorised (VIPs only, all internal users, external users as well, etc.)?</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Which types of mobile devices are authorised (company-owned, personal, or both)?</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Which applications or data may be accessed (email only, the full collaborative suite, etc.)?</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">This strategy is central to provide direction and guide the subsequent security efforts. It will make it possible to better target the risks applicable to the company, better control its information system and define rules that are consistent with authorised or unauthorised uses, while providing users with clarity on accepted and prohibited practices.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto"> </span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559740&quot;:278}"> <img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-30305" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image4.png" alt="" width="801" height="499" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image4.png 801w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image4-307x191.png 307w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image4-63x39.png 63w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image4-768x478.png 768w" sizes="(max-width: 801px) 100vw, 801px" /></span></p>
<p style="text-align: center;"><strong><i>Figure 1 : Mobile device management profiles</i> </strong></p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;" aria-level="1"><span data-contrast="none">Securing mobile devices through 4 tools : MDM, MAM, EMM and MTD</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h1>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">Before going into detail on MDM-like tools, it is worth to remind that several complementary solutions exist for securing mobile devices. These tools operate at several stages:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><strong>MDM (<i>Mobile Device Management</i></strong><span data-contrast="auto"><strong>) :</strong> fleet management and corporate device security tool (mainly at OS level)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><strong>MAM (<i>Mobile Application Management</i></strong><span data-contrast="auto"><strong>) :</strong> application management and security tool (mainly at application level)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><strong>EMM (<i>Enterprise Mobility Management</i></strong><span data-contrast="auto"><strong>) :</strong> a tool centralising MDM and MAM functionalities</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto"><strong>MTD (Mobile Threat Detection) :</strong> a tool for detecting attacks on mobile devices, similar to Endpoint Detection &amp; Response (EDR) for laptops (OS and application layers)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">The figure below illustrates this ecosystem within a mobile device:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-ccp-props="{&quot;134245418&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559740&quot;:278}"> <img decoding="async" class="aligncenter size-full wp-image-30307" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image3.png" alt="" width="903" height="570" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image3.png 903w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image3-303x191.png 303w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image3-62x39.png 62w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/07/Image3-768x485.png 768w" sizes="(max-width: 903px) 100vw, 903px" /></span></p>
<p style="text-align: center;"><strong><i>Figure 2 : The enterprise mobility security ecosystem</i></strong><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:200,&quot;335559740&quot;:240}"> </span></p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">An MDM, MAM or MTD does not address the same needs and secures the mobile fleet at different levels. The next sections of this article focus only on MDM.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">MDM solutions address the need to secure devices </span><b><span data-contrast="auto">owned by the company</span></b><span data-contrast="auto">, and therefore the </span><b><span data-contrast="auto">COBO</span></b><span data-contrast="auto"> and </span><b><span data-contrast="auto">COPE</span></b><span data-contrast="auto"> policies described above.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">A key consideration on BYOD: it is important to keep in mind that devices not owned by the company cannot be fully configured by the company. To secure the BYOD use case, i.e. access to company data and applications from an unmanaged device, MAM solutions can address the need by securing applications and creating a professional container.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In the rest of this article, the BYOD case is considered out of scope. Since the device belongs to the user or to a partner company, the company does not truly control the configuration and security of these devices, as it can hardly require the user to install certain configurations or applications, or to share certain device data. However, it is possible to harden access to the information system to make BYOD usage impossible, but this requires an in-depth impact analysis, considering all use cases (multi-factor authentication on mobile, management of partners and external providers, conflicts between fleet management tools, access to training, etc.).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;" aria-level="1"><i><span data-contrast="none">Mobile Device Management</span></i><span data-contrast="none"> at the heart of securing corporate mobile devices</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h1>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><i><span data-contrast="auto">Mobile Device Management</span></i><span data-contrast="auto"> tools make it possible to effectively administrate and secure a complete fleet of mobile devices through three core functions, which are detailed below:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><b><span data-contrast="auto">Fleet management :</span></b><span data-contrast="auto"> know and configure the devices accessing the information system, and deploy company or third-party applications.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Compliance control :</span></b><span data-contrast="auto"> ensure that devices comply with the company’s security policies and standards.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Security and hardening :</span></b><span data-contrast="auto"> implement security measures on devices to strengthen protection against threats.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"><strong><i>Note:</i></strong><i><span data-contrast="auto"> The following paragraphs aim to present features offered by most MDM solutions; the availability of the desired features should be verified before subscribing to any MDM solution.</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;" aria-level="2"><span data-contrast="none">Administering the corporate mobile device fleet: inventory, administration and provisioning</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">In response to security and regulatory requirements for device management, MDM centralises many mobile device management features in a single interface:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><b><span data-contrast="auto">Deploy/remove :</span></b><span data-contrast="auto"> MDM facilitates the provisioning of new corporate devices for IT teams, potentially remotely with installation of company configurations and business applications, as well as the removal of these configurations and the deletion of company-related data when needed, for example at end of device life, in case of suspected compromise or theft (wipe-out function).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Manage :</span></b><span data-contrast="auto"> MDM inventories all corporate mobile devices and presents their key attributes, for example OS type, OS version, owner name, encryption status, IMEI, last connection date, etc., while ensuring compliance with the General Data Protection Regulation (GDPR).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Monitor :</span></b><span data-contrast="auto"> alerts can be configured in MDM solutions to monitor the health of the fleet and identify any deviation from the rules previously defined by the company.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Support :</span></b><span data-contrast="auto"> MDM includes remote-control and device diagnostic features to facilitate interventions by IT teams.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">By providing up-to-date data on the mobile fleet, MDM can help meet various </span><b><span data-contrast="auto">regulatory requirements</span></b><span data-contrast="auto">, particularly regarding knowledge of and ability to manage the fleet, as well as reaction capability in the event of compromission. Several regulations, for example ISO 27002 (section 5.9 Inventory of Information &amp; Other Associated Assets), require companies to identify and manage their devices.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">This centralisation provides an overall view of the fleet, while also enabling classification for better administration. In particular, device tagging or grouping systems make it easy to manage subsets of devices that may have configuration variations or exceptions (depending on business needs, for example network teams, VIP users, etc.).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;" aria-level="2"><span data-contrast="none"><strong>Compliance policies :</strong> assessing the compliance of mobile devices accessing company data and applications</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">More than just fleet management software, MDM solutions can assess the mobile fleet against corporate security policies, known as compliance policies.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Highlighting non-compliant devices can be essential in order to take targeted action: for example, removing their access to the information system through conditional access if the device is jailbroken or does not run the latest OS versions. Since this assessment can be performed at each device connection, fleet compliance can be considered continuously up to date.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">This major MDM feature should be fully leveraged. A non-compliant device represents a risk to the company and its information system (presence of unpatched vulnerabilities, etc.). To avoid harming team productivity, the user can be notified as soon as non-compliance is detected, and access rights to company data can be removed through conditional access if the non-compliance is not resolved, by adjusting the compliance status validity period.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;"><a name="_Toc232070766"></a>Configuration profiles : configuring devices deployed by the company</h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">When corporate mobile devices are provided to employees, a configuration should be applied to protect these devices and align them with a predefined baseline: this is made possible through configuration profiles.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">To secure mobile devices, it is possible to </span><i><span data-contrast="auto">customise</span></i><span data-contrast="auto"> the baseline in order to </span><i><span data-contrast="auto">professionalise</span></i><span data-contrast="auto"> the device, across various platforms (iOS, Android). Common baseline hardening measures include:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><span data-contrast="auto">Hardening of security configurations and feature restrictions;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Deployment of company configuration;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Restriction of third-party application installation outside the application store.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">Devices can then check for the latest configuration profile updates and apply them (frequency to be defined &#8211; recommendation: once a day). This setting helps ensure the device remains as close as possible to security best practices at all times.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">We recommend the following </span><b><span data-contrast="auto">measures</span></b><span data-contrast="auto"> when using an MDM solution:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><b><span data-contrast="auto">Push the security configuration during device enrolment</span></b><span data-contrast="auto">, including at least:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Hard drive encryption</span></b><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Hardened authentication policy</span></b><span data-contrast="auto"> (six-digit passcode or biometrics, with simple passcodes blocked)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Deploy </span><b><span data-contrast="auto">OS and application patches</span></b><span data-contrast="auto"> directly</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Detect and block non-compliant devices</span></b><span data-contrast="auto"> (at minimum, jailbroken devices)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><b><span data-contrast="auto">Deploy an action plan</span></b><span data-contrast="auto"> for non-compliant devices (alerts, blocking, etc.)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;" aria-level="1"><span data-contrast="none">In summary, MDM is a fundamental building block and a prerequisite for securing access to the information system</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h1>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">MDM solutions offer numerous interfaces, particularly with other security tools.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In particular, to fully benefit from MDM, it is common and recommended to interface it with the company’s </span><i><span data-contrast="auto">Identity Provider</span></i><span data-contrast="auto"> (</span><i><span data-contrast="auto">IDP</span></i><span data-contrast="auto">). Integrating MDM with the identity and access management solution for the information system enables conditional access based on device compliance or attributes (for example, removing remote access to company data for mobile devices that do not comply with the compliance policies defined in the MDM). This contributes to Zero Trust strategies by strengthening the company’s posture through greater control over access to its information system.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">It is also possible to connect the MDM tool with </span><i><span data-contrast="auto">Mobile Threat Defense</span></i><span data-contrast="auto"> (</span><i><span data-contrast="auto">MTD</span></i><span data-contrast="auto">) solution. This interface with a complementary mobile device protection tool enables information to send back device compliance and health information to the MDM, or whether it presents compromise risks (malware, connection to an unsecured network, etc.). This analysis of the device and its risks can then condition access to the corporate information system.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Finally, although accumulating MDM solutions is not recommended, it is sometimes necessary to interface the MDM solution with other MDM solutions in order to centralise information and manage the entire fleet centrally. For example, it is common to interface Microsoft Intune with Apple Business Manager MDM, which may contain the full database of iOS devices.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;" aria-level="1"><span data-contrast="none">Conclusion : key elements to effectively secure a mobile device fleet</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:278}"> </span></h1>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">In a context of increasing mobility in companies, MDM clearly stands out as a </span><i><span data-contrast="auto">must-have</span></i><span data-contrast="auto"> in the race to secure access to corporate information systems.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">More than a simple centralised inventory of mobile devices, this solution also simplifies the end-user experience by providing a hardened and secure turnkey device that complies with corporate policies.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">To implement an MDM solution effectively, organisations should :</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<ul style="text-align: justify;">
<li><b><span data-contrast="auto">Cover all mobile devices</span></b><span data-contrast="auto"> in the fleet (all types, brands, platforms and business functions): the robustness of an information system is assessed by its weakest links</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Formalise a </span><b><span data-contrast="auto">mobile device management policy</span></b><span data-contrast="auto"> adapted to the company’s needs, without major constraints for end users, in order to avoid user misbehaviours and reduce business impact</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Translate this policy into </span><b><span data-contrast="auto">configuration profiles</span></b><span data-contrast="auto"> and </span><b><span data-contrast="auto">compliance policies, and keep them up to date</span></b><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Raise </span><b><span data-contrast="auto">user awareness</span></b><span data-contrast="auto"> of the chosen corporate policy by sharing a corporate mobile device usage charter with users, explaining the benefits of centralised management and respect for user privacy, which requires a clear corporate strategy</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">Consider </span><b><span data-contrast="auto">mobile security as a whole</span></b><span data-contrast="auto">, and in particular </span><b><span data-contrast="auto">address BYOD in parallel</span></b><span data-contrast="auto"> to avoid workarounds through this channel, by combining MDM deployment with MAM deployment, in order to cover, for example:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">The risk of data leakage (local storage on an unmanaged device, synchronisation with personal cloud services such as Google Drive, unintentional sharing via unsecured applications)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">The risk of data interception over unsecured connections (cafés, hotels, transport)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li><span data-contrast="auto">The risk of malware propagation across the information system</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
<li style="text-align: justify;"><span data-contrast="auto">In summary, while MDM is now an essential foundation for securing corporate mobile devices, its effectiveness depends above all on a clear corporate strategy and a sufficient level of device hardening.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span data-contrast="auto">The most mature organisations can then complement this foundation with MAM and MTD solutions, following a progressive approach adapted to their challenges (in particular, deploying MAM to enable BYOD use cases). It should be noted that MTD solutions are currently not widely deployed, with priority given to implementing the MDM and MAM combination which, when properly configured, can cover a large majority of mobile use cases, from managed corporate phones to personal phones.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}"> </span></p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2026/07/securing-mobile-devices-introduction-to-mdm-mobile-device-management/">Securing mobile devices : Introduction to MDM (Mobile Device Management) </a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2026/07/securing-mobile-devices-introduction-to-mdm-mobile-device-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MS365 101: Manage Azure AD B2B Guest Identities</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/08/ms365-101-manage-azure-ad-b2b-guest-identities/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/08/ms365-101-manage-azure-ad-b2b-guest-identities/#respond</comments>
		
		<dc:creator><![CDATA[Valentin Picard]]></dc:creator>
		<pubDate>Wed, 03 Aug 2022 13:21:16 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Azure]]></category>
		<category><![CDATA[Azure AD]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[O365]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=18362</guid>

					<description><![CDATA[<p>The use of &#8220;guest&#8221; identities to facilitate collaboration externally   The need for collaboration externally entails risks for companies Companies have always needed to collaborate with each other by sharing resources and exchanging data. To do this, their collaborators must...</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2022/08/ms365-101-manage-azure-ad-b2b-guest-identities/">MS365 101: Manage Azure AD B2B Guest Identities</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: justify;">The use of &#8220;guest&#8221; identities to facilitate collaboration externally</h1>
<h2> </h2>
<h2 style="text-align: justify;">The need for collaboration externally entails risks for companies</h2>
<p style="text-align: justify;">Companies have always <strong>needed to collaborate</strong> with each other by sharing resources and exchanging data. To do this, their collaborators must be able to <strong>interact securely </strong>with users outside their environment.</p>
<p style="text-align: justify;">Several<strong> use cases</strong> can be applied, including <strong>time-bound collaboration with partners</strong>, external service providers, suppliers or B2B customers.</p>
<p style="text-align: justify;">Additionally, it is common to observe<strong> continuous collaboration between subsidiaries</strong> of the same group that have access to the resources and data of the company whilst not necessarily requiring to share the same Information Systems.</p>
<p style="text-align: justify;">Historically, collaboration could be achieved in several ways. However, collaboration also comes with certain disadvantages:</p>
<ul style="text-align: justify;">
<li>By <strong>successive exchange of emails</strong> &#8211; which can be inefficient and can result in a loss of control of the data exchanged;</li>
<li>By <strong>using solutions dedicated</strong> to share documents with third parties &#8211; which can be costly and unsuitable from a user experience point of view;</li>
<li>By <strong>creating a new identity in legacy systems</strong> (Active Directory, etc.), and by providing third-party entities with a means to access the company&#8217;s IS (VPN, virtual machines, physical machines, etc.) &#8211; which can significantly increase the company&#8217;s attack surface.</li>
</ul>
<h2> </h2>
<h2 style="text-align: justify;">Microsoft introduced Azure AD B2B to address the need for collaboration</h2>
<p style="text-align: justify;">Today, using Azure AD B2B allows two or more entities to <strong>collaborate within the host company&#8217;s Azure tenant</strong>.  Shared resources can be apps, documents, SharePoint sites, OneDrive, or Teams teams.</p>
<p style="text-align: justify;">In effect, the Azure B2B solution allows an external user to <strong>access the host company tenant through their regular account by</strong> creating a &#8220;guest&#8221; identity within the company&#8217;s Azure Active Directory (AAD).</p>
<p style="text-align: justify;">The &#8220;client&#8221; tenant then fully or partially trusts the &#8220;external&#8221; tenant for authentication via a token exchange mechanism.</p>
<p style="text-align: justify;">There are three native possibilities for creating a &#8220;guest&#8221; identity:</p>
<ul style="text-align: justify;">
<li>Directly from the <strong>Azure portal</strong>;</li>
<li>Via <strong>document sharing</strong> on OneDrive/SharePoint/Teams;</li>
<li>Through the use of the<strong> GRAPH API.</strong></li>
</ul>
<p> </p>
<p><em><img decoding="async" class="wp-image-18366 size-full aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1.png" alt="" width="4150" height="2385" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1.png 4150w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-332x191.png 332w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-68x39.png 68w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-768x441.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-1536x883.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image1-2048x1177.png 2048w" sizes="(max-width: 4150px) 100vw, 4150px" /></em></p>
<p style="text-align: center;"><em>Figure 1 &#8211; Native Operation: Authentication and Identity Creation</em></p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">At the level of the host tenant, the owner can choose to authorize the sharing of data to external users while also being able to administer guest accounts (creation, deactivation, deletion etc.).</p>
<p style="text-align: justify;">A direct benefit of this solution is the <strong>ease of use</strong> for users who are familiar with Microsoft environments.</p>
<p style="text-align: justify;">The second advantage is the<strong> cost of the solution</strong>. A &#8220;guest&#8221; identity has a licensing cost whereby up to a ceiling of 50,000 &#8220;guest&#8221; identities, their license is free. Beyond this and depending on the company&#8217;s subscriptions, a license may cost between €0.003 and €0.015 / month / user, which is then added on to a fixed fee of €0.029 for each multi-factor authentication attempt. This pricing policy is out of step with the usual price of an M365 license, which is between €10 and €50 / month / user depending on the license plan.</p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">However, Azure AD B2B has a default configuration that is too open, which creates risks for the company</h2>
<p style="text-align: justify;">Azure AD B2B introduces several factors that can lead to <strong>risk</strong>:</p>
<ul style="text-align: justify;">
<li>The <strong>creation of</strong> guest identities is very simple and uncontrolled (no identity manager, no traceability, no restrictions etc.);</li>
<li>The <strong>number of</strong> guest identities may increase in an uncontrolled manner, which makes managing their lifecycles difficult.</li>
<li>The company does <strong>not control the security</strong> of the initial holder of the &#8220;guest&#8221; identity;</li>
<li>No <strong>conditional access rules</strong> are set up by default (no strong authentication, no restriction of access to the Azure A D portal, etc.);</li>
<li>The &#8220;guest&#8221; identity <strong>has access to the Azure AD attributes</strong> of other users.</li>
</ul>
<p style="text-align: justify;">These factors create risks for the company&#8217;s data since the &#8220;guest&#8221; identity may have rights to a significant number of documents and information about its host owner.</p>
<p style="text-align: justify;">We can consider two triggering events for the different threat scenarios:</p>
<ul style="text-align: justify;">
<li>A <strong>malicious</strong> &#8220;guest&#8221; identity;</li>
<li>A &#8220;guest&#8221; identity <strong>compromised</strong> by an attacker.</li>
</ul>
<p style="text-align: justify;">An attacker would then have the opportunity to:</p>
<ul style="text-align: justify;">
<li><strong>Retrieve confidential data </strong>that the identity has access to;</li>
<li><strong>Destroy all data</strong> accessible by this identity;</li>
<li><strong>Compromise AD</strong> by assigning roles to this identity;</li>
<li><strong>Perform social engineering</strong> through their access to all user data.</li>
</ul>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;">Depending on the level of maturity of the company and the willingness to hedge risk, it is necessary to implement a number of measures</h1>
<h2> </h2>
<h2 style="text-align: justify;">To get started: harden the default configuration</h2>
<h4> </h4>
<h4 style="text-align: justify;">Master the means to add &#8220;guest&#8221; identities on the tenant</h4>
<p style="text-align: justify;">The first step is to <strong>cut off access to the Azure portal</strong> to non-administrator employees of the company so that it is no longer a vector for creating &#8220;invited&#8221; identities.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18370 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1.png" alt="" width="1595" height="761" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1.png 1595w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1-400x191.png 400w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1-71x34.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1-768x366.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen1-1536x733.png 1536w" sizes="auto, (max-width: 1595px) 100vw, 1595px" /></p>
<p style="text-align: center;"><em>Figure 2 &#8211; Restricting access to the Azure AD console</em></p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">It should be noted that it is also possible <strong>to restrict the population who can invite external users to collaborate</strong>. However, this will not be applicable to all companies &#8211; especially those wishing to decentralize the management of this population. The idea of restricting this population forces the creation of a service dedicated to the creation of these identities. This goes against the very principle of this service, which is to leave it in the hands of the user.</p>
<p style="text-align: justify;">Finally, there is a feature to<strong> apply constraints to the email addresses of &#8220;guest&#8221; identities</strong>, via white-listing or domain name blacklisting. However, before embarking on this action, it is necessary to consider the complexity of its implementation and the potential low level of associated risk reduction.</p>
<h4> </h4>
<h4 style="text-align: justify;">Restrict what these identities can access</h4>
<p style="text-align: justify;">It is also possible <strong>to restrict what can be accessed</strong> by the invited identities, so that they are unable to retrieve a large volume of information on the host tenant.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18374 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3.png" alt="" width="1603" height="647" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3.png 1603w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3-437x176.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3-71x29.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3-768x310.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen3-1536x620.png 1536w" sizes="auto, (max-width: 1603px) 100vw, 1603px" /></p>
<p style="text-align: center;"><em>Figure 3 &#8211; Restrict access for &#8220;guest&#8221; identities</em></p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Strengthen authentication and access control of &#8220;guest&#8221; identities</h2>
<p style="text-align: justify;">The <strong>multi-factor authentication (MFA)</strong> mechanism for a &#8220;guest&#8221; identity is almost native and reduces the risk of spoofing by an attacker. It is also possible to set up a <strong>conditional access policy</strong> that specifically targets these &#8220;guest&#8221; identities.</p>
<p> </p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18372 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen2.png" alt="" width="1063" height="446" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen2.png 1063w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen2-437x183.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen2-71x30.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Screen2-768x322.png 768w" sizes="auto, (max-width: 1063px) 100vw, 1063px" /></p>
<p style="text-align: center;"><em>Figure 4 &#8211; Multi-Factor Authentication</em></p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">However, challenges can still complicate this operation and need to be considered:</p>
<ul style="text-align: justify;">
<li>Managing <strong>change management</strong> on these &#8220;guest&#8221; populations remains complex to perform, even if user onboarding operations are simple and carefully guided.</li>
<li>Managing <strong>second-factor reset processes</strong> in the event of loss or theft can be costly and complex if left unchecked.</li>
</ul>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Educate users about risks and best collaboration practices</h2>
<p style="text-align: justify;">The major complexity of the Azure AD B2B solution is <strong>the lack of a mechanism for managing &#8220;guest&#8221; identities</strong>. Users are therefore the <strong>main actors</strong> of the management strategy and must be informed at the right level by emphasizing:</p>
<ul style="text-align: justify;">
<li>Collaboration <strong>best practices</strong>: when should they use the solution, how to create a guest, and more;</li>
<li><strong>Proper management of their access</strong>: they must be removed as soon as possible in order to avoid subsequent illegitimate access;</li>
<li><strong>Disabling identities when they are no longer in use</strong>, especially for service providers/partners, ensuring that the documents produced are not lost.</li>
</ul>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Protect the data that guests can access</h2>
<p style="text-align: justify;">We must also not forget to protect the data to which a legitimate guest can have access to, which gives rise to several measures:</p>
<ul style="text-align: justify;">
<li>It is possible to set up constraints for &#8220;guest&#8221; identities via <strong>conditional access rules </strong>that include: mandatory use of thin clients (web clients), the prohibition of data downloading, constraints on the terminals to be used, etc.</li>
<li>If the company has deployed the Azure Identity Protection (AIP) classification tool, an alternate solution is to <strong>create a privacy label</strong> that encrypts the data for &#8220;guest&#8221; identities. This label can also be used to restrict certain actions for this population: modification restriction (via associated permissions), download restriction (via a DLP rule), etc.</li>
</ul>
<p style="text-align: justify;">Moving a step further, a <strong>Cloud Access Security Broker</strong> (such as Microsoft&#8217;s MS Defender for Cloud Apps) can enable the implementation of advanced and targeted rules, such as preventing uploads to specific Sharepoint spaces as an example.</p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Managing the Lifecycle of Guest Identities: 3 Scenarios to Consider</h2>
<p style="text-align: justify;">As mentioned earlier, the key topic is <strong>managing the lifecycle of &#8220;guest&#8221; identities</strong> i.e., the creation, deletion, and review of access. As such, there are 3 scenarios to be considered. These scenarios depend on the desired <strong>risk coverage</strong>, <strong>the level of maturity </strong>of identity and access management, and the <strong>cost of implementing</strong> the scenario.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18368 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2.png" alt="" width="4457" height="2512" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2.png 4457w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-339x191.png 339w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-768x433.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-1536x866.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-2048x1154.png 2048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/08/Image2-800x450.png 800w" sizes="auto, (max-width: 4457px) 100vw, 4457px" /></p>
<p style="text-align: center;"><em>Figure 5 &#8211; Guest Identity Lifecycle Management Scenarios</em></p>
<p style="text-align: justify;"> </p>
<h3 style="text-align: justify;">Scenario 1 &#8211; Stay pragmatic on a budget: use native tools and configurations</h3>
<p style="text-align: justify;">In this scenario, the company <strong>creates a certain group typology for “External” groups</strong>, and therefore to the creation of guests. The distinction can be made by the use of language by the group. For example: all external groups must start with &#8220;X_&#8221;.</p>
<p style="text-align: justify;">It can thus carry out checks more easily on this limited perimeter of groups.</p>
<p style="text-align: justify;">The main prerequisite is <strong>to block the addition of &#8220;guest&#8221; identities to “Internal” groups. </strong>This is possible in two ways:</p>
<ul style="text-align: justify;">
<li>If the company has deployed the AIP classification tool on SharePoint and Teams spaces: a <strong>dedicated label</strong> can be used to prevent external sharing on these spaces. For example, the creation of an &#8220;Indull&#8221; label that blocks sharing with &#8220;guest&#8221; identities;  &#8211; <a href="https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide">LINK</a></li>
<li><strong>Via a PowerShell script: </strong>block sharing with &#8220;guest&#8221; identities for &#8220;Internal&#8221; groups by identifying them via classifications. &#8211; <a href="https://docs.microsoft.com/en-us/microsoft-365/solutions/per-group-guest-access?view=o365-worldwide">LINK</a></li>
</ul>
<h4 style="text-align: justify;">Creating a &#8220;guest&#8221; identity</h4>
<p style="text-align: justify;">The only way to create a &#8220;guest&#8221; identity is to add<strong> them as external users to &#8220;External&#8221; group types.</strong></p>
<p style="text-align: justify;">If the company needs to give its tenant access to a subsidiary or an entire entity, it is possible to regularly synchronize their AD or Azure AD, and thus create their identities as a &#8220;guest&#8221; in the tenant of the company.</p>
<h4 style="text-align: justify;">Deleting a &#8220;guest&#8221; identity</h4>
<p style="text-align: justify;">The process of deleting identities is simple through the <strong>deletion of inactive &#8220;guest&#8221; identities. </strong>For example, using a PowerShell script based on the frequency of &#8220;Sign-In Activity&#8221;. Alternatively, it is also possible to remove &#8220;guest&#8221; identities that do not have access to any group via a PowerShell script.</p>
<h4 style="text-align: justify;">Review of &#8220;guest&#8221; access</h4>
<p style="text-align: justify;">It is possible <strong>to expire access for &#8220;guest&#8221; identities</strong> on SharePoint groups or OneDrives after 60 days. Note that the owner of the SharePoint or OneDrive group will be notified of the expiration 21 days beforehand.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18348 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture7.png" alt="" width="1027" height="372" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture7.png 1027w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture7-437x158.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture7-71x26.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture7-768x278.png 768w" sizes="auto, (max-width: 1027px) 100vw, 1027px" /></p>
<p style="text-align: center;"><em>Figure 6 &#8211; Guest Access Expiration</em></p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">Finally, it is possible to use the &#8220;Guest Access Review&#8221; feature for external groups. It should be noted, however, that this feature requires advanced licenses (AAD P2) assigned to the users who carry out the reviews i.e. all the owners of the groups (normally a small number).</p>
<p style="text-align: justify;"><strong>This scenario is an efficient way that reduces guest risk, maintains a near-native solution, and doesn’t require too much investment.</strong></p>
<p style="text-align: justify;"><strong> </strong></p>
<h3 style="text-align: justify;">Scenario 2 &#8211; To go further in the level of security: develop a guest management application</h3>
<p style="text-align: justify;">In this second scenario, the company wants to <strong>have complete control over the lifecycle management of &#8220;guest&#8221; identities</strong>. To do this, the company <strong>creates an application</strong> (for example by using Power App) to manage this lifecycle, making it the single point of creation and deletion.</p>
<p style="text-align: justify;">Once this lifecycle is in place, it is necessary to set the SharePoint sharing setting to &#8220;Existing guest only&#8221; mode, allowing only content to be shared with &#8220;guest&#8221; identities that already exist in the Azure AD tenant. This prevents the creation of new identities through this vector.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-18350 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture8.png" alt="" width="1048" height="585" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture8.png 1048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture8-342x191.png 342w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture8-71x39.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/07/Picture8-768x429.png 768w" sizes="auto, (max-width: 1048px) 100vw, 1048px" /></p>
<p style="text-align: center;"><em>Figure 7 &#8211; Restricting Sharing Opportunities</em></p>
<h4 style="text-align: justify;">Creating a &#8220;guest&#8221; identity</h4>
<p style="text-align: justify;">In this scenario, users <strong>use the dedicated application to create the &#8220;guest&#8221; identities</strong> by entering an end date. The user then designates the owner of the identity created.</p>
<h4 style="text-align: justify;">Deleting an &#8220;invite&#8221; identity</h4>
<p style="text-align: justify;">To delete identities, it is possible <strong>to trigger an automatic workflow</strong> before the end date by asking the owner of the identity in question whether to delete it or extend its end date. It should be noted that if the owner has left the company without making the change of ownership, consideration can be given to reassigning the guest to his or her supervisor.</p>
<h4 style="text-align: justify;">Review of &#8220;guest&#8221; access</h4>
<p style="text-align: justify;">With this type of &#8220;in-house&#8221; application, it is complicated to go much further in the management of the lifecycle &#8211; especially when it comes to access review.</p>
<p style="text-align: justify;">It is still possible, as in Scenario 1, to expire guest access or to use the &#8220;Guest Access review&#8221; feature (with the same constraints as stated above).</p>
<p style="text-align: justify;">To go further, we can also consider the use of third-party tools such as IDECSI or Sharegate that make it possible to manage these access journals automatically and intuitively.</p>
<p style="text-align: justify;"><strong>This scenario changes the native behavior and enables better control of the lifecycle, but at a significant blow with regard to the deployment and the management of the change to be implemented.</strong></p>
<h3 style="text-align: justify;">Scenario 2&#8242; &#8211; Integrating &#8220;guest&#8221; identities into traditional IAM processes</h3>
<p style="text-align: justify;">The last scenario to consider is a variant of the previous scenario, where the company still wants to have control over the lifecycle management of &#8220;guest&#8221; identities. In this case, the company can<strong> integrate &#8220;guest&#8221; identity management into its identity and access management (IAM) tools</strong> in the same way as &#8220;external&#8221; identities.</p>
<p style="text-align: justify;">The IAM tool then becomes the <strong>authoritarian source</strong> for this type of population and its management is done directly there.</p>
<p style="text-align: justify;">In this scenario, as in the previous one, you must also set the SharePoint sharing setting to &#8220;Existing guest only&#8221; mode.</p>
<h4 style="text-align: justify;">Creating a &#8220;guest&#8221; identity</h4>
<p style="text-align: justify;">Identities are created on external <strong>creation forms</strong> from IAM tools by choosing the &#8220;guest&#8221; type for the identity. The &#8220;guest&#8221; identity can then be provisioned automatically in the Azure AD by IAM tools.</p>
<h4 style="text-align: justify;">Deleting a &#8220;guest&#8221; identity</h4>
<p style="text-align: justify;">The removal of the identity is also <strong>done by the IAM tool</strong> according to the positioned end date and the workflows already defined.</p>
<h4 style="text-align: justify;">Reviews of &#8220;guest&#8221; access</h4>
<p style="text-align: justify;">In the event that the company&#8217;s IAM tools are used to manage rights on Sharepoint spaces, it is possible to use the <strong>access review capabilities of these tools</strong> to review access to sensitive resources for which &#8220;guest&#8221; identities have access.</p>
<p style="text-align: justify;">Alternatively, a second option is to use access governance features via IAM solutions, such as Sailpoint OneIdentity, or via dedicated Identity and Access Governance solutions, such as Brainwave or Varonis. We can imagine retrieving the rights assigned directly in the Azure AD and having them verified to the owners of the resources through these tools.</p>
<p style="text-align: justify;"><strong>This scenario is a variant of Scenario 2, which allows the most mature companies in identity and access management to capitalize on existing tools and processes.</strong></p>
<h2> </h2>
<h2 style="text-align: justify;">Finally, do not neglect the surveillance of this exposed population</h2>
<p style="text-align: justify;">It is useful to build a form of <strong>adapted reporting using KPIs and dashboards</strong>. A pool of information is available natively in the Azure AD (date of last connection, activity on the tenant as well as on Office 365 via the &#8220;unified audit logs&#8221;). This information can be interacted with via visualization tools, like Power Bi, for the generation of dashboards.</p>
<p style="text-align: justify;">Secondly, it is important to <strong>monitor the activities of these particularly exposed populations</strong>. Two levels of detection can be set up depending on monitoring capabilities:</p>
<ul style="text-align: justify;">
<li>Implement <strong>native DLP rules</strong> or <strong>classic alert scenarios</strong> in the Microsoft console: some alert scenarios are preconfigured, such as mass deletion of documents, elevation of privilege etc.</li>
<li>Implement<strong> advanced DLP rules</strong> and detection scenarios or specific thresholds for guests<strong> with the support of the company&#8217;s SOC</strong>. For example, the data download threshold allowed for a guest may be lower than the threshold allowed for an intern.</li>
</ul>
<p style="text-align: justify;">We can imagine the use of the <strong>Azure AD Identity Protection</strong> module to trigger alerts for guests with a high level of risk.</p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;">In conclusion, AAD B2B greatly facilitates collaboration, but its configuration needs to be hardened to reduce the level of risk induced by the solution</h1>
<p style="text-align: justify;">AAD B2B greatly <strong>simplifies</strong> collaboration with users outside the company, but entails risks<strong> related to the default operation</strong> of the solution. To control these risks, it is necessary to <strong>reduce </strong>the level of open access, and <strong>to control the lifecycle of these identities</strong> at a deeper level, depending on the potential level of investment that is planned. Finally, it is necessary to focus on <strong>monitoring</strong> via native tools or tools used by the company given the high exposure of these populations.</p>
<p style="text-align: justify;"> </p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2022/08/ms365-101-manage-azure-ad-b2b-guest-identities/">MS365 101: Manage Azure AD B2B Guest Identities</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/08/ms365-101-manage-azure-ad-b2b-guest-identities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
