Microsoft Intune is a cloud-based service supporting management of desktop and mobile devices. In HKUST, our implementation will first focus on Windows devices that are owned by the university. These desktops and notebooks will be managed with enforcement policies regarding device compliance and security baseline.
With Microsoft Intune services, devices are configured to join the Microsoft Cloud-based Azure AD and registered under Microsoft Defender for Endpoint. Benefits include
- Support Windows logon using ITSC accounts (even when off-campus), with the benefits of single sign-on to most Microsoft services as well as on premise domain resources
- Enablement of passwordless authentication via device pin or biometric authentication (if equipped)
- Windows Security enforcement via Microsoft Defender Antivirus and Windows Update will be configured centrally to reduce the risk of being tampered
- Software version of Windows system and Office 365 are managed centrally, avoiding the risk of having security vulnerability after reaching end-of-life
- Microsoft Defender for Endpoint leverages modern cybersecurity technologies (e.g., AI based behavior detection, cloud-based sandbox verification) which are not available in traditional signature based Anti-virus tools like F-secure.
- Refresh the device when it needs to transfer ownership.
- Locate and wipe device when it is lost or stolen.
All university owned Windows 10/11 devices used for administrative purpose are expected to be managed under Microsoft Intune and protected by Microsoft Defender for Endpoint in order to meet the Minimum Security Standard as defined in our Cybersecurity policy.
7x24
Enrollment
Enrollment is currently available for new or re-installed university owned PC / Notebook. We also provide a procedure for existing non domain joined device to enroll.
For on premise domain joined devices, ITSC recommends continuing using them until next replacement or re-installation. ITSC will also study the option to join domain joined device to Intune at a later time.
Departments must assign either their Cybersecurity Coordinator (CSC) or other colleague to take up the role of desktop support coordinator. He / She will work with ITSC Intune administrative team for the followings:
- Assist their department users to remediate insecure configuration or vulnerable software if discovered (e.g., Windows update has paused)
- Work with ITSC for major upgrade (e.g., Windows 10/11 version reaching end-of-life)
- Handle security alerts (e.g., machine infected by malware)
Roles of users, departments and ITSC
-
Users, departmental desktop support coordinator and ITSC work jointly to protect the devices
-
Device owner, usually granted with local administrator privilege of the device, will manage installation of applications
-
They should also follow security practice provided by ITSC (via their CSC) e.g., responding to security update prompt, upgrading OS and software to the latest versions, uninstalling unsafe software
-
ITSC will define and mandate most security configurations on their devices, by referencing Enterprise level security best practice suggested by Microsoft
-
By leveraging Intune and Microsoft Defender for Endpoint, ITSC will detect security incident promptly and inform affected users for quick remediation
Minimum Requirements
- The device to be enrolled must be running Windows 10 version 1703 or later.
Privacy
When you enroll a device to Intune, you give ITSC permission to view certain pieces of information on your device, such as device model, hardware configuration and software version. ITSC uses this information to help protecting the corporate data on the device. Please refer to the HKUST Data Privacy Policy Statement.
Generally speaking,
- ITSC will not examine the data stored in the PC
- The system configurations of the PC and the software installed will be recorded for the purpose of providing the endpoint management services
- If security incident happens (e.g., malware infection, unsafe software being installed, users clicking a malicious URL), ITSC will be alerted and may perform investigation by examining the security log files.