Device management by Microsoft Endpoint manager (Intune)

Microsoft Intune is a cloud-based service supporting management of desktop and mobile devices. In HKUST, our implementation will first focus on window10 devices. Desktop or notebooks will be managed with emphasize on security enhancement.

Details

Under Intune, devices are configured to join the Microsoft Cloud base Azure AD.  Benefits include

  • Support Window logon using ITSC accounts (even when off-campus), with the benefits of single sign-on to most Microsoft services
  • Window Security configurations (e.g. Firewall setting, Anti-virus) and Window Update are configured centrally, reducing the risk of being tampered
  • Software version of Window10 OS and O365 are managed centrally, avoiding the risk of having security vulnerability after reaching End-of-Life 

In addition, devices will be protected by the powerful Microsoft Endpoint Advanced Threat Protection (ATP).

ATP leverages modern cybersecurity technologies (e.g. AI based behaviour detection, cloud-based sandbox verification) which are not available in traditional signature based Anti-virus tools like F-secure.  Our pilot rollout in some departments has proven that ATP prevents a lot of attacks which cannot be detected by F-secure.

All university owned Window10 devices used for administrative purpose are expected to be managed under Intune and protected by ATP in order to meet the Minimum Security standard defined in our Cybersecurity policy.

Intune service is provided to users on departmental basis.

Please contact the Cybersecurity Coordinator of your department for enrollment.

Available To
Staff (enrolled on departmental basis via CSC)
Service Fee

Free

Service Hours

7x24

Enrollment

Enroll on departmental basis. Please contact your department Cyber Security Coordinator (CSC).

Participating departments must assign either their CSC (or other colleague) to take up the role of desktop support coordinator. He/She will work with ITSC Intune administrative team for the followings:

  • Produce inventory for their department PC and work with ITSC for the enrollment
  • assist their department users to remediate insecure configuration if discovered (e.g. window update has paused)
  • work with ITSC for major upgrade (e.g. Window10 version reaching EOL)
  • handle security alerts (e.g. machine infected by malware)

 

Roles of users and ITSC

  • Users, department CSC and ITSC work jointly to protect the devices

  • Users, usually granted with local administrator privilege of the device, will manage installation of applications

  • They should also follow security practise provided on and off by ITSC (via their CSC)  e.g. responding to security update prompt,  upgrade OS and software to the latest versions,  do not install unsafe software

  • ITSC will define and mandate most security configurations on their devices,  by referencing Enterprise level security best practice suggested by Microsoft

  • By leveraging Intune and ATP, ITSC will detect security incident promptly and inform affected users for quick remediations

Mininum Requirements

  • The device to be enrolled must be running win10 version 1703 or later and are domain joined.
  • If you device is not AD domain joined, or you have a new device,  please refer to the procedure for joining Cloud Azure AD only below

 

Privacy

When you enroll a device, you give your organization permission to view certain pieces of information on your device, such as device model and hardware configuration. Your organization uses this information to help protect the corporate data on the device.  Please refer to the HKUST data privacy policy statement.

Also, 

  • ITSC would not examine the data stored in the PC
  • The system configurations of the PC and the software installed are recorded for the purpose of providing the Intune services
  • If security incident happens (e.g. malware infection, unsafe software being installed, users clicking a malicious URL), ITSC will be alerted and may perform investigation by examining the security log files.

 

Learn More

 

Procedure for devices joining cloud Azure AD only  (not hybrid join)

  • available soon

 

    More Tips on securing Windows 10

     

    Reveiwing security status of your software

    Tips on Enabling Automatic Updates for popular Applications