Impact of Intune's NFC restriction setting on IC card reading and Nearby Share
Hello, I'm managing Android Enterprise devices via Intune and would like to confirm the behavior of a specific device restriction setting related to NFC.

■ Device: AQUOS wish4 (Android), enrolled as a fully managed device
■ Policy applied: Device configuration profile with "Beam data using NFC (work-profile level)" set to Block
■ Policy configuration path in Intune Admin Center:
Microsoft Intune Admin Center > Devices > Manage devices > Configuration
Platform: Android Enterprise
Profile type: Template > Device restrictions
Configuration settings > General - Beam data using NFC (work-profile level): Block

○ Background and expectation:
My understanding is that this setting is intended to block NFC-based data transfer (i.e., Android Beam) within the work profile. However, I initially assumed it might also block general NFC usage, such as reading contactless transit cards or using mobile wallet services.

○ Test scenario and results:
After applying the policy to a fully managed AQUOS wish4 device, I observed the following:
The NFC toggle remains available and functional under: Settings > Connection settings > More connection settings > NFC
I installed an app that reads contactless transit cards used for public transportation (e.g., Suica or PASMO in Japan) and confirmed that it successfully retrieved the card balance via NFC.

○ Interpretation:
Based on this behavior, I suspect that the policy only affects the deprecated Android Beam feature, which used NFC for peer-to-peer file sharing. It does not block general NFC functionality such as card reading or mobile payments, nor does it impact newer sharing technologies like Nearby Share or Quick Share, which rely on Bluetooth and Wi-Fi Direct.

■ Questions:
Is my understanding correct that "Beam data using NFC (work-profile level)" only restricts Android Beam functionality and does not affect general NFC usage?
Is there a way to restrict Nearby Share / Quick Share on fully managed Android devices via Intune, or would that require a different configuration or approach?

Any insights, documentation references, or shared experiences would be greatly appreciated. Thank you!

Securing your Business: Checklist for Android device offboarding
Modern workplaces are full of digital footprints. From day one, employees leave a digital trail, from corporate email accounts to VPN access and social media updates. To ensure a secure exit, it's vital to have an offboarding process in place. Companies must carefully decouple an employee's digital footprint to mitigate risks like data breaches and unauthorized access. To help you with this, we've created a checklist of things to consider when offboarding an employee. While the exact process will vary from organization to organization, read on for some handy tips.

IT Admins: Checklist for a Secure Exit

Once the employee offboarding process has been initiated, you'll need to consider the level of remote access the employee should retain. It may be a good idea to reduce this in stages, giving the employee enough time to back up personal and corporate data appropriately. Depending on the level of sensitivity, more immediate restrictions may be appropriate.

Identify the user's device(s): Use your MDM solution to locate the employee's device.

Limit access: If your company uses SSO, you can immediately revoke a user's access to all apps by revoking their SSO tokens. Otherwise, you will need to consider the following:
Email: Disable the user's email account. Redirect incoming emails to an appropriate recipient or archive them.
Company Apps: Remove the user's access to company-specific apps, or third-party apps that were previously authorized. Revoke app licenses, if applicable.
Cloud Storage: Revoke the user's access to cloud storage services (e.g., Google Drive, Dropbox). Remove the user from shared folders and documents.
Collaboration Tools: Remove the user from collaboration tools (e.g., Google Workspace, Microsoft Teams). Revoke access to shared documents and projects.
VPN and Remote Access: Disable the user's VPN and remote access privileges. Revoke any VPN certificates or keys.

Data Retention and Archiving: Determine the appropriate retention period for the employee's data and implement the necessary archiving procedures. Ensure compliance with data privacy regulations.

Deactivate User Account: Deactivate the user's account to prevent future access, while allowing other employees to still access any documents associated with the deactivated account.

Configure Factory Reset Protection policies: To ensure a seamless offboarding process for company-owned Android devices, it's crucial to properly configure Factory Reset Protection (FRP). If you've already configured your FRP policies, you can skip to step 4. Otherwise, let's dive into the details.
Factory Reset Protection (FRP) is a security feature designed to protect Android devices from unauthorized access after a factory reset. It requires authentication with the Google account last used on the device. While this is a valuable security measure, it can complicate device management, especially during employee offboarding. To ensure a smooth offboarding process, consider these two approaches:
Enable Enterprise Factory Reset Protection (EFRP): Designed for enterprise use, EFRP lets you specify which Google Accounts can activate a device that has been factory reset and locked by FRP. These approved users can unlock company-owned devices that have been factory reset without needing the previous user's Google account details. This approach balances security and manageability.
Disable FRP: Disabling FRP allows you to factory reset devices without requiring the previous user's Google account credentials. This can simplify the offboarding process, but it also reduces the device's security. Use with caution, particularly for devices at risk of loss or theft.
Important Note: Resetting a device through the Settings app typically doesn't trigger FRP, except in specific scenarios involving company-owned devices with Work Profiles and EFRP enabled. Therefore, it's crucial to disable FRP or enable EFRP before initiating a factory reset to prevent potential lockouts.

Remote wipe: After allowing the user a brief period to back up personal data on company-owned devices, or to transfer ownership of work files, remotely wipe the device. Depending on the device's enrollment method, either:
Factory Reset: For company-owned devices, initiate a factory reset to erase all work apps and data from the device without physical access.
Remove Work Profile: For BYOD devices, use your MDM solution to remove the user's Work Profile from the device. This will eliminate company apps, data, and settings from the device. Note that personal data is unaffected by the removal of the Work Profile, so it does not require backup.

Revoke device access: Deactivate the device in your MDM solution. This will prevent the device from receiving updates, policies, and security patches.

Asset retrieval: Create a comprehensive inventory of all physical assets assigned to the employee (e.g., laptops, phones, keys, badges). Ensure all physical assets are returned or disposed of securely.

Update device inventory: Update your device inventory to reflect the device's status (e.g., retired, reassigned).

Employees: Your Role in a Secure Exit

Data Backup: Use a personal cloud storage service or external storage to back up any personal data that you want to keep before the device is wiped or reset. Following your company's guidelines for data backup, ensure that all company data is backed up to the appropriate location or cloud storage.

App Removal: Clear the data and cache of work-related apps to remove any sensitive information. Uninstall any company-owned or work-related apps that you no longer need. This may include email, calendar, and productivity apps.

Network Access: Disconnect from any company VPN connections. Remove any VPN profiles or certificates. Forget any saved company Wi-Fi networks.

Personal Cloud Storage: Download and save any personal files from company-provided cloud storage. Revoke access to personal accounts linked to company devices.

Assets: Depending on company policy, return all corporate devices and accessories to the IT department or designated location. Ensure that the device is in good condition and free of any damage.

Social Media Accounts: Review and remove any company-related content from personal social media accounts. Update privacy settings to limit public visibility.

Best Practices

From the off, it's good to keep handover in mind. After all, the more structure in place when setting up, the easier handover will be. With this in mind, we've put together some tips and best practices to consider when starting out, or even when implementing further along.

Setting Up Devices and Profiles

Separate Profiles: Create separate profiles for work and personal data to improve security and privacy. Use work profiles to enforce company policies and manage company-owned apps.

Corporate email accounts: The improved Android sign-up process makes it easier for IT admins to sign up for and access Google services using their corporate email addresses. This eliminates the need for personal Gmail accounts, leading to cleaner handovers when an employee leaves. Plus, certain setup tasks can be managed centrally through the Google Admin console, again making it much easier to keep track of, document and hand over tasks.

Centralized Management: Avoid the hassle of being locked out of corporate Google accounts when the admin who set up the account leaves to embrace a new opportunity. A centralized approach avoids having a sole owner of any Google account, making it easier to manage and maintain control of and access to business Google accounts in the event of a handover. IT admins can also easily track, document, and hand over administrative tasks in this way.

Default Settings: Configure default settings for devices and profiles to streamline the onboarding process and ensure consistency. Consider using templates or scripts to automate device setup.

App Management: Use Managed Google Play to create a customized and secure app store for different business needs and user roles, and to have more control over which apps employees can install and use.

Policy Enforcement: Implement policies to enforce security measures such as password complexity, screen lock timeout, and data encryption. Use conditional access policies to restrict access to company resources based on device compliance.

Employee Training

Remember, documented procedures and workflows are vital for mitigating the risks associated with employee turnover. Proactive documentation ensures business continuity and minimizes disruptions during employee transitions. Provide employees with clear guidelines and training on their responsibilities during the offboarding process. Educate employees on data security best practices and the importance of returning company assets.

Regular Reviews

Review and update your offboarding procedures regularly to ensure they remain effective and aligned with evolving security threats. Conduct periodic security audits to identify and address any potential gaps.

A well-executed offboarding process is crucial for safeguarding your organization's sensitive data and maintaining security. By following the checklist provided, you can effectively mitigate risks, minimize disruptions, and ensure a seamless transition for both the departing employee and your organization.

Like and share this post to help others secure their organization's digital footprint! Let us know your thoughts and experiences in the comments below. Do you have any additional tips for a smooth offboarding process?

5 overlooked benefits of Android Enterprise
Android Enterprise is more than just a set of management tools; it's designed to address the complex needs of modern businesses. Here are 5 insights that often go overlooked:

1. Privacy you can trust
Ever worried about mixing work and personal life on your phone? Or, as a business, concerned about invading your employees' privacy? Android Work Profile acts as a secure, separate container on your device. Think of it like having two phones in one, but without the extra bulk! Your work data stays within this container, completely isolated from your personal apps and information. This means:
Employee privacy: Your company only sees and manages work data, not your personal photos or messages. Did you know you can see exactly what data your IT admin can see? Simply go to: Settings > Security & privacy > Your work policy info > Device info your IT admin can see.
Data security: Your company's sensitive information is protected from accidental leaks or unauthorized access.
Peace of mind: You can use your personal device for work without compromising your privacy or security.
It's not just about security; it's about building trust.

2. Instant deployment
Zero-touch enrollment allows for rapid and consistent configuration. It's not just about saving time; it ensures every device is configured correctly from the start, minimizing setup errors, getting your team working faster and giving users a smoother experience. Direct shipping to employees is a strategic win for businesses, bypassing central warehousing and significantly reducing costs.

3. Security that runs deep
Android Enterprise isn't just an add-on; it's built into the core of the Android operating system. This means security policies are enforced at a system level. This deep integration allows for very precise control over device settings and data access. Explore Android's multi-layered approach to security and granular control in our security paper and community podcast series.

4. Secure app distribution
Think of Managed Google Play as your own private app store. You can curate and distribute approved apps to your employees, ensuring they only use safe and compliant software. This eliminates the risk of employees downloading malicious apps from unknown sources. Remote app management and updates simplify administration.

5. Future-proofing
The Android ecosystem is vast and constantly evolving. By choosing Android Enterprise, you're tapping into a platform that's backed by Google's continuous investment. Plus, the open nature of Android naturally enables constant innovation. This means you'll have access to a wide range of compatible devices, EMM solutions, and support; explore our partner ecosystem. As Android evolves, so will Android Enterprise, ensuring your mobile strategy remains relevant and effective.

What's Next?
Join the community discussion to share your insights and experiences. We'd love to hear from you: What are your experiences with Android Enterprise? What features are you most interested in? Share your thoughts in the comments below!

Google Messages App: SMS to shortcode not able to send
Our provider (Vodafone Germany) is using an SMS shortcode number to be able to order an upgrade on data plans by SMS. Once the monthly contract plan (e.g. 1 GB) has been used, users will receive an SMS from 70997 to inform them that they can answer the SMS with "1" or "2" to restore their data connectivity.

We ran into the issue that the Google Messages app seems to have some sort of bug with sending SMS to this kind of shortcode number, as it always says "Not sent" in red error text. Provider tech support told me that the Google Messages app is prefixing the number with "49", resulting in a wrong / unknown number (4970997). They cannot fix that from their side as the issue is within the Google Messages app, and asked me to install a 3rd party messages app.... *ugly*

Is this something I can request to investigate from here? I will also create a case with Samsung tech support as we are mainly using Samsung devices as our corp. device fleet.

Thank you! Kind Regards, Daniel

Enabled FRP and now I'm stuck
We're building an EMM solution, so while testing I enabled FRP and thought of giving it a shot. So, after factory resetting, all I can see is a Google window asking me to verify with the account that was previously on the device. What I cannot understand is that there was no account signed in except the one Google created (the managed account with the briefcase thingy). I'd like to understand how I can recover it now. I do have some of the device details from the enterprise.devices.get endpoint. Any help would be much appreciated! Rino.

Cybersecurity Month
Original Post Date: 29-10-2024

It's Cyber Security Awareness Month, so here are three useful links for you:

https://threatmap.fortiguard.com/ - Fortinet's map offers a dynamic, global view of cyber threats by showing live attacks based on its network. It tracks the types of attacks, their origins, and targets, making it a useful tool for understanding the scale and type of threats occurring in real time.

Forrester research has found businesses could save up to $2.6 million in cybersecurity costs by using Chrome Enterprise Core. You can read the full report in the resources section of the community here: https://chromeos.community/community/396/resources

https://threatmap.checkpoint.com/ - FireEye's map visualizes live cyber threat activity and provides a filter to see specific types of attacks, like malware or botnets, as well as their geographical locations. This map can also help you understand current cybersecurity trends globally.