Configure and document Azure Endpoint Manager & Azure VPN

Configure and document Azure Endpoint Manager & Azure VPN

Resume

Setup Azure VPN

Setup Azure Endpoint Manager (Intune) configuration profiles

Setup Bit locker security (create policies for bitlocker and windows defender)

Advise on design and implementation

Documentation

Current setup

Currently we have assigned Intune Device licenses to all shop users within the company. Only the device located in our shops are currently registered in MS Endpoint Manager. Some basic policies are created which should be reviewed.

For the backoffice we don’t have an setup yet. We need advice in setup and Intune licensing.

Azure VPN

A VPN resource should be set up and all devices should be connected to this VPN. All traffic should be routed through this VPN.

Split VPN scenario: In the backoffice and shop networks which are by default connected with a Site-to-Site VPN the VPN client on the endpoint should not be started. This should only be the case when the endpoint is connected to a foreign network.

Only whitelisted websites can be accessed.

Backoffice devices

We have 1 backoffice with 20 devices (PC’s) owned by the company and 25 backoffice users which should have the following requirements:

- Users are not an administrator on the device

- System Administrators role/group is admin on the device

- It is only possible to login with a @[login to view URL] AAD account

- O365 apps (Word, Outlook, Excel) are installed

- Desktopshortcuts to web-apps (Edge)

- Kaspersky Antivirus is installed/Microsoft Defender is configured

- Xelion 7 from the Microsoft App Store is installed

- Splunk universal forwarder is installed

- A company image is set on the user’s desktop background (Company Branding)

- The device name is visible on the desktop

- Users can not install any apps themselves

- All traffic is routed through a VPN (Azure) when connected to a foreign network

- It is not possible to save data locally, only onedrive is allowed.

- It is only possible to use company USB flash drives, it is not possible to transfer data from or to devices not registered in MS Endpoint Manager

- RDP access only available through VPN

- Pre-configurerd WiFi access

- Lock screen within 10 minutes

- Not allowed to configure Windows PIN code

- Customize Windows Start menu with predefined apps

- Windows automatic updates after work hours (after 20:00 a clock)

Shop devices

We have 35 shops with 70 shop devices (laptops) owned by the company and 300 shop users which should have the following requirements:

- Users are not an administrator on the device

- System Administrators role/group is admin on the device

- It is only possible to login with a @[login to view URL] AAD account

- Desktopshortcuts to web-apps (Edge)

- Microsoft defender is configured

- Splunk universal forwarder is installed

- A company image is set on the user’s desktop background (Company Branding)

- The device name is visible on the desktop

- Only Microsoft Edge can be used

- MFA is enabled (kiosk mode does not support this)

- All traffic is routed through a VPN (Azure) when connected to a foreign network.

- It is not possible to save data locally, only onedrive is allowed.

- RDP access only available through VPN

- Pre-configurerd WiFi access

- Lock screen within 10 minutes

- Not allowed to configure Windows PIN code

- Customize Windows Start menu with predefined apps

- USB drive is blocked for USB flash devices

- USB should be still available for barcode scanners

- Windows automatic updates after work hours (after 20:00 a clock)

About provisioning devices

What is the best way to register shared endpoints in Microsoft Endpoint Manager? We are currently creating a new user for every 5 devices.

We require someone who can advise us with the requirements above and help us with the implementation and documentation.

Microsoft Azure Office 365 Powershell VPN

Identifikační číslo projektu: #32177325

O projektu