BYOD Enrollment Blocked

Management Summary

Blocking enrollment of personally-owned devices (BYOD) in Intune, so that access to corporate data can be limited to company-owned, managed devices.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
7/10
Implementation
12h (technical: 4h)
Applies to:
✓ Intune
✓ Device Management

BYOD creates security and compliance risks: (1) Data residency: corporate data ends up on personal devices the organization does not control. (2) Device security: personal devices often lack the baseline a managed device gets (no BitLocker or equivalent disk encryption, an outdated OS, no antivirus). (3) Data leakage: personal apps can reach corporate data and back it up to a personal cloud. (4) Lost devices: personal devices carry a higher theft and loss risk and have no corporate tracking or remote wipe. (5) Compliance: GDPR data-controller obligations and sector regulations expect controlled devices for sensitive data. For organizations handling classified data, healthcare PHI or financial PII, BYOD should be prohibited. Alternatives: corporate-owned devices only (Microsoft Entra join, Autopilot), or BYOD with MAM-only (app protection policies without full device management).

Required PowerShell Modules
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Authentication (the script below uses Invoke-MgGraphRequest; Microsoft.Graph.DeviceManagement is only needed if you prefer the Get-MgDeviceManagement* cmdlets)

Implementation

Intune enrollment restrictions: block personally-owned devices for iOS, Android and Windows, so that only corporate-owned devices can enroll. Configure via: Intune → Devices → Enrollment restrictions → Create restriction → Platform restrictions → Block personally-owned (in newer versions of the Intune admin center this is named Device platform restrictions under Devices → Enrollment). Intune only classifies a device as corporate-owned when it arrives through a corporate enrollment path (Apple Automated Device Enrollment or Apple Configurator, an Android Enterprise corporate-owned enrollment such as zero-touch or a QR/token enrollment, Windows Autopilot, bulk enrollment or Entra join, or a device enrollment manager account) or when its serial number or IMEI is listed under corporate device identifiers; anything else counts as personal and is refused once the restriction is in place. Two caveats: the restriction only gates new enrollments, so personal devices enrolled before it stay managed until retired; and it does not by itself stop an unmanaged personal device from signing in, so pair it with a Conditional Access policy that requires a compliant device for corporate data.

Prerequisites

  1. Intune subscription
  2. Decision: corporate-owned only, or MAM for BYOD
  3. Corporate device procurement program
  4. Device lifecycle management
  5. Alternative BYOD approach: MAM-only (app protection without enrollment)

Implementation Steps

Use the PowerShell script byod-enrollment-blocked.ps1 (function Invoke-Monitoring) to verify that BYOD enrollment is blocked for all platforms.

  1. Intune → Enrollment restrictions → Create restriction
  2. iOS: Block personally-owned
  3. Android: Block personally-owned (both Android Enterprise work profile and legacy device administrator)
  4. Windows: Block personally-owned
  5. Assign: all users
  6. Priority: above the default restriction
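The same six steps can be carried out against the Microsoft Graph beta API instead of the portal. The block below is an added example and is not part of the baseline's byod-enrollment-blocked.ps1; it assumes the Microsoft.Graph.Authentication module, an account allowed to write enrollment configurations, and a display-name prefix that is a naming convention chosen here.

```powershell
# Added example: create per-platform enrollment restrictions via Microsoft Graph (beta)
# that block personally-owned devices, then assign them to all users.
# Not part of byod-enrollment-blocked.ps1. Assumes Microsoft.Graph.Authentication and an
# account that may write enrollment configurations. The name prefix is an assumed convention.
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding()]
param(
    [string]$NamePrefix = 'Baseline - Block personal enrollment'   # assumed naming convention
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'

# 'androidForWork' is Android Enterprise work profile, the actual BYOD flow on Android;
# 'android' is legacy device-administrator enrollment. Both must be covered.
$platforms = @('ios', 'android', 'androidForWork', 'windows')

# Idempotency: do not create a second copy if a restriction with the same name already exists.
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value | ForEach-Object { $_.displayName }

foreach ($platform in $platforms) {
    $name = "$NamePrefix ($platform)"
    if ($existing -contains $name) {
        Write-Host "Already present, skipping: $name" -ForegroundColor Yellow
        continue
    }

    $body = @{
        '@odata.type'       = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration'
        displayName         = $name
        description         = 'Blocks enrollment of personally-owned devices; corporate-owned only.'
        platformType        = $platform
        platformRestriction = @{
            platformBlocked                 = $false   # the platform itself stays allowed
            personalDeviceEnrollmentBlocked = $true    # only corporate-owned devices may enroll
            osMinimumVersion                = ''
            osMaximumVersion                = ''
            blockedManufacturers            = @()
            blockedSkus                     = @()
        }
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5)

    # Assign to all licensed users so no user falls through to a more permissive restriction.
    $assignment = @{
        enrollmentConfigurationAssignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -ContentType 'application/json' `
        -Body ($assignment | ConvertTo-Json -Depth 5)

    Write-Host "Created and assigned: $name (id $($created.id), priority $($created.priority))" -ForegroundColor Green
}
```

A newly created restriction receives the next free priority above the built-in default; if an older, more permissive restriction for the same platform outranks it, reorder with the configuration's setPriority action or remove the older one. Keep in mind that this only stops enrollment: a Conditional Access policy requiring a compliant device is what actually keeps an unmanaged personal device away from corporate data.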

Monitoring

Use the PowerShell script byod-enrollment-blocked.ps1 (function Invoke-Monitoring) to check the configuration.

  1. Enrollment attempts: are personal devices being blocked?
  2. Corporate device enrollment success rate
  3. MAM-only app protection for BYOD, if applicable
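Enrollment restrictions only gate new enrollments, so a personal device that was enrolled before the restriction stays managed and keeps its access, and a personal device that appears after the restriction went live points to a gap (a platform not covered, a higher-priority restriction that still allows personal, or an excluded user group). The block below is an added example, not part of the baseline script, that inventories personally-owned devices still enrolled in Intune and flags those enrolled after a cut-off date. It assumes Microsoft.Graph.Authentication; the -Since date and the CSV path are parameters chosen here.

```powershell
# Added example: list personally-owned devices that are still enrolled in Intune and flag
# any enrolled after the restriction went live. Not part of byod-enrollment-blocked.ps1.
# Assumes Microsoft.Graph.Authentication; -Since and -CsvPath are assumed parameters.
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding()]
param(
    [datetime]$Since = (Get-Date).AddDays(-30),     # assumed: date the restriction went live
    [string]$CsvPath = '.\personal-devices.csv'      # assumed output path
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# Page through all managed devices; managedDeviceOwnerType is 'company', 'personal' or 'unknown'.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=id,deviceName,operatingSystem,osVersion,managedDeviceOwnerType,enrolledDateTime,userPrincipalName&$top=999'
$devices = @()
do {
    # PSObject output so Where-Object/Group-Object/Export-Csv see real properties, not hashtable keys
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$personal = @($devices | Where-Object { $_.managedDeviceOwnerType -eq 'personal' })
Write-Host "Managed devices: $($devices.Count); personally-owned: $($personal.Count)"
$personal | Group-Object operatingSystem | Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("  {0,-10} {1}" -f $_.Name, $_.Count) }

# Personal devices enrolled after the cut-off mean the restriction has a gap.
$recent = @($personal | Where-Object { [datetime]$_.enrolledDateTime -gt $Since })
if ($recent.Count -gt 0) {
    Write-Host "`nWARNING: $($recent.Count) personal device(s) enrolled after $($Since.ToString('yyyy-MM-dd')):" -ForegroundColor Yellow
    $recent | ForEach-Object {
        Write-Host ("  {0}  {1}  {2}  {3}" -f ([datetime]$_.enrolledDateTime).ToString('yyyy-MM-dd'),
            $_.operatingSystem, $_.deviceName, $_.userPrincipalName)
    }
}

# Full list for follow-up: retire the device, or re-enroll it through a corporate-owned path.
$personal | Select-Object deviceName, operatingSystem, osVersion, userPrincipalName, enrolledDateTime |
    Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host "Exported $($personal.Count) personal device(s) to $CsvPath"
```

Run it once before the restriction goes live to size the clean-up, and again afterwards with -Since set to the go-live date; any device in the warning list is an enrollment path the restriction did not cover.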

Compliance and Auditing

  1. BIO 12.02 - Mobile device management
  2. ISO 27001 A.6.2.1 - Mobile device policy
  3. GDPR - Data controller responsibility
  4. Sector-specific (healthcare, finance) - BYOD restrictions

Remediation

Use the PowerShell script byod-enrollment-blocked.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    BYOD Enrollment Blocked
.DESCRIPTION
    Device enrollment restrictions in Intune must block personal device enrollment for all platforms.
.NOTES
    Filename:     byod-enrollment-blocked.ps1
    Author:       Nederlandse Baseline voor Veilige Cloud
    Version:      2.0
    Related JSON: content/m365/device-compliance/byod-enrollment-blocked.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph.Authentication

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "BYOD Enrollment Blocked" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

# Platforms that have a personally-owned enrollment path. 'androidForWork' is the Android
# Enterprise work-profile (BYOD) flow; 'android' is the legacy device-administrator flow.
$script:Platforms = @('ios', 'android', 'androidForWork', 'windows')

function Invoke-Monitoring {
    try {
        Write-Host "Monitoring:" -ForegroundColor Yellow
        Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" -ErrorAction Stop

        $restrictions = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations" -ErrorAction Stop

        if ($restrictions.value.Count -eq 0) {
            Write-Host "  No enrollment restrictions found" -ForegroundColor Red
            exit 1
        }

        # Two object types come back:
        #  - deviceEnrollmentPlatformRestrictionsConfiguration (plural): the built-in default;
        #    iosRestriction, androidRestriction, ... are top-level properties of this object.
        #  - deviceEnrollmentPlatformRestrictionConfiguration (singular): a per-platform restriction
        #    created in the admin center; it carries platformType and a platformRestriction.
        # A platform is only safe when personal enrollment is blocked in the default or in a
        # per-platform restriction, and no per-platform restriction re-allows it.
        $blockedBy = @{}; $overrideAllows = @{}; $defaultAllows = @{}
        foreach ($p in $script:Platforms) { $blockedBy[$p] = @(); $overrideAllows[$p] = @(); $defaultAllows[$p] = $false }

        Write-Host "`n  Enrollment Restrictions:" -ForegroundColor Cyan
        foreach ($r in $restrictions.value) {
            switch ($r.'@odata.type') {
                '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                    $map = @{
                        ios            = $r.iosRestriction
                        android        = $r.androidRestriction
                        androidForWork = $r.androidForWorkRestriction
                        windows        = $r.windowsRestriction
                    }
                    Write-Host "  Default: $($r.displayName)" -ForegroundColor Gray
                    foreach ($p in $script:Platforms) {
                        if ($map[$p].personalDeviceEnrollmentBlocked -eq $true) { $blockedBy[$p] += $r.displayName }
                        else { $defaultAllows[$p] = $true }
                    }
                }
                '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' {
                    $p = [string]$r.platformType
                    $blocked = $r.platformRestriction.personalDeviceEnrollmentBlocked -eq $true
                    Write-Host ("  Priority {0}: {1} [{2}] personal: {3}" -f $r.priority, $r.displayName, $p,
                        $(if ($blocked) { 'Blocked' } else { 'Allowed' })) -ForegroundColor Gray
                    if ($script:Platforms -contains $p) {
                        if ($blocked) { $blockedBy[$p] += $r.displayName } else { $overrideAllows[$p] += $r.displayName }
                    }
                }
            }
        }

        $isCompliant = $true
        Write-Host "`n  Effective state per platform:" -ForegroundColor Cyan
        foreach ($p in $script:Platforms) {
            $ok = ($blockedBy[$p].Count -gt 0) -and ($overrideAllows[$p].Count -eq 0)
            if (-not $ok) { $isCompliant = $false }
            $colour = if ($ok) { 'Green' } else { 'Yellow' }
            Write-Host ("  {0,-15} {1}" -f $p, $(if ($ok) { 'Blocked' } else { 'NOT blocked' })) -ForegroundColor $colour
            if ($overrideAllows[$p].Count -gt 0) {
                Write-Host "      re-allowed by: $($overrideAllows[$p] -join ', ')" -ForegroundColor Yellow
            }
            if ($ok -and $defaultAllows[$p]) {
                Write-Host "      note: the default still allows personal; users outside the assigned groups can enroll" -ForegroundColor Yellow
            }
        }

        Write-Host "`n  Summary: $($restrictions.value.Count) restriction(s) evaluated" -ForegroundColor Cyan
        if ($isCompliant) {
            Write-Host "`nCOMPLIANT: BYOD enrollment blocked" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`nNON-COMPLIANT: BYOD enrollment not fully blocked" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`nERROR: $_" -ForegroundColor Red
        Write-Host "  Configure in: Intune > Devices > Enroll devices > Enrollment restrictions" -ForegroundColor Yellow
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Write-Host "Remediation:" -ForegroundColor Yellow
        Write-Host "  Manual configuration required in Microsoft Endpoint Manager:" -ForegroundColor Yellow
        Write-Host "  1. Go to Endpoint Manager > Devices > Enroll devices > Enrollment restrictions" -ForegroundColor Gray
        Write-Host "  2. Select or create Device type restrictions" -ForegroundColor Gray
        Write-Host "  3. For iOS, Android (work profile and device administrator) and Windows: set 'Allow personally owned' to Block" -ForegroundColor Gray
        Write-Host "  4. Assign to All Users" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    try {
        Write-Host "Revert:" -ForegroundColor Yellow
        Write-Host "  Manual configuration required in Microsoft Endpoint Manager" -ForegroundColor Yellow
        Write-Host "  Set 'Allow personally owned' to Allow for the platforms" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) { Invoke-Revert }
    elseif ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
```

Risk Without Implementation

High: corporate data on uncontrolled personal devices. Data breach on device loss, compliance violations, weak device security. For organizations with sensitive data, BYOD enrollment MUST be blocked. Alternative: MAM-only for BYOD (app protection without device enrollment).

Management Summary

Block BYOD enrollment in Intune; corporate-owned devices only. Where BYOD is needed, use MAM-only app protection. Meets BIO 12.02 and ISO 27001 A.6.2.1. Implementation: 4-12 hours including communication and set-up of the MAM alternative.