ASD's Blueprint for Secure Cloud

Device Configuration

This section describes the design decisions associated with Device Configuration for system(s) built using ASD's Blueprint for Secure Cloud.


Device Configuration Profiles provide the ability to control settings and features on supported endpoints. These include device and user settings, browser settings and hardware settings. Device Configuration Profiles can be deployed to specific users or devices by using Entra ID groups.

Many platforms are supported, and each offers several profile sub-types that can be configured. The following platforms are supported:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows Phone 8.1
  • Windows 8.1 and later
  • Windows 10 and later

Within each platform there are a number of profile types, enabling many settings to be configured. The profile types and the settings they expose vary by platform. In general terms, a configuration profile either configures the device for use by a user or secures the device by applying controls. Custom profiles can be created for a platform, but this should be treated as a last resort, used only where the required settings are not available through any other profile type.

In a co-managed state, these settings may be superfluous to existing Group Policies and Standard Operating Environment (SOE) settings.

Cloud native deployments

Hybrid deployments

Device configuration sets

Different sets of Microsoft Intune Configuration Profiles are used to configure device settings and features based on the security requirements of the activities being performed. These are aligned with the access roles:

  • Control Plane - Highly privileged access for administering the platform.
  • Management Plane - Privileged Access for deploying and managing workloads and data.
  • User / Application Plane - Standard access to applications and websites.

  Device Configuration Set | Access Roles
  -------------------------|-------------------------------------------------------------------
  SAW                      | Platform Administrators
  SOE                      | Information Workers, Remote Developer, Local Developer, Researcher

Device configuration set profiles

Endpoint Manager Configuration Profiles apply settings and features to devices. A collection of Configuration Profiles is assigned to devices as a Configuration Set, depending on how the machine is used. A naming convention indicates which Configuration Profiles belong to which Configuration Set, which device components the settings relate to, and the source of each setting.

Microsoft Intune applies settings through several types of Configuration Profile: some are legacy profile types (Administrative Templates, Custom Profiles), and others are governed by settings in related products (Microsoft Defender for Endpoint). Where available, the modern Settings Catalogue profile type should be used to apply settings, as it makes conflicting settings easier to identify and resolve.

The deployment of the settings, including any conflicts caused by implementation of a setting, can be monitored within Microsoft Intune Device Profile Monitor.
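To show how the profiles of a Configuration Set can be checked for the setting conflicts described above, here is an added Python example; it is not part of the Blueprint, and the profile names, the "<SET>-" prefix naming convention and the setting values are constructed assumptions.

```python
"""Constructed example: find settings given conflicting values by different
Configuration Profiles within the same Configuration Set (SAW or SOE).

The profile inventory, the '<SET>-' name prefix convention and the setting
identifiers are assumptions for this example, not the Blueprint's own names.
"""
from collections import defaultdict

SETS = ("SAW", "SOE")

# Constructed inventory. The profile types mirror those the text names:
# settingsCatalog (modern), administrativeTemplate and custom (legacy).
PROFILES = [
    {"name": "SAW-Win-Defender-SettingsCatalog", "type": "settingsCatalog",
     "settings": {"Defender/AllowRealtimeMonitoring": 1, "Defender/PUAProtection": 1}},
    {"name": "SAW-Win-Browser-AdminTemplate", "type": "administrativeTemplate",
     "settings": {"Edge/SmartScreenEnabled": 1}},
    {"name": "SAW-Win-Legacy-Custom", "type": "custom",
     "settings": {"Defender/PUAProtection": 0}},  # disagrees with the catalogue profile
    {"name": "SOE-Win-Defender-SettingsCatalog", "type": "settingsCatalog",
     "settings": {"Defender/AllowRealtimeMonitoring": 1, "Defender/PUAProtection": 2}},
    {"name": "Unlabelled-Profile", "type": "custom",
     "settings": {"Edge/SmartScreenEnabled": 0}},  # does not follow the convention
]


def configuration_set(profile_name):
    """Return the Configuration Set under the assumed '<SET>-' prefix, else None."""
    prefix, _, _ = profile_name.partition("-")
    return prefix if prefix in SETS else None


def find_conflicts(profiles):
    """Map (set, setting) -> [(profile, type, value)] for every setting that is
    assigned more than one distinct value inside a single Configuration Set.
    The same setting differing between SAW and SOE is not a conflict."""
    by_setting = defaultdict(list)
    for p in profiles:
        cfg_set = configuration_set(p["name"])
        if cfg_set is None:
            continue  # reported separately by unlabelled()
        for key, value in p["settings"].items():
            by_setting[(cfg_set, key)].append((p["name"], p["type"], value))
    return {k: v for k, v in by_setting.items() if len({e[2] for e in v}) > 1}


def unlabelled(profiles):
    """Profiles whose name does not place them in any Configuration Set."""
    return [p["name"] for p in profiles if configuration_set(p["name"]) is None]


def legacy_profiles_in_conflict(conflicts):
    """Non-Settings-Catalogue profiles involved in a conflict; per the text these
    are the ones whose settings are hardest to reconcile."""
    return sorted({name for entries in conflicts.values()
                   for name, ptype, _ in entries if ptype != "settingsCatalog"})
```

Running find_conflicts on the constructed inventory flags only Defender/PUAProtection in the SAW set, and points at the legacy custom profile as the one to migrate or retire.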

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra