Microsoft Intune in Microsoft 365 GCC & GCC High with CMMC Applications
Microsoft Intune is now part of Microsoft Endpoint Manager, a suite that includes Intune and Configuration Manager. Microsoft Intune for Microsoft 365 GCC and GCC High is available as a standalone license or part of the Microsoft 365 EM+S E3 and E5 licenses.
What is Microsoft Intune for GCC and GCC High?
Microsoft Intune is now part of Microsoft Endpoint Manager, a suite that includes Intune and Configuration Manager. Microsoft Intune for Microsoft 365 GCC and GCC High is available as a standalone license or part of the Microsoft 365 EM+S E3 and E5 licenses.
Both products within Microsoft Endpoint Manager integrate with Azure Active Directory in Azure Government to give visibility and configuration management to mobile device access, while providing robust native control to IT leaders within small to large defense contractor organizations.
Remaining competitive requires a balanced approach between maintaining security while providing tools to enhance, and also increasing the productivity of your workers. Trying to keep up with technology while also keeping this balanced approach can be especially challenging for contractors in the Defense Industrial Base (DIB), as each policy and change has the potential to impact their regulatory compliance posture with DFARS 7012, CMMC, ITAR, and others.
For example, implementing a bring-your-own-device (BYOD) policy for employees can present unique security risks for DoD suppliers compared to other commercial businesses. Managing external endpoints can be especially challenging, mobile devices alone can span operating systems (MacOS, iOS, Android, Windows, Linux, etc) among other variables. In order to ensure they meet compliance, especially for CMMC Level 2 and DFARS/NIST, organizations must leverage Mobile Application Management (MAM) and Mobile device management (MDM) tools. Using Intune can allow organizations to provide a limited-use shared tablet experience for employees, ensure secure access to email and other resources within Microsoft 365, and help secure company provided devices as well as personal machines with certain limitations.
What are MAM and MDM tools?
MAM and MDM tools are designed to help organizations securely monitor, analyze, and manage the access of protected information/network systems by mobile devices and mobile applications. A MAM tool controls the provisioning, updating, access and interoperability, and removal of mobile applications on protected devices. An MDM tool grants mobile devices access to protected systems and networks, using policies to regulate how, where, and to what extent that device can access particular resources.
Organizations can set policies to control access depending on the device’s encryption, specific location, operating system, number of authentication attempts, etc. These policies, along with the built-in controls that are available from your cloud service provider are key in meeting NIST and CMMC compliance. A good MAM/MDM tool should integrate seamlessly with your existing cloud infrastructure and other security products to create a unified defense and analysis capability. IT leaders within the DIB also benefit from remote enrollment, configuration, locking, wiping of devices.
Properly configured MAM can limit the loss of data, for example, by restricting devices from copy and pasting between managed and unmanaged applications or blocking installations of unapproved apps. For contractors in Microsoft 365 GCC or GCC High, Microsoft Intune an MAM/MDM tool that can meet all of these requirements through proper configuration.
What isn’t supported by Intune in GCC High?
Microsoft Intune in GCC High is based on the commercial version of Intune, however to meet US government needs, Intune in GCC High is built on physically and logically isolated infrastructure in Azure Government. This benefits DIB suppliers in that Azure Government and the respective services hosted in Azure Government are certified to FedRAMP High standards - with all customer data, applications, and hardware residing in the continental United States as well. These unique features allow organizations using Microsoft Intune on GCC High to meet CMMC Level 3 compliance for multiple practices across several domains. However, those differences mean that there are some features available for the commercially available version of Intune that are not supported by Intune in GCC High. For example, Intune in GCC High is only available as a standalone Azure service and cannot be integrated with any third-party MDM or MAM tools or hosted through another IaaS provider.
Below are the key feature variations and differences between Intune for GCC High and its counterpart built on the Azure Commercial infrastructure.
- Intune for GCC High does not support legacy PC management with the Intune agent, however management of Windows 10 is supported via the modern Mobile Device Management channel.
- On-premises Exchange Connector is not supported.
- Windows Autopilot and Business Store features are not available at this time, though it is currently being planned and being tracked on the Microsoft 365 Roadmap.
- Microsoft Endpoint Manager’s Endpoint Analytics and Log Analytics features are not currently available for US Government customers.
- Mobile Threat Defense connected for Android and iOS devices is not supported. MTD essentially receives signals/alerts from 3rd party products like Symantec Endpoint Protection Mobile, Sophos Mobile, etc.
- Jamf Pro and Intune Integration for MacOS devices isn’t supported.
- Diagnostics settings and Workbooks are not currently available to US Government cloud customers.
- The Locations feature is not supported in GCC High for DoD and Government customers. Locations is a network fence that limits access to being physically connected to your server within a local or area network, however using conditional access policies in Azure, this can be achieved in part.
- Configure your MAM conditional launch policy to include Max allowed threat level signals from Microsoft Defender for Endpoint on iOS devices and Android devices. Choose to Block Access or Wipe Databased on whether or not the device meets the expected threat level.
What does Intune in GCC High support?
As noted above, Intune is designed to be an application and mobile device management solution, and despite the above features currently being unsupported, Intune in GCC High is still a robust solution that can help you meet specific CMMC requirements on devices that use the following operating systems:
Apple:
- iOS 12.0 or later
- iPadOS 13.0 or later
- MacOS X 13.0 or later
Android (Samsung Knox Device Recommended)
- Android 5.0
- Android Enterprise
Microsoft
- Surface Hub
- Windows 10 Home, Education and Enterprise
- Windows 10 Enterprise 2019 LTSC
- Windows 10 IoT Enterprise (x86, x64)
- Windows Holographic for Business
- Windows 10 Teams
- Windows 10 1709 (RS3) and Windows 8.1.
Does Microsoft Intune in GCC High Help Meet CMMC Level 3 Compliance?
Organizations can meet CMMC compliance for specific practices across several different domains using Microsoft Intune in GCC or GCC High in combination with configuration settings and policies in Azure Government and Microsoft Defender for Endpoint.
CMMC Level 3 has 130 practices that an organization will be assessed on. Organizations can meet 31 of these practices using Microsoft Intune in conjunction with other Microsoft products. While each domain and practice won’t be covered here, this blog will cover some of the key practices in the Access Control (AC) Domain.
Intune allows you to fulfill the requirements for practice AC.3.022, which requires organizations to encrypt CUI on mobile devices and mobile platforms. Using Intune combined with the native polices and configuration options in Azure, users can set device compliance policies and configure Conditional Access to deny access to unencrypted devices to your systems, ensuring compliance with this specific practice. This in addition to data and file encryption applied through Microsoft Information Protection allows organizations to encrypt the data and the container on mobile devices.
Organizations can also use Intune in GCC or GCC High to comply with practices AC.2.011 and AC.3.012. To meet the AC.2.011 practice, organizations can force specific authentication and authorization requirements and configurations (enrollment) on mobile devices before allowing access to Microsoft 365 and Azure. Though AC.3.012 is often applied to local networks and IoT devices, organizations must protect wireless access using authentication and encryption for cloud systems as well. This can be met by pre-issuing a security certificate to devices upon enrollment then using a conditional access policy that only allows these trusted devices access.
CMMC practice AC.2.005 requires organizations to provide privacy and security notices consistent with applicable CUI and FCI rules. With Intune in GCC High, organizations can require users to read and accept a terms of service notification before accessing systems and data during the enrollment process. This functionality can be used to ensure that system-use notification banners and system messages display the legal requirements of using the systems requiring users to click and agree to the displayed requirements of the system(s) they are accessing, each time they logon.
Here are the domains and practices that can be partially or mostly met for endpoints with Microsoft Intune:
Domain |
Practices |
Access Control |
AC.1.001, AC.1.004, AC.2.006, AC.2.010, AC.2.011, AC.2.015, AC.3.012, AC.3.020, AC.3.022 |
Audit and Accountability |
AU.2.042 |
Configuration Management |
CM.2.061, CM2.062, CM.2.063, CM.2.064, CM3.069 |
Identification and Authentication |
IA.1.076, IA.1.077, IA.2.081, IA.2.082, IA.3.083, IA.3.084 |
Media Protection |
MP.2.119, MP.2.119, MP.2.121, MP.3.123, MP.3.125 |
Physical Protection |
PE.3.136 |
System & Communication Protection |
SC.2.179, SC.3.188 |
System & Information Integrity |
SI.1.2.11, SI.1.212, SI.1.213 |
Final Note
If you’re considering moving to GCC or GCC High for compliance, Microsoft Intune’s integration with Microsoft Defender for Endpoint will play a large part in meeting and maintaining compliance, as many of the practices listed above require both products to systems and the device itself from advanced persistent threats. Read more about Microsoft Defender for Microsoft 365 GCC and GCC High here.
To see a demonstration of the capabilities of Microsoft Intune for CMMC compliance, check out the video below from Microsoft Senior Security Architect, Matt Soseman.