Hello everyone, it is time for our mobile device management and Intune webinar. Thank you for joining us. My name is Shelly Reed. I am the manager of the Legal Services National Technology Assistance Project and we're happy that you've joined us today. I'm going to turn the presentation over to Tony Liu and they're going to give you introductions on everyone speaking today. So thank you for joining and let's get started.

Great. Thank you, Shelly. So to start off, we'll just go over the roadmap for our presentation today on the agenda. So we'll talk generally about what MDM is and what Intune offers and then go into a discussion about basic process for implementation, some policy decision discussion and then training. Training looks like the slides are training and help desk issues and then the discussion about how MDM and bring your own device overlap and then we'll have some time for some question and answer. Before we dive in, some introductions. So I am Tony Liu. I'm a senior consultant at Just Tech. And with us, we also have Amanda Rebels, who's the chief operating officer at the Michigan Advocacy Project and Joseph Mello, the director of engineering at Just Tech. I think we might have skipped a slide or sorry, maybe my slides are out of order. Okay, we could try the next slide, please. Okay. Well, so before we talk about MDM and Intune, we're going to do a quick poll just to understand your role and who's in attendance right now. So if we could see the poll results once we have a good number of responses. Okay, so it looks like, you know, almost half IT staff, which sounds about right for something that's potentially with the title that sounds so technical. But it's also good to know that there are some management level folks as well as other staff here to learn about this topic. Yeah, and you know, the presentation kind of covers some of the more technical aspects, but also a lot of the policy and kind of internal business culture aspects as well.
So hopefully there's going to be something for everyone in this presentation. So, next slide please. Let's start off with a conversation about what MDM or mobile device management is. So generally it's, you know, you can think of it as the administration of mobile devices and applications and contents on those mobile devices. But there are a lot of specific terms and acronyms that you might hear. So, MDM or mobile device management is regarded kind of more specifically as management of devices themselves, so smartphones, tablets, laptops. MDM came first. Out of that came a need to kind of expand management as mobile devices became more complex and so another term called enterprise mobility management or EMM kind of grew out of that. It's kind of like an MDM plus, right, so it's also about managing applications and contents on those devices and has, you know, more advanced analytics and security features than, you know, the original MDM solutions. And then there's also a term called unified endpoint, UEM, and that often is, you know, referring to things like internet connected printers and other types of Internet of Things types devices. All of these terms sometimes get used interchangeably and in overlapping ways. So just for our purposes today when we say MDM, we are talking about not just managing mobile devices but also sometimes the applications and the contents on those devices. But, you know, I think in a lot of ways MDM has come to sort of be the generic term that a lot of people use. And Joseph, can you tell us a little bit about Microsoft Intune specifically.

Sure. Hi everyone. So Microsoft Intune, I'd say has evolved quite a bit since when it first came out. And in usual Microsoft fashion they're sort of cobbling things together to fit into the world of Intune and I'm sure at some point they'll probably change the name to it. But right now it essentially can do the mobile device management side of things for users and devices.
I'll get to that in a second. There's also the capabilities to do app deployment and management. So if you wanted to be able to roll out, say, Adobe Reader to everyone's, like, laptops, essentially you could do it that way through the app deployment. There's also a lot of policy based type of things that you could do inside Intune. So there's application policies, device policies. Device policies are kind of like Group Policy in the regular on-prem Active Directory. There's compliance policies, so you could set something that says you must have this version of the operating system in order for you to be considered compliant. There's conditional policies that you can set, like requiring that somebody has MFA turned on or that you're within the United States, and that's considered within the conditional policy. Intune is also capable of doing endpoint detection and response. So it's Microsoft's, like, antivirus product. There's also Autopilot, which can do the, like, OS deployment type of situation. You can essentially get a computer and have Autopilot get Windows provisioned and the applications deployed to the device. And there's also the baked in Windows updates. You can control Windows updates, which essentially replaces the old on-premise products that existed before.

Great. Yeah, that's a lot and we'll dive into some of that some more, but maybe Amanda you can talk to us a little bit about why an organization might need this.

Sure. So I will say that number one, I think MAP's biggest reason for moving to Microsoft and Intune was because we needed a more efficient process, both for our device deployment and also for our device management. And I think that was both our IT support team side as well as our end user side. MAP has grown. We've actually tripled almost in size since the beginning of COVID.
So with that comes triple the amount of machines that you have to maintain, manage, you know, send updates to, make sure that stay up to date. And I will say that when MAP moved to the Microsoft platform, we made a really big change inside our organization because not only did we begin to use Intune, we also worked with Dell to begin to use Autopilot. And we also moved about 11 on-premise file servers, Linux file servers, to SharePoint. So this was a huge change for our organization and part of the reason why we made that change was all because of cost and efficiency. Our previous process was just, it was very manual, it was very time consuming, it required a lot of IT overhead and time. It just wasn't an efficient system. I also think that with Intune, we have really increased our security and visibility, as far as all the devices that we have in our program. And Intune just requires much less time to manage. I think it makes it much easier for our IT team to enforce policies on laptops, smartphones, both. I will also say, I know we talk about this later, but personal devices as well as MAP owned devices. And it also gives us control when a device goes lost, stolen, misplaced, what happens with that device and the data on that device. It's also, talking about SharePoint, it's also made us much more efficient, because we can now back up all of our SharePoint sites to one place so we don't have to maintain all that equipment that we had with our on-premise file servers. And I think last, I think it's much better for our help desk support. We have images that, depending on when they were deployed, they were all different. So our help desk staff never knew when they connected to a machine which image was on that machine. With Intune, you know, our help desk staff can connect to a machine. Everything is set up the same.
It's all very consistent. They can see in Intune which apps that machine has, which versions of those apps they have. It's all very transparent as opposed to our old setup that we had.

Great. Thanks. Next slide please. So this is just kind of a visual representation of a lot of the features that Joseph and Amanda were kind of referencing. And to just kind of give you a sense of, you know, how comprehensive it can be and how effective it can kind of be to give IT and an organization the ability to kind of handle all of this in one specific platform. So, now we're going to talk a little bit about the process for implementing. It's not necessarily something that you just flip a switch. So, Amanda, if you wouldn't mind talking a little bit about your process.

Sure. I think one of the biggest things that we had to look at in the beginning was our equipment. Any other nonprofit, we did have some older equipment that was, say, five, six years old. And so one of our concerns was if the equipment that we had would be up to date enough to facilitate this upgrade to Intune. I will say that we had a very small handful of machines that we were not able to use once we went through this whole change, so that was actually a pleasant surprise for us. There was a lot of communication with staff several months prior to this change. What would take place, what they could expect, when those things will occur, and I think that that communication of staff was very helpful for users just to adapt a little bit more easily when all of these changes happen. I will say also, this is kind of one of those things, hindsight, you look back right after making this change. I will say just months after this change. And so we did purchase a pretty large amount of laptops that obviously were all new devices, worked very well in Intune, but had we not made this change to begin to use Intune.
We would, it would have been a must for us to try to order all these laptops, get them out to staff, fund them to the office, to their houses, get them all registered, get people logged in, account setup. Because we were using that Autopilot process to Dell, we were able to just ship those machines, and they were all set up and ready to go, so that was a huge time saving for us at a time when we were already kind of buried in work. So one important thing I think to note is the way that we set up our Intune setup, it did require us to move from, at the time we had a free Microsoft licensing process setup to taxi. We did have to move to a Microsoft 365 E3 license, which does have a cost associated to it. But I think that through TechSoup we were able to get about a 75% discount off of the retail price from Microsoft. And I know this, this whole of it are mostly focused on Intune, but I will say, talking about preparation, because we also decommissioned all those on-prem file servers to SharePoint sites. That was probably one of the biggest hurdles that we had, was migrating all of that data to SharePoint. That was a huge undertaking. I think anybody who's thinking about that, that's an important thing I just want to note to kind of keep in mind. It was because of bandwidth, it just took us, it was very, very time consuming to get all of that migrated over to SharePoint.

Great, and Joseph, can you talk a little bit about the app deployment management and monitoring reporting.

Yeah. So with the app deployment, which was one of the things that I mentioned earlier that Intune can do. One of the easier methods would be, you can go to the Microsoft Store using Intune and essentially say I wanted to deploy what's in the Microsoft catalog, and Microsoft of course has a lot of things that are in there. That's available to you. I mentioned something like Adobe Reader or something like the Office 365 like applications, Word, Excel, PowerPoint, etc.
But you may find that an application that you're looking to deploy is not in the catalog, and it happens. Microsoft of course is going to continue to add things into the Microsoft Store but in the meantime, you know, they provide a way for you to do these kinds of deployments and there's a couple of steps involved. You know, you would have to get your application and then convert it into a special Intune file extension that they have, and Microsoft provides you a tool to use that for free. But again, it requires a little skill behind for you to essentially run the tool, tell it here's the package I want, and it essentially spits out what it is that you need to upload into Intune, and then you can program how you want that deployment to work. So a little effort there on that part. If you're not as tech savvy in those kinds of situations, there are third party tools that you can use that will, again, they have the ability to sort of take a package for you and then they do that conversion. You know, for a small price essentially, and then they connect to your Intune environments. That really makes it very seamless. You go to their catalog, you choose the product, and it gets deployed through the Intune system, for a price, of course. And then it comes to monitoring reporting into another lot of that. So just by bait when you sign into Intune there's just going to be a lot of overview pages, dashboards and widgets to be able to tell you right from the get go what's in your environment. But then of course there's a lot of reporting and monitoring that you could do in the environment. Some of the things you're going to want to look at or be able to see in the environment is going to say who's logged into the device, what kind of device it is, where they've logged in from. It's going to show location, IP address, that sort of thing.
There's also going to be, one of the major things it's going to be about is what applications are installed on the device, or whether the device is considered compliant based on how you have everything programmed, right. So if you're looking for a Windows and running this version, is that compliant, yes or no, and it gives you sort of that type of information. And you could set up within Intune sort of what you do if the device is not compliant, right. You can send the message to the user and say you're not compliant and you have two days to fix this or else we mark you as not compliant, and then maybe you have rules or policies in place that sort of specify what happens if you're not compliant. Maybe you don't get access to Office 365 because you're not compliant. So a lot of that is baked in already in Intune, and if you want to go beyond that of course Microsoft provides you things like Graph API essentially to be able to do things like analytics within Azure. All that is sort of beyond the normal stuff that's baked into Intune, and it requires some skill level to be able to do, but it's there.

Great. Thank you. So now we'll talk a little bit about the policy decisions that need to be made when you're considering the implementation. So if we could go to the next slide. Amanda, can you talk a little bit about your policies and how and why you set those up.

Sure. So we started with a pretty basic set of policies I think when we first got started. I will say over time that has obviously grown, right, because as you start to learn Intune and learn how it works and know all of its power. Obviously those security policies have really grown over time. I think that when we first started we started with a pretty basic set of, you know, security: probably want BitLocker enabled, we want Secure Boot enabled, we want to require an antivirus, we want to require obviously a password on any device that accesses MAP data.
We want to have that device to have a device lock if it's idle for an amount of time. We want to require a password when it returns from that idle state, just kind of basic things like that. So you have some conditional access policies out there so that machines can't access MAP data unless they are compliant. So those are some of the types of things that we set up in the beginning. Another kind of, I tried to think of some kind of different ones that we set up in the beginning. We did have an issue with Adobe Pro when we started rolling all this out. We had Adobe Pro to update for users because it wanted an admin password, so we had to put users that devices that had Adobe Pro into a group so that we could run a script that would go out and check for updates, and then a lot of those updates to run, and then also make sure that Pro was always set as their default. So just things like that are just kind of some examples of stuff that we've set up and are using. We've used groups for troubleshooting and testing at times. You know, we've had, because of Autopilot, sometimes will with our Autopilot provisioning process will hit a hiccup somewhere where it won't go through the whole process, so we may create a group to put a machine to say okay, you know, maybe exclude it from this policy and then see if the Autopilot will run and all the provisioning will finish. So I think there's a lot of things that you can do with policies and groups and things, but it just kind of, until you get a hang of how much you can do, is that, you know, you start out with kind of the basics, and then I think you also have to kind of remember you don't want those policies to conflict either.
So as you start to go out and create these policies, you want to have good policies in place for users so that they're obviously keeping your data safe, but you also don't want to restrict them so much that either those policies start to conflict with each other, or they start to really inhibit people's work.

Okay, and Joseph, can you talk a little bit about implementing policies in phases and what that might look like.

Right, and so Amanda mentioned this just a few seconds ago. It's about sort of how you want to sort of roll this out, and whether it's the comfort level of your IT staff or the comfort level of your users or just generally how your organization operates, you know, you know your employees best of all, and if you're introducing something like Intune you may have a lot of things in mind that you want to set in terms of policies, right. Maybe you want to require everyone on a smartphone to have a PIN, which is what I think you should have, but not everyone has a PIN on their smartphone currently, so that's a little bit of a, you know, possibly a learning curve for your users. There's also requiring that, say, your iPhone or Android or even computers must be Windows 10 or must be this version of iOS or Android, which again there's probably going to be some users that don't have that version. Maybe they have a very old iPhone. So you may be excluding people out of whatever you're doing with Intune, whatever your policies are, or getting used to pushing applications out to devices, or you set more security based policies, right. You want to prevent people from taking screenshots on a smartphone, or copy and pasting data out of one like say application. Someone gets an Outlook email, it says information in the email, they copy and they want to paste it into a text message that may go to someone that's outside the organization. So you set a policy that prevents that from happening.
So you could do a lot of things here, but it's really going to be a matter of are you going to do it like ripping a bandaid off and all these policies go in at one time and you kind of make that announcement to your users, or do you sort of do this bit by bit in phases, essentially get everyone used to sort of what you're doing with Intune and introduce things as you go along, requiring BitLocker, disabling USB storage so people can pop a flash drive in, that sort of thing. And then it's going to come down to, again, as you grow, and Amanda could probably speak to this as well at some point, but you know, you're going to have to create a group, maybe specifically for this or that or the other thing, like the immigration group needs to be able to get this app deployment and bankruptcy group needs to be able to do this or that, and so you add complexity to what you're building out there. So documentation is going to be very important with what you're doing in Intune, and you want to be able to remember, I've set these policies up for a reason, here's why these policies affect these people and here's why. And you know, frankly, IT people come and go, right, and so if you hire somebody new or your IT staff is sort of dealing with a ticket, they should be aware of what's actually configured and that it's actually there for everyone.

Yeah, and Amanda you mentioned, you know, the security groups and the policies have changed over time. You started with about 10 to 12 groups and how many are you up to now.

Oh boy, I guess over 50, I don't know what off the top of my head. So that's a great point that I will say we do have one funder that requires much higher levels of security than our other funders.
And because of that, again, we've had to use them, some security groups to limit those users who are funded by that funder, where they may be able to not, say, download things from our browser or not allow them to sync OneDrive, you know, things like that, where some of other funders don't have those restrictions so you may not have to place those on all your staff, but for anybody covered by that one funder it's required.

And have you ever, have you rolled out any policies where the user experience ended up being like this just isn't working for us and you've had to kind of roll it back, because this sort of, you know, as Joseph was talking about, there's balance between trying to make sure you're being as protective as possible but also your users have to be able to use the systems, right, so has that ever happened for you guys.

It has. I can think of a time or two where not so much, maybe it interfered with the user per se, but it either may be conflicted with another policy or it just, it restricted things more than what we had actually thought about and didn't actually, you know, our full intention didn't, you know, just we didn't get the result we wanted so.

Right. Yeah, so I mean I think the takeaway is that these policies, it's kind of an evolving living thing, that it's never going to be like we just sit down and figure this out, write it all down and we're done. But yeah, so it's definitely a very active part of the ongoing use of MDM.

I will say we're very fortunate here at MAP, we have, I think, a few staff in every part of our organization that are very useful and always happy to help us test things. So, you know, test test test, right. If you're going to roll something out to an entire section of your organization that could maybe have some negative impact, test it first and see what happens, and I mean we do kind of always use that as a rule of thumb and do that before we roll something out to a whole entire group of people so.
Great, that's great advice. Great, so I think we have another poll coming up. So not to put people on the spot, but regarding security groups in your organization and policies, does your organization have written documentation that someone could, you know, someone could follow if your admin disappeared. I'll just take a couple of seconds. Well, I'm encouraged to see 18 or 45% said yes, you know, the 18% and the 36% that said no or what policies. There's definitely a lot that you can kind of glean from this presentation but I'm sure, you know, we'll be continuing to find ways for the community to share about what they've done, because really there's no reason to necessarily reinvent the wheel as much as you have to kind of fine tune the stuff for your organization. There's a lot of basics that I think we can all kind of learn from one another. So, Joseph and Amanda, if you guys wouldn't mind talking a little bit about the training and help desk issues that come up with implementing MDM.

Sure, I could start, Amanda. I'd say probably one of the, some of the more typical things is forgetting whether a license, the actual license that is required for Intune, is applied to the user account. It's easy to forget. It's also something that I'd say I've even seen sometimes some functions work without the license. With Intune that's more Microsoft sort of back end. I know you're not allowed to use their products without the licensing but some things are a bit of a loophole and you can get in and start using it. I don't suggest doing that, you should certainly follow the EULA, the end user license agreement for Microsoft, but one of the very first things that you come across if, let's say, you open a ticket with Microsoft support and say why isn't this working. That's going to be one of the first things they're going to look at, is the user account properly licensed to be able to use it.
Other things that are going to come up, and I talked about this earlier, right, is if you have a policy that states, you know, whether you have to have a certain version of like an operating system. And then a user calls up and says hey is not working, right, and you forget that you have that set in your policy. That's something you're going to miss, right. These are just basic training and help desk type of issues that you sort of want to look for. Another one to look out for, and I think Amanda has got some information on this one as well, is if you're going to be doing enrollment of like say bring your own device, people's personal devices. And you discover that a lot of them have Macs, right, and maybe you weren't prepared for supporting Macs. And so that's a big thing to sort of look out, like what are the devices that are being enrolled or what are the devices that people are using. And do you know a Mac, does IT staff know how to function with a Mac, like where's the line that you're sort of drawing with that kind of support. More things could just be simple stuff like if you're doing app deployments and maybe the device doesn't have enough storage space, right, or if it's going to be something like a friction, like if you have a policy for preventing data from leaving your organization, right, being able to do that copy and paste. And I've been in these situations before, right, I learned that I have a policy in place that does not allow you to take data out from one Microsoft application and putting it in something outside of Microsoft, like in Gmail or something like that.
And it doesn't work, right, and then you discover that hey, the users actually have a business purpose for this, and it's like okay, well, like Tony says, not everything is set in stone here, right. You have to go back into the policy and maybe change the way that you have your policies configured or you do exceptions, right, you're allowing this application because people actually use it, you didn't know about it, shadow IT, and then now it's part of the sort of the policy.

Yeah, I.

I'm sorry, I was just going to say the only thing I would recommend is communication communication communication with your users, but go ahead.

Yes, yes, we have a bit of an unusual setup I think here at MAP because we had Google Workspace, we made this move to Microsoft but we kept Google. And so we use the two of them together, which a lot of people told us was a bad idea. But we proceeded anyway and it's worked wonderfully I will say. We use Google for our single sign on. Our MAP, our staff use personal soft ones for multi-factor authentication. We did encounter some hurdles when we first got into rolling with because of the Google Microsoft setup that we have. We were able to work through quite a few of those either with Microsoft support or by basically Googling other organizations that were doing the same thing and had already resolved some of the issues that we were seeing. I will agree that Macs are not a pleasant experience. If you have a lot of Macs and they're moving to Intune, it's not a good experience. We actually got thrown into that during COVID because we didn't have enough machines, laptops, for me to work remotely. And so some staff were using personal Macs for a period of time just so they could continue to work and it did not go well. We got thrown into it with only one staff who really knew Macs well.
And, but I think, you know, we even the same way through, through Microsoft support and some Googling and just trying to figure out each issue that we saw, we worked through it, but thankfully now we've got all MAP equipment for all staff so there are no more Macs, and I shouldn't say no more, we do have a few, but not that so it's great. I think that we spent a ton of, like I said, communication to staff. And we still do when things change of, you know, this is what you're going to see, here's what you should expect. When we did this roll out we sent two IT staff to each office when we rolled out that Intune deployment in their offices, and I think that really made them feel better just to have two IT people that are dedicated to help them in person to answer their questions. I think that really makes a huge difference.

Yeah. Great. Yeah and just can you talk a little bit about your experience in terms of training and how you go about supporting rollouts.

Yeah, a lot of it is just the communication side of things, right, the proper screenshots, the documentations, that users understand sort of what's happening, and having even your own IT staff be aware of it, right. They have to be aware of what you're doing before, you know, the day you're enabling the stuff, that everyone, sort of all hands on deck to be able to solve those kinds of issues, and especially if your team doesn't have experience with Intune itself, right, you should have a bit of a training with your staff so that they are familiar with Intune before it actually goes live, right. Maybe you set up a beta environment with just the IT team, right, enroll your devices, enroll your smartphones around with the policies, right, internally just within 90, and then you can go back to your management team, your executive team and be like here's what we found works and what doesn't work and here's what we recommend should be turned on, right, and the management team.
Or the executive team, you know, sort of you work with them on what their expectations are, and I'll guarantee you once it rolls out, right, there's going to be some other changes that are going to happen. Just because nobody was aware of x, y and z. So, a lot of it is going to be that piece. Flipping switches is easy. From an IT perspective, going in and setting something from a yes to a no or adding a checkbox is fine, but it's the ramifications that you have to deal with.

Right. Yeah, it's all well and good to like have your configuration set perfectly if there's until there's like a user riot over how much change they're being asked to absorb. Great. So we've been talking about the process and some of the things you have to think through and prepare when we talk a little bit about the benefits. On the next slide. Some of the benefits of implementing MDM and Intune, and we've touched on some of these things but definitely I think it's worth repeating some of the ways this will help your organization. So, yeah, Joseph, you want to get us started.

Sure. I'd say one of the main things that I've seen, a lot of organizations are really interested in Intune or sort of MDM type of product is primarily two things. It's going to be because they want to be able to wipe a device. If, say, a user loses or gets a device stolen, or more importantly, if a user decides to leave the organization, what's happening to the data that they have. And if you're an organization that had enough money to be able to buy a laptop for all of your, you know, staff and even interns, then much less of an issue, you just get that device back. Hopefully you get the device back, I've been in situations where that has not happened either. But if you're allowing the BYOD type of environment, bring your own device.
What's happening to all the data that was sitting on someone's personal device, and from an IT perspective I have no idea what they're doing on that device, I have no idea what's installed on that device. Is it up to date, and then are they saving things locally to their own personal laptop and then they say goodbye and they're taking all that data with them. Now that is that level of control to be able to wipe a device remotely or wipe at least the company data off the device, maybe not the entire sort of device itself, depends on the situation. And then a lot of it is going to be data leakage as well. And I mentioned this earlier, right, being able to control where that data is allowed to go to, so you don't want to let somebody do a screen capture on the phone, you don't want to be able to sort of copy and paste that data out of an environment and into something else, right. You could turn that on, you can even turn on the capability to prevent printing from like a smartphone for instance and, again, depends on your environment. I've been in situations where that's usually what I recommend for people to do and then the organization says yes, and then they discover oh wait, no, we actually need to be able to print from XYZ because someone's at a courthouse for instance, right, and so you sort of backtrack and you make the change again. So it's really a lot of that enhanced security to be able to do that type of things. The other piece, and Amanda mentioned this earlier, is streamlining sort of what that device management is like. You get devices purchased, they come from Dell, they get pushed out with Autopilot, they all get the same kind of applications, right, you sort of know what you're getting when you set up sort of that process. It's going to be also just a user productivity, right, everyone knows what everyone should have, the IT staff knows what should be there.
If there was a situation where a laptop blew up, and you need to give them a new laptop, right, it's the same build and they know what they're getting when they open it back up, right? It's not going to be a different experience: oh, on my last computer I had Adobe Pro but now this is Nuance, I don't know how to use Nuance. Right, so you keep everything consistent in that way. I'm sorry about that. Great. And Amanda, you want to talk a little bit about some of the cost savings and efficiency gains? Sure, sure. You know what's funny, I would say that efficiency and cost savings are probably the two biggest things that we've accomplished with this change, but it's also security and visibility and a ton of that that we couldn't see before, you know. And in Intune, being able to see devices, and, you know, now we can see the last IP address that connected, the last known location, the applications with access. We can see so many more things now that we used to not be able to see with the old platform that we had. We've obviously saved a ton of time and costs from, you know, we used to have devices shipped here to one location in Ypsi and take them to ten different locations in, you know, southeastern Michigan, which seems crazy now, but that's what we used to do. You know, that's all mileage and IT time and everything that, you know, we just don't have to do now that the machines just all ship right to the locations. The user signs into it. You know, the Autopilot provisioning kicks on, loads all of our policies, all their, I mean, it's great, it's a great experience and so much easier to manage. I think, again, for our help desk it's also just light-years better, because every time they connect to a machine they know what they're going to see.
And I think it's also easier to troubleshoot things, because if you see an issue on one machine, you know that you may likely see that on five, you know, what other machines are in that same group of devices with whatever they have access to. You know, I think one other benefit from Intune also is that, you know, Microsoft does come up with new options every day inside of Intune, and you get to take advantage of those options. Most are good. Sometimes they might break something else, which is a bad day, but 99% of the time they're all good advancements, and so you get to take advantage of all of those in real time, and I think that's great too. It's great, we can also now basically deploy any app to any device. We use the Company Portal. That's how we send out apps to our staff, and you can just send it to everybody in the organization very quickly, which, we used to not be able to do that prior to having Intune either, so. Yeah, great. So definitely, yeah, definitely a lot of upside for organizations, and it sounds like from your experience that upside far outweighs the, you know, the learning curve and the change that you guys had to undergo. Great. So the next topic is a pretty big one, probably one that, you know, would generate a lot of discussion within an organization. But so, you know, we want to talk a little bit about the overlap of MDM and bring your own device, you know, staff bringing their own devices, using their own devices for organization work. So just, what does it mean to enroll a user's personal device into an MDM platform? And that means that you as the organization have some level of control over the device. And that's the scary sort of language that, you know, some users will kind of say, no, well, I don't want that.
Right, and Microsoft, and we share this in a later slide, Microsoft has a link that sort of explains what it is that an organization can see when a device is enrolled, so that's helpful for you to look at. And, you know, have users understand, you know, if I enroll my smartphone, my personal smartphone, what is it that you can do, what can I do? Briefly, I can push out an application to your device. Do you like that? Maybe you do, maybe you don't, right, from a personal user perspective. But, you know, I'm pushing out something like Outlook maybe, because that's something you're going to need most likely to check your work email on, so it makes sense. But that also means I could probably push out something like, right, which, again, you're not going to want. There's also other things, right, like I won't be able to read your text messages, for instance, from your smartphone, or, like, see your browser history on your computer. But it's where sort of the line is drawn, right? There's a little bit of a misconception of what can be done and what can be seen. But there's a bit of a gray area, right? If I'm pushing out an application that's allowing me to do, like, TeamViewer, I could remotely connect to your device, right? Intune itself doesn't give me the privilege, but now that application does give me the ability to get to your device and do things to it. So again, it's going to be a big conversation in your environment. I'm going to be able to see who signed into it, like the name that's on there, the type of device you have, the serial number of it, the inventory of the software that's there. So if you look at the geographical location, right, I'll look at your IP address, it's going to show that it's from New York, or from Boston, or somewhere else. I know where you are, based on your signing in.
And that's not even generally due to enrollment, just Microsoft. When you sign into Office 365, I as an admin can look at the logs and see that you are vacationing in Japan, and good for you for being on vacation. But I know you're in Japan, right? And that's going to be important for your policies, because if you had a policy set up that says you're only allowed to log into your Office 365 from within the United States, and you decide to go on vacation, and you really should not be working when you're on vacation. But if you do, and it doesn't let you in, you know, the user is going to call in and say, hey, I can't work, sadly, when I'm on vacation in Japan. And it's like, okay, well, I have to set an exception to allow you sort of in from your environment, right? But, you know, it could be seen in both ways, whether it's intrusive or it's helpful. And I've seen in my personal experience of a lot of organizations that there is pushback from users, and users like to have that control. I've seen attorneys sort of use their phone to be able to communicate with their clients, send the text message, have these phone calls, send files over, and they do it all the time. But from an organization perspective, if the organization is telling you this is how it's going to be done, that's when the user pushes back, like, I want to be able to say what I do, not have the organization tell me what to do. So it is a sensitive discussion to have, and unless your organization has money to essentially buy smartphones for everyone, and buy laptops for everyone, then you may have no choice but to do BYOD. And it's important to protect the company data, and I think any attorney would understand that as well, right, the importance of securing that information. So two things. One, there was a question in the chat about what kind of security risks.
Have you seen when you allow bring your own device? And then can you, just for the sake of kind of maybe establishing some context, kind of talk about, like, the difference between saying, if you need Microsoft Outlook on a mobile device you can push it out, but what's to stop the user from just going to the app store and downloading Outlook and signing in directly, right? So can you kind of. Right, so two things, right? You could push out the application just because in advance you know that they're going to need it and you're being helpful. You could instruct users to go out and download Outlook because you know they need the work device. But you could set up policies, and this goes back to the compliance policies, right? Is your device enrolled? You could have that as part of your policy, and if your device is not enrolled, then you can't access Office 365 email, right? So sure, download Outlook as much as you like, try to sign in. And when you do, it'll pop up and be like, well, you can't do that because you're not enrolled. So now you're requiring people to be enrolled in order for you to be able to access that company data, so that's how you could secure that piece of it. In terms of what the security risk is for people's personal devices, I'd say in a lot of ways with Intune you're minimizing the security risk now, because now you're requiring people to be on a certain OS version, or that the device is BitLockered and encrypted, or that it has a PIN on the smartphone. You're making up the rules, and if they don't follow it they can't access the data. But some of the risks could be, for instance, especially on someone's personal device, right, I don't know what antivirus they have installed on their computer.
You've seen organizations sort of do the low-budget way of saying, like, everyone, on paper, right, policy, paper policy, everyone needs to have antivirus installed on their personal devices, and everyone will nod their head. And maybe you set up a system where they have to send you a screenshot, or the IT admin has to, like, log into your device remotely in some way to demonstrate, yes, I have antivirus installed. But, you know, maybe you do a check every month for everyone to do that, but there's no one that stops the user from ending the call and then uninstalling the antivirus, right? Or that they, you know, they purchased McAfee for three months, and then after three months it's not working anymore because they haven't paid for it anymore, and now it's out of date, right? So there's a lot of holes with not using something like Intune, because now if you do have Intune and you use the endpoint detection and response components, right, that's being pushed out to these devices. So you're protecting these devices with your Microsoft products. And now, whether they had an antivirus or not, right, they have something that is actually protecting the company data on there. Right, so. You know, MDM is to kind of plug the holes of bring your own device policies that expose a lot of risk to organizations, and kind of what we were talking about earlier. A lot of these applications are, you know, the data is cloud based, or, you know, the applications, the clients, are easy to install, you know, independently. And I know that, like, you know, Amanda was alluding to the fact that you were fortunate to kind of have been moving into this prior to the pandemic. A lot of organizations, when the pandemic struck, you know, were just saying, you have a computer at home, use your computer at home.
And so people were probably installing Microsoft Teams and Outlook and accessing data directly through those client apps without a lot of these kind of, you know, protections of an MDM system to be able to really control, you know, how that data was being used and kept and, you know, potentially saved and transmitted, you know, through other applications on the laptop. Can you talk a little bit about web filtering on BYOD and issues around, I guess, web filtering, but also, you know, like, you know, there's Outlook online, so wouldn't you be able to just, you know, access Outlook in the web browser and circumvent, you know, something if the device isn't registered? Yeah, so I do know that Intune, that is not something I've personally played with too much within Intune, but yes, Intune does have the capability to do web filtering, and like most other web filtering products it goes based on categories. So there's, you know, there's the database that sort of says, you know, Google.com is this type of website, that's a search engine. But if you're visiting something like a legal organization, or if you're visiting some sort of gun website or weapon website, they fall under different categories, and you define what you're doing with those categories, whether you're allowing them in or not. And just like any other web filtering sort of capabilities, you're going to come across issues where maybe a website's been miscategorized. So you may need to either, you know, submit some sort of feedback to Microsoft or your web filtering sort of provider and say, hey, this is wrong, it should be changed, and you could set up exceptions, right? Or maybe some users need to be able to visit these types of websites but not other users, so you could set up that sort of policy stuff within Intune. And that can apply to BYOD, like, you can set up web filtering to prevent access to certain sites?
Yes. I'd say though that a lot of it with Intune, and again, I'm not an expert with sort of the web filtering stuff, but I do know that Intune does want you to use more Edge as sort of the web browsing software you're using on the device, because of course, Microsoft, it's going to have more control over what it could do with Edge versus Chrome or anything else. So if you're looking to do things from a Windows 10 device like adding certificates or trusted websites or things of that nature, then it's most likely going to try to push you towards using Edge instead. Right, so it could be a scenario where, for work purposes, the official browser is Edge, but, you know, if it's a personal device people can continue to use Chrome for their own internet browsing, yeah. And then just that other question, so is there potentially a loophole with being able to get into Outlook from any web browser, is that also something that can be controlled? Yeah, I mean, it's going to depend on how you set up your policies. And so, you know, from an administrative perspective, you should have the right policies in place for what you want to do. Like, for instance, you could set up a policy that says, and I mentioned this earlier, right, you must be enrolled and compliant, not just enrolled but you have to be compliant, in order for you to access email. And so it's a possibility that the device becomes no longer compliant, because maybe it was looking for antivirus and now it's been uninstalled by the user, so therefore it's not compliant. It'll show up as non-compliant in Intune. Right, but then what do you do with that information, right? You could set up the policies so that if you're not compliant you don't get access to email, as simple as that, right? Like, it's going to be dependent on how you set up your policies and what you want to do with it. Right.
Yeah, and Amanda, can you talk a little bit about your experience, kind of, in rolling this out and having conversations with your staff about bring your own device, and what you've heard? Yeah, we obviously, again, during COVID, everything goes back to COVID. We did have staff use personal machines for a good part of the time while we waited, you know, everything was backed up because of COVID. We couldn't get laptops, couldn't get, you know, it took forever. We did have staff enroll devices. We didn't, I will say, get a lot of pushback from staff on that. I've heard other organizations that, you know, have really had a lot of resistance to that. Our staff use their personal cell phones for multi-factor. We've never had pushback on that. We do allow staff to access things on cell phones. They do have to enroll the devices in Intune if they're going to access anything, any MAP data, and it's just like any other MAP device that has to be compliant in order to access any of those things. We do keep personal and MAP devices in two different groups. You know, one thing I guess to kind of keep in mind is, well, at least I can only speak for MAP, you know, we know all of the policies that we have out there for MAP devices, we obviously wouldn't want to push all those out to personal devices, right? So we do keep those in two separate groups. We do keep some of the restrictions for personal devices, like it has to have a PIN on it or a password, it has to lock, you know, after a certain period of time if it's idle, things like that, for obviously security purposes, but we don't obviously push all of our security policies out to personal devices.
Yeah, so that's a great example of, like, if somebody is really just intent on not enrolling their device, at the very least, you know, just get the authenticator app and use it for MFA. You know, we can't see anything about your device, you know, you're installing it yourself, you can delete it yourself, you know, but it's still helping at least with the security of, you know, of your systems in that way. And I think this is obviously a very, very rich topic for discussion. I'm sure there's probably a lot of thoughts going through everyone's heads right now about this. And maybe a lot of organizations that haven't really thought through their bring your own device, and this is, you know, definitely a good opportunity now to really start thinking about it, because from our experience, bring your own device policy, and organizations that allow bring your own device that don't have systems like this, it's almost inevitable that there's going to be data living on people's personal devices in one way or another, right? Whether, you know, on a mobile phone you've downloaded a file because you want to use it in a different and it's sitting in your files folder, or the same thing on a laptop. And so I think this is as good a time as any to get started, because that stuff is only going to continue to grow as we continue to exist in a hybrid work world. Yeah, so where does that take us next? That's a good slide. You know, where do we go from here? There's, you know, I do think that for organization, or the devices owned by the organization, it's definitely a lot less controversial.
And it's more just about learning to adapt to changes. And I think with bring your own device, that is definitely a big discussion that has to be had internally with your staff to kind of understand. And from my perspective, in preparing for this, one thing that really occurred to me, it's really about the organization expressing its expectations of its staff, right? Like, you know, we want you to enroll your devices because we need you to be able to check email at court, and we can't afford to give you a mobile device, right? And so we need you to be accessible if you're going to be at court for half the day, and, you know, those types of conversations. And if it's still, you know, something that staff are just really not willing to do, then trying to think, you know, negotiate alternatives, like, what are some options, what are things that we can do to kind of figure out how we, you know, accommodate a certain need that the organization has or that the staff person has. So, you know, that balance of maintaining, you know, organizational data and security versus employees' privacy, you know, and their own comfort level, is definitely, I think, one of the main issues with bring your own device. When it comes to just organizational devices, I think it's like, hopefully, you know, Joseph and Amanda have given you guys a lot of food for thought if you don't already have a system like this in place, but it seems like there's really not a lot of downside to really trying to simplify and streamline processes and make it a lot easier to administer your machines. Yeah, and I don't know, Amanda, do you want to talk a little bit about sort of change management? I think your desk phone versus softphone.
That is always a great example. You know, I think if there's one thing I've learned, it's the more you communicate change to people, the better they accept it, and the better they adapt to it. And I think the more you communicate to people the benefits of the change and why you're making that decision, they also accept it, you know, much more positively than if you just tell them, we're doing this and you have no say in the matter and this is how it is. You know, I think if you communicate to them and you explain it, I think it has a much more, you know, positive outcome. And I do like to tell the RingCentral story because, you know, we moved to RingCentral during COVID, right before, and I explained to people that RingCentral has an app, they have a softphone platform for your laptop. Everybody still wanted desk phones, so I think I ordered almost 200 desk phones for people because nobody wanted to part with their desk phone. And I think currently in our server room we probably have 145 desk phones, because nobody wants the desk phones, right? They all adapted. And once they got used to it, after, you know, a two-week period, nobody wanted those desk phones anymore. So I think it's just a process for people to adapt to change, and I think the more you communicate to them the reasons why you're doing something, and the positive effect and the good change from it, I think, you know, they'll accept it. And I think, you know, it's just kind of one of those things, everybody has to adjust. I think that's a great example of kind of how change management sometimes just has to happen the way it has to happen. So, I don't know if there were any other questions that we didn't get to. Looks like we're at the top of the hour, so here are some useful links. I think the slides are available to all attendees, and then the recording will be posted as well.
And then I think we were meant to put our email addresses on the contact us, so maybe in the version that gets distributed we can update the slides so that if you have any questions, you can send them to us. And I guess with that, Shelly, I'll pass it back to you to close this out. That was awesome. I know that I picked up a few things, learned a few things about even my own organization and how things worked. And I do want to invite everyone, if you're interested in learning more about BYOD, we are having the webinar on the 24th that will give a little more information about that. We will have this posted to our YouTube channel in just a few days, and that will include the slides. We welcome suggestions. If you are not a member of our LSNTAP listserv community, you can join right on our homepage at LSNTAP.org. And thank you very much for joining us, and I look forward to seeing you at our next webinar.