Microsoft Workplace Join Part 2: Defusing the Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

timebomb countdown to Workplace Join infosecurity riskIn my last post, I introduced Microsoft Workplace Join. It’s a really convenient feature that can automatically log users in to corporate accounts from any devices of their choosing. However, this approach essentially eliminates all sense of security.

So, if you’re a sane and rational security professional (or even if you’re not), you clearly want to disable this feature immediately. Your options?

Option #1 (Most Secure, Most Convenient): Completely disable InTune Mobile Device Management for O365 and then disable Workplace Join

As Workplace Join can create serious security headaches, one of the most secure and most convenient options is to disable the InTune MDM for Office 365 and then disable Workplace Join completely. Obviously, these should quickly be replaced by other, less invasive security tools. In particular, organizations should consider agentless security for BYOD and mobile in order to protect data and preserve user privacy.

Option #2 (Least Convenient): Use InTune policies to block all personal devices

Microsoft does not provide a method of limiting this feature that does not utilize InTune policies. Effectively, you must either not use InTune at all, or pay to block unwanted access. However, the latter approach means blocking all BYO devices (reducing employee flexibility and efficiency) and introduces the complexity of downloading software to every device, raising additional costs.

Option #3 (Least Convenient and Least Secure): Whack-a-mole manual policing of new device registrations

As an administrator in Azure AD, deleting or disabling an account only prevents automated logins on each of that account’s registered devices—this has to be done manually every time a user links a new endpoint. Unfortunately, deactivation and deletion in Azure do not remove the “Join Workplace or School” link from the control panel of the machine in question. Additionally, deactivation still allows the user to manually log in, as does deletion—neither action prevents the user from re-enrolling the same device. In other words, pursuing this route means playing an endless game of deactivation and deletion whack-a-mole.