Combine “Mobile Device Management” (MDM) with USB Plug/Play “Data Loss Prevention” (DLP) using SCCM and/or Intune

01/29/2018 – secRMM has a security property that applies specifically to mobile devices. When a mobile device is connected to a Windows computer over a USB cable, secRMM can verify that the device is enrolled in your organization's MDM. If it is not, secRMM can either unmount the device or prevent files from being copied to it. secRMM gets the list of mobile devices from either Microsoft Intune (Microsoft's MDM) or from Microsoft System Center Configuration Manager (SCCM, a complete enterprise configuration management and security tool). Below are some of the relevant screenshots showing how the components are tied together and what they look like if you have not seen them.

SCCM and Intune exchange mobile device information through a data connector. You define the data connector in the SCCM console (screenshot below). Microsoft calls this a “Microsoft Intune Subscription”; the terminology matches how you buy Intune (as a service subscription).

SCCM/Intune data connector

The next screenshot below is of the Intune console within Azure. It lists the mobile devices that are defined in our organization's cloud instance. This instance is used for our development purposes only.

Microsoft Azure Intune portal

When the Intune/SCCM data connector is active, the mobile devices in Intune also show up in (and are managed by) SCCM (see screenshot below).

SCCM console for mobile devices

From the SCCM console (with the secRMM SCCM Console Extension installed), you can use SCCM to configure secRMM so that when the mobile device is connected to a Windows computer over USB, secRMM will see if it is enrolled in either Intune or SCCM.

The screenshot below shows how to tell secRMM whether to use Intune or SCCM data to verify if the mobile device is enrolled.

SCCM console to configure 'RequreMDMEnrollment'

One important configuration item is the secRMM MDM Cache. Using the secRMM MDM Cache improves runtime performance and minimizes the number of times secRMM has to call into Intune or SCCM.

The last configuration step is associating the mobile device as it is defined in Intune or SCCM with the mobile device firmware serial number that secRMM uses when the device is connected to a Windows computer over a USB cable. To make this association, there is a secRMM “link mobile device” utility (see screenshot below).

secRMM link mobile devices utility

You get the firmware serial number that secRMM uses to identify the mobile device from the secRMM event data (screenshot below).

secRMM ONLINE event for a mobile device
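To make the flow above concrete, here is an added model (not secRMM's own code) of the enrollment check: the serial number from a USB ONLINE event is looked up in a link table that maps it to the Intune/SCCM device record, the enrollment list is served from a cache so repeated plug events do not each call the MDM backend, and a non-enrolled or unlinked device gets the configured response. The inventory shape, the link table and the action names are assumptions.

```python
# Model of the MDM enrollment check described in the post. This is an added
# illustration, not secRMM's code; data shapes and names below are assumptions.
import time

# Constructed sample of an MDM (Intune/SCCM) inventory lookup result.
MDM_INVENTORY = {
    "intune-guid-0001": {"name": "alice-iphone", "enrolled": True},
    "intune-guid-0002": {"name": "bob-android", "enrolled": False},
}

# Constructed link table: firmware serial (from the ONLINE event) -> MDM device id.
LINK_TABLE = {
    "F2LXK7ABCD": "intune-guid-0001",
    "R58M3XYZ12": "intune-guid-0002",
}

class MdmCache:
    """Holds the MDM inventory for ttl_seconds so plug events don't each hit the backend."""
    def __init__(self, ttl_seconds, fetch):
        self.ttl, self.fetch = ttl_seconds, fetch
        self.data, self.expires_at, self.backend_calls = None, 0.0, 0

    def inventory(self, now=None):
        now = time.time() if now is None else now
        if self.data is None or now >= self.expires_at:
            self.data = self.fetch()          # the only place the MDM backend is queried
            self.backend_calls += 1
            self.expires_at = now + self.ttl
        return self.data

def evaluate_online_event(serial, cache, policy="unmount", now=None):
    """Decide what to do with a mobile device that just came ONLINE over USB.

    policy is the configured response for a device that is not MDM enrolled:
    'unmount' the device or 'block_write' (prevent files being copied to it).
    Returns (action, reason); reason is what an admin would see in the event log.
    """
    mdm_id = LINK_TABLE.get(serial)
    if mdm_id is None:
        # Never linked with the "link mobile device" utility: treat as not enrolled.
        return policy, f"serial {serial} not linked to any MDM device"
    record = cache.inventory(now).get(mdm_id)
    if record is None or not record["enrolled"]:
        return policy, f"{mdm_id} not enrolled in MDM"
    return "allow", f"{record['name']} enrolled as {mdm_id}"
```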

If the mobile device is not enrolled, the end user will get a pop-up error (screenshot below).

mobile device is not MDM enrolled user pop-up error message

As the system or security administrator, you will see an error generated by secRMM as shown in the secRMM Excel AddIn utility (screenshot below).

secRMM error ONLINE event for mobile device not MDM enrolled

We understand there are many pieces to line up. Feel free to contact Squadra Technologies support to help in getting this powerful security feature up and running in your environment. Visit http://www.squadratechnologies.com for more information about secRMM.