What’s one of the new and exciting upcoming features of Intune? EPM!
What is Microsoft Intune Endpoint Privilege Management (EPM)? What are the benefits of using EPM, and how can an organization get started with EPM? What are the important concepts to understand while configuring EPM?
Microsoft Intune Endpoint Privilege Management (EPM) is a powerful tool that allows organizations to give their users the ability to complete tasks requiring elevated privileges, while running as a standard user without administrative rights. This ensures that a broad user base is running with least privilege, supporting your organization’s zero-trust journey.
To get started with Endpoint Privilege Management, organizations can activate the product by navigating to the Microsoft Intune Admin Center and having a Global Administrator or Intune Service Admin activate the product experience. During Public Preview, there is no need to obtain a license to try it out!
Once activated, organizations can deploy an elevation settings policy to activate EPM on the client device, as well as to configure settings specific to the client. Additionally, elevation rule policies can be deployed to link an application or task to an elevation action, allowing for granular control over the elevation behavior of applications.
However, it’s important to understand some key concepts before widely deploying EPM. One such concept is the “run with elevated access” option, which appears when EPM is activated on a device. When this option is used, the device’s elevation rules policies are checked for a match to determine how that file can be elevated to run in an administrative context.
EPM allows users without administrative privileges to run processes in the administrative context by creating an elevation rule that proxies the target of that rule to run with administrator privileges on the device. There are two options for elevation behavior: automatic elevation rules and user confirmed rules. Automatic elevation rules allow EPM to automatically elevate applications without input from the user, while user confirmed rules require the end-user to complete additional requirements before the application is allowed to elevate. This provides an extra layer of protection by making the user acknowledge that the app will run in an elevated context before that elevation occurs.
To use Endpoint Privilege Management, Intune provisions a small set of components on the device that receive elevation policies and enforce them. Endpoint Privilege Management can be disabled from within an elevation settings policy, which is also required to remove Endpoint Privilege Management from a device. Once the device has received an elevation settings policy requiring EPM to be disabled, Intune immediately disables the client-side components, and EPM will remove the EPM component after a period of seven days.
Finally, to manage Endpoint Privilege Management, your account must be assigned an Intune role-based access control (RBAC) role that includes the necessary permissions. These permissions include View Reports, Read, Create, Update, Delete, and Assign. There are several built-in RBAC roles, such as Endpoint Privilege Manager, Endpoint Privilege Reader, and Endpoint Security Manager, that include the necessary rights for managing Endpoint Privilege Management policies in the Intune console, including reports.