3.1.18 BYOD identification and authorization
Environment: GCCH (Intune & Entra)
Current configuration
All employees are authorized to access the non-CUI email system (CRMA) since they've signed a BYOD agreement. We go through the following process:
- User signs into corporate email system through the managed Outlook app
- We get an alert
- We update hardware database to include the phone if all seems well
___
In hindsight this seems dubious. Would assessors be dissatisfied with granting access before explicitly identifying and authorizing a specific device? I'm not even sure how I'd be able to identify the device beforehand and add it to a BYOD group anyway.