NHSmail Device Security Baseline

This article provides an introduction to the upcoming Security Baseline rollout.

What is the Security Baseline?

The Security Baseline is a set of Intune policies that will help to ensure devices connecting to NHSmail are equally protected at a fundamental level. The baseline will ensure that a minimum set of controls is in place when consuming M365 apps and services.

The scope consists of:

  1. App Protection Policies (APP) ensure that minimum criteria are met on mobile devices belonging to users with an M365 Enhanced license before they can access M365 apps (such as Outlook or Teams) using their @nhs.net account.
  2. Device Compliance Policies allow Local Administrators to easily see which Intune-managed devices are not meeting the minimum expected level of compliance (e.g. jailbroken device, OS out-of-date).

The plan is for the baseline to be automatically rolled out over a series of releases to all users of the NHSmail Enhanced Service, starting with organisations onboarded to NHSmail Intune.

Further details on schedule and next steps will be communicated in due course.

Important Note:

The baseline will not conflict with local Intune policies configured by Local Administrators. If you have existing policies that are more secure than those being introduced, these will not be affected.

Why is it needed?

Organisations may have different security configurations to suit their individual needs. Whilst some controls will always be determined locally, introducing the new baseline will ensure that devices belonging to Intune users and accessing NHSmail services meet a minimum level of compliance that we should all be adhering to.

This will help us to further secure our environment, as the baseline is aligned to the National Cyber Security Centre (NCSC) and Center for Internet Security (CIS), satisfying what we are all expected to have in place to keep NHS data and users secure.

It is important to note that the baseline is designed to support your organisation’s current environment, and the changes will not affect any of your organisation’s policies that are more secure than those being introduced.

What are App Protection and Device Compliance Policies?

App Protection Policies

Intune App Protection Policies (APP) are used to keep your organisation’s data safe within core M365 apps on mobile devices.

They protect data at the application level, not the device level, so even if the user’s device isn’t enrolled in Intune, the App Protection Policies will still be able to manage how NHS data is shared and accessed. As part of the new baseline, App Protection Policies can be used to secure NHS data on both personal and corporate devices, by applying controls to core M365 apps.

Device Compliance Policies

Intune Device Compliance Policies determine which settings Intune-managed devices are expected to meet in order to be considered compliant. They improve the security status and compliance of managed devices by ensuring that devices adhere to specific standards.

If a managed device does not meet one or more of the compliance checks, it will be marked as non-compliant in Intune. This will help Local Administrators when viewing devices and understanding potential reasons for non-compliance. As part of the new baseline, Device Compliance Policies will only be applied to Intune-managed devices.

Who will be affected?

At this initial stage, only Intune-licensed users with Intune toggled on in the NHSmail Portal will be subject to the new baseline, which will apply to both Intune-managed and unmanaged devices.

What to expect next

In the next few weeks, you will receive an email inviting you to join an introductory webinar where we will be presenting an overview of the upcoming changes and what you can expect. This will be an opportunity for you to ask any questions and provide feedback ahead of any changes coming into place.

Last Reviewed Date 02/07/2024
Updated on 15/07/2024
