When using a shared computer or unmanaged device it is important to ensure data from one user does not become available to anyone else.
Typically, applications locally do cache data and work on the assumption that the device will provide protection for the data at rest.
For managed devices these will have protections enabled such as device encryption at rest, only be accessible to someone with user level permissions and require a per user username/password to access.
On a shared computer or unmanaged device, Organisations should ensure they have policies around the following minimum Operating System platform security capabilities as it is not currently possible to technically enforce these through Office 365 controls:
- Ensure that the operating system is configured to install automatic updates from the Operating System provider (for Microsoft systems, this can be accomplished via Windows Update).
- Ensure that the device is encrypted (for Microsoft Systems bitlocker is enabled), and the key or account used to access the device is secured.
- Ensure that the device has anti-virus capabilities enabled (for Microsoft systems Windows Defenderis built into the operating system).
- Use separate user accounts for each user of the device.
- Do not grant, or use, administrator privileges for non-administrative functions (such as browsing the web, running Teams, etc).
If any of the above cannot be implemented, utilise browser security capabilities instead:
Use private browsing sessions to minimise data that persists to disk. For example, use inPrivate browsing in Microsoft Edge, Incognito browsing in Google Chrome, or the capabilities your specific browser offers for browsing privately.
Changing the system behaviour to engage private browsing by default is recommended.
Use Outlook on the web and the Teams web app (sometimes called the web client) not an email programme like Outlook/a built in email client or the downloadable Teams client.
When finished using the shared system, you must:
The items above are not a comprehensive list of best practices or security controls covering all cases, and there may be extra actions that can be taken in your environment.
For additional information on Windows Devices:
Bitlocker in Configuration Manager
Bitlocker for Windows 10 in Intune
Endpoint security in Intune
Enable Microsoft Defender Antivirus in your Windows Security and run scans
Microsoft Defender security centre article
Teams web client/teams web app
Security and Microsoft Teams