TechSafe Solve - MS Intune Integration

Data Privacy and Security

Solution Overview

Data Collected

No device or user data is stored by default unless you are using our advanced asset management toolset.
TechSafe only collects aggregate metadata about your fleet for the dashboard views, e.g. the total number of Android 13 devices in your fleet over time.

Data Presented

Excluding the dashboard trend metrics, all information presented in the portal is fetched in real time via the API integration. No user or device information is stored by default in the system.

Security

Penetration Testing

TechSafe has a third party conducting annual penetration tests, and the executive summary from our last review is attached or available on request.

Additionally, we have CrowdStrike endpoint protection running on our systems, HackerGuardian scanning externally for vulnerabilities, and active patch management ensuring that all systems and services are monitored and kept up to date.

Furthermore, we are in the process of becoming ISO27001:2022 certified.

Authentication Controls

Authentication into the TechSafe Solve portal is via Single Sign-On (SSO), using integration with your Microsoft Entra ID or Google Workspace platform. All administrators must be invited to gain admin access. This means TechSafe stores no user credentials, and access to the system is lost once a user is disabled or removed from your organization.

Access Controls

All customer access and device actions are further secured with access controls within the platform: authorization is checked on every action, not only at login.

Audit Logging

All actions taken in the portal, including the initial session login, are tracked and recorded in the system. Additionally, all housekeeping activities, such as dashboard statistics collection, are logged.

User audit reports, providing details of last login times for security reviews, are available on request and can also be automated and sent on a regular basis.

Full audit logs may be requested.

Integration Security

Integration for authentication and access to your Intune device details is managed via a Microsoft Entra ID application registration, which lives in and is controlled within your environment. Access can be revoked immediately by your cloud administrator by removing the application's consented permissions or deleting its credentials.

Our API integration requires us to store the Entra ID application (client) ID and its associated client secret, which are exchanged with Entra ID for the access token used to call Microsoft Graph. Entra client secrets carry a fixed expiry set when they are created, so the stored secret must be rotated before it lapses.

The secret value is encrypted at rest and secured within the platform database.

The application permissions consented to the TechSafe app registration, what each allows, and how TechSafe uses it:

Permission: AuditLog.Read.All
Description: Allows the app to read and query your audit log activities, without a signed-in user.
How TechSafe uses it: Reports on users' successful and failed sign-in attempts. This can be useful to help identify authentication or Conditional Access issues.

Permission: Device.Read.All
Description: Allows the app to read your organization's devices' configuration information, without a signed-in user.
How TechSafe uses it: To report on devices in your fleet.

Permission: DeviceManagementApps.Read.All
Description: Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.
How TechSafe uses it: Provides details on MAM policies within your organization.

Permission: DeviceManagementConfiguration.Read.All
Description: Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
How TechSafe uses it: Allows us to report on the configuration policies and compliance status associated with a device.

Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
Description: Allows the app to perform remote high-impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user.
How TechSafe uses it: Allows admin users to reset a device's passcode and remotely wipe a device.

Permission: DeviceManagementManagedDevices.Read.All
Description: Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
How TechSafe uses it: To report on device details in your fleet.

Permission: DeviceManagementServiceConfig.Read.All
Description: Allows the app to read Microsoft Intune service properties including device enrollment and third-party service connection configuration, without a signed-in user.
How TechSafe uses it: To report on device details in your fleet.

Permission: Policy.Read.All
Description: Allows the app to read all your organization's policies, without a signed-in user.
How TechSafe uses it: Allows TechSafe to report on the policies associated with a device.

Permission: User.Read.All
Description: Allows the app to read user profiles, without a signed-in user.
How TechSafe uses it: Required to provide SSO into the platform, and also used to present user details, such as job title, location and email address, against a given device.
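Because every permission above is an application permission (no signed-in user), whoever holds the app registration's client ID and secret holds the whole list, including the wipe and passcode-reset capability. A customer-side check is to mint a token with those same credentials and read back the roles claim, which reflects what the tenant has actually consented to, not what the vendor page says. The script below is an added example, not TechSafe's code: it shows the client-credentials request that turns the stored ID and secret into a Microsoft Graph token, then diffs a token's roles claim against the documented list and flags the high-impact entry. The token it inspects is a constructed, unsigned sample so the script runs offline; the tenant and app IDs in it are placeholders, and it assumes the standard roles, appid and tid claims that Entra puts in application tokens.

```python
"""Offline review of the application permissions a Graph token actually grants.

Added example, not TechSafe code. The token built by constructed_sample_token()
is CONSTRUCTED and unsigned so the script runs offline; on a real review, mint
a token with the app's client credentials and pass it to review_app_roles().
"""
import base64
import json

GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions listed in the TechSafe permission table above.
DOCUMENTED_ROLES = {
    "AuditLog.Read.All",
    "Device.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Policy.Read.All",
    "User.Read.All",
}

# Roles that let the app take destructive action with no signed-in user.
HIGH_IMPACT_ROLES = {"DeviceManagementManagedDevices.PrivilegedOperations.All"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """OAuth 2.0 client credentials grant against Entra ID.

    This is the exchange that turns the stored application ID and secret into
    an access token. Returned as a dict (URL plus form fields) rather than
    sent, so the example stays offline.
    """
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": GRAPH_SCOPE,
        },
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature.

    Acceptable for inspecting a token you minted yourself; never acceptable
    for deciding whether to trust a token someone else presented.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def review_app_roles(token: str, documented: set = DOCUMENTED_ROLES) -> dict:
    """Diff the roles claim (permissions actually consented in the tenant)
    against the documented list and flag high-impact grants."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        "missing": sorted(documented - granted),
        "unexpected": sorted(granted - documented),
        "high_impact": sorted(granted & HIGH_IMPACT_ROLES),
    }


def constructed_sample_token() -> str:
    """CONSTRUCTED unsigned token: one documented role is absent and one role
    the document never mentions has been granted. IDs are placeholders."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000001",
        "appid": "11111111-1111-1111-1111-111111111111",
        "roles": sorted((DOCUMENTED_ROLES - {"Policy.Read.All"})
                        | {"Directory.ReadWrite.All"}),
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


if __name__ == "__main__":
    print(json.dumps(review_app_roles(constructed_sample_token()), indent=2))
```

Any entry under "unexpected" is a permission consented in your tenant that this page does not account for and should be questioned; "high_impact" is the list to weigh against your own change-control for remote wipe. The signature is deliberately not verified because the point is to read what your tenant issued, not to authenticate the token.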