What We'll Do
In the v2.0 model, security does not depend on controlling user devices. Instead, we protect data at the layers we fully control: identity (who can sign in), applications (how M365 apps behave), and data (what can be shared and where). This approach works whether someone is on a company desktop at the office, a personal laptop at home, or a phone on the go.
This phase configures four protection layers: Mobile Application Management (MAM) for app-level data protection, Data Loss Prevention (DLP) to catch sensitive data before it leaves the organization, Sensitivity Labels to classify and encrypt confidential documents, and Defender for Office 365 P1 for email threat protection.
Traditional IT assumes you control the device. In a WFH-first model where agents use personal PCs and phones, that assumption does not hold. MAM and DLP protect the data inside the apps regardless of who owns the device. An agent's personal photos, apps, and files are never touched. Only company data inside M365 apps is managed.
Mobile Application Management (MAM)
App Protection Policies control what happens to company data inside Outlook, OneDrive, Teams, and Office apps on phones and tablets — without enrolling the device in Intune. The device stays personal. Only the work data inside Microsoft apps is managed.
iOS & Android Policy
These policies apply to Outlook, OneDrive, Teams, Word, Excel, and PowerPoint on mobile devices:
| Setting | Value |
|---|---|
| Send org data to other apps | Policy-managed apps only |
| Save copies of org data | Blocked, except to OneDrive for Business and SharePoint |
| Cut/copy/paste to unmanaged apps | Blocked |
| Printing | Allowed (agents need to print contracts) |
| Encrypt org data | Required |
| PIN for access | Required (4-digit minimum, no simple PINs like 1234) |
| Biometric unlock | Allowed (Face ID / fingerprint) |
| Offline grace period | 12 hours |
| Jailbroken / rooted devices | Blocked |
| Max PIN attempts | 5 (then selective wipe of app data) |
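For reference, the iOS policy from the table expressed as a Microsoft Graph call. This is an added example, not part of the proposal or of any Microsoft sample; it assumes the Microsoft.Graph PowerShell module, an Intune license for the tenant (App Protection Policies still need one even without enrollment), and a placeholder group ID for the agents. The property names are the Graph `iosManagedAppProtection` fields, and the bundle IDs are the public App Store identifiers for the six apps.

```powershell
# Added example: build the iOS App Protection Policy from the table above with
# Microsoft Graph PowerShell. Requires the Microsoft.Graph module and an Intune
# license; the group GUID at the end is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0/deviceAppManagement"

# One table row per property (Graph iosManagedAppProtection field names).
$policy = @{
    displayName                             = "iOS - App protection (unenrolled)"
    description                             = "App-level protection for personal iPhones and iPads"
    allowedOutboundDataTransferDestinations = "managedApps"            # send org data: policy-managed apps only
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn" # cut/copy out blocked; paste in still allowed
    saveAsBlocked                           = $true                    # save copies blocked...
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # ...except to these
    printBlocked                            = $false                   # agents need to print contracts
    appDataEncryptionType                   = "whenDeviceLocked"       # encrypt org data
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 4                        # 4-digit minimum
    simplePinBlocked                        = $true                    # no 1234 / 1111
    fingerprintBlocked                      = $false                   # Touch ID allowed
    faceIdBlocked                           = $false                   # Face ID allowed
    periodOfflineBeforeAccessCheck          = "PT12H"                  # offline grace period
    deviceComplianceRequired                = $true                    # block jailbroken devices
    maximumPinRetries                       = 5                        # wipe-on-exceed is set under Conditional launch
}
$created  = Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections" -Body $policy
$policyId = $created.id

# Target the six apps from the table (public iOS bundle IDs).
$bundleIds = @(
    "com.microsoft.Office.Outlook", "com.microsoft.skydrive", "com.microsoft.skype.teams",
    "com.microsoft.Office.Word", "com.microsoft.Office.Excel", "com.microsoft.Office.Powerpoint"
)
$apps = foreach ($b in $bundleIds) {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $b } }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$policyId/targetApps" `
    -Body @{ apps = @($apps) }

# Assign the policy to the agents group (placeholder GUID; replace with the real group).
$groupId = "00000000-0000-0000-0000-000000000000"
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$policyId/assign" `
    -Body @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
```

The Android policy is the same shape against `androidManagedAppProtections`, with `encryptAppData = $true` in place of `appDataEncryptionType` and `#microsoft.graph.androidMobileAppIdentifier` / `packageId` entries (for example `com.microsoft.office.outlook`) in the `targetApps` call. After deployment, confirm the policy landed by opening Outlook on a test phone: the PIN prompt should appear before any mail is shown.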
Windows (Edge MAM)
Windows MAM is newer and less mature than iOS/Android, and today it covers only Microsoft Edge. We start with a permissive policy that protects M365 web app sessions in Edge, so company data opened through the browser is protected without enrolling the Windows PC in Intune. Desktop Office apps and other browsers on Windows are not covered by MAM; for those, the DLP policies and sensitivity labels described below are the controls that apply.
When an employee opens Outlook or OneDrive on their phone for the first time, the app will ask them to set a PIN. This is normal; it is the MAM policy protecting company data. On iOS the Microsoft Authenticator app must also be installed (it acts as the broker for the policy), and on Android the Intune Company Portal app must be installed, but neither one enrolls the phone. Their personal apps, photos, and messages are completely unaffected. If they leave the company, a selective wipe removes only the work data inside these apps; nothing personal is touched.
Data Loss Prevention (DLP)
Microsoft Purview DLP policies detect sensitive information — like Social Security numbers, bank account numbers, or client contract language — and prevent it from being shared inappropriately. DLP works across Exchange Online, SharePoint, OneDrive, and Teams.
| Policy | Triggers On | Action |
|---|---|---|
| Financial Data Protection | SSN, bank account numbers, credit card numbers | Low volume: warn user with policy tip. High volume: block external sharing. |
| Client Contract Protection | Keywords: purchase agreement, closing disclosure, deed, escrow, HUD-1, settlement statement | Warn user, restrict external sharing to approved domains only. |
| Block Personal Email Forwarding | Outbound email to gmail.com, yahoo.com, hotmail.com with sensitive attachments | Block with override (user must provide business justification). |
These policies are designed to catch mistakes, not to slow down legitimate work. An agent emailing a closing disclosure to a client's personal Gmail address is stopped with a policy tip and can still send it after entering a business justification (the override is recorded in the audit log). An agent accidentally forwarding 50 SSNs to a Gmail account is blocked outright. The goal is proportional protection for a real estate firm that handles financial data daily.
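The three policies from the table, written out in Security & Compliance PowerShell. This is an added example, not part of the proposal; it assumes the ExchangeOnlineManagement module, the built-in Microsoft sensitive information type names shown, a low/high volume split at 10 matches (the proposal does not state a threshold), and placeholder partner domains for the "approved domains" list. The keyword conditions for the contract policy are Exchange-only, so that policy is scoped to mail; the other two cover all four workloads.

```powershell
# Added example: the three DLP policies from the table above, created with
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Volume threshold (10) and partner domains are assumptions, not from the proposal.
Connect-IPPSSession

# Built-in sensitive information types shared by the financial rules.
$financialLow = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; maxCount = "9" },
    @{ Name = "U.S. Bank Account Number";          minCount = "1"; maxCount = "9" },
    @{ Name = "Credit Card Number";                minCount = "1"; maxCount = "9" }
)
$financialHigh = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "10" },
    @{ Name = "U.S. Bank Account Number";          minCount = "10" },
    @{ Name = "Credit Card Number";                minCount = "10" }
)
$financialAny = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "U.S. Bank Account Number";          minCount = "1" },
    @{ Name = "Credit Card Number";                minCount = "1" }
)

# 1) Financial Data Protection: policy tip at low volume, hard block at high volume.
#    Start in test mode; switch with Set-DlpCompliancePolicy -Mode Enable after tuning.
New-DlpCompliancePolicy -Name "Financial Data Protection" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Financial - low volume - warn" -Policy "Financial Data Protection" `
    -ContentContainsSensitiveInformation $financialLow -AccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item contains financial data. Check the recipient before sharing outside the company."

New-DlpComplianceRule -Name "Financial - high volume - block external" -Policy "Financial Data Protection" `
    -ContentContainsSensitiveInformation $financialHigh -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# 2) Client Contract Protection: keyword match on attachments; external delivery only to
#    approved partner domains, otherwise block with a justified override.
$approvedDomains = @("titleco.example", "lender.example")   # placeholders
New-DlpCompliancePolicy -Name "Client Contract Protection" -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name "Contract keywords - external" -Policy "Client Contract Protection" `
    -DocumentContainsWords @("purchase agreement", "closing disclosure", "deed", "escrow", "HUD-1", "settlement statement") `
    -AccessScope NotInOrganization -ExceptIfRecipientDomainIs $approvedDomains `
    -BlockAccess $true -NotifyAllowOverride WithJustification -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Contract documents may only go to approved partners. Enter a justification to override."

# 3) Block Personal Email Forwarding: consumer webmail + sensitive content = block with justified override.
New-DlpCompliancePolicy -Name "Block Personal Email Forwarding" -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name "Sensitive data to consumer webmail" -Policy "Block Personal Email Forwarding" `
    -RecipientDomainIs @("gmail.com", "yahoo.com", "hotmail.com") `
    -ContentContainsSensitiveInformation $financialAny `
    -BlockAccess $true -NotifyAllowOverride WithJustification -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All
```

Run the policies in TestWithNotifications for a week or two and review the matches in the Purview DLP reports before enabling enforcement; the incident reports on the blocking rules are what tells you whether the 10-match threshold is catching bulk exports without firing on a single client's file.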
Sensitivity Labels
Sensitivity Labels classify and optionally encrypt documents and emails. Labels can be applied manually by users or automatically when the service detects sensitive content. Automatic labeling is a higher-tier feature (Azure Information Protection Plan 2, included in E5 Compliance but not in the Business Standard or Business Premium base plans), so confirm the tenant license before committing to the Auto-Apply column below; the encrypted labels themselves only need Plan 1.
| Label | Visual Marking | Encryption | Auto-Apply |
|---|---|---|---|
| Public | None | None | No |
| Internal | Footer text | None | No |
| Confidential — Client Data | Header + footer | Encrypt, restrict to @boardwalkrealestate.com | Yes — when SSN, bank account, or contract keywords detected |
| Highly Confidential | Header + footer + watermark | Encrypt, restrict to specific users, block forwarding | Manual only |
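The "Confidential — Client Data" row from the table, built with Security & Compliance PowerShell. This is an added example, not part of the proposal; it assumes the ExchangeOnlineManagement module, the rights string shown (standard Azure RMS usage rights granted to the whole company domain), seven days of offline access, and that the tenant holds the Plan 2 license needed for the auto-labeling policy. The contract-keyword trigger from the Auto-Apply column would be a custom keyword sensitive information type and is omitted here.

```powershell
# Added example: the "Confidential — Client Data" label and its auto-label policy,
# created with Security & Compliance PowerShell. Rights, offline-access days and
# licensing are assumptions; adjust to the tenant.
Connect-IPPSSession

$domain = "boardwalkrealestate.com"

# Usage rights for everyone at the company domain. The Highly Confidential label would
# drop FORWARD from this list and name specific users instead of the domain.
$rights = "${domain}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

New-Label -Name "Confidential-ClientData" -DisplayName "Confidential — Client Data" `
    -Tooltip "Client PII, financial data and contract documents. Encrypted; company recipients only." `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL - CLIENT DATA" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "Boardwalk Real Estate - Confidential" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7

# Publish the label so it appears in the Office sensitivity bar for all users.
New-LabelPolicy -Name "Company labels" -Labels "Confidential-ClientData" -ExchangeLocation All

# Service-side auto-labeling for mail, SharePoint and OneDrive. Starts in simulation;
# promote with Set-AutoSensitivityLabelPolicy -Mode Enable once the simulation looks right.
New-AutoSensitivityLabelPolicy -Name "Auto-label client data" -ApplySensitivityLabel "Confidential-ClientData" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name "Client financial data" -Policy "Auto-label client data" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "U.S. Bank Account Number";          minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    )
```

One design point worth stating to the client: because the label grants rights to the domain rather than to individuals, a file that is accidentally emailed to an outside address simply will not open for the recipient, which is the backstop for the DLP overrides above.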
Defender for Office 365 P1
Defender for Office 365 Plan 1 is mandatory in this proposal. Without device-level endpoint protection (EDR), email security becomes the primary defense layer against phishing, malware, and impersonation attacks. This is the most important add-on in the entire stack.
| Feature | Configuration |
|---|---|
| Safe Links | Rewrite URLs in email (and Teams and Office apps), verify each URL at time of click, track clicks, block known malicious URLs, and do not let users click through to the original URL |
| Safe Attachments | Dynamic Delivery mode — delivers the email body immediately, scans attachments in a sandbox, replaces with clean version |
| Anti-Phishing | Impersonation protection for Mike Joly and Karen. First-contact safety tip enabled (warns when receiving email from a new sender for the first time) |
In the v1.0 proposal, Defender P1 was listed as optional because every PC would run Defender for Business (full EDR). In v2.0, we do not manage devices, so we cannot guarantee endpoint protection. Email is the most common initial attack vector for small businesses, and Safe Links and Safe Attachments close that gap at the cloud layer. At $2/user/month ($40/month for the 20-person team), this is the highest-value security investment in the entire proposal.
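The three Defender features from the table, as Exchange Online PowerShell. This is an added example, not part of the proposal or of Microsoft's documentation; it assumes the ExchangeOnlineManagement module, placeholder mailbox addresses for the two protected users (the proposal gives names only), and that each policy is scoped to the company domain through a matching rule. It also turns on domain impersonation and mailbox intelligence, which the table does not list but which come with P1 and cost nothing extra.

```powershell
# Added example: Defender for Office 365 P1 policies from the table above, created
# with Exchange Online PowerShell. Mailbox addresses are placeholders.
Connect-ExchangeOnline

$domain = "boardwalkrealestate.com"

# Safe Links: rewrite + time-of-click verification for mail, Teams and Office apps; no click-through.
New-SafeLinksPolicy -Name "Company Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false `
    -EnableForInternalSenders $true
New-SafeLinksRule -Name "Company Safe Links" -SafeLinksPolicy "Company Safe Links" -RecipientDomainIs $domain

# Safe Attachments: Dynamic Delivery (message body now, attachment after the sandbox verdict).
New-SafeAttachmentPolicy -Name "Company Safe Attachments" -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name "Company Safe Attachments" -SafeAttachmentPolicy "Company Safe Attachments" `
    -RecipientDomainIs $domain

# Anti-phishing: user impersonation for the two named people, domain impersonation for the
# company domain, mailbox intelligence, and the first-contact safety tip.
# TargetedUsersToProtect entries are "DisplayName;address" (addresses are placeholders).
New-AntiPhishPolicy -Name "Company Anti-Phish" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Mike Joly;mike@$domain", "Karen;karen@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "Company Anti-Phish" -AntiPhishPolicy "Company Anti-Phish" -RecipientDomainIs $domain

# Check the result.
Get-SafeLinksPolicy      -Identity "Company Safe Links"       | Format-List ScanUrls, TrackClicks, AllowClickThrough
Get-SafeAttachmentPolicy -Identity "Company Safe Attachments" | Format-List Enable, Action
Get-AntiPhishPolicy      -Identity "Company Anti-Phish"       | Format-List TargetedUsersToProtect, EnableFirstContactSafetyTips
```

The quarantine actions for impersonation are deliberate: with no EDR on the PCs, a spoofed "Mike" asking an agent to change wiring instructions should never reach the inbox, even in Junk. Review the quarantine daily for the first month to catch false positives from legitimate partners whose display names resemble staff.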
User Onboarding — Self-Service Setup
Without Autopilot deploying pre-configured PCs, each user completes a simple self-service setup. We provide a step-by-step PDF guide and send it via email before go-live.
- Sign in at portal.office.com with temporary password
- Set a new password (12+ characters, per company policy)
- Set up MFA using the Microsoft Authenticator app
- Download and install Office apps from the portal (Word, Excel, Outlook)
- Set up OneDrive backup (OneDrive Settings → Sync and backup → Manage backup → turn on Desktop, Documents, Pictures)
- Add SharePoint shortcut to OneDrive (for company file access in File Explorer)
- Set up Outlook on phone (Outlook itself will prompt for the MAM PIN; on iOS this also requires the Microsoft Authenticator app, on Android the Intune Company Portal app, neither of which enrolls the phone)
- Add office printer via IP address (if working from the office)
Autopilot (in the v1.0 proposal) automated all of this. The self-service approach takes 15–20 minutes per user instead of being fully automatic. The tradeoff: no device management overhead, no Intune enrollment, and users keep full control of their personal PCs. For a team of 20, the one-time setup cost is about 5–7 hours of guided support.
PC Recommendations (Not Requirements)
Unlike the v1.0 proposal where new PCs were mandatory for Autopilot enrollment, existing PCs work fine in the v2.0 model. Here are the guidelines:
| Category | Requirement | Notes |
|---|---|---|
| Minimum (any user) | Any device with a modern browser (Edge, Chrome, Firefox) | M365 web apps work in any current browser. On Windows, only Edge is covered by the MAM policy, so Chrome or Firefox sessions carry org data without app-level protection unless Conditional Access is set to require an app protection policy |
| Recommended (for desktop Office) | Windows 10 or 11, 8GB RAM, SSD | Required for desktop Word/Excel/Outlook + OneDrive sync |
| Must replace | Windows XP and Windows 7 machines | Cannot run modern browsers securely — ~5 units at ~$750 each |
| Optional upgrades | Remaining older Windows 10 PCs | Can be phased over 6–12 months as budget allows; plan the timeline around Windows 10 end of support on October 14, 2025, after which these PCs stop receiving security updates |
Hardware Cost (v2.0)
| Item | Your Cost | Client Price (10% markup) | Notes |
|---|---|---|---|
| PCs — XP/Win7 replacement (~5 units) | ~$3,750 | ~$4,125 | Must-replace only |
| FIDO2 security keys for admins (2x) | ~$100 | ~$110 | Phishing-resistant admin MFA |
| Hardware Total | ~$3,850 | ~$4,235 | |
The v1.0 proposal required 15–20 new PCs at $13,200–$19,800 (with markup). The v2.0 model requires only ~5 must-replace units at ~$4,235 — saving approximately $9,000–$15,500 in upfront hardware costs. Remaining PC upgrades become optional and can be spread over time.
What Happens to Old XP & Win7 PCs
Windows XP and Windows 7 machines must be removed from the network. These operating systems cannot run modern browsers, cannot connect to M365 securely, and represent an active security risk. Hard drives will be sanitized following NIST SP 800-88 (purged, or physically destroyed where a purge is not possible), and we will provide a certificate of destruction for your records.
SOP Compliance — Security Gap Analysis
The v2.0 model meets most security requirements through cloud-layer controls. Four requirements depend on device-level enforcement that is not possible on unmanaged PCs; the table lists each one and how it is mitigated:
| Requirement | v2.0 Implementation | Gap? |
|---|---|---|
| EDR on managed endpoints | Cannot enforce on personal devices | Accepted risk — mitigated by Defender P1 (email layer) + MAM (app layer) |
| Encryption at rest (local PC) | Cloud data encrypted by Microsoft. MAM encrypts mobile app data. Desktop: BitLocker recommended but not enforceable | Partial gap on unmanaged Windows PCs |
| No org data on personal storage | MAM blocks Save As on mobile. DLP warns on desktop sharing | Partial gap — cannot fully prevent local saves on desktop |
| Device screen lock timeout | Cannot enforce on personal PCs | Minor gap — session timeout (12hr) mitigates |
These gaps are appropriate for a 20-person WFH real estate company whose prior security posture was: zero MFA, unpatched Windows XP machines on the production network, an Exchange server with no security patches for 2+ years, and no encryption of any kind. Any M365 security layer is a massive improvement over that baseline. The v2.0 model trades device-level control for faster deployment, lower cost, and minimal disruption to how employees work.