AD3.10 Reporting Device Security to Management
Figure AD3.10 — The quarterly management report now covers all three security layers. Identity metrics from Module AD1, email metrics from Module AD2, and device metrics from this module. Together, they demonstrate comprehensive protection against credential attacks (identity), phishing delivery (email), and unmanaged device access (devices).
The device metrics that matter for management
Add these four metrics to your quarterly report under a "Device Security" section:
1. Compliance rate (target: 95%+). "97% of all managed devices meet our security compliance requirements — encryption enabled, OS current, antivirus active, firewall on." This single number communicates that nearly every device in the organization meets a verified security standard. The trend over quarters shows maintenance: "compliance has held at 96-98% for three consecutive quarters."
2. Encryption coverage (target: 100% Windows, 100% macOS). "Every Windows laptop and macOS device accessing corporate data has full disk encryption enabled." This is the metric that matters most for data breach risk: a lost or stolen encrypted laptop is a hardware loss, not a data breach. An unencrypted laptop is a potential notification event.
3. Unmanaged device blocks. "Conditional access blocked 15 sign-in attempts from unmanaged devices this quarter." This demonstrates that the control is working — attempts to access corporate data from devices that don't meet your security standards are being caught. For management context: "Each of these blocks could have been an attacker replaying stolen credentials from their own device. The compliance requirement stopped them."
4. Exception count and status. "3 active device compliance exceptions, each with documented alternative controls and quarterly review dates." This shows that gaps are managed, not ignored. Transparency about exceptions builds credibility — it demonstrates mature risk management rather than a false claim of zero gaps.
Connecting device compliance to the AiTM narrative
The most powerful way to explain device compliance to management is through the AiTM attack narrative. In Module AD1, you explained AiTM: the attacker captures session tokens that bypass MFA. In Module AD2, you showed that Safe Links catches the phishing page. Device compliance is the third defense:
"Even if an attacker captures a fully authenticated session token through a sophisticated phishing proxy — bypassing MFA — they cannot use that token because our conditional access policy requires a managed device. The attacker's laptop isn't enrolled in our device management system. The stolen token is useless without a compliant device. This quarter, conditional access blocked 15 sign-in attempts from unmanaged devices — any of these could have been an attacker."
This narrative connects technical controls to business risk in a way that non-technical stakeholders understand: we have three layers of protection, each catching what the previous one misses, and all three are operational and measured.
Extracting device metrics for the report
Use these specific queries and portal locations to pull the four metrics for your quarterly report:
Metric 1 — Compliance rate. Run Get-ComplianceReport.ps1 from AD3.9. Record the overall percentage. Also record the per-platform breakdown — this answers the follow-up question "what about the Macs and phones?"
Metric 2 — Encryption coverage. From the same script, record the Windows encryption percentage. For macOS, check intune.microsoft.com → Devices → macOS → filter by compliance → check FileVault status. Report as: "100% of Windows devices and 100% of macOS devices have full disk encryption verified and active."
Metric 3 — Unmanaged device blocks. Query the sign-in log for CA003 failures:
```powershell
# Requires the Microsoft Graph PowerShell SDK; AuditLog.Read.All is enough to read sign-ins
Connect-MgGraph -Scopes "AuditLog.Read.All"
# Graph $filter expects an ISO 8601 UTC timestamp, so convert before appending the Z
$quarterStart = (Get-Date).ToUniversalTime().AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $quarterStart" -All
# Keep only sign-ins where the CA003 (compliant device) policy applied and failed
$caBlocks = @($signIns | Where-Object {
    $_.ConditionalAccessPolicies | Where-Object {
        $_.DisplayName -like "*CA003*" -and $_.Result -eq "failure"
    }
})
Write-Host "CA003 blocks this quarter: $($caBlocks.Count)"
# Per-user breakdown: repeated blocks for one account deserve a closer look
$caBlocks | Group-Object UserPrincipalName |
    Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table
```
Report as: "Conditional access blocked [X] sign-in attempts from non-compliant or unmanaged devices this quarter." If any of these correspond to unusual IPs or users who shouldn't be accessing M365 from personal devices, note them as potential security events caught by the device compliance layer.
Metric 4 — Exception count. Count the active exceptions in your register from AD3.8. Report as: "[X] devices have documented compliance exceptions with alternative controls. All exceptions reviewed quarterly. [Y] expired exceptions were remediated this quarter."
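The four metrics above assembled into the report section by a script. This is an added example, not part of the course's Get-ComplianceReport.ps1; the device list, block count and exception register are constructed in-line, and in practice they would come from the compliance report, the CA003 sign-in query and the AD3.8 register.

```powershell
# Added example (not course code): builds the "Device Security" report section.
# Constructed inputs; replace with the outputs of Get-ComplianceReport.ps1, the CA003
# sign-in query and your exception register.
$devices = @(
    [pscustomobject]@{ Name='LT-001'; Os='Windows'; Compliant=$true;  Encrypted=$true }
    [pscustomobject]@{ Name='LT-002'; Os='Windows'; Compliant=$false; Encrypted=$true }
    [pscustomobject]@{ Name='MB-001'; Os='macOS';   Compliant=$true;  Encrypted=$true }
    [pscustomobject]@{ Name='IP-001'; Os='iOS';     Compliant=$true;  Encrypted=$true }
)
$caBlockCount = 15   # constructed; in practice $caBlocks.Count from the sign-in query
$exceptions = @(
    [pscustomobject]@{ Device='LT-002'; Control='Isolated VLAN, no M365 access'; Expires=(Get-Date).AddDays(40) }
    [pscustomobject]@{ Device='LT-009'; Control='Offline lab machine';           Expires=(Get-Date).AddDays(-5) }
)

function Get-DeviceSecuritySection {
    param($Devices, [int]$UnmanagedBlocks, $Exceptions, [DateTime]$AsOf = (Get-Date))

    $total     = @($Devices).Count
    $compliant = @($Devices | Where-Object Compliant).Count
    $rate      = [math]::Round(100 * $compliant / $total)

    # Encryption is reported per platform: the follow-up question is always "and the Macs?"
    $encByOs = foreach ($os in 'Windows', 'macOS') {
        $group = @($Devices | Where-Object Os -eq $os)
        if ($group.Count -gt 0) {
            $enc = @($group | Where-Object Encrypted).Count
            "{0}% {1}" -f [math]::Round(100 * $enc / $group.Count), $os
        }
    }

    # Expired exceptions are a finding in their own right, not just a lower count
    $active  = @($Exceptions | Where-Object { $_.Expires -ge $AsOf })
    $expired = @($Exceptions | Where-Object { $_.Expires -lt $AsOf })
    $flag = if ($rate -lt 95) { " (below 95% target: explain and state remediation)" } else { "" }

    @"
Device Security
- Device compliance rate: $rate% ($compliant/$total devices compliant)$flag
- Encryption coverage: $($encByOs -join ', ')
- Unmanaged device access blocked: $UnmanagedBlocks sign-in attempts
- Compliance exceptions: $($active.Count) active with documented alternative controls; $($expired.Count) expired and awaiting remediation or renewal
"@
}

Get-DeviceSecuritySection -Devices $devices -UnmanagedBlocks $caBlockCount -Exceptions $exceptions
```

With the constructed inputs the section reports a 75% compliance rate and carries the below-target flag, which is the case the report must explain rather than hide.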
Writing the executive summary paragraph
Combine all three layers into a single executive summary paragraph for the top of your report. Here's the template adapted for NE:
"This quarter, our security program protected Northgate Engineering against credential attacks (89 blocked by MFA, zero successful compromises), phishing delivery (47 emails blocked by Safe Links and Safe Attachments, 12 malicious clicks caught by URL protection), and unmanaged device access (15 sign-in attempts blocked by device compliance — each potentially an attacker attempting to use stolen credentials from their own device). All 180 devices are encrypted and verified compliant. Three devices have documented exceptions with compensating controls. DMARC is progressing from monitoring to enforcement — domain spoofing protection will be complete by end of next quarter. Zero security incidents from protected attack vectors this quarter."
That's the entire quarterly report executive summary. One paragraph. Every number is real, pulled from the tools you configured in Modules AD1-AD3. No jargon. No hedging. Specific, measurable, and directly connected to business risk. Print this paragraph, hand it to any executive, and they understand exactly what you've done and why it matters.
Structuring the full quarterly report
The executive summary paragraph goes on page 1. Below it, structure the full report as three sections with specific numbers and one-sentence explanations:
Section 1 — Identity Protection (Module AD1)
- MFA coverage: 100% (210/210 users)
- Legacy authentication: blocked (0 sign-ins using legacy protocols)
- Credential attacks blocked: 89 (password spray, brute force, credential stuffing)
- Compromised accounts: 0 this quarter
- Conditional access policies: 3 active (CA001 MFA, CA002 Block Legacy, CA003 Compliant Device)
- MFA exceptions: 1 (conference room account, reviewed quarterly)
Section 2 — Email Protection (Module AD2)
- Phishing emails blocked: 47 (Safe Links: 23, Safe Attachments: 8, Anti-phishing: 16)
- User phishing clicks blocked by Safe Links: 12
- User-reported phishing: 15 reports, 4 confirmed threats, 11 false positives
- DMARC status: p=quarantine (progressing to p=reject next quarter)
- Email authentication: SPF ✓, DKIM ✓, DMARC monitoring active
Section 3 — Device Protection (Module AD3)
- Device compliance rate: 97% (174/180 devices compliant)
- Encryption coverage: 100% Windows, 100% macOS
- Unmanaged device access blocked: 15 sign-in attempts
- Compliance exceptions: 3 (all with documented alternative controls, next review: Q3)
- Platforms covered: Windows (145), macOS (10), iOS (25), Android (0 — no corporate Android)
Each section takes 5 minutes to compile using the PowerShell scripts and portal dashboards you've built. The entire report takes 20 minutes to produce quarterly — because the data collection is automated and the structure is templated.
Tracking trends across quarters
After your second quarterly report, you can show trends — and trends are more powerful than snapshots. Create a simple tracking spreadsheet with one row per quarter:
| Quarter | MFA Coverage | Attacks Blocked | Phishing Blocked | Compliance Rate | Encryption | Exceptions |
|---|---|---|---|---|---|---|
| Q1 2026 | 100% | 89 | 47 | 97% | 100% | 3 |
| Q2 2026 | 100% | — | — | — | — | — |
After three quarters, the trend line tells a story: "Security controls have maintained 97%+ compliance for three consecutive quarters with zero security incidents from covered attack vectors." A sustained trend is stronger evidence than any single quarter's numbers — it demonstrates that the security program is operational, not just a one-time project.
If a metric declines (compliance drops from 97% to 92%), the trend catches it immediately and the quarterly report explains why and what remediation is underway. This transparency builds credibility: you're not hiding problems, you're managing them visibly.
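One way to make the decline check automatic, as an added example that is not part of the course material: the rows below are constructed stand-ins for the tracking spreadsheet (in practice read them with Import-Csv), and the function flags every metric that moved in the wrong direction between the last two quarters.

```powershell
# Added example (not course code): flags quarter-over-quarter regressions in the
# tracking sheet so the report explains them. Rows are constructed; use Import-Csv
# on your real tracking spreadsheet instead.
$history = @(
    [pscustomobject]@{ Quarter='Q1 2026'; MfaCoverage=100; AttacksBlocked=89;  PhishingBlocked=47; ComplianceRate=97; Encryption=100; Exceptions=3 }
    [pscustomobject]@{ Quarter='Q2 2026'; MfaCoverage=100; AttacksBlocked=112; PhishingBlocked=51; ComplianceRate=92; Encryption=100; Exceptions=5 }
)

function Get-QuarterlyTrend {
    param($History)
    $current  = $History[-1]
    $previous = $History[-2]
    # Coverage metrics regress when they fall; the exception count regresses when it rises.
    # AttacksBlocked and PhishingBlocked are volumes, not quality scores, so they are
    # reported but never flagged.
    $higherIsBetter = 'MfaCoverage', 'ComplianceRate', 'Encryption'
    $lowerIsBetter  = 'Exceptions'
    foreach ($metric in $higherIsBetter + $lowerIsBetter) {
        $delta = $current.$metric - $previous.$metric
        $regressed = if ($metric -in $lowerIsBetter) { $delta -gt 0 } else { $delta -lt 0 }
        [pscustomobject]@{
            Metric   = $metric
            Previous = $previous.$metric
            Current  = $current.$metric
            Delta    = $delta
            Status   = if ($regressed) { 'REGRESSION: explain in report' }
                       elseif ($delta -eq 0) { 'Stable' } else { 'Improved' }
        }
    }
}

Get-QuarterlyTrend -History $history | Format-Table -AutoSize
```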
Presenting to different audiences
The same data supports different conversations:
For your direct manager: Focus on the numbers and the time investment. "These results took 30 minutes per week to maintain after the initial 6-week deployment. The controls are automated — I'm monitoring, not manually operating."
For the IT director or CTO: Focus on risk reduction and cost. "We eliminated the three most common M365 attack vectors (credential theft, phishing delivery, unmanaged device access) using controls already included in our E3 license — zero additional cost. The remaining risk areas are data protection and security monitoring, which are the next two phases."
For the board or CEO (if asked): Focus on business impact. "No security incidents from email or credential attacks this quarter. Every company laptop is encrypted — a lost device is a hardware loss, not a data breach. We blocked 15 attempts to access company data from unauthorized devices." Keep it to 3 sentences maximum.
Your quarterly report shows that device compliance improved from 0% (no policies) to 97% over the quarter. Your manager asks: "That's great for this quarter. What happens next quarter? What else needs to be done?" How do you respond?
Option A: "Device compliance is done — we just need to maintain the 97% rate."
Option B: "Device compliance is operational. The next priorities are data protection (sensitivity labels, DLP policies) and establishing a security monitoring cadence. These are Modules AD4 and AD5 in the improvement plan. Estimated time: 4-6 hours per week for the next 4 weeks. Cost: zero — all included in E3."
The correct answer is Option B. Security is never "done" — it's operational. The device layer is deployed and maintained. The next phases (data protection, monitoring, incident response) continue the improvement sequence from Module AD0. Presenting the next steps immediately after demonstrating success capitalises on the momentum: "Here's what we achieved. Here's what comes next. Here's what it costs (zero). Here's the time I need." This is how incremental security programs get sustained funding and time allocation.
Try it: Build the device section of your quarterly report
Using the data from your monthly compliance report (AD3.9) and the metrics framework from this subsection, write the device security section of your quarterly report.
Four metrics: compliance rate (from Get-ComplianceReport.ps1), encryption coverage (from the same script), unmanaged device blocks (from the sign-in log — filter for CA003 failures), and exception count (from your exception register).
Add a one-sentence AiTM narrative: "Device compliance prevents attackers from using stolen session tokens from unmanaged devices — [X] such attempts were blocked this quarter."
Place this section after the Identity and Email sections in your quarterly report. The three sections together tell the complete security improvement story: identity deployed (weeks 1-2), email deployed (weeks 3-4), devices deployed (weeks 5-6). Total cost: zero. Total improvement: measurable across every metric.
You're reading the free modules of M365 Security: From Admin to Defender