AD3.12 Module Summary
This module deployed the third layer of your security improvement sequence: device compliance. With identity controls catching credential attacks (Module AD1) and email protection reducing phishing delivery (Module AD2), device compliance now ensures that only healthy, managed devices can access corporate data — closing the gap that AiTM token replay attacks exploit.
You built compliance policies for every platform: Windows (BitLocker, OS version, firewall, Defender AV, Secure Boot), macOS (FileVault, SIP, OS version, firewall), iOS (jailbreak detection, passcode, OS version), and Android (root detection, encryption, screen lock, OS version). Each policy was deployed gradually — low-impact checks first, higher-impact checks added over weeks — to minimize disruption while achieving complete coverage.
You transitioned CA003 from report-only to enforced, adding the device check to every authentication to Exchange Online, SharePoint, and Teams. The pre-enforcement audit identified enrollment gaps, predicted compliance failures, and drove remediation before a single user was blocked. BYOD devices were handled through app protection policies — protecting corporate data within managed applications without requiring personal device enrollment.
You built the exception workflow for devices that genuinely can't meet every requirement — each exception with a documented justification, alternative control, approved owner, and quarterly review date. And you established the monitoring cadence that catches compliance drift before it becomes a security gap: monthly PowerShell reports, weekly scheduled compliance notifications, and quarterly exception reviews.
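The monthly report and the quarterly exception review described above, as an added example that is not the course's own monitoring script. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module, DeviceManagementManagedDevices.Read.All scope) to pull every Intune-managed device, compute the compliance rate per platform, list drift (non-compliant and grace-period devices), flag devices that have stopped syncing, and cross-check an exception register. The register path, its column names (DeviceName, Justification, AlternativeControl, Owner, ReviewDate) and the 30-day staleness threshold are assumptions for this example, not values from the module.

```powershell
#Requires -Modules Microsoft.Graph.DeviceManagement
# Added example, not the course's script. Monthly device compliance report:
# compliance rate by platform, compliance drift, stale devices, and exceptions
# that are overdue for their quarterly review or belong to devices no longer enrolled.
param(
    # Assumed register layout: DeviceName,Justification,AlternativeControl,Owner,ReviewDate
    [string]$ExceptionRegisterPath = ".\compliance-exceptions.csv",
    # Assumed threshold: a device that has not checked in for this long cannot
    # honestly report its compliance state.
    [int]$StaleSyncDays = 30
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# -All follows Graph paging so large tenants are fully enumerated.
$devices = Get-MgDeviceManagementManagedDevice -All
$now     = Get-Date

# 1. Compliance rate per platform: the headline metric for the quarterly report.
$byPlatform = $devices |
    Group-Object -Property OperatingSystem |
    ForEach-Object {
        $total     = $_.Count
        $compliant = @($_.Group | Where-Object ComplianceState -eq 'compliant').Count
        [pscustomobject]@{
            Platform       = $_.Name
            Devices        = $total
            Compliant      = $compliant
            ComplianceRate = if ($total) { [math]::Round(100 * $compliant / $total, 1) } else { 0 }
        }
    }

# 2. Drift: anything not compliant, including inGracePeriod devices that will be
#    blocked by CA003 once the grace period ends, so remediation can start early.
$drift = $devices |
    Where-Object ComplianceState -ne 'compliant' |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, LastSyncDateTime

# 3. Stale devices: a long gap since the last sync hides real compliance failures.
$stale = @($devices | Where-Object {
    $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $now.AddDays(-$StaleSyncDays)
})

# 4. Exception register: an exception is overdue when its review date has passed,
#    and orphaned when its device is no longer enrolled (retire it rather than keep it).
$overdue = @()
if (Test-Path $ExceptionRegisterPath) {
    $enrolled = $devices.DeviceName
    $overdue  = @(Import-Csv $ExceptionRegisterPath | Where-Object {
        ([datetime]$_.ReviewDate -lt $now) -or ($_.DeviceName -notin $enrolled)
    })
}

$byPlatform | Format-Table -AutoSize
"Non-compliant or in grace period: $(@($drift).Count)"
"Stale (> $StaleSyncDays days since last sync): $($stale.Count)"
"Exceptions overdue for review or orphaned: $($overdue.Count)"

# Keep a dated copy of each run so month-over-month drift is visible.
$stamp = $now.ToString('yyyy-MM')
$drift   | Export-Csv ".\compliance-drift-$stamp.csv"   -NoTypeInformation
$overdue | Export-Csv ".\exceptions-overdue-$stamp.csv" -NoTypeInformation
```

Run it once a month under the monitoring cadence; the two CSV exports are the artifacts to attach to the quarterly report, and a non-empty overdue list is the trigger for the exception review.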
What you built
- Windows compliance policy (BitLocker, OS, firewall, AV, Secure Boot)
- macOS compliance policy (FileVault, SIP, OS, firewall)
- iOS compliance policy (jailbreak, passcode, OS)
- Android compliance policy (root, encryption, screen lock, OS)
- BYOD app protection policies for Outlook and Teams
- CA003 enforced, with a grant control that accepts either a compliant device OR an approved app protection policy
- BitLocker silent deployment configuration profile
- Device compliance exception register
- Monthly compliance monitoring script (PowerShell)
- Complete quarterly report with three-layer security metrics
What changed at NE
NE's device posture moved from 2/10 to 7/10. Compliance rate went from 0% (no policies) to 97%. Encryption coverage went from "deployed but not verified" to 100% verified via compliance policy. Unmanaged device access went from unrestricted to blocked by conditional access. The three-layer defense (identity + email + device) is now operational — each layer catching what the previous ones miss. The 10-week security improvement plan from Module AD0 is now past the halfway point, with the highest-impact controls deployed and measured.
What's next
Module AD4 covers data protection fundamentals — sensitivity labels, basic DLP policies, and SharePoint external sharing controls. Module AD5 covers security monitoring and alert triage. Module AD6 covers basic incident response. Module AD7 covers security governance and program documentation. With the three core security layers operational, the remaining modules build the operational cadence and the governance framework that sustains the security program long-term.
You're reading the free modules of M365 Security: From Admin to Defender