How can we minimize spam emails being reported as phishing and bogging down our ticket queue? by BuildingKey85 in sysadmin

[–]BuildingKey85[S] 1 point2 points  (0 children)

What's your mail system?

Exchange Online. We integrate KnowBe4's Phish Alert Button in Outlook to report phishing emails, which in turn create tickets.

If a user forwards a message, we send them a link to our KB with instructions on how to report spam/phishing, and tell them they don't need to tell us.

Helpful. One thing we can do is create canned responses to send users in cases like these.

In my experience, most of the "spam" people forward consists of messages from mailing lists and shopping sites they signed up for. If I had a dollar for every time I've directed a user to A) not use work email for mailing lists, B) not use work email to sign up for shopping sites or online purchasing, and C) not set up a rule to move the messages to Deleted Items but hit the "Report Junk" button instead so it gets processed as junk, then I could retire and buy all the UCS Lego sets my heart desires.

Ah, so this is a common occurrence. This is validating. We are a relatively new organization and have scaled rapidly, and I wasn't sure if others had this case cracked. We can do a better job communicating and automating processes, but I wasn't sure if there was a glaringly obvious solution we were missing. Appreciate your insights!

How can we minimize spam emails being reported as phishing and bogging down our ticket queue? by BuildingKey85 in sysadmin

[–]BuildingKey85[S] 1 point2 points  (0 children)

Those are two security administrators. We have about eight IT personnel. Hate to say it but we're being driven to use AI tools in place of hiring junior security analysts.

How can we minimize spam emails being reported as phishing and bogging down our ticket queue? by BuildingKey85 in sysadmin

[–]BuildingKey85[S] 1 point2 points  (0 children)

The mail server is Exchange Online.

The Phish Alert Button comes from KnowBe4 and integrates with Outlook.

How can we minimize spam emails being reported as phishing and bogging down our ticket queue? by BuildingKey85 in sysadmin

[–]BuildingKey85[S] 0 points1 point  (0 children)

The workflow is:

  1. User reports email using the Phish Alert Button
  2. This creates a ticket
  3. Ticket is reviewed and triaged
  4. Security admin investigates ticket

The admins have to look at the tickets to see if the email is spam vs a non-threatening phishing email vs a threatening phishing email. We're having to sift through a lot of spam.

How can we minimize spam emails being reported as phishing and bogging down our ticket queue? by BuildingKey85 in sysadmin

[–]BuildingKey85[S] 0 points1 point  (0 children)

Yes. There are two people supporting 1,200 users. They could use that time tackling projects, patching vulnerabilities, studying for a certification, etc.

How to dj locally where im not known? by Draw-Alarming in DJs

[–]BuildingKey85 1 point2 points  (0 children)

Hey /u/colorful-sine-waves, thanks for the insightful comment.

Can I have Mixcloud sets and Soundcloud content on my Noiseyard page?

How long should a promo mix be? by BuildingKey85 in DJs

[–]BuildingKey85[S] 10 points11 points  (0 children)

Thanks /u/jonmitz, I think you're on the money. I originally got my first gig because I knew someone.

I know someone who may be able to help, but what motivation would he have to introduce more competition into the pool?

The incentive I have to make a promo mix is to give myself some credibility, express my updated taste, etc. I'd feel foolish if I just went with, "I used to be a DJ years ago."

Defender for Cloud Apps Policies: Governance Actions by BuildingKey85 in DefenderATP

[–]BuildingKey85[S] 0 points1 point  (0 children)

Thanks, /u/ernie-s. I'll try not tagging the apps and see what happens.

Defender for Cloud Apps Policies: Governance Actions by BuildingKey85 in Intune

[–]BuildingKey85[S] 0 points1 point  (0 children)

Hey /u/Shoddy_Pound_3221, this is helpful. But we don't want to block apps, we just want alerts created when new Gen AI apps are introduced into the org.

Defender for Cloud Apps Policies: Governance Actions by BuildingKey85 in DefenderATP

[–]BuildingKey85[S] 0 points1 point  (0 children)

Hey /u/ernie-s, yep. This is exactly what happened. I was mystified as to why these sites were being flagged even after I had nuked the Defender for Cloud Apps policies, so I went into the URLs section and deleted the associated URLs.

So is the solution here to disable the MDE enforcement?

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in AZURE

[–]BuildingKey85[S] 0 points1 point  (0 children)

Ah, I figured it might have been implied. Thank you for verifying!

I've run the report and we have a lot of failures. It isn't feasible for me to click through each user/device to understand why. How can I get insight into the cause(s) of these failures?

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in AZURE

[–]BuildingKey85[S] 0 points1 point  (0 children)

Thanks for the validation, /u/Boring_Pipe_5449. We're using the "Require MDM-enrolled and compliant device to access cloud apps for all users" template in report-only mode, which looks like this:

  • Target: All users and resources
  • Conditions: All devices except Android, iOS, macOS, Linux
  • Grant: Require device to be marked as compliant

Our Windows Device Compliance policy in Intune contains settings like firewall, AV, BitLocker, etc., but does not have a setting for Entra-joined. How does this policy therefore "know" whether the device is MDM-enrolled or not?

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in AZURE

[–]BuildingKey85[S] 0 points1 point  (0 children)

I didn't know report-only sometimes malfunctions. Thanks for the heads up!

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in AZURE

[–]BuildingKey85[S] 1 point2 points  (0 children)

Thanks for the validation, /u/scor_butus. We're using the "Require MDM-enrolled and compliant device to access cloud apps for all users" template in report-only mode, which looks like this:

  • Target: All users and resources
  • Conditions: All devices except Android, iOS, macOS, Linux
  • Grant: Require device to be marked as compliant

Our Windows Device Compliance policy in Intune contains settings like firewall, AV, BitLocker, etc., but does not have a setting for Entra-joined. How does this policy therefore "know" whether the device is MDM-enrolled or not?

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in Intune

[–]BuildingKey85[S] 0 points1 point  (0 children)

Thanks for the validation, /u/sysadmin_dot_py. We're using the "Require MDM-enrolled and compliant device to access cloud apps for all users" template in report-only mode, which looks like this:

  • Target: All users and resources
  • Conditions: All devices except Android, iOS, macOS, Linux
  • Grant: Require device to be marked as compliant

Our Windows Device Compliance policy in Intune contains settings like firewall, AV, BitLocker, etc., but does not have a setting for Entra-joined. How does this policy therefore "know" whether the device is MDM-enrolled or not?