Agenda item

The Panel had requested an update on the Council’s implementation of Microsoft Intune, part of Microsoft EndPoint Manager. Microsoft Intune was used in the Council to control how devices were used including mobile phones, laptops and tablets. It enforced a conditional access policy that ensured that devices were compliant with the Government’s security standards. Connectivity to Council services was no longer allowed from devices that were not verified as compliant with the above standards.

The Cabinet Member and the Strategic Director were in attendance to respond to any questions. The Cabinet Member commented that he had personally been affected by this change, which had resulted in his device suddenly not working. A potential solution was being sought which would balance the needs of security and efficiency. The Strategic Director explained that there was a balance to be reached between having data readily available on all devices and ensuring the system was secure. It was essential that the Council was in a position whereby other organisations were willing to share their data with us for all aspects of Council work.

The Panel was informed of the background to this issue that in February the Council had undergone its reaccreditation of Public Services Network (PSN) but had failed due to the position taken on managing mobile phones. The Council were, however, informed that a pass would be granted if the Council committed to implementing full conditional access of all mobile phones to corporate data by the end of April 2022. The Panel was advised that accreditation with PSN was crucial for the Council and therefore the implementation of Microsoft Intune had been taken to ensure accreditation was confirmed.

The Enterprise Architect advised that mobile device management solutions were not designed for users who had separate identities and profiles in different organisations. Since becoming aware of the issue that some Councillors had faced with software from different organisations being used on the same device, meaning they couldn’t access their emails and diary from this Council, a solution to the problem was being actively sought. There was an acknowledgement and apology that communication and testing of Councillors devices before Microsoft Intune had been implemented could have been better. In looking for a workable solution, with Microsoft, discussions were taking place as to the possibility of whether a ‘shared tenant’ arrangement could be introduced, which would be a trusted arrangement whereby identities were shared with other tenants, this however, was not a solution at this stage. 

Members expressed their frustration that this situation had been allowed to happen and the inconvenience that they had experienced being unable to access the Council system on their device. They were dismayed that they had not been consulted or received any communication or guidance about what was happening or offered any advice about what they could do.  They were concerned at the idea that their device could be wiped of data, despite the assurance that consultation would take place beforehand. Members understood the security issue that had been explained but felt strongly that they wanted a solution which would enable them to be able to use one device to access all systems used at any time, for co-ordination and efficiency reasons. They also did not appreciate the idea of new phones being purchased, because of the negative environmental impact of such a move. They felt that being able to access all of their needs on one device was something that should be achievable and expected that urgent work was ongoing to solve this problem.

The Strategic Director apologised that the change had not been communicated better to Members and that he could understand members frustration. It was  confirmed that seeking an urgent way forward was being sought. A meeting was being held later that week with technical staff in the Cabinet Office who oversaw the PSN accreditation process to seek a solution to the situation. The strength of the Panel’s views would be conveyed at that meeting. 

A Member asked whether the Local Government Association (LGA) had been approached to find out about other Councils’ experience in this area. The Enterprise Architect advised that he would raise this at the next meeting of the LGA Cyber Security Group. The One Worcestershire Information Technology group were also discussing this problem and would ensure that any approach would be standardised across Councils.

It was agreed that the Panel’s views would be articulated at the meeting with the technical staff at the Cabinet Office, following which the outcome would be reported back to the Panel.