Microsoft Enterprise Mobility Suite
Standalone - overview
Peter Daalmans, IT-Concern, http://configmgrblog.com, [email protected], @pdaalmans
Enterprise Mobility Microsoft MVP, Senior Consultant, Author, Blogger
John Marcum, Enterprise Client Management Architect, [email protected], @SCCM_Marcum
Enterprise Mobility Microsoft MVP ("So am I.")
13 years end user device management; I enjoy a cold beer now and then
Agenda
Main EMS Components covered
• Azure AD Premium
• Microsoft Intune
• Azure RMS
What is MS EMS?
Enterprise Mobility Suite
• Azure Active Directory
• Azure Rights Management Services
• Azure Remote App
• Advanced Threat Analytics
• Intune
• Identity Manager
Identity
Making hybrid identity simple
Azure AD Connect: consolidated deployment assistant for your identity bridge components. It brings together what used to be three separate tools:
• DirSync
• Azure AD Sync
• FIM + Azure AD Connector
(The difference between the models is the password: with synchronization a derived hash of the password hash is stored in Azure AD; with federation the password never leaves on-premises.)
ADFS use cases:
• Tighter AD integration
• Security policy
• Conditional Access
• Smart Card Authentication
Identity: Cloud, Sync or Federated?
• Cloud identity provides a solution where all identity resides in the cloud
• Federated identity allows customers to retain all authentication on-premises
• Identity sync enables customers to bridge their existing identity into the cloud
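The "sync" model above is what Azure AD Connect password hash synchronization implements: Azure AD never receives the user's cleartext password or the raw NT hash, but a salted PBKDF2-HMAC-SHA256 (1000 iterations) of the hex-expanded NT hash, and verifies logins by recomputing that value. The Python below is an added example written for this page, not Microsoft's code and not part of the original deck. It follows Microsoft's published description of the derivation (MD4 over the UTF-16-LE password, hex-expand the 16-byte hash to 64 bytes via UTF-16, add a 10-byte per-user salt, run PBKDF2 for 1000 iterations); uppercase hex and little-endian UTF-16 in the expansion step, and the `sync_record`/`verify` function names, are this example's assumptions. MD4 is implemented inline because OpenSSL 3 builds of Python frequently disable `hashlib.new("md4")`.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented inline because hashlib's md4 is often disabled (OpenSSL 3)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                          # round 1: X[0..15], shifts 3,7,11,19
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2: X[0,4,8,12,1,...], shifts 3,5,9,13
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3: X[0,8,4,12,2,...], shifts 3,9,11,15
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value a domain controller stores in unicodePwd: MD4 over the UTF-16-LE password."""
    return md4(password.encode("utf-16-le"))


def sync_record(nthash: bytes, salt: bytes = None, iterations: int = 1000) -> dict:
    """Derive what Azure AD Connect sends to Azure AD instead of the NT hash.

    Microsoft documents: hex-expand the 16-byte hash to 64 bytes via UTF-16, add a
    10-byte per-user salt, run PBKDF2-HMAC-SHA256 for 1000 iterations. Uppercase hex
    and UTF-16-LE are assumptions of this example.
    """
    if salt is None:
        salt = os.urandom(10)
    expanded = nthash.hex().upper().encode("utf-16-le")   # 32 hex chars -> 64 bytes
    assert len(expanded) == 64
    derived = hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)
    return {"hash": derived, "salt": salt, "iterations": iterations}


def verify(password: str, record: dict) -> bool:
    """What the cloud side can do with the record: re-derive from the offered password and compare."""
    candidate = sync_record(nt_hash(password), record["salt"], record["iterations"])["hash"]
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed demo user, not real credentials.
    record = sync_record(nt_hash("Summer2015!"))
    print("NT hash stays on-prem :", nt_hash("Summer2015!").hex())
    print("sent to Azure AD      :", record["hash"].hex(), "salt", record["salt"].hex())
    print("login with right pw   :", verify("Summer2015!", record))
    print("login with wrong pw   :", verify("summer2015!", record))
```

The record is a slow hash of a fast hash: whoever can read it (the Azure AD Connect server, its local database, or the account the sync service runs under) can brute-force weak passwords offline at PBKDF2 speed, so the Connect server must be protected like a domain controller. In the federated model the password check happens on ADFS and nothing password-derived leaves the forest, which is the trade-off the slide is pointing at.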
Azure Active Directory Premium
Active Directory in the cloud
• Federation and identity provisioning
Centrally managed identities
• Synchronization
• Single sign-on (SSO)
Monitor and protect access to cloud apps
• Authentication and security reports
• Multi-Factor Authentication (MFA)
Empower end users
AAD editions comparison
Feature | Free | Basic | Premium | Office 365 Apps
Directory objects | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
Apps per user | No Limit | 10 apps per user | (other cells of this row not extracted)
Self-Service Password Change for cloud users | Yes | Yes | Yes | Yes
Identity Synchronization Tool (Windows Server Active Directory integration, multi-forest) | Yes | Yes | Yes | Yes
Security Reports | 3 basic reports | 3 basic reports | Advanced security reports | 3 basic reports
Cloud App Discovery* | Yes (Basic) | Yes (Basic) | Yes (Advanced)** | Yes (Basic)
Premium + Basic features | Basic | Premium
Group-based access management/provisioning | Yes | Yes
Self-Service Password Reset for cloud users | Yes | Yes
Company Branding (logon pages/Access Panel customization) | Yes | Yes
SLA | Yes (Basic) | Yes (Premium) | Yes (Office 365 Apps)
• Self-service group management, including dynamic membership calculation in these groups and distribution lists, based on the user's attributes.
• Users can reset their passwords, significantly reducing help desk burden and costs.
• Users can edit their profile details to update and add missing information.
Monitor and protect access on go-anywhere devices
• Security reporting that tracks inconsistent access patterns, analytics and alerts.
• Built-in security features, like "you can't be in two places at once".
• Ensure secure access by enabling MFA
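The "you can't be in two places at once" report is an impossible-travel check: two sign-ins for the same account whose geo-IP locations are farther apart than anyone could travel in the time between them. The Python below is an added example, not Azure AD's detection code and not part of the original deck; it runs the check over a constructed sign-in log so the logic can be exercised offline. The log lines, user names, IP addresses and the 900 km/h and 50 km thresholds are this example's assumptions.

```python
import csv
import io
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log, not real telemetry:
# timestamp (UTC), user, source IP, geo-IP latitude, geo-IP longitude
SAMPLE_SIGNINS = """\
2015-06-01T08:00:00Z,alice,203.0.113.7,52.37,4.90
2015-06-01T08:45:00Z,alice,198.51.100.23,36.16,-86.78
2015-06-01T09:00:00Z,bob,203.0.113.9,52.37,4.90
2015-06-01T19:00:00Z,bob,198.51.100.40,36.16,-86.78
2015-06-01T20:00:00Z,alice,198.51.100.23,36.16,-86.78
"""

EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


@dataclass
class Alert:
    user: str
    from_ip: str
    to_ip: str
    km: float
    hours: float
    kmh: float


def parse_signins(text: str) -> list:
    """Parse the CSV sign-in log into SignIn records with timezone-aware UTC timestamps."""
    out = []
    for ts, user, ip, lat, lon in csv.reader(io.StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(SignIn(user, when, ip, float(lat), float(lon)))
    return out


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: list, max_kmh: float = 900.0, min_km: float = 50.0) -> list:
    """Flag consecutive sign-ins per user that imply travel faster than max_kmh.

    min_km suppresses noise from geo-IP jitter within one city or ISP; max_kmh sits just
    below airliner cruise speed, so the check only fires on travel no flight could make.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf   # simultaneous sign-ins far apart
            if kmh > max_kmh:
                alerts.append(Alert(user, prev.ip, cur.ip, km, hours, kmh))
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print(f"{a.user}: {a.from_ip} -> {a.to_ip}, {a.km:.0f} km in {a.hours:.2f} h "
              f"({a.kmh:.0f} km/h)")
```

In the sample, alice signs in from Amsterdam and then 45 minutes later from Nashville (about 7,000 km away), which fires; bob makes the same trip over ten hours, which a flight can cover, so it does not. Geo-IP is coarse and VPN exits move people around the map, so in practice this report is a trigger for MFA or investigation rather than an automatic block.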
Multi-factor authentication
Any two or more of the following factors:
• Something you know: a password or PIN.
• Something you have: a phone, smart card or hardware token.
• Something you are: a biometric such as a fingerprint.
Premium reports
• Advanced application usage reporting
• Password reset activity
• Self-service activity
Integrate on-prem apps with Azure AD
End-user portal: Access Panel
Azure AD authentication capabilities:
• Username and password (hash) synced from on-prem AD
• Federated login to on-prem or other federation servers
• Multi-factor authentication
• Customized login screen
• Authorization based on user or groups
• SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
• Reports, auditing and security monitoring based on big data and machine learning
Azure Active Directory
[Diagram: Application Proxy connectors in the corporate network and DMZ publish on-premises resources through Azure AD; users reach them via the Access Panel portal, with authentication + MFA, reporting and security monitoring handled in Azure AD]
Demo
Microsoft Intune
• Mobile Device Management
• Windows, Windows Phone/Mobile, iOS, Android and Mac OS X
• Policy and Application Management
• Compliance reporting
• Conditional Access to resources
• Selective Wipe Devices
Single management console for IT admins
Comprehensive lifecycle management
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled
Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of managed app ecosystem
• Report on device and app compliance
Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Microsoft Intune
Company portal self-service experience
• Consistent experience across:
  • Windows
  • Windows Phone / Mobile
  • Android
  • iOS
• Discover and install corporate apps
• Manage devices and data
• Customizable terms and conditions
• Ability to contact IT
Microsoft Intune
Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and the cloud.
Conditional access for Office 365
[Diagram: the device requests access to Office 365; Azure AD and Intune check whether it is enrolled and compliant; if not compliant, the device is pushed into quarantine and directed to enrollment/compliance remediation]
Demo
Microsoft Intune
Mobile Application Management
What can we do?
• Force compliance before access to the app and data
• Secure the data within the app
  • Prohibit copy/paste
  • Prohibit screenshots
  • Prohibit save as
  • Force encryption
• Disable Outlook Sync (MDM-less MAM only)
• Secure app by PIN or corporate credentials
• Secure LOB apps via App Wrapper
Mobile Application Management
Maximize mobile productivity and protect corporate resources with Office mobile apps
Extend these capabilities to existing line-of-business apps using the Intune app wrapper
Maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save in your managed app ecosystem
[Diagram: copy, paste and save are allowed between managed apps, while "save to personal storage" and "paste to" apps outside the managed ecosystem are blocked]
MDM-less MAM
MDM-less MAM use cases:
• Apps running on devices that are not enrolled in any MDM solution.
Mobile App Config Policy
• Preconfigure iOS apps with settings
Enterprise Data Protection
What is EDP?
• Protects data at rest, wherever it rests or may roam to
• Seamless integration into the platform: no mode switching, use any app
• Corporate versus personal data identifiable wherever it rests on the device
• Prevents unauthorized apps from accessing business data
• IT has full control of keys and data and can remotely wipe data on demand
• Common experience across all Windows devices, with cross-platform support
Enterprise data protection
Provisioning: keys and policies
1. User enrolls with enterprise (Intune or domain join)
2. Intune or SCCM provisions policy and encryption keys
Policies:
Demo
Azure Rights Management
"It uses encryption, identity and authorization policies to help secure your files and email,
Azure Rights Management – Cool Features
• Protection stays with the file
• Works both inside and outside the
Demo
How to get started?
Go to ref.ms/ems > Try now
• Sign up
• Setup AAD Connect (synchronize accounts)
• Set MDM authority
• Configure platforms
• Enroll!
Share your voice / ideas!
• http://microsoftintune.uservoice.com/