Post on 27-Jan-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Alexander Benoit

[email protected]

http://it-pirate.com/

http://www.entermo.de/

https://www.sepago.de/alexander-benoit

http://www.faq-o-matic.net/author/alexanderbenoit/

Enterprise Mobility?

Employees · Business partners · Customers

Microsoft's vision

• Access everything from anywhere

• Manage and secure productivity

• Integrate with what you have

Apps · Devices · Data · Users

Device lifecycle (diagram: User and IT)

Enroll

• Provide a self-service Company Portal for users to enroll devices

• Deliver custom terms and conditions at enrollment

• Bulk enroll devices using Apple Configurator or service account

• Restrict access to Exchange email if a device is not enrolled

Retire

• Revoke access to corporate resources

• Perform selective wipe

• Audit lost and stolen devices

Provision

• Deploy certificates, email, VPN, and WiFi profiles

• Deploy device security policy settings

• Install mandatory apps

• Deploy app restriction policies

• Deploy data protection policies

Manage and Protect

• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)

• Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps

• Report on device and app compliance

Deployment options (diagram)

• Configuration Manager integrated with Intune (hybrid): IT works in the Configuration Manager console; System Center Configuration Manager manages domain joined PCs, and Intune manages mobile devices and PCs

• Intune standalone (cloud only): IT works in the Intune web console; Intune manages mobile devices

Manage and Protect

• No existing infrastructure necessary

• No existing Configuration Manager

deployment required

• Simplified policy control

• Simple web-based administration console

• Faster cadence of updates

• Always up-to-date

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows RT

• Windows Phone 8.x

• iOS

• Android

• OS X

Configuration Manager integrated with Intune (hybrid)

(Diagram: IT works in the Configuration Manager console; System Center Configuration Manager manages domain joined PCs and mobile devices)

System Center 2012 R2 Configuration Manager with Microsoft Intune

• Build on existing Configuration Manager deployment

• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)

• Deep policy control requirements

• Greater scalability

• Extensible administration tools (RBA, PowerShell, SQL reporting services)

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows to Go

• Windows Server

• Linux

• OS X

• Windows RT

• Windows Phone 8.x

• iOS

• Android

(Diagram: Microsoft Intune spans mobile application management, mobile device management, and PC management, serving both IT and User)

Actions upon device enrollment

• Deploy email, VPN, and WiFi profiles

• Deploy certificates

• Deploy and install apps

• Deploy managed app configuration policies

• Apply and enforce device configuration settings

• Collect hardware and software inventory data

Selective wipe (diagram: Microsoft Intune, enrolled devices holding both personal apps and managed apps; initiated by IT or the user)

• Perform selective wipe via self-service company portal or admin console

• Remove managed apps and data

• Keep personal apps and data intact

Conditional access policies

• IP Range

• Device State

• User Group

• Advanced Windows 10 options

(Diagram: a user reaches corporate apps on-premises and in the cloud, including the corporate email server; Microsoft Intune evaluates the policies that IT defines)

Deploy email profile upon enrollment

• Configure account settings and security restrictions

• Enable certificate authentication

• Synchronize email, task, contacts, and calendar

• Support for iOS, Samsung KNOX, and Windows Phone

Any email service supported by Exchange ActiveSync

User

Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support

Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool

Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

(Diagram: managed apps and personal apps side by side; corporate data and personal data separated by a multi-identity policy; IT and User)

Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps
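The two app-level controls described above, the copy/cut/paste/save-as restriction between managed and unmanaged apps and the selective wipe that removes managed data while leaving personal apps intact, are modelled in the following added example. It is not code from the deck or from Intune; the `Transfer` options, the `MamPolicy` fields and the sample apps are constructed for illustration and do not reflect Intune's real policy schema.

```python
"""Model of Intune-style mobile application management (MAM) controls.

Modelled here (with constructed names, not Intune's real schema):
  * data-transfer restrictions between managed and unmanaged apps
    (copy / cut / paste / save as), and
  * selective wipe, which clears managed apps' corporate data but leaves
    personal apps and their data untouched.
"""
from dataclasses import dataclass, field
from enum import Enum


class Transfer(Enum):
    """Which apps a managed app may send org data to / receive data from."""
    ANY = "any apps"
    MANAGED = "policy-managed apps only"
    NONE = "none"


@dataclass
class App:
    name: str
    managed: bool                       # True if the app is under a MAM policy
    corporate_data: list = field(default_factory=list)
    personal_data: list = field(default_factory=list)


@dataclass
class MamPolicy:
    send_org_data_to: Transfer = Transfer.MANAGED
    receive_data_from: Transfer = Transfer.MANAGED
    restricted_actions: frozenset = frozenset({"copy", "cut", "paste", "save as"})


def transfer_allowed(src: App, dst: App, action: str, policy: MamPolicy) -> bool:
    """Decide whether `action` may move data from src to dst under `policy`."""
    if action not in policy.restricted_actions:
        return True
    if not src.managed and not dst.managed:
        return True                     # personal-to-personal: outside MAM's scope
    if src.managed:                     # outbound rule of the managed source
        if policy.send_org_data_to is Transfer.NONE:
            return False
        if policy.send_org_data_to is Transfer.MANAGED and not dst.managed:
            return False
    if dst.managed:                     # inbound rule of the managed destination
        if policy.receive_data_from is Transfer.NONE:
            return False
        if policy.receive_data_from is Transfer.MANAGED and not src.managed:
            return False
    return True


def selective_wipe(apps: list) -> dict:
    """Clear corporate data from managed apps only.

    Returns {app name: number of corporate items removed} for managed apps;
    personal apps are not touched at all.
    """
    wiped = {}
    for app in apps:
        if app.managed:
            wiped[app.name] = len(app.corporate_data)
            app.corporate_data.clear()
    return wiped


if __name__ == "__main__":
    # Constructed sample inventory.
    outlook = App("Outlook", managed=True, corporate_data=["q1-forecast.xlsx"])
    notes = App("PersonalNotes", managed=False, personal_data=["groceries"])
    print("Outlook -> PersonalNotes copy:", transfer_allowed(outlook, notes, "copy", MamPolicy()))
    print("wiped:", selective_wipe([outlook, notes]), "personal kept:", notes.personal_data)
```

With the default policy (both directions limited to policy-managed apps) corporate data cannot be pasted into an unmanaged app and an unmanaged app cannot paste into a managed one; relaxing `send_org_data_to` to `Transfer.ANY` reopens the outbound path, which is exactly the leakage the slide's restriction is meant to prevent.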

Familiar Office experience

• Seamless “enrollment” into app management

• Use for personal and corporate accounts

Comprehensive protection

• App encryption at rest

• App access control – PIN or credentials

• Save as/copy/paste restrictions

• App-level selective wipe

MDM mgmt. by Intune or third-party is optional

Extend protection to a file level with Azure RMS

Might be a good solution for these scenarios:

• BYOD when MDM is not required

• Extending app access to vendors and partners

• Already have an existing MDM solution

(Diagram: personal apps and corporate apps; policy layers – MDM policies (optional, Intune or 3rd-party), MAM policies, and file policies from Azure Rights Management – supporting productivity)

Conditional access to email: who does what?

• Intune: Evaluate policy compliance for device

• Azure AD: Authenticate user and provide device compliance status

• Exchange Online: Enforces access to email based on device state

Flow (diagram: mobile device, Azure Active Directory, Office 365, Microsoft Intune)

1. Attempt email connection

2. Azure AD authenticates the user and provides device compliance status

3. Exchange Online enforces access based on device state

4. If not compliant, push device into quarantine; the user receives a quarantine email with remediation steps (link to enroll device and compliance remediation steps)

5. Enrollment / compliance remediation

6. Set device management/compliance status

7. If compliant, email access is granted
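The following added example simulates the conditional access decision sketched on the policy slide and in the email flow above: a policy keyed on user group, IP range and device state, Intune's compliance evaluation, Azure AD reporting the device status, and Exchange Online either granting access or quarantining the device with a remediation email. It is not code from the deck, from Intune or from Azure AD; the `Device` and `ConditionalAccessPolicy` fields, the group table, the portal URL and the rule that clients inside a trusted IP range are exempt are all assumptions made for the example.

```python
"""Simulation of Intune conditional access for Exchange Online email.

All objects here are constructed stand-ins (hypothetical fields, a toy
group directory and a placeholder portal URL); they are not real Intune or
Azure AD schemas. Roles follow the slide: Intune evaluates compliance,
Azure AD authenticates and reports device state, Exchange Online enforces.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    enrolled: bool
    compliant: bool          # last result of Intune's policy evaluation
    jailbroken: bool


@dataclass(frozen=True)
class ConditionalAccessPolicy:
    """Conditions named on the slide: user group, IP range, device state."""
    target_groups: frozenset
    trusted_networks: tuple  # CIDR strings; assumption: clients inside are exempt
    require_enrolled: bool = True
    require_compliant: bool = True


# Constructed directory data standing in for Azure AD group membership.
GROUP_MEMBERS = {"mobile-users": {"alice", "bob"}, "contractors": {"carol"}}
PORTAL_ENROLL_URL = "https://portal.example.invalid/enroll"   # placeholder


def in_trusted_network(client_ip: str, policy: ConditionalAccessPolicy) -> bool:
    return any(ip_address(client_ip) in ip_network(net) for net in policy.trusted_networks)


def intune_evaluate(device: Device) -> bool:
    """Intune: a jailbroken device never passes compliance evaluation."""
    return device.compliant and not device.jailbroken


def azure_ad_status(device: Device) -> dict:
    """Azure AD: authenticate the user and report device state to Exchange."""
    return {"user": device.user,
            "enrolled": device.enrolled,
            "compliant": device.enrolled and intune_evaluate(device)}


def quarantine_email(device: Device, problems: list) -> dict:
    """The quarantine mail: remediation steps plus the enrollment link."""
    return {"to": device.user, "subject": "Your device is in quarantine",
            "remediation": problems, "link": PORTAL_ENROLL_URL}


def exchange_decide(device: Device, client_ip: str, policy: ConditionalAccessPolicy):
    """Exchange Online: returns ('grant', None) or ('quarantine', email)."""
    targeted = any(device.user in GROUP_MEMBERS.get(g, set()) for g in policy.target_groups)
    if not targeted or in_trusted_network(client_ip, policy):
        return "grant", None             # policy does not apply to this request
    status = azure_ad_status(device)
    problems = []
    if policy.require_enrolled and not status["enrolled"]:
        problems.append("enroll device")
    if policy.require_compliant and not status["compliant"]:
        problems.append("fix compliance")
    if not problems:
        return "grant", None             # step 7: compliant, access granted
    return "quarantine", quarantine_email(device, problems)   # step 4


def remediate(device: Device) -> Device:
    """Steps 5-6: user enrolls and fixes compliance; Intune updates the status."""
    return replace(device, enrolled=True, compliant=True)


if __name__ == "__main__":
    policy = ConditionalAccessPolicy(frozenset({"mobile-users"}), ("10.0.0.0/8",))
    bob = Device("d2", "bob", enrolled=False, compliant=False, jailbroken=False)
    print(exchange_decide(bob, "203.0.113.5", policy))
    print(exchange_decide(remediate(bob), "203.0.113.5", policy))
```

Two points the simulation makes explicit: the quarantine branch is what gives the user a self-service path back (the remediation link), and the trusted-network exemption, if you enable one, is itself a bypass of the device-state check and should be scoped as narrowly as possible.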