Gordon McKenna, Martyn Coupland
Inframon Ltd
Empowering Your Users and Protecting Your Corporate Data
Session agenda
Why are we concerned about BYOD/CYOD?
Enrolling devices with Windows Intune
Managing device compliance
Device security
Protecting corporate information
Competition
Why are we concerned?
Business Needs and IT Challenges
How can IT maintain user productivity and protect against evolving threats?
How can IT reduce complexity and scale back infrastructure requirements?
IT needs: lower operational costs
Business needs: agility and flexibility
57% of smartphone owners use their personal device to access corporate data.
Source: OVUM/Logicalis – 3,796 responses
70% of tablet owners use their personal device to access corporate data.
Source: OVUM/Logicalis – 3,796 responses
46% of BYOD use is unmanaged by employers or ignored.
Source: OVUM/Logicalis – 3,796 responses
46% of BYOD use is unmanaged, potentially exposing corporate data.
Source: OVUM/Logicalis – 3,796 responses
Anytime… anywhere
Registering and Enrolling Devices
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and cloud-managed devices.
Components: Web Application Proxy, ADFS
Unified Device Management
Single admin console: Microsoft System Center 2012 R2 Configuration Manager
Managed platforms: Mac OS X; Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Embedded; Windows RT, Windows Phone 8; iOS, Android
New Windows Intune Features
Support for email profiles
iOS 7 MDM feature support
Remote lock and remote password reset
Application control – allow or deny app
Conditional email access
Browser management and URL filtering
Bulk device enrollment
What's Next (announced today)
Conditional access policy
Managed Office mobile apps
Protected data
Managed corporate devices
New Enterprise Mobility blog: http://aka.ms/Ae0ffp
Demo
Device Enrollment to a Unified Management Infrastructure
Device Compliance
Security and Compliance Settings Management (diagram): the ConfigMgr MP delivers a baseline to the ConfigMgr agent.
Baseline configuration items can be evaluated from: WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory.
On non-compliance: auto remediate, or create an alert (to Service Manager).
Improved functionality: copy settings, trigger console alerts, richer reporting
Enhanced versioning and audit tracking: ability to specify versions to be used in baselines; audit tracking includes who changed what
Pre-built industry standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator
Assignment to collections; baseline drift
VPN Profile Management
Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5; a subset of vendors have a Windows / Windows RT VPN plug-in
Automatic VPN connection: DNS name-based initiation support for Windows 8.1 and iOS; application ID based initiation support for Windows 8.1
Support for VPN standards: PPTP, L2TP, IKEv2
Wi-Fi and Certificate Profiles
Wi-Fi settings: manage Wi-Fi protocol and authentication settings; provision Wi-Fi networks that the device can auto-connect to; specify the certificate to be used for the Wi-Fi connection
Manage and distribute certificates: deploy trusted root certificates; support for the SCEP (Simple Certificate Enrollment Protocol) protocol for certificate enrollment
Demo
Managing Settings for Off Premise Devices
Device Security
Comprehensive Protection Stack: building enterprise grade platform security (diagram)
Management – System Center Configuration Manager and Endpoint Protection: Endpoint Protection management, Software Updates + SCUP, Operating System Deployment, Settings Management, Software Distribution, Exchange Connector
Antimalware – System Center 2012 Endpoint Protection: antimalware, dynamic translation, behavior monitoring, vulnerability shielding, Windows Defender Offline, cloud clean restore, ELAM & Measured Boot
Platform – Windows: Internet Explorer, BitLocker, AppLocker, Address Space Layout Randomization, Data Execution Prevention, User Account Control, Secure Boot through UEFI, Windows Resource Protection, Measured Boot, Early Launch Antimalware (ELAM)
Legend: available only in Windows 8.x; enhanced in Windows 8.x (or Internet Explorer 10)
Dynamic cloud updates: Microsoft Malware Protection Center, Dynamic Signature Service
Behavior Monitoring and Dynamic Signature Service
Live system monitoring identifies new threats; tracks behavior of unknown processes and known bad processes; multiple sensors detect operating system anomalies
Updates for new threats delivered through the cloud in real time; real-time signature delivery with Microsoft Active Protection Service; immediate protection against new threats without waiting for scheduled updates
Diagram: researchers, reputation, behavior classifiers and real-time signature delivery in the cloud; the client sends properties/behavior and sample submissions and receives real-time signatures and sample requests
Cloud Clean Restore: advanced system file cleaning through replacement
Replaces infected system files with clean versions from a cloud source.
Uses a trusted Microsoft cloud source for the replacement file.
Restart requirements orchestrated on the system and wired to the client UI (for in-use file replacement).
Flow: system file compromise detected (RTP or scan) → request new file → download replacement file → compromised file replaced
Trusted Boot: Early Load Anti-Malware
Windows 7: malware is able to boot before Windows and anti-malware; malware is able to hide and remain undetected; systems can be compromised before AM starts
Windows 7 boot sequence: BIOS → OS loader (malware) → 3rd party drivers (malware) → anti-malware software start → Windows logon
Windows 8: Secure Boot loads anti-malware early in the boot process; the Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft; Windows starts AM software before any 3rd party boot drivers; malware can no longer bypass AM inspection
Windows 8 boot sequence: native UEFI → Windows 8 OS loader → anti-malware software start → 3rd party drivers → Windows logon
Enhancements in R2
For Windows 8 and Windows Server 2012: Windows 8.1 and Windows Server 2012 R2 support; alert toasts on the Modern UX; supports Resilient File System (ReFS) and Cluster Shared Volumes (CSV); support for scanning and remediating modern apps
Engine improvements now available in SCEP: latest Common Anti-Malware Platform (CAMP); automatic remediation; Early Launch Anti-Malware (ELAM) detection support; improved performance; enhanced telemetry; improved rootkit remediation with Windows Defender Offline; improved hardening
Demo
Overview of System Center Endpoint Protection
Protecting Corporate Information
Simplify BitLocker Deployment
Encrypt a computer before a user receives it: Microsoft Deployment Toolkit (MDT), System Center Configuration Manager
Enable users to encrypt their computers after policy: simplifies TPM initialization, Group Policy driven
Hardware compatibility: exclude specific hardware
MBAM System Overview (diagram): the MBAM client sends recovery password data to the Key Recovery Service and compliance data to the Compliance Service over HTTPS; client settings come from Group Policy (AD, AGPM); helpdesk UX for key recovery; compliance reports and central administration
Rights management access policies (claims-based access control with AD DS and a file server)
User claims: User.Department = Finance, User.Clearance = High
Device claims: Device.Department = Finance, Device.Managed = True
Resource properties: Resource.Department = Finance, Resource.Impact = High
Access policy, applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Expression based access control
Manage fewer security groups by using conditional expressions: 50 country groups x 20 branches = 1,000 groups, x 100 customers = 100,000 groups! With conditional expressions the same policy needs 170 groups, e.g. MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)
Flexible access control lists based on document classification and multiple identities (security groups).
Centralized access control lists using Central Access Policies.
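The two slides above can be modelled in a few lines. This is an added illustration, not code from the deck or from Dynamic Access Control itself: the claim names, the managed-device gate and the group names follow the slides, while the Principal/Device/Resource classes and the evaluator functions are assumptions made for the example.

```python
# Added example: evaluates the slide's central access policy against user,
# device and resource claims, and shows the group-count saving from
# conditional expressions. Class and function names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Principal:
    claims: dict                       # e.g. {"Department": "Finance", "Clearance": "High"}
    groups: set = field(default_factory=set)

@dataclass
class Device:
    claims: dict                       # e.g. {"Managed": True}

@dataclass
class Resource:
    props: dict                        # e.g. {"Department": "Finance", "Impact": "High"}

READ, WRITE = "Read", "Write"

def central_access_policy(user, device, resource):
    """Slide rule: applies to @File.Impact = High; allow Read, Write if
    @User.Department == @File.Department AND @Device.Managed == True.
    Returns None when the policy does not apply (ordinary ACL decides)."""
    if resource.props.get("Impact") != "High":
        return None
    same_dept = user.claims.get("Department") == resource.props.get("Department")
    managed = device.claims.get("Managed") is True      # missing claim fails closed
    return {READ, WRITE} if same_dept and managed else set()

def conditional_expression(user):
    """One expression replaces a dedicated group per (country, branch, customer):
    MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)."""
    return {"US", "Seattle_Branch", "Contoso_Customer"} <= user.groups

def group_counts(countries, branches, customers):
    """Groups needed: one per combination versus one per attribute value."""
    return countries * branches * customers, countries + branches + customers
```

An unmanaged device, or a device with no Managed claim at all, gets an empty permission set even when the user's department matches.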
Enterprise Mobility Suite – PCIT in a box
Hybrid identity management
Mobile device management
Azure Rights Management
Self-service password resets
Multi-factor authentication
Selective wipe of applications
Sync between cloud and on-premises directories
Demo
Azure Rights Management
Session summary
BYOD/CYOD is happening; if you don't have a plan, make one now.
Microsoft offers device and corporate data protection through "defense in depth".
System Center Configuration Manager, Intune and Azure provide the "complete solution".
Protect your organisation today.
Competition time…
Three volunteers: Windows Phone, iOS and Android
Download the Company Portal from your app store
Enroll your device using these credentials:
Username: [email protected], Password: Pa$$w0rd
When the portal finishes loading, raise your hand. The quickest person wins, simple!
On your marks… prizes to be won
Reach out…
We are around all week: @mrcoups, @gordodamom
We blog as well: www.martyncoupland.co.uk, blogs.Inframon.com
Related content
PCIT-B212 Design Considerations for BYOD
PCIT-B214 Using Dynamic Access Control and Rights Management for Information Protection
PCIT-B213 Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure
PCIT-B314 Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2
DCIM-IL201 Implementing Desired State configuration
Breakout Sessions and Hands on labs
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.