
Upload: bernice-peters

Post on 24-Dec-2015


Page 1: Business Needs and IT Challenges How can IT maintain user productivity and protect against evolving threats How can IT reduce complexity and scale
Page 2: Empowering Your Users and Protecting Your Corporate Data

Gordon McKenna, Martyn Coupland

Inframon Ltd

Page 3: Session agenda

Why are we concerned about BYOD/CYOD?
Enrolling devices with Windows Intune
Managing device compliance
Device security
Protecting corporate information
Competition

Page 4: Why are we concerned?

Page 5: Business Needs and IT Challenges

How can IT maintain user productivity and protect against evolving threats

How can IT reduce complexity and scale back infrastructure requirements

IT Needs: Lower operational costs

Business Needs: Agility and Flexibility

Page 6

57% of smartphone owners use their personal device to access corporate data.

Source: OVUM/Logicalis – 3,796 responses

Page 7

70% of tablet owners use their personal device to access corporate data.

Source: OVUM/Logicalis – 3,796 responses

Page 8

46% of BYOD use is unmanaged by employers or ignored.

Source: OVUM/Logicalis – 3,796 responses

Page 9

46% of BYOD use is unmanaged potentially exposing corporate data.

Source: OVUM/Logicalis – 3,796 responses

Page 10: Anytime… anywhere

Page 11: Registering and Enrolling Devices

IT can publish access to corporate resources with the Web Application Proxy, based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.

Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.

As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.

Data from Windows Intune is synchronized with Configuration Manager, which provides unified management both on-premises and in the cloud.

Diagram labels: Web Application Proxy, ADFS

Page 12: Unified Device Management

IT
Single Admin Console
Microsoft System Center 2012 R2 Configuration Manager

Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded
Windows RT, Windows Phone 8
iOS, Android
Mac OS X

Page 13: New Windows Intune Features

Support for email profiles
iOS 7 MDM feature support
Remote lock and remote password reset
Application control – allow or deny app
Conditional email access
Browser management and URL filtering
Bulk device enrollment

Page 14: What's Next (announced today)

Conditional Access Policy
Managed Office Mobile Apps
Protected Data
Managed Corporate Devices

New Enterprise Mobility Blog: http://aka.ms/Ae0ffp

Page 15: Demo

Device Enrollment to a Unified Management Infrastructure

Page 16: Device Compliance

Page 17: Security and Compliance: Settings Management

Diagram labels: ConfigMgr MP, Baseline, ConfigMgr Agent

Baseline Configuration Items: WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory

Auto Remediate OR Create Alert (to Service Manager)

Assignment to collections
Baseline drift

Improved functionality
  Copy settings
  Trigger console alerts
  Richer reporting

Enhanced versioning and audit tracking
  Ability to specify versions to be used in baselines
  Audit tracking includes who changed what

Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator

Page 18: VPN Profile Management

Support for major SSL VPN vendors
  SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
  Subset of vendors have Windows Windows RT VPN plug-in

Automatic VPN connection
  DNS name-based initiation support for Windows 8.1 and iOS
  Application ID based initiation support for Windows 8.1

Support for VPN standards
  PPTP, L2TP, IKEv2

Page 19: Wi-Fi and Certificate Profiles

Wi-Fi settings
  Manage Wi-Fi protocol and authentication settings
  Provision Wi-Fi networks that device can auto connect
  Specify certificate to be used for Wi-Fi connection

Manage and distribute certificates
  Deploy trusted root certificates
  Support for Security Center Endpoint Protection (SCEP) protocol

Page 20: Demo

Managing Settings for Off Premise Devices

Page 21: Device Security

Page 22: Comprehensive Protection Stack

Building enterprise grade platform security

[Diagram. Layers: MANAGEMENT, ANTIMALWARE, PLATFORM, DYNAMIC CLOUD UPDATES. Products: System Center Configuration Manager and Endpoint Protection; System Center 2012 Endpoint Protection; Windows; Microsoft Malware Protection Center; Dynamic Signature Service.]

Components shown: Endpoint Protection Management; Software Updates + SCUP; Operating System Deployment; Settings Management; Software Distribution; Exchange Connector; Antimalware; Dynamic Translation; Behavior Monitoring; Vulnerability Shielding; Windows Defender Offline; Cloud clean restore; ELAM & Measured Boot; Internet Explorer; BitLocker; AppLocker; Address Space Layout Randomization; Data Execution Prevention; User Access Control; Secure Boot through UEFI; Windows Resource Protection; Measured Boot; Early Launch Antimalware (ELAM)

Legend: Available only in Windows 8.x; Enhanced in Windows 8.x (or Internet Explorer 10)

Page 23: Behavior Monitoring and Dynamic Signature Service

Live system monitoring identifies new threats
Tracks behavior of unknown processes and known bad processes
Multiple sensors to detect operating system anomaly

Updates for new threats delivered through the cloud in real time
Real time signature delivery with Microsoft Active Protection Service
Immediate protection against new threats without waiting for scheduled updates

Diagram labels: RESEARCHERS, REPUTATION, REAL-TIME SIGNATURE DELIVERY, BEHAVIOR CLASSIFIERS, Properties/Behavior, Real-time signature, Sample request, Sample submit

Page 24: Cloud Clean Restore

Advanced system file cleaning through replacement

Replaces infected system files with clean versions from a cloud source.

Uses a trusted Microsoft cloud source for the replacement file.

Restart requirements orchestrated on system and wired to client UI (for in use file replacement).

Diagram labels: System file compromise detected (RTP or scan); Compromised file replaced; Request new file; Download replacement file

Page 25: Trusted Boot: Early Load Anti-Malware

Windows 7
  Malware is able to boot before Windows and Anti-malware
  Malware able to hide and remain undetected
  Systems can be compromised before AM starts
  Boot order: BIOS -> OS Loader (Malware) -> 3rd Party Drivers (Malware) -> Anti-Malware Software Start -> Windows Logon

Windows 8
  Secure Boot loads Anti-Malware early in the boot process
  Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
  Windows starts AM software before any 3rd party boot drivers
  Malware can no longer bypass AM inspection
  Boot order: Native UEFI -> Windows 8 OS Loader -> Anti-Malware Software Start -> 3rd Party Drivers -> Windows Logon

Page 26: Enhancements in R2

For Windows 8 and Windows Server 2012
Windows 8.1 and Windows Server 2012 R2 Support
Alert toasts on the Modern UX
Supports Resilient File System (ReFS) and Cluster Shared Volumes (CSV)
Support for scanning and remediating modern apps

Engine improvements now available in SCEP:
  Latest Common Anti-Malware Platform (CAMP)
  Automatic Remediation
  Early Launch Anti-Malware (ELAM) detection support
  Improved performance
  Enhanced telemetry
  Improved rootkit remediation with Windows Defender Offline
  Improved hardening

Page 27: Demo

Overview of System Center Endpoint Protection

Page 28: Protecting Corporate Information

Page 29: Simplify BitLocker Deployment

Encrypt a computer before a user receives it
  Microsoft Deployment Toolkit (MDT)
  System Center Configuration Manager

Enable users to encrypt their computers after policy
  Simplifies TPM Initialization
  Group Policy driven
  Exclude specific hardware

Policy
Hardware Compatibility

Page 30: MBAM System Overview

Diagram labels: MBAM Client; HTTPS; Recovery Password Data; Compliance Data; Group Policy: AD, AGPM; Key Recovery Service; Helpdesk UX for Key Recovery; Compliance Service; Compliance Reports; Central Administration

Page 31: Rights management access policies

User claims
  User.Department = Finance
  User.Clearance = High

Device claims
  Device.Department = Finance
  Device.Managed = True

Resource properties
  Resource.Department = Finance
  Resource.Impact = High

ACCESS POLICY
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

Diagram labels: AD DS, File Server

Page 32: Expression based access control

Manage fewer security groups by using conditional expressions

Country x 50: 50 Groups
Branch x 20: 1000 Groups
Customers x 100: 100,000 Groups!

Flexible access control lists based on document classification and multiple identities (security groups).

Centralized access control lists using Central Access Policies.

Expression based access conditions
  100,000 groups
  170 groups with conditional expressions
  MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)
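
The access policy on page 31 and the group arithmetic on page 32, worked through as an added example (not code from the presenters or from Microsoft). It is a small Python model of the rule, not Windows' access-check engine; the function names and the constructed sample claims are assumptions.

```python
# Added illustration, not Windows' access-check engine. Function names and
# the constructed sample claims below are assumptions for this example.

def rule_applies(resource):
    """Target condition from page 31: 'Applies to: @File.Impact = High'."""
    return resource.get("Impact") == "High"

def condition_holds(user, device, resource):
    """(@User.Department == @File.Department) AND (@Device.Managed == True)."""
    dept = user.get("Department")
    # A missing claim must not satisfy the comparison (None == None is True).
    return (dept is not None
            and dept == resource.get("Department")
            and device.get("Managed") is True)

def evaluate(user, device, resource):
    """Rights granted by the rule; None when the rule does not target the file."""
    if not rule_applies(resource):
        return None  # rule is silent, other permissions decide
    if condition_holds(user, device, resource):
        return {"Read", "Write"}
    return set()

def member_of_all(memberships, *required):
    """Page 32: MemberOf(A) AND MemberOf(B) AND MemberOf(C)."""
    return all(group in memberships for group in required)

def group_counts(countries, branches, customers):
    """(one group per combination, one group per attribute value)."""
    return (countries * branches * customers,
            countries + branches + customers)

# Constructed sample data mirroring the claims shown on page 31.
FINANCE_USER = {"Department": "Finance", "Clearance": "High"}
MANAGED_DEVICE = {"Department": "Finance", "Managed": True}
BYOD_DEVICE = {"Managed": False}
HIGH_IMPACT_FILE = {"Department": "Finance", "Impact": "High"}

if __name__ == "__main__":
    print(evaluate(FINANCE_USER, MANAGED_DEVICE, HIGH_IMPACT_FILE))
    print(evaluate(FINANCE_USER, BYOD_DEVICE, HIGH_IMPACT_FILE))
    print(evaluate({"Clearance": "High"}, MANAGED_DEVICE, {"Impact": "High"}))
    print(evaluate(FINANCE_USER, BYOD_DEVICE, {"Impact": "Low"}))
    print(member_of_all({"US", "Seattle_Branch"},
                        "US", "Seattle_Branch", "Contoso_Customer"))
    print(group_counts(50, 20, 100))
```

The unmanaged device and the user with no Department claim both get an empty rights set on the high-impact file, while the low-impact file falls outside the rule entirely.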

Page 33: Enterprise Mobility Suite – PCIT In a Box

Hybrid identity management
Mobile device management
Azure rights management
Self-service password resets
Multi-factor authentication
Selective wipe of applications
Sync between cloud and on-premises directories

Page 34: Demo

Azure Rights Management

Page 35: Session summary

BYOD/CYOD is happening; if you don’t have a plan, make one now.
Microsoft offers device and corporate data protection through “defense in depth”.
System Center Configuration Manager, Intune and Azure provide the “complete solution”.
Protect your organisation today.

Page 36: Competition time…

Page 37: On your marks…

Prizes to be won

Three volunteers: Windows Phone, iOS and Android
Download the company portal from your app store
Enroll your device using these credentials:

Username: [email protected]
Password: Pa$$w0rd

When the portal finishes loading, raise your hand
The quickest person wins, simple!

Page 38: Reach out…

We are around all week
  @mrcoups
  @gordodamom

We blog as well
  www.martyncoupland.co.uk
  blogs.Inframon.com

Page 39: Related content

PCIT-B212 Design Considerations for BYOD

PCIT-B214 Using Dynamic Access Control and Rights Management for Information Protection

PCIT-B213 Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure

PCIT-B314 Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2

DCIM-IL201 Implementing Desired State configuration

Breakout Sessions and Hands on labs

Page 40: Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Page 41

Complete an evaluation and enter to win!

Page 42: Evaluate this session

Scan this QR code to evaluate this session.

Page 43

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.