empower enterprise mobility with microsoft ems

Empower Enterprise Mobility Kris Wagner, Microsoft MVP Sr. Manager, Cloud Platforms Tahoe Partners

Upload: kris-wagner

Post on 28-Jul-2015


TRANSCRIPT

Empower Enterprise Mobility

Kris Wagner, Microsoft MVP, Sr. Manager, Cloud Platforms, Tahoe Partners

Companies gain an extra __ hours of work/year from employees due to mobile working?

of employees use personal devices for work purposes.*

of employees that typically work on employer premises, also frequently work away from their desks.***

of all software will be available on a SaaS delivery by 2020.**

66% 25% 33%

* CEB The Future of Corporate ITL: 203-2017. 2013.
** Forrester Application Adoption Trends: The Rise Of SaaS
*** CEB IT Impact Report: Five Key Findings on Driving Employee Productivity Q1 2014.

Change drives complexity

[Diagram: VDI Solutions, Data Security Solutions, MDM Solutions, System Center, ID Solutions and a New Solution, each labelled Cost, Risk and Complexity.]

Microsoft’s unified approach

[Diagram labels: Cost, Risk, Complexity, Progress]

Devices Apps Data

Company Portal

IT Administrator

Corporate devices Personal devices

Cloud services Line of business apps SaaS apps Store apps

Microsoft’s Enterprise Mobility solution provides user-centric device and information management

User

The logos above may be the property of their respective owners.

Single ID

Single sign-on

Self-service experiences

Conditional/Contextual access

SaaS applications

Desktop Virtualization

Access & information protection

Mobile device & application management

Hybrid identity

What is Enterprise Mobility Suite?

Hybrid Identity Management w/Azure Active Directory Premium

Mobile Device & Application Mgmt w/Microsoft Intune

- Single sign-on to over 2,400 SaaS Applications
- Multi-factor Authentication (MFA)
- Self-service password reset
- Group-based SaaS provisioning
- Centralized application access management
- FIM CALs for on-premises usage
- SLA
- Advanced security reporting
- Cloud App Discovery

Information Protection w/Azure Rights Management

[Diagram labels: User’s identity, Username, IT, User, Cloud, On-premises]

[Diagram labels: User’s identity, New device, IT, User, Cloud, On-premises]

[Diagram labels: Policy control, SaaS discovery, User’s identity, IT, User, Cloud, On-premises]

Discover all SaaS apps in use within your organization

Accelerate your organization.

What’s next in Identity and Access Management (IAM)?

Empower your users. Support end user devices and end user self-service.

- Bring Your Own Device: Workplace Join
- End User Self-Service: Password reset, Group management

Unify your environment. One user, one identity.

- One Identity: Improve user experience, Unify cloud and on-prem, Reduce compliance risk, Reduce IT overhead
- Many Organizations: Administrative Units, B2B (future)

Protect your data. Maintain control while getting out of the way.

- Control Access: Multi-Factor Auth, Conditional Access, RBAC, Cloud domain join (W10), Next gen creds (W10)
- Encrypt Data: RMS Data Protection
- Maintain Visibility: Security reports, Heuristic based analytics

Deliver apps faster. Discover, manage, and develop apps faster.

- Discover applications: Cloud app discovery
- Manage applications: SaaS App Management, Azure AD App Proxy
- Develop applications: Secure, scalable platform; Standards based APIs; DevStudio integration; B2C (preview)


Enriched user experience through a single, verified identity

Unified across cloud and on-premises with single sign-on

Integrated identity solution reduces risk across the business

Reduced IT burden of creating and managing multiple identities

__% respondents believe their company effectively controls what can be done on the mobile device?

Desktop Virtualization

Access & information protection

Mobile device & application management

Hybrid identity

Consistent user experience

Simplified device enrollment and registration

Single console to manage devices

What is Enterprise Mobility Suite?

Hybrid Identity Management w/Azure Active Directory Premium

Mobile Device & Application Mgmt w/Microsoft Intune

- Single sign-on to over 2,400 SaaS Applications
- Multi-factor Authentication (MFA)
- Self-service password reset
- Group-based SaaS provisioning
- Centralized application access management
- FIM CALs for on-premises usage
- SLA
- Advanced security reporting

Cross-platform mobile device mgmt (Windows, iOS, Android)

- Hardware & software inventory
- Application distribution
- Policy settings
- Full & selective wipe of corporate data

Information Protection w/Azure Rights Management

Microsoft Intune integrated with System Center 2012 R2 Configuration Manager

Mac OS X

Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded

Windows RT, Windows Phone 8

iOS, Android

Manage mobile productivity without compromising compliance

Manage Mobile Productivity and Protect Data with Office
- Manage mobile productivity and protect data with Office Mobile apps for iOS and Android
- Manage policy for existing iOS line of business apps (so called “app wrapping”)
- Managed browser and PDF/Audio/Video viewers

Conditional Access Policy to Email and Documents
- Provide access to Exchange and OneDrive for Business resources only to managed devices
- Deny access if a device falls out of compliance

Enroll and Manage Corporate-owned Devices
- Enable IT to bulk enroll corporate-owned task-worker devices
- Support for Apple Configurator

Personal

Corporate

Managed Browser

Native E-mail

1. Susan tries to set up her new unmanaged tablet to connect to Exchange and is blocked.

2. She enrolls the tablet into Windows Intune and is then granted access to Exchange.

3. Susan tries to save attachment to OneDrive, and is blocked since OneDrive is not managed by IT.

4. She saves attachment to OneDrive for Business, which is allowed since it is managed by IT.

5. She then tries to copy/paste content into a PowerPoint slide, and is successful.

6. Susan tries to copy text from her attachment and paste it into another, unmanaged app. This action is blocked since this app is not managed by IT.

7. Susan later leaves the company, and a selective wipe is performed on her tablet, removing corporate apps and data while leaving her personal content on the device.

Native E-mail

Managed Browser

LoB

Layer 1 – Mobile device lockdown via MDM

Protects corporate data by…
- Restricting device behaviors: PIN, encryption, wipe, disable screen capture and cloud backup, track compliance, etc.
- Provisioning credentials that enable corporate resource access control

Gaps it leaves open
- Apps may share corporate data with other apps outside IT control
- Apps may save corporate data to consumer cloud services

Layer 2 – Application and data containers (aka “managed mobile productivity”)

Protects corporate data by…
- Preventing apps from sharing data with other apps outside of IT control
- Preventing apps from saving data to stores outside of IT control
- Encrypting app data to supplement device encryption

Gaps it leaves open
- Only protects corporate data that resides on devices. Cannot protect data beyond a device.
- Applies same protection to all data that an app touches. Does not allow for specific protection per document.

Layer 3 – Data wrapping

Protects corporate data by…
- Protecting data wherever it resides
- Providing granular, content specific protection – e.g. time bomb vision docs

Gaps it leaves open
- Requires enlightened applications
- Requires all data to be protected if not complemented by Layers 1 and 2

LoB

This roadmap contains two Windows Intune releases. Dates are subject to change.

Wave H.0

November December

Wave H.1

- Deployment of email profiles
- Deployment of certificates
- Deployment of VPN profiles
- Deployment of WiFi profiles
- Configure EAS email only if device is managed (Exchange on-prem)
- Deployment of free store apps for iOS
- Convenient access to internal corporate resources via per-app VPN configurations for iOS
- Required app install/uninstall
- Remote pin reset for WP 8.1 (currently supported for iOS and Android)
- MFA at enrollment
- Group filtering within admin console (RBAC lite)
- Service account enrollment
- Device lockdown via Supervisor mode (iOS) and Kiosk mode (KNOX)
- Policies and apps targeted to devices
- Application install allow/deny list
- Customizable terms of use
- Configure EAS email only if device is managed (O365)
- Configure MOWA email only if device is managed
- Configure documents only if device is managed **
- Restrict access if device falls out of compliance policy
- Managed Office mobile apps – Word, Excel, PowerPoint
- App wrapper for existing iOS line-of-business apps *
- Managed browser
- PDF viewer, AV player, Image viewer
- Selective wipe of managed apps and data
- Support for Apple Configurator
- Device lockdown via Assigned Access mode (WP 8.1)
- URL allow/deny (via Managed browser)

* SSO not supported in December release
** OD4B team dependency – possible delay

Today’s MAM Containers Protected Mobile Productivity

Desktop Virtualization

Access & information protection

Mobile device & application management

Hybrid identity

Dynamic Access Control

Rights management

Secure access to work files


What is Enterprise Mobility Suite?

Hybrid Identity Management w/Azure Active Directory Premium

Mobile Device & Application Mgmt w/Microsoft Intune

- Single sign-on to over 2,400 SaaS Applications
- Multi-factor Authentication (MFA)
- Self-service password reset
- Group-based SaaS provisioning
- Centralized application access management
- FIM CALs for on-premises usage
- SLA
- Advanced security reporting

Cross-platform mobile device mgmt (Windows, iOS, Android)

- Hardware & software inventory
- Application distribution
- Policy settings
- Full & selective wipe of corporate data

Information Protection w/Azure Rights Management

- Share RMS protected documents with anyone on any device
- On-premises use for hybrid scenarios with no infrastructure


Productivity

Security

Mobility

Businesses must keep up by fostering productivity, enabling mobility and ensuring security. Microsoft can help.

EMS

Employee productivity−anywhere, any device

“With employees using the self-service password reset feature in Azure AD Premium, we’ve been able to reduce annual help-desk costs by $20,000.”

Empower users to do more with single sign-on, self-service password reset, and managed access to apps

- Provide single sign-on to apps and data from personal or corporate devices based on user identity
- Enable self-service password reset with multi-factor authentication
- Let users register personal devices and install IT-approved apps through a web-based, company-specific app store (Company Portal)

[Diagram labels: Sign-on, Single Sign-on, Self-service password reset, Company Portal, Download apps]

Enable your mobile workforce

“With Windows Azure MFA, we have a stronger level of protection for Office 365…so we have all of our external services well protected.”

Authenticated access to apps and data

Make sure users are who they say they are

- Verify identity with multi-factor authentication (call, text, mobile app)
- Choose who can read, copy, print, save, forward, and edit, and set when these rights expire
- Let users download only the apps they’re authorized to use through the Company Portal

Multi-factor authentication

Data Apps Docs

Double-check identity through text, call or app

Log on to any device

Help protect corporate data, apps and docs

“Now we can deploy, secure, and manage mobile apps that staff use to move faster than the competition and drive business.”

Remote device management across platforms

Deliver an up-to-date and security-enhanced experience on nearly any device

- Remotely manage & help protect Windows, iOS, and Android devices
- Handle device theft and loss with remote wipe: selectively remove corporate apps, data, and policies
- Better protect corporate data as users and devices travel
- Deploy policies and updates, and inventory HW and SW via the cloud

Android, iOS, Windows

IT

Simplified device management via the cloud

Company Portal

IT Administrator

Corporate devices Personal devices

Cloud services Line of business apps SaaS apps Store apps

Microsoft’s Mobile Management solution provides user-centric device and information management

User

The logos above may be the property of their respective owners.

…lets you build on your investments

- 66% of enterprise seats covered with System Center Configuration Manager
- 240m user accounts in Microsoft Azure Active Directory
- 14B+ Microsoft Azure Active Directory authentications per week

Sunil Tahilramani

Find a partner

PLA would like to help your organization gain clarity on how to manage your mobile workforce’s Bring Your Own Device (BYOD) challenges. Microsoft’s Enterprise Mobility Suite can help make this dream a reality and allow you to proactively control your evolving mobile users and their devices.

Topics include:

- End-User Mobility
- Implementing Hybrid Identity Management
- Mobile Device & Application Management
- Access & Information Protection
- Self-service Password reset

For more information contact PLA at [email protected] or call (877) 752-0451

Enterprise Mobility Suite ½ Day Strategy Assessment

Each person that completes a ½ day EMS Strategy Assessment by 12/31 will be entered into a drawing to win a Surface Pro 3

Online Survey Link - http://1drv.ms/1s2YnMl

Thank you!