Microsoft EMS and Office 365 - Better Together

Enterprise Mobility + Security: Why should Office 365 customers consider EMS? David J. Rosenthal, VP & GM, Digital Business Solutions, Razor Technology. Microsoft Briefing Center, NYC, February 23, 2017

Upload: razor-technology-llc

Post on 03-Mar-2017


TRANSCRIPT

Page 1: Microsoft EMS and Office 365 - Better Together

Enterprise Mobility + Security: Why should Office 365 customers consider EMS?

David J. Rosenthal, VP & GM, Digital Business Solutions

Razor Technology

Microsoft Briefing Center, NYC February 23, 2017

Page 2: Microsoft EMS and Office 365 - Better Together
Page 3: Microsoft EMS and Office 365 - Better Together
Page 4: Microsoft EMS and Office 365 - Better Together

Extending Office 365 capabilities through EMS

Secure access

Single sign-on experience augmented by self-service capabilities.

Mobile management

Control how data within Office Mobile apps (and other apps) is shared.

Advanced security

Protect against identity breaches that can result in data loss.

Page 5: Microsoft EMS and Office 365 - Better Together

Secure access

Page 6: Microsoft EMS and Office 365 - Better Together
Page 7: Microsoft EMS and Office 365 - Better Together

Conditions

• Location (IP range)

• Device state

• User group

• Risk

Actions

• Allow

• Enforce MFA

• Remediate

• Block access

• Wipe device

Diagram labels: User, MFA, Microsoft Azure, On-premises applications

Page 8: Microsoft EMS and Office 365 - Better Together

Ensure the right people have access to apps and files under the right conditions.

Enable compliant users with easy access to all resources.

Adjust access policies in real time with machine learning.

Empower users with self-service options.

Diagram labels: On-premises applications, Microsoft Azure

Page 9: Microsoft EMS and Office 365 - Better Together

EMS connects your workforce to 1000s of cloud and on-premises applications using one unified identity.

Single sign-on to Office 365 and all other applications

User

SINGLE SIGN-ON TO ALL APPS

On-premises applications

Microsoft Azure

Page 10: Microsoft EMS and Office 365 - Better Together

Cloud HR

Web apps (Azure Active Directory Application Proxy)

Integrated custom apps

SaaS apps

HR and other directories

2500+ popular SaaS apps

Connect and sync on-premises directories with Azure

Easily publish on-premises web apps via Application Proxy + Custom apps through a rich standards-based platform

Microsoft Azure AD

Page 11: Microsoft EMS and Office 365 - Better Together

Risk severity calculation

Remediation recommendations

Risk-based conditional access automatically protects against suspicious logins and compromised credentials.

Gain insights from a consolidated view of machine learning based threat detection.

Risk-based policies

MFA Challenge Risky Logins

Block attacks

Change bad credentials

Machine-Learning Engine

Leaked credentials

Infected devices

Configuration vulnerabilities

Brute force attacks

Suspicious sign-in activities

Page 12: Microsoft EMS and Office 365 - Better Together

Enforce on-demand, just-in-time administrative access when needed.

Gain more visibility through alerts, audit reports, and access reviews.

Global Administrator

Billing Administrator

Exchange Administrator

User Administrator

Password Administrator

Page 13: Microsoft EMS and Office 365 - Better Together

Self-service capabilities in EMS include:

• Account, apps and group management

• Self-service password reset

• Application access requests

• Integrated Office 365 app launching

Page 14: Microsoft EMS and Office 365 - Better Together

Mobile management

Page 15: Microsoft EMS and Office 365 - Better Together

Protect Office Mobile app data with

• App encryption at rest

• App access control – PIN or credentials

• Save as/copy/paste restrictions

• App-level selective wipe

Extend protection to line of business and third-party apps

Personal apps

Corporate apps

MDM policies

MAM policies

MDM – optional (Intune or third party)

Azure Rights Management

Microsoft Intune

Corporate data

Personal data

Multi-identity policy

Page 16: Microsoft EMS and Office 365 - Better Together

Intune gives you the option to manage the data, without the need to manage the device.

A great option for BYOD scenarios where your end users may be reluctant to enroll their personal devices.

Protect with and without enrollment

Page 17: Microsoft EMS and Office 365 - Better Together

SECRET

CONFIDENTIAL

INTERNAL

NOT RESTRICTED

IT admin can set policies, templates, and rules.

Classifications, labels and encryption can be applied automatically based on file source, context, and content.

EMS extends Office 365 manual protection of files with automatic protection to ensure policy compliance.

User can build on policies. User can track file and revoke access if needed.

Page 18: Microsoft EMS and Office 365 - Better Together

Revoke access in the case of unexpected sharing

Track who accessed the data, when, and where

Sue

Bob

Jane

Competitors

Jane’s access is revoked

Bob accessed from South America

Jane accessed from India

Joe blocked in North America

Jane blocked in Africa

Sue

Map View

Page 19: Microsoft EMS and Office 365 - Better Together

Advanced security

Page 20: Microsoft EMS and Office 365 - Better Together

Transition to cloud & mobility

New attack landscape

Current defenses not sufficient

Identity breach

Data breach

Shadow IT

Diagram labels: Employees, Partners, Customers; Identity, Devices, Apps & Data; On-premises apps, Cloud apps, SaaS, Azure

Page 21: Microsoft EMS and Office 365 - Better Together

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.

An on-premises platform to identify advanced security attacks and insider threats before they cause damage

Behavioral Analytics

Detection of advanced attacks and security risks

Advanced Threat Detection

Page 22: Microsoft EMS and Office 365 - Better Together

Shadow IT

Sanctioned

App Security

Visibility and control

Compliance and regulations

Integration with existing systems and workflows

Cloud security expertise

Cloud Discovery

Page 23: Microsoft EMS and Office 365 - Better Together

Cloud App Security

Cross-SaaS solution

• Shadow IT discovery

• Advanced visibility, data control, and protection

• Threat detection and prevention

Office 365 Advanced Security Management

Enhanced visibility and control for Office 365

• Discovery for apps with similar functionality to Office 365

• App permissions and control

• Advanced security alerts

Page 24: Microsoft EMS and Office 365 - Better Together

Enterprise Mobility + Security

Basic identity mgmt. via Azure AD for O365:

• Single sign-on for O365

• Basic multi-factor authentication (MFA) for O365

Basic mobile device management via MDM for O365

• Device settings management

• Selective wipe

• Built into O365 management console

RMS protection via RMS for O365

• Protection for content stored in Office (on-premises or O365)

• Access to RMS SDK

• Bring your own key

Advanced Security Management

• Insights into suspicious activity in Office 365

Azure Active Directory

• Risk based conditional access

• Advanced security reports

• Single sign-on for all apps

• Advanced MFA

• Dynamic Groups, Group based licensing assignment

• Privileged identity management

Identity and access management

Cloud App Security

• Visibility and control for all cloud apps

Advanced Threat Analytics

• Identify advanced threats in on premises identities

Identity-driven security

Intune

• Mobile app management

• Users self-service management

• Certificate provisioning

• PC management

Azure Information Protection

• Automated intelligent classification and labeling of data

• Tracking and notifications for shared documents

• Protection for on-premises Windows Server file shares

Information protection

Managed mobile productivity

Page 25: Microsoft EMS and Office 365 - Better Together

Capabilities and features - details

Page 26: Microsoft EMS and Office 365 - Better Together

Directory as a service (no object limit) ● ●

User and group management ● ●

Single sign-on for pre-integrated SaaS and custom applications ● ●

Security/usage reports ● ●

Self-service password reset for cloud users ● ●

Company branding (logon pages/access panel customization) ● ●

Application proxy ● ●

SLA 99.9% ● ●

Self-Service Group and app Management/Self-Service application additions/ Dynamic Groups ● ●

Self-service password reset/change/unlock with write-back to on-premises directories ● ●

Multi-Factor Authentication (cloud and on-premises (MFA server)) ●

Limited cloud-only for Office 365 Apps ●

MDM auto-enrollment, Self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming ● ●

Group-based access management/provisioning ●

MIM CAL + MIM Server*** ●

Cloud app discovery ●

Connect Health ●

Conditional Access based on group/location/device state ●

Identity Protection ●

Privileged Identity Management ●

Join a Windows 10 device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery ●

*Default usage quota is 150,000 objects. An object is an entry in the directory service, represented by its unique distinguished name. An example of an object is a user entry used for authentication purposes. If you need to exceed this default quota, please contact support. The 500K object limit does not apply for Office 365, Microsoft Intune, or any other Microsoft paid online service that relies on Azure Active Directory for directory services.

**With Azure AD Free and Azure AD Basic, end-users are entitled to get single sign-on access for up to 10 applications.

***Microsoft Identity Manager Server software rights are granted with Windows Server licenses (any edition). Since Microsoft Identity Manager runs on Windows Server OS, as long as the server is running a valid, licensed copy of Windows Server, then Microsoft Identity Manager can be installed and used on that server. No other separate license is required for Microsoft Identity Manager Server.

Page 27: Microsoft EMS and Office 365 - Better Together

RMS for O365* Azure RMS (EMS)

Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content ● ●

Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle2 ● ●

Custom templates, including departmental templates ● ●

Protection for on-premises Exchange and SharePoint content via Rights Management Services (RMS) connector ● ●

RMS software developer kit for all platforms: Windows, Windows Mobile, iOS, Mac OSX, and Android ● ●

Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) ●** ●

RMS content consumption by using work or school accounts from RMS policy-aware apps and services ● ●

RMS content creation by using work or school accounts ●*** ●

Manual document classification and consumption of classified documents ● ●

Automated data classification and administrative support for automated rule sets ●

Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios ●

RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector ●

Document tracking and revocation ●

*Some Office 365 subscriptions also include data protection using Microsoft Azure RMS. For information on those Office 365 subscriptions and the data protection capabilities they include, refer to Azure Information Protection licensing datasheet.

**Azure subscription required to use configured key for Bring Your Own Key (BYOK).

***Currently, you can also use this free subscription to help protect documents and create new email messages with enhanced protection. However, the ability to author new protected content is intended for trial use only and might be removed in the future.

Page 28: Microsoft EMS and Office 365 - Better Together

Cloud-based management for iOS, Android, and Windows Phone. ● ● ●

Device configuration

Inventory mobile devices that access corporate applications ● ● ●

Remote factory reset (full device wipe) ● ● ●

Mobile device configuration settings (PIN length, PIN required, lock time, etc.) ● ● ●

Self-service password reset (Office 365 cloud only users) ● ● ●

Office 365

Provides reporting on devices that do not meet IT policy ● ●

Group-based policies and reporting (ability to use groups for targeted device configuration) ● ●

Root cert and jailbreak detection ● ●

Remove Office 365 app data from mobile devices while leaving personal data and apps intact (Selective wipe) ● ●

Prevent access to corporate email and documents based upon device enrollment and compliance policies ● ●

Premium mobile device & app management

Self-service Company Portal for users to enroll their own devices and install corporate apps ●

Deploy certificates, VPN profiles (including app-specific profiles), and Wi-Fi profiles ●

Prevent cut/copy/paste/save as of data from corporate apps to personal apps (Mobile application management) ●

Secure content viewing via Managed browser, PDF viewer, Imager viewer, and AV player apps for Intune ●

Remote device lock via self-service Company Portal and via admin console ●

Enroll and manage collections of corporate-owned devices, simplifying policy and app deployment. ●

Deploy your internal line-of-business apps and apps in stores to users. ●

Enable more secure web browsing using the Intune Managed Browser app ●

PC management

Cloud-based management for Mac OS X and Windows PCs. ●

PC management (e.g. inventory, antimalware, patch, policies, etc.) ●

OS deployment (via System Center ConfigMgr) ●

PC software management ●

Single management console for PCs and mobile devices (through integration with System Center ConfigMgr) ●

Page 29: Microsoft EMS and Office 365 - Better Together

Contact us for additional information & deployment [email protected]