Microsoft Enterprise Mobility Suite | Getting started…

Upload: thomas-godsted-rysgaard

Post on 12-Aug-2015

TRANSCRIPT

Microsoft Enterprise Mobility Suite | Getting started…

Agenda

• Introduction

• What is EMS and why do you need it?

• How to get started

• Newly added features

Thomas Godsted Rysgaard

- Senior Consultant at Atea
- Soon to be a father
- Likes long walks on the beach….
- Email: [email protected]
- Twitter: @thomasrysgaard

What's driving change?

(Diagram: users, devices, apps, data and IT)

More freedom increases risk

Security is more important than ever before

Enterprise Mobility Suite

Azure Active Directory Premium
• Hybrid identity
• Control panel
• Multi-factor authentication
• Password reset

Microsoft Intune
• Mobile and device management
• Compliance settings
• Mobile application management

Azure Rights Management
• Information protection
• Document tracking
• Bring your own key

First step – Identity

Azure Active Directory Premium

(Diagram: identity at the centre of files, apps and devices, giving self-service and single sign-on; a username/password sign-in form is shown)

Identity as the foundation

(Diagram: Azure AD Connect bridges on-premises Windows Server Active Directory and other directories to Microsoft Azure Active Directory in the cloud, which in turn fronts Office 365, Azure, SaaS and other public-cloud applications)

Azure AD Connect

Consolidated deployment assistant for your identity bridge components:

• Express settings
• Multi-forest support
• Password hash sync
• Streamlined federation setup with ADFS
• Configurable sync settings

(Diagram: Azure AD Connect consolidates DirSync, Azure AD Sync and FIM + Azure AD Connector into one package containing the sync engine, on-boarding to Azure AD & Office 365, and optional ADFS)

http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx

ADFS

ADFS is optional; it addresses complex enterprise deployments: domain-join SSO, enforcement of AD login policy, smart card or third-party MFA.

Azure Active Directory Premium

• Multi-factor authentication

• Group-based app access

• Advanced security reports and alerts

• Self-service enablement

• Forefront Identity Manager (FIM)

• Enterprise SLA

Azure Multi-Factor Authentication

A stand-alone Azure identity and access management service that is also included in Azure Active Directory Premium.

Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.

Trusted by thousands of enterprises to authenticate employee, customer, and partner access.

DEMO
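As an added example (not part of the presentation and not Microsoft's sample code), the PowerShell below turns on per-user Azure MFA for every user in an Azure AD group and reports what it changed. It uses the classic MSOnline (v1) module that shipped alongside EMS at the time; the group name is an assumption, and you must sign in as a Global Administrator when Connect-MsolService prompts.

```powershell
# Added example, not from the presentation: enable per-user Azure MFA for every
# user in an Azure AD group, using the classic MSOnline (v1) module of the time.
# The group name below is an assumption; sign in as a Global Administrator first.
Import-Module MSOnline
Connect-MsolService

function Enable-GroupMfa {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $ReportOnly        # list what would change without touching users
    )
    $group = Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }
    if (-not $group) { throw "Group '$GroupName' not found" }

    # Per-user MFA is expressed as a StrongAuthenticationRequirement: RelyingParty '*'
    # covers every application; 'Enabled' makes the user register at next sign-in,
    # 'Enforced' would demand MFA immediately (and break clients that cannot do it).
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'
    $requirement.RememberDevicesNotIssuedBefore = Get-Date

    $members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'User' }   # nested groups are not expanded here

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId
        $current = @($user.StrongAuthenticationRequirements) | Select-Object -First 1

        if ($current -and ($current.State -in @('Enabled', 'Enforced'))) {
            # Already on; leave an Enforced user alone rather than downgrading to Enabled.
            [pscustomobject]@{ User = $user.UserPrincipalName; Action = 'Unchanged'; State = $current.State }
            continue
        }
        if (-not $ReportOnly) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
        }
        [pscustomobject]@{ User = $user.UserPrincipalName; Action = 'Enabled'; State = $requirement.State }
    }
}

# Dry run first; drop -ReportOnly to apply the change.
Enable-GroupMfa -GroupName 'EMS Pilot Users' -ReportOnly | Format-Table -AutoSize
```

Run it with -ReportOnly first to see the member list, then without it. Keep the state at 'Enabled' for a pilot group until everyone has registered their second factor; switching straight to 'Enforced' locks out users on clients that cannot perform the extra authentication step.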

Second step – Device Management

Microsoft Intune

Device choice. Simplified management.

• Desktop virtualization
• Access & information protection
• Mobile device & application management
• Hybrid identity

Simplified device enrollment and registration

Single console to manage all devices

Managed productivity with Office mobile apps

Conditional access to corporate resources

Deployment flexibility

(Diagram: two deployment models. Configuration Manager integrated with Intune (hybrid) adds System Center Configuration Manager for domain-joined PCs alongside Intune for mobile devices and PCs; Intune standalone (cloud only) manages mobile devices and PCs from the cloud)

Single management console for IT admins: the Configuration Manager console (hybrid) or the Intune web console (cloud only)

Subscription requirements

Configuration Manager integrated with Intune (hybrid):

• Android: there are no configuration requirements for Android devices.
• iOS:
  1. Download a certificate signing request (CSR) from the Request APNs Certificate Signing Request dialog box in Configuration Manager.
  2. Submit the CSR to the Apple Push Certificate Portal and download the APNs certificate (.pem file).
  3. Upload the APNs certificate to Microsoft Intune.
• Windows RT: there are no initial configuration requirements for enabling management of Windows RT devices. To enable installation of apps for Windows 8.1, add a valid code-signing certificate and sideloading keys to Configuration Manager.
• Windows Phone 8: add a code-signing certificate (.pfx or .p12 file) and upload the signed Company Portal app.

Intune standalone (cloud only):

• Android: no action required prior to setup.
• iOS: no prior action required; the APNs process can be completed later in the user interface (UI).
• Windows RT: no action is required; a code-signing certificate and sideloading keys are set up in the UI for app publication.
• Windows Phone 8: requires a code-signing certificate and a signed Company Portal app.

Enterprise mobility management with Intune

(Diagram: mobile device management, mobile application management and on-premises management)

Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Company portal self-service experience

• Consistent experience across Windows, Windows Phone, Android and iOS
• Discover and install corporate apps
• Manage devices and data
• Ability to contact IT
• Customizable terms and conditions

Show of hands…

Conditional access to email

(Diagram: the user signs in, Microsoft Intune performs policy verification against the device, and the settings come from the admin console)

Required settings defined by the IT admin:

• Enrolled device
• Encrypted device
• Passcode set
• Not jailbroken/rooted
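To show how the policy verification above turns device state into an allow/block decision, here is an added PowerShell example written for this write-up; it is neither Intune's code nor the presenter's demo. The device records are constructed sample inventory (in a real tenant Intune supplies them and enforces the verdict in front of Exchange Online), and the property names are assumptions. Each required setting is reported as Conformant, NonConformant or Error, and any state other than Conformant blocks access, so a device whose jailbreak status was never reported is blocked rather than waved through.

```powershell
# Added example, not from the presentation: turn the four required settings into a
# per-setting report and an allow/block decision for Exchange Online access.
# The device records are constructed sample data; Intune supplies them in practice.
$requiredSettings = @(
    @{ Name = 'Enrolled device';       Property = 'Enrolled';    Expected = $true  },
    @{ Name = 'Encrypted device';      Property = 'Encrypted';   Expected = $true  },
    @{ Name = 'Passcode set';          Property = 'PasscodeSet'; Expected = $true  },
    @{ Name = 'Not jailbroken/rooted'; Property = 'Jailbroken';  Expected = $false }
)

function Test-DeviceSettings {
    param([Parameter(Mandatory)] [hashtable] $Device)
    foreach ($setting in $requiredSettings) {
        # A value the inventory never reported is an Error, not a pass: an unknown
        # jailbreak state must block, otherwise the check fails open.
        $state = 'Conformant'
        if (-not $Device.ContainsKey($setting.Property)) { $state = 'Error' }
        elseif ($Device[$setting.Property] -ne $setting.Expected) { $state = 'NonConformant' }
        [pscustomobject]@{ Setting = $setting.Name; State = $state }
    }
}

function Get-ConditionalAccessDecision {
    param([Parameter(Mandatory)] [hashtable[]] $Devices)
    foreach ($device in $Devices) {
        $failed = @(Test-DeviceSettings -Device $device | Where-Object { $_.State -ne 'Conformant' })
        $access = 'Block'
        if ($failed.Count -eq 0) { $access = 'Allow' }   # every required setting conformant
        [pscustomobject]@{
            Device  = $device.Name
            User    = $device.User
            Access  = $access
            Reasons = ($failed | ForEach-Object { "$($_.Setting): $($_.State)" }) -join '; '
        }
    }
}

# Constructed sample inventory: one compliant device, one unencrypted, one
# unenrolled and jailbroken, one with no jailbreak status reported at all.
$sampleDevices = @(
    @{ Name = 'iPad-001';  User = 'alice'; Enrolled = $true;  Encrypted = $true;  PasscodeSet = $true;  Jailbroken = $false },
    @{ Name = 'Nexus-7';   User = 'bob';   Enrolled = $true;  Encrypted = $false; PasscodeSet = $true;  Jailbroken = $false },
    @{ Name = 'iPhone-5s'; User = 'carol'; Enrolled = $false; Encrypted = $true;  PasscodeSet = $false; Jailbroken = $true  },
    @{ Name = 'Lumia-930'; User = 'dave';  Enrolled = $true;  Encrypted = $true;  PasscodeSet = $true }
)

Get-ConditionalAccessDecision -Devices $sampleDevices | Format-Table -AutoSize
```

The Reasons column is what you want in the admin console and in the user's self-service portal: a blocked user who sees "Encrypted device: NonConformant" can fix it themselves, which is the remediation loop conditional access depends on.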

Demo

Conditional Access for Exchange Online (quickest demo….. In the world!)

Mobile Application Management with Microsoft Intune

Complete mobile application management

• Securely access corporate information using Office mobile apps, while preventing company data loss by restricting actions such as copy/cut/paste/save in your managed app ecosystem

• Extend these capabilities to existing line of business apps using the Intune app wrapper

• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

Manage all of your corporate apps and data with Intune's mobile device and application management solution

(Diagram: corporate data stays inside the managed apps, Managed Browser and viewer apps; personal apps sit outside, unmanaged)

Selective wipe

(Diagram: personal apps alongside managed apps and the Company Portal; the admin is prompted "Are you sure you want to wipe corporate data and applications from the user's device?" with OK/Cancel)

• Perform selective wipe via self-service company portal or admin console
• Remove managed apps and data
• Keep personal apps and data intact

Demo

Create and Deploy Mobile Application Management Configuration

Conditional access policy

• Ability to restrict access to Exchange on-premises email based upon device enrollment

• Ability to restrict access to Exchange Online email based upon device enrollment and compliance policies

Mobile app management

• Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem

• Ability to extend application protection to existing line-of-business apps using the Intune App Wrapping Tool for iOS

• Managed Browser app for Android devices that controls actions that users can perform, including allow/deny access to specific websites

• PDF Viewer, AV Player, and Image Viewer apps for Android devices that help users securely view corporate content

Configuration policies and resource access

• Deployment of email, WiFi, VPN profiles as well as certificates

• Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode

• Targeting of policies and apps by device groups

• Enforcement of application install or uninstall

• Convenient access to internal corporate resources via per-app VPN configurations for iOS

• Application install allow/deny list

• Remote pin reset for Windows Phone 8.1 (currently supported for iOS and Android)

• Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices

• Ability to restrict administrator access to a specific set of user and device groups

• Ability to create configuration files using Apple Configurator and import these files into Intune to set custom iOS policies

• Lockdown of Windows Phone 8.1 devices with Assigned Access mode using OMA-URI settings

• Ability to set additional policies on Windows Phone 8.1 devices using OMA-URI settings

Ongoing support for device platforms

• Service account enrollment

• Customizable terms and conditions

• Enhanced user interface for Intune administration console

• Ability to push free store apps to iOS devices

• Support for Apple Configurator

Conditional access policy

• Ability to restrict access to SharePoint Online (includes OneDrive for Business) based upon device enrollment and compliance

• Ability to restrict access to Exchange on-premises for Exchange ActiveSync clients on Android devices

Mobile app management

• Management of the Office Mobile app (access, view, and edit Word, Excel, and PowerPoint documents) for Android phones

• Management of OneNote and OneDrive apps

• Management of Work Folders app for iOS devices

Configuration policies and resource access

• Ability to require encryption on Windows 8.1 (x86) devices

• Ability to set minimum classification of platform updates to be installed automatically on Windows 8.1 (x86) devices

• Ability to restrict the number of devices a user can enroll in Intune

• Support for Cisco AnyConnect per-app VPN configurations for iOS devices

• Deployment of WiFi profiles for Windows devices using XML import and Windows Phone devices using OMA-URI (currently supported for iOS and Android)

• Ability to create WiFi profiles with pre-shared keys (PSK) for Android devices

• Ability to resolve certificate chains on Android devices without the need to deploy each intermediate certificate individually

• Ability to deploy .appx files and .appx bundles to Windows Phone 8.1 devices

Ongoing support for device platforms

• Support for Apple Device Enrollment Program (DEP)

• Ability to browse and install apps on Windows Phone 8.1 devices using Intune Company Portal website

• Ability to manage Windows Defender on Windows 10 PCs running Windows 10 Technical Preview without need for separate Microsoft Intune Endpoint Protection agent to be installed

• Combined Microsoft Intune Company Portal websites for PCs and mobile devices to provide a more consistent user experience across platforms

• Enhanced user interface for overview pages within Intune admin console

Hybrid configuration (ConfigMgr)

• Restrict access to Exchange Online email only if device is managed and compliant

• Ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices

Conditional access policy

• Ability to restrict access to Outlook app based on device enrollment and compliance

Mobile app management

• Intune App SDK for iOS

• Intune App Wrapping Tool for Android

• Support for MAM in the Outlook app

• Multi-identity

Ongoing support for device platforms

• Support of Apple Volume Purchase Program (VPP)

• Windows 10 support

• Mac OS X support

Roadmap

Settings management

Comprehensive security policies are enforced on each platform

Reporting available on each setting whether it is applicable, conformant or has an error

Extensive configuration settings are available for each platform

Policies can be applied to user and device groups


Third step – Data Protection

Azure Rights Management

Azure RMS is built on…

Encryption: documents are strongly encrypted at rest, in motion and in-use

Identity and access management: user identities are used to restrict access

Policy enforcement: granular rights control (who can print/edit/save/forward)

Access logging: every access to a document is logged, wherever and whenever it is used

(Diagram: on-premises Active Directory syncs a minimal set of attributes to Azure AD; desktop and mobile users authenticate to Azure RMS directly, while on-premises IT workloads send authorization requests through the Azure RMS Connector (proxy); bring-your-own-key is optional)

• Rights management service provided in the Azure cloud
• Minimal sync of AD info to Azure AD (~13 properties)
• End users access Azure RMS from desktops and mobile; IT workloads connect via the Azure RMS Connector (proxy)
• Simple, secure collaboration with external organizations through the Azure AD trust fabric

Azure Rights Management

Integration with Office 2010/2013

Across devices – Windows, iOS, Android

Windows Shell Extensions

Native Applications and Generic protection using Protected File (PFILE)

Custom administrator defined policies

I can protect and share information securely across device types

RMS application

DEMO

The Document Tracking site

User tracks a document he sends to his staff

• Summary view
• Timeline view
• Map view

User wants to revoke the document

http://blogs.technet.com/b/rms/archive/2015/06/03/rms-protection-tool-ga.aspx

# Create an ad-hoc license granting the named user EDIT rights (the address is a placeholder),
# then protect the file with that license.
$lic = New-RMSProtectionLicense -UserEmail [email protected] -Permission EDIT
Protect-RMSFile -License $lic -File "C:\Users\thomas\Desktop\Confidential"
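Building on the two cmdlets above, here is an added example (written for this page, not the presenter's demo or Microsoft's sample) that protects every file in a folder with one ad-hoc license, skips files that are already protected, and returns a result per file. The folder paths, the recipient address and the 30-day expiry passed through -ValidForDays are assumptions; the RMSProtection module from the RMS Protection tool linked above must be installed, and you must already be authenticated to Azure RMS.

```powershell
# Added example, not from the presentation: bulk-protect a folder with one ad-hoc
# license. Paths, recipient and expiry are placeholders; the RMSProtection module
# (RMS Protection tool) must be installed and the user signed in to Azure RMS.
Import-Module RMSProtection

function Protect-FolderForAudience {
    param(
        [Parameter(Mandatory)] [string]   $SourceFolder,
        [Parameter(Mandatory)] [string]   $OutputFolder,
        [Parameter(Mandatory)] [string[]] $Recipients,
        [ValidateSet('VIEW', 'EDIT', 'PRINT', 'EXTRACT', 'FORWARD', 'OWNER')]
        [string[]] $Rights = @('VIEW'),
        [int] $ValidForDays = 30
    )
    if (-not (Test-Path $OutputFolder)) { New-Item -ItemType Directory -Path $OutputFolder | Out-Null }

    # One license is reused for every file: the named recipients get exactly $Rights,
    # and the license expires after $ValidForDays, so a copy that leaks stops opening
    # even if nobody revokes it from the tracking site.
    $license = New-RMSProtectionLicense -UserEmail $Recipients -Permission $Rights -ValidForDays $ValidForDays

    foreach ($file in Get-ChildItem -Path $SourceFolder -File) {
        # Already-protected files are left alone; protecting again would wrap an
        # encrypted blob in a second layer and the recipients could not open it.
        if ((Get-RMSFileStatus -File $file.FullName).Status -eq 'Protected') {
            [pscustomobject]@{ File = $file.Name; Result = 'AlreadyProtected'; Output = $null }
            continue
        }
        try {
            $out = Protect-RMSFile -File $file.FullName -License $license -OutputFolder $OutputFolder
            [pscustomobject]@{ File = $file.Name; Result = 'Protected'; Output = $out.EncryptedFile }
        } catch {
            # Keep going on a single bad file; the caller sees which one failed and why.
            [pscustomobject]@{ File = $file.Name; Result = "Failed: $($_.Exception.Message)"; Output = $null }
        }
    }
}

# Placeholder paths and address (assumptions); viewers may read and print, nothing else.
Protect-FolderForAudience -SourceFolder 'C:\Users\thomas\Desktop\Confidential' `
                          -OutputFolder 'C:\Users\thomas\Desktop\Protected' `
                          -Recipients 'partner@example.com' -Rights 'VIEW', 'PRINT' |
    Format-Table -AutoSize
```

Writing to a separate output folder leaves the plaintext originals untouched, so check the returned table before deleting or sharing anything. The expiry complements the revoke step on the tracking site: revocation stops a tracked document immediately, expiry catches the copies nobody remembers to revoke.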

Multiple layers of data protection

Enterprise Mobility Suite:

• Identify and authorize user (Azure Active Directory Premium)
• Apply device policies (Microsoft Intune)
• Apply application policies (Microsoft Intune)
• Apply content policies (Azure Rights Management)

aka.ms/EnterpriseMobilitySuite

Q&A

© 2014 Atea A/S. All rights reserved. This presentation is for informational purposes only. Atea A/S makes no warranties, express or implied, in this summary.

Specialists in IT infrastructure