Sean P. McDonough, National Office 365 Solution Manager, Cardinal Solutions Group

Posted on 27-Aug-2018

A little about me

National Office 365 Solution Manager
• Responsible for business productivity (primarily Office 365 and EMS) strategy, capabilities development, etc., at a national level
• Have been spending a lot of time providing education, guidance, and POC development with Microsoft’s EMS

Microsoft MVP for Office Development, Office Servers and Services

Cardinal Solutions Group: Who we are

Growth: 400+ FTEs, 20% YOY growth, $60M 2015 revenue
Locations: Cincinnati, Columbus, Charlotte, Raleigh, Tampa
Technology: Cloud, Data, Web, Mobile
Founded: 1996, Cincinnati, Ohio

What We’ll Cover Today

• Why I’m talking about EMS
• What’s driving EMS?
• EMS capabilities and solutions
• Summaries and comparisons

WHY I’M TALKING ABOUT EMS

Yeah, I’ve heard of that …

Many of you have probably heard of EMS
• Microsoft is spending a lot of time talking about EMS and adding capabilities to it
• Despite knowing that EMS stands for “Enterprise Mobility Suite,” many people don’t know what EMS really is

Confusion about Office 365, EMS, and other offerings
• Where does Office 365 stop and EMS start?
• What can I actually do with EMS?

WHAT’S DRIVING EMS?

The current identity reality…

Our current reality
• 61% of workers mix personal and work tasks on their devices*
• >80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs**
• >75% of network intrusions exploited weak or stolen credentials***

We live in a mobile-first/cloud-first world
(Diagram: IT serving employees, customers, and business partners)

Axes of protection
(Diagram: users, devices, apps, and data as the four axes)

Security is the name of the game

At its core, EMS is about security
• Enhancing existing identity security
• Strengthening device security
• Protecting data, not just systems
• Extending security to on-premises systems

EMS is also about convenience
• Can be used by itself to easily enable SSO to cloud-based and on-premises applications
• Maximum capability with minimum configuration
• Natural complement to Office 365

A multi-axis protection example
(Diagram: protection applied across the identity, application, device, and data axes)

Real-world solutions must go cross-platform

EMS is cross-platform
• iOS, Android, Windows
• 1000s of SaaS apps
• LOB apps, RemoteApp

At the end of the day, “it just works”
• Always up to date
• Works with what you have
• Simple to set up and connect

EMS CAPABILITIES AND SOLUTIONS

The Mobility Suite

Microsoft Azure Active Directory Premium: Identity & Access Management. Easily manage identities across on-premises and cloud. Single sign-on & self-service for any application.

Microsoft Intune: Mobile Device & App Management. Manage and protect corporate apps and data on almost any device with MDM & MAM.

Microsoft Azure Rights Management Premium: Information Protection. Encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs.

Microsoft Advanced Threat Analytics: Behavior-based threat analytics. Identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.

AZURE ACTIVE DIRECTORY PREMIUM

Identity as the control plane
(Diagram: a username/password sign-in form, with self-service, single sign-on, and integrated identity called out)

One common identity
(Diagram: simple connection from on-premises Windows Server Active Directory and other directories to Microsoft Azure Active Directory, which fronts cloud SaaS, Azure, Office 365, and public cloud)

Application Support
• Single sign-on (SSO) support for over 2600 SaaS applications in a variety of different categories
• Many of the most common SaaS applications in use today are supported
  • Salesforce
  • WorkDay
  • Dropbox
  • GoToMeeting

Self-Service Capabilities
• With Office 365
  • Self-service password management
• With EMS
  • Self-service password reset
  • Self-service group management
• Alleviates many of the day-to-day calls that first-level support personnel deal with in a typical organization

Exposing On-Premises Applications (like SharePoint)
• Connectors are deployed on the corporate network
• Multiple connectors can be deployed for redundancy and scale
• The connector(s) auto connect to the cloud service
• User connects to the cloud service that routes their traffic to the resources via the connector(s)
(Diagram: Azure Active Directory in front of the corporate network and DMZ; URLs shown are https://sales-contoso.msappproxy.net, http://sales, and https://sales.contoso.com)

Security Benefits with Application Proxy
• All HTTP/S traffic is terminated in the cloud, blocking most HTTP level attacks such as the Heartbleed bug.
• Unauthenticated traffic is filtered in the cloud and will not arrive on-premises.
• No incoming connections to the corporate network, only an outgoing connection to the Azure AD Application Proxy service
• Internet facing service is always up to date with the latest security patches and server upgrades
• Login abnormality detection, reporting and auditing by Azure AD
(Diagram: Azure Active Directory publishing https://sales-contoso.msappproxy.net to apps on the corporate network and DMZ)

Multi-Factor Authentication
• With Office 365
  • Basic two-factor authentication
• With EMS
  • On-premises MFA server
  • Additional MFA methods
  • Robust reporting
  • One-time bypassing
  • Customizable phone calls
  • … and more

INTUNE

How Gartner Sizes It Up
• On pure device management, AirWatch is king.
• Microsoft’s strategy is more comprehensive, cloud-centric, and cost-effective. It is also not a “point solution”
• “Organizations that should consider Intune are those that want to extend the Office 365 services to mobile devices and ConfigMgr customers that value client management and EMM integration over best-of-breed EMM functionality.”
• “The combination of Azure Active Directory Premium, Azure Rights Management and Intune addresses some useful mobile scenarios, for example, changing an Active Directory password from a mobile device.”

Mobile Application Management
• Maximize mobile productivity and protect corporate resources with Office mobile apps, including multi-identity support
• Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
• Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps
(Diagram: IT applies a multi-identity policy on the user’s device so that corporate data stays in managed apps while personal data stays in personal apps)

Controlling Access to Corporate Data

Access control to corporate data today: the perimeter cannot help protect data stored in the cloud
(Diagram: mobile devices, PCs, web browsers, and apps reaching data)

Protecting Data in a Mobile-First, Cloud-First World

Enterprise Mobility Suite: access control and data protection integrated natively in the apps, devices, and the cloud
(Diagram: SharePoint Online and Exchange Online as the protected services)

Conditional access with EMS

Conditional access policies are evaluated on:
• IP range
• Device state
• Advanced Windows 10 options
• User group
(Diagram: a user reaching corporate apps on-premises and in the cloud, gated by the conditional access policies)
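The slide lists the conditions a conditional access policy can combine; the following added example (not from the presentation, and not Microsoft’s policy engine) models that evaluation: each constructed policy gates a set of apps for a user group, optionally only when the request comes from outside a trusted IP range, and the most restrictive grant across all matching policies wins. The trusted range, groups, app names and policies are assumptions built for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the tenant's trusted egress range (a documentation prefix, not a real network)
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SEVERITY = {"allow": 0, "require_mfa": 1, "block": 2}   # most restrictive outcome wins

@dataclass
class AccessRequest:
    user: str
    groups: set
    source_ip: str
    device_compliant: bool   # device state as reported by the MDM enrollment/compliance check
    app: str

@dataclass
class Policy:
    name: str
    apps: set                                 # corporate apps the policy gates
    groups: set = field(default_factory=set)  # empty = applies to every user
    only_outside_trusted_ips: bool = False    # IP-range condition
    grant: str = "allow"                      # allow | require_mfa | require_compliant_device | block

def from_trusted_ip(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_RANGES)

def evaluate(req: AccessRequest, policies: list) -> str:
    """Apply every policy whose conditions match the request; combine outcomes by severity."""
    decision = "allow"
    for p in policies:
        if req.app not in p.apps or (p.groups and not req.groups & p.groups):
            continue                          # app or user-group condition not met
        if p.only_outside_trusted_ips and from_trusted_ip(req.source_ip):
            continue                          # request comes from a trusted IP range
        if p.grant == "require_compliant_device":
            outcome = "allow" if req.device_compliant else "block"
        else:
            outcome = p.grant
        if SEVERITY[outcome] > SEVERITY[decision]:
            decision = outcome
    return decision

POLICIES = [  # constructed policy set for a hypothetical tenant
    Policy("MFA off the corporate network", {"SharePoint Online", "Exchange Online"},
           only_outside_trusted_ips=True, grant="require_mfa"),
    Policy("Finance mail only from compliant devices", {"Exchange Online"},
           groups={"Finance"}, grant="require_compliant_device"),
    Policy("Contractors may not reach SharePoint Online", {"SharePoint Online"},
           groups={"Contractors"}, grant="block"),
]
```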

Mobile Data Protection

Mobile data protection
• Protect corporate data accessed from devices
• Protect corporate data stored on devices
(Diagram: IT and the user, with on-premises systems as the data source)

Typical EMM Stack

Typical EMM stack
• Native device MDM: standard MDM provides device configuration and management
• Mobile application management: custom SDK/wrapper enables line-of-business apps to be managed (SDK/wrapper, managed browser, managed viewers)
• Containers: custom data container provides mobile productivity apps (custom email app, custom file app, custom collab app) integrated with content and access systems
• Depends on specific DMZ infrastructure; works on-premises only
(Diagram: SharePoint Server, Exchange Server, and Active Directory on the corporate network, behind firewalls and a DMZ/perimeter network)

Microsoft’s EMM Stack

Microsoft’s EMM stack
• Native device MDM: Intune provides cross-platform MDM
• Managed Office productivity and more
  • Office 365: mobile productivity
  • Azure AD: access control to Office 365 and SaaS apps
  • Intune: app restrictions for Office mobile and LOB apps
  • Azure Rights Management: information protection at the file layer
• Extensibility based on Azure AD and Intune: the Intune App SDK and Intune App Wrapping Tool enable business apps to interoperate with Office mobile apps
• Standard on-premises integration (SharePoint Server, Exchange Server, and Active Directory on the corporate network, behind firewalls and a DMZ/perimeter network) and cloud integration (SharePoint Online, Exchange Online)

AZURE RIGHTS MANAGEMENT SERVICE

Encrypt files and data

RMS: How It Works
1. Document author attempts to protect a document
2. Author obtains the certificates necessary to participate in the information protection platform
3. Author protects the document
4. Author distributes the document to another user
5. User contacts the information protection platform, is authenticated, and receives a use license
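The five-step flow above, modelled as an added example that is neither part of the presentation nor the RMS implementation: a stand-in platform authenticates users, issues the author’s certificate (step 2), and later releases the content key as a use license (step 5) only to a recipient named in the publishing license, so the protection travels with the document. The SHA-256 keystream cipher and the user directory are constructed for the demo and are not RMS cryptography.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo (NOT real RMS cryptography): SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ProtectionPlatform:
    """Stand-in for the information protection platform (constructed for this example)."""
    def __init__(self):
        self.server_key = os.urandom(32)
        # Constructed user directory: user -> credential the platform accepts
        self.directory = {"alice": "alice-token", "bob": "bob-token", "mallory": "mallory-token"}

    def authenticate(self, user, token):
        return hmac.compare_digest(self.directory.get(user, ""), token)

    def issue_certificate(self, user, token):  # step 2: author obtains certificates
        if not self.authenticate(user, token):
            raise PermissionError("unknown author")
        return {"user": user, "mac": hmac.new(self.server_key, user.encode(), "sha256").hexdigest()}

    def wrap_key(self, content_key):  # only the platform can unwrap it later
        return keystream_xor(self.server_key, content_key)

    def request_use_license(self, user, token, publishing_license):  # step 5: authenticate, then license
        if not self.authenticate(user, token):
            raise PermissionError("authentication failed")
        rights = publishing_license["policy"].get(user)
        if rights is None:
            raise PermissionError(f"{user} has no rights to this document")
        content_key = keystream_xor(self.server_key, bytes.fromhex(publishing_license["wrapped_key"]))
        return {"content_key": content_key, "rights": rights}

def protect(platform, cert, plaintext, policy):  # steps 1 and 3: author protects the document
    content_key = os.urandom(32)
    return {"ciphertext": keystream_xor(content_key, plaintext),
            "publishing_license": {"author": cert["user"], "policy": policy,
                                   "wrapped_key": platform.wrap_key(content_key).hex()}}

def consume(platform, user, token, protected):  # step 5, recipient side (step 4 is handing over `protected`)
    lic = platform.request_use_license(user, token, protected["publishing_license"])
    return keystream_xor(lic["content_key"], protected["ciphertext"]), lic["rights"]
```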

Email protection
• Keep corporate email off the Internet
• Prevent the forwarding of confidential information
• Templates to centrally manage policies

Automating protection
• Automatically protect email messages and documents that contain sensitive information

Summary of RMS Benefits
• Information is persistently protected wherever it goes
• User experience is natural: users don’t need to learn how to protect or consume information, and user effort is minimal
• Protection can be automated (but without affecting the user’s experience)
• Works with the cloud and with on-premises systems
• RMS can be integrated with most enterprise systems (web mail, MDM, document libraries, ERP, and so on)

ADDITIONAL PROTECTION

Microsoft Advanced Threat Analytics

ATA
• Behavioral analytics: profile normal entity behavior (normal vs. abnormal)
• Forensics for known attacks and issues: search for known security attacks & issues
• Detect suspicious user activities, known attacks and issues
(Diagram: ATA fed by devices and servers, Active Directory, and a SIEM)

Hot off the presses
• Announced June 7th
• Microsoft is partnering with Lookout
• Lookout Mobile Threat Protection is being added to EMS
• What is Mobile Threat Protection?
  • Detects, remediates, and predicts mobile threats
  • Enables secure BYOD programs
  • Provides visibility into mobile device security without compromising employee privacy

SUMMARIES AND COMPARISONS

EMS Benefits for O365 Customers

Identity and access management
• Basic identity management via Azure AD for O365: single sign-on for O365; basic multifactor authentication (MFA) for O365
• Enterprise Mobility Suite (Azure AD for O365+): single sign-on for all cloud apps; advanced MFA for all workloads; self-service group management and password reset with write-back to on-prem directory; advanced security reports; MIM (Server + CAL)

Mobile device and app management
• Basic mobile device management via MDM for O365: device settings management; selective wipe; built into O365 management console
• Enterprise Mobility Suite (MDM for O365+): PC management; mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps); secure content viewers; certificate provisioning; System Center integration

Access & information protection
• RMS protection via RMS for O365: protection for content stored in Office (on-prem or O365); access to RMS SDK; bring your own key
• Enterprise Mobility Suite (RMS for O365+): protection for on-premises Windows Server file shares; email notifications when sharing documents; email notifications when shared documents are forwarded

Hybrid identity management: GA Dec 2014

EMS Benefits for Windows

Windows 10
• Single sign-on for business cloud apps
• Device set up and registration for Windows devices
• Windows Store for Business
• Traditional domain join manageability
• Manageability via MDM and MAM
• Encryption for data at rest and generated on device
• Encryption for data included in roaming settings

Enterprise Mobility Suite

Identity and access management
• Conditional access policies for enhanced single sign-on security
• MDM auto enrollment
• Self-service group and application management
• Password reset with write-back to on-premises directory
• Cloud based advanced security reports
• Microsoft Identity Manager

Mobile device and app management
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, WiFi, VPN, email profile provisioning
• Agent-based management of Windows devices (domain joined via ConfigMgr and internet-based via Intune)

Information protection
• Tracking and notifications for shared documents
• Protection for content stored in Office & Office 365
• Protection for on-premises Windows Server file shares
• Behavioral analytics for advanced threat detection
• Detection for known malicious attacks and security issues

Azure Active Directory Offering Comparison
(Comparison table not recoverable from the transcript)

Azure MFA Offering Comparison
(Columns: MFA for O365/Azure Administrators; Windows Azure Multi-Factor Authentication / EMS. Rows not recoverable from the transcript)

Compare Microsoft Intune to MDM for Office 365

Columns: Exchange ActiveSync (EAS); MDM for Office 365 (MDM); Microsoft Intune, cloud only (Intune); Intune + ConfigMgr, hybrid (Hybrid)

Device configuration (EAS, MDM, Intune, Hybrid)
• Inventory mobile devices that access corporate applications
• Remote factory reset (full device wipe)
• Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
• Self-service password reset (Office 365 cloud only users)

Office 365 (MDM, Intune, Hybrid)
• Provides reporting on devices that do not meet IT policy
• Group-based policies and reporting (ability to use groups for targeted device configuration)
• Root and jailbreak detection
• Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
• Prevent access to corporate email and documents based upon device enrollment and compliance policies

Premium mobile device & app management (Intune, Hybrid)
• Self-service Company Portal for users to enroll their own devices and install corporate apps
• App deployment (Windows Phone, iOS, Android)
• Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles
• Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management)
• Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune
• Remote device lock via self-service Company Portal and via admin console

PC management
• Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.) (Intune, Hybrid)
• PC software management (Intune, Hybrid)
• Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.) (Hybrid)
• Windows Server/Linux/UNIX/Mac OS X support (Hybrid)
• OS deployment and imaging (Hybrid)

Azure RMS Offering Comparison
(Columns: RMS for O365; Azure RMS (EMS). Rows not recoverable from the transcript)

Cost Effectiveness of EMS vs. Point Solutions

Cost effective (per user/month)
• Identity and access management: Microsoft EMS included; other vendors $8 (1)
• Mobile device and application management: Microsoft EMS included; other vendors $10 (2)
• Data protection: Microsoft EMS included; other vendors have no similar products
• Advanced threat detection: Microsoft EMS included; other vendors have no similar products
• Total cost (per user/month): Microsoft EMS $8.75 (3); other vendors $18

1 Okta Enterprise Edition as of 3/1/2015. 2 Airwatch Orange Management Suite-Cloud as of 3/1/2015. 3 50% savings over standalone offers

Contact Info

Sean McDonough, National Solution Manager
[email protected]
http://www.sharepointinterface.com

QUESTIONS