Microsoft Enterprise Mobility Suite Standalone - overview

Speakers:
- Peter Daalmans, IT-Concern (http://configmgrblog.com, peter@daalmans.com)
- John Marcum, Enterprise Client Management Architect, BABC (johnmarcum@outlook.com)
About the speakers
- John Marcum (@SCCM_Marcum): Enterprise Mobility Microsoft MVP, 13 years of end user device management. "I enjoy a cold beer now and then."
- Peter Daalmans (@pdaalmans): Enterprise Mobility Microsoft MVP, Senior Consultant, Author, Blogger. "So am I."
Agenda
- Main EMS components covered: Azure AD Premium, Microsoft Intune, Azure RMS
- How to get started?
Enterprise Mobility Suite
What is MS EMS?
The Enterprise Mobility Suite consists of:
- Azure Active Directory
- Azure Rights Management Services
- Azure RemoteApp
- Advanced Threat Analytics
- Intune
- Identity Manager
Identity: Azure AD Premium
Making hybrid identity simple
- Sync tools: DirSync, Azure AD Sync, Azure AD Connect
- Azure AD Connect: consolidated deployment assistant for your identity bridge components
- FIM + Azure AD Connector (the difference is the password)
- ADFS use cases: tighter AD integration, security policy, conditional access, smart card authentication
Identity: cloud, sync or federated?
- Cloud identity: all identity resides in the cloud
- Identity sync: bridge your existing identity into the cloud
- Federated identity: retain all authentication on-premises
- B2B federated identity: securely share and collaborate with other organizations
Azure Active Directory Premium
- Active Directory in the cloud
- Federation and identity provisioning
- Centrally managed identities
- Synchronization
- Single user identity (SSO)
- Monitor and protect access to cloud apps
- Authentication and security reports
- Multi-factor authentication (MFA)
- Empower end users: self-service password reset
AAD editions comparison

| Feature | Free | Basic | Premium | Office 365 apps |
| Directory objects | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts |
| Single sign-on to SaaS apps | 10 apps per user | No limit | No limit | 10 apps per user |
| Self-service password change for cloud users | Yes | Yes | Yes | Yes |
| Identity synchronization tool (Windows Server Active Directory integration, multi-forest) | Yes | Yes | Yes | Yes |
| Security reports | 3 basic reports | 3 basic reports | Advanced security reports | 3 basic reports |
| Cloud App Discovery* | Yes (basic) | Yes (basic) | Yes (advanced)** | Yes (basic) |
| Premium + Basic features: | | | | |
| Group-based access management/provisioning | - | Yes | Yes | - |
| Self-service password reset for cloud users | - | Yes | Yes | - |
| Company branding (logon pages / Access Panel customization) | - | Yes | Yes | - |
| SLA | - | Yes | Yes | Yes |

Office 365 apps column: limited, cloud-only features for accessing Office 365.
Other premium features
Self-service experience for users
- Users can edit their profile details to update and add missing information.
- Users can reset their passwords, significantly reducing help desk burden and costs.
- Self-service group management, including dynamic membership calculation in groups and distribution lists based on the user's attributes.
Monitor and protect access on go-anywhere devices
- Built-in security features, like "you can't be in two places at once".
- Security reporting that tracks inconsistent access patterns, analytics and alerts.
- Ensure secure access by enabling MFA.
Multi-factor authentication
Any two or more of the following factors:
- Something you know: a password or PIN.
- Something you have: a phone, credit card or hardware token.
- Something you are: a fingerprint, retinal scan or other biometric.
Stronger when the factors use two different channels (out-of-band).
Premium reports
- Advanced application usage reporting
- Password reset activity
- Self-service activity
- Identify unexpected logon behavior
Integrate on-prem apps with Azure AD
Azure AD authentication capabilities:
- Username and password synced from on-prem AD
- Federated login to on-prem or other federation servers
- Multi-factor authentication
- Customized login screen
- Authorization based on user or groups
- SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
- Reports, auditing and security monitoring based on big data and machine learning
Architecture (diagram): end users reach the Access Panel portal; Azure Active Directory provides authorization, authentication + MFA, reporting and auditing, security monitoring and the Application Proxy; connectors in the DMZ relay requests to resources on the corporate network.
Demo Azure Active Directory Premium
Microsoft Intune: MDM, MAM and more
Microsoft Intune
- Mobile device management: Windows, Windows Phone/Mobile, iOS, Android and Mac OS X
- Policy and application management
- Compliance reporting
- Conditional access to resources
- Selective wipe of devices
- Reset passcode / unlock devices
- Hybrid / cloud solution
Single management console for IT admins
- Intune web console (cloud only)
- Configuration Manager console (hybrid)
Comprehensive lifecycle management (user and IT)
Enroll:
- Provide a self-service Company Portal for users to enroll devices
- Deliver custom terms and conditions at enrollment
- Bulk enroll devices using Apple Configurator or a service account
- Restrict access to Exchange email if a device is not enrolled
Provision:
- Deploy certificates, email, VPN and WiFi profiles
- Deploy device security policy settings
- Install mandatory apps
- Deploy app restriction policies
- Deploy data protection policies
Manage and protect:
- Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
- Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
- Report on device and app compliance
Retire:
- Revoke access to corporate resources
- Perform selective wipe
- Audit lost and stolen devices
Microsoft Intune Company Portal(s)
Company Portal self-service experience
Consistent experience across Windows, Windows Phone / Mobile, Android and iOS:
- Discover and install corporate apps
- Manage devices and data
- Customizable terms and conditions
- Ability to contact IT
- Force a policy refresh
- Retire/wipe
Microsoft Intune device enrollment: the new way (conditional access)
Enrolling devices (diagram: internal connector, DirSync with password sync)
- Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and the cloud.
- Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications.
Conditional access for Office 365 (diagram: numbered flow)
- The device attempts an email connection
- The device management / compliance status is set
- If not compliant, the device is pushed into quarantine
- Enrollment / compliance remediation
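A small model of the conditional access decision described above, added here as an example that is not part of the slides: the device fields, the compliance rules (jailbreak, passcode, encryption, taken from the policy settings named on the Intune slides) and the decision strings are constructed for illustration; the real evaluation happens inside Azure AD and Exchange Online, not in client code.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Constructed device record; fields mirror Intune compliance settings."""
    name: str
    enrolled: bool = False       # enrolled in Intune (or a trusted MDM)?
    jailbroken: bool = False     # rooted/jailbroken devices violate policy
    passcode_set: bool = False   # device PIN / passcode configured?
    encrypted: bool = False      # storage encryption enabled?
    violations: list = field(default_factory=list)

# Compliance rules (assumed for the example); each returns True when the rule passes.
COMPLIANCE_RULES = {
    "jailbroken": lambda d: not d.jailbroken,
    "passcode": lambda d: d.passcode_set,
    "encryption": lambda d: d.encrypted,
}

def check_compliance(device: Device) -> list:
    """Record and return the names of failed rules (empty list = compliant)."""
    device.violations = [n for n, ok in COMPLIANCE_RULES.items() if not ok(device)]
    return device.violations

def conditional_access(device: Device) -> str:
    """Decision when the device attempts an email connection (the numbered flow)."""
    if not device.enrolled:
        return "quarantine: enroll device"   # unenrolled -> quarantine, then enrollment
    if check_compliance(device):
        return "quarantine: remediate " + ", ".join(device.violations)
    return "allow"

def remediate(device: Device) -> Device:
    """Simulate the user completing enrollment / compliance remediation."""
    device.enrolled = True
    device.passcode_set = True
    device.encrypted = True
    return device   # a jailbroken device stays non-compliant after remediation

if __name__ == "__main__":
    for dev in (Device("phone-ok", True, False, True, True),
                Device("phone-new"),
                Device("phone-jb", True, True, True, True)):
        print(dev.name, "->", conditional_access(dev),
              "| after remediation:", conditional_access(remediate(dev)))
```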
Demo: device enrollment, the new way (conditional access)
Microsoft Intune: application management
Mobile Application Management: what can we do?
- Force compliance before access to the app and data
- Secure the data within the app: prohibit copy/paste, prohibit screenshots, prohibit save as, force encryption, disable Outlook sync (MDM-less MAM only)
- Secure the app by PIN or corporate credentials
- Secure LOB apps via the app wrapper
See http://ref.ms/mamlist for an up-to-date list of apps.
Mobile Application Management
- Maximize mobile productivity and protect corporate resources with Office mobile apps
- Extend these capabilities to existing line-of-business apps using the Intune app wrapper
- Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player and Image Viewer apps
- Personal apps (diagram label)
Mobile Application Management: data leakage controls (diagram: copy, paste, save; paste to personal app; save to personal storage)
Maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save within your managed app ecosystem.
MDM-less MAM use cases
- Apps running on devices that are not enrolled in any MDM solution
- Apps running on devices that are enrolled in a third-party MDM solution
Mobile app config policy
- Preconfigure iOS apps with settings
- The app needs to support the iOS app config policy
See http://ref.ms/mamlist for more info.
Enterprise Data Protection: what is EDP?
- Protects data at rest, wherever it rests or may roam to
- Seamless integration into the platform: no mode switching, use any app
- Corporate versus personal data is identifiable wherever it rests on the device
- Prevents unauthorized apps from accessing business data
- IT has full control of keys and data and can remotely wipe data on demand
- Common experience across all Windows devices, with cross-platform support
- Available from Windows 10 Redstone
Enterprise Data Protection: provisioning keys and policies
1. The user enrolls with the enterprise (Intune or domain join).
2. Intune or SCCM provisions the policy and encryption keys.
Policies: enterprise allowed apps, network policies, app restriction policy.
Demo: Mobile Application Management
Azure Rights Management: protecting the data
Azure Rights Management uses encryption, identity and authorization policies to help secure your files and email, and it works across multiple devices.
Azure Rights Management: cool features
- Protection stays with the file
- Works both inside and outside the company
- Easy audit and monitoring
- On-prem (RMS Connector) and O365 support
Demo: Rights Management
How to get started with Microsoft EMS?
How to get started?
1. Go to ref.ms/ems > Try now
2. Sign up
3. Set up AAD Connect (synchronize accounts)
4. Set the MDM authority
5. Configure platforms
6. Enroll!
And that is what we are going to do after the break!
Share your voice / ideas!
- http://microsoftintune.uservoice.com/
- http://configurationmanager.uservoice.com/
Questions
And Then