Enterprise Mobility Suite Overview Joe Kuster Catapult Systems
52% of information workers across 17 countries report using three or more devices for work*
90% of enterprises will have two or more mobile operating systems to support in 2017**
>80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***

* Forrester Research: BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies, Feb. 21, 2013
** Gartner press release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
Security Realities No one wants to be the next
Users, devices, apps and data (diagram): management, access and protection
MICROSOFT AZURE ACTIVE DIRECTORY PREMIUM
- Security reports, audit reports and multi-factor authentication
- Self-service password reset and group management
- Connection between Active Directory and Azure Active Directory

WINDOWS INTUNE
- Mobile device settings management
- Mobile application management
- Selective wipe

MICROSOFT AZURE RIGHTS MANAGEMENT SERVICE
- Information protection
- Connection to on-premises assets
- Bring your own key
Identity
What is Multi-Factor Authentication and why you should care
Azure Multi-Factor Authentication
What you know + what you have = access
- Limits the abuse of stolen or hacked passwords: the password alone no longer grants access
- Verify with a mobile app, phone call or text message
- Supports IP whitelisting (sign-ins from trusted IP ranges skip the second factor)
- Extensible on-premises for additional token options
Multi-Factor Authentication Server
Brings the security and ease of use of Office 365's Multi-Factor Authentication to on-premises applications
- Integrates with many of your pre-existing applications through IIS, Windows Authentication, LDAP and RADIUS
- Presents real-time monitoring capabilities and threat reporting
- Software Development Kit (SDK) allows integration into custom apps
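The per-user MFA requirement the preceding two slides describe is set on the Azure AD user object. The following PowerShell is an added example, not code from the deck or from Catapult Systems: it enables MFA for the members of a pilot group and then lists licensed users who still have no MFA requirement, which is the population a stolen password still works against. It assumes the legacy MSOnline module is installed and Connect-MsolService has already been run by an administrator; contoso.com, the group name and the CSV path are placeholders.

```powershell
# Added example (not from the deck). Requires the MSOnline module and an
# existing Connect-MsolService session. Names below are placeholders.

# Build the StrongAuthenticationRequirement object Set-MsolUser expects.
# State 'Enabled' prompts the user to register a second factor at next sign-in;
# 'Enforced' requires it on every sign-in once registration is complete.
function New-MfaRequirement {
    param([ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled')
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'     # '*' = applies to all relying parties (all Azure AD / Office 365 apps)
    $req.State = $State
    return ,$req                # the leading comma keeps this an array, as the parameter requires
}

# Enable MFA for every member of the pilot group (placeholder group name).
$pilotGroup = Get-MsolGroup -SearchString 'MFA Pilot' | Select-Object -First 1
Get-MsolGroupMember -GroupObjectId $pilotGroup.ObjectId -All | ForEach-Object {
    Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements (New-MfaRequirement -State 'Enabled')
}

# Report: licensed users with no MFA requirement at all. A password alone still
# signs these accounts in, so this list is the remaining exposure.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# To remove the per-user requirement again, pass an empty array:
# Set-MsolUser -UserPrincipalName 'alice@contoso.com' -StrongAuthenticationRequirements @()
```

Two caveats a practitioner should know: IP whitelisting (Trusted IPs) is configured in the MFA service settings portal, not through these cmdlets, and the MSOnline module and per-user MFA are the legacy model. Microsoft has since moved administration to the Microsoft Graph PowerShell SDK and MFA enforcement to Conditional Access policies, so treat this as the mechanism the deck's era used rather than the current recommendation.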
Device and application management: Windows Intune
Comprehensive lifecycle management

Enroll
- Provide a self-service Company Portal for users to enroll devices
- Deliver custom terms and conditions at enrollment
- Bulk enroll devices using Apple Configurator or a service account
- Restrict access to Exchange email if a device is not enrolled

Provision
- Deploy certificates, email, VPN and WiFi profiles
- Deploy device security policy settings
- Install mandatory apps
- Deploy app restriction policies
- Deploy data protection policies

Manage and Protect
- Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
- Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
- Report on device and app compliance

Retire
- Revoke access to corporate resources
- Perform selective wipe
- Audit lost and stolen devices
Conditional access to email (diagram: user, IT, Microsoft Intune)
Intuitive end user experience

Restrict access for:
- Non-managed devices
- Non-compliant devices

Assistance with remediating issues:
- Steps provided on how to enroll devices and remediate compliance issues

Quick compliance remediation and evaluation:
- Intune automatically remediates most of the policy issues
- End user can retrigger compliance evaluation in the Company Portal

Sample quarantine message shown to the user: "To access your Contoso e-mail and other company resources, this device needs to be enrolled with Contoso. Part of this process includes installing the Company Portal. Click the first link below to begin this process. Step 1: Enroll your device. Step 2: Once you've enrolled your device, click here to activate your enrollment."
Consistent experience across:
- Discover and install corporate apps
- Manage devices and data
- Customizable terms and conditions
- Ability to contact IT
Mobile application management policies
- Enforce corporate data access requirements
- Prevent data leakage on the device
- Enforce encryption of app data at rest
- App-level selective wipe
Mobile application management (diagram: managed apps vs. personal apps on the user's device)
Maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save to within your managed app ecosystem
Office mobile apps: Microsoft Office mobile apps are natively manageable with Intune
- Word, Excel, PowerPoint, Outlook Web Access (OWA), OneDrive for Business

Intune viewer apps: Intune provides apps for secure content viewing
- Managed Browser, PDF Viewer, AV Player, Image Viewer

Intune app wrapping tool: make any app manageable without modifying code
- Wrap internal line-of-business (LOB) apps to manage them with Intune MAM policies

Intune SDK: build your apps from the ground up with the Intune SDK
- Developers can easily integrate applications for manageability
- Provides more control over the user experience than app wrapping
Options for corporate data removal

Full wipe: restore the device to factory defaults
- All data on the device is removed
- Device is reset to factory defaults
- Typically used for lost/stolen devices or for resetting corporate-owned devices

Selective wipe: remove company assets from the device
- Company resources (apps, data, profiles, certificates, settings and email) are removed; personal data stays in place
- MAM support adds the ability to remove only corporate data from multi-account applications
- Typically used for personally owned devices
Managed corporate-owned devices

Bulk enrollment
- Bulk enroll devices with a service account
- Support for Apple Configurator
- Support for Apple Device Enrollment Program

Configuration policies
- Custom iOS policy
- Device lockdown
- Policies and apps targeted to devices
- Application install allow/deny list
Deployment options (diagram)
- Intune standalone (cloud only): IT manages mobile devices and PCs through the Intune web console
- Configuration Manager integrated with Intune (hybrid): IT works in the Configuration Manager console; System Center Configuration Manager manages domain-joined PCs and, through Intune, mobile devices
User provisioning flow
1. User installs the Company Portal
2. Native applications are loaded
3. Supported apps are configured: native email, Managed Browser
4. SaaS apps become available in MyApps
5. Windows apps are presented through RemoteApp or RDP
6. User is fully provisioned
Enterprise Mobility Suite: information protection with Microsoft Azure Rights Management Service
Rights Management (diagram: files, services and servers protected by RMS)
EMS benefits for O365
On-premises and cloud solution (diagram):
- Security reports and multi-factor authentication
- Hybrid identity and single sign-on for Office 365
- Multi-factor authentication for Office 365
- Cloud-based information protection for Office 365
- Self-service password reset and group management
- Connection between Active Directory and Azure Active Directory
- Mobile device settings management
- Mobile application management
- Selective wipe
- Information protection
- Connection to on-premises assets
EMS IT manageability benefits for O365 customers: cloud and hybrid identity management, mobile device management, information protection
Conditional access for Office 365: who does what?
- Intune: evaluates policy compliance for the device
- Azure AD: authenticates the user and provides the device compliance status
- Exchange Online: enforces access to email based on device state

Flow between the mobile device, Office 365, Azure Active Directory and Microsoft Intune:
1. The device attempts an email connection to Office 365.
2. If the device is not compliant, it is pushed into quarantine.
3. The user receives a quarantine email with remediation steps.
4. The email links to device enrollment and the compliance remediation steps.
5. The user enrolls the device and remediates compliance issues through Intune.
6. Intune sets the device management/compliance status in Azure AD.
7. If the device is compliant, email access is granted.
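The Exchange Online side of this flow, and the full versus selective wipe contrast from the corporate data removal slide, as an added PowerShell example that is not part of the deck or of any Microsoft sample. In the Intune flow above the allow/quarantine decision comes from the device compliance status in Azure AD; the cmdlets below are the Exchange-native ActiveSync controls that sit underneath it: the organization default that lands unknown devices in quarantine with a remediation mail, the report of what is quarantined and why, a device access rule for a build you want blocked rather than quarantined, and the account-only versus full remote wipe. It assumes an open Exchange Online remote PowerShell session; the addresses, the mailbox, the OS build string and the device selection are placeholders.

```powershell
# Added example (not from the deck). Assumes a connected Exchange Online
# PowerShell session. Addresses, mailbox and device values are placeholders.

# 1. Organization default: devices not otherwise allowed are quarantined rather
#    than blocked, admins are notified, and the user's quarantine mail carries
#    the enrollment instructions (the deck's "quarantine email with remediation steps").
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mobile-admins@contoso.com' `
    -UserMailInsert 'To access Contoso e-mail, enroll this device in the Contoso Company Portal.'

# 2. Report quarantined devices. DeviceAccessStateReason records where the state
#    came from (the global default, a device access rule, or an external MDM),
#    which is the first thing to check when a user reports being locked out.
function Get-QuarantinedDeviceReport {
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceModel,
                      DeviceAccessState, DeviceAccessStateReason, DeviceId
}
Get-QuarantinedDeviceReport | Sort-Object UserDisplayName | Format-Table -AutoSize

# 3. Block a specific OS build outright instead of quarantining it. The
#    QueryString must match DeviceOS exactly as the report above shows it;
#    the build string here is a placeholder.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString 'iOS 6.1.3 10B329' -AccessLevel Block

# 4. Data removal. -AccountOnly removes only the Exchange account and its data
#    (the selective wipe used for personally owned devices). Without the switch,
#    Exchange issues a full factory reset on the device's next sync.
$device = Get-MobileDevice -Mailbox 'alice@contoso.com' |
    Where-Object { $_.DeviceType -eq 'iPhone' } |
    Select-Object -First 1

Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses 'mobile-admins@contoso.com' -Confirm:$false

# Full wipe for a lost or stolen corporate device would instead be:
# Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses 'mobile-admins@contoso.com'

# 5. Verify the wipe. The request is queued until the device checks in, so
#    DeviceWipeSentTime and DeviceWipeAckTime stay empty until then; a device
#    that never acknowledges is the case to escalate, not to close.
Get-MobileDeviceStatistics -Identity $device.Identity |
    Select-Object DeviceFriendlyName, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Note that a wipe (of either kind) only executes when the device next contacts Exchange, so a stolen device that is kept offline is never wiped by this path; that is why the deck pairs remote wipe with enforced device encryption and PIN policies rather than relying on wipe alone.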
Azure Active Directory offering comparison
Azure MFA offering comparison
RMS for O365 Azure RMS (EMS)
Pricing
Next Steps
Contact Catapult to arrange an EMS or Azure RemoteApp POC, pilot or production deployment.
To find out more about Enterprise Mobility Suite visit:
http://www.microsoft.com/ems
http://www.catapultsystems.com/application/enterprise-mobility

Joe Kuster, Senior Lead Consultant, Catapult Systems
Email: Joe.Kuster@catapultsystems.com
Blog: MicrosoftMercenary.com
Twitter: @Joe_Kuster