Microsoft Enterprise Mobility Suite | Getting started....
Download as PPTX, PDF2 likes2,108 views
The document provides an overview of Microsoft's Enterprise Mobility Suite (EMS) for securing access to corporate resources from mobile devices. EMS combines Azure Active Directory Premium, Microsoft Intune, and Azure Rights Management to provide identity and access management, mobile device management, and information protection capabilities. The summary outlines the key components of EMS - using Azure AD Premium for identity management, Intune for mobile device and application management, and Azure Rights Management for data protection and rights management.
Microsoft Enterprise Mobility Suite | Getting started....
- 1. Microsoft Enterprise Mobility Suite | Getting started…
- 2. • Introduction • What is EMS and why do you need it? • How to get started • Newly added features Agenda
- 3. - Senior Consultant at Atea - Soon to be a father - Likes long walks on the beach…. - Email: Thomas.Godsted.Rysgaard@Atea.dk - Twitter: @thomasrysgaard Thomas Godsted Rysgaard
- 4. What's driving change? User Devices Apps Data IT
- 7. Enterprise Mobility Suite Azure Active Directory Premium • Hybrid Identity Control panel • Multifactor Authentication • Password Reset Microsoft Intune • Mobile and Device Management • Compliance settings • Mobile Application Management Azure Rights Management • Information Protection • Document tracking • Bring your own key
- 8. First step - Identity Azure Active Directory Premium
- 10. Self-service Single sign on ••••••••••• Username Identity as the foundation Azure AD Connect Cloud SaaS Azure Office 365Public cloud Other Directories Windows Server Active Directory On-premises Microsoft Azure Active Directory
- 11. Azure AD Connect Consolidated deployment assistant for your identity bridge components • Express Settings • Multi-forest support • Password # Sync • Streamlined fed setup with ADFS • Configurable Sync settings DirSync Azure AD Sync FIM+Azure AD Connector Sync Engine On-boarding to Azure AD & Office 365 ADFS http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx ADFS ADFS is optional, can addresses complex enterprise deployments Domain Join SSO, Enforcement of AD login policy, Smart Card or 3rd party MFA
- 12. • Multi-factor authentication • Group-based app access • Advanced security reports and alerts • Self-service Enablement • Forefront Identity Manager (FIM) • Enterprise SLA
- 13. A stand-alone Azure Identity and Access management service also included in Azure Active Directory Premium Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication Trusted by thousands of enterprises to authenticate employee, customer, and partner access. Azure Multi-factor Authentication DEMO
- 14. Second step – Device Management Microsoft Intune
- 15. Desktop virtualization Access & information protection Mobile device & application management Hybrid identity Simplified device enrollment and registration Single console to manage all devices Managed productivity with Office mobile apps Conditional access to corporate resources Desktop Virtualization
- 16. Mobile devices and PCs Mobile devices System Center Configuration Manager Domain joined PCs Configuration Manager integrated with Intune (hybrid)Intune standalone (cloud only) Deployment flexibility IT IT Intune web console Configuration Manager console
- 17. Single management console for IT admins Configuration Manager console (hybrid)Intune web console (cloud only)
- 18. © EG A/S 18
- 20. Consistent experience across: Windows Windows Phone Android iOS Discover and install corporate apps Manage devices and data Ability to contact IT Customizable terms and conditions
- 21. Raise of hands…
- 22. Conditional access to email Policy verification ••••••••• Username Microsoft Intune Required settings defined by IT admin: Enrolled device Encrypted device Passcode set Admin console Not jailbroken/rooted IT ITUser
- 23. Demo Conditional Access for Exchange Online (quickest demo….. In the world!)
- 25. Corporate Complete mobile application management • Securely access corporate information using Office mobile apps, while preventing company data loss by restricting actions such as copy/cut/paste/save in your managed app ecosystem • Extend these capabilities to existing line of business apps using the Intune app wrapper • Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps Manage all of your corporate apps and data with Intune’s mobile device and application management solution Personal Managed Browser & Viewer Apps Mobile Application Management with Microsoft Intune
- 26. Selective wipe Personal apps Managed apps Company Portal Are you sure you want to wipe corporate data and applications from the user’s device? OK Cancel Perform selective wipe via self-service company portal or admin console Remove managed apps and data Keep personal apps and data intact ITIT
- 27. Demo Create and Deploy Mobile Application Management Configuration
- 28. Conditional access policy • Ability to restrict access to Exchange on-premises email based upon device enrollment • Ability to restrict access to Exchange Online email based upon device enrollment and compliance policies Mobile app management • Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem • Ability to extend application protection to existing line-of-business apps using the Intune App Wrapping Tool for iOS • Managed Browser app for Android devices that controls actions that users can perform, including allow/deny access to specific websites • PDF Viewer, AV Player, and Image Viewer apps for Android devices that help users securely view corporate content Configuration policies and resource access • Deployment of email, WiFi, VPN profiles as well as certificates • Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode • Targeting of policies and apps by device groups • Enforcement of application install or uninstall • Convenient access to internal corporate resources via per-app VPN configurations for iOS • Application install allow/deny list • Remote pin reset for Windows Phone 8.1 (currently supported for iOS and Android) • Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices • Ability to restrict administrator access to a specific set of user and device groups • Ability to create configuration files using Apple Configurator and import these files into Intune to set custom iOS policies • Lockdown of Windows Phone 8.1 devices with Assigned Access mode using OMA-URI settings • Ability to set additional policies on Windows Phone 8.1 devices using OMA-URI settings Ongoing support for device platforms • Service account enrollment • Customizable terms and conditions • Enhanced user interface for Intune administration console • Ability to push free store apps to iOS devices • Support for Apple Configurator
- 29. Conditional access policy • Ability to restrict access to SharePoint Online (includes OneDrive for Business) based upon device enrollment and compliance • Ability to restrict access to Exchange on-premises for Exchange ActiveSync clients on Android devices Mobile app management • Management of the Office Mobile app (access, view, and edit Word, Excel, and PowerPoint documents) for Android phones • Management of OneNote and OneDrive apps • Management of Work Folders app for iOS devices Configuration policies and resource access • Ability to require encryption on Windows 8.1 (x86) devices • Ability to set minimum classification of platform updates to be installed automatically on Windows 8.1 (x86) devices • Ability to restrict the number of devices a user can enroll in Intune • Support for Cisco AnyConnect per-app VPN configurations for iOS devices • Deployment of WiFi profiles for Windows devices using XML import and Windows Phone devices using OMA-URI (currently supported for iOS and Android) • Ability to create WiFi profiles with pre-shared keys (PSK) for Android devices • Ability to resolve certificate chains on Android devices without the need to deploy each intermediate certificate individually • Ability to deploy .appx files and .appx bundles to Windows Phone 8.1 devices Ongoing support for device platforms • Support for Apple Device Enrollment Program (DEP) • Ability to browse and install apps on Windows Phone 8.1 devices using Intune Company Portal website • Ability to manage Windows Defender on Windows 10 PCs running Windows 10 Technical Preview without need for separate Microsoft Intune Endpoint Protection agent to be installed • Combined Microsoft Intune Company Portal websites for PCs and mobile devices to provide a more consistent user experience across platforms • Enhanced user interface for overview pages within Intune admin console Hybrid configuration (ConfigMgr) • Restrict access to Exchange Online email only if device is managed and compliant • Ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices
- 30. Conditional access policy • Ability to restrict access to Outlook app based on device enrollment and compliance Mobile app management • Intune App SDK for iOS • Intune app Wrapping tool for Android • Support for MAM in Outlooks app • Multi-identity Ongoing support for device platforms • Support of Apple Volume Purchase Program (VPP) • Windows 10 support • Mac OS X support Roadmap
- 32. Settings management Comprehensive security policies are enforced on each platform Reporting available on each setting whether it is applicable, conformant or has an error Extensive configuration settings are available for each platform Policies can be applied to user and device groups User
- 33. Third step – Data Protection Azure Rights Management
- 34. Azure RMS is built on… Encryption: documents are strongly encrypted at rest, in motion and in-use Identity and access management: user identities are used to restrict access Policy enforcement: granular rights control (who can print/edit/save/forward) Access logging: a document access is logged whenever and whenever it is used
- 35. Integration BYO Key Sync Azure RMS Connector Azure Rights Management
- 36. Native Applications and Generic protection using Protected File (PFILE) Custom administrator defined policies I can protect and share information securely across device types RMS Application DEMO
- 37. The Document Tracking site
- 38. User tracks a document he sends to his staff
- 39. Summary View
- 40. Timeline View
- 41. Map View
- 42. 43 User wants to revoke the document
- 44. http://blogs.technet.com/b/rms/archive/2015 /06/03/rms-protection-tool-ga.aspx $lic = New-RMSProtectionLicense -UserEmail thomas.godsted.rysgaard@atea.dk -Permission EDIT Protect-RMSFile -License $lic -File "C:UsersthomasDesktopConfidential"
- 45. ITUser Enterprise Mobility Suite Identify and authorize user Apply device policies Apply application policies Apply content policies Active Directory Premium Rights Management
- 47. Q&A
- 48. © 2014 Atea A/S. All rights reserved. This presentation is for informational purposes only. Atea A/S makes no warranties, express or implied, in this summary. Specialists in IT infrastructure