Protecting Your Corporate Data with System Center Configuration Manager and Windows Intune
Dilip Radhakrishnan, Lead Program Manager
Aseem Kohli, Senior Program Manager
PCIT-B325
Agenda
• PCIT strategy overview
• Emerging trends in data protection
• Data Protection in Windows Intune today
• The road ahead
Apps, Users, Data, Devices
Mobile Device management challenges
Mobile Device Management
Unify your environment
On-premises and cloud-based management of devices within a single console.
Simplified, user-centric application management across devices
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Enable users
Access to company resources consistently across devices
Simplified registration and enrollment of devices
Synchronized corporate data
Protect your data
Protect corporate information by selectively wiping apps and data from retired/lost devices
A common identity for accessing resources on-premises and in the cloud
Identify which mobile devices have been compromised
Data Protection Trends
PC security
• Data protection through device lockdown (Group Policy, app mgmt., OSD, compliance)
• Hardening devices against attack (patch, anti-malware, etc.)
Early mobile security
• Device policies tied to mailbox
• PIN
• Encryption
• Device restrictions
• Full wipe of device
MDM
• Mobile Device Management
• Granular device policy controls
• Provision access to corp resources (Email, VPN etc)
• Selective wipe
MAM
• Mobile application management
• Corporate data containerization
• Per application policy restrictions
• Compliance based access control to corporate resources
Mobile Data Protection approach
Mobile data protection
Protect corporate data cached ‘on the device’
• Emails, Attachments
• Cached documents
• Apps syncing corp data
• Apps sharing corp data
Protect corporate data accessed ‘from the device’
• Email & collab services
• Network services – VPN, Wi-Fi
• Intranet sites
• On Prem File Shares
Diagram: BYOD and corp owned mobile devices reach on-premises SharePoint, an on-premises file server and cloud based email/collab services through remote access services (VPN, App Proxy etc) in the DMZ
Data Protection with Configuration Manager & Intune Today
Intune – Up & Running
• Sign up for a trial: http://manage.microsoft.com
• Set the Management Authority: select Intune Standalone or Hybrid (Hybrid requires CM 2012 R2)
• OS requirements: Windows Phone: Code Signing Certificate; iOS: APNS certificate; Android: no prerequisites
Demo – Getting Started
Aseem Kohli
Secure Access to Corporate Resources
Secure access to corporate IT services
Features
• Deploy profiles to control resource access: VPN profiles, Email profiles, Wi-Fi profiles
• Restrict these services to use certificate based authentication
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Certificate enrollment
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
Components in the diagram: Network Device Enrollment Service (NDES) with the SCCM plug-in, CA, SCCM with the SCCM Connector, Certificate Registration Point, Intune, Desktop Admin, Device, IW (information worker)
Demo – Secure access configuration
Aseem Kohli
Security Policies
Leverage OS platform specific controls for enhancing security of devices connecting to the corporate network
Features
• Passcode/PIN policies: require PIN, don’t allow simple passcode, require device encryption
• Device restrictions: allow camera, allow Wi-Fi, removable storage, etc.
iOS platform support
• MDM agent is part of the iOS platform
• Download Company Portal application from iTunes
• Intune supports iOS 6.0+
• APNs certificate required for push notifications
Key Settings
• Lock screen control
• Cloud syncing (iCloud, etc)
• Allow user to accept untrusted TLS certificates
• Disable browser
• Disable Store
Data Sharing restrictions
Reduce inadvertent corporate data leakage
Feature
• Data sharing restrictions using ‘Open in Manage’ settings (iOS 7+)
• Restrict managed app (work apps) data to be opened only in other managed apps
• Restrict whether unmanaged app (personal app) data can be opened in managed apps
Android Support
• Company Portal application contains a custom OMA-DM agent
• Intune supports Android 4.0+
Key Settings
• Password management
• Disable camera
• Encryption
• Custom OMA URIs
Android Company Portal Architecture (components shown in the diagram)
• Windows Intune services: MDM Gateway (policy delivered as SyncML), Enrollment Service, IW Service, GCM Service
• GCM Service raises a “Refresh Policy” intent on the device; compliance/enrollment changes raise a “Changed” intent
• Company Portal Android package: SSP View, SSP View Model, Android SSP business logic (Enroll / Re-enroll / Un-enroll), SSP Shared Library, Portal Content
• OMADM Client Service: Policy Engine, Policy Providers, Alarm Broadcast Receiver, Boot Broadcast Receiver, GCM Broadcast Receiver (GCM notification)
• Storage: private internal storage (read/write state, read/write certificates) and public storage (logging)
Samsung KNOX Support
• Support for KNOX Standard (formerly Samsung SAFE); will be adding additional settings soon
• KNOX Premium provides additional container support; Intune support TBD
KNOX Standard Settings
• Require Password
• Minimum Password Length
• No. of repeated sign-in failures allowed before device is wiped
• Minutes of inactivity before screen turns off
• Password Expiration in days
• Remember Password History
• Prevent reuse of previous passwords (only if remember password history is on)
• Password Quality
• Require Encryption
• Require encryption on storage cards
• Allow Camera
• Allow Screen Capture
• Allow Clipboard Share between applications
• Allow copy/paste
• Allow Diagnostic Data Submission (i.e. Google Crash Reports)
• Allow Google Backup
• Allow web browser
• Allow Autofill
• Allow pop up blocker
• Allow active scripting (i.e. JavaScript)
• Allow Fraud Warning
• Allow Cookies
• Allow Application Store
• Allow video conferencing
• Allow Removable Storage
• Allow Wi-Fi
• Allow Geolocation
• Allow NFC
• Allow Bluetooth
• Allow voice roaming
• Allow Data Roaming
• Allow voice assistant
• Allow voice dialing
Root Detection
• Runs periodically on the device
• Heuristics based approach:
• Detect if a super user account has been created
• Check if ‘su’ binaries are installed on device
• Existence of BusyBox binaries
• Check that the OS is provided by an OEM
• Check if the permission of specific system folders has changed
• Continuously updating detection logic
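The heuristics above, expressed as an offline check over a device snapshot. This is an added example, not the Intune agent’s code; the concrete checks chosen for each heuristic (which su/BusyBox paths, a test-keys build tag for “not an OEM build”, a superuser app for “super user account created”, world-writable system folders) and the snapshot values are assumptions made here.

```python
"""Heuristic root detection in the spirit of the 'Root Detection' slide.
Added example, not the Intune agent's code. It evaluates a device snapshot
(paths present with their mode bits, plus build properties) so the heuristics
can be run and tested offline; the snapshot values are constructed."""
import stat

# Locations where a 'su' binary usually ends up on a rooted device (assumed list).
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su")
BUSYBOX_PATHS = ("/system/bin/busybox", "/system/xbin/busybox")
# Directories that stay read-only on an unmodified OEM build.
SYSTEM_DIRS = ("/system", "/system/bin", "/system/xbin")
# Superuser management apps that accompany a created superuser account (assumed).
SU_APPS = ("Superuser.apk", "SuperSU.apk")


def root_indicators(files, build_props):
    """files: {path: mode_bits}; build_props: {'ro.build.tags': ..., ...}.
    Returns the names of the heuristics that fired; [] means nothing found."""
    found = []
    if any(p in files for p in SU_PATHS):
        found.append("su binary present")
    if any(p in files for p in BUSYBOX_PATHS):
        found.append("busybox present")
    if any(p.endswith(SU_APPS) for p in files):
        found.append("superuser app installed")
    # OEM firmware is signed with release keys; custom ROMs are usually test-keys.
    if "test-keys" in build_props.get("ro.build.tags", ""):
        found.append("OS not signed by the OEM (test-keys)")
    for d in SYSTEM_DIRS:
        mode = files.get(d)
        if mode is not None and mode & stat.S_IWOTH:  # world-writable system dir
            found.append(f"{d} permissions changed (world-writable)")
    return found


def is_rooted(files, build_props, threshold=1):
    """Device is treated as rooted once `threshold` heuristics fire (default: any one)."""
    return len(root_indicators(files, build_props)) >= threshold
```

On a real device the `files` map would be built from `os.stat` over the listed paths and `build_props` from `getprop`; the threshold lets an agent demand corroborating indicators before reporting non-compliance.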
New Windows Phone 8.1 Settings
• Screen capture
• File encryption on mobile device
• Allow simple password
• Alphanumeric password required
• Idle time before mobile device is locked (minutes)
• Minimum complex characters
• Minimum password length (characters)
• Number of failed logon attempts before device is wiped
• Number of passwords remembered
• Password complexity
• Password expiration in days
• Bluetooth
• Disable Internet Explorer
• Disable USB sync
• Disable Wi-Fi
• Near field communication (NFC)
• Prevent user initiated un-enrollment / disable PC settings
• Removable storage (any external storage device)
• Disable Application Store
• Disable Internet Sharing over Wi-Fi (tethering)
• Disable Wi-Fi Offloading
• Wi-Fi Hotspot reporting
• Disable Custom Email Account (all or nothing)
• Allow Microsoft Account
Demo – Device & Data sharing Restrictions
Aseem Kohli
Remote Lock
• IT Administrator can remotely lock a device from Intune
• Lock command is processed within seconds using push notifications to the target device
Platform support for Remote Lock:
• iOS: Supported
• Android: Supported
• Windows Phone 8: Not supported
• Windows RT 8.1 and Windows RT: Supported
• Windows 8.1: Supported
Pin Reset
• IT Administrator can reset the device’s PIN from Intune
• Intune will auto-generate a new PIN
• IT Administrator can give the temporary PIN to the end user
• End user must enter the temporary PIN to access the device, otherwise the device is wiped
Platform support for Passcode Reset:
• iOS: Supported for clearing the passcode from a device. Does not create a new temporary passcode.
• Android: Supported, and a temporary passcode is created.
• Windows Phone/Windows: Not supported
Retire/Wipe
Full Wipe
• Effects depend on the platform and management type (EAS or native)
• iOS, Android, WP: Complete wipe and reset to factory defaults
• Android: EAS mailbox removal only
• Windows RT and Windows 8: Only EAS mailbox removal if managed through EAS
Retire
• User or Admin initiated
• Removes the record of the device from the system
• Disables further MDM app installation and settings management on the device
• Selectively wipes corporate app data
• Uninstalls MDM-installed apps and removes data
• Removes enterprise EFS certs and email
• NEW – iOS and WinPhone 8.1 email selective wipe
Demo – Remote Tasks
Aseem Kohli
Architecture of a Remote Policy Push (GCM and Intune)
1. Intune sends Sender ID to device
2. Device passes Sender ID to GCM
3. GCM returns a Registration ID to device
4. Device returns Registration ID to Intune
5. Intune sends notifications using Sender ID and Registration ID
Full and Selective Wipe
Platforms (columns): Windows 8.1 (x86/RT, OMA-DM managed); Windows 8 RT; Windows Phone 8; iOS; Android; KNOX
Full Wipe / Selective Wipe
Email: (Mail App), (Mail App)
Company apps and data: Windows 8.1: Apps uninstalled, sideloading keys removed, data removed. Windows 8 RT: Sideloading keys removed but apps remain installed. Windows Phone 8: Uninstalled and data removed. iOS: Uninstalled and data removed. Android: Apps and data remain installed. KNOX: Uninstalled and data removed.
VPN and Wi-Fi profiles: Windows 8.1: Removed. Windows 8 RT: Not applicable. Windows Phone 8: Not applicable. iOS: Removed. Android: VPN not applicable, Wi-Fi removed. KNOX: VPN not applicable, Wi-Fi removed.
Certificates: Windows 8.1: Removed and revoked. Windows 8 RT: Not applicable. Windows Phone 8: Not applicable. iOS: Removed and revoked. Android: Revoked. KNOX: Revoked.
Settings: Requirements removed on all platforms.
Management client: Windows 8.1, Windows 8 RT, Windows Phone 8: Not applicable, management agent is built-in. iOS: Management profile is removed. Android and KNOX: Device Administrator privilege is revoked.
Data Protection with Configuration Manager & Intune – The Road Ahead
Protected Corporate Email and Collaboration
Secure access to email and corp resources
• Access email and documents only if device is managed
• Deny access if device falls out of compliance
• Deploy certificates to Wi-Fi, VPN & Email profiles
• Provide access to internal resources via per-app VPN
Mobile App & Data Protection
• Contain corporate data to corporate apps and services
• Push, publish and uninstall apps centrally
• Provision iOS managed apps and accounts
• Wrapper for protected internal LoB apps
• Protected web browser, PDF, audio, video
• Selective wipe for managed apps and documents
Secure access to Email
• Compliance Policies: allow IT administrators to define the criteria for a device to be considered compliant. Criteria: PIN/passcode required, PIN/password requirements, encryption, jailbreak
• Conditional access rules: allow IT administrators to define criteria for accessing services. Criteria: user ID, group membership, device compliance state. Actions: block email
• Quarantine: the email server “quarantines” devices to block their access and guide the user to get compliant
Solution Concepts
Solution architecture – Secure email in O365
Components: EAS Client, Office 365 EAS Service, Azure AD, Intune
1. Device attempts email connection
2. Exchange checks whether the device is managed and compliant
3. Device state is returned
4. If not compliant, device is pushed into quarantine
5. Quarantine email with remediation steps (link to enroll device / compliance remediation steps)
6. Enrollment / compliance remediation; device management and compliance status is set
7. If compliant, email access is granted
Who does what?
• Intune: Evaluate policy compliance for device
• Azure AD: Auth user, provide device compliance status
• Exchange Online: Enforces access to email based on device state
Solution architecture – Secure email in On Prem Exchange Server
Components: EAS Client, On Prem Exchange Server, Intune
1. Access rules configured: allow managed devices, block non managed devices
2. Device attempts email connection
3. If not managed, device is pushed into quarantine
4. Quarantine email with remediation steps (link to enroll device)
5. Device enrollment
6. If managed, email access is granted
Who does what?
• Intune: Evaluate and manage device state
• Exchange Server: Provides API and infrastructure for quarantine
End User Experience
• Quarantine emails for: non managed devices, non compliant devices
• Redirection to Intune portals
• Links for enrollment and policy non compliance remediation
• End user can retrigger compliance reevaluation
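The compliance policy, conditional access rule and quarantine flow from the preceding slides, modelled end to end. This is an added example, not Microsoft code or an Intune/Exchange API; the device attributes, the group-scoping logic and the portal URL are assumptions constructed for illustration.

```python
"""Compliance policy + conditional access evaluation as described on the
'Secure access to Email' slides. Added example (not Microsoft code or an
Intune API); every value below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    managed: bool         # enrolled in Intune
    passcode_set: bool
    passcode_len: int
    passcode_alnum: bool  # letters as well as digits
    encrypted: bool
    jailbroken: bool      # jailbroken (iOS) or rooted (Android)


@dataclass(frozen=True)
class CompliancePolicy:
    require_passcode: bool = True
    min_passcode_len: int = 6
    require_alnum: bool = False
    require_encryption: bool = True
    block_jailbroken: bool = True


@dataclass(frozen=True)
class ConditionalAccessRule:
    target_groups: frozenset        # rule applies to members of these groups
    exempt_users: frozenset = frozenset()
    require_compliant: bool = True  # management is always required


def evaluate_compliance(dev, policy):
    """Intune's job: return the failed criteria; [] means compliant."""
    failures = []
    if policy.require_passcode and not dev.passcode_set:
        failures.append("set a device passcode")
    elif dev.passcode_set:
        if dev.passcode_len < policy.min_passcode_len:
            failures.append(f"use a passcode of at least {policy.min_passcode_len} characters")
        if policy.require_alnum and not dev.passcode_alnum:
            failures.append("use an alphanumeric passcode")
    if policy.require_encryption and not dev.encrypted:
        failures.append("turn on device encryption")
    if policy.block_jailbroken and dev.jailbroken:
        failures.append("jailbroken or rooted devices are not allowed")
    return failures


def decide_access(dev, user_groups, rule, policy):
    """Exchange's job: ('allow', []) or ('quarantine', remediation_steps).
    An unmanaged device cannot report compliance, so enrollment is the only
    step offered; a managed device gets its specific failed criteria."""
    if dev.user in rule.exempt_users or not (user_groups & rule.target_groups):
        return "allow", []                 # rule is out of scope for this user
    if not dev.managed:
        return "quarantine", ["enroll the device in Intune"]
    failures = evaluate_compliance(dev, policy) if rule.require_compliant else []
    return ("quarantine", failures) if failures else ("allow", [])


def quarantine_mail(dev, steps, portal="https://portal.example.invalid"):
    """Body of the remediation mail delivered to the quarantined mailbox."""
    lines = [f"Your device {dev.device_id} cannot access corporate email yet.",
             "To regain access:"] + [f"  - {s}" for s in steps]
    lines.append(f"Then re-check compliance at {portal}")
    return "\n".join(lines)
```

Re-running `decide_access` after remediation is the “retrigger compliance reevaluation” step: the same device record with the failures fixed yields `('allow', [])`.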
Secure access to corp resources
Per App VPN
Concepts: create a secure connection between your line of business or productivity applications and the corporate network
Traditional VPN:
• VPN tunnel established at the device level
• Introduces risk of providing corporate access to unauthorized apps
• Depending on VPN infrastructure, can impact end user’s internet access speeds
• Privacy issue associated with routing user’s personal traffic to corporate servers
Per App VPN:
• On demand VPN connection
• Routes only specific app’s data to corporate VPN
Configuring per app VPN
• Specify VPN profile to be used for App VPN
• Specify apps that will be associated with the VPN
Mobile app and data protection
• Mobile app protection policies: allow IT administrators to define policies to prevent data leaks from applications accessing corporate data
• Managed Office productivity: allows IT administrators to secure Office applications without any special ‘app wrapping’ efforts; Office apps will ship with native support for Intune app protection policies
• Companion apps for non-Office content: allow IT administrators to provide internet access through a protected browser and also managed PDF and video viewers
• App wrapper for internal LoB apps
Mobile App protection policies
Restrict data leakage
• Allow/block copy/paste
• Allow/block screen capture
• Allow/block print
• Prevent file backup to unauthorized locations
• Restrict sharing of data between applications
Enforce corporate data access requirements
• Require a PIN for launching the app
• Require authentication using corporate credentials before launching the app
• Require compliance to device policies for launching the app
• Enforce encryption of app data at rest
• App level selective wipe
Layers (diagram): native e-mail, secure browser, LoB apps and managed app productivity. Windows Intune applies policies to restrict device behaviors (e.g. PIN, encryption, camera) and app specific policies to restrict data leakage, enforce corporate data protection, data encryption at rest and app level selective wipe. Azure RMS and Azure AD (Enterprise Mobility Suite) apply rights management policies to protect data when it roams inside or outside the organization boundaries.
Beyond containers
Today’s MAM Containers
• What other MAM vendors do: attempt to isolate corporate data on device
• How they do it: proprietary apps for email, web, file; proprietary wrappers and SDKs
• Side effects: poor end user experience; app layer protection only; proprietary, incompatible technology
Protected Mobile Productivity
• Our vision: protect corporate data across layers: device, app and data
• How we do it: protected Office email and collab managed by Intune; Enterprise Mobility Suite extends Office’s mobile data protection
• Why this is better: superior experience using the apps you already love; comprehensive protection at device, app and data layers; integration across AD, Office, System Center, EMS, O365
Key Takeaways
• Microsoft continues to expand its mobile device management solution into a broader enterprise mobility solution.
• Microsoft is building manageability and data protection into apps to help end users stay productive and enable organizations to meet compliance requirements.
Mobile Device Management Review
Enterprise Mobility Suite
Enterprise Agreement prices starting at $4 per user per month*
* Limited time EA Level A promo pricing. Requires 250 seat minimum purchase and underlying CAL Suite license (CoreCAL/ECAL/BridgeCAL)
EMS will enable customers with:
Hybrid Identity Management (enabled via Azure Active Directory Premium)
• Group management & Self Service Password Reset
• Security audit reports & Multi-Factor Authentication
• Connection between AD / Azure AD
Mobile Device Management (enabled via Windows Intune)
• Mobile device settings management
• Mobile app management
• Selective wipe
Data Protection (enabled via Azure Rights Management Service)
• Information protection
• Connection to on-premises assets
Related content
Session Title Timeslot
FDN02 Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server
Monday, May 12 11:00 AM - 12:00 PM
PCIT-B212 Design Considerations for BYOD Tuesday, May 13 10:15 AM - 11:30 AM
PCIT-B213 Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure
Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B310 Empowering Your Users and Protecting Your Corporate Data Monday, May 12 1:15 PM - 2:30 PM
PCIT-B313 Hybrid Identity: Extending Active Directory to the Cloud Monday, May 12 4:45 PM - 6:00 PM
PCIT-B314 Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2
Tuesday, May 13 8:30 AM - 9:45 AM
PCIT-B321 Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers Tuesday, May 13 5:00 PM - 6:15 PM
PCIT-B322 Deploying and Managing Work Folders Wednesday, May 14 10:15 AM - 11:30 AM
PCIT-B324 How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's and the Don'ts
Wednesday, May 14 8:30 AM - 9:45 AM
PCIT-B326 Providing SaaS Single Sign-on with Microsoft Azure Active Directory Thursday, May 15 10:15 AM - 11:30 AM
PCIT-B327 Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from Anywhere
Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B328 Microsoft Identity Manager vNext Overview Wednesday, May 14 5:00 PM - 6:15 PM
PCIT-B330 Active Directory + BYOD = Peace of Mind Thursday, May 15 8:30 AM - 9:45 AM
Related content: Breakout Sessions
Code Title Time
FDN02 Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server Mon, May 12 11:00 AM
PCIT-B311 What's New in Enterprise Management with Microsoft System Center Configuration Manager and Windows Intune Mon, May 12 1:15 PM
PCIT-B215 What's New in Microsoft System Center 2012 R2 Configuration Manager Infrastructure Mon, May 12 3:00 PM
PCIT-B410 Microsoft System Center 2012 Configuration Manager: MVP Experts Panel Mon, May 12 4:45 PM
PCIT-B216 Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune Tue, May 13 8:30 AM
PCIT-B317 Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune Tue, May 13 1:30 PM
PCIT-B320 Microsoft System Center Configuration Manager Community Jewels Tue, May 13 5:00 PM
PCIT-B323 Application Management with Microsoft System Center Configuration Manager and Windows Intune Wed, May 14 8:30 AM
PCIT-B325 Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune Wed, May 14 10:15 AM
PCIT-B340 What’s New with OS Deployment in Configuration Manager and the Microsoft Deployment Toolkit Wed, May 14 5:00 PM
PCIT-B336 Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager Thu, May 15 8:30 AM
PCIT-B339 How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch Thu, May 15 10:15 AM
PCIT-B333 How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune Thu, May 15 1:00 PM
Related content: Instructor Led Labs
Code Title Time
PCIT-IL200 Introduction to Microsoft System Center 2012 R2 Configuration Manager Mon, May 12 3:00 PM; Wed, May 14 5:00 PM
PCIT-IL201 Upgrading from Configuration Manager 2012 SP1 to Microsoft System Center 2012 R2 Configuration Manager Thu, May 15 10:15 AM
PCIT-IL300 Deploying Windows 8.1 to Bare Metal Clients Wed, May 14 1:30 PM; Thu, May 15 1:00 PM
PCIT-IL305 Basic Software Distribution with Microsoft System Center 2012 R2 Configuration Manager Tue, May 13 5:00 PM; Wed, May 14 3:15 PM
PCIT-IL306 Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager Tue, May 13 10:15 AM; Thu, May 15 8:30 AM
PCIT-IL307 Managing Microsoft Software Updates in Microsoft System Center 2012 R2 Configuration Manager Tue, May 13 1:30 PM; Wed, May 14 8:30 AM
PCIT-IL308 Migrating from Configuration Manager 2007 to Microsoft System Center 2012 R2 Configuration Manager Wed, May 14 10:15 AM
Related content: Hands On Labs
Code Title
PCIT-H302 Deploying a Microsoft System Center 2012 R2 Configuration Manager Hierarchy
PCIT-H303 Deploying Microsoft System Center 2012 R2 Configuration Manager
PCIT-H304 Deploying Windows 8.1 to Bare Metal Clients
PCIT-H309 Implementing App-V 5.0 in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H310 Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H311 Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H312 Implementing Role-Based Administration in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H314 Managing Clients with Microsoft System Center 2012 R2 Configuration Manager
PCIT-H315 Managing Content in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H316 Managing Software Updates in Microsoft System Center 2012 R2 Configuration Manager
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.