Enterprise Mobility Suite Overview - Catapult Systems
Enterprise Mobility
Suite Overview
Joe Kuster
Catapult Systems
• 52% of information workers across 17 countries report using three or more devices for work*
• >80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***
• 90% of enterprises will have two or more mobile operating systems to support in 2017**

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner, press release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
Security Realities: No one wants to be the next _______

Users, devices, apps, data: management, access, protection
WINDOWS INTUNE
• Mobile device settings management
• Mobile application management
• Selective wipe

MICROSOFT AZURE ACTIVE DIRECTORY PREMIUM
• Security reports and audit reports, multi-factor authentication
• Self-service password reset and group management
• Connection between Active Directory and Azure Active Directory

MICROSOFT AZURE RIGHTS MANAGEMENT SERVICE
• Information protection
• Connection to on-premises assets
• Bring your own key
Identity
What is Multi-Factor Authentication… and why you should care

Azure Multi-Factor Authentication
• What You Know + What You Have = Access
• Limits stolen/hacked password abuse
• Use a mobile app, phone call or text
• Supports IP whitelisting
• Extensible on-prem for additional token options

Multi-Factor Authentication Server
• Brings Office 365’s Multi-Factor Authentication security and ease of use to on-premises
• Integrates with many of your pre-existing applications through IIS, Windows Authentication, LDAP and RADIUS
• Presents real-time monitoring capabilities and threat reporting
• Software Development Kit (SDK) allows integration into custom apps
Comprehensive lifecycle management

Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled

Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Conditional access to email

Intuitive end user experience
• Restrict access for: non-managed devices, non-compliant devices
• Assistance with remediating issues: steps provided on how to enroll devices and remediate compliance issues
• Quick compliance remediation and evaluation: Intune automatically remediates most of the policy issues; the end user can retrigger compliance evaluation in the Company Portal

Sample message shown to the end user:
“To access your Contoso e-mail and other company resources, this device needs to be enrolled with Contoso. Part of this process includes installing the Company Portal. Click the first link below to begin this process.
Step 1: Enroll your device.
Step 2: Once you’ve enrolled your device, click here to Activate your enrollment.”
Consistent experience across:
• Discover and install corporate apps
• Manage devices and data
• Ability to contact IT
• Customizable terms and conditions
Mobile application management policies
• Enforce corporate data access requirements
• Prevent data leakage on the device
• Enforce encryption of app data at rest
• App-level selective wipe
Mobile application management
Personal apps vs. managed apps: maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save in your managed app ecosystem.
Office mobile apps: Microsoft Office mobile apps are natively manageable with Intune
• Word
• Excel
• PowerPoint
• Outlook Web Access (OWA)
• OneDrive for Business

Intune viewer apps: Intune provides apps for secure content viewing
• Managed Browser
• PDF Viewer
• AV Player
• Image Viewer

Intune app wrapping tool: Make any app manageable without modifying code
• ‘Wrap’ internal line-of-business (LOB) apps to manage with Intune MAM policies

Intune SDK: Build your apps from the ground up with the Intune SDK
• Developers can easily integrate applications for manageability
• Provide more control over user experience with the SDK (vs. app wrapping)
Options for corporate data removal

Full wipe: Restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting corporate-owned devices

Selective wipe: Remove company assets from device
• Company resources (apps, data, profiles, certificates, settings, and email) are removed
• MAM support adds the ability to remove only corporate data from multi-account applications
• Typically used for personally-owned devices

Managed corporate-owned devices

Bulk enrollment
• Bulk enroll devices with a service account
• Support for Apple Configurator
• Support for Apple Device Enrollment Program

Configuration policies
• Custom iOS policy
• Device lockdown
• Policies and apps targeted to devices
• Application install allow/deny list
Two management architectures:
• Configuration Manager integrated with Intune (hybrid): mobile devices and PCs, including domain-joined PCs managed by System Center Configuration Manager; IT works in the Configuration Manager console
• Intune standalone (cloud only): mobile devices; IT works in the Intune web console

End-user provisioning flow:
1. User installs the Company Portal
2. Native applications loaded
3. Supported apps are configured (native email, Managed Browser)
4. SaaS apps available in MyApps
5. Windows apps presented through RemoteApp or RDP
6. User is fully provisioned
Enterprise Mobility Suite
On-premises servers: File Services, Rights Management
EMS benefits for O365
• Hybrid identity and single sign-on for Office 365
• Multi-factor authentication for Office 365
• Cloud-based information protection for Office 365

EMS IT manageability benefits for O365 customers (on-premises solution and cloud solution)

Cloud and hybrid identity management
• Security reports and multi-factor authentication
• Self-service password reset and group management
• Connection between Active Directory and Azure Active Directory

Mobile device management
• Mobile device settings management
• Mobile application management
• Selective wipe

Information protection
• Information protection
• Connection to on-premises assets

Productivity
Conditional access for Office 365

Who does what?
• Intune: Evaluate policy compliance for the device
• Azure AD: Authenticate the user and provide device compliance status
• Exchange Online: Enforces access to email based on device state

Flow between the mobile device, Azure Active Directory, Microsoft Intune and Office 365:
1. The mobile device attempts a connection to Office 365.
2. Azure Active Directory authenticates the user and provides the device compliance status.
3. Microsoft Intune evaluates policy compliance for the device.
4. If not compliant, the device is pushed into quarantine and receives a quarantine email with remediation steps: a link to enroll the device and the compliance remediation steps.
5. Enrollment / compliance remediation.
6. Device management/compliance status is set (Intune to Azure AD).
7. If compliant, email access is granted.
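The decision logic behind the flow above, written as an added Python model (not Microsoft's code): the Device fields, the three compliance rules and the remediation wording are assumptions constructed for illustration, while the three roles (Intune evaluates, Azure AD reports state, Exchange Online enforces) follow the "Who does what?" slide. It also shows the failure mode the deck mentions, a jailbroken device that remains quarantined after the user follows the remediation email.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool    # enrolled in Intune through the Company Portal
    jailbroken: bool  # the deck's own example of a policy violation
    encrypted: bool   # assumed device security policy setting
    pin_set: bool     # assumed device security policy setting

# Intune's role: evaluate policy compliance. Each rule carries the remediation
# step (assumed wording) that the quarantine e-mail lists if the rule fails.
RULES = [
    (lambda d: not d.jailbroken, "Restore the device to a supported, non-jailbroken OS"),
    (lambda d: d.encrypted, "Turn on device encryption"),
    (lambda d: d.pin_set, "Set a device PIN or passcode"),
]

def intune_evaluate(d: Device) -> List[str]:
    """Return one remediation step per violated rule; an empty list means compliant."""
    return [step for ok, step in RULES if not ok(d)]

def azure_ad_device_state(d: Device) -> str:
    """Azure AD's role: after authenticating the user, report the device state."""
    if not d.enrolled:
        return "unmanaged"  # Intune has never seen this device
    return "noncompliant" if intune_evaluate(d) else "compliant"

def exchange_online_decide(d: Device) -> Dict[str, object]:
    """Exchange Online's role: grant mail, or quarantine with remediation steps."""
    state = azure_ad_device_state(d)
    if state == "compliant":
        return {"device": d.device_id, "action": "grant", "state": state, "steps": []}
    if state == "unmanaged":  # the two-step enrollment e-mail from the deck
        steps = ["Step 1: Enroll your device", "Step 2: Activate your enrollment"]
    else:  # list the violations, then let the user re-check in the Company Portal
        steps = intune_evaluate(d) + ["Retrigger compliance evaluation in the Company Portal"]
    return {"device": d.device_id, "action": "quarantine", "state": state, "steps": steps}

def remediate(d: Device) -> Device:
    """Simulate the user following the e-mail: enroll and fix settings. A jailbreak
    cannot be undone from the Company Portal, so that flag is left as-is."""
    return replace(d, enrolled=True, encrypted=True, pin_set=True)

if __name__ == "__main__":
    for dev in (Device("ios-1", False, False, False, True), Device("ios-2", True, True, True, True)):
        print(exchange_online_decide(dev), "->", exchange_online_decide(remediate(dev))["action"])
```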
Azure Active Directory offering comparison
Azure MFA offering comparison
RMS for O365 vs. Azure RMS (EMS) comparison
Pricing
Next Steps
• Contact Catapult to arrange an EMS or Azure RemoteApp POC, Pilot or Production Deployment
• To find out more about Enterprise Mobility Suite visit:
  http://www.microsoft.com/EMS
  http://www.catapultsystems.com/application/enterprise-mobility
Joe Kuster
Senior Lead Consultant
Catapult Systems
Email: [email protected]
Blog: MicrosoftMercenary.com
Twitter: @Joe_Kuster