This document discusses Microsoft's Enterprise Mobility Suite (EMS) solution for managing mobile devices and enabling a productive mobile workforce. EMS provides hybrid identity management, mobile device and application management, access and information protection. It allows single sign-on, self-service password reset, and centralized application access management. EMS also provides remote device management for Windows, iOS and Android devices and helps protect corporate data on devices through features like selective wiping. The solution aims to foster employee productivity through mobility while ensuring security.
2. Companies gain an extra __ hours of work/year from employees due to mobile working?
3. __ of employees use personal devices for work purposes.* __ of employees that typically work on employer premises also frequently work away from their desks.*** __ of all software will be available on a SaaS delivery by 2020.** (Figures shown on the slide: 66%, 25%, 33%.)
*CEB The Future of Corporate ITL: 203-2017. 2013.
**Forrester Application Adoption Trends: The Rise Of SaaS
***CEB IT Impact Report: Five Key Findings on Driving Employee Productivity Q1 2014.
4. Change drives complexity: each point solution added (VDI Solutions, Data Security Solutions, MDM Solutions, System Center, ID Solutions, a New Solution) brings its own cost, risk and complexity. [Diagram: cost/risk/complexity stacked per solution, contrasted with Microsoft's unified approach, where cost, risk and complexity give way to progress.]
6. [Diagram] Company Portal links the IT Administrator with corporate devices and personal devices, and with cloud services, line of business apps, SaaS apps and Store apps. Microsoft's Enterprise Mobility solution provides user-centric device and information management. The logos above may be the property of their respective owners.
7. [Diagram] Single ID at the centre: single sign-on, self-service experiences, conditional/contextual access, SaaS applications, desktop virtualization. Surrounding pillars: access & information protection; mobile device & application management; hybrid identity.
8. What is Enterprise Mobility Suite?
Hybrid Identity Management w/ Azure Active Directory Premium:
- Single sign-on to over 2,400 SaaS applications
- Multi-factor authentication (MFA)
- Self-service password reset
- Group-based SaaS provisioning
- Centralized application access management
- FIM CALs for on-premises usage
- SLA
- Advanced security reporting
- Cloud App Discovery
Mobile Device & Application Mgmt w/ Microsoft Intune
Information Protection w/ Azure Rights Management
15. Accelerate your organization. What's next in Identity and Access Management (IAM)?
Empower your users. Support end user devices and end user self-service.
- Bring Your Own Device: Workplace Join
- End User Self-Service: password reset, group management
Unify your environment. One user, one identity.
- One Identity: improve user experience, unify cloud and on-prem, reduce compliance risk, reduce IT overhead
- Many Organizations: Administrative Units, B2B (future)
Protect your data. Maintain control while getting out of the way.
- Control Access: Multi-Factor Auth, Conditional Access, RBAC, cloud domain join (W10), next gen creds (W10)
- Encrypt Data: RMS Data Protection
- Maintain Visibility: security reports, heuristic based analytics
Deliver apps faster. Discover, manage, and develop apps faster.
- Discover applications: cloud app discovery
- Manage applications: SaaS App Management, Azure AD App Proxy
- Develop applications: secure, scalable platform; standards based APIs; DevStudio integration; B2C (preview)
16. Enriched user experience through a single, verified identity
- Unified across cloud and on-premises with single sign-on
- Integrated identity solution reduces risk across the business
- Reduced IT burden of creating and managing multiple identities
17. __% of respondents believe their company effectively controls what can be done on the mobile device?
19. What is Enterprise Mobility Suite? (continued)
Mobile Device & Application Mgmt w/ Microsoft Intune:
- Cross-platform mobile device mgmt (Windows, iOS, Android)
- Hardware & software inventory
- Application distribution
- Policy settings
- Full & selective wipe of corporate data
21. Microsoft Intune integrated with System Center 2012 R2 Configuration Manager manages: Mac OS X; Windows PCs (x86/64, Intel SoC); Windows to Go; Windows Embedded; Windows RT; Windows Phone 8; iOS, Android.
22. Manage mobile productivity and protect data with Office Mobile apps for iOS and Android
- Manage policy for existing iOS line of business apps (so called "app wrapping")
- Managed browser and PDF/audio/video viewers
- Provide access to Exchange and OneDrive for Business resources only to managed devices
- Deny access if a device falls out of compliance
- Enable IT to bulk enroll corporate-owned task-worker devices
- Support for Apple Configurator
Manage mobile productivity without compromising compliance. [Diagram: conditional access policy to email and documents; enroll and manage corporate-owned devices; manage mobile productivity and protect data with Office; personal vs. corporate.]
23. [Diagram: managed browser, native e-mail]
1. Susan tries to set up her new unmanaged tablet to connect to Exchange and is blocked.
2. She enrolls the tablet into Windows Intune and is then granted access to Exchange.
3. Susan tries to save an attachment to OneDrive, and is blocked since OneDrive is not managed by IT.
4. She saves the attachment to OneDrive for Business, which is allowed since it is managed by IT.
5. She then tries to copy/paste content into a PowerPoint slide, and is successful.
6. Susan tries to copy text from her attachment and paste it into another, unmanaged app. This action is blocked since this app is not managed by IT.
7. Susan later leaves the company, and a selective wipe is performed on her tablet, removing corporate apps and data while leaving her personal content on the device.
24. [Diagram labels: native e-mail, managed browser, LoB]
Layer 1 – Mobile device lockdown via MDM
Protects corporate data by: restricting device behaviors (PIN, encryption, wipe, disable screen capture and cloud backup, track compliance, etc.); provisioning credentials that enable corporate resource access control.
Gaps it leaves open: apps may share corporate data with other apps outside IT control; apps may save corporate data to consumer cloud services.
Layer 2 – Application and data containers (aka "managed mobile productivity")
Protects corporate data by: preventing apps from sharing data with other apps outside of IT control; preventing apps from saving data to stores outside of IT control; encrypting app data to supplement device encryption.
Gaps it leaves open: only protects corporate data that resides on devices, and cannot protect data beyond a device; applies the same protection to all data that an app touches, and does not allow for specific protection per document.
Layer 3 – Data wrapping
Protects corporate data by: protecting data wherever it resides; providing granular, content-specific protection (e.g. time-bomb vision docs).
Gaps it leaves open: requires enlightened applications; requires all data to be protected if not complemented by Layers 1 and 2.
25. This roadmap contains two Windows Intune releases. Dates are subject to change. Wave H.0: November. Wave H.1: December.
26.
- Deployment of email profiles
- Deployment of certificates
- Deployment of VPN profiles
- Deployment of WiFi profiles
- Configure EAS email only if device is managed (Exchange on-prem)
- Deployment of free store apps for iOS
- Convenient access to internal corporate resources via per-app VPN configurations for iOS
- Required app install/uninstall
- Remote PIN reset for WP 8.1 (currently supported for iOS and Android)
- MFA at enrollment
- Group filtering within admin console (RBAC lite)
- Service account enrollment
- Device lockdown via Supervisor mode (iOS) and Kiosk mode (KNOX)
- Policies and apps targeted to devices
- Application install allow/deny list
- Customizable terms of use
27.
- Configure EAS email only if device is managed (O365)
- Configure MOWA email only if device is managed
- Configure documents only if device is managed **
- Restrict access if device falls out of compliance policy
- Managed Office mobile apps – Word, Excel, PowerPoint
- App wrapper for existing iOS line-of-business apps *
- Managed browser
- PDF viewer, AV player, image viewer
- Selective wipe of managed apps and data
- Support for Apple Configurator
- Device lockdown via Assigned Access mode (WP 8.1)
- URL allow/deny (via Managed browser)
* SSO not supported in December release
** OD4B team dependency – possible delay
43. What is Enterprise Mobility Suite? (continued)
Information Protection w/ Azure Rights Management:
- Share RMS-protected documents with anyone on any device
- On-premises use for hybrid scenarios with no infrastructure
48. Employee productivity − anywhere, any device
"With employees using the self-service password reset feature in Azure AD Premium, we've been able to reduce annual help-desk costs by $20,000."
Empower users to do more with single sign-on, self-service password reset, and managed access to apps
- Provide single sign-on to apps and data from personal or corporate devices based on user identity
- Enable self-service password reset with multi-factor authentication
- Let users register personal devices and install IT-approved apps through a web-based, company-specific app store (Company Portal)
[Diagram: single sign-on; self-service password reset; Company Portal; download apps.] Enable your mobile workforce
49. "With Windows Azure MFA, we have a stronger level of protection for Office 365…so we have all of our external services well protected."
Authenticated access to apps and data. Make sure users are who they say they are
- Verify identity with multi-factor authentication (call, text, mobile app)
- Choose who can read, copy, print, save, forward, and edit − and set when these rights expire
- Let users download only the apps they're authorized to use through the Company Portal
[Diagram: multi-factor authentication in front of data, apps and docs. Double-check identity through text, call or app; log on to any device; help protect corporate data, apps and docs.]
50. "Now we can deploy, secure, and manage mobile apps that staff use to move faster than the competition and drive business."
Remote device management across platforms. Deliver an up-to-date and security-enhanced experience on nearly any device
- Remotely manage & help protect Windows, iOS, and Android devices
- Handle device theft and loss with remote wipe: selectively remove corporate apps, data, and policies
- Better protect corporate data as users and devices travel
- Deploy policies and updates, and inventory HW and SW via the cloud
[Diagram: IT manages Android, iOS and Windows devices via the cloud.] Simplified device management via the cloud
51. [Diagram, as on slide 6] Company Portal links the IT Administrator with corporate devices and personal devices, and with cloud services, line of business apps, SaaS apps and Store apps. Microsoft's Mobile Management solution provides user-centric device and information management. The logos above may be the property of their respective owners.
52. …lets you build on your investments: 66% of enterprise seats covered with System Center Configuration Manager; 240m user accounts in Microsoft Azure Active Directory; 14B+ Microsoft Azure Active Directory authentications per week.
54. PLA would like to help your organization gain clarity on how to manage your mobile workforce Bring Your Own Device (BYOD) challenges. Microsoft's Enterprise Mobility Suite can help make this dream a reality and allow you to proactively control your evolving mobile users and their devices.
Topics include:
- End-User Mobility
- Implementing Hybrid Identity Management
- Mobile Device & Application Management
- Access & Information Protection
- Self-service Password Reset
For more information contact PLA at EMS@projectleadership.net or call (877) 752-0451.
Enterprise Mobility Suite ½ Day Strategy Assessment: each person that completes a ½ day EMS Strategy Assessment by 12/31 will be entered into a drawing to win a Surface Pro 3.