Mobility is the new normal
There are a couple of mega trends that have been changing the world of work as many of us know it. The place where people work is no longer exclusively the workplace. People work from home, from cafes, from customer sites, on the road, in the air. In fact people can – and do – work from just about anywhere. Even when they’re in the office, people don’t expect to be sitting at their desk in order to be productive. We are in an era where mobility really is the new normal. The cloud-first, mobile-first world is here. People expect to have the ability to work where, when and how they choose. Using the devices they love and the apps they are familiar with. Just look at the story told by some of these stats: 66% of employees use personal devices for work. A large percentage of employees work away from their desk – even when they are in the office. And BYOD is going to mean a new way of working across apps and data.
PCIT: People-centric IT (PCIT) enables every employee IT supports to work from virtually anywhere, on the device of their choice, while giving IT a consistent way to manage and protect it all.
EMM: Enterprise mobility management (EMM) is an all-encompassing approach to securing and enabling employee smartphones and tablets that covers mobile device management (MDM), mobile application management (MAM), mobile information management (MIM) and mobile content management (MCM).
MDM: System Center Configuration Manager 2012 R2 uses Microsoft Intune as an Internet gateway to enroll, secure, and manage mobile devices. PCIT means we expect employees to have multiple devices and we therefore license “by user” instead of “by device.” It also means you use a single console to manage desktops, laptops, servers, tablets and smartphones running a variety of operating systems.
MAM: System Center Configuration Manager 2012 R2 delivers a private app store via a native portal downloaded from the Windows Store, Apple App Store and Google Play. This PCIT way of delivering software means employees get the corporate apps they need for the mobile devices they use in order to be productive at work.
MIM: Active Directory Rights Management Services (AD RMS) on Windows Server 2012 R2 encrypts sensitive data so that only approved applications and users can open it. PCIT lets IT protect corporate data by defining classifications based on content. Because the protection travels with the content, users cannot forward, save or print Exchange/Outlook emails and attachments that carry sensitive data, and a protected file that is copied to Dropbox stays encrypted and unreadable there.
MCM: The PCIT way of giving users access to corporate resources begins with Windows Server 2012 R2 working with Active Directory to allow mobile devices to register via Workplace Join so IT knows about them. The registered device receives a certificate that AD FS can treat as a second factor, and that is what gives registered devices single sign-on to corporate resources and applications. Mobile access to those corporate resources is provided by the Web Application Proxy feature of Windows Server 2012 R2. If you’ve used ISA Server, TMG, or UAG to publish Exchange ActiveSync, then you know how Web Application Proxy works: it is a reverse proxy that publishes internal web applications to the Internet. Encrypted file synchronization is delivered to mobile devices via Work Folders as an IT-controlled alternative to Dropbox.
IT has had to respond and there are tools available to help address many of the challenges we’ve outlined already.
But the majority of solutions manage either PCs or mobile devices. Not both.
The result is that many organizations have two lots of infrastructure set up to manage devices for the same user.
This adds cost and complexity from an IT perspective.
It also means that the end user is most likely getting a different experience across their devices.
Not ideal for anyone!
In addition, the user can end up having to sign in multiple times, with a different experience across different devices. Frustrating and inefficient!
Now that we’ve talked about how you can provide your users access to resources from virtually anywhere, on any device, we need to turn to the second section of our discussion: making sure that, with all the empowerment you’re providing to your workers, you can still maintain corporate security and compliance, as well as the efficiency of your IT processes. Given the explosion of devices that you’ll see coming through the door, it is absolutely essential that you have an infrastructure in place to manage these devices without introducing complexity or astronomical budget increases.
Unified infrastructure enables IT to manage devices “where they live”
The Microsoft solution is focused on helping reduce client management infrastructure costs and complexity. With the integration between Configuration Manager and Microsoft Intune, we offer a single console that integrates both on-premises and in-the-cloud management. Client management and security are offered in a unified single solution, giving you a streamlined approach to managing devices and applications as well as identifying and remediating threats and non-compliance. If you’re a current Configuration Manager customer, adding Microsoft Intune cloud-based management is quick and easy. With this unified solution, organizations are able to manage endpoint devices “where they live.” This also includes connectivity to Office 365 for EAS-based management policies.
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Policies can be applied across various devices and operating systems to meet compliance requirements, to the extent of the capabilities exposed on those platforms
Extended native management for Windows RT, iOS and Android
IT can provision certificates, VPNs, and Wi-Fi profiles on personal devices
Full app inventory and application push install for corporate-owned devices, inventory of “managed” apps and publishing of apps for personal devices
Remotely wipe and unregister corporate devices from management system (as supported by each operating system)
IT can manage the device and application life cycle by removing MDM-specific content from devices no longer managed
Selective wipe of managed applications’ data, i.e. applications that were installed through Microsoft Intune
For Windows, Windows Phone and iOS a rich Company Portal experience is provided, enabling the user to get easy access to their corporate applications.
For Windows, iOS and Android (4.x) this application is available from the public application stores. For Windows Phone, the Company Portal is provided to the user during their enrollment in Microsoft Intune.
Let’s begin by thinking about how we can help IT enable users: how IT can deliver on users’ desire to work on their own device with access to all their apps and data, and yet still retain control so that business and compliance requirements can be met.
Let’s start with the ultimate goal: users can work from anywhere on their devices with access to their corporate resources. This can be achieved through native applications for the device platform, web-based applications, and through data sync via Work Folders. Now, there may be some applications and data that you do not want to be available locally on devices; users can access those centralized applications and data through Desktop Virtualization, whether that be VDI, Session Host, or RemoteApp.
You can empower users to register their devices for single sign-on and access to corporate data with Workplace Join. As previously covered, this is a give and get system, and it allows IT to be able to open up access to applications and data that otherwise would not be available, in return for knowing about the device.
An easy way for users to get all their applications in one place is by enrolling their devices for access to the company portal. This enrollment joins the device to the Windows Intune management service and allows the installation of the company portal, which IT can populate with internal line-of-business (LoB) applications as well as links to applications that are available in the public app stores. From within the company portal, users can also manage their devices and perform actions such as wiping a lost or replaced device.
IT can provide seamless corporate access with DirectAccess and with automatically triggered VPN connections. DirectAccess allows users to work remotely and always be connected to the corporate network without the need to initiate a VPN connection. New with Windows Server 2012 R2 and Windows 8.1 is the ability to configure applications to trigger the VPN connection when the application is launched.
IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity. New in Windows Server 2012 R2, using the Web Application Proxy, IT can publish internal web applications that user devices connect to, either through native applications or a web browser. Additionally, the Web Application Proxy can pre-authenticate the user and the device through AD FS and enforce access policies such as requiring the device to be registered or invoking multi-factor authentication.
Azure Active Directory Premium, Microsoft’s advanced identity and access management solution for the cloud, has been generally available since April 2, 2014. Capabilities like synchronization with on-premises directories, single sign-on to thousands of SaaS applications, machine learning-based security and usage reports, alerting, Multi-Factor Authentication, company branding, self-service password reset, group management delegation, an enterprise-scale SLA and more provide the level of reliability required by enterprises with advanced identity and access management needs.
Besides the cloud capabilities, Azure AD Premium includes usage rights for Forefront Identity Manager: an unlimited number of FIM servers and a user CAL for every Azure AD Premium subscriber.
Free services, such as Azure Active Directory free, do not have an SLA. Azure Active Directory is the identity foundation for many Microsoft services like Microsoft Intune, Office 365 and others. These services have an uptime SLA of 99.9%, and Azure Active Directory has to maintain the same stringent availability standards as the services that depend on it.
So Office 365 customers get a 99.9% SLA, and that includes the ability to sign in to the service, which is provided by Azure AD.
If your enterprise uses cloud-based SaaS or custom LoB applications that are not pre-integrated into Azure Active Directory, you can follow simple steps to add them and enable single sign-on to them too.
Azure Active Directory sign-in gives developers a way to avoid a separate ID and password for their application. Users get single sign on across your application and other applications like Office 365. Support for industry standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect makes sign-in possible on a wide variety of platforms such as .Net, Java, Node.js, and PHP. The REST-based Graph API enables read and write to the directory, which is often essential for access management. Through support for OAuth 2.0, developers can build mobile and web applications that integrate with Microsoft and third party web APIs, and build their own secure web APIs. Open source client libraries are available for .Net, Windows Store, iOS, and Android, with additional libraries under development.
So a developer can build an application on any platform (.Net, Node, Java), host it in any cloud (we strongly recommend building on our platform and hosting it on Azure) and leave the identity management to Azure AD.
More info on what we offer to developers for application integration: http://msdn.microsoft.com/en-us/library/windowsazure/dn151121.aspx
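The relying-party side of the OpenID Connect sign-in described above, as an added example (it is not Microsoft code and not from these notes): the id_token the app receives is a JWT signed with RS256, and the app must verify the signature against the tenant’s published signing key and then check issuer, audience and validity window before trusting any claim. Assumptions: the issuer URL (with an all-zero tenant GUID), client ID, kid and user are placeholders; the RSA key is generated in-process with a demo-only routine so the example runs offline, whereas a real app fetches the keys from the tenant’s JWKS endpoint; Python 3.8+ for `pow(e, -1, phi)`. Use a maintained JWT library in production; the point here is which checks the library must be configured to make.

```python
import base64, hashlib, hmac, json, math, random

_rng = random.SystemRandom()
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # assumed tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # assumed application (client) ID

def b64url_encode(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=32):
    # Miller-Rabin; fine for a throwaway demo key, not for real key generation.
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=1024):
    # Demo-only key, deliberately small so the example runs in about a second.
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, message):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(pub, message, signature):
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= pub["n"]:
        return False
    return hmac.compare_digest(pow(s, pub["e"], pub["n"]).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def issue_id_token(key, kid, issuer, audience, subject, now, ttl=3600):
    # Identity-provider side; included only so the example runs offline.
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "nbf": now, "exp": now + ttl}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    return signing_input + "." + b64url_encode(rsa_sign(key, signing_input.encode()))

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def validate_id_token(token, jwks, expected_issuer, expected_audience, now, leeway=60):
    # Relying-party side: nothing in the payload is trusted until every check passes.
    parts = token.split(".")
    _require(len(parts) == 3, "malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: honouring the token's own "alg" enables the "none" and RS256-to-HS256 attacks.
    _require(header.get("alg") == "RS256", "unexpected alg %r" % header.get("alg"))
    pub = jwks.get(header.get("kid"))
    _require(pub is not None, "unknown kid")
    _require(rsa_verify(pub, (parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2])), "bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    _require(claims.get("iss") == expected_issuer, "wrong issuer")
    aud = claims.get("aud")
    _require(expected_audience in (aud if isinstance(aud, list) else [aud]), "wrong audience")
    _require(now < int(claims.get("exp", 0)) + leeway, "token expired")
    _require(now >= int(claims.get("nbf", 0)) - leeway, "token not yet valid")
    return claims

def demo(now=1400000000):
    key = gen_rsa_key()
    jwks = {"demo-kid": {"n": key["n"], "e": key["e"]}}  # what the tenant's JWKS endpoint publishes
    token = issue_id_token(key, "demo-kid", ISSUER, CLIENT_ID, "alice@contoso.example", now)
    h, c, s = token.split(".")
    forged = dict(json.loads(b64url_decode(c)), aud="some-other-app")  # re-targeted payload, old signature
    attempts = [
        ("genuine", token, now + 5),
        ("forged_payload", h + "." + b64url_encode(json.dumps(forged).encode()) + "." + s, now + 5),
        ("alg_none", b64url_encode(b'{"alg":"none"}') + "." + c + ".", now + 5),
        ("expired", token, now + 3600 + 61),
    ]
    results = {}
    for name, tok, at in attempts:
        try:
            results[name] = "sub=" + validate_id_token(tok, jwks, ISSUER, CLIENT_ID, at)["sub"]
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

`demo()` returns one verdict per attempt: the genuine token yields its subject, the re-targeted payload fails the signature check, the `alg: none` header is rejected before any key lookup, and the same token presented after `exp` plus leeway is refused. Note that the audience check is what stops a token issued to a different application in the same tenant from being accepted here, even though its signature is valid.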
At this point we must highlight that Azure Active Directory can also provide identity management for cloud-only solutions. If there is a need for a custom-branded cloud directory to host identities and provide authentication to cloud-based apps built on Azure or on any other public cloud, Azure Active Directory can address that need. Create an Azure Active Directory tenant, give it the name you want, add users and assign them access to cloud-based apps with a new set of credentials. That could be a solution for customer, partner or vendor projects, or for companies and departments that are cloud-only.
Pre-integrated or easily added SaaS apps, custom LoB cloud-based apps and newly developed apps, hosted on Azure or any other cloud, can all be connected to Azure Active Directory, making it the home of all the CLOUD-BASED applications you need.
All capabilities described in this slide are included in the free and premium offering
From the beginning of this presentation one key principle we highlighted is the effort to empower end users and simplify how they access applications across many disparate systems, ultimately making them happier and more productive. This happens when they can access all their apps from many devices and geographies with a single set of credentials and get self-service capabilities. Azure Active Directory is focused on this key capability.
When administrators assign access to pre-integrated SaaS applications from the Azure Portal, as we described earlier, shortcuts to these apps (tiles) are displayed for every user on a single personalized web page hosted on Azure. This web page is called the Access Panel, and from it every user has a personalized view of their apps.
The link to the Access Panel is easy to remember: myapps.Microsoft.com
Mobile applications are also available to provide the same experience from mobile phones.
From the Access Panel of every user all displayed SaaS apps can be launched using a single set of credentials.
Being a web page hosted on Azure, the Access Panel is accessible from any device and any place, giving end users the flexibility they need. Some restrictions exist for SaaS apps that use Password SSO instead of federated SSO: those apps can be launched only from desktop browsers, and IE, Chrome and Firefox are supported for now.
The reason is that Password SSO works by having a browser add-on fill in the credentials that Azure AD stores for the app, so the add-on must be installed before such apps can be launched. Federated SSO hands the app a signed token instead, which is why it needs no add-on and works from any client.
The logon screen and the Access Panel itself can be customized (company branded) to carry the logos and color schemes the IT administrator wants. This is done from the “configure” tab of the Azure Management Portal and is a feature of the premium offering.
Via the Access Panel, users can review their profile and change their password or their Multi-Factor Authentication settings (if the feature is enabled for them).
1500 SaaS apps are already in the application gallery and counting …
For the most up-to-date content of the application gallery see http://www.windowsazure.com/en-us/gallery/active-directory
Multi-Factor Authentication offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them. And, support for multiple methods ensures additional authentication is always available.
Multi-Factor Authentication apps are available for Windows Phone, iOS phones and tablets, and Android devices. Users download the free app from the device store and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device and the user taps to approve or deny the authentication request; cellular or Wi-Fi access is required for this. For offline authentication, the app works like a software token and generates a one-time passcode that is entered during sign-in. The one-time passcode method is comparable to the soft-token solutions offered by vendors like RSA and Gemalto.
Automated phone calls are placed by the Multi-Factor Authentication service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign in.
Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign in screen.
This table shows the supported licensing mechanisms for the different Microsoft Intune SKUs and for the Enterprise Mobility Suite.
Note that the enterprise mobility suite is only available through Enterprise Agreement (EA) and Enrollment for Education Solutions (EES)
Contrasting this is Microsoft Intune, which is also now available through:
the direct Microsoft Online Services Program (MOSP)
the new Cloud Solution Provider Program (CSPP)
the new Microsoft Products and Services Agreement (MPSA)
Also note that under EA/EAS there are options for customers to “Bridge” from Core or Enterprise CAL to Intune and/or Office 365.
Also, under Open and EA/EES there is a Microsoft Intune add-on option for customers that are already licensed for System Center Configuration Manager.
Also worth noting is that Azure Active Directory Premium is only available through Enterprise Agreement (EA) and Enrollment for Education Solutions (EES), while Azure Rights Management is available more broadly across MOSP, MPSA or EA/EES.
Microsoft’s vision is to provide a solution that meets the needs of today’s modern workplace: a solution that will help you protect your data, manage the growing number of mobile devices, unify environments that span operating systems and enable seamless collaboration for your workers across all their devices.
This solution is Office 365 + the Enterprise Mobility Suite + Windows Enterprise. These solutions will help you thrive in the modern workplace and empower users with best-in-class productivity across devices while providing IT with the tools they need to help maintain security and control.