Simplify management of apps & devices
Microsoft Intune provides mobile device management, mobile application management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
1. David J. Rosenthal, CEO, Atidan
August 21, 2016
Microsoft Briefing Center, NYC
Microsoft Intune
Mobile device and application
management from the cloud
2. 52 percent of information
workers across 17 countries
report using three or more
devices for work*
>80 percent of employees
admit to using non-approved
software-as-a-service (SaaS)
applications in their jobs***
90 percent of enterprises will
have two or more mobile
operating systems to support
in 2017**
* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
5. It just works
Preserve existing investments
It’s integrated on common identity
Access from many devices
Support iOS, Android, Windows
It’s comprehensive
Protection at all layers Identity, device, apps, data—built in
It protects Office better
Manage and secure productivity
6. Unify identity
Azure Active Directory Premium
Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
Manage apps and devices
Microsoft Intune
Manage and protect corporate apps and data on almost any device with MDM and MAM.
Protect data
Azure Rights Management
Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.
8. Mobile application management
PC management
Mobile device management
IT
User
Microsoft Intune
Intune helps organizations provide their employees with access to corporate
applications, data, and resources from virtually anywhere on almost any
device, while helping to keep corporate information secure.
9. Enroll
• Provide a self-service Company
Portal for users to enroll devices
• Deliver custom terms and
conditions at enrollment
• Bulk enroll devices using Apple
Configurator or service account
• Restrict access to Exchange
email if a device is not enrolled
Retire
• Revoke access to corporate
resources
• Perform selective wipe
• Audit lost and stolen devices
Provision
• Deploy certificates, email, VPN,
and WiFi profiles
• Deploy device security policy
settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate
resources if policies are violated
(e.g., jailbroken device)
• Protect corporate data by
restricting actions such as copy, cut,
paste, and save as between Intune-
managed apps and personal apps
• Report on device and app
compliance
User IT
11. IT
User
Actions upon device enrollment
• Deploy email, VPN, and WiFi profiles
• Deploy certificates
• Deploy and install apps
• Deploy managed app configuration policies
• Apply and enforce device configuration settings
• Collect hardware and software inventory data
Microsoft Intune
Devices
enrolled
12. Microsoft Intune
Corporate email server
IT
Deploy email profile upon enrollment
• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, task, contacts, and calendar
• Support for iOS, Samsung KNOX, and Windows Phone
Any email service supported by Exchange ActiveSync
User
13. Microsoft Passport replaces passwords with strong two-factor authentication to
help protect user identities and user credentials
• Intune can deploy certificates to Microsoft Passport to
authenticate users and help them to access corporate
resources
• Intune manages Passport for Work policy including PIN
settings, biometrics settings, Trusted Platform Module
(TPM) requirements
Intune provides comprehensive management of
Microsoft Passport
• Credentials protected by hardware or software
• Credentials can be based on certificate or local keys
• Can be accessed using biometrics (Windows Hello) or PIN
14. Azure AD Join makes it possible to connect
work-owned Windows 10 devices to your
company’s Azure Active Directory.
With Azure AD Join, you can auto enroll
devices in Microsoft Intune for management.
Azure AD Join for Windows 10
Windows 10 Azure AD
Joined Devices
Intune / MDM
auto-enrollment
Intune auto-enrollment
Enterprise-compliant services
Support for hybrid environments
Single sign-on from the desktop to cloud
and on-premises applications with no VPN
16. Consistent experience across Windows,
Windows Phone, Android, and iOS
Discover and install corporate apps
Manage devices and data
Ability to contact IT
Customizable terms and conditions
17. Volume purchasing integration
Assign licenses to users
Purchase licenses in bulk for paid
apps using the Windows Store for
Business and Apple Volume
Purchasing Program (VPP)
Deploy licenses to users with
Intune and install apps as required
License and app
installed by store
Deploy offline app packages to
Windows 10 devices that cannot
access the Windows Store with
System Center Configuration
Manager
20. Business
Manager
IT
Apply policies
School
Retail Store
Restaurant
Deploy policies using Intune to lock down devices so
they can only run applications allowed by IT
Allow multiple users to use the same device and
customize device experience based on identity
Deploy Device Guard policies using Intune to only allow
trusted applications to run on Windows 10 devices
26. Apply and enforce device configuration settings across iOS,
Android, and Windows via Intune MDM
Collect hardware and software inventory data for reporting
Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM –
including Windows Defender (anti-malware), Firewall, and Cortana
27. Enforce corporate data
access requirements
Prevent data leakage
on the device
Enforce encryption
of app data at rest
App-level
selective wipe
28. Maximize mobile productivity and protect corporate resources
with Office mobile apps – including multi-identity support
Extend these capabilities to your existing line-of-business
apps using the Intune App Wrapping Tool
Enable secure viewing of content using the Managed Browser,
PDF Viewer, AV Player, and Image Viewer apps
Managed apps
Personal apps
IT
User
Corporate data
Personal data
Multi-identity policy
29. Prevent data leakage for Office
mobile and other apps on
unmanaged devices or devices
managed by a third-party MDM.
Protect data at the file level for
Office documents and more with
Azure Rights Management.
Enable familiar Office experiences
for employees. No enrollment.
Personal apps
Corporate apps
Azure Rights
Management
MDM
policies
MAM
policies
File
policies
MDM – optional
(Intune or 3rd-party)
30. Familiar Office experience
• Seamless “enrollment” into app management
• Use for personal and corporate accounts
Comprehensive protection
• App encryption at rest
• App access control – PIN or credentials
• Save as/copy/paste restrictions
• App-level selective wipe
MDM mgmt. by Intune or third-party is optional
Extend protection to a file level with Azure RMS
Might be a good solution for these scenarios:
• BYOD when MDM is not required
• Extending app access to vendors and partners
• Already have an existing MDM solution
31. (1) User installs an app from the Apple App Store or Google Play
(2) User logs in with Office 365 credentials
(3) Azure AD verifies that the app and user are allowed to access Office 365
(4) Intune applies MAM policies to the managed apps
(5) Access to Office 365 is granted
(6) User continues to use the app as per usual
User
Office 365
Azure AD
32. Microsoft apps, such as Office, Dynamics CRM, Power BI, and more
Partners that integrated their apps with Intune App SDK
33. Personal apps
Managed apps
Perform selective wipe via self-service
company portal or admin console
Remove managed apps and data
Keep personal apps and data intact
IT
IT
34. Configure and manage EDP policies with Intune
and Azure Rights Management
Separate personal and corporate data with
limited impact to employee’s day-to-day activities
Protect data at rest and wherever it may
roam*
User
Corporate
network
Microsoft Intune
&
Azure Rights
Management
Apply policies
Save
Save
Share files and
enforce policies
File share
Personal
storage
Secure content collaboration through
integration with Azure Rights Management
* Some roaming scenarios use Azure Rights Management
Control app access to corporate data and
prevent copy and paste-related data leaks
35. Microsoft Intune Microsoft Intune Azure Rights Management
Device protection
BitLocker
Device Guard
Device settings
Windows
Defender
Data separation Leak protection
Enterprise
Data Protection
Sharing protection
Rights
Management
36. Containers
Depends on
specific DMZ
infrastructure
Works on-
premises only
SharePoint
Server
Exchange
Server
Corporate
network
Active Directory
Firewall
Firewall
DMZ/
Perimeter
network
SDK/wrapper, managed browser,
managed viewers
Custom SDK/wrapper
enables line-of-business
apps to be managed
Mobile application
management
Custom data container
provides mobile productivity
apps integrated with content
and access systems
Custom
email app
Custom
file app
Custom
collab app
Native device MDM
Standard MDM provides
device configuration and
management
37. Standard
on-premises
integration
SharePoint
Online
Exchange
Online
Cloud integration
Intune App SDK
Intune App Wrapping Tool
Extensibility based on Azure AD and Intune
Enable business apps to interoperate with Office mobile apps
SharePoint
Server
Exchange
Server
Corporate
network
Active Directory
Firewall
Firewall
DMZ/
Perimeter
network
Managed Office productivity and more
Office 365: Mobile productivity
Azure AD: Access control to Office 365 and SaaS apps
Intune: App restrictions for Office mobile and LOB apps
Azure Rights Management: Information protection at the file layer
Native device MDM
Intune: Cross-platform MDM
38. Identify and authorize user
Apply device policies
Apply application policies
Apply content policies
User IT
Active Directory Premium
Rights Management
Enterprise Mobility Suite
40. Mobile devices and PCs Mobile devices
System Center
Configuration
Manager
Domain joined PCs
Configuration Manager integrated with Intune (hybrid)
Intune standalone (cloud only)
IT IT
Intune web console Configuration Manager console
41. • Always up-to-date, no need to migrate
• Always available and reachable
• Easy to try, adopt, and deploy
• Integrates with existing on-premises infrastructure
• Disaster recovery and geo-diversity
• Assign your data to a region
• Built from the ground up: datacenter, fabric, SaaS
• Built using world-class engineering and security
• Compliant and certified
• Financially backed Service Level Agreements (SLAs)
Intune
Office 365
Azure
Active Directory
Azure
Rights Management
42. Security reports,
audit reports,
multi-factor
authentication
Self-service
password reset
and group
management
Single sign-on
to over 2,400
popular SaaS
applications
Information
protection
Document tracking Bring your
own key
Mobile device
settings
management
Mobile application
management with
Office mobile apps
Conditional
access and
selective wipe
Active Directory Premium
Rights Management
43. Making it easier to deliver
a great brand experience
Keeping the selling workforce
productive
Bringing a new level of
efficiency to management
44. For more information, please contact:
David J. Rosenthal, CEO
office365@Atidan.com
1-215-825-5045 ex. 5005
Learn more about our enterprise mobility products
and solutions:
Enterprise Mobility Suite:
aka.ms/EnterpriseMobilitySuite
Mobile device and application management:
aka.ms/MDM-MAM
Microsoft Intune:
aka.ms/MicrosoftIntune
System Center 2012 R2 Configuration Manager:
aka.ms/ConfigMgr
46. “By using Microsoft Intune, we can
improve staff members’ work experience
and guest satisfaction, while reducing IT
labor and operational costs. Everyone
wins.”
Tim Banham
Solution Architect
Mitchells and Butlers
47. “Our competitive strategy depends on
deploying Microsoft Intune to manage
1,200 tablets used by our independent
sales contractors to improve our in-
home sales process and win more
business.”
Steven Creaney
Senior .NET Developer
Empire Today
48. “By adding Microsoft Intune to our
environment … we can deploy, secure,
and manage mobile apps that staff use
to move faster than the competition and
drive business.”
Gurdip Kundi
Senior Systems Engineer
Foxtons
49. “We use the Enterprise Mobility Suite to
empower employees to use their own
devices to securely access and share
their data. The upshot? We’re improving
project management and reducing
costs.”
Patrick Wirtz
Innovation Manager
The Walsh Group
53. End users
• Need fast and easy way to enroll CYOD devices
• Should not be able to un-enroll devices that are corporate-owned
• Need access to corporate apps and other MDM capabilities on devices to be productive
IT admins
• Need easy way to prepare corporate-owned devices for enrollment
• Need to distinguish corporate-owned devices from personal-owned devices in the management console
• Need fast and easy way to bulk enroll shared devices
• Need devices to be secure at all times and within IT control
54. Windows 8.1 Windows 10
Basic management and
security settings
Device lockdown
Comprehensive
device management
Phone Desktop Phone Desktop
Significant investments in added functionality for both mobile and desktop devices
55. Personal apps
Managed apps
Maximize productivity while preventing leakage of company
data by restricting actions such as copy, cut, paste, and save
as between Intune-managed apps and unmanaged apps
User
56. New intuitive dashboard
Respond to alerts
Manage software deployments
Configure and deploy policies
View reports
Role-based management
Intune web console
57. Mobile devices and PCs
Intune standalone (cloud only)
IT
Intune web console
Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager
deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date
Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
• OS X
58. Configuration Manager integrated with Intune (hybrid)
Mobile devices
System Center Configuration Manager
Domain joined PCs
IT
Configuration Manager console
System Center 2012 R2 Configuration Manager with Microsoft Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
• Deep policy control requirements
• Greater scalability
• Extensible administration tools (RBA, PowerShell, SQL reporting services)
Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows to Go
• Windows Server
• Linux
• OS X
• Windows RT
• Windows Phone 8.x
• iOS
• Android
59. Intune standalone (cloud only)
• Lightweight, agentless OR agent-based management
• PC protection from malware
• PC software update management
• Software distribution
• Proactive monitoring and alerts
• Hardware and software inventory
• Policies for Windows Firewall management
Configuration Manager integrated with Intune (hybrid)
• Lightweight, agentless OR comprehensive agent-based management
• PC protection from malware
• PC software update management
• Software distribution
• Proactive monitoring and alerts
• Hardware and software inventory
• Policies for Windows Firewall management
• Operating system deployment
• PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management
• Power management
• Custom reporting
60. Comprehensive security
policies are enforced on
each platform
Reporting available on
each setting whether it is
applicable, conformant or
has an error
Extensive configuration
settings are available for
each platform
Policies can be applied to
user and device groups
User
62. WiFi settings Manage and distribute certificates
Provision networks
Setup certificate based authentication
63. IT
User
Hardware properties for mobile
devices are collected
Company app inventory is collected
Personal app inventory is not collected
Reporting
64. Mobile device
Microsoft Intune
Azure Active Directory
Office 365
Quarantine
• Attempt email connection
• If not compliant, push device into quarantine
• Quarantine email with remediation steps
• Link to enroll device and compliance remediation steps
• Enrollment / compliance remediation
• Set device management/compliance status
• If compliant, email access is granted
Who does what?
• Intune: Evaluate policy compliance for device
• Azure AD: Authenticate user and provide device compliance status
• Exchange Online: Enforces access to email based on device state
65. Mobile device
Microsoft Intune
On-premises Exchange server
Quarantine
• Attempt email connection
• Block unmanaged device
• Allow managed device
• If not managed, push device into quarantine
• Quarantine email with remediation steps
• Link to enroll device
• Device enrollment
• If managed, email access is granted
Who does what?
• Intune: Evaluate and manage device state
• Exchange Server: Provides API and infrastructure for quarantine
66. Office mobile apps
Microsoft Office mobile apps are natively manageable with Intune
• Word
• Excel
• PowerPoint
• OneNote
• Outlook
• OneDrive for Business
Intune Viewer apps
Intune provides apps for secure content viewing
• Managed Browser
• PDF Viewer
• AV Player
• Image Viewer
Intune App Wrapping Tool
Make any app manageable without modifying code
• ‘Wrap’ internal line-of-business (LOB) apps to manage with Intune MAM policies
Intune App SDK
Build your apps from the ground-up with Intune App SDK
• Developers can easily integrate applications for manageability
• Provide more control over user experience with App SDK (vs. App Wrapping Tool)
67. Intune App Wrapping Tool
Allows you to apply Intune MAM policies to existing line-of-business (LOB) apps:
• Post-compilation command line tool for IT Pros
• Supports repackaging unencrypted applications
• Applications are signed with company-specific certificates
Intune App Wrapping Tool:
• Platform-specific tools for iOS (Mac OS X 10.8.5+) and Android (Windows)
• Published by Microsoft (available on Download Center)
• Product documentation and in-tool command line help
Intune App SDK
Enables additional options to manage internal apps with Intune MAM policies:
• Intune App SDK and App Wrapping Tool use the same processing and enforcement engine
• SDK can be used for both LOB apps and store apps
• Enables additional MAM functionality over the app than the App Wrapping Tool (for example: disable save as functionality of the app)
69. App origination Scenarios
Windows
8.1/10
Windows
Phone 8.1
iOS Android
Line-of-business apps
(Sideloading)
Available in Company Portal; targeted to
users
● ● ● ●
Mandatory install and uninstall; targeted
to users and devices
● ● ●
User consent
required
●
User consent
required
Public store apps Deep linked app; available in Company
Portal; targeted to users
● ● ● ●
Managed store app; available in Company
Portal; targeted to users
● ●
Managed store app; mandatory install
and uninstall; targeted to users and
devices
●
User consent
required
●
User consent
required
70. External/Deep linked apps
• End user is taken to the store for installation
• Installation status is not reported in the admin console
• IT Pro can only make it available in Company Portal
• App on the device is marked as a personal app in inventory
• Works for both free and paid apps
• MAM policies cannot be applied
Managed store apps
• No trip to the store; installation begins directly
• Installation status is reported in the admin console
• Push apps; apps can be installed directly.
• App on the device is marked as a managed app in the inventory
• Works only for free store apps
• MAM policies can be applied
71. Full wipe
Restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting corporate-owned devices
Selective wipe
Remove company assets from device
• Company resources (apps, data, profiles, certificates, settings, and email) are removed
• MAM support adds ability to remove only corporate data from multi-account applications
• Typically used for personal-owned devices
72. Bulk enrollment
• Bulk enroll devices with a service account
• Support for Apple Configurator
• Support for Apple Device Enrollment Program
• Windows 10 provisioning profiles
Configuration policies
• Custom iOS policy
• Device lockdown
• Policies and apps targeted to devices
• Application install allow/deny list
73. Enrolls devices on behalf of users
Apply policies
IT
Business Manager
Distributes to users
Restaurant
School
Retail Store
74. Export device enrollment
profile from Intune
Configure iOS
devices with the
Apple Configurator
iOS devices will
automatically enroll on
first power on
Import to Apple
Configurator
IT
User
76. IT
User
Export a custom
configuration policy
from Apple
Configurator
Import the custom
configuration file to
Intune
Deploy a custom
policy to iOS devices
77. Platform: Allow/block enforcement
• Windows 10: Enforced by device OS (always compliant)
• Windows Phone 8.1: Enforced by device OS (always compliant)
• iOS: Audit reporting
• Android: Audit reporting
78. *
*
App origination Scenarios
Windows
8.1/10
Windows
Phone 8.1
iOS Android
Installation
status
Application
update
Line-of-business
apps (Sideloading)
Available in Company
Portal; targeted to users
● ● ● ● ● ●
Mandatory install and
uninstall; targeted to
users and devices
●
User consent
required
●
User consent
required
● ●
Public store apps Deep linked apps;
available in Company
Portal; targeted to users
● ● ● ●
Managed store apps;
available in Company
Portal; targeted to users
● ● ●
Managed store apps;
mandatory install and
uninstall; targeted to
users and devices
●
User consent
required
●
User consent
required
●
80. Platform
Desktop Apps
(.msi, .exe) *
Modern App Types Managed
Store
app
Side loading Deep
Links
Web
apps.app .app .ipa .apk
Windows 8.1/10 ● ● ● ●
Windows RT ● ● ●
iOS ● ● ● ●
Android ● ● ● ●
Windows Phone ● ● ●
Windows 7 and below ● ●
81. Features by category, with the offerings that include them (columns: Exchange ActiveSync; MDM for Office 365; Microsoft Intune (cloud only); Intune + ConfigMgr (hybrid))
Device configuration (Exchange ActiveSync, MDM for Office 365, Microsoft Intune cloud only, Intune + ConfigMgr hybrid)
• Inventory mobile devices that access corporate applications
• Remote factory reset (full device wipe)
• Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
• Self-service password reset (Office 365 cloud only users)
Office 365 (MDM for Office 365, Microsoft Intune cloud only, Intune + ConfigMgr hybrid)
• Provides reporting on devices that do not meet IT policy
• Group-based policies and reporting (ability to use groups for targeted device configuration)
• Root and jailbreak detection
• Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
• Prevent access to corporate email and documents based upon device enrollment and compliance policies
Premium mobile device & app management (Microsoft Intune cloud only, Intune + ConfigMgr hybrid)
• Self-service Company Portal for users to enroll their own devices and install corporate apps
• App deployment (Windows Phone, iOS, Android)
• Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles
• Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management)
• Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune
• Remote device lock via self-service Company Portal and via admin console
PC management (Microsoft Intune cloud only, Intune + ConfigMgr hybrid)
• Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.)
• PC software management
PC management (Intune + ConfigMgr hybrid only)
• Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.)
• Windows Server/Linux/UNIX/Mac OS X support
• OS deployment and imaging