1. Enterprise Mobility + Security
Managing your mobile devices smartly
Tuesday 20 June 2017
2. Agenda
• 9:30 Introductions
• 10:00 Introduction to EMS and its relevance for Office 365
• 10:15 Identity management with Azure Active Directory (Premium)
• 12:30 Lunch
• 13:00 Managing Windows, Apple iOS and Android devices with Windows Intune
• 15:00 Protecting information with Azure Rights Management
• 15:45 How to further explore the possibilities and applicability of EMS for your organisation?
• 16:30 Questions
3. Introductions
• Name
• Institution
• Role
• Office 365 status
• Experience with Azure (AD)
• Expectations for today
4. EMS training accounts
| Username | Password |
| --- | --- |
| ems_bussemaker@slbdienstendemo.nl | bussemaker |
| ems_bijsterveldt@slbdienstendemo.nl | bijsterveldt |
| ems_plasterk@slbdienstendemo.nl | plasterk |
| ems_rouvoet@slbdienstendemo.nl | rouvoet1 |
| ems_vdhoeven@slbdienstendemo.nl | vdhoeven |
| ems_hermans@slbdienstendemo.nl | hermans1 |
| ems_ritzen@slbdienstendemo.nl | ritzen12 |
| ems_deetman@slbdienstendemo.nl | deetman1 |
| ems_vkemenade@slbdienstendemo.nl | vkemenade |
| ems_pais@slbdienstendemo.nl | pais1234 |
| ems_vveen@slbdienstendemo.nl | vveen123 |
| ems_veringa@slbdienstendemo.nl | veringa1 |
| ems_diepenhorst@slbdienstendemo.nl | diepenhorst |
| ems_bot@slbdienstendemo.nl | bot12345 |
Product licences: Enterprise Mobility Suite
• Azure Rights Management Premium
• Intune A Direct
• Azure Rights Management
• Azure Active Directory Premium
• Azure Multi-Factor Authentication
• SSID is SLB-training
• Password is Tr@1ning
15. Azure AD editions
| Feature | Azure AD (Free) | Azure AD Basic | Azure AD Premium |
| --- | --- | --- | --- |
| Directory as a Service | Up to 500k objects | No object limit | No object limit |
| User and group management using UI or Windows PowerShell cmdlets | Yes | Yes | Yes |
| Access Panel portal for SSO-based user access to SaaS and custom applications | 10 applications per user | 10 applications per user | No limit |
| User-based application access management/provisioning | Yes | Yes | Yes |
| Self-service password change for cloud users | Yes | Yes | Yes |
| Directory synchronization tool – for syncing between on-premises Active Directory and Azure Active Directory | Yes | Yes | Yes |
| Standard security reports | Yes | Yes | Yes |
| High availability SLA uptime (99.9%) | – | Yes | Yes |
| Group-based application access management and provisioning | – | Yes | Yes |
| Company branding – customization of company logo and colors on the Sign In and Access Panel pages | – | Yes | Yes |
| Self-service password reset for cloud users | – | Yes | Yes |
| Configuring a Bring Your Own App (BYOA) | – | – | Yes |
16. Azure AD editions (continued)
| Feature | Azure AD (Free) | Azure AD Basic | Azure AD Premium |
| --- | --- | --- | --- |
| Application Proxy | – | Yes | Yes |
| Self-service group management for cloud users | – | Yes | Yes |
| Self-service password reset with on-premises write-back | – | – | Yes |
| Microsoft Identity Manager (MIM) server licenses – for syncing between on-premises databases and/or directories and Azure Active Directory | – | – | Yes |
| Advanced anomaly security reports (machine learning-based) | – | – | Yes |
| Advanced usage reporting | – | – | Yes |
| Multi-Factor Authentication service for cloud users | – | – | Yes |
| Multi-Factor Authentication server for on-premises users | – | – | Yes |
AAD Editions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
http://blogs.office.com/2015/02/17/sign-page-branding-cloud-user-self-service-password-reset-office-365
20. Synchronization vs. federation
Synchronization: user attributes are synchronized, including the password hash; authentication can be completed against either Azure AD or Windows Server Active Directory.
Federation: user attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
* Write-back of attributes to support cloud-first and co-existence.
23. See Install the Azure AD Sync Service: https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
52. Which Multi-Factor Authentication option covers what?
| What are you trying to secure? | Cloud Multi-Factor Authentication | Multi-Factor Authentication Server |
| --- | --- | --- |
| First-party Microsoft apps | ● | ● |
| SaaS apps in the app gallery | ● | ● |
| IIS applications published through CWAP | ● | ● |
| IIS applications not published through CWAP | – | ● |
| Remote access systems such as VPN, RDG | – | ● |
55. • 52 percent of information workers across 17 countries report using three or more devices for work*
• >80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***
• 90 percent of enterprises will have two or more mobile operating systems to support in 2017**
* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
58. Unify identity – Azure Active Directory Premium: easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
Manage apps and devices – Microsoft Intune: manage and protect corporate apps and data on almost any device with MDM and MAM.
Protect data – Azure Rights Management: encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.
60. Microsoft Intune: mobile application management, mobile device management, PC management
Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
61. Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled
Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps
• Report on device and app compliance
Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
63. Actions upon device enrollment (Microsoft Intune)
• Deploy email, VPN, and WiFi profiles
• Deploy certificates
• Deploy and install apps
• Apply and enforce device configuration settings
• Collect hardware and software inventory data
64. Deploy email profile upon enrollment (Microsoft Intune with the corporate email server)
• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, task, contacts, and calendar
• Support for iOS, Samsung KNOX, and Windows Phone
Any email service supported by Exchange ActiveSync
65. Microsoft Passport replaces passwords with strong two-factor authentication to help protect user identities and user credentials
• Credentials protected by hardware or software
• Credentials can be based on certificate or local keys
• Can be accessed using biometrics (Windows Hello) or PIN
Intune provides comprehensive management of Microsoft Passport
• Intune can deploy certificates to Microsoft Passport to authenticate users and help them to access corporate resources
• Intune manages Passport for Work policy including PIN settings, biometrics settings, Trusted Platform Module (TPM) requirements
67. Azure AD Join for Windows 10
Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. With Azure AD Join, you can auto-enroll devices in Microsoft Intune for management.
• Intune / MDM auto-enrollment
• Enterprise-compliant services
• Support for hybrid environments
• Single sign-on from the desktop to cloud and on-premises applications with no VPN
69. • Consistent experience across Windows, Windows Phone, Android, and iOS
• Discover and install corporate apps
• Manage devices and data
• Ability to contact IT
• Customizable terms and conditions
70. Volume purchasing integration
• Purchase licenses in bulk for paid apps using the Windows Store for Business and Apple Volume Purchasing Program (VPP)
• Assign licenses to users: deploy licenses to users with Intune and install apps as required; license and app installed by store
• Deploy offline app packages to Windows 10 devices that cannot access the Windows Store with the next version of Configuration Manager
72. End users
• Need fast and easy way to enroll CYOD devices
• Should not be able to un-enroll devices that are corporate-owned
• Need access to corporate apps and other MDM capabilities on devices to be productive
IT admins
• Need easy way to prepare corporate-owned devices for enrollment
• Need to distinguish corporate-owned devices from personal-owned devices in the management console
• Need fast and easy way to bulk enroll shared devices
• Need devices to be secure at all times and within IT control
74. Scenarios: business, school, retail store, restaurant
• Deploy policies using Intune to lock down devices so they can only run applications allowed by IT
• Allow multiple users to use the same device and customize device experience based on identity
• Deploy Device Guard policies using Intune to only allow trusted applications to run on Windows 10 devices
80. • Apply and enforce device configuration settings across iOS, Android, and Windows via Intune MDM
• Collect hardware and software inventory data for reporting
• Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM – including Windows Defender (anti-malware), Firewall, and Cortana
81. Windows 8.1 and Windows 10 (phone and desktop): basic management and security settings, device lockdown, comprehensive device management
Significant investments in added functionality for both mobile and desktop devices
82. • Enforce corporate data access requirements
• Prevent data leakage on the device
• Enforce encryption of app data at rest
• App-level selective wipe
83. • Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support
• Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
Diagram: a multi-identity policy keeps corporate data in managed apps separate from personal data in personal apps.
84. Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged (personal) apps
85. Perform selective wipe via self-service company portal or admin console
• Remove managed apps and data
• Keep personal apps and data intact
86. • Configure and manage EDP policies with Intune and Azure Rights Management
• Separate personal and corporate data with limited impact to employee’s day-to-day activities
• Protect data at rest and wherever it may roam*
• Control app access to corporate data and prevent copy and paste-related data leaks
• Secure content collaboration through integration with Azure Rights Management
Diagram: Microsoft Intune and Azure Rights Management apply policies; files saved to the corporate network file share or to personal storage are shared with the policies enforced.
* Some roaming scenarios use Azure Rights Management
87. Microsoft Intune – device protection: BitLocker, Device Guard, device settings, Windows Defender
Microsoft Intune – data separation and leak protection: Enterprise Data Protection
Azure Rights Management – sharing protection: Rights Management
88. Containers
• Mobile application management: SDK/wrapper, managed browser, managed viewers; a custom SDK/wrapper enables line-of-business apps to be managed
• Custom data container: provides mobile productivity apps (custom email app, custom file app, custom collab app) integrated with content and access systems
• Native device MDM: standard MDM provides device configuration and management
• Depends on specific DMZ infrastructure; works on-premises only (SharePoint Server, Exchange Server and Active Directory on the corporate network, behind the firewall and DMZ/perimeter network)
89. • Standard on-premises integration: SharePoint Server, Exchange Server and Active Directory on the corporate network (firewall, DMZ/perimeter network)
• Cloud integration: SharePoint Online, Exchange Online
• Intune App SDK and Intune App Wrapping Tool: extensibility based on Azure AD and Intune enables business apps to interoperate with Office mobile apps
• Office 365: mobile productivity (managed Office productivity and more)
• Azure AD: access control to Office 365 and SaaS apps
• Intune: app restrictions for Office mobile and LOB apps
• Azure Rights Management: information protection at the file layer
• Intune: cross-platform MDM (native device MDM)
90. Enterprise Mobility Suite
• Identify and authorize user
• Apply device policies
• Apply application policies
• Apply content policies
Products: Azure Active Directory Premium, Rights Management
92. Two deployment options
• Intune standalone (cloud only): mobile devices and PCs, managed by IT from the Intune web console
• Configuration Manager integrated with Intune (hybrid): mobile devices and domain-joined PCs, managed by IT from the Configuration Manager console (System Center Configuration Manager)
93. • Always up-to-date, no need to migrate
• Always available and reachable
• Easy to try, adopt, and deploy
• Integrates with existing on-premises infrastructure
• Disaster recovery and geo-diversity
• Assign your data to a region
• Built from the ground up: datacenter, fabric, SaaS
• Built using world-class engineering and security
• Compliant and certified
• Financially backed Service Level Agreements (SLAs)
Intune, Office 365, Azure Active Directory, Azure Rights Management
94. Azure Active Directory Premium
• Security reports, audit reports, multi-factor authentication
• Self-service password reset and group management
• Single sign-on to over 2,400 popular SaaS applications
Azure Rights Management
• Information protection
• Connection to on-premises assets
• Bring your own key
Microsoft Intune
• Mobile device settings management
• Mobile application management with Office mobile apps
• Conditional access and selective wipe
98. Intune web console
• New intuitive dashboard
• Respond to alerts
• Manage software deployments
• Configure and deploy policies
• View reports
• Role-based management
99. Intune standalone (cloud only): mobile devices and PCs managed by IT from the Intune web console
Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date
Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
100. Configuration Manager integrated with Intune (hybrid): mobile devices and domain-joined PCs managed by IT from the Configuration Manager console
System Center 2012 R2 Configuration Manager with Microsoft Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
• Deep policy control requirements
• Greater scalability
• Extensible administration tools (RBA, PowerShell, SQL reporting services)
Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows to Go
• Windows Server
• Linux
• Mac OS X
• Windows RT
• Windows Phone 8.x
• iOS
• Android
102. PC management capabilities
| Intune standalone (cloud only) | Configuration Manager integrated with Intune (hybrid) |
| --- | --- |
| Lightweight, agentless OR agent-based management | Lightweight, agentless OR comprehensive agent-based management |
| PC protection from malware | PC protection from malware |
| PC software update management | PC software update management |
| Software distribution | Software distribution |
| Proactive monitoring and alerts | Proactive monitoring and alerts |
| Hardware and software inventory | Hardware and software inventory |
| Policies for Windows Firewall management | Policies for Windows Firewall management |
| – | Operating system deployment |
| – | PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management |
| – | Power management |
| – | Custom reporting |
103. • Comprehensive security policies are enforced on each platform
• Reporting available on each setting whether it is applicable, conformant or has an error
• Extensive configuration settings are available for each platform
• Policies can be applied to user and device groups
105. WiFi settings: provision networks
Manage and distribute certificates: set up certificate-based authentication
106. Reporting
• Hardware properties for mobile devices are collected
• Company app inventory is collected
• Personal app inventory is not collected
107. Conditional access with Exchange Online (Office 365)
Flow: the mobile device attempts an email connection; Azure AD authenticates the user and provides the device compliance status; if the device is not compliant, it is pushed into quarantine and receives a quarantine email with remediation steps and a link to enroll the device; after enrollment / compliance remediation, Intune sets the device management/compliance status; if compliant, email access is granted.
Who does what?
• Intune: Evaluate policy compliance for device
• Azure AD: Authenticate user and provide device compliance status
• Exchange Online: Enforces access to email based on device state
108. Conditional access with an on-premises Exchange server
Flow: the mobile device attempts an email connection; Intune evaluates the device state and unmanaged devices are blocked; if not managed, the device is pushed into quarantine and receives a quarantine email with remediation steps and a link to enroll the device; after device enrollment the managed device is allowed; if managed, email access is granted.
Who does what?
• Intune: Evaluate and manage device state
• Exchange Server: Provides API and infrastructure for quarantine
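The two flows on slides 107 and 108 share one decision: evaluate the device, quarantine it with a remediation path when it is unmanaged or non-compliant, and grant email only once it is compliant. The following is an added simulation of that decision, not code from the slides or from Microsoft. The compliance policy, the user directory, the device records and the enrollment link are constructed sample values; a real deployment gets these from Intune, Azure AD and the Exchange quarantine infrastructure.

```python
"""Added example: simulation of the Intune / Azure AD / Exchange
conditional-access flow for email. All users, devices, policy values
and URLs are constructed sample data, not real tenant data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed compliance policy, using the setting kinds slide 110 lists
# (PIN required, PIN length, root/jailbreak detection).
POLICY = {"pin_required": True, "min_pin_length": 6, "block_jailbroken": True}

# Constructed directory: user -> True if the account is enabled.
DIRECTORY = {"user1@tenant.example": True, "disabled@tenant.example": False}

# Hypothetical enrollment link sent in the quarantine email.
ENROLL_LINK = "https://portal.example.invalid/enroll"


@dataclass
class Device:
    device_id: str
    enrolled: bool = False
    pin_length: int = 0
    jailbroken: bool = False


@dataclass
class Decision:
    outcome: str                        # "granted", "quarantined" or "denied"
    reasons: List[str] = field(default_factory=list)
    remediation_link: Optional[str] = None


def intune_evaluate(device: Device, policy: Dict = POLICY) -> List[str]:
    """Intune: evaluate policy compliance; returns the list of violations."""
    if not device.enrolled:
        return ["device is not enrolled"]
    violations = []
    if policy["pin_required"] and device.pin_length == 0:
        violations.append("PIN is not set")
    elif policy["pin_required"] and device.pin_length < policy["min_pin_length"]:
        violations.append(f"PIN is shorter than {policy['min_pin_length']} digits")
    if policy["block_jailbroken"] and device.jailbroken:
        violations.append("device is rooted or jailbroken")
    return violations


def azure_ad_authenticate(user: str, device: Device) -> Optional[List[str]]:
    """Azure AD: authenticate the user and attach the device compliance
    status that Intune set. None means authentication failed; otherwise
    the (possibly empty) list of violations is returned."""
    if not DIRECTORY.get(user, False):
        return None
    return intune_evaluate(device)


def exchange_enforce(user: str, device: Device) -> Decision:
    """Exchange (Online or on-premises): enforce access based on device state."""
    violations = azure_ad_authenticate(user, device)
    if violations is None:
        return Decision("denied", ["authentication failed"])
    if violations:
        # Unmanaged or non-compliant device: quarantine it and send the
        # remediation email with the link to enroll and fix the violations.
        return Decision("quarantined", violations, ENROLL_LINK)
    return Decision("granted")


def remediate(device: Device, pin_length: int) -> Device:
    """User follows the remediation steps: enroll the device and set a PIN."""
    device.enrolled = True
    device.pin_length = pin_length
    return device


if __name__ == "__main__":
    phone = Device("phone-01")
    first = exchange_enforce("user1@tenant.example", phone)
    print(first.outcome, first.reasons, first.remediation_link)
    remediate(phone, pin_length=6)
    print(exchange_enforce("user1@tenant.example", phone).outcome)
```

The first attempt lands in quarantine with the enrollment link; after remediation the same device is granted access, which is the loop the two slides draw. The slide 108 variant differs only in who holds the quarantine: the on-premises Exchange server provides it instead of Exchange Online.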
109. App types per platform
Platform | Desktop apps (.msi, .exe) * | Modern app types: managed store app | Side loading (.app .app .ipa .apk) | Deep links | Web apps
Windows 8.1/10 ● ● ● ●
Windows RT ● ● ●
iOS ● ● ● ●
Android ● ● ● ●
Windows Phone ● ● ●
Windows 7 and below ● ●
110. Feature comparison
| Category | Feature | Exchange ActiveSync | MDM for Office 365 | Microsoft Intune (cloud only) | Intune + ConfigMgr (hybrid) |
| --- | --- | --- | --- | --- | --- |
| Device configuration | Inventory mobile devices that access corporate applications | ● | ● | ● | ● |
| | Remote factory reset (full device wipe) | ● | ● | ● | ● |
| | Mobile device configuration settings (PIN length, PIN required, lock time, etc.) | ● | ● | ● | ● |
| | Self-service password reset (Office 365 cloud only users) | ● | ● | ● | ● |
| Office 365 | Provides reporting on devices that do not meet IT policy | – | ● | ● | ● |
| | Group-based policies and reporting (ability to use groups for targeted device configuration) | – | ● | ● | ● |
| | Root and jailbreak detection | – | ● | ● | ● |
| | Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe) | – | ● | ● | ● |
| | Prevent access to corporate email and documents based upon device enrollment and compliance policies | – | ● | ● | ● |
| Premium mobile device & app management | Self-service Company Portal for users to enroll their own devices and install corporate apps | – | – | ● | ● |
| | App deployment (Windows Phone, iOS, Android) | – | – | ● | ● |
| | Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles | – | – | ● | ● |
| | Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management) | – | – | ● | ● |
| | Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune | – | – | ● | ● |
| | Remote device lock via self-service Company Portal and via admin console | – | – | ● | ● |
| PC management | Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.) | – | – | ● | ● |
| | PC software management | – | – | ● | ● |
| | Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.) | – | – | – | ● |
| | Windows Server/Linux/UNIX/Mac OS X support | – | – | – | ● |
| | OS deployment and imaging | – | – | – | ● |
130. • 87% of senior managers admit to regularly uploading work files to a personal email or cloud account.*
• 58% have accidentally sent sensitive information to the wrong person.*
• >80% focus on data leak prevention for personal devices, but ignore the issue on corporate-owned devices where the risks are the same
133. The traditional perimeter is rapidly eroding: IT needs continuous data protection that works across ‘classic boundaries’
• Consumerization of IT: users need access, from any device
• Externalization of IT: applications are on-premises and in the cloud
• More data, stored in more places: dispersed enterprise data needs protection
• Social Enterprise: data is shared between people and applications
138. 1. Document author attempts to protect a document
2. Author obtains the certificates necessary to participate in the information protection platform
3. Author protects the document
4. Author distributes the document to another user
5. User contacts the information protection platform, is authenticated, and receives a use license
139. Example policy on the protected document: “Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class.”
Artefacts shown: user certificates, publishing license and keys, use license
140. Protected content on a file share, email server or document library inside the business network is served with the AD RMS server: authorized users receive use licenses (and can’t forward the content); unauthorized users receive no license.
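To make the five steps of slide 138 and the license artefacts of slides 139 and 140 concrete, here is an added simulation of the Rights Management flow; it is not code from the slides or from Microsoft, and it does not reproduce how AD RMS actually encrypts. The ProtectionPlatform class stands in for the AD RMS server: it issues user certificates, holds the content keys, signs publishing licenses that carry the per-user rights, and hands out use licenses only to users named in that policy. The XOR keystream cipher is a toy stand-in for the real content encryption, HMAC stands in for the server's signing certificate, and the users, rights and document text are constructed sample data.

```python
"""Added example: toy Rights Management flow (author certificate ->
publishing license -> distribution -> use license). Not AD RMS code;
the cipher and signing scheme are simplified stand-ins."""

import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream XOR); illustrative only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ProtectionPlatform:
    """Stand-in for the AD RMS server. Content keys stay on the platform
    and are released only inside a use license for an authorized user."""

    def __init__(self) -> None:
        self._signing_key = secrets.token_bytes(32)      # stands in for the server cert
        self._content_keys: Dict[str, bytes] = {}        # license id -> content key

    def _sign(self, payload: dict) -> dict:
        body = json.dumps(payload, sort_keys=True).encode()
        return {"payload": payload,
                "signature": hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()}

    def _verify(self, signed: dict) -> bool:
        body = json.dumps(signed["payload"], sort_keys=True).encode()
        expected = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signed["signature"])

    # Step 2: a user obtains the certificate needed to participate.
    def issue_user_certificate(self, user: str) -> dict:
        return self._sign({"type": "user-certificate", "subject": user})

    # Step 3: the author protects a document. The platform records the content
    # key and signs a publishing license carrying the rights per user.
    def create_publishing_license(self, author_cert: dict,
                                  rights: Dict[str, List[str]]) -> Tuple[dict, bytes]:
        if not self._verify(author_cert):
            raise PermissionError("author certificate is not valid")
        license_id = secrets.token_hex(8)
        content_key = secrets.token_bytes(32)
        self._content_keys[license_id] = content_key
        publishing_license = self._sign({"type": "publishing-license", "license_id": license_id,
                                         "author": author_cert["payload"]["subject"],
                                         "rights": rights})
        return publishing_license, content_key

    # Step 5: a recipient authenticates and requests a use license.
    def request_use_license(self, user_cert: dict, publishing_license: dict) -> Optional[dict]:
        if not (self._verify(user_cert) and self._verify(publishing_license)):
            raise PermissionError("certificate or publishing license is not valid")
        user = user_cert["payload"]["subject"]
        granted = publishing_license["payload"]["rights"].get(user)
        if granted is None:
            return None                                   # unauthorized user: no license
        return {"rights": list(granted),
                "content_key": self._content_keys[publishing_license["payload"]["license_id"]]}


def protect(document: bytes, publishing_license: dict, content_key: bytes) -> dict:
    """Steps 3 and 4: the protected blob travels with its publishing license."""
    return {"publishing_license": publishing_license,
            "ciphertext": keystream_xor(content_key, document)}


def open_document(blob: dict, use_license: Optional[dict]) -> Optional[bytes]:
    """Only a holder of a use license with the view right can read the content."""
    if use_license is None or "view" not in use_license["rights"]:
        return None
    return keystream_xor(use_license["content_key"], blob["ciphertext"])


def forged_license_rejected(platform: ProtectionPlatform, publishing_license: dict,
                            user_cert: dict) -> bool:
    """Editing the rights in a publishing license invalidates its signature."""
    forged = {"payload": dict(publishing_license["payload"]),
              "signature": publishing_license["signature"]}
    forged["payload"]["rights"] = dict(forged["payload"]["rights"])
    forged["payload"]["rights"][user_cert["payload"]["subject"]] = ["view", "print"]
    try:
        platform.request_use_license(user_cert, forged)
    except PermissionError:
        return True
    return False
```

A reader named in the policy receives a use license listing only the rights the author granted (here "view", so no copy, print or export as on slide 139); a user not named in the policy receives no license at all and cannot decrypt, matching the "no license" branch on slide 140; and a recipient who edits the publishing license to grant themselves more rights is refused because the signature no longer verifies.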
157. 5. How to further explore the possibilities and applicability of EMS for your organisation?
158. A tenant for everyone!
• Tenant? What is a tenant?
• New? Existing?
• Log in using an “In-Private” browser session.
• Now send an email to berry.schreuder@breinwave.nl with the subject “EMSTRIAL” and you will receive an invitation for:
• 100 licenses Enterprise Security + Mobility E3
• Delegated administration for Breinwave (you may also decline this)
• You can activate this in your existing tenant, but think carefully about whether you want that
• The TRIAL lasts 30 days