Microsoft Tech Talks...• Microsoft Tech Talks is a Technical Community event, designed to bring IT...

Transcript of Microsoft Tech Talks...• Microsoft Tech Talks is a Technical Community event, designed to bring IT...

Page 1: Microsoft Tech Talks...• Microsoft Tech Talks is a Technical Community event, designed to bring IT leaders in the local area together at a Microsoft facility, for deep Microsoft-technology

Device & Content Management with Microsoft Enterprise Mobility + Security (EMS)

Microsoft Presenters:

Microsoft Tech Talks

PLEASE HELP YOURSELF TO FOOD / DRINKS

Page 2

11:30AM - 12:30PM: Food / Networking / Sign-in

12:30PM - 12:45PM: Opening / Welcome

12:45PM - 3:00PM: Featured slot - Speaker

Page 3

1) Connect to the wireless network MSFTGUEST

2) Open a browser and navigate to a web site to be redirected to the Captive Portal

3) Click on Event Attendee Code and enter the Wi-fi event attendee code:

Page 4

• Microsoft Tech Talks is a Technical Community event, designed to bring IT leaders in the local area together at a Microsoft facility, for deep Microsoft-technology based discussions, and

• An opportunity to network and share with local Microsoft Services Professionals and other IT professionals.

• A Microsoft Services presenter delivers a technically-rich presentation covering a product, product feature, or service that Microsoft offers,

• Our presenters are world-class Subject Matter Experts and trusted advisors to our highly-valued customers.

• Our meetings are a great opportunity to 'ask the experts' questions about their given field of expertise.

• Subjects vary from session to session and attempt to be at the leading edge, showcasing our latest features and products available.

Page 5

PLEASE……

• Join Us

• Join Other Groups

• RSVP Closed does not mean Closed!

Look for the Microsoft Events sign-up link!

• We send details of other events out

• Look out for poll Qs

• Tell all your friends / colleagues

• Review us through Group Review!!

Page 6

http://aka.ms/SMDCEMS

VERY Short 10 questions!

Please be aware that your feedback is extremely valued and important to us, as in addition to improving the quality of our events, it helps us to justify the time, effort and money in hosting, funding and organizing these events.

Page 7

Secure Productivity in a mobile-first cloud-first world

Ashok Vellore & Steven Hernandez

Microsoft Corporation - Malvern

Enterprise Mobility + Security (EMS)

Page 8

Microsoft Enterprise Mobility + Security

Protect at the front door - Conditional Access

Protect your data, anywhere – App Protection

Detect and remediate attacks

Agenda

Additional Services and Resources

Device Management

Page 9

Devices, Apps, Identity, Data

On-premises

Page 10

On-premises

Page 11

Identity & Access Management

Mobile Device & Application Management

Data Loss Prevention

User & Entity Behavioral Analytics

Cloud Access Security Broker

Information Rights Management

Protect at the front door

Detect & remediate attacks

Protect your data anywhere

Cloud Access Security Broker

Mobile Device & App Management

Identity & Access Management

User & Entity Behavioral Analytics

Data Loss Prevention

Information Protection

Page 12

Protect at the front door

Detect & remediate attacks

Protect your data anywhere

Page 13

Mobile device & app management

Information protection

Identity and access management

Threat protection

Holistic and innovative solutions for protection across users, devices, apps and data

Protect at the front door

Detect & remediate attacks

Protect your data anywhere

Page 14

Enterprise Mobility + Security

What real IT Pros and Users say on Enterprise Mobile Productivity + Security?

Page 15

Device management challenges

Page 16

Client Management options

[Diagram labels, as extracted from the slide]

Options: SCCM & Intune Co-Management; Intune Standalone; Office 365 MDM; SCCM (On-Prem)

Client agents: OMA-DM (Built into OS); SCCM Client (External Agent)

Platforms: iOS / Android / Windows Phone; iOS / Android / Windows Phone / Windows 10 / MAC; iOS / Android / Windows 10 Phone / MAC; iOS / Android / Windows Phone / MAC; Windows 7/8.1/10 / Server / MAC; Windows 7/8.1/10 / Windows Server / MAC; Windows 7/8.1/10 / Server / MAC / Unix / Linux; Windows 10

Connectivity: Internet; Intranet; Internet\intranet; Internet requires PKI

No More hybrid deployment

Page 17

Microsoft Confidential

General Microsoft Intune Setup: Steps

1. Create Microsoft Intune account

• Office 365 users should use the same account used for that domain registration

2. Set up an internal User Principal Name (UPN) to match the external name

3. Synchronize the on-premises account information to Microsoft Azure

4. Assign EMS licenses to the users

5. Enable the Mobile Device Management authority

6. Configure Device platforms for enrollment

7. Enroll devices

Page 20

Conditional Access Agenda

Page 21

Protect at the front door

Detect & remediate attacks

Protect your data anywhere

Enterprise Mobility + Security

Page 23

Azure AD Conditional Access

Capability of Azure Active Directory

Configurable worldwide service offering

Works with browser and Modern Auth

New features are added continuously

https://azure.microsoft.com/en-us/roadmap/?tag=azure-active-directory

Page 24

How Conditional Access Works

Client Requests Access

Azure AD Registered Application

Azure STS

Azure AD Authenticates

Conditional Access engine Authorizes

Azure AD Registered Application Authorizes

Page 25

Common Use Cases

Force Multi-Factor Authentication based on location

Restrict access to critical Cloud App based on device status

Restrict access to Cloud App based on client app

Restricts actions within critical applications based on location and device status

Page 26

Licensing Requirements

Azure AD Premium*

Enterprise Mobility + Security 3*

*Some of the conditions may require Azure AD Premium II or Enterprise Mobility + Security 5 licenses.

Page 28

Ability to Share and Consume Information

LIFE BEFORE CLOUD AND MOBILITY

On-premises

Firewall

Corp email, business apps

• Access via managed devices and networks

• Layers of defense protecting internal apps

• Known security perimeter

LIFE AFTER CLOUD AND MOBILITY

• Open access for users – any device, any network

• Unrestricted sharing methods – users decide how to share

• Cloud app ecosystem

• Limited visibility and control

Office 365

Page 29

Conditional Access Goals

Security

Availability

Ease of Use

Page 30

Access Controls Available Now

Virtual Private Network

Federation Trust Conditional Authorization

Page 31

Virtual Private Network

ADVANTAGES

Device Based

Location Based

Multi-Factor Auth Available

DISADVANTAGES

Expensive Infrastructure

Cloud App Unaware

Limited Client App management

Suboptimal user experience

Not suitable for BYOD

Requires integration with MFA

Page 32

Federation Trust Conditional Authorization

ADVANTAGES

Location Based

Multi-Factor Auth Available

BYOD Friendly

Optimal User Experience

DISADVANTAGES

Expensive Infrastructure

Limited Device Based Conditions

Limited to initial authentication

Limited risk based condition

Limited Client App management

Page 33

Azure AD CA Control Anywhere Access

On-premises applications

APPLICATION

Per app policy

Type of client

Business sensitivity

OTHER

Network location

Risk profile

DEVICES

Are domain joined

Are compliant

Platform type (Windows, iOS, Android)

USER ATTRIBUTES

User identity

Group memberships

Auth strength (MFA)

• Allow

• Enforce MFA

• Block

Brute force attacks

Leaked credentials

Infected devices

Suspicious sign-in activities

Configuration vulnerabilities

Page 34

Conditions available for verification

Users and Groups

Device State

Device Platform

Cloud Application

Location

SignIn Risk*

Client App

Page 35

Supported Clients

Supported Browsers

• Internet Explorer

• Edge

• Chrome

Supported Device Platforms

• Android

• iOS

• Windows Phone

• Windows

• macOS

Supported App Clients

• Office 2016 apps

• Office 2013 apps with Modern Auth enabled

• Office Mobile Apps

• Many more

Page 38

Good Practices

Remember that policy assignments are additive.

Exclude Global Administrators from a policy, unless the policy is dedicated to this group

Assign a small group of users to a newly created policy until testing is complete

Use the “What If” tool to verify a new policy’s applicability

Have a “break glass” account with Conditional Administrator rights and always exclude it from policies

Page 39

Settings to avoid

Assign block policies to All Users with no exceptions

Assign block policies to All Locations with no exceptions

Assign block policy to all Cloud Apps

Require Compliant Device for all access
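
The "Settings to avoid" list and the break-glass good practice, turned into an automated check. This is an added example, not part of the original deck: it assumes policies are exported as JSON in the Microsoft Graph conditionalAccessPolicy shape, and the break-glass object ID, finding names and sample policies are constructed for illustration.

```python
"""Lint Conditional Access policies against the deck's "Settings to avoid"."""

# Assumptions: policies are dicts shaped like Microsoft Graph
# conditionalAccessPolicy JSON; BREAK_GLASS_ID is a placeholder object ID and
# the break-glass account is excluded directly (not through a group).
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"


def _get(policy, *path):
    """Walk nested keys; a missing or null section yields an empty list."""
    node = policy
    for key in path:
        node = (node or {}).get(key)
    return node or []


def lint_policy(policy, break_glass_id=BREAK_GLASS_ID):
    """Return the names of the risky settings found in one policy."""
    users = ("conditions", "users")
    controls = _get(policy, "grantControls", "builtInControls")
    operator = (policy.get("grantControls") or {}).get("operator", "OR")
    all_users = "All" in _get(policy, *users, "includeUsers")
    excluded_users = _get(policy, *users, "excludeUsers")
    user_exceptions = (excluded_users + _get(policy, *users, "excludeGroups")
                       + _get(policy, *users, "excludeRoles"))
    all_apps = "All" in _get(policy, "conditions", "applications", "includeApplications")
    all_locations = "All" in _get(policy, "conditions", "locations", "includeLocations")
    location_exceptions = _get(policy, "conditions", "locations", "excludeLocations")
    blocks = "block" in controls
    # compliantDevice is mandatory when it is the only control or all are ANDed.
    device_required = "compliantDevice" in controls and (
        operator == "AND" or len(controls) == 1)

    findings = []
    if blocks and all_users and not user_exceptions:
        findings.append("block-all-users-no-exceptions")
    if blocks and all_locations and not location_exceptions:
        findings.append("block-all-locations-no-exceptions")
    if blocks and all_apps:
        findings.append("block-all-cloud-apps")
    if device_required and all_users and all_apps:
        findings.append("compliant-device-for-all-access")
    if break_glass_id not in excluded_users:
        findings.append("break-glass-not-excluded")
    return findings


# Constructed sample policies (not exported from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Block everything",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Compliant device everywhere",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Pilot: MFA outside trusted locations",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["pilot-group-id"],
                              "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["Office365"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def lint_all(policies):
    """Map each policy's displayName to its list of findings."""
    return {p["displayName"]: lint_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Running such a check over an export before enabling a policy complements the “What If” tool, which evaluates one sign-in scenario at a time.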

Page 41

Protect at the front door

Detect & remediate attacks

Protect your data anywhere

Enterprise Mobility + Security

Page 42

App Protection Using Intune

• Managed mobile apps working with App Protection Policies (APP) restrict the following app operations:

o Copy and paste

o Screenshot functionality

o Configure an app to open all web links inside a managed browser

o A managed browser policy configures the list of websites that is allowed or blocked for users

o Ensures that when users click on the links to its content, it will open only in the other managed apps

o Some managed apps like the Microsoft Outlook app for iOS and Android support multi-identity

• Currently supported only on:

o Android 6.0 or later

o iOS 11.0 or later

Page 43

How to Obtain Managed Apps

• There are two methods to obtain managed apps:

o Use a policy managed app: Has the built-in App SDK. Typically Microsoft publishes apps under the Managed apps category

o Use a wrapped app: Applications that are repackaged to include the App SDK by using the Microsoft Intune App Wrapping Tool

Page 44

APP - Application Protection Policies (formerly MAM)

App Protection Policies

▪ Built into Microsoft Office & Productivity apps – SDK

▪ Support for App Store and LOB applications – SDK & App Wrapping Tool

What’s the purpose?

▪ Protect and separate corporate apps, data and identities from personal ones

Managed apps

Personal apps

MDM – optional (Intune or 3rd-party)

Corporate data

Personal data

Multi-identity policy

Restrict features, sharing and downloads

Page 45

Managing Mobile Apps: How it Works

Maximize mobile productivity and help protect corporate resources with Microsoft Office mobile apps – including multi-identity support

Extend these capabilities to your existing line-of-business apps using the Microsoft Intune App Wrapping Tool

Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

Managed apps

Personal apps

IT

User

Corporate data

Personal data

Multi-identity policy

Page 46

Paths to Managed Applications

• Built-in managed apps available: https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps

• Microsoft Intune App SDK

• Developers can easily interoperate applications for manageability

• Provide more control over user experience than wrapping

• App Wrapping Tool

• Apply all MAM policies to applications

Page 47

App Protection Policies (APP)

Enforce access requirements

• App PIN

• Corporate credentials

• Jailbreak/root detection

Prevent data leakage

• Restrict copy/cut and paste

• Block screen capture (Android only)

• Restrict sharing of data between apps

• Prevent cloud backup

• Disable printing

Remotely wipe data

• Remove company data from an app remotely

Encrypt app data

• iOS: OS encryption scheme

• Android: OpenSSL scheme, 128-bit AES key gen

Page 48

Enabling App Protection Policies in apps

Intune App SDK

• Full APP feature functionality

• For store & LOB apps

Cordova Plugin

• APP functionality for Android and iOS apps built with Cordova

Xamarin Component

• APP functionality for Android and iOS apps built with Xamarin

App Wrapping Tool

• Simple cmd-line tool

• No code changes

• For LOB apps

Page 49

App Wrapping Tool vs. SDK

• App Wrapping Tool: Your app is simple. SDK: Your app is complex in functionality or large in size.

• App Wrapping Tool: Your app will only be deployed internally. SDK: Your app will be released to a public app store or deployed internally.

• App Wrapping Tool: Your app only supports one (corporate) identity. SDK: Your app supports multiple identities.

• App Wrapping Tool: Your app is not frequently updated. SDK: You frequently update your app.

• App Wrapping Tool: You don’t have access to source code. SDK: You do have source code access and are familiar with it!

Page 50

App Wrapping Tool

Prerequisites (iOS)

• macOS X 10.8.5+ with Xcode toolset 5+

• Signing certificate

• Provisioning profile

• iOS app – written for iOS 8.0+

Prerequisites (Android)

• Windows machine

• Java Key tool

• App can’t be encrypted

• Android app – written for Android 4.0+

Environment: Terminal (iOS), PowerShell (Android)

Hybrid mobile platforms: Cordova, Xamarin (iOS); Cordova, Xamarin in preview (Android)

Page 51

SDK exclusive features

• Multi-identity

• Save-as controls for storage locations

• Style customization + branding

• Selective wipe

• Status, result, and debug notifications

• APIs for interacting with MAM service

• MAM targeted configuration

Page 54

Technology | Benefit | E3 | E5

Azure Active Directory Premium P1 | Secure single sign-on to cloud and on-premises app; MFA, conditional access, and advanced security reporting | ● | ●

Azure Active Directory Premium P2 | Identity and access management with advanced protection for users and privileged identities | | ●

Microsoft Intune | Mobile device and app management to protect corporate apps and data on any device; App Protection Policies without MDM Enrollment | ● | ●

Azure Information Protection P1 | Encryption for all files and storage locations; Cloud-based file tracking | ● | ●

Azure Information Protection P2 | Intelligent classification and encryption for files shared inside and outside your organization | | ●

Microsoft Cloud App Security | Enterprise-grade visibility, control, and protection for your cloud applications | | ●

Microsoft Advanced Threat Analytics | Protection from advanced targeted attacks leveraging user and entity behavioral analytics | ● | ●

Categories: Identity and access management; Managed mobile productivity; Data/Information protection; Threat protection

Page 57

While implementing an Enterprise Mobility solution, you should look for an all-inclusive approach to protection across users, devices, apps and data

Microsoft EMS is there to help
