scep is a very simple certificate enrollment protocol developed 10 years ago for routers and...


Upload: frank-warner

Post on 19-Dec-2015


Page 1: SCEP is a very simple certificate enrollment protocol developed 10 years ago for routers and switches to enroll for

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2

Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment

Roel Schellens, Architect, World Wide Modern Devices Center of Excellence, Microsoft

BRK3300

Page 3

A Typical Experience
After the salesperson is gone.

Your manager says: “Let’s buy these devices and connect them to our infrastructure.” That is where you come into the picture!

You ask:

“Which Infrastructure?”

Page 4

Objective

Understand what is required to prepare your supporting infrastructure for a successful deployment of Windows 10 mobile devices.

1. Prepare and Setup: BRK33000: Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment. Tuesday, May 5 - 1:30 PM - 2:45 PM
2. Operate: BRK33008: Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet. Wednesday, May 6, 5:00 PM - 6:15 PM

Page 5

Assumptions

1. Basic understanding of Windows 10
2. Windows 10 still under development
3. Supporting infrastructure based on Microsoft solutions
4. Today's recommended practices, not the ones of tomorrow
5. Familiar with Enterprise Mobility concepts

Page 6

TAP and Early Deployment Programs
Lessons Learned (and still learning)

Early Deployment Program (EDP) Windows Phone 8.1
• It is all about the supporting infrastructure
• PKI, S/MIME, VPN

Windows 10 Technical Adoption Program
• Windows Desktop becomes mobile
• Mobile Infrastructure Preparation

First Wave (Windows 10)
• Goal: Bigger, Better, Faster
• 1000+ Win10 devices RTM +30 days and 5000+ before end of 2015

Page 7

10 Steps for a Successful Mobile Deployment

1. Secure a Sponsor
2. Agree on Requirements
3. Setup a Test Environment
4. Make sure your Public Key Infrastructure supports Mobile!
5. Ensure the Identity solution supports mobile
6. Learn and prep for Mobile Device Management (MDM)
7. Choose a Mobile Device Provisioning and Enrollment approach
8. Protect Your Data
9. Allow to Work from Anywhere from any Device
10. Make your Applications mobile and manageable

Page 8

For the best Windows Mobile Story!

Page 9

1 – Secure a Sponsor

Page 10

1 – Secure a Sponsor

1. Why is a good sponsor important?
• Resources
• Escalations
• New standards and policies

2. How to find the best sponsor?
• Who will profit most
• Show business value
• Come well prepared

Page 11

2 – Agree on Requirements

Page 12

Define your starting point and end-goal
Business Requirements

• Ask the Business for their functional mobility needs
• Common Understanding
• Define the End-Goal (Not Technical!)
• Pre-defined Questionnaire and Requirements list
• Quantify requirements based on business impact (Examples: Improved Acceptance by…, Improved Productivity through…, etc.)
• Structure Requirements: Personas; Scenarios and Processes; Business Impact and Success; Applications and Data required to become mobile

Page 13

Define your starting point and end-goal
Technical Requirements

• Ask IT for their (non-functional) mobility needs
• Common Understanding
• Agree on the End-Goal: The Business Needs is the End-Goal
• Pre-defined Questionnaire and Requirements list
• Quantify requirements based on business impact
• Accept that (security) policies and standards most likely need to be revised
• Structure Your Requirements: Identity, MDM, MAM, Security, etc.

Page 14

3 – Setup a Test Environment

Page 15

3 – Setup a Test Environment

1. Proof – Validate Requirements
2. Identify issues and gaps early
3. Education
4. Build Your Own Enterprise Mobility Lab

Page 16

3 – Setup a Test Environment
Build Your Own Enterprise Mobility Lab

Blog: The Mobility Guys
• From the same people as the Deployment Guys
• Mobility Experts blogging about Microsoft Mobility solutions

Blog Series: Build Your Own Enterprise Mobility Lab
Part 1: Register, Obtain and Setup all Prerequisites for the Build Your Own Enterprise Mobility Lab
Part 2: Setup and Configure the On-Prem Identity infrastructure (in Microsoft Azure)
Part 3: Setup Web Application Proxy (for publishing services)
Part 4: Setup and Configure Identity Synchronization
Part 5: Setup AAD Premium and Office 365
Part 6: Setup and Configure Mobile Device Management with Intune
Part 7: Configure Certificate Management for Mobile Devices (NDES)

Page 17

4 – Make sure your Public Key Infrastructure supports Mobile!

Page 18

Why Public Key Infrastructure (PKI) is Important?

1. Security for Mobile solutions = PKI
2. Challenge number 1
3. Microsoft PKI or 3rd Party PKI
4. Required for:
• Identity (Passport)
• Enterprise Data Protection
• Remote Access (VPN and Reverse Proxy)
• Application Protection
• S/MIME Signing and Encryption
5. Simple Certificate Enrollment Protocol (SCEP)
6. Direct Certificate Enrollment (new in Windows 10)

Page 19

What is SCEP?
Introduction to Simple Certificate Enrollment Protocol

• SCEP is a very simple certificate enrollment protocol developed 10 years ago for routers and switches to enroll for X.509 version 3 certificates from a Certification Authority (CA).
• Generally used by Mobile Device Management (MDM).
• A standard implementation of SCEP is not considered secure¹
• Private Key is generated on the device and marked as Non-Exportable

¹ CERT warns that SCEP does not strongly authenticate certificate requests. Gartner, Mobile Device Certificate Enrollment: Are You Vulnerable?

Page 20

Certificate Deployment
Understanding the flow – Intune Only

[Diagram labels: DMZ, ADFS, CA, DC, DirSync, MDM (Intune) (and Azure AD), NDES + Intune NDES Connector, Web Application Proxy; arrows numbered 1, 2, 3, 4, 5, 6a, 6b, 7]

1. Deploy root CA cert
2. Deploy SCEP certificate profile. Intune generates a challenge string.
3. Device gets SCEP profile that contains URI for NDES. Device contacts NDES and presents challenge.
4. NDES forwards to NDES Connector policy module, which validates the request
5. If valid, NDES passes on request to issue Cert “on behalf”
6. Cert is delivered to the device
7. NDES Connector reports event back to Intune
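Step 4 is where the weakness CERT describes is closed: the challenge has to be tied to the specific request it authorises, not just be a valid password. The sketch below is an added example, not code from the presentation or from Intune/NDES; the challenge format, the shared key, and the function and field names are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared by the MDM service and the policy module (constructed value).
MDM_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_challenge(user, device_id, subject_cn, eku, ttl_s, now=None, key=MDM_KEY):
    """MDM side: bind the challenge to the certificate it is meant to authorise."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "device": device_id, "cn": subject_cn,
              "eku": eku, "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def validate_request(challenge, csr_subject_cn, csr_eku, used, now=None, key=MDM_KEY):
    """Policy-module side: compare the presented challenge with the CSR contents.

    Returns (ok, reason). `used` is a set of challenges already redeemed.
    """
    now = int(time.time()) if now is None else now
    try:
        body, tag = challenge.encode().rsplit(b".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-mac"
    claims = json.loads(base64.urlsafe_b64decode(body))  # only after the MAC check
    if now > claims["exp"]:
        return False, "expired"
    if challenge in used:
        return False, "replayed"
    # The check plain SCEP lacks: the requested identity must be the one
    # the challenge was issued for, not whatever the requester typed.
    if csr_subject_cn != claims["cn"]:
        return False, "subject-mismatch"
    if csr_eku != claims["eku"]:
        return False, "eku-mismatch"
    used.add(challenge)
    return True, "ok"


if __name__ == "__main__":
    used = set()
    c = issue_challenge("alice", "dev-1", "alice@contoso.example", "clientAuth", 3600)
    print(validate_request(c, "administrator@contoso.example", "clientAuth", used))
    print(validate_request(c, "alice@contoso.example", "clientAuth", used))
    print(validate_request(c, "alice@contoso.example", "clientAuth", used))
```

A valid challenge presented with a different subject is refused, and the same challenge cannot be redeemed twice.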

Page 21

Challenges and Solutions for Certificates
How these are addressed with Windows 10

• Non-Microsoft PKI
• Windows 10 SCEP Agent
• NDES Server (Hardening Guide¹)
• NDES role placement (DMZ vs Internal)
• NDES Windows Server 2012 R2 required
• S/MIME Encryption (private key non-exportable)
• New in Windows 10: Allow Direct Install of Certificates
• “Passport for Work”
• Certificate Management/Troubleshooting
• Certificate Management App

¹ NDES Hardening Whitepaper for Intune Stand Alone and Hybrid: Link

Page 22

5 – Prepare and Setup Identity

Page 23

Identity Challenges Today

Identity needs to be Accessible outside of Organization IT boundaries
• Mobile users roam and need access from everywhere

Windows Mobile Devices have to be activated with an MSA
• Impossible to manage

Users and IT don’t like a complex Device Unlock

Passwords not secure enough
• Not enough to protect against modern security threats
• Users are required to provide their identity to more places than ever

Page 24

Choosing the right Identity Solution

Cloud Identity

Independent cloud identity

Synchronized Identity 

Single identity, enabling a same sign-on experience with password hash sync

Federated Identity

Single federated identity, enabling single sign-on in some scenarios and additional flexibility

Page 25

Azure Multifactor Authentication

Any two or more of the following factors:
• Something you know: a password or PIN.
• Something you have: a phone, credit card or hardware token.
• Something you are: a fingerprint, retinal scan or other biometric.

Stronger when using two different channels (out-of-band).

[Diagram labels: Certificates, Phone, Smartcard, Hardware token]

Page 26

Windows Hello

Biometrics Authentication
• Using fingerprint, face, iris

Integrated Biometrics Framework
• False Acceptance Rate 1/100,000
• False Rejection Rate 2-4%
• No personal identifiable data is stored
• Enable anti-spoofing detection

MDM Managed

Page 27

Microsoft Passport

Replace passwords with a private key
• Unlocked solely through a “user gesture” (PIN, Windows Hello)
• To IT it’s familiar as it’s based on asymmetrical key pair or certificate
• To the user, it’s familiar (Windows Hello or PIN)

Choice of Identity Providers (IDP)
• Identity providers validate and proof user by OTP, PhoneFactor …
• IDPs map Passport public key to a user account

Private key is never shared
• Keys are ideally generated in hardware (TPM)
• Hardware bound keys are attested (Trusted Computing Group Protocols)
• Single “unlock gesture” aka “Windows Hello” provides access to multiple credentials (origin isolated)

So do I

Page 28

Deployment Requirements
Per Directory deployment configuration

NGC | Azure AD only | Hybrid AD | AD on-prem only
Key-based | AAD subscription | AAD subscription; AAD Sync w/ NGC key write-back | AD DS 10 DCs; AD FS 10
Cert-based | AAD subscription; PKI infrastructure; Intune | AAD subscription; PKI infrastructure; SCCM 2015/Intune | AD DS 10 schema; AD FS 10; PKI infrastructure; SCCM 2015

Need more info on Microsoft “Passport”? See session here @ Ignite on “Secure authentication with Windows Hello” by Nelly Porter

Page 29

6 – Learn and Prep for Mobile Device Management (MDM)

Page 30

Mobile Device Management

[Figure: Phone and Desktop management coverage in Windows 8.1 and Windows 10, across three levels: BYOD: simple security settings; Device Lockdown; Fully managed corporate device]

Significant investments in added functionality for both mobile and desktop devices

Page 31

Windows 10 Management Architecture

[Diagram labels. DEVICE/OS: MDM Client, EAS Client, WMI Bridge, Common Device Configurator, Provisioning Engine, WMI providers, MDM Configuration Service Providers (CSP’s). SERVICE/SERVER: EAS, Provisioning, MDM (Intune), ConfigMgr. Legend: Common component, PC component]

Page 32

Windows 10 – OMA-DM Communication

[Diagram labels: MDM (Intune), SyncML, MDM Client, Common Device Configurator, MDM Configuration Service Providers (CSP’s)]

Configuration Service Provider
A CSP is an interface to read, set, modify, or delete configuration settings on the device

SyncML
File with all information to configure CSP

Page 33

Sample Policy in Intune MinDevicePasswordLength CSP

Page 34

Sample SyncML - MinDevicePasswordLength

<SyncML xmlns='SYNCML:SYNCML1.2'>
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID>
    <MsgID>1</MsgID>
    <Target>
      <LocURI>{unique device ID}</LocURI>
    </Target>
    <Source>
      <LocURI>https://www.contoso.com/mgmt-server</LocURI>
    </Source>
  </SyncHdr>
  <SyncBody>
    <!-- update device setting -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength</LocURI>
        </Target>
        <Meta>
          <Type xmlns="syncml:metinf">text/plain</Type>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>6</Data>
      </Item>
    </Replace>
    <Final />
  </SyncBody>
</SyncML>

OMA-URI: Open Mobile Alliance Uniform Resource Identifier

[Slide callouts on the sample: SyncML, SyncHeader, SyncBody, Device, Value]
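Because every policy change reaches the device as a SyncML command against an OMA-URI, a message can be checked before it is sent. The following added example (not from the presentation) parses a message shaped like the sample above and reports commands that would weaken a baseline policy; the baseline value and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2", "m": "syncml:metinf"}
POLICY_ROOT = "./Vendor/MSFT/PolicyManager/My/"
# Assumed organisational baseline (minimum acceptable values), not from the slides.
BASELINE = {"DeviceLock/MinDevicePasswordLength": 6}

# Constructed input: the slide's sample message, condensed.
SAMPLE = """<SyncML xmlns='SYNCML:SYNCML1.2'>
  <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID><MsgID>1</MsgID>
    <Target><LocURI>{unique device ID}</LocURI></Target>
    <Source><LocURI>https://www.contoso.com/mgmt-server</LocURI></Source>
  </SyncHdr>
  <SyncBody>
    <!-- update device setting -->
    <Replace><CmdID>2</CmdID><Item>
      <Target><LocURI>./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength</LocURI></Target>
      <Meta><Type xmlns="syncml:metinf">text/plain</Type>
            <Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>6</Data>
    </Item></Replace>
    <Final />
  </SyncBody>
</SyncML>"""


def extract_settings(xml_text):
    """Return one dict per Item of every Add/Replace/Delete command in SyncBody."""
    # xml.etree is fine for messages you generate; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    body = root.find("s:SyncBody", NS)
    settings = []
    for cmd in (body if body is not None else []):
        verb = cmd.tag.rsplit("}", 1)[-1]          # strip the namespace prefix
        if verb not in ("Add", "Replace", "Delete"):
            continue                               # e.g. <Final/>
        cmd_id = cmd.findtext("s:CmdID", default="", namespaces=NS).strip()
        for item in cmd.findall("s:Item", NS):
            settings.append({
                "verb": verb,
                "cmd_id": cmd_id,
                "uri": item.findtext("s:Target/s:LocURI", default="", namespaces=NS).strip(),
                "format": item.findtext("s:Meta/m:Format", default="", namespaces=NS).strip(),
                "data": item.findtext("s:Data", default="", namespaces=NS).strip(),
            })
    return settings


def audit(settings, baseline=BASELINE):
    """Return (policy, problem) tuples for baseline policies the message weakens."""
    findings = []
    for s in settings:
        if not s["uri"].startswith(POLICY_ROOT):
            continue
        name = s["uri"][len(POLICY_ROOT):]
        if name not in baseline:
            continue
        if s["verb"] == "Delete":
            findings.append((name, "policy removed"))
        elif s["format"] != "int" or not s["data"].isdecimal():
            findings.append((name, "value is not a plain integer"))
        elif int(s["data"]) < baseline[name]:
            findings.append((name, "below baseline: %s < %d" % (s["data"], baseline[name])))
    return findings


if __name__ == "__main__":
    weakened = SAMPLE.replace("<Data>6<", "<Data>4<")
    for label, msg in (("sample", SAMPLE), ("weakened", weakened)):
        print(label, audit(extract_settings(msg)))
```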

Page 35

Mobile Device Management Lifecycle

One consistent set of MDM capabilities across Mobile, Desktop, and IoT

ENROLLMENT
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD Integration

DEVICE CONFIGURATION AND SECURITY
• Extended set of policies
• Context based policies
• Client certificates – Direct install (PFX)
• Enterprise Wi-Fi profiles
• VPN profiles
• Email provisioning
• MDM Push when user not logged in
• Kiosk Mode, Start screen configuration and control

APPLICATION MANAGEMENT
• Curated Windows Store
• Volume Purchase Program and app distribution
• License reclaim/re-use
• Enterprise App management
• LOB app management
• App inventory (MDM/Store)
• App allow/deny list
• Enterprise data protection

REMOTE ASSISTANCE
• Remote Lock, PIN reset, Ring, Find
• Full device wipe

UNENROLLMENT
• Un-enrollment with alerts
• Removal of configuration & EDP protected data

INVENTORY
• Enhanced inventory for compliance decisions

See @ Ignite on “Windows 10 Mobile Device Management (MDM)” by Janani Vasudevan
See @ Ignite on “Windows 10 for Mobile Devices - Get and Stay in Control of Your Mobile Fleet” by Sumit Parikh and Roel Schellens

Page 37

7 – Mobile Device Provisioning and Enrollment approach

Page 38

ORGANIZATION OWNED

PERSONALLY OWNED (BYOD)

• Computer joins AD to establish trust

• User signs on using AD account

• Group Policy + System Center

Active Directory

• Computer registers with AAD via Workplace Join to establish trust for remote resource access

• User signs in with a Microsoft account, associates an AAD account

• MDM

Azure AD

• Computer joins AAD to establish trust

• User signs on using AAD account

• MDM

• Single sign-on to enterprise and cloud-based services

Enrollment Options
Device Ownership & Identity Choices

Page 39

Windows 10 Provisioning and Enrollment
Gives you more options

Auto MDM enroll with Azure AD
• AAD join: Company owned
• Add AAD account: Personally owned

Bulk enrollment and provisioning simplifying IT setup
• Removable media (SD/USB) on Desktop and Mobile
• NFC (Mobile only)
• Click on .PPKG file (from email, local storage, media, URL)
• USB tether (Mobile only)

[Screenshots: the “Sign in to your work or school account” dialog, and the “Allow this PC to be managed?” consent dialog for Contoso Corp. The consent dialog states that Contoso requires this PC to be managed before it can access org resources, and lists what you get on this PC (Email, Calendar, Contacts; OneDrive for Business; Access to company apps) and how this PC is controlled by Contoso (Enforce PIN lock; Partial device wipe; Enforce password policy; Monitor device location).]

Curious to know AAD Join? See session here @ Ignite Managing Windows 10 with Microsoft Intune and System Center Configuration Manager Jason Githens, Mark Florida, E450

Need more info on Bulk provisioning? Session here @ Ignite on “Provisioning Windows 10 Devices with New Tools” by Vladimir Holostov

[Lifecycle diagram labels: ENROLLMENT, INVENTORY, APPLICATION MANAGEMENT, DEVICE CONFIGURATION & SECURITY, REMOTE ASSISTANCE, UNENROLLMENT]

Page 40

What can be Provisioned

• Initial Setup
• Edition Upgrade
• Certificates
• Connectivity Profiles
• Management Enrollment
• Modern Applications
• Win32 Applications
• Scripts
• Enterprise Policies
• Offline content
• Browser Settings
• Start Menu Customization
• Assigned Access

Page 41

8 - Protect Your Data

Page 42

Data Protection Challenges Today

How to prevent access to Company data by non-compliant mobile devices
• Insecure devices put your company data at risk

Keep Company data separate from Personal Data
• Company owned data should be protected and controlled

End users don’t like “Containerized” solutions
• Users prefer to work with applications they are familiar with (e.g. Mail, Web browser, File Explorer)
• Users don’t like to switch between different environments on the same device

How to prevent data loss by lost devices and unenrolled (BYOD) devices
• Ensure Company Data will be wiped or is inaccessible

Page 43

Conditional Access / Health Attestation
Need access? Prove you’re healthy

• MDM evaluates compliance
• HealthAttestation CSP
• Device health attestation
• Windows health attestation service

Here @ Ignite: “Securing Access to Microsoft Exchange and SharePoint Online services with Microsoft Intune” by Dilip Radhakrishnan & Chris Green

[Diagram labels, first flow (steps 1–2): Important resources (Documents, Email); “Access please”; “You’re in”. Second flow (steps 1–5): Important resources (Documents, Email); “Access please”; “Prove to me you are healthy”; “Here is my proof”; MDM & Windows Attestation Service]

Page 44

Enterprise Data Protection
Company data stays separate & secure

“Enterprise data protection”
• User friendly work-personal separation
• Manage what data is “Enterprise”
• Audit intentional data disclosure

[Diagram labels: for business / personal; Business Apps & Data: Managed; Personal Apps & Data: Unmanaged; Data exchange is blocked or audited]

Here @ Ignite: “Protecting your data with containers without boxing yourself in” by Yogesh Mehta

Page 45

9 - Allow to Work from Anywhere from any Device

Page 46

Remote Access

[Network diagram labels: Intranet, DMZ, DC, ConfigMgr 2012 R2, DirSync, ADFS, CA, NDES, MDM (Intune) (Azure AD and O365), SharePoint/EAS, VPN, WAP, ADFS Proxy, DNS (CNAME)]

2 Types of Remote Access

Web Application Proxy
• Challenge today: Kerb.DomJoined
• New in Windows 10: Passport

VPN - New in Windows 10
• “Auto Connect” / Always on VPN
• Per App VPN (New in Windows 10)
• VPN Plugin and vSC Support (Passport)

Need more info? Session here @ Ignite “Secure Enterprise Network Access and VPN” by Aman Arneja

Page 47

10 - Make your Applications mobile and manageable

Page 48

Windows 10 Application Store and Portal Options

Windows Store
• Modern apps
• Sign in with MSA
• Pay with credit card, gift card, PayPal, mobile operators

Business Store
• Modern apps
• Leverages Azure AD
• Private store in the store for Store and LOB apps
• Pay with credit card or PO/invoice
• Modern app license management

Company Portal
• MDM-driven
• Deploy Line-of-business modern apps from catalogue
• Deploy Windows Store apps (even when the Store UI is disabled) as well as uploaded LOB apps through BSP integration

Here @ Ignite: “Windows 10 for mobile devices Enterprise business apps and app management” by Alan Meeus

Here @ Ignite: “BRK3338-Using the Business Store with Windows 10 Devices” by Ford McKinstry and Patel

Page 49

Related Sessions

May 5, 9:00 AM - 10:15 AM BRK2348 - Windows 10 for Mobile Devices: What’s Next
  Augusto Valdez; Nick Hedderman, S502
May 5, 10:45 AM - 12:00 PM BRK2348 - Windows 10 for Mobile Devices: Making the Mobile Shift and Drive Business Performance and Innovation
  Arno Harteveld, S501
May 5, 1:30pm-2:45pm BRK3300 - Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment
  Roel Schellens Tuesday, E351
May 5, 3:15 PM - 4:30 PM BRK2330 - Windows 10 for Mobile Devices: Top 5 “Get Ready” Activities to Prepare for Windows 10
  Frank Pinto, S505
May 5, 5:00 PM-6:15 PM BRK3305 - Windows 10 for Mobile Devices: To Bring Your Own or Not?
  Alain Meeus, S502
May 6, 9:00am-10:15am BRK3309 - Windows 10 for Mobile Devices: Secure by Design
  Alain Meeus, S503
May 6, 10:45am-12:00pm BRK3301 - Windows 10 for Mobile Devices: Provisioning Is Not Imaging –
  Samesh Singh, S502
May 6, 1:30pm - 2:45pm BRK3310 - Managing Windows 10 with Microsoft Intune and System Center Configuration Manager
  Jason Githens, Mark Florida, E450
May 6, 3:15 PM - 4:30 PM BRK2328 - Windows 10 for Mobile Devices: Tips and Tricks Demo Fest
  Augusto Valdez; Nick Hedderman, S505
May 6, 4:35pm - 4:55pm THR0333 - Windows 10 management with Microsoft Intune and System Center Configuration Manager
  Jason Githens, THR0333
May 6, 5:00pm - 6:15pm BRK3308 - Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet
  Sumit Parikh, Roel Schellens, S105D
May 7, 10:45am - 12:00pm BRK3312 - Windows 10 for Mobile Devices: Enterprise Business Apps and App Management –
  Alain Meeus, S105D
May, 7, 1:30 PM - 2:45 PM BRK3313 - Windows 10 Mobile Device Management (MDM) in Depth
  Janani Vasudevan, N426
May, 7, 1:30 PM - 2:45 PM BRK2301 - Windows 10 for Mobile Devices: From the Support Trenches
  David Alessi; Mike Danoski, S502

Page 50

Windows 10 Mobility Links and Blogs

• Windows 10 MDM documentation ONLINE: http://aka.ms/kw2vwj

• Microsoft Intune: http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/

• Blog: The Mobility Guys
  A new blog originating from the Deployment Guys. A group of Mobility Experts blogging about Microsoft Mobility solutions including EMS and Windows 10.
  Blog Series: Build Your Own Enterprise Mobility Lab

• Blog: Microsoft Intune
  Official Microsoft Intune blog of the Microsoft Intune

Page 51

Connect with Microsoft Services about enterprise mobile and cloud strategies for your business

Learn more about what we’re doing at Ignite: aka.ms/digitalforbusiness

Join the conversation on Twitter: @MSservices #MSIgnite #Windows10

Visit our interactive Ignite booths
• Daily raffles for mobile devices and wearables
• Ask us about scheduling a free Windows 10 Deployment Assessment or Enterprise Strategy Briefing

Page 52

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session
Your feedback is important to us!

Page 53

© 2015 Microsoft Corporation. All rights reserved.