Briforum London 2015
How to Get Started with the Microsoft Enterprise Mobility Suite
Key Takeaways
Why is managing your mobile workforce important?
What is EMS and why do you need it in your Enterprise?
How do we get started with EMS?
Peter Daalmans
Senior Technical Consultant
https://twitter.com/pdaalmans
https://www.linkedin.com/in/pdaalmans
http://configmgrblog.com
Kenny Buntinx
Managing Consultant
https://twitter.com/KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
Enterprise Mobility Suite
2015 Enterprise Mobility Predictions
Say goodbye to BYOD
Say Hello to Data Protection
Organizations will generally have three types of devices
• Employee Owned, Company Managed (EOCM)
• Company Owned, Company Managed (COCM)
• Company Owned, Company Dictated (COOD)
Source: http://simon-may.com/yet-another-predictions-post-mobility-2015/
• SCCM is undisputed winner of PC Mgmt w/ >70% share
• You need to look into an MDM solution today
• We believe Microsoft is the long-term winner
Growth is all in Mobile Devices
[Chart: device shipments (MM) by year, 2012 to 2017, for Tablet, Smartphone and PC. Source: IDC]
Licensing
Microsoft Intune (Standalone)
Enterprise Mobility Suite
• Microsoft Intune
• Azure Active Directory Premium
• Azure Rights Management
Enterprise Cloud Suite
• Enterprise Mobility Suite
• Office 365 Enterprise E3
• Windows Software Assurance
http://www.microsoft.com/licensing/about-licensing/briefs/enterprise-cloud-suite.aspx
Azure AD Premium
Identity
Azure Active Directory Premium
Active Directory in the cloud
Federation and identity provisioning
Centrally managed identities
• Synchronization
• Single User Identity (SSO)
Monitor and protect access to cloud apps
• Authentication and Security reports
• Multi-Factor Authentication (MFA)
Empower end users
• Self-Service password reset
Azure Active Directory free and premium offerings feature comparison
Identity: Cloud, Sync or Federated?
Cloud identity provides a solution where all identity resides in the cloud
Federated identity allows customers to retain all authentication on-premises
Identity sync enables customers to bridge their existing identity into the cloud
B2B federated identity allows customers to securely share and collaborate with each other
Common Identity with Sync and Federation
Synchronization: User attributes are synchronized, including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory.
Federation: User attributes are synchronized. Authentication is passed back through federation and completed against Windows Server Active Directory.
AD FS provides conditional access to resources, Work Place Join for device registration and integrated Multi-Factor Authentication
*Write back of attributes to support cloud first and co-existence
Azure Active Directory
Identity
Demo
Enabling users
• Self-service password reset: Users can reset their passwords, significantly reducing help desk burden and costs.
• Self-service profile access: Users can edit their profile details to update and add missing information.
• Self-service group management, including dynamic membership calculation in these groups and distribution lists, based on the user's attributes.
Provide users with self-service experiences
Self-service password reset
Demo
Protect your data
Security Reports
Self-service Profile access
Multi-Factor Authentication
Multi-Factor Authentication
What is multi-factor authentication?
Any two or more of the following factors:
Something you know: a password or PIN.
Something you have: a phone, credit card or hardware token.
Something you are: a fingerprint, retinal scan or other biometric.
Stronger when using two different channels (out-of-band).
Security Reports Demo
Microsoft Intune
Microsoft Intune
Mobile Device Management
Windows, Windows Phone, iOS and Android
Policy and Application Management
Compliance reporting
Conditional Access to resources
Selective Wipe Devices
Hybrid / Cloud solution
Single management console for IT admins
• Configuration Manager console (hybrid)
• Intune web console (cloud only)
Comprehensive lifecycle management
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled
Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of managed app ecosystem
• Report on device and app compliance
Company Portal(s)
Company portal self-service experience
Consistent experience across: Windows, Windows Phone, Android, iOS
Discover and install corporate apps
Manage devices and data
Customizable terms and conditions
Ability to contact IT
Force the Policy refresh
Mobile Device – Portals
All portals offer the same experience (except for Windows Phone)
Device Enrolment – The new way Conditional access
Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and the cloud.
[Diagram: Dirsync w Pwd Sync, Connector, Internal Connector]
Conditional access for Office 365
Device Enrolment – The new way Conditional access
DEMO
Application Management
Mobile Application Management
Personal apps
Mobile Application Management
DEMO
Rights Management
Microsoft Rights Management
Encrypt and control
• Documents
• Mails
Prevent unwanted viewing/printing or access to Corporate data
Integrating RMS into workflows
Sharing documents securely
Rights Management
Demo
Corporate Data Removal
Full Wipe vs. Selective Wipe
Options for corporate data removal
Selective/Full Wipe
DEMO
Questions