enterprise mobility suite - wpc 2015€¦ · microsoft windows expert since version nt 3.51 (1995)...
TRANSCRIPT
presenta
www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 1
Identity + Mobile Management + Security = Enterprise Mobility SuiteAlessandro AppianiFounder & CTO - Pulsar IT
twitter: @AlexAppiani
Gabriele TansiniPartner Technical Consultant- Microsoft
www.pulsarit.net – [email protected] 2
• 18-years experience
• Microsoft Certified since 1998
• MCT, MCITP Exchange+Office365 and MCM:Exchange 2007
• 12-years in Microsoft as Premier Field Engineer and Partner Technical Consultant
• LinkedIn: https://www.linkedin.com/in/gtansini
• Supporto Prevendita Partner MAPS, Silver e Gold: [email protected]
About Gabriele
www.pulsarit.net – [email protected] 3
• 30-years experience in IT Technologies and Solutions
• Computer Science Master’s Degree (full marks with honors) in 1989
• Microsoft Certified since 1995
• Microsoft TechNet speaker & Train-the-trainer since 1996
• MCT, MCITP Windows+Exchange+Lync+Office365 Microsoft Windows Expert since version NT 3.51 (1995)
Microsoft Exchange Expert since first product release (Exchange 4.0 - 1996)
Microsoft Lync/Skype Expert since first product release (LCS 2003)
Microsoft Office 365 Expert since first Cloud version (BPOS - 2009)
• Pulsar IT Founder & CTO technologies, strategy, digital transformation, advisory, ...
Twitter: @AlexAppiani
About Alessandro
ww
w.p
uls
arit.
net –
info
@puls
arit.
net
Design, Deploy, andSupport of Microsoft Solutions
Unified Communications & Collaboration• Exchange, Lync & SharePoint
Private Cloud• Virtualization & Systems Management
Hybrid & Public Cloud• Office 365, Azure, Active Directory Federation
Smart Workplace• Security, Control, Platform & Device Management
Microsoft Excellence since 1995
www.pulsarit.netblogs.pulsarit.net
Involved in Skype/Lync
vNext development (TAP)
with Microsoft Corporation Product
Team since 2009
Agenda
• Enterprise Mobility Suite intro
• Identity & Authentication
• Information Protection / Document security
• Device management
• Let’s go!
www.wpc2015.it – [email protected] - +39 02 365738.11 5
Enterprise Mobility Suite
Microsoft IntuneMicrosoft Azure Active Directory
Premium
Microsoft Azure Rights Management
Premium
Mobile Device & App Management
Identity & Access Management
Information Protection
Behavior based threat analytics
Advanced Threat Analytics
Easily manage identities
across on-premises and
cloud. Single sign-on &
self-service for any
application
Manage and protect
corporate apps and data on
almost any device with MDM
& MAM
Encryption, identity, and
authorization to secure
corporate files and email across
phones, tablets, and PCs
Identify suspicious activities
and advanced threats in near
real time, with simple,
actionable reporting
Typical EMM stack
Containers
Depends on specific DMZ infrastructure
Works on-premises only
SharePointServer
Exchange Server
Corporate network
Active Directory
Fire
wal
l
Fire
wal
l
DMZ/Perimeternetwork
SDK/wrapper, managed browser,
managed viewers
Custom SDK/wrapper enables line-of-business apps to be managed
Mobile application
management
Custom data container provides mobile productivity apps integrated with content and access systems
Custom
email app
Custom
file app
Custom
collab app
Native device MDMStandard MDM provides device configuration and management
Microsoft’s EMM stack
Standard on-premises integration
SharePointOnline
ExchangeOnline
Cloud integration
Intune App SDK
Intune App Wrapping Tool
Extensibility based on Azure AD and Intune Enable business apps to interoperate with Office mobile apps
SharePointServer
Exchange Server
Corporate network
Active Directory
Fire
wal
l
Fire
wal
l
DMZ/Perimeternetwork
Managed Office
productivity and moreOffice 365: Mobile productivity
Azure AD: Access control to Office 365 and SaaS apps
Intune: App restrictions for Office mobile and LOB apps
Azure Rights Management: Information protection at the file layer
Native device MDMIntune: Cross-platform MDM
www.wpc2015.it – [email protected] - +39 02 365738.11 10
• Microsoft native technologies, no add-on
• Office Apps integrated on ALL Platforms
• Protect data at rest where it’s created
• Work seamlessy on-prem and in Office 365
• Leverage Active Directory identity
Microsoft EMS key points
Self-service Singlesign on
•••••••••••
Username
Integrated / Hybrid Identity as the control plane
Simple connection
Cloud
SaaSAzure
Office 365Publiccloud
Other Directories
Windows ServerActive Directory
On-premises Microsoft Azure Active Directory
One common identity
Intelligent cloud
Machine learning
Security reports
Privileged Identity Management
App security
Conditional access
Multi-factor authentication
Cloud App Discovery
ALERT
1 4 5 6 7 6
Detect threats
User behavioral analysis
Simple attack timeline
Identity Driven Security
Azure Active Directory
Access and information protection
Keep corporate data secure
Manage the data, not the user
Provide access to data on any trusted device
aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu()&(*7812(*:
Use Rights +
Rights management 101
Secret cola formula
Water
Sugar
Brown #16
Protect Unprotect
Usage rights and symmetric
key stored in file as ‘license’
Each file is protected by
a unique AES symmetric
License protected
by customer-owned
RSA key
Water
Sugar
Brown #16
Local processing on PCs/devices
Rights management 101
Apps protected with
RMS enforce rights
SDK
Apps use the SDK to
communicate with the
RMS service/servers
File content is never sent to
the RMS server/service.
aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu()&(*7812(*:
Use Rights+
Use Rights+
Azure RMS
never sees the file
content, only the
license.
www.wpc2015.it – [email protected] - +39 02 365738.11 22
• Azure RMS has additional features compared to on-prem AD RMS RMS available in Microsoft infrastructure since Windows Server 2003
• Simplify collaboration with partners & customers
• Enable external-people collaboration (consumer identity)
• Manage cloud content
• Document tracking report web site available to users
• AD Premium integration (Multi-Factor authentication, ...)
• Simplified deployment (cloud-based, less servers required)
Azure Right Management vs AD RMS
Comparing Azure Rights Management and AD RMS
https://technet.microsoft.com/en-us/library/jj739831.aspx
Authentication & collaboration BYO Key
RMS connector
Authorization requests go to a federation service
• Data protection for organizations at different stages of cloud adoption
• Ensures security because sensitive data is never sent to the RMS server
• Integration with on-premises assets with minimal effort
Topology
AAD Connect
ADFS
Mobile device & application management
Consistent user experience across device platforms
Secure access to corporate apps and data
Single management console for mobile devices and PCs
Enterprise Mobility Management with Microsoft Intune
Mobile Device
Management (MDM)• Provide access to Exchange email based
upon device enrollment and compliance
policies
• Deploy certificates, WiFi, VPN, and email
profiles automatically once a device is
enrolled for management
• Enable bulk enrollment of task-worker
devices to set policies and deploy
applications on a large scale
• Provide a self-service Company Portal for
users to enroll their own devices and install
corporate apps
Mobile Application
Management (MAM)• Maximize mobile productivity and protect
corporate resources with Office mobile
apps
• Extend these capabilities to existing line of
business apps using the Intune app
wrapper
• Enable secure viewing of content using the
Managed Browser, PDF Viewer, AV Player,
and Image Viewer apps
PC Management• Provide lightweight, agentless
management from the cloud
• Connect Intune to System Center 2012 R2
Configuration Manager to manage all of
your devices including PCs, Macs,
Unix/Linux Servers, and mobile devices
from a single management console
• Provide real-time protection against
malware threats on managed computers
• Collect information about hardware
configurations and software installed on
managed computers
• Deploy software based upon policies set by
the administrator
User
Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
Empowering enterprise mobility
Devices Apps Data
Management. Access control. Information protection.
Mobile device and app management
Access & Information protection
Enterprise Mobility Suite
RMS Protection via RMS for O365• Protection for content stored in Office
(on-prem or O365)•Access to RMS SDK• Bring your own Key
RMS for O365+ • Protection for on-premises Windows
Server file shares
• Email notifications when sharing
documents
• Email notifications when shared
documents are forwarded
Basic Mobile Device Management via
MDM for O365•Device Settings Management
• Selective Wipe
• Built into O365 Mgmt. Console
MDM for O365+ • PC Management
•Mobile App Management (prevent
cut/copy/past/save as from corporate
apps to personal apps)
• Secure content viewers
• Certificate Provisioning
• System Center integration
Basic Identity Mgmt. via Azure AD for
O365:• Single Sign on for O365
• Basic Multifactor Authentication (MFA)
for O365
Azure AD for O365+• Single Sign on for all cloud apps
•Advanced MFA for all workloads
• Self Service group management and
password reset with write back to on
prem directory
•Advanced security reports
•MIM (Server + CAL)
GA Dec 2014
Hybrid identity management
EMS benefits for O365 customers
Windows 10
Enterprise Mobility Suite
EMS benefits for Windows
Mobile device and app management
Information protection
• Single sign-on for business cloud
apps
• Device set up and registration for
Windows devices
• Windows Store for Business
• Traditional domain join
manageability
• Manageability via MDM and MAM
• Encryption for data at rest and
generated on device
• Encryption for data included in
roaming settings
• Conditional access policies for
enhanced single sign on security
• MDM auto enrollment
• Self-service group and application
management
• Password reset with write-back to
on-premises directory
• Cloud based advanced security
reports
• Microsoft Identity Manager
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, WiFi, VPN, email profile
provisioning
• Agent-based management of
Windows devices (domain joined via
ConfigMgr and internet-based via
Intune)
• Tracking and notifications for shared
documents
• Protection for content stored in
Office & Office 365
• Protection for on-premises Windows
Server file shares
• Behavioral analytics for advanced
threat detection
• Detection for known malicious
attacks and security issues
Identity and access management
www.wpc2015.it – [email protected] - +39 02 365738.11 43
• Se si consente il reset con le domande di sicurezza è consigliabile richiedere almeno un secondo metodo di SSPR
• Abilitare MFA per gli Admin è gratuito per tutte le Azure AD
• Per fare admin via Powershell con MFA abilitata serve nuova versione (in preview) Azure AD PowerShell: Public Preview of support for Azure MFA + new Device
Management Commandshttp://blogs.technet.com/b/ad/archive/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands.aspx
Tips & Best Practice
Q & A
Domande e Risposte
www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 45
Grazie!
Corsi consigliati
MOCxxx - Titolo
MOCxxx - Titolo
www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 46
Contatti OverNetEducation
OverNet [email protected]
www.overneteducation.it
Tel. 02 365738
@overnete
www.facebook.com/OverNetEducation
www.linkedin.com/company/overnet-solutionswww.wpc2015.it
www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 47