Windows 10: A Guide to Secure Mobility in the Enterprise

© 2015 IBM Corporation A Guide to Secure Mobility in the Enterprise Chuck Brown Product Management IBM Security Windows 10 Jimmy Tsang Product Marketing IBM Security

Upload: ibm-maas360

Post on 15-Apr-2017


Category:

Mobile



TRANSCRIPT

Page 1: Windows 10: A Guide to Secure Mobility in the Enterprise

© 2015 IBM Corporation

Windows 10
A Guide to Secure Mobility in the Enterprise

Chuck Brown
Product Management, IBM Security

Jimmy Tsang
Product Marketing, IBM Security

Page 2: Windows 10: A Guide to Secure Mobility in the Enterprise

Housekeeping items

Duration – 60 minutes
Submit your questions to all panelists in the Q&A box located in the bottom right corner of your screen
Recording and slides will be emailed to you

Page 3: Windows 10: A Guide to Secure Mobility in the Enterprise

Agenda

Windows overview & trends

Windows 10 highlights

MaaS360 support for Windows 10

Demo

Q&A

Page 4: Windows 10: A Guide to Secure Mobility in the Enterprise

Poll results from May 2015

What operating system is installed on most of your laptops and desktops?

Windows 8: 9%
Windows 7: 85%
Windows XP: 4%
Mac OS X: 2%
Other: 0%

Page 5: Windows 10: A Guide to Secure Mobility in the Enterprise

Microsoft OS ecosystem

Page 6: Windows 10: A Guide to Secure Mobility in the Enterprise

Convergence of Windows

Page 7: Windows 10: A Guide to Secure Mobility in the Enterprise

Windows 10

Page 8: Windows 10: A Guide to Secure Mobility in the Enterprise

Current State of Affairs

Windows 10 generally available on July 29, 2015
“Free” upgrades to majority of devices except for Enterprise users
First 24 hours – 14 million installs
  – At peak - Windows 10 was being installed on about 1500 machines per second
Adoption is accelerating: >40% of new Win10 devices since Black Friday
Microsoft expects 1 billion devices to be running Windows 10 in 3 years

[Chart: Windows 10 Installs; plotted values 14,000,000, 110,000,000 and 200,000,000]

Page 10: Windows 10: A Guide to Secure Mobility in the Enterprise

Laptop and Desktop OS Market Share

Windows operating systems constitute ~ 91% of the total market share
Current Windows 10 market share is 9.96%
At 10% growth rate month on month – 20.81% market share by 2016 Q3

April 2015
Windows 7: 58%
Windows XP: 16%
Windows 8: 15%
OS X: 6%
Other: 3%
Windows Vista: 2%

December 2015
Windows 7: 56%
Windows XP: 11%
Windows 8: 13%
OS X: 7%
Other: 2%
Windows Vista: 2%
Windows 10: 10%

Source: NetMarketShare.com

Page 11: Windows 10: A Guide to Secure Mobility in the Enterprise

Device and OS are Creating a Continuum

Microsoft has an API set across Windows 10 PC/Tablet and Mobile
  – API set is an extension to Windows Phone 8.1
  – No API sets on Windows 7
Mac OS X provides a set of management APIs similar to iOS.
  – Apple is working on convergence of management API sets

Code for one. Reach them all.

Page 12: Windows 10: A Guide to Secure Mobility in the Enterprise

Where Are We?

Page 13: Windows 10: A Guide to Secure Mobility in the Enterprise

Configuration Service Provider Reference

Up-to-date list of API features for Windows 10

https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025%28v=vs.85%29.aspx

Page 14: Windows 10: A Guide to Secure Mobility in the Enterprise

7 Reasons to Open Up Windows 10

Convergence of Windows (Continuum)
Similar API set and policies on all devices
Build once use anywhere (Universal Apps)
Greater data and program security
Enlightened applications – Application management
Consistent workflow
Spartan/Edge browser

Page 15: Windows 10: A Guide to Secure Mobility in the Enterprise

Windows 10 Policies

Page 16: Windows 10: A Guide to Secure Mobility in the Enterprise

Security Policies

Page 17: Windows 10: A Guide to Secure Mobility in the Enterprise

Device Restrictions

Page 18: Windows 10: A Guide to Secure Mobility in the Enterprise

Network Restrictions

Page 19: Windows 10: A Guide to Secure Mobility in the Enterprise

Configure Trusted Certificates

Page 20: Windows 10: A Guide to Secure Mobility in the Enterprise

ActiveSync Settings

Page 21: Windows 10: A Guide to Secure Mobility in the Enterprise

Windows 10 Actions

Page 22: Windows 10: A Guide to Secure Mobility in the Enterprise

Windows 10 Actions

Locate
Selective Wipe
Wipe
Change Policy
Remove Control
Hide
Request Data Refresh

* Support for real-time notifications for these actions

Page 23: Windows 10: A Guide to Secure Mobility in the Enterprise

Additional Security Options

Page 24: Windows 10: A Guide to Secure Mobility in the Enterprise

Enterprise Data Protection – The Device is the BIG Container

Encrypt enterprise data on employee- and corporate-owned devices
Remotely wipe enterprise data off managed devices without affecting personal data
Privileged Apps
  – Select specific apps that can access data
  – Block non-privileged apps from accessing data
Employees not interrupted while switching between personal and enterprise apps while security policies are in place.
AppLocker
  – The AppLocker configuration service provider is used to specify which applications are allowed or disallowed for enterprise data protection

https://technet.microsoft.com/en-us/library/Dn985838(v=VS.85).aspx

Page 25: Windows 10: A Guide to Secure Mobility in the Enterprise

Additional Security Options

BitLocker for Full Disk Encryption
  – New Features
    • Encrypt and recover your device with Azure Active Directory.
    • DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up.
    • New Group Policy for configuring pre-boot recovery.
Windows Defender included with the OS
  – Anti-virus & Anti-malware
    • Auto updates
    • Has not received glowing reviews – “Just good enough”?
Backup & Recovery
  – Native integration with OneDrive

Page 26: Windows 10: A Guide to Secure Mobility in the Enterprise

Assigned Access – Kiosk Mode – Device Lockdown

Use Cases
  – Device in the lobby that customers can use to view your product catalog
  – Portable device that drivers can use to check a route on a map
  – Device that a temporary worker uses to enter data
Configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select.
Configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen.

Page 27: Windows 10: A Guide to Secure Mobility in the Enterprise

Edge Browser

Stops phishers before they cast their bait
  – Edge aims to prevent phishing attacks through its Passport technology
  – Instead of using a shareable password, Edge will authenticate securely to applications, including websites and networks
Operates in a sandbox
  – Internet Explorer was built directly into Windows
  – If the browser was compromised, your entire computer might be taken down along with it
  – Edge, on the other hand, will be a universal app, constantly running in a partial sandbox
Deactivates extensions, such as ActiveX & VB

Page 28: Windows 10: A Guide to Secure Mobility in the Enterprise

Patching

Page 29: Windows 10: A Guide to Secure Mobility in the Enterprise

Security Patching

Security patching is mandatory for all versions except Enterprise
  – Management
  – Automatic download and installation when device is connected to internet
  – Peer to Peer sharing of patch distribution inside the LAN
  – Updates/patches/fixes can be granularly controlled on the Enterprise edition (have not seen that yet)
Patching Bundles
  – Multiple line items (bulletins) now bundled into one package
    • Do not have the ability to test each item
    • http://www.computerworld.com/article/2969850/microsoft-windows/patch-bundles-are-the-new-norm-for-windows-10.html
OS Upgrades – 2 speeds – Fast and Slow ring

Page 30: Windows 10: A Guide to Secure Mobility in the Enterprise

Applications & Software Distribution

Page 31: Windows 10: A Guide to Secure Mobility in the Enterprise

Universal Applications, Store and Software Distribution

Build once – install on all devices
Multiple types of applications
  – Win32 – “legacy” type of application
  – APPX, App-V
Business Store for Applications
  – Acquire and Distribute Applications
  – Bulk Acquisition of Apps (Free and Paid)
  – Application Management – reclaim/re-use licenses
  – Similarities to iTunes App Store
Software Catalogs
  – Need to have a self-directed app catalog, like iOS/Android

Page 32: Windows 10: A Guide to Secure Mobility in the Enterprise

Third Party Software Distribution

Standard third party Windows software
  – Google (Chrome), Adobe, Java
  – Many have msi and APPX versions
  – Updates still necessary

Page 33: Windows 10: A Guide to Secure Mobility in the Enterprise

Windows 10 Enrollment

Page 34: Windows 10: A Guide to Secure Mobility in the Enterprise

Starting the Enrollment

Same standard process in MaaS360 for over-the-air enrollment
Enroll a device – receive the request

Page 35: Windows 10: A Guide to Secure Mobility in the Enterprise

MDM Enrollment

Installing the Company Hub
Click Continue

Page 36: Windows 10: A Guide to Secure Mobility in the Enterprise

MDM Enrollment

Enrolled successfully
Click Done

Page 37: Windows 10: A Guide to Secure Mobility in the Enterprise

Poll Results from May 2015

Based on what your organization knows today, when does it plan to upgrade to Windows 10?

Within 6 months: 5%
6-12 months: 22%
12-18 months: 22%
18 months or longer: 35%
We don’t plan to upgrade to Windows 10: 17%

Page 38: Windows 10: A Guide to Secure Mobility in the Enterprise

Demo

Page 39: Windows 10: A Guide to Secure Mobility in the Enterprise

Customer Value

Greatly simplifies workflows
Support all devices from one window
Actionable intelligence on or off network
Upgrades and new features/functions made available without end-user installations
Silent service
  – Does not disturb the productivity of the end user

Page 40: Windows 10: A Guide to Secure Mobility in the Enterprise

Why Should I Care?

Consistent unified workflow and information across all device platforms
No on-site infrastructure needed to support laptops, desktops, tablets and smartphones
Easy and fast to turn on
No heavy lifting for upgrades

Page 41: Windows 10: A Guide to Secure Mobility in the Enterprise

Complete Mobility Management and Security

Advanced Management – Visibility & Control
Secure Productivity Suite – Trusted Workplace
Secure Document Sharing – Content Collaboration
Mobile Threat Management – Malware Protection
Mobile Enterprise Gateway – Enterprise Access

Page 42: Windows 10: A Guide to Secure Mobility in the Enterprise

Seamless Enterprise Integration

Advanced Management – Visibility & Control
Secure Productivity Suite – Trusted Workplace
Secure Document Sharing – Content Collaboration
Mobile Threat Management – Malware Protection
Mobile Enterprise Gateway – Enterprise Access

BYOD, Corporate, Shared

Mail systems, Directories, Certificates, File shares

Page 43: Windows 10: A Guide to Secure Mobility in the Enterprise

Platform for Strong Mobile Security

Mobile Threat Management
Risk & Event Detection
Unified Endpoint Management
Mobile Identity Management
Integrated App Security
App Vulnerability & Reputation

Automated Policy Compliance
Encryption & Data Protection
Authentication & Restrictions
Containerization & App VPN
Device Quarantine & Wipe

Page 44: Windows 10: A Guide to Secure Mobility in the Enterprise

Why IBM MaaS360?

Integrated: solutions that connect seamlessly to your existing and external environments
Scalable: data security with intelligence for the volume, speed, and variability of mobile
Complete: management of devices, apps, content and users from a single platform

Page 45: Windows 10: A Guide to Secure Mobility in the Enterprise

Get Started Right Now

Instant: Access a free, fully functional trial for 30 days
Mobile: Manage and secure your devices, apps and content
Easy: Set up and configure your service in minutes

Page 46: Windows 10: A Guide to Secure Mobility in the Enterprise

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security