2. Agenda
• Introduction
• What is EMS and why do you need it?
• How to get started
• Newly added features
3. Thomas Godsted Rysgaard
- Senior Consultant at Atea
- Soon to be a father
- Likes long walks on the beach…
- Email: Thomas.Godsted.Rysgaard@Atea.dk
- Twitter: @thomasrysgaard
7. Enterprise Mobility Suite
Azure Active Directory Premium
• Hybrid Identity Control panel
• Multifactor Authentication
• Password Reset
Microsoft Intune
• Mobile and Device Management
• Compliance settings
• Mobile Application Management
Azure Rights Management
• Information Protection
• Document tracking
• Bring your own key
8. First step - Identity
Azure Active Directory Premium
11. Azure AD Connect
Consolidated deployment assistant for your identity bridge components: one sync engine that replaces DirSync, Azure AD Sync and the FIM + Azure AD Connector for on-boarding to Azure AD & Office 365, with ADFS as an optional add-on.
• Express Settings
• Multi-forest support
• Password Hash Sync
• Streamlined federation setup with ADFS
• Configurable Sync settings
http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx
ADFS
ADFS is optional; it addresses complex enterprise deployments: domain join SSO, enforcement of AD login policy, smart card or 3rd party MFA.
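The checks an administrator would run after an Azure AD Connect deployment with password hash sync, as an added example that is not from the deck and not Microsoft's own sample code. It assumes the ADSync module on the Azure AD Connect server and the MSOnline module for the tenant side; the `ConnectorTypeName -eq 'AD'` filter and the three-hour staleness threshold are assumptions of this example.

```powershell
# Added example, not from the deck. Run on the Azure AD Connect server with the
# ADSync module installed, plus the MSOnline module for the tenant-side checks.
Import-Module ADSync
Import-Module MSOnline

function Test-AadConnectHealth {
    param([int]$MaxPasswordSyncAgeHours = 3)   # assumed threshold; PHS normally runs every few minutes

    $problems = @()

    # 1. Scheduler: is the sync cycle running at all, and is this server actually exporting?
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) { $problems += 'Sync cycle is disabled' }
    if ($scheduler.StagingModeEnabled)    { $problems += 'Server is in staging mode (exports nothing)' }

    # 2. Password hash sync on each on-premises AD connector
    #    (assumption: on-prem forest connectors report ConnectorTypeName 'AD')
    Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | ForEach-Object {
        $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        if ($phs.Status -ne 'Enabled') { $problems += "Password hash sync disabled for connector $($_.Name)" }
    }

    # 3. Tenant side: when did directory sync and password sync last succeed?
    Connect-MsolService   # prompts for a Global Administrator credential
    $info   = Get-MsolCompanyInformation
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxPasswordSyncAgeHours)
    if (-not $info.DirectorySynchronizationEnabled) { $problems += 'Directory sync not enabled in tenant' }
    if (-not $info.PasswordSynchronizationEnabled)  { $problems += 'Password sync not enabled in tenant' }
    if ($info.LastPasswordSyncTime -lt $cutoff)      { $problems += "Last password sync at $($info.LastPasswordSyncTime) UTC is stale" }

    [pscustomobject]@{
        LastDirSyncTime      = $info.LastDirSyncTime
        LastPasswordSyncTime = $info.LastPasswordSyncTime
        Healthy              = ($problems.Count -eq 0)
        Problems             = $problems
    }
}

$result = Test-AadConnectHealth
$result | Format-List

# If sync is healthy but a change has not shown up yet, push a delta cycle instead of waiting.
if ($result.Healthy) { Start-ADSyncSyncCycle -PolicyType Delta }
```

The server running this holds the AD DS connector account and the password hash sync stream, so treat it like a domain controller: restrict local administrators, keep it off the general server management tier, and alert on the "stale" condition above rather than discovering it when users cannot sign in.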
13. Azure Multi-factor Authentication
A stand-alone Azure Identity and Access management service, also included in Azure Active Directory Premium.
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
Trusted by thousands of enterprises to authenticate employee, customer, and partner access.
DEMO
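Turning the MFA service on for a population of users, and finding the users who are still unprotected, as an added example that is not from the deck and not Microsoft's own sample code. It assumes the MSOnline module and a Global Administrator credential; the group name `All Employees` is a placeholder.

```powershell
# Added example, not from the deck. Enables per-user Azure MFA for the members of one
# group and reports users who still have no registered method. Requires the MSOnline
# module and a Global Administrator credential; the group name is a placeholder.
Import-Module MSOnline
Connect-MsolService

function Enable-MfaForGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    $group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found" }

    # 'Enabled' prompts the user to register a method at next sign-in; 'Enforced' requires
    # MFA immediately, so only move users there once they have registered.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = $State

    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'User' } |
        ForEach-Object { Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($req) }
}

function Get-UsersWithoutMfa {
    # Licensed, sign-in-enabled users with no MFA requirement or no registered method:
    # these are the accounts an attacker with a phished password can still use.
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -and -not $_.BlockCredential } |
        Where-Object { -not $_.StrongAuthenticationRequirements -or $_.StrongAuthenticationMethods.Count -eq 0 } |
        Select-Object UserPrincipalName,
            @{ n = 'MfaState'; e = { if ($_.StrongAuthenticationRequirements) { $_.StrongAuthenticationRequirements[0].State } else { 'Disabled' } } },
            @{ n = 'Methods';  e = { ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ',' } }
}

Enable-MfaForGroup -GroupName 'All Employees'   # placeholder group
Get-UsersWithoutMfa | Format-Table -AutoSize
```

The report matters more than the enable step: a user left in the Enabled state who never completes registration is still protected only by a password, so run the report until it comes back empty and then move the population to Enforced.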
15. The four EMS pillars: hybrid identity; mobile device & application management; access & information protection; desktop virtualization.
Mobile device & application management:
• Simplified device enrollment and registration
• Single console to manage all devices
• Managed productivity with Office mobile apps
• Conditional access to corporate resources
16. Deployment flexibility
• Intune standalone (cloud only): mobile devices and PCs, managed by IT from the Intune web console
• Configuration Manager integrated with Intune (hybrid): mobile devices and domain joined PCs, managed by IT from the System Center Configuration Manager console
17. Single management console for IT admins
• Intune web console (cloud only)
• Configuration Manager console (hybrid)
22. Conditional access to email
Policy verification at sign-in (username and password) against the required settings the IT admin defines in the Microsoft Intune admin console:
• Enrolled device
• Encrypted device
• Passcode set
• Not jailbroken/rooted
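The policy-verification step above written out as a PowerShell function, as an added example that is not from the deck and not Intune's own code, so the decision logic is explicit: every required setting must be positively reported as compliant, and a device that has not checked in recently is treated as non-compliant. The device records and the 24-hour check-in window are constructed for this example.

```powershell
# Added example, not from the deck. Evaluates constructed device records against the
# conditional-access requirements listed above. The rule is fail-closed: a setting that
# is missing or unknown counts as non-compliant, and so does a stale check-in.
function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)] $Device,
        [int] $MaxCheckInAgeHours = 24        # assumed window, not an Intune default
    )
    $reasons = @()
    if ($Device.Enrolled    -ne $true)  { $reasons += 'not enrolled' }
    if ($Device.Encrypted   -ne $true)  { $reasons += 'storage not encrypted' }
    if ($Device.PasscodeSet -ne $true)  { $reasons += 'no passcode' }
    # Only an explicit $false clears the jailbreak check; $null (never reported) does not.
    if ($Device.Jailbroken  -ne $false) { $reasons += 'jailbreak/root state not verified clean' }
    if (-not $Device.LastCheckIn -or $Device.LastCheckIn -lt (Get-Date).AddHours(-$MaxCheckInAgeHours)) {
        $reasons += 'no recent check-in'
    }
    [pscustomobject]@{
        Device  = $Device.Name
        Allowed = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample devices (not real inventory data)
$devices = @(
    [pscustomobject]@{ Name = 'ipad-01';      Enrolled = $true;  Encrypted = $true;  PasscodeSet = $true; Jailbroken = $false; LastCheckIn = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ Name = 'android-07';   Enrolled = $true;  Encrypted = $false; PasscodeSet = $true; Jailbroken = $false; LastCheckIn = (Get-Date).AddHours(-1) }
    [pscustomobject]@{ Name = 'iphone-12';    Enrolled = $true;  Encrypted = $true;  PasscodeSet = $true; Jailbroken = $null;  LastCheckIn = (Get-Date).AddDays(-5) }
    [pscustomobject]@{ Name = 'byod-unknown'; Enrolled = $false }   # never reported anything else
)

$devices | ForEach-Object { Test-DeviceCompliance -Device $_ } | Format-Table -AutoSize
```

Only `ipad-01` is allowed through; `iphone-12` is blocked on two counts even though every setting it did report looks fine, which is the behaviour you want when a device has gone quiet or an agent has been tampered with.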
25. Mobile Application Management with Microsoft Intune
Complete mobile application management: manage all of your corporate apps and data with Intune's mobile device and application management solution, keeping corporate (managed) apps separate from personal apps.
• Securely access corporate information using Office mobile apps, while preventing company data loss by restricting actions such as copy/cut/paste/save in your managed app ecosystem
• Extend these capabilities to existing line of business apps using the Intune app wrapper
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
26. Selective wipe
Perform selective wipe via self-service company portal or admin console (confirmation prompt: "Are you sure you want to wipe corporate data and applications from the user's device?")
• Remove managed apps and data
• Keep personal apps and data intact
28. Conditional access policy
• Ability to restrict access to Exchange on-premises email based upon device enrollment
• Ability to restrict access to Exchange Online email based upon device enrollment and compliance policies
Mobile app management
• Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem
• Ability to extend application protection to existing line-of-business apps using the Intune App Wrapping Tool for iOS
• Managed Browser app for Android devices that controls actions that users can perform, including allow/deny access to specific websites
• PDF Viewer, AV Player, and Image Viewer apps for Android devices that help users securely view corporate content
Configuration policies and resource access
• Deployment of email, WiFi, VPN profiles as well as certificates
• Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode
• Targeting of policies and apps by device groups
• Enforcement of application install or uninstall
• Convenient access to internal corporate resources via per-app VPN configurations for iOS
• Application install allow/deny list
• Remote pin reset for Windows Phone 8.1 (currently supported for iOS and Android)
• Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices
• Ability to restrict administrator access to a specific set of user and device groups
• Ability to create configuration files using Apple Configurator and import these files into Intune to set custom iOS policies
• Lockdown of Windows Phone 8.1 devices with Assigned Access mode using OMA-URI settings
• Ability to set additional policies on Windows Phone 8.1 devices using OMA-URI settings
Ongoing support for device platforms
• Service account enrollment
• Customizable terms and conditions
• Enhanced user interface for Intune administration console
• Ability to push free store apps to iOS devices
• Support for Apple Configurator
29. Conditional access policy
• Ability to restrict access to SharePoint Online (includes OneDrive for Business) based upon device enrollment and compliance
• Ability to restrict access to Exchange on-premises for Exchange ActiveSync clients on Android devices
Mobile app management
• Management of the Office Mobile app (access, view, and edit Word, Excel, and PowerPoint documents) for Android phones
• Management of OneNote and OneDrive apps
• Management of Work Folders app for iOS devices
Configuration policies and resource access
• Ability to require encryption on Windows 8.1 (x86) devices
• Ability to set minimum classification of platform updates to be installed automatically on Windows 8.1 (x86) devices
• Ability to restrict the number of devices a user can enroll in Intune
• Support for Cisco AnyConnect per-app VPN configurations for iOS devices
• Deployment of WiFi profiles for Windows devices using XML import and Windows Phone devices using OMA-URI (currently supported for iOS and Android)
• Ability to create WiFi profiles with pre-shared keys (PSK) for Android devices
• Ability to resolve certificate chains on Android devices without the need to deploy each intermediate certificate individually
• Ability to deploy .appx files and .appx bundles to Windows Phone 8.1 devices
Ongoing support for device platforms
• Support for Apple Device Enrollment Program (DEP)
• Ability to browse and install apps on Windows Phone 8.1 devices using Intune Company Portal website
• Ability to manage Windows Defender on Windows 10 PCs running Windows 10 Technical Preview without need for separate Microsoft Intune Endpoint Protection agent to be installed
• Combined Microsoft Intune Company Portal websites for PCs and mobile devices to provide a more consistent user experience across platforms
• Enhanced user interface for overview pages within Intune admin console
Hybrid configuration (ConfigMgr)
• Restrict access to Exchange Online email only if device is managed and compliant
• Ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices
30. Roadmap
Conditional access policy
• Ability to restrict access to Outlook app based on device enrollment and compliance
Mobile app management
• Intune App SDK for iOS
• Intune App Wrapping Tool for Android
• Support for MAM in the Outlook app
• Multi-identity
Ongoing support for device platforms
• Support of Apple Volume Purchase Program (VPP)
• Windows 10 support
• Mac OS X support
32. Settings management
• Comprehensive security policies are enforced on each platform
• Extensive configuration settings are available for each platform
• Policies can be applied to user and device groups
• Reporting available on each setting, whether it is applicable, conformant or has an error
33. Third step – Data Protection
Azure Rights Management
34. Azure RMS is built on…
Encryption: documents are strongly encrypted at rest, in motion and in use
Identity and access management: user identities are used to restrict access
Policy enforcement: granular rights control (who can print/edit/save/forward)
Access logging: document access is logged whenever and wherever it is used
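The four building blocks above driven from PowerShell, as an added example that is not from the deck and not Microsoft's own sample code: an admin-defined template supplies the policy, `Protect-RMSFile` applies the encryption, an ad-hoc license grants access to one named identity, and the tenant usage log is pulled for review. It assumes the RMS Protection module (Get-RMSTemplate, Protect-RMSFile, Get-RMSFileStatus, New-RMSProtectionLicense) and the AADRM module (Connect-AadrmService, Get-AadrmUsageLog); file paths, e-mail addresses and the template name match are placeholders, and parameter names should be checked against the installed module version.

```powershell
# Added example, not from the deck. Applies an admin-defined RMS template to a file,
# issues an ad-hoc license for one external recipient, and downloads the usage log.
# Requires the RMSProtection and AADRM modules; all paths and names are placeholders.
Import-Module RMSProtection
Import-Module AADRM

# Policy enforcement: the template carries the rights (view/edit/print/forward) the admin defined.
$template = Get-RMSTemplate | Where-Object { $_.Name -like '*Confidential*' } | Select-Object -First 1
if (-not $template) { throw 'No matching template found; inspect Get-RMSTemplate output' }

# Encryption: writes a protected copy to the output folder and leaves the original untouched.
$out = Protect-RMSFile -File 'C:\Docs\board-plan.docx' -TemplateId $template.TemplateId -OutputFolder 'C:\Docs\Protected'

# Confirm the copy is now protected before it leaves the machine.
Get-RMSFileStatus -File $out.ProtectedFile

# Identity-based access outside any template: an ad-hoc license for one named recipient,
# granting view-only rights (the -Permission value is one of the documented right names).
$license = New-RMSProtectionLicense -OwnerEmail 'alice@contoso.com' -UserEmail 'bob@partner.example' -Permission VIEW
Protect-RMSFile -File 'C:\Docs\partner-brief.pdf' -License $license -OutputFolder 'C:\Docs\Protected'

# Access logging: download the tenant usage log for the last 7 days into a local folder for review.
Connect-AadrmService
Get-AadrmUsageLog -Path 'C:\Logs\RMS' -FromDate (Get-Date).AddDays(-7)
```

The usage log is the part most deployments forget: protection without someone reading the log tells you nothing about a leaked document, so feed the downloaded files into whatever the SOC already reviews.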
36. RMS Application
Native applications and generic protection using Protected File (PFILE)
Custom administrator-defined policies
"I can protect and share information securely across device types"
DEMO