Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan


David J. Rosenthal, CEO, Atidan August 21, 2016 Microsoft Briefing Center, NYC

Microsoft Intune: Mobile device and application management from the cloud

• 52 percent of information workers across 17 countries report using three or more devices for work*
• >80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***
• 90 percent of enterprises will have two or more mobile operating systems to support in 2017**

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

Devices, Apps, Data: Protect your data. Enable your users. Unify your environment.

People-centric approach to devices, apps, and data

It just works
• Preserve existing investments
• It’s integrated on common identity
• Access from many devices

It’s comprehensive
• Support iOS, Android, Windows
• Protection at all layers: identity, device, apps, data (built in)
• It protects Office better
• Manage and secure productivity

Azure Active Directory Premium (Unify identity): Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.

Microsoft Intune (Manage apps and devices): Manage and protect corporate apps and data on almost any device with MDM and MAM.

Azure Rights Management (Protect data): Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.

Microsoft Intune covers mobile device management, mobile application management, and PC management for both IT and users.

Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled

Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps
• Report on device and app compliance

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices

Enable users to be productive

Actions upon device enrollment
• Deploy email, VPN, and WiFi profiles
• Deploy certificates
• Deploy and install apps
• Deploy managed app configuration policies
• Apply and enforce device configuration settings
• Collect hardware and software inventory data

Deploy email profile upon enrollment (Intune pushes the profile to enrolled devices, which then connect to the corporate email server)
• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, tasks, contacts, and calendar
• Support for iOS, Samsung KNOX, and Windows Phone
• Any email service supported by Exchange ActiveSync

Microsoft Passport replaces passwords with strong two-factor authentication to help protect user identities and user credentials
• Credentials protected by hardware or software
• Credentials can be based on certificate or local keys
• Can be accessed using biometrics (Windows Hello) or PIN

Intune provides comprehensive management of Microsoft Passport
• Intune can deploy certificates to Microsoft Passport to authenticate users and help them to access corporate resources
• Intune manages Passport for Work policy, including PIN settings, biometrics settings, and Trusted Platform Module (TPM) requirements

Azure AD Join for Windows 10

Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. With Azure AD Join, you can auto enroll devices in Microsoft Intune for management.

Windows 10 Azure AD joined devices
• Intune / MDM auto-enrollment
• Enterprise-compliant services
• Support for hybrid environments
• Single sign-on from the desktop to cloud and on-premises applications with no VPN

Windows apps anywhere: RemoteApp, native apps (Intune), and SaaS apps (Azure AD Premium)

Consistent experience across Windows, Windows Phone, Android, and iOS

Company Portal
• Discover and install corporate apps
• Manage devices and data
• Ability to contact IT
• Customizable terms and conditions

Volume purchasing integration
• Purchase licenses in bulk for paid apps using the Windows Store for Business and Apple Volume Purchasing Program (VPP)
• Assign licenses to users: deploy licenses with Intune and install apps as required (license and app installed by the store)
• Deploy offline app packages to Windows 10 devices that cannot access the Windows Store with System Center Configuration Manager

Corporate-owned devices

Scenarios
• Corporate-owned devices (CYOD), with personal use allowed
• Retail outlets using tablets as point of sale devices, gift registries, etc.
• Schools providing tablets for technology-based learning

Enrollment options
• Service account enrollment
• Apple Configurator
• Apple Device Enrollment Program (DEP)
• Windows 10 provisioning profile

IT applies policies; the business manager distributes devices to users (school, retail store, restaurant).
• Deploy policies using Intune to lock down devices so they can only run applications allowed by IT
• Allow multiple users to use the same device and customize the device experience based on identity
• Deploy Device Guard policies using Intune to only allow trusted applications to run on Windows 10 devices

Protect corporate data from virtually anywhere

The perimeter cannot help protect data stored in the cloud. Access control to corporate data today spans mobile devices, PCs, and web browsers reaching apps and data.

Enterprise Mobility Suite: Access control and data protection integrated natively in the apps, devices, and the cloud (SharePoint Online, Exchange Online).

Conditional access policies evaluate the user, user group, IP range, and device state (with advanced Windows 10 options such as Windows Provable PC Health, PPCH) before granting access to on-premises and cloud corporate apps such as SharePoint Online and Exchange Online. Microsoft Intune supplies the device state.

• Apply and enforce device configuration settings across iOS, Android, and Windows via Intune MDM
• Collect hardware and software inventory data for reporting
• Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM, including Windows Defender (anti-malware), Firewall, and Cortana

Mobile application management
• Enforce corporate data access requirements
• Prevent data leakage on the device
• Enforce encryption of app data at rest
• App-level selective wipe

Maximize mobile productivity and protect corporate resources with Office mobile apps, including multi-identity support. Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool. Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps.

Managed apps and personal apps: corporate data is kept separate from personal data by multi-identity policy.

No enrollment required
• Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM.
• Protect data at the file level for Office documents and more with Azure Rights Management.
• Enable familiar Office experiences for employees. No enrollment.

Policy layers: MDM policies (optional, Intune or 3rd-party), MAM policies on corporate apps, and Azure Rights Management file policies; personal apps are untouched.

Familiar Office experience
• Seamless “enrollment” into app management
• Use for personal and corporate accounts

Comprehensive protection
• App encryption at rest
• App access control (PIN or credentials)
• Save as/copy/paste restrictions
• App-level selective wipe

MDM management by Intune or a third party is optional. Extend protection to the file level with Azure RMS.

Might be a good solution for these scenarios:
• BYOD when MDM is not required
• Extending app access to vendors and partners
• Already have an existing MDM solution

MAM flow for Office 365 apps
1. User installs an app from the Apple App Store or Google Play
2. User logs in with Office 365 credentials
3. Azure AD verifies that the app and user are allowed to access Office 365
4. Intune applies MAM policies to the managed apps
5. Access to Office 365 is granted
6. User continues to use the app as per usual

Managed apps include Microsoft apps, such as Office, Dynamics CRM, Power BI, and more, plus apps from partners that integrated them with the Intune App SDK. Personal apps stay outside the policy.

Selective wipe: perform selective wipe via the self-service company portal or the admin console. Remove managed apps and data; keep personal apps and data intact.

Enterprise Data Protection (EDP) with Microsoft Intune and Azure Rights Management
• Configure and manage EDP policies with Intune and Azure Rights Management
• Separate personal and corporate data with limited impact to the employee’s day-to-day activities
• Protect data at rest and wherever it may roam*
• Apply policies when files are saved to the corporate network file share or to personal storage; share files and enforce policies
• Secure content collaboration through integration with Azure Rights Management
• Control app access to corporate data and prevent copy and paste-related data leaks

* Some roaming scenarios use Azure Rights Management

Windows 10 protection layers
• Device protection (Microsoft Intune): BitLocker, Device Guard, device settings, Windows Defender
• Data separation and leak protection (Microsoft Intune): Enterprise Data Protection
• Sharing protection (Azure Rights Management): Rights Management

Container-based approach
• Depends on specific DMZ infrastructure; works on-premises only
• Corporate network (SharePoint Server, Exchange Server, Active Directory) sits behind firewalls and a DMZ/perimeter network
• Custom data container provides mobile productivity apps (custom email app, custom file app, custom collab app) integrated with content and access systems
• Custom SDK/wrapper enables line-of-business apps to be managed (mobile application management)
• Standard MDM provides device configuration and management (native device MDM)

EMS approach: extensibility based on Azure AD and Intune
• Standard on-premises integration (SharePoint Server, Exchange Server, Active Directory behind firewalls and a DMZ/perimeter network) and cloud integration (SharePoint Online, Exchange Online)
• Office 365: Mobile productivity (managed Office productivity and more)
• Azure AD: Access control to Office 365 and SaaS apps
• Intune: App restrictions for Office mobile and LOB apps via SDK/wrapper, managed browser, and managed viewers; the Intune App SDK and Intune App Wrapping Tool enable business apps to interoperate with Office mobile apps
• Azure Rights Management: Information protection at the file layer
• Intune: Cross-platform MDM (native device MDM)

Identify and authorize the user, apply device policies, apply application policies, apply content policies: Azure Active Directory Premium, Microsoft Intune, and Azure Rights Management together form the Enterprise Mobility Suite.

Summary: deployment flexibility, modern architecture, and enabling enterprise mobility with EMS

Deployment flexibility
• Intune standalone (cloud only): mobile devices and PCs managed by IT through the Intune web console
• Configuration Manager integrated with Intune (hybrid): mobile devices plus domain joined PCs managed by IT through the Configuration Manager console with System Center Configuration Manager

Modern architecture
• Always up-to-date, no need to migrate
• Always available and reachable
• Easy to try, adopt, and deploy
• Integrates with existing on-premises infrastructure
• Disaster recovery and geo-diversity
• Assign your data to a region
• Built from the ground up: datacenter, fabric, SaaS
• Built using world-class engineering and security
• Compliant and certified
• Financially backed Service Level Agreements (SLAs)

Applies to Intune, Office 365, Azure Active Directory, and Azure Rights Management.

Enterprise Mobility Suite
• Azure Active Directory Premium: security reports, audit reports, multi-factor authentication; self-service password reset and group management; single sign-on to over 2,400 popular SaaS applications
• Azure Rights Management: information protection; document tracking; bring your own key
• Microsoft Intune: mobile device settings management; mobile application management with Office mobile apps; conditional access and selective wipe

Making it easier to deliver a great brand experience. Keeping the selling workforce productive. Bringing a new level of efficiency to management.

For more information, please contact:
David J. Rosenthal, CEO
office365@Atidan.com
1-215-825-5045 ex. 5005

Learn more about our enterprise mobility products and solutions:
• Enterprise Mobility Suite: aka.ms/EnterpriseMobilitySuite
• Mobile device and application management: aka.ms/MDM-MAM
• Microsoft Intune: aka.ms/MicrosoftIntune
• System Center 2012 R2 Configuration Manager: aka.ms/ConfigMgr

“By using Microsoft Intune, we can improve staff members’ work experience and guest satisfaction, while reducing IT labor and operational costs. Everyone wins.”
Tim Banham, Solution Architect, Mitchells and Butlers

“Our competitive strategy depends on deploying Microsoft Intune to manage 1,200 tablets used by our independent sales contractors to improve our in-home sales process and win more business.”
Steven Creaney, Senior .NET Developer, Empire Today

“By adding Microsoft Intune to our environment … we can deploy, secure, and manage mobile apps that staff use to move faster than the competition and drive business.”
Gurdip Kundi, Senior Systems Engineer, Foxtons

“We use the Enterprise Mobility Suite to empower employees to use their own devices to securely access and share their data. The upshot? We’re improving project management and reducing costs.”
Patrick Wirtz, Innovation Manager, The Walsh Group


Devices, Apps, Data: Management. Access control. Information protection. Protect your data. Enable your users.

Layers: identity, application, device (optional), data.

Identity flow with Microsoft Intune, Azure Active Directory, and Active Directory
• IT deploys a certificate and Microsoft Passport settings to the device through Intune
• The user authenticates with a unique key that the directory trusts and receives an authentication token
• The user accesses corporate resources with that token

Corporate-owned device requirements

End users
• Need fast and easy way to enroll CYOD devices
• Should not be able to un-enroll devices that are corporate-owned
• Need access to corporate apps and other MDM capabilities on devices to be productive

IT admins
• Need easy way to prepare corporate-owned devices for enrollment
• Need to distinguish corporate-owned devices from personal-owned devices in the management console
• Need fast and easy way to bulk enroll shared devices
• Need devices to be secure at all times and within IT control

Windows 8.1 (phone and desktop): basic management and security settings
Windows 10 (phone and desktop): device lockdown; comprehensive device management
Significant investments in added functionality for both mobile and desktop devices

Managed apps and personal apps: maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps.

Intune web console
• New intuitive dashboard
• Respond to alerts
• Manage software deployments
• Configure and deploy policies
• View reports
• Role-based management

Intune standalone (cloud only): mobile devices and PCs managed by IT from the Intune web console

Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date

Devices supported (Intune standalone)
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
• OS X

Configuration Manager integrated with Intune (hybrid): mobile devices and domain joined PCs managed by IT from the Configuration Manager console

System Center 2012 R2 Configuration Manager with Microsoft Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
• Deep policy control requirements
• Greater scalability
• Extensible administration tools (RBA, PowerShell, SQL reporting services)

Devices supported (hybrid)
• Windows PCs (x86/64, Intel SoC)
• Windows to Go
• Windows Server
• Linux
• OS X
• Windows RT
• Windows Phone 8.x
• iOS
• Android

Capability | Intune standalone (cloud only) | Configuration Manager integrated with Intune (hybrid)
Management model | Lightweight, agentless OR agent-based management | Lightweight, agentless OR comprehensive agent-based management
PC protection from malware | Yes | Yes
PC software update management | Yes | Yes
Software distribution | Yes | Yes
Proactive monitoring and alerts | Yes | Yes
Hardware and software inventory | Yes | Yes
Policies for Windows Firewall management | Yes | Yes
Operating system deployment | | Yes
PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management | | Yes
Power management | | Yes
Custom reporting | | Yes

Configuration policies
• Comprehensive security policies are enforced on each platform
• Extensive configuration settings are available for each platform
• Policies can be applied to user and device groups
• Reporting is available on each setting, showing whether it is applicable, conformant, or has an error

Provision networks
• VPN: automatic VPN connection; per-app VPN (iOS)
• WiFi settings
• Manage and distribute certificates; set up certificate based authentication

Reporting
• Hardware properties for mobile devices are collected
• Company app inventory is collected
• Personal app inventory is not collected

Productivity

Conditional access to Exchange Online (Office 365)
1. The mobile device attempts an email connection
2. Azure Active Directory authenticates the user
3. Microsoft Intune sets the device management/compliance status in Azure Active Directory
4. If not compliant, the device is pushed into quarantine
5. The quarantine email carries remediation steps: a link to enroll the device and compliance remediation steps
6. Enrollment / compliance remediation is completed through Microsoft Intune
7. If compliant, email access is granted

Who does what?
• Intune: Evaluate policy compliance for the device
• Azure AD: Authenticate the user and provide the device compliance status
• Exchange Online: Enforces access to email based on device state

Conditional access to an on-premises Exchange server
1. Block unmanaged devices (policy configured by IT)
2. The mobile device attempts an email connection
3. If not managed, the device is pushed into quarantine; the quarantine email carries remediation steps and a link to enroll the device
4. Device enrollment in Microsoft Intune
5. Intune allows the managed device
6. If managed, email access is granted

Who does what?
• Intune: Evaluate and manage device state
• Exchange Server: Provides the API and infrastructure for quarantine
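The Exchange Online flow above, simulated as an added example (not code from the deck, Microsoft or Atidan): the device records, compliance thresholds, ENROLL_URL and remediation text are constructed, and each function plays one of the three roles from "who does what".

```python
"""Simulation of the Exchange Online conditional access flow described above.

Added example, not Microsoft's or Atidan's code: the Device and
CompliancePolicy records, the thresholds, ENROLL_URL and the remediation text
are all constructed for illustration. The functions mirror the slide's "who
does what": Intune evaluates device compliance, Azure AD reports that status
alongside user authentication, and Exchange Online enforces access.
"""
from dataclasses import dataclass, field

# Constructed placeholder; a real tenant uses its own Company Portal address.
ENROLL_URL = "https://portal.example.invalid/enroll"


@dataclass
class Device:
    device_id: str
    enrolled: bool
    jailbroken: bool = False
    encrypted: bool = False
    pin_length: int = 0


@dataclass
class CompliancePolicy:
    min_pin_length: int = 6
    require_encryption: bool = True
    block_jailbroken: bool = True


@dataclass
class Decision:
    action: str                               # "grant", "quarantine" or "deny"
    remediation: list = field(default_factory=list)


def intune_evaluate(device: Device, policy: CompliancePolicy) -> list:
    """Intune: evaluate policy compliance; an empty list means compliant."""
    if not device.enrolled:
        # Unenrolled devices are never compliant; enrollment is the first step.
        return [f"Enroll the device in Intune: {ENROLL_URL}"]
    violations = []
    if policy.block_jailbroken and device.jailbroken:
        violations.append("Device is jailbroken or rooted; restore a supported OS")
    if policy.require_encryption and not device.encrypted:
        violations.append("Enable device encryption")
    if device.pin_length < policy.min_pin_length:
        violations.append(f"Set a device PIN of at least {policy.min_pin_length} digits")
    return violations


def azure_ad_authenticate(user_ok: bool, device: Device, policy: CompliancePolicy) -> dict:
    """Azure AD: authenticate the user and attach the device compliance status."""
    violations = intune_evaluate(device, policy)
    return {"user_authenticated": user_ok, "device_id": device.device_id,
            "device_compliant": not violations, "violations": violations}


def exchange_online_enforce(claims: dict) -> Decision:
    """Exchange Online: grant mailbox access or quarantine with remediation steps."""
    if not claims["user_authenticated"]:
        return Decision("deny")
    if claims["device_compliant"]:
        return Decision("grant")
    # The quarantine mail carries exactly these steps plus the enrollment link.
    return Decision("quarantine", claims["violations"])


def attempt_email_connection(user_ok: bool, device: Device,
                             policy: CompliancePolicy = CompliancePolicy()) -> Decision:
    """Step 1 of the flow: the device tries to connect; returns Exchange's decision."""
    return exchange_online_enforce(azure_ad_authenticate(user_ok, device, policy))


def remediate(device: Device) -> Device:
    """Stand-in for the user following the quarantine mail: enroll, encrypt, set a PIN."""
    return Device(device.device_id, enrolled=True, jailbroken=device.jailbroken,
                  encrypted=True, pin_length=6)


if __name__ == "__main__":
    phone = Device("phone-01", enrolled=False)
    first = attempt_email_connection(True, phone)
    print(first.action, first.remediation)       # quarantine with the enrollment step
    print(attempt_email_connection(True, remediate(phone)).action)   # grant
```

A jailbroken device stays quarantined after remediate() because the stand-in does not clear that flag, matching the slide's point that a compromised device is blocked rather than fixed by enrollment.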

Office mobile apps are natively manageable with Intune: Word, Excel, PowerPoint, OneNote, Outlook, and OneDrive for Business.

Intune Viewer apps provide secure content viewing: Managed Browser, PDF Viewer, AV Player, and Image Viewer.

Intune App Wrapping Tool: make any app manageable without modifying code. ‘Wrap’ internal line-of-business (LOB) apps to manage them with Intune MAM policies.

Intune App SDK: build your apps from the ground up with the Intune App SDK. Developers can easily integrate applications for manageability, and the SDK provides more control over the user experience than the App Wrapping Tool.

Intune App Wrapping Tool
Allows you to apply Intune MAM policies to existing line-of-business (LOB) apps:
• Post-compilation command line tool for IT Pros
• Supports repackaging unencrypted applications
• Applications are signed with company-specific certificates
• Platform-specific tools for iOS (Mac OS X 10.8.5+) and Android (Windows)
• Published by Microsoft (available on Download Center)
• Product documentation and in-tool command line help

Intune App SDK
Enables additional options to manage internal apps with Intune MAM policies:
• Intune App SDK and App Wrapping Tool use the same processing and enforcement engine
• SDK can be used for both LOB apps and store apps
• Enables additional MAM functionality over the app beyond the App Wrapping Tool (for example: disable the save as functionality of the app)

IT processes the LOB application with the Intune App Wrapping Tool or SDK, applies MAM policies, and deploys the app to the user.

App origination scenarios (platform columns: Windows 8.1/10, Windows Phone 8.1, iOS, Android)

Line-of-business apps (sideloading)
• Available in Company Portal; targeted to users: ● ● ● ●
• Mandatory install and uninstall; targeted to users and devices: ● ● ●; User consent required; User consent required

Public store apps
• Deep linked app; available in Company Portal; targeted to users: ● ● ● ●
• Managed store app; available in Company Portal; targeted to users: ● ●
• Managed store app; mandatory install and uninstall; targeted to users and devices: User consent required; User consent required

External/Deep linked apps
• End user is taken to the store for installation
• Installation status is not reported in the admin console
• IT Pro can only make it available in Company Portal
• App on the device is marked as a personal app in inventory
• Works for both free and paid apps
• MAM policies cannot be applied

Managed store apps
• No trip to the store; installation begins directly
• Installation status is reported in the admin console
• Push apps; apps can be installed directly
• App on the device is marked as a managed app in the inventory
• Works only for free store apps
• MAM policies can be applied

Full wipe: restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting corporate-owned devices

Selective wipe: remove company assets from device
• Company resources (apps, data, profiles, certificates, settings, and email) are removed
• MAM support adds the ability to remove only corporate data from multi-account applications
• Typically used for personal-owned devices

Bulk enrollment
• Bulk enroll devices with a service account
• Support for Apple Configurator
• Support for Apple Device Enrollment Program
• Windows 10 provisioning profiles

Configuration policies
• Custom iOS policy
• Device lockdown
• Policies and apps targeted to devices
• Application install allow/deny list

IT enrolls devices on behalf of users and applies policies; the business manager distributes the devices to users (restaurant, school, retail store).

Apple Configurator enrollment
1. Export the device enrollment profile from Intune
2. Import it into Apple Configurator
3. Configure iOS devices with Apple Configurator
4. iOS devices will automatically enroll on first power on

Custom iOS policy
1. Export a custom configuration policy from Apple Configurator
2. Import the custom configuration file into Intune
3. Deploy the custom policy to iOS devices

Application install allow/deny list enforcement

Platform | Allow/block enforcement
Windows 10 | Enforced by device OS (always compliant)
Windows Phone 8.1 | Enforced by device OS (always compliant)
iOS | Audit reporting*
Android | Audit reporting*

App origination scenarios (columns: Windows 8.1/10, Windows Phone 8.1, iOS, Android, Installation status, Application update)

Line-of-business apps (sideloading)
• Available in Company Portal; targeted to users: ● ● ● ● ● ●
• Mandatory install and uninstall; targeted to users and devices: User consent required; User consent required; ● ●

Public store apps
• Deep linked apps; available in Company Portal; targeted to users: ● ● ● ●
• Managed store apps; available in Company Portal; targeted to users: ● ● ●
• Managed store apps; mandatory install and uninstall; targeted to users and devices: User consent required; User consent required

Configuration policy categories (● = available; platform columns: Win 8.1/10, Windows Phone 8.1, iOS, Android/KNOX, Exchange ActiveSync)
Password ● ● ● ●
Encryption ● ● ●
Malware ●
System Settings ● ● ● ●
Cloud ● ●
Windows Server Work Folders ●
Accounts and Sync ● ●
Email ● ● ●
Browser ● ● ● ●
Store Applications & Gaming ● ● ●
Device Hardware ● ● ●
Device Cellular/Roaming ● ● ●
Device Features ● ● ●

App types by platform (● = supported; columns: Desktop apps (.msi, .exe)*; Modern app types: Managed store app, Sideloading (.app .app .ipa .apk), Deep links, Web apps)
Windows 8.1/10 ● ● ● ●
Windows RT ● ● ●
iOS ● ● ● ●
Android ● ● ● ●
Windows Phone ● ● ●
Windows 7 and below ● ●

Feature comparison (● = supported)

Category | Feature | Exchange ActiveSync | MDM for Office 365 | Microsoft Intune (cloud only) | Intune + ConfigMgr (hybrid)
Device configuration | Inventory mobile devices that access corporate applications | ● | ● | ● | ●
Device configuration | Remote factory reset (full device wipe) | ● | ● | ● | ●
Device configuration | Mobile device configuration settings (PIN length, PIN required, lock time, etc.) | ● | ● | ● | ●
Device configuration | Self-service password reset (Office 365 cloud only users) | ● | ● | ● | ●
Office 365 | Provides reporting on devices that do not meet IT policy | | ● | ● | ●
Office 365 | Group-based policies and reporting (ability to use groups for targeted device configuration) | | ● | ● | ●
Office 365 | Root and jailbreak detection | | ● | ● | ●
Office 365 | Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe) | | ● | ● | ●
Office 365 | Prevent access to corporate email and documents based upon device enrollment and compliance policies | | ● | ● | ●
Premium mobile device & app management | Self-service Company Portal for users to enroll their own devices and install corporate apps | | | ● | ●
Premium mobile device & app management | App deployment (Windows Phone, iOS, Android) | | | ● | ●
Premium mobile device & app management | Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles | | | ● | ●
Premium mobile device & app management | Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management) | | | ● | ●
Premium mobile device & app management | Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune | | | ● | ●
Premium mobile device & app management | Remote device lock via self-service Company Portal and via admin console | | | ● | ●
PC management | Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.) | | | ● | ●
PC management | PC software management | | | ● | ●
PC management | Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.) | | | | ●
PC management | Windows Server/Linux/UNIX/Mac OS X support | | | | ●
PC management | OS deployment and imaging | | | | ●

David J. Rosenthal, CEO, Office365@Atidan.com, 1-215-825-5045 ex. 5001