David J. Rosenthal, CEO, Atidan August 21, 2016 Microsoft Briefing Center, NYC Microsoft Intune Mobile device and application management from the cloud

Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Page 1: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

David J. Rosenthal, CEO, Atidan August 21, 2016 Microsoft Briefing Center, NYC

Microsoft Intune

Mobile device and application management from the cloud

Page 2: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

52 percent of information workers across 17 countries report using three or more devices for work*

90 percent of enterprises will have two or more mobile operating systems to support in 2017**

>80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013

** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115

*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

Page 3: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Devices Apps Data

Page 4: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Protect your data

Enable your users Unify your environment

People-centric approach

Devices Apps Data

Page 5: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

It just works

Preserve existing investments

It’s integrated on common identity

Access from many devices

Support iOS, Android, Windows

It’s comprehensive

Protection at all layers

Identity, device, apps, data—built in

It protects Office better

Manage and secure productivity

Page 6: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Unify identity

Azure Active Directory Premium

Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.

Manage apps and devices

Microsoft Intune

Manage and protect corporate apps and data on almost any device with MDM and MAM.

Protect data

Azure Rights Management

Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.

Page 7: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Page 8: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Mobile application management

PC management

Mobile device management

IT

User

Microsoft Intune

Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Page 9: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Enroll

• Provide a self-service Company Portal for users to enroll devices

• Deliver custom terms and conditions at enrollment

• Bulk enroll devices using Apple Configurator or service account

• Restrict access to Exchange email if a device is not enrolled

Retire

• Revoke access to corporate resources

• Perform selective wipe

• Audit lost and stolen devices

Provision

• Deploy certificates, email, VPN, and WiFi profiles

• Deploy device security policy settings

• Install mandatory apps

• Deploy app restriction policies

• Deploy data protection policies

Manage and Protect

• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)

• Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps

• Report on device and app compliance

User IT

Page 10: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Enable users to be productive

Page 11: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

IT

User

Actions upon device enrollment

• Deploy email, VPN, and WiFi profiles

• Deploy certificates

• Deploy and install apps

• Deploy managed app configuration policies

• Apply and enforce device configuration settings

• Collect hardware and software inventory data

Microsoft Intune

Devices enrolled

Page 12: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Microsoft Intune

Corporate email server

IT

Deploy email profile upon enrollment

• Configure account settings and security restrictions

• Enable certificate authentication

• Synchronize email, task, contacts, and calendar

• Support for iOS, Samsung KNOX, and Windows Phone

Any email service supported by Exchange ActiveSync

User

Page 13: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Microsoft Passport replaces passwords with strong two-factor authentication to help protect user identities and user credentials

• Intune can deploy certificates to Microsoft Passport to authenticate users and help them to access corporate resources

• Intune manages Passport for Work policy including PIN settings, biometrics settings, Trusted Platform Module (TPM) requirements

Intune provides comprehensive management of Microsoft Passport

• Credentials protected by hardware or software

• Credentials can be based on certificate or local keys

• Can be accessed using biometrics (Windows Hello) or PIN

Page 14: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory.

With Azure AD Join, you can auto enroll devices in Microsoft Intune for management.

Azure AD Join for Windows 10

Windows 10 Azure AD Joined Devices

Intune / MDM

auto-enrollment

Intune auto-enrollment

Enterprise-compliant services

Support for hybrid environments

Single sign-on from the desktop to cloud and on-premises applications with no VPN

Page 15: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Windows apps anywhere

RemoteApp

Native apps

Intune

SaaS apps

Azure AD Premium

Page 16: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Consistent experience across Windows, Windows Phone, Android, and iOS

Discover and install corporate apps

Manage devices and data

Ability to contact IT

Customizable terms and conditions

Page 17: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Volume purchasing integration

Assign licenses to users

Purchase licenses in bulk for paid apps using the Windows Store for Business and Apple Volume Purchasing Program (VPP)

Deploy licenses to users with Intune and install apps as required

License and app installed by store

Deploy offline app packages to Windows 10 devices that cannot access the Windows Store with System Center Configuration Manager

Page 18: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Corporate-owned devices

Corporate-owned devices (CYOD), with personal use allowed

Retail outlets using tablets as point of sales devices, gift registries, etc.

Schools providing tablets for technology-based learning

Page 19: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Service account enrollment

Apple Configurator

Apple Device Enrollment Program (DEP)

Windows 10 provisioning profile

Page 20: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Business Manager

IT

Apply policies

School

Retail Store

Restaurant

Deploy policies using Intune to lock down devices so they can only run applications allowed by IT

Allow multiple users to use the same device and customize device experience based on identity

Deploy Device Guard policies using Intune to only allow trusted applications to run on Windows 10 devices

Page 21: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Protect corporate data from virtually anywhere

Page 22: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

The perimeter cannot help protect data stored in the cloud

Access control to corporate data today

Mobile devices

PCs

Web browsers

Apps

Data

Page 23: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Enterprise Mobility Suite

Access control and data protection integrated natively in the apps, devices, and the cloud

SharePoint Online

Exchange Online

Page 24: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Conditional access policies

IP Range

Device State

Advanced

Windows 10

options

User Group

User

On-premises

Cloud

Corporate apps

Page 25: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Windows Provable PC Health (PPCH)

SharePoint Online

Exchange Online

User

Microsoft Intune

Page 26: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Apply and enforce device configuration settings across iOS, Android, and Windows via Intune MDM

Collect hardware and software inventory data for reporting

Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM – including Windows Defender (anti-malware), Firewall, and Cortana

Page 27: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Enforce corporate data access requirements

Prevent data leakage on the device

Enforce encryption of app data at rest

App-level selective wipe

Page 28: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support

Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool

Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

Managed apps

Personal apps

IT

User

Corporate data

Personal data

Multi-identity policy

Page 29: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM.

Protect data at the file level for Office documents and more with Azure Rights Management.

Enable familiar Office experiences for employees. No enrollment.

Personal apps

Corporate apps

Azure Rights Management

MDM policies

MAM policies

File policies

MDM – optional (Intune or 3rd-party)

Page 30: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Familiar Office experience

• Seamless “enrollment” into app management

• Use for personal and corporate accounts

Comprehensive protection

• App encryption at rest

• App access control – PIN or credentials

• Save as/copy/paste restrictions

• App-level selective wipe

MDM mgmt. by Intune or third-party is optional

Extend protection to a file level with Azure RMS

Might be a good solution for these scenarios:

• BYOD when MDM is not required

• Extending app access to vendors and partners

• Already have an existing MDM solution

Personal apps

Corporate apps

Azure Rights Management

MDM policies

MAM policies

File policies

MDM – optional (Intune or 3rd-party)

Page 31: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

1. User installs an app from the Apple App Store or Google Play

2. User logs in with Office 365 credentials

3. Azure AD verifies that the app and user are allowed to access Office 365

4. Intune applies MAM policies to the managed apps

5. Access to Office 365 is granted

6. User continues to use the app as per usual

User

Office 365

Azure AD

Page 32: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Microsoft apps, such as Office, Dynamics CRM, Power BI, and more

Partners that integrated their apps with Intune App SDK

Page 33: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Personal apps

Managed apps

Perform selective wipe via self-service company portal or admin console

Remove managed apps and data

Keep personal apps and data intact

IT

Page 34: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Configure and manage EDP policies with Intune and Azure Rights Management

Separate personal and corporate data with limited impact to employee’s day-to-day activities

Protect data at rest and wherever it may roam*

User

Corporate network

Microsoft Intune & Azure Rights Management

Apply policies

Save

Save

Share files and enforce policies

File share

Personal storage

Secure content collaboration through integration with Azure Rights Management

Control app access to corporate data and prevent copy and paste-related data leaks

* Some roaming scenarios use Azure Rights Management

Page 35: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Microsoft Intune Microsoft Intune Azure Rights Management

Device protection

BitLocker

Device Guard

Device settings

Windows Defender

Data separation Leak protection

Enterprise Data Protection

Sharing protection

Rights Management

Page 36: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Containers

Depends on specific DMZ infrastructure

Works on-premises only

SharePoint Server

Exchange Server

Corporate network

Active Directory

Firewall

Firewall

DMZ/Perimeter network

SDK/wrapper, managed browser, managed viewers

Custom SDK/wrapper enables line-of-business apps to be managed

Mobile application management

Custom data container provides mobile productivity apps integrated with content and access systems

Custom email app

Custom file app

Custom collab app

Native device MDM

Standard MDM provides device configuration and management

Page 37: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Standard on-premises integration

SharePoint Online

Exchange Online

Cloud integration

Intune App SDK

Intune App Wrapping Tool

Extensibility based on Azure AD and Intune

Enable business apps to interoperate with Office mobile apps

SharePoint Server

Exchange Server

Corporate network

Active Directory

Firewall

Firewall

DMZ/Perimeter network

Managed Office productivity and more

Office 365: Mobile productivity

Azure AD: Access control to Office 365 and SaaS apps

Intune: App restrictions for Office mobile and LOB apps

Azure Rights Management: Information protection at the file layer

Native device MDM

Intune: Cross-platform MDM

Page 38: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Identify and authorize user

Apply device policies

Apply application policies

Apply content policies

User IT

Active Directory Premium

Rights Management

Enterprise Mobility Suite

Page 39: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Summary

Deployment flexibility

Modern architecture

Enable enterprise mobility with EMS

Page 40: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Intune standalone (cloud only)

Mobile devices and PCs

IT

Intune web console

Configuration Manager integrated with Intune (hybrid)

Mobile devices

System Center Configuration Manager

Domain joined PCs

IT

Configuration Manager console

Page 41: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

• Always up-to-date, no need to migrate

• Always available and reachable

• Easy to try, adopt, and deploy

• Integrates with existing on-premises infrastructure

• Disaster recovery and geo-diversity

• Assign your data to a region

• Built from the ground up: datacenter, fabric, SaaS

• Built using world-class engineering and security

• Compliant and certified

• Financially backed Service Level Agreements (SLAs)

Intune

Office 365

Azure Active Directory

Azure Rights Management

Page 42: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Security reports, audit reports, multi-factor authentication

Self-service password reset and group management

Single sign-on to over 2,400 popular SaaS applications

Information protection

Document tracking

Bring your own key

Mobile device settings management

Mobile application management with Office mobile apps

Conditional access and selective wipe

Active Directory Premium

Rights Management

Page 43: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Making it easier to deliver a great brand experience

Keeping the selling workforce productive

Bringing a new level of efficiency to management

Page 44: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

For more information, please contact:

David J. Rosenthal, CEO

[email protected]

1-215-825-5045 ex. 5005

Learn more about our enterprise mobility products and solutions:

Enterprise Mobility Suite:

aka.ms/EnterpriseMobilitySuite

Mobile device and application management:

aka.ms/MDM-MAM

Microsoft Intune:

aka.ms/MicrosoftIntune

System Center 2012 R2 Configuration Manager:

aka.ms/ConfigMgr

Page 45: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Page 46: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

“By using Microsoft Intune, we can improve staff members’ work experience and guest satisfaction, while reducing IT labor and operational costs. Everyone wins.”

Tim Banham

Solution Architect

Mitchells and Butlers

Page 47: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

“Our competitive strategy depends on deploying Microsoft Intune to manage 1,200 tablets used by our independent sales contractors to improve our in-home sales process and win more business.”

Steven Creaney

Senior .NET Developer

Empire Today

Page 48: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

“By adding Microsoft Intune to our environment … we can deploy, secure, and manage mobile apps that staff use to move faster than the competition and drive business.”

Gurdip Kundi

Senior Systems Engineer

Foxtons

Page 49: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

“We use the Enterprise Mobility Suite to empower employees to use their own devices to securely access and share their data. The upshot? We’re improving project management and reducing costs.”

Patrick Wirtz

Innovation Manager

The Walsh Group

A rendering of the new Tom Bradley International Terminal’s great hall. (credit: Los Angeles World Airports)

Page 50: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Devices Apps Data

Management. Access control. Information protection.

Protect your data

Enable your users

User IT

Page 51: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Identity

Application

Device (optional)

Data

Page 52: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Microsoft Intune

Access corporate resources

Authentication token

Authenticate and trust my unique key

Deploy a certificate and Microsoft Passport settings

Azure Active Directory and Active Directory

Page 53: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Need fast and easy way to enroll CYOD devices

Should not be able to un-enroll devices that are corporate-owned

Need access to corporate apps and other MDM capabilities on devices to be productive

User

Need easy way to prepare corporate-owned devices for enrollment

Need to distinguish corporate-owned devices from personal-owned devices in the management console

Need fast and easy way to bulk enroll shared devices

Need devices to be secure at all times and within IT control

IT

End users

IT admins

Page 54: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Windows 8.1 Windows 10

Basic management and security settings

Device lockdown

Comprehensive device management

Phone Desktop Phone Desktop

Significant investments in added functionality for both mobile and desktop devices

Page 55: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Personal apps

Managed apps

Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps

User

Page 56: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

New intuitive dashboard

Respond to alerts

Manage software deployments

Configure and deploy policies

View reports

Role-based management

Intune web console

Page 57: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Mobile devices and PCs

Intune standalone (cloud only)

IT

Intune web console

Manage and Protect

• No existing infrastructure necessary

• No existing Configuration Manager deployment required

• Simplified policy control

• Simple web-based administration console

• Faster cadence of updates

• Always up-to-date

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows RT

• Windows Phone 8.x

• iOS

• Android

• OS X

Page 58: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Mobile devices

System Center Configuration

Manager

Domain joined PCs

Configuration Manager integrated with Intune (hybrid)

IT

Configuration Manager console

System Center 2012 R2 Configuration Manager with Microsoft Intune

• Build on existing Configuration Manager deployment

• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)

• Deep policy control requirements

• Greater scalability

• Extensible administration tools (RBA, PowerShell, SQL reporting services)

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows to Go

• Windows Server

• Linux

• OS X

• Windows RT

• Windows Phone 8.x

• iOS

• Android

Page 59: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Intune standalone (cloud only)

• Lightweight, agentless OR agent-based management

• PC protection from malware

• PC software update management

• Software distribution

• Proactive monitoring and alerts

• Hardware and software inventory

• Policies for Windows Firewall management

Configuration Manager integrated with Intune (hybrid)

• Lightweight, agentless OR comprehensive agent-based management

• PC protection from malware

• PC software update management

• Software distribution

• Proactive monitoring and alerts

• Hardware and software inventory

• Policies for Windows Firewall management

• Operating system deployment

• PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management

• Power management

• Custom reporting

Page 60: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Comprehensive security policies are enforced on each platform

Reporting available on each setting whether it is applicable, conformant or has an error

Extensive configuration settings are available for each platform

Policies can be applied to user and device groups

User

Page 61: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

VPN

Automatic VPN connection

Per-app VPN (iOS)

Page 62: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

WiFi settings

Manage and distribute certificates

Provision networks

Setup certificate based authentication

Page 63: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

IT

User

Hardware properties for mobile devices are collected

Company app inventory is collected

Personal app inventory is not collected

Reporting

Page 64: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Productivity

If compliant,

email access is

granted

7

Enrollment /

compliance

remediation

5

If not compliant,

push device into

quarantine

Quarantine

4

2

Quarantine email with remediation steps

Link to enroll device and compliance remediation steps

Who does what?

Intune: Evaluate policy compliance for device

Azure AD: Authenticate user and provide device compliance status

Exchange Online: Enforces access to email based on device state

Attempt

email

connection1

3

Azure Active Directory

Set device

management/

compliance

status

6Office 365

Mobile device

Microsoft Intune

Page 65: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

2Attempt

email

connection

1Block unmanaged

device

5

Allow managed

device

Device

enrollment 4

6

If managed,

email access

is granted

Who does what?

Intune: Evaluate and manage device state

Exchange Server: Provides API and infrastructure for quarantine

Quarantine email with remediation steps

Link to enroll device

3

If not managed,

push device into

quarantine

Quarantine

Mobile device

Microsoft IntuneOn-premises

Exchange

server

Page 66: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Office mobile apps

Microsoft Office mobile apps are natively manageable with Intune

• Word

• Excel

• PowerPoint

• OneNote

• Outlook

• OneDrive for Business

Intune Viewer apps

Intune provides apps for secure content viewing

• Managed Browser

• PDF Viewer

• AV Player

• Image Viewer

Intune App Wrapping Tool

Make any app manageable without modifying code

• ‘Wrap’ internal line-of-business (LOB) apps to manage with Intune MAM policies

Intune App SDK

Build your apps from the ground-up with Intune App SDK

• Developers can easily integrate applications for manageability

• Provide more control over user experience with App SDK (vs. App Wrapping Tool)

Page 67: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Intune App Wrapping Tool

Allows you to apply Intune MAM policies to existing line-of-business (LOB) apps:

• Post-compilation command line tool for IT Pros

• Supports repackaging unencrypted applications

• Applications are signed with company-specific certificates

Intune App Wrapping Tool:

• Platform-specific tools for iOS (Mac OS X 10.8.5+) and Android (Windows)

• Published by Microsoft (available on Download Center)

• Product documentation and in-tool command line help

Intune App SDK

Enables additional options to manage internal apps with Intune MAM policies:

• Intune App SDK and App Wrapping Tool use the same processing and enforcement engine

• SDK can be used for both LOB apps and store apps

• Enables additional MAM functionality over the app than the App Wrapping Tool (for example: disable save as functionality of the app)

Page 68: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Intune app wrapping tool or SDK

Apply MAM policies

Deploy app

LOB application

IT

User

Page 69: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

App origination | Scenarios | Windows 8.1/10 | Windows Phone 8.1 | iOS | Android

Line-of-business apps (Sideloading)

Available in Company Portal; targeted to users ● ● ● ●

Mandatory install and uninstall; targeted to users and devices ● ● ● User consent required User consent required

Public store apps

Deep linked app; available in Company Portal; targeted to users ● ● ● ●

Managed store app; available in Company Portal; targeted to users ● ●

Managed store app; mandatory install and uninstall; targeted to users and devices User consent required User consent required

Page 70: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

External/Deep linked apps

• End user is taken to the store for installation

• Installation status is not reported in the admin console

• IT Pro can only make it available in Company Portal

• App on the device is marked as a personal app in inventory

• Works for both free and paid apps

• MAM policies cannot be applied

Managed store apps

• No trip to the store; installation begins directly

• Installation status is reported in the admin console

• Push apps; apps can be installed directly.

• App on the device is marked as a managed app in the inventory

• Works only for free store apps

• MAM policies can be applied

Page 71: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Full wipe

Restore device to factory defaults

• All data on the device is removed

• Device is reset to factory defaults

• Typically used for lost/stolen devices or resetting corporate-owned devices

Selective wipe

Remove company assets from device

• Company resources (apps, data, profiles, certificates, settings, and email) are removed

• MAM support adds ability to remove only corporate data from multi-account applications

• Typically used for personal-owned devices

Page 72: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Bulk enrollment

• Bulk enroll devices with a service account

• Support for Apple Configurator

• Support for Apple Device Enrollment Program

• Windows 10 provisioning profiles

Configuration policies

• Custom iOS policy

• Device lockdown

• Policies and apps targeted to devices

• Application install allow/deny list

Page 73: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Enrolls devices on behalf of users

Apply policies

IT

Business Manager

Distributes to users

Restaurant

School

Retail Store

Page 74: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Export device enrollment profile from Intune

Configure iOS devices with the Apple Configurator

iOS devices will automatically enroll on first power on

Import to Apple Configurator

IT

User

Page 75: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

User IT

Page 76: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

IT

User

Export a custom configuration policy from Apple Configurator

Import the custom configuration file to Intune

Deploy a custom policy to iOS devices

Page 77: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Platform Allow/block enforcement

Windows 10 Enforced by device OS (always compliant)

Windows Phone 8.1 Enforced by device OS (always compliant)

iOS Audit reporting

Android Audit reporting

Page 78: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

App origination | Scenarios | Windows 8.1/10 | Windows Phone 8.1 | iOS | Android | Installation status | Application update

Line-of-business apps (Sideloading)

Available in Company Portal; targeted to users ● ● ● ● ● ●

Mandatory install and uninstall; targeted to users and devices User consent required User consent required ● ●

Public store apps

Deep linked apps; available in Company Portal; targeted to users ● ● ● ●

Managed store apps; available in Company Portal; targeted to users ● ● ●

Managed store apps; mandatory install and uninstall; targeted to users and devices User consent required User consent required

Page 79: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Category | Win 8.1/10 | Windows Phone 8.1 | iOS | Android/KNOX | Exchange ActiveSync

Password ● ● ● ●

Encryption ● ● ●

Malware ●

System Settings ● ● ● ●

Cloud ● ●

Windows Server Work Folders ●

Accounts and Sync ● ●

Email ● ● ●

Browser ● ● ● ●

Store Applications & Gaming ● ● ●

Device Hardware ● ● ●

Device Cellular/Roaming ● ● ●

Device Features ● ● ●

Page 80: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Platform

Desktop Apps (.msi, .exe) *

Modern App Types

Managed Store app

Side loading

Deep Links

Web apps

.app .app .ipa .apk

Windows 8.1/10 ● ● ● ●

Windows RT ● ● ●

iOS ● ● ● ●

Android ● ● ● ●

Windows Phone ● ● ●

Windows 7 and below ● ●

Page 81: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

Category | Feature | Exchange ActiveSync | MDM for Office 365 | Microsoft Intune (cloud only) | Intune + ConfigMgr (hybrid)

Device configuration

Inventory mobile devices that access corporate applications ● ● ● ●

Remote factory reset (full device wipe) ● ● ● ●

Mobile device configuration settings (PIN length, PIN required, lock time, etc.) ● ● ● ●

Self-service password reset (Office 365 cloud only users) ● ● ● ●

Office 365

Provides reporting on devices that do not meet IT policy ● ● ●

Group-based policies and reporting (ability to use groups for targeted device configuration) ● ● ●

Root and jailbreak detection ● ● ●

Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe) ● ● ●

Prevent access to corporate email and documents based upon device enrollment and compliance policies ● ● ●

Premium mobile device & app management

Self-service Company Portal for users to enroll their own devices and install corporate apps ● ●

App deployment (Windows Phone, iOS, Android) ● ●

Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles ● ●

Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management) ● ●

Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune ● ●

Remote device lock via self-service Company Portal and via admin console ● ●

PC management

Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.) ● ●

PC software management ● ●

Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.) ●

Windows Server/Linux/UNIX/Mac OS X support ●

OS deployment and imaging ●

Page 82: Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan

David J. Rosenthal, [email protected] ex. 5001