EMS - The next level
Mobility First | Cloud First
Per Larsen, Solution Architect | [email protected] | m: +45 3078 1828 | f: +45 7025 2575
Co-Organizer - Everything Windows User Group Denmark | www.ewug.dk
in: http://www.linkedin.com/in/perlarsen1975 | t: @PerLarsen1975
Blog: http://osddeployment.dk
Life before cloud
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter

Life with cloud
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection

(diagram: on-premises storage and corp data; users)
What is driving change?
Agenda: EMS the next level
• Windows 10 and Azure AD join
• Automatic MDM enrollment
• Microsoft Passport for Work
• Deploy MSI to Windows 10 MDM-joined devices
• Device Group Mapping
• Use OMS to view System Update Assessment
• Windows Store for Business integrated into Intune
• How to deploy an application from Windows Store for Business with Intune
• Show only the private Store with OMA-URI
• Security
• Identity as a service: core architecture
• Conditional Access
• Conditional Access: challenges from real life
• AD Connect new feature: Device Writeback
Devices | Windows 10 | Cloud
Azure AD Join and Automatic MDM enrollment
Auto MDM enroll Windows 10 when Azure AD joined
• Requirements: Azure AD Premium
• Settings in Azure AD: maximum number of devices per user = 20
• Intune: maximum number of devices per user = 5 (the lower Intune limit is the one that stops a sixth enrollment, even though Azure AD would still allow the join)
• Intune custom OMA-URI setting for Windows 10 devices: ./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment (integer). Set it to 0 so the user cannot disconnect the device from MDM in Settings, which would otherwise undo the automatic enrollment.
• How to set up Azure AD Join on a Windows 10 device: demo
What is two-step verification / Microsoft Passport
• Microsoft Passport is set up on the user's device: a key pair is generated on the device and the public key is registered with Azure AD, so the password is replaced by a device-bound credential
• The user sets a gesture, which can be Windows Hello (biometrics) or a PIN; the gesture unlocks the private key on the device, and the key never leaves it
How to disable or configure Microsoft Passport
Deploy MSI to Windows 10 MDM-joined devices
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
Device Group Mapping
Use OMS to view System Update Assessment
Windows Store for Business
Windows Store for Business integrated into Intune
How to deploy Application from Windows Store for Business with Intune
Show only the private Store with OMA-URI (RequirePrivateStoreOnly = 1 hides the public Store; it does not disable the private one)
./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly
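The deck delivers two Policy CSP settings as Intune custom OMA-URI rows (AllowManualMDMUnenrollment above and RequirePrivateStoreOnly here) but does not show how to confirm they reached the device. The script below is an added example, not code from the deck or from Microsoft: it reads both values back on an enrolled Windows 10 device and compares them with the intended values. Its one assumption, which the deck does not state, is that MDM-delivered Policy CSP values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\<scope>\<Area>, with <scope> being device for ./Device URIs and the user's SID for ./User URIs.

```powershell
# Added example (not from the deck): read back Intune-delivered Policy CSP settings.
# ASSUMPTION: values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\<scope>\<Area>,
# where <scope> is 'device' for ./Device/... URIs and the signed-in user's SID for ./User/... URIs.
function Get-MdmPolicyValue {
    param([Parameter(Mandatory)][string]$OmaUri)

    # Only Policy CSP URIs have the <Area>/<Policy> shape we can map to the registry mirror
    if (-not ($OmaUri -match '^\./(Device|User)/Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$')) {
        throw "Not a Policy CSP OMA-URI: $OmaUri"
    }
    $area   = $Matches[2]
    $policy = $Matches[3]
    $scope  = 'device'
    if ($Matches[1] -eq 'User') {
        # user-scoped policies are keyed by the SID of the user they were delivered to
        $scope = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }

    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$scope\$area"
    if (-not (Test-Path -Path $key)) { return $null }                     # area never delivered
    $item = Get-ItemProperty -Path $key -Name $policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                                  # policy never delivered
    return [int]$item.$policy
}

# Intended values for the two settings in the deck; both are integers in the Policy CSP.
$expected = [ordered]@{
    # 0 = the user cannot choose "Disconnect" from the MDM account in Settings
    './Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment'       = 0
    # 1 = the Store app shows only the organisation's private store
    './User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly' = 1
}

$report = foreach ($uri in $expected.Keys) {
    $actual = Get-MdmPolicyValue -OmaUri $uri
    $state  = 'MISMATCH'
    if ($null -eq $actual)                 { $state = 'NOT APPLIED' }
    elseif ($actual -eq $expected[$uri])   { $state = 'OK' }
    [pscustomobject]@{ State = $state; Expected = $expected[$uri]; Actual = $actual; OmaUri = $uri }
}
$report | Format-Table -AutoSize
```

Run it in the context of the enrolled user (the ./User policy is looked up by that user's SID). NOT APPLIED after a sync usually means the OMA-URI row was typed with the wrong scope or data type in the Intune console; MISMATCH means a later policy or a local change overrode the value.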
Security
Identity as a service: core architecture
(architecture diagram) On-premises and private cloud: Windows Server Active Directory, other directories and HR as core identity management, on-premises applications. Sync and (Active Directory) Federation Services connect them to Azure AD, which enables users and devices for SaaS apps (10,000+), custom apps and other apps. Advanced identity and access management functions: RBAC, ABAC, B2B, B2C, reporting, strong AuthN, ID management, conditional access, risk reporting.
Introducing 'Conditional Access Control'
Inputs to the access decision:
• Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
• User attributes: user identity, group memberships, auth strength (MFA)
• Application: business sensitivity
• Other: inside corp. network, outside corp. network, risk profile
All of these feed the conditional access control decision.
Conditional access for Office 365
Flow between the mobile device, Azure Active Directory, Microsoft Intune and Office 365:
1. Mobile device attempts email connection
2. Azure AD: is the device managed and compliant?
3. Intune returns the device state
4. If not compliant, push the device into quarantine
5. Quarantine email with remediation steps: link to enroll the device and compliance remediation steps; enrollment/compliance remediation
6. Intune sets the device management/compliance status in Azure AD
7. If compliant, email access is granted
Who does what?
• Intune: evaluates policy compliance for the device
• Azure AD: authenticates the user and provides the device compliance status
• Exchange Online: enforces access to email based on device state
Intuitive end-user experience
Quarantine email text: "To access your Contoso e-mail and other company resources, this device needs to be enrolled with Contoso. Part of this process includes installing the Company Portal. Click the first link below to begin this process."
Step 1: Enroll your device.
Step 2: Once you've enrolled your device, click here to activate your enrollment.
• Restrict access for non-managed devices and non-compliant devices
• Assistance with remediating issues: steps are provided on how to enroll devices and remediate compliance issues
• Quick compliance remediation and evaluation: Intune automatically remediates most policy issues, and the end user can re-trigger compliance evaluation in the Company Portal
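The flow above names the parties and the numbered steps but leaves the order of the checks and the two different quarantine outcomes implicit. The script below is an added example written for this page; it is not Azure AD, Intune or Exchange Online code, and its input shapes, the "MFA for a sensitive app from outside the corp. network" rule and the sample devices are assumptions constructed for the example. The Intune user portal URL is the one from the deck's link list.

```powershell
# Added example (not from the deck): a model of the conditional-access decision.
# ASSUMPTIONS: hashtable shapes, the MFA rule and the sample cases are invented for this example.
function Get-DeviceState {
    # Step 3: what Intune reports back to Azure AD for a device
    param([Parameter(Mandatory)][hashtable]$Device)
    [pscustomobject]@{
        Managed   = [bool]$Device.Managed       # MDM enrolled in Intune
        Compliant = [bool]$Device.Compliant     # meets the Intune compliance policy
        Lost      = [bool]$Device.LostOrStolen  # reported lost/stolen, retired or wiped
    }
}

function Test-ConditionalAccess {
    param(
        [Parameter(Mandatory)][hashtable]$User,     # Identity, Groups, MfaSatisfied
        [Parameter(Mandatory)][hashtable]$Device,   # Authenticated, Managed, Compliant, LostOrStolen
        [Parameter(Mandatory)][hashtable]$Context,  # App, AppIsSensitive, InsideCorpNetwork
        [string]$EnrollUrl = 'https://portal.manage.microsoft.com'   # Intune user portal
    )
    $r = [ordered]@{ Decision = ''; Reason = ''; Steps = @() }

    # Step 2 (Azure AD): authenticate first; device state is irrelevant until this passes
    if (-not $Device.Authenticated) {
        $r.Decision = 'Deny'; $r.Reason = 'authentication failed'
        return [pscustomobject]$r
    }
    # Auth strength: sensitive app reached from outside the corp. network needs MFA (assumed rule)
    if ($Context.AppIsSensitive -and -not $Context.InsideCorpNetwork -and -not $User.MfaSatisfied) {
        $r.Decision = 'Deny'; $r.Reason = 'MFA required for this app from outside the corp. network'
        $r.Steps = @('Complete multi-factor authentication and retry')
        return [pscustomobject]$r
    }
    # Steps 3-4: Intune state, enforced by Exchange Online. Lost/stolen wins over everything else.
    $state = Get-DeviceState -Device $Device
    if ($state.Lost) {
        $r.Decision = 'Deny'; $r.Reason = 'device reported lost or stolen'
        return [pscustomobject]$r
    }
    if (-not $state.Managed) {
        # Step 5, first quarantine flavour: an unmanaged device can never be compliant, so enroll first
        $r.Decision = 'Quarantine'; $r.Reason = 'device is not MDM managed'
        $r.Steps = @("Step 1: Enroll your device at $EnrollUrl",
                     'Step 2: Once enrolled, activate your enrollment')
        return [pscustomobject]$r
    }
    if (-not $state.Compliant) {
        # Step 5, second quarantine flavour: managed, so only the failing policy items need fixing
        $r.Decision = 'Quarantine'; $r.Reason = 'device is managed but not compliant'
        $r.Steps = @('Open the Company Portal and fix the listed compliance issues',
                     'Re-trigger the compliance evaluation from the Company Portal')
        return [pscustomobject]$r
    }
    # Step 7
    $r.Decision = 'Grant'; $r.Reason = 'device is managed and compliant'
    [pscustomobject]$r
}

# Constructed sample cases (not real tenants or devices)
$user    = @{ Identity = 'user@contoso.com'; Groups = @('Sales'); MfaSatisfied = $false }
$context = @{ App = 'Exchange Online'; AppIsSensitive = $false; InsideCorpNetwork = $false }
$cases = @(
    @{ Name = 'BYOD phone, never enrolled';  Device = @{ Authenticated = $true; Managed = $false; Compliant = $false; LostOrStolen = $false } },
    @{ Name = 'Enrolled, PIN policy not met'; Device = @{ Authenticated = $true; Managed = $true;  Compliant = $false; LostOrStolen = $false } },
    @{ Name = 'Enrolled and compliant';       Device = @{ Authenticated = $true; Managed = $true;  Compliant = $true;  LostOrStolen = $false } },
    @{ Name = 'Compliant but reported lost';  Device = @{ Authenticated = $true; Managed = $true;  Compliant = $true;  LostOrStolen = $true  } }
)
foreach ($c in $cases) {
    $res = Test-ConditionalAccess -User $user -Device $c.Device -Context $context
    '{0,-30} {1,-10} {2}' -f $c.Name, $res.Decision, $res.Reason
    $res.Steps | ForEach-Object { "    $_" }
}
```

The order of the checks is the point: a lost device is denied even though it is compliant, and an unmanaged device gets the enroll link rather than compliance steps, because compliance can only be evaluated once Intune manages it.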
Conditional Access: challenges from real life
• Different mobile OSes
• Outlook app not working on iOS and Android
• CA for Windows not working with RDS or Citrix
• Apple DEP enrollment not working with CA
AD Connect new feature: Device Writeback
• Requirements: Azure AD Premium
• How to enable it?
• What can we use Device Writeback for?
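The deck raises "how to enable" and "what is it for" without an answer on the slide. The script below is an added example, not from the deck or from Microsoft: it checks that device writeback is actually delivering objects to the on-premises forest. Device writeback creates a RegisteredDevices container at the domain root and writes each Azure AD device there as an msDS-Device object; the preparation cmdlet in the comment ships with Azure AD Connect, but the domain name, the connector account and the installation path are placeholders.

```powershell
# Added example (not from the deck): verify device writeback after enabling it in AD Connect.
# Enabling it (run once on the AD Connect server as an Enterprise Admin; path/account are placeholders):
#   Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
#   Initialize-ADSyncDeviceWriteback -DomainName contoso.com -AdConnectorAccount 'CONTOSO\MSOL_svc'
# then tick "Device writeback" under Optional features in the AD Connect wizard.
Import-Module ActiveDirectory

function Get-WrittenBackDevice {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $container = "CN=RegisteredDevices,$DomainDn"

    # The container only exists once Initialize-ADSyncDeviceWriteback has run for this domain
    try   { $null = Get-ADObject -Identity $container -ErrorAction Stop }
    catch { throw "No $container container: device writeback has not been initialised for this domain" }

    Get-ADObject -Filter 'objectClass -eq "msDS-Device"' -SearchBase $container `
                 -Properties displayName, 'msDS-DeviceID', 'msDS-IsEnabled', whenCreated, whenChanged |
        Select-Object displayName,
                      @{ n = 'DeviceId'; e = {
                          # msDS-DeviceID is stored as a 16-byte octet string; show it as the Azure AD device GUID
                          $id = $_.'msDS-DeviceID'
                          if ($id -is [byte[]] -and $id.Length -eq 16) { [guid]::new($id) } else { $id } } },
                      @{ n = 'Enabled';  e = { $_.'msDS-IsEnabled' } },
                      whenCreated, whenChanged
}

$devices = @(Get-WrittenBackDevice)
'{0} device object(s) written back' -f $devices.Count
$devices | Sort-Object whenChanged -Descending | Format-Table -AutoSize
```

What it is for: AD FS reads these msDS-Device objects when it issues device claims, so conditional access on on-premises applications published through AD FS depends on them. A device that is registered in Azure AD but missing here has not synced yet (writeback runs on the normal sync cycle) or is out of writeback scope, and AD FS will treat it as unknown until it appears.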
Useful links
• Office 365 Portal: https://portal.office.com
• Azure AD Portal: https://manage.windowsazure.com
• Intune Admin portal: https://manage.microsoft.com
• Intune User portal: https://portal.manage.microsoft.com
• Windows Store for Business: https://businessstore.microsoft.com
• Microsoft Operations Management Suite: http://oms.microsoft.com
© 2015 Atea A/S. All rights reserved. This presentation is for informational purposes only. Atea A/S makes no warranties, express or implied, in this summary.
Thank you