Identitet

+

Mobil kontroll

+

InformasjonssikkerhetOlav Tvedt

Sjefs Konsulent

MVP – Windows Expert-ITPRO

Twitter: @olavtwitt

Blog: http://olavtvedt.blogspot.com

52% of information workers

across 17 countries report

using three or more devices

for work*

>80% of employees admit to

using non-approved software-

as-a-service (SaaS) applications

in their jobs***

90% of enterprises will have

two or more mobile operating

systems to support in 2017**

Mobility is the new normal52% 90% >80%

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

What's driving change?

User Devices Apps Data IT

Empowering enterprise mobility

Protect your data

Enable your users

User IT

Unify your environment

People-centric approach

Devices Apps Data

Capabilities for a mobile IT infrastructure

Device

management

Connect existing

applications, data

& services to

any device

Content

management

Manage,

store &

process data

Identity &

access

Support

common

identity control

Application

management

Manage new &

existing apps to

any device

Application

development

Develop,

test & deploy

new apps

Ringo

George

Paul

John

How Microsoft can help mobile transformation

Device

management

Content

management

Application

management

Application

development

Identity &

access

Application

management

Microsoft

Intune

Office 365

System Center

Configuration

Manager

Microsoft Azure

RMS

Office 365

Active Directory

RMS

SharePoint

Microsoft Azure

Active Directory

Active Directory

Microsoft Intune

System Center

Configuration

Manager

Microsoft Visual

Studio

Xamarin

Microsoft Visual

Studio Online

How Microsoft can help mobile transformation

Identity &

access

Microsoft Azure

Active Directory

Active Directory

Identity and Access

Microsoft apps

Non-MS cloud-based apps

Active Directory

Active Directory

Microsoft

Account

(Personal)

Other

Accounts

(Personal)

Capabilities• Single Sign on Identity

• Multifactor Authentication

• High Value Asset Protection

• Single Console Device Management

PERIMETER

Other Directories

Custom LOB apps

ISV/CSVapps

PCs and devices

Azure Active Directory

Self-service Singlesign on

•••••••••••

Username

Simple connection

Cloud

SaaSAzure

Office 365Intune

Other Directories

Windows ServerActive Directory

On-premises Microsoft Azure Active Directory

How Microsoft can help mobile transformation

Application

development

Microsoft Visual

Studio

Xamarin

Microsoft Visual

Studio Online

Application development

Use the same

language, APIs and

data structures to

share an average of

75% of app code

across all mobile

development

platforms.

How Microsoft can help mobile transformation

Device

management

Microsoft

Intune

Office 365

System Center

Configuration

Manager

Microsoft Intune

System Center

Configuration

Manager

Application

management

Device & Application Management

Capabilities• Hybrid Identity

• Single Console Device Management

• Deploy and manage apps

• Deploy and manage devices

Active Directory

Identity

Microsoft

Intune Azure AD

Enterprise

Certificate Services

System Center 2012 R2

Configuration Manager

CLOUD PERIMETER

MicrosoftAzure

Unified device management

Application management

Comprehensive Windows, Linux, and Mac management

Mobile device management

User IT

System Center Configuration Manager

Clients

Hybrid Only

Jailbreak detection

SymptomsLook for symptoms of jailbroken device

changes in OS behavior

binaries, config files

presence of certain apps/libraries

Future ProofDetection logic not tied to any specific jailbreak kit or version

TestingRegularly verify against latest jailbreak kits

Android

Conditional AccessSecure access to email, SharePoint Online services using conditional access policy

Data ProtectionPrevent data leakage from mobile apps using Intune data protection SDK

Resource AccessDeploy VPN, Wi-Fi, Certificate profiles to easily enable access

Data Loss PreventionSelectively wipe corporate data off lost/stolen devices

Secure Android Devices and

Applications with Microsoft Intune

Wide range of supportSupport for all Android devices 4.0+

UX consistencyConsistent management and user experience across all device OEMs

Best productivity suiteProductivity with Microsoft Office

Separation of business and personal dataIdentity-aware apps let IT control corporate data while leaving personal data untouched

Emphasis on User Experience

Device & compliance policy

• PIN

• Encryption

• Root detection

Publish managed apps

• Office

• Intune viewer apps

Deploy MAM policy with apps

• Copy/paste protection

• Sharing restrictions

• Cloud backup restrictions

• Screenshot restricting

What to consider for secure Android email and collaboration

Application InstallationPlay Store Apps Side loading (APK) Web links

Required installation

(mandatory)

Yes Yes Yes

Available installation

(in catalog)

Yes Yes Yes

Uninstall No Yes Yes

Remove on Retire No Yes

(KNOX only)

Yes

iOS

Kieran Gupta

iOS Device

Apple

MDM Agent

Microsoft Intune

Company Portal

Enrollment

PoliciesConfig Profiles

Remote commands

LOB apps

App Store apps

Inventory

check-in

Retire

iOS Device

Apple

MDM Agent

Microsoft Intune

Company Portal

Enrollment

Remote commands

LOB apps

App Store apps

RetirePoliciesConfig Profiles

Inventory

check-in

Company Portal App

User-based enrollment

Install from the App Store

Apple ID required

Example: BYOD

Apple Configurator / DEPUser-less bulk enrollment via Service Account

User-based enrollment

Pre-enroll / out-of-box enrollment

Examples: kiosk, retail, corporate-owned CYOD

CorporateBYOD

Users brings device

Install Comp. Portal + Enroll

Apply policy + configuration

Out-of-box enrollment

Apply policy + configuration

Install Comp. Portal (user)

+ jailbreak detection

+ AAD device registration

(conditional access / compliance)

+ SSO and selective wipe

(managed Office apps)

+ lock MDM profile to device

+ enable Supervised mode

Supervised mode

Kiosk mode

Activation Lock bypass (Find My iPhone)

Silent app installation + prevent app uninstallation

Custom background, lock screen message, device name

Global HTTP proxy + always-on VPN

Prevent device factory reset

Prevent USB tethering

more…

Supervise your

corporate devices

iOS Custom Policy

ConfigureDefine any iOS setting or config payload available in

[ Config Profile Reference]

2 methods Apple Configurator

Custom-written XML

Deploy Custom iOS Policy

Import. mobileconfig

Deploy to users

<key>PayloadType<key>

<string>com.apple.appaccess<string>

<key>allowCamera</key>

<false/>

…

Forward-thinking: iOS 9

Day 0 supportYour users can upgrade worry-free at GA

How we do it Compatibility testing

against beta drops

Proactive & regular communication with Apple

New FeaturesPrioritized and delivered based on customer demand.

Mac

10.9 10.1010.

8

10.

7

10.

6

20132010

MDM support

Mac Support – v1

SecureWeb-based enrollment

Passcode policies

Disk encryption

ConfigurePush WiFi/VPN profiles

Push custom policies

AuditHardware inventory

Software inventory

Device reports

Agent

Level 1 Level 2 Level 3

Self-Service Portal

Mac Management: Microsoft Philosophy

MDM

Demo: Intune

How Microsoft can help mobile transformation

Content

management

Microsoft Azure

RMS

Office 365

Active Directory

RMS

SharePoint

Content management

Capabilities• Hybrid Identity / SSO

• Multifactor Authentication

• High Value Asset Protection

• Single Console Device Management

Active Directory

Identity

Azure Rights

Management System

Microsoft

Intune

Trusted Platform Module

Encryption File System

Encrypting Hard Drives

Azure AD

Premium

Enterprise

Certificate Services

Securing the Boot

UEFI

TPM

Trusted Boot

Measured Boot

Securing the Code and Core

Security Development Lifecycle

(SDL)

Address space layout

randomization (ASLR)

Data Execution Prevention (DEP)

System Center 2012 R2

Configuration Manager

CLOUD PERIMETER

MicrosoftAzure

Access control to corporate data today

SharePointServer

Exchange Server

CORPORATE NETWORK

Mobile

devices

PCs

Browsers

INTERNETDMZ

Active

Directory

Policies

• Filter EAS

• Filter web access

• Filter or block mobile app access

• Block unmanaged devices

• Prevent downloads

• Force multi-factor authentication

• Require domain joined

• Force traffic via proxy/VPN

Protecting data in a mobile first, cloud first world

SharePointServer

Exchange Server

CORPORATE NETWORK

Mobile

devices

PCs

Browsers

INTERNETDMZ

Active

Directory

Solution

Access control and data

containment integrated

natively in the apps,

devices, and the cloud.

The perimeter can not

help protect data

Challenge

SharePointOnline

ExchangeOnline

Email profile management

Corporate email server

ITUser

Deploy email profile on enrollment

• Configure account settings and security restrictions

• Enable certificate authentication

• Synchronize email, task, contacts, and calendar

• Support for iOS, Samsung KNOX, and Windows Phone

Any email service supported by Exchange ActiveSync

Microsoft Intune

Consistent experience across:Windows

Windows Phone

Android

iOS

Discover and install corporate apps

Manage devices and data

Ability to contact IT

Customizable terms and conditions

Demo: Portal

Typical EMM Stack

Native device MDMStandard MDM provides device configuration and management

SDK/wrapper, helper apps

Managed browser, viewers

Custom SDK/wrapper enables LoB apps to be managed

Mobile application

management

Custom data containerprovides mobile productivity apps integrated with content and access systems.

Custom

email app

Custom

file app

Custom

collab app

Containers

1. Depend on specific DMZ infrastructure

2. Work on premise only

SharePoint

Server

Exchange Server

CORPORATE NETWORK

Active Directory

Fir

ew

all

Fir

ew

all

Perimeternetwork

Microsoft’s Mobility Stack

Native device MDMIntune: standard MDM

Intune App SDK

Intune App Wrapping Tool

Extensibility based on AAD and Intune. Enable business apps to interoperate with Office MobileManaged Office

productivity and more

O365: Mobile productivityAzure AD: Access control to O365Intune: Data container for Office mobile appsAzure RMS: Information protection at file level

Standard on-premises integration

SharePoint

Server

Exchange Server

CORPORATE NETWORK

Perimeternetwork

Active Directory

SharePointOnline

ExchangeOnline

Native cloud integration

Fir

ew

all

Fir

ew

all

Mobile data protection

Protect corporate data

accessed from devices

On-premises

Protect corporate data

cached on devices

User IT

Conditional access to email

Policy

verification

•••••••••

Username Microsoft Intune

Required settings defined by IT admin:

Enrolled device

Encrypted device

Passcode set

Admin console

Not jailbroken/rooted

ITITUser

Conditional access to email

Policy

verification

•••••••••

Username Microsoft Intune

Required settings defined by IT admin:

Enrolled device

Encrypted device

Passcode set

Admin console

Not jailbroken/rooted

ITITUser

Mobile application management

Maximize mobile productivity and protect corporate

resources with Office mobile apps

Extend these capabilities to existing line-of-business

apps using the Intune App Wrapping Tool

Enable secure viewing of content using the Managed

Browser, PDF Viewer, AV Player, and Image Viewer apps

Managed apps

Personal apps

Managed apps

IT

User

Selective wipe

Personal apps

Managed apps

Company Portal

Are you sure you want to wipe

corporate data and applications

from the user’s device?

OK Cancel

Perform selective wipe via self-service company portal or admin console

Remove managed apps and data

Keep personal apps and data intact

ITIT

ConclusionEMS

Multiple layers of data protection

ITUser

Enterprise

Mobility Suite

Identify and authorize user

Apply device policies

Apply application policies

Apply content policies

Active Directory Premium

Rights Management

Enterprise Mobility Suite + Office 365

• Common identity infrastructure

• Control access to on prem and SaaS

• Authentication and SSO

• Encryption and policy at the file level

Azure ADAzure RMSIdentity & Access

• World class productivity and collaboration

• Consistent experience across all devices

• IT compliance and data protectionOffice 365

Productivity

IntuneDevice & App Management

• Mobile device management

• Mobile application management

• Contain corporate data on devices

Integrated experiences• Conditional email access• Secure collaboration• Email based enrollment• Device and user provisioning• Single sign-on• Device compliance• App restriction• Lost or stolen device• Device wipe• Employee leaves the company• …and more in the works

Deployment options

Windows PC, Windows Phone, iOS, Android

System Center Configuration

Manager

Configuration Manager integrated with Intune (hybrid)Intune standalone (cloud only)

IT IT

Intune web console Configuration Manager console

Windows PC, Mac, Linux, Windows Phone, iOS, Android

How Microsoft can help mobile transformation

Device

management

Content

management

Application

management

Application

development

Identity &

access

Application

management

Microsoft

Intune

Office 365

System Center

Configuration

Manager

Microsoft Azure

RMS

Office 365

Active Directory

RMS

SharePoint

Microsoft Azure

Active Directory

Active Directory

Microsoft Intune

System Center

Configuration

Manager

Microsoft Visual

Studio

Xamarin

Microsoft Visual

Studio Online