Office 365 Mobile Device Management: What Is It, and Why Should You Care
Paul Robichaux
Summit 7 Systems [email protected]
Introduction
The rise of BYOD
• Mobile devices have become ubiquitous
  – Blame BlackBerry and Steve Jobs
• Work time has expanded
  – “You can work anywhere, anytime” has become “you must”
• Employers are stingy
  – If you can get employees to provide their own devices and data plans…
The dark side of BYOD
• Your data, their device
  – Can’t guarantee physical or data integrity
  – Theft, loss, damage are all threats
  – Security policies viewed with suspicion and hostility
• Version, device, and application support
• End-to-end troubleshooting
BYOD coping strategies*
• Denial
  – Don’t allow any user-provided devices
• Bargaining
  – Allow user-provided devices subject to ToU
• Acceptance
  – Perhaps better described as “resignation”
*Anger, depression strategies are options
Common MDM tools
• Restrict which devices are allowed to sync
• Restrict which users are allowed to sync
• Restrict what users can sync
• Store all synced content in a separate container
The MDM lifecycle
1. Enrollment places a device under management
2. Configuration applies settings / policies
3. Secure enforces settings
4. Manage
5. Monitor
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx
Exchange ActiveSync
• EAS is both a transport protocol and an MDM protocol
• Designed years ago, it has many limitations
  – Doesn’t address many capabilities customers want: app policies, jailbreak protection, etc.
  – Rate of change is low due to installed base
• But it’s also ubiquitous and cheap
  – Great 80% solution
Exchange ActiveSync
Pros
• Cheap
• Widely available
• Fully integrated with Exchange
• Equivalent on-prem/online feature sets
Cons
• Limited feature set
• Not every device supports the full protocol
• No integrity protection
• No containerization
• Only supports Exchange
MDM Pieces and Parts
Surpassing EAS
• Competing MDM solutions have taken significant market share
• Microsoft’s previous effort was SCMDM
• Second attempt was Intune
• O365 MDM is a subset of Intune
What is Intune?
• Microsoft says… “Intune is a cloud-based service that lets you manage mobile devices, PCs, and apps so your users can be productive while you protect your company's information.”
What is Intune?
• Part of Enterprise Mobility Suite (EMS)
• Can manage PCs and mobile devices
• Offers mobile app management (MAM)
• We won’t talk about it further in this session
What is Office 365 MDM?
• Subset of Intune
  – Doesn’t manage PCs
  – Doesn’t integrate with SCCM
  – Managed using O365 admin center
• Cloud-only
• Provides three main functions
  – Conditional access
  – Device management
  – Selective wipe
Conditional access
• Blocks access to Office 365 resources unless policy conditions are met
  – Mail through EAS
  – Mail through Outlook
  – OneDrive
  – Documents through Office apps
Device management
• Enforces security policies you specify
• Devices that don’t meet policy may not be allowed to connect
• Policies vary between device families
  – E.g. “force encrypted cloud backup” only works on iOS
Selective wipe
• EAS wipe erases the entire device
  – Users don’t like this
• O365 MDM wipe allows you to choose:
  – Wipe the whole device, EAS-style
  – Wipe only data that came from O365
  – Wipe the device after multiple wrong password attempts
What “selective” means
• The Company Portal app is removed
• Data synced into Outlook is removed
• Data synced into OneDrive for Business is removed
• Policy settings are no longer enforced
• Managed email profiles are removed
• The device is removed from the list of managed devices
• Everything else stays
Configuring O365 MDM
Setting up O365 MDM
• Remember the lifecycle diagram?
• Turns out there are 2 extra steps
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx
Step 0: Audit devices
• Audit your devices!
• Admins are always surprised by the audit results
  – Ancient devices
  – Departed employees
• Best way: use Paul Cunningham’s Get-EASDeviceReport.ps1: http://bit.ly/1zEbJG5
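If you want a quick look before running the full report, this added example (not Paul Cunningham’s script and not part of the deck) lists every EAS device partnership in the tenant and flags those that have not synced within a threshold, which is where the ancient devices and departed employees show up. It assumes an existing Exchange Online PowerShell session; the 90-day threshold is an assumption.

```powershell
# Added example, not Get-EASDeviceReport.ps1: flag stale EAS device partnerships
# before MDM enforcement is turned on. Assumes Connect-ExchangeOnline has been run.

param(
    [int]$StaleDays = 90   # assumed threshold; align with your own retention policy
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($device in Get-MobileDevice -ResultSize Unlimited) {
    # Per-device sync history; LastSuccessSync is $null for a device that never synced
    $stats    = Get-MobileDeviceStatistics -Identity $device.Identity -ErrorAction SilentlyContinue
    $lastSync = if ($stats) { $stats.LastSuccessSync } else { $null }

    [pscustomobject]@{
        User        = $device.UserDisplayName
        DeviceType  = $device.DeviceType
        DeviceModel = $device.DeviceModel
        DeviceOS    = $device.DeviceOS
        AccessState = $device.DeviceAccessState   # Allowed / Blocked / Quarantined
        FirstSync   = $device.FirstSyncTime
        LastSync    = $lastSync
        # Never-synced or long-idle partnerships are the ones to review first
        Stale       = (-not $lastSync) -or ($lastSync -lt $cutoff)
    }
}

# Stale devices at the top, oldest sync first
$report |
    Sort-Object -Property @{ Expression = 'Stale'; Descending = $true }, LastSync |
    Format-Table User, DeviceType, DeviceOS, AccessState, LastSync, Stale -AutoSize

# Keep a copy for the audit trail
$report | Export-Csv -Path .\EASDeviceAudit.csv -NoTypeInformation
```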
Step 0, part 2: Config tenant
• Before you can enroll devices you must configure the tenant in Office 365
  1. Enable MDM in the Mobile Devices tab
  2. Configure DNS
  3. Configure APNS
Enabling feature in tenant
• Go to “Mobile Devices” tab on left nav bar in Office 365 admin portal
• Follow instructions
Creating DNS records
• You may already have done this
• Two required CNAME records
  – Enterpriseregistration: used to register/re-register devices
    • Also used by Workplace Join
  – Enterpriseenrollment: used to enroll brand-new devices
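An added check (not from the deck) that confirms both CNAMEs resolve to the targets Microsoft documents for Office 365 MDM, so a mistyped alias is caught before users hit enrollment errors. The domain is a placeholder; it runs on any Windows host with the DnsClient module.

```powershell
# Added example: verify the two CNAME records Office 365 MDM requires for a domain.
# Targets are Microsoft's documented values; 'contoso.com' is a placeholder.

param(
    [string]$Domain = 'contoso.com'   # placeholder; use your verified Office 365 domain
)

$expected = @{
    'enterpriseregistration' = 'enterpriseregistration.windows.net'
    'enterpriseenrollment'   = 'enterpriseenrollment.manage.microsoft.com'
}

foreach ($label in $expected.Keys) {
    $name   = "$label.$Domain"
    $target = $expected[$label]
    try {
        # Ask for the CNAME only, so a stray A record on the name cannot hide a missing alias
        $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'CNAME' } |
                  Select-Object -First 1
        if (-not $answer) {
            "MISSING  $name (no CNAME returned)"
        } elseif ($answer.NameHost.TrimEnd('.') -eq $target) {
            "OK       $name -> $($answer.NameHost)"
        } else {
            "WRONG    $name -> $($answer.NameHost) (expected $target)"
        }
    } catch {
        # NXDOMAIN and resolver failures both land here
        "MISSING  $name ($($_.Exception.Message))"
    }
}
```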
APNS enrollment
• Apple Push Notification Service needed if you have iOS devices
• You request a cert then upload it to Apple’s portal
The enrollment process
Image courtesy Microsoft; “Windows 8.1 Enterprise Device Management Protocol.pdf”
Configuring security policies
• You manage policies through the Compliance Center
  – Show of hands: who’s been to that page?
Policies and groups
• You assign policies to security groups
  – So create the groups first
• Single org-wide exclusion group
• Policies apply to users, not devices
  – Joe has two iOS devices and a Lumia 950…
  – This is different from EAS
What do policies do?
• Depends on device OS
  – Not every device OS supports every setting
  – E.g. “Block access to application store” works on WP + iOS, not Android
• Depends on your policy setting
  – You can allow non-compliant devices or not
• See http://summit7systems.com/office-365-mobile-device-management-policies/
Policy application
• Devices must download policy
  – No download, no policy
  – Devices that report that they don’t have a policy are blocked
• Up to 6-hour window when you apply a policy to existing users
  – Newly created users get the policy immediately when they’re added to the target group
DEMO: MDM security policies
Enrolling devices
• Automatic enrollment happens when you add a user to a group that has a policy assigned
• Manual enrollment may require the user to install an app
  – iOS: install Company Portal app
  – Android: install Company Portal app
  – WP8.x: built-in
  – Win10: built-in
Setting up O365 MDM
• When you add a user to a group that has a policy assigned, that user’s devices will be enrolled
• User must opt in
Image courtesy of MVP Paul Cunningham since I stupidly forgot to bring an iOS device
Auto-enrollment
• After user accepts opt-in prompt, they must download and install Company Portal app for their OS
  – Fairly simple process that still may confuse non-technical users
New enrollment experience
• MS is rolling out a “new” end user experience
• Users who are blocked by policy get an email with a link to get the Company Portal app
Manage and monitor
• Office 365 admin center shows you enrolled devices and their states
• Compliance Center device compliance reports
• Third-party reporting tools (e.g. Cogmotive)
DEMO: MDM management and reporting
The big picture
What should I use?
• O365 MDM replaces EAS
  – Any existing EAS policy will be overwritten when you enroll the device
• Intune replaces O365 MDM
  – Much broader feature set
  – Aggressive bundle pricing through EMS
• Several third-party solutions
  – Installed base and feature set drive this decision
EAS
• EAS is cheap, cheerful, compatible
  – Very wide range of supported devices
  – Basic policy management only
  – You’re probably already using it
  – Don’t expect much future investment
  – The split may be coming…
Office 365 MDM
• Included in most SKUs
• Good functionality
• Can easily be expanded to Intune
Intune
• Tons of functionality
  – More complex to deploy and manage