Device & Content Management with Microsoft Enterprise Mobility + Security (EMS)
Microsoft Presenters:
Microsoft Tech Talks
PLEASE HELP YOURSELF TO FOOD / DRINKS
11:30AM - 12:30PM   Food / Networking / Sign-in
12:30PM - 12:45PM   Opening / Welcome
12:45PM - 3:00PM    Featured slot - Speaker
1) Connect to the wireless network MSFTGUEST
2) Open a browser and navigate to a web site to be redirected to the Captive Portal
3) Click on Event Attendee Code and enter the Wi-Fi event attendee code:
• Microsoft Tech Talks is a Technical Community event, designed to bring IT leaders in the local area together at a Microsoft facility for deep Microsoft-technology based discussions, and
• An opportunity to network and share with local Microsoft Services Professionals and other IT professionals.
• A Microsoft Services presenter delivers a technically-rich presentation covering a product, product feature, or service that Microsoft offers.
• Our presenters are world-class Subject Matter Experts and trusted advisors to our highly-valued customers.
• Our meetings are a great opportunity to 'ask the experts' questions about their given field of expertise.
• Subjects vary from session to session and attempt to be at the leading edge, showcasing our latest features and products available.
PLEASE…
• Join Us
• Join Other Groups
• RSVP Closed does not mean Closed! Look for the Microsoft Events sign-up link!
• We send details of other events out
• Look out for poll Qs
• Tell all your friends / colleagues
• Review us through Group Review!!
http://aka.ms/SMDCEMS
VERY Short 10 questions!
Please be aware that your feedback is extremely valued
and important to us, as in addition to improving the
quality of our events, it helps us to justify the time, effort
and money in hosting, funding and organizing these
events.
Secure Productivity in a mobile-first, cloud-first world
Ashok Vellore & Steven Hernandez
Microsoft Corporation - Malvern
Enterprise Mobility + Security (EMS)
Agenda
• Microsoft Enterprise Mobility + Security
• Device Management
• Protect at the front door - Conditional Access
• Protect your data, anywhere - App Protection
• Detect and remediate attacks
• Additional Services and Resources
Microsoft Enterprise Mobility + Security
Holistic and innovative solutions for protection across users, devices, apps and data (identity, devices, apps and data, on-premises and in the cloud)

Three pillars:
• Protect at the front door
• Protect your data anywhere
• Detect & remediate attacks

Components:
• Identity & Access Management
• Mobile Device & Application Management
• Information Protection / Information Rights Management
• Data Loss Prevention
• Cloud Access Security Broker
• User & Entity Behavioral Analytics

Capability areas:
• Identity and access management
• Mobile device & app management
• Information protection
• Threat protection
What do real IT Pros and Users say on Enterprise Mobile Productivity + Security?
Device management challenges

Client Management options

Intune Standalone
• Agent: OMA-DM (built into the OS)
• Platforms: iOS / Android / Windows Phone / Windows 10 / Mac
• Connectivity: Internet

Office 365 MDM
• Agent: OMA-DM (built into the OS)
• Platforms: iOS / Android / Windows Phone
• Connectivity: Internet

SCCM & Intune Co-Management
• Agents: OMA-DM (built into the OS) plus the SCCM client (external agent)
• Platforms: Windows 10 (co-managed); iOS / Android / Windows Phone / Mac via Intune; Windows 7/8.1/10 / Windows Server / Mac via the SCCM client
• Connectivity: Internet / Intranet
• No more hybrid (Intune-connected SCCM MDM) deployment

SCCM (On-Prem)
• Agents: SCCM client (external agent); OMA-DM (built into the OS) for Windows 10
• Platforms: Windows 7/8.1/10 / Windows Server / Mac / Unix / Linux
• Connectivity: Intranet (Internet requires PKI)
General Microsoft Intune Setup: Steps
1. Create a Microsoft Intune account (Office 365 users should use the same account used for that domain registration)
2. Set up an internal User Principal Name (UPN) to match the external name
3. Synchronize the on-premises account information to Microsoft Azure
4. Assign EMS licenses to the users
5. Enable the Mobile Device Management authority
6. Configure device platforms for enrollment
7. Enroll devices
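Steps 2 to 4 above are the part of the setup that is usually scripted. The following PowerShell is an added example, not from the deck or from Microsoft: it aligns on-premises UPNs with the verified tenant domain, triggers an Azure AD Connect delta sync, and assigns EMS E3 licenses to members of a group. The domain names, OU, group name and usage location are hypothetical; the SKU part numbers "EMS" (E3) and "EMSPREMIUM" (E5) are the real ones. It assumes the ActiveDirectory and AzureAD modules are installed and Connect-AzureAD has already been run, and that the sync command is run on the Azure AD Connect server.

```powershell
# Added example (not from the deck): Intune setup steps 2-4 in PowerShell.
# Assumptions (hypothetical): AD domain contoso.local, verified tenant domain
# contoso.com, AD group "EMS-Users", usage location US.
$internalSuffix = 'contoso.local'   # assumption: non-routable on-prem suffix
$externalSuffix = 'contoso.com'     # assumption: verified domain in Azure AD

# Step 2: make the on-prem UPN match the external (routable) name.
# The suffix must exist in the forest before it can be set on a user.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $externalSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $externalSuffix }
}
# Rewrite non-routable UPNs. Run once with -WhatIf on Set-ADUser in a real tenant.
Get-ADUser -Filter "UserPrincipalName -like '*@$internalSuffix'" `
           -SearchBase 'OU=Users,DC=contoso,DC=local' |      # assumption: OU path
  ForEach-Object {
    $newUpn = ($_.UserPrincipalName -split '@')[0] + '@' + $externalSuffix
    Set-ADUser -Identity $_ -UserPrincipalName $newUpn
  }

# Step 3: push the change to Azure AD (run on the Azure AD Connect server).
Start-ADSyncSyncCycle -PolicyType Delta

# Step 4: assign EMS E3 licences to the synced users in the group.
$sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq 'EMS'   # 'EMSPREMIUM' for E5
if (-not $sku) { throw 'EMS SKU not found in this tenant' }

$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

foreach ($member in Get-ADGroupMember -Identity 'EMS-Users' -Recursive) {   # assumption: group
    $upn     = (Get-ADUser -Identity $member).UserPrincipalName
    $aadUser = Get-AzureADUser -ObjectId $upn
    # Licence assignment is rejected when the user has no usage location.
    if (-not $aadUser.UsageLocation) {
        Set-AzureADUser -ObjectId $aadUser.ObjectId -UsageLocation 'US'   # assumption
    }
    Set-AzureADUserLicense -ObjectId $aadUser.ObjectId -AssignedLicenses $licenses
}
```

Check the UPN rewrite against any application that stores the old UPN (mailbox routing, SSO claims) before running it for all users; the sync in step 3 carries the new UPN to Azure AD, so a mismatch there is what step 2 prevents.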
Conditional Access Agenda
Protect at the front door
Detect & remediate attacks
Protect your data anywhere
Enterprise Mobility + Security
Azure AD Conditional Access
Capability of Azure Active Directory
Configurable worldwide service offering
Works with browser and Modern Auth
New features are added continuously
https://azure.microsoft.com/en-us/roadmap/?tag=azure-active-directory
How Conditional Access Works
1. The client requests access to an Azure AD registered application.
2. Azure AD (the Azure STS) authenticates the user.
3. The Conditional Access engine evaluates the matching policies and authorizes (or blocks) the request.
4. The Azure AD registered application authorizes access based on the token it receives.
Common Use Cases
• Force Multi-Factor Authentication based on location
• Restrict access to a critical Cloud App based on device status
• Restrict access to a Cloud App based on client app
• Restrict actions within critical applications based on location and device status
Licensing Requirements
Azure AD Premium P1*
Enterprise Mobility + Security E3*
*Some of the conditions (for example sign-in risk) require Azure AD Premium P2 or Enterprise Mobility + Security E5 licenses.
Ability to Share and Consume Information

LIFE BEFORE CLOUD AND MOBILITY
• On-premises, behind the firewall: corp email, business apps
• Access via managed devices and networks
• Layers of defense protecting internal apps
• Known security perimeter

LIFE AFTER CLOUD AND MOBILITY
• Office 365 and a cloud app ecosystem
• Open access for users - any device, any network
• Unrestricted sharing methods - users decide how to share
• Limited visibility and control
Conditional Access Goals
• Security
• Availability
• Ease of Use

Access Controls Available Now
• Virtual Private Network
• Federation Trust Conditional Authorization

Virtual Private Network
ADVANTAGES
• Device based
• Location based
• Multi-factor auth available
DISADVANTAGES
• Expensive infrastructure
• Cloud app unaware
• Limited client app management
• Suboptimal user experience
• Not suitable for BYOD
• Requires integration with MFA

Federation Trust Conditional Authorization
ADVANTAGES
• Location based
• Multi-factor auth available
• BYOD friendly
• Optimal user experience
DISADVANTAGES
• Expensive infrastructure
• Limited device based conditions
• Limited to initial authentication
• Limited risk based conditions
• Limited client app management
Azure AD Conditional Access: Control Anywhere Access
Applies to cloud apps and to on-premises applications published through Azure AD.

Conditions evaluated:
USER ATTRIBUTES
• User identity
• Group memberships
• Auth strength (MFA)
DEVICES
• Are domain joined
• Are compliant
• Platform type (Windows, iOS, Android)
APPLICATION
• Per app policy
• Type of client
• Business sensitivity
OTHER
• Network location
• Risk profile

Decision:
• Allow
• Enforce MFA
• Block

Signals feeding the risk profile:
• Brute force attacks
• Leaked credentials
• Infected devices
• Suspicious sign-in activities
• Configuration vulnerabilities
Conditions available for verification
• Users and Groups
• Device State
• Device Platform
• Cloud Application
• Location
• Sign-in Risk* (requires Azure AD Premium P2 / EMS E5, see Licensing Requirements)
• Client App
Supported Clients
Supported Browsers
• Internet Explorer
• Edge
• Chrome
Supported Device
Platforms
• Android
• iOS
• Windows Phone
• Windows
• macOS
Supported App Clients
• Office 2016 apps
• Office 2013 apps with Modern Auth enabled
• Office Mobile Apps
• Many more
Good Practices
• Remember that policy assignments are additive: every policy that matches a sign-in must be satisfied, so a new policy never relaxes an existing one.
• Exclude Global Administrators from a policy unless the policy is dedicated to that group.
• Assign a small pilot group of users to a newly created policy until testing is complete.
• Use the "What If" tool to verify a new policy's applicability before enabling it.
• Have a "break glass" account with Global Administrator rights and always exclude it from policies, so a misconfigured policy cannot lock every administrator out of the tenant.

Settings to avoid
• Assigning a block policy to All Users with no exceptions
• Assigning a block policy to All Locations with no exceptions
• Assigning a block policy to all Cloud Apps
• Requiring a compliant device for all access
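The first use case above (MFA based on location) expressed as a policy object, built the way the good practices recommend: a pilot group rather than All Users, the break-glass and Global Administrator groups excluded, and report-only state so the policy is logged but not enforced until the results have been reviewed. A small guardrail function then refuses to create any policy that matches one of the "Settings to avoid". This is an added example, not the deck's or Microsoft's own code; it assumes the Microsoft Graph PowerShell SDK with Connect-MgGraph already run using the Policy.ReadWrite.ConditionalAccess scope, and the three group IDs are placeholders. The property names and the values "All", "AllTrusted", "Office365" and "mfa" are those of the Graph conditionalAccessPolicy resource.

```powershell
# Added example (not from the deck): Conditional Access policy as code with guardrails.
# Assumptions (hypothetical): the three group object IDs below exist in the tenant.
$pilotGroupId      = '00000000-0000-0000-0000-000000000001'   # assumption: pilot users
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # assumption: break-glass accounts
$adminGroupId      = '00000000-0000-0000-0000-000000000003'   # assumption: Global Administrators

# Use case: require MFA for Office 365 from any network that is not a trusted location.
$policy = @{
    displayName = 'CA01 - MFA for Office 365 outside trusted locations'
    # Report-only: evaluated and logged in sign-in logs, never enforced. Switch to
    # 'enabled' only after reviewing the report-only results and the What If tool.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)                       # small pilot group, not All
            excludeGroups = @($breakGlassGroupId, $adminGroupId)   # always excluded
        }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')                     # trusted named locations
        }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Guardrails for the deck's "Settings to avoid" and the break-glass exclusion.
function Test-CaPolicyGuardrails {
    param([hashtable]$Policy, [string]$BreakGlassGroupId)
    $findings = @()
    $u       = $Policy.conditions.users
    $apps    = $Policy.conditions.applications
    $loc     = $Policy.conditions.locations
    $isBlock = $Policy.grantControls.builtInControls -contains 'block'
    $noUserExclusions = -not ($u.excludeUsers -or $u.excludeGroups -or $u.excludeRoles)

    if ($isBlock -and $u.includeUsers -contains 'All' -and $noUserExclusions) {
        $findings += 'Block policy targets All Users with no exceptions'
    }
    if ($isBlock -and $loc.includeLocations -contains 'All' -and -not $loc.excludeLocations) {
        $findings += 'Block policy targets All Locations with no exceptions'
    }
    if ($isBlock -and $apps.includeApplications -contains 'All') {
        $findings += 'Block policy targets all Cloud Apps'
    }
    if ($Policy.grantControls.builtInControls -contains 'compliantDevice' -and
        $apps.includeApplications -contains 'All' -and $u.includeUsers -contains 'All') {
        $findings += 'Compliant device required for all access'
    }
    if (-not ($u.excludeGroups -contains $BreakGlassGroupId)) {
        $findings += 'Break-glass group is not excluded'
    }
    return $findings
}

$issues = Test-CaPolicyGuardrails -Policy $policy -BreakGlassGroupId $breakGlassGroupId
if ($issues) { throw "Refusing to create policy:`n" + ($issues -join "`n") }

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The guardrail only catches the literal patterns the slide names; a block policy scoped to a group that happens to contain every user passes it, which is why the pilot-group and What If steps are still needed.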
Protect at the front door
Detect & remediate attacks
Protect your data anywhere
Enterprise Mobility + Security
App Protection Using Intune
• App Protection Policies (APP) applied to managed mobile apps can:
  o Restrict copy and paste
  o Block screenshot functionality
  o Configure an app to open all web links inside a managed browser
  o Configure, through a managed browser policy, the list of websites that is allowed or blocked for users
  o Ensure that when users click links to corporate content, it opens only in other managed apps
  o Some managed apps, such as Microsoft Outlook for iOS and Android, support multi-identity (a corporate and a personal account in the same app, with policy applied only to the corporate identity)
• Currently supported only on:
  o Android 6.0 or later
  o iOS 11.0 or later
How to Obtain Managed Apps
• There are two methods to obtain managed apps:
  o Use a policy managed app: has the Intune App SDK built in. Microsoft typically publishes its apps under the Managed apps category.
  o Use a wrapped app: an application repackaged to include the App SDK by using the Microsoft Intune App Wrapping Tool.
APP - App Protection Policies (formerly MAM)
App Protection Policies
▪ Built into Microsoft Office & productivity apps (Intune App SDK)
▪ Support for App Store and LOB applications (SDK & App Wrapping Tool)
What's the purpose?
▪ Protect and separate corporate apps, data and identities from personal ones
[Figure: managed apps holding corporate data alongside personal apps holding personal data on the same device; MDM is optional (Intune or 3rd-party); a multi-identity policy restricts features, sharing and downloads for the corporate identity only]
Managing Mobile Apps: How it Works
• Maximize mobile productivity and help protect corporate resources with Microsoft Office mobile apps, including multi-identity support
• Extend these capabilities to your existing line-of-business apps using the Microsoft Intune App Wrapping Tool
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
Paths to Managed Applications
• Built-in managed apps available: https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps
• Microsoft Intune App SDK
  • Developers can easily instrument applications for manageability
  • Provides more control over the user experience than wrapping
• App Wrapping Tool
  • Applies all MAM policies to applications
App Protection Policies (APP)
Enforce access requirements
• App PIN
• Corporate credentials
• Jailbreak/root detection
Prevent data leakage
• Restrict copy/cut and paste
• Block screen capture (Android only)
• Restrict sharing of data between apps
• Prevent cloud backup
• Disable printing
Remotely wipe data
• Remove company data from an app remotely
Encrypt app data
• iOS: OS encryption scheme
• Android: OpenSSL scheme, 128-bit AES key generation
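The four capability groups above map directly onto properties of an Intune app protection policy, which can be created through Microsoft Graph rather than in the portal. The following is an added example, not the deck's or Microsoft's own code: an Android policy that enforces a PIN and corporate credentials, treats a rooted device as non-compliant, blocks screen capture, backup, printing and Save As, limits clipboard and data transfer to managed apps, and wipes app data after 90 days offline. It assumes the Microsoft Graph PowerShell SDK with Connect-MgGraph already run using the DeviceManagementApps.ReadWrite.All scope; the pilot group ID is a placeholder. Property names are those of the Graph androidManagedAppProtection resource; durations are ISO 8601.

```powershell
# Added example (not from the deck): Android App Protection Policy via Microsoft Graph.
# Assumptions (hypothetical): the pilot group object ID below exists in the tenant.
$pilotGroupId = '00000000-0000-0000-0000-0000000000aa'   # assumption

$app = @{
    '@odata.type' = '#microsoft.graph.androidManagedAppProtection'
    displayName   = 'APP-Android-Corporate'
    description   = 'Corporate data protection for Intune-managed Android apps'

    # Enforce access requirements
    pinRequired                       = $true
    minimumPinLength                  = 6
    organizationalCredentialsRequired = $true     # corporate sign-in required
    deviceComplianceRequired          = $true     # rooted devices are non-compliant
    periodOnlineBeforeAccessCheck     = 'PT30M'   # re-check policy every 30 min online
    periodOfflineBeforeAccessCheck    = 'PT12H'   # require a check-in after 12 h offline

    # Prevent data leakage
    allowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn'
    allowedOutboundDataTransferSources   = 'managedApps'
    allowedInboundDataTransferSources    = 'managedApps'
    screenCaptureBlocked              = $true     # Android only
    dataBackupBlocked                 = $true     # no cloud backup of app data
    printBlocked                      = $true
    saveAsBlocked                     = $true

    # Remotely wipe data: app data is wiped on next launch after 90 days offline
    periodOfflineBeforeWipeIsEnforced = 'P90D'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections' `
    -Body ($app | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the policy to the pilot group.
$assignment = @{
    assignments = @(@{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $pilotGroupId
        }
    })
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

A policy does nothing until it is also targeted at apps (the targetApps action on the same resource), and a selective wipe triggered from the console uses the same policy identity; both are separate calls not shown here.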
Enabling App Protection Policies in apps
Intune App SDK
• Full APP feature functionality
• For store & LOB apps
Cordova Plugin
• APP functionality for Android and iOS apps built with Cordova
Xamarin Component
• APP functionality for Android and iOS apps built with Xamarin
App Wrapping Tool
• Simple command-line tool
• No code changes
• For LOB apps
App Wrapping Tool vs. SDK
Use the App Wrapping Tool when:
• Your app is simple.
• Your app will only be deployed internally.
• Your app only supports one (corporate) identity.
• Your app is not frequently updated.
• You don't have access to source code.
Use the SDK when:
• Your app is complex in functionality or large in size.
• Your app will be released to a public app store or deployed internally.
• Your app supports multiple identities.
• You frequently update your app.
• You have source code access and are familiar with it!
App Wrapping Tool
iOS
• Prerequisites: macOS (OS X 10.8.5+) with Xcode toolset 5+; signing certificate; provisioning profile; iOS app written for iOS 8.0+
• Environment: Terminal
• Hybrid mobile platforms: Cordova, Xamarin
Android
• Prerequisites: Windows machine; Java keytool; app can't be encrypted; Android app written for Android 4.0+
• Environment: PowerShell
• Hybrid mobile platforms: Cordova, Xamarin (in preview)
SDK exclusive features
• Multi-identity
• Save-as controls for storage locations
• Style customization + branding
• Selective wipe
• Status, result, and debug notifications
• APIs for interacting with MAM service
• MAM targeted configuration
What's in EMS E3 and E5

Identity and access management
• Azure Active Directory Premium P1 - Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting (E3, E5)
• Azure Active Directory Premium P2 - Identity and access management with advanced protection for users and privileged identities (E5 only)

Managed mobile productivity
• Microsoft Intune - Mobile device and app management to protect corporate apps and data on any device; App Protection Policies without MDM enrollment (E3, E5)

Data/Information protection
• Azure Information Protection P1 - Encryption for all files and storage locations; cloud-based file tracking (E3, E5)
• Azure Information Protection P2 - Intelligent classification and encryption for files shared inside and outside your organization (E5 only)
• Microsoft Cloud App Security - Enterprise-grade visibility, control, and protection for your cloud applications (E5 only)

Threat protection
• Microsoft Advanced Threat Analytics - Protection from advanced targeted attacks leveraging user and entity behavioral analytics (E3, E5)
• Free self-assessment and schedule a deep-dive session on Enterprise Mobility + Security
• Get a free 90-day trial and evaluate Enterprise Mobility + Security
• Deploy with FastTrack for Enterprise Mobility + Security
While implementing an Enterprise Mobility solution you should look for an all-inclusive approach for protection across users, devices, apps and data. Microsoft EMS is there to help.