Windows Server 2012R2 Capabilities for BYOD

Windows Server 2012 R2
Capabilities for BYOD Scenario
Yuri Diogenes
Senior Knowledge Engineer
Data Center, Devices & Enterprise Client – CSI
Team’s Page: http://technet.microsoft.com/cloud
@yuridiogenes
http://aka.ms/yuridio
What’s happening? Before
What’s happening? Now
90% of enterprises will have two or more mobile operating systems to support in 2017. (Gartner press release, "Gartner Says Two-Thirds of Enterprises Will Adopt a Mobile Device Management Solution for Corporate Liable Users Through 2017", October 25, 2012, http://www.gartner.com/newsroom/id/2213115)
32% of employees use two or three PCs for work from multiple locations. (Forrester Research, "The State of Workforce Technology Adoption: Global Benchmark 2012", Forrester Research, Inc., April 12, 2012)
What’s happening? Today
32% of your employees—power laptop users—access 21 different applications, while desktop users—36% of your employees—use 9.8 applications at work. (Forrester Research, "The State of Workforce Technology Adoption: Global Benchmark 2012", Forrester Research, Inc., April 12, 2012)
Mobility is the new normal
67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves. (Forrester Research, "Bring the Business Case for a Bring-Your-Own-Device (BYOD) Program", Forrester Research, Inc., October 23, 2012)
905M tablets in use for work and home globally by 2017. (Forrester Research, "2013 Mobile Workforce Adoption Trends", Forrester Research, Inc., February 4, 2013)
Today’s challenges
Users: Users expect to be able to work in any location and have access to all their work resources.
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
Starts with a person… whose identity is verified… across multiple devices… with access to apps… in a consistent manner. (Illustration: a Contoso employee badge, employee # 0000000-000.)
People-centric IT
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Hybrid Identity: Deliver unified application and device management on-premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
Management. Access. Protection. (Diagram: Users, Devices, Apps, Data.)
Access and Information Protection
Enable users / Hybrid Identity / Protect your data:
Simplified registration and enrollment for BYO devices
Automatically connect to internal resources when needed
Access to company resources is consistent across devices
Common identity to access resources on-premises and in the cloud
Centralize corporate information for compliance and data protection
Policy-based access control to applications and data
Enable users
Challenges and solutions
Challenge: Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
Solution: Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
Challenge: Users want an easy way to be able to access their corporate applications from anywhere.
Solution: Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
Challenge: IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Solution: IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.
Registering and Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and cloud environments.
As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device.
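Because every Workplace Join leaves a device record in Active Directory, IT can inventory which users registered which devices and find registrations whose owner no longer exists or that have not been used for months. The PowerShell below is an added example and is not material from the deck; it assumes the Device Registration Service has already been enabled on AD FS, that the ActiveDirectory module is installed, and it uses a placeholder report path and a 90-day staleness window.

```powershell
# Added example, not from the deck. Assumes Windows Server 2012 R2 AD FS with the Device
# Registration Service enabled (Initialize-ADDeviceRegistration / Enable-AdfsDeviceRegistration
# already run) and the ActiveDirectory module. Report path and 90-day window are assumptions.
Import-Module ActiveDirectory

# Workplace Join writes one msDS-Device object per registration into this container.
$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=RegisteredDevices,$domainDN"

$devices = Get-ADObject -SearchBase $container -Filter 'objectClass -eq "msDS-Device"' `
    -Properties msDS-RegisteredOwner, msDS-DeviceOSType, msDS-DeviceOSVersion, `
                msDS-ApproximateLastLogonTimeStamp, msDS-IsEnabled, whenCreated

function Resolve-OwnerSid {
    # msDS-RegisteredOwner holds the registering user's SID; accept string or binary form.
    param($raw)
    try {
        if ($raw -is [byte[]]) { $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        else { $sid = [System.Security.Principal.SecurityIdentifier]"$raw" }
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return '<unresolved SID>' }   # owner account deleted: registration is orphaned
}

function ConvertTo-DateTime {
    # The last-logon stamp may surface as a DateTime or as an Int64 FILETIME; normalise both.
    param($v)
    if ($v -is [DateTime]) { return $v }
    if ($v -is [long] -and $v -gt 0) { return [DateTime]::FromFileTimeUtc($v) }
    return $null
}

$report = foreach ($d in $devices) {
    [pscustomobject]@{
        Device     = $d.Name
        Owner      = Resolve-OwnerSid $d.'msDS-RegisteredOwner'
        OS         = "$($d.'msDS-DeviceOSType') $($d.'msDS-DeviceOSVersion')".Trim()
        Registered = $d.whenCreated
        LastLogon  = ConvertTo-DateTime $d.'msDS-ApproximateLastLogonTimeStamp'
        Enabled    = $d.'msDS-IsEnabled'
        DN         = $d.DistinguishedName
    }
}

# Stale (no logon in 90 days) or orphaned registrations still hold a valid device
# certificate, so list them for review and disable rather than delete (reversible).
$cutoff = (Get-Date).AddDays(-90)
$review = $report | Where-Object {
    $_.Owner -eq '<unresolved SID>' -or ($_.LastLogon -ne $null -and $_.LastLogon -lt $cutoff)
}
$review | Format-Table Device, Owner, OS, Registered, LastLogon -AutoSize
$report | Export-Csv -Path 'C:\Reports\RegisteredDevices.csv' -NoTypeInformation

# Disable a reviewed registration without deleting it:
# Set-ADObject -Identity $dn -Replace @{ 'msDS-IsEnabled' = $false }
```

The owner SID is resolved rather than printed because an unresolvable SID is the signal that matters: the user is gone but the device's certificate still chains to a registration object.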
Publish access to resources with the Web Application Proxy
Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps.
Use conditional access for granular control over how and where the application can be accessed.
Users can access corporate applications and data wherever they are.
IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS.
Active Directory provides the central repository of user identity as well as the device registration information.
(Diagram: Devices, Published applications, AD Integrated, Apps & Data.)
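The device awareness, location awareness and pre-authentication described on this slide are expressed on AD FS as claim rules and on the proxy as a published application. The PowerShell below is an added example, not from the deck or from Microsoft's documentation; the relying party name, URLs and certificate thumbprint are placeholders, and it assumes Windows Azure Multi-Factor Authentication is already registered as an additional authentication provider in AD FS.

```powershell
# Added example, not from the deck. Assumes Windows Server 2012 R2 AD FS with Device
# Registration enabled, a relying party trust named "Contoso Expenses" already created for
# the internal application, a Web Application Proxy server already joined to the federation
# service, and the MFA adapter already registered. Names, URLs and thumbprint are placeholders.

# ---- AD FS server: authorization and additional-authentication rules ----
# The isregistereduser claim is issued only when the device certificate installed during
# Workplace Join is presented at sign-in, so this rule refuses unregistered devices outright.
$permitRegisteredOnly = @'
@RuleName = "Permit only users signing in from a registered device"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Expenses' -IssuanceAuthorizationRules $permitRegisteredOnly

# Location awareness: requests arriving via the proxy carry insidecorporatenetwork = false,
# and this rule then demands a second factor for them.
$mfaFromExtranet = @'
@RuleName = "Require MFA when the request comes through the proxy"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Expenses' -AdditionalAuthenticationRules $mfaFromExtranet

# ---- Web Application Proxy: publish with AD FS pre-authentication ----
# Unauthenticated traffic is answered by AD FS at the edge; the backend only sees
# requests that already carry a valid token.
Add-WebApplicationProxyApplication -Name 'Contoso Expenses' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso Expenses' `
    -ExternalUrl 'https://expenses.contoso.com/' `
    -BackendServerUrl 'https://expenses.corp.contoso.com/' `
    -ExternalCertificateThumbprint '<thumbprint of the certificate for expenses.contoso.com>'

# Check: anything published as PassThrough bypasses both rules above and deserves a second look.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalPreauthentication, ADFSRelyingPartyName |
    Sort-Object ExternalPreauthentication
```

Keeping the device check in the issuance authorization rules and the MFA requirement in the additional authentication rules mirrors how the slide separates "is this device known" from "is this sign-in strong enough"; the final query is the routine check that no application was later republished without pre-authentication.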
Make corporate data available to users with Work Folders
IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android).
Users can sync their work data to their devices.
Users can register their devices to be able to sync data when IT enforces conditional access.
IT can configure a File Server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS.
Active Directory discoverability provides users with the Work Folders location.
(Diagram: Devices, Apps & Data.)
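The file server side of the slide, as an added example that is not drawn from the deck: it creates one sync share with the device-side encryption and lock-screen policies that make a later selective wipe meaningful, and publishes the server URL on the user object so clients find it through Active Directory discovery. The cmdlets are the Windows Server 2012 R2 SyncShare and ActiveDirectory modules; the path, security group, user and server URL are placeholders.

```powershell
# Added example, not from the deck. Run on a Windows Server 2012 R2 file server as an
# administrator with RSAT AD tools installed. Share path, group, user and URL are placeholders.
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools
Import-Module ActiveDirectory

# One sync share; every member of the group gets a private subfolder under the path.
# RequireEncryption: the client must encrypt the Work Folders data on the device, so a
# later selective wipe can revoke access to it rather than leaving plaintext behind.
# RequirePasswordAutoLock: the device must have a lock-screen password and auto-lock
# before the client is allowed to sync at all.
New-SyncShare -Name 'WorkFolders' `
    -Path 'D:\WorkFolders' `
    -User 'CONTOSO\WorkFolders-Users' `
    -RequireEncryption:$true `
    -RequirePasswordAutoLock:$true

# Work Folders is served over HTTPS only. Before enabling users, bind a certificate on
# port 443 whose subject matches the name clients (or the Web Application Proxy in front
# of this server) connect to; a name mismatch surfaces as sync failures, not as a warning.

# Discovery: the client reads the sync server URL from the user object (msDS-SyncServerUrl),
# so users never type a server name and cannot be pointed at a look-alike host by a typo.
Set-ADUser -Identity 'alice' -Replace @{ 'msDS-SyncServerUrl' = 'https://workfolders.contoso.com' }

# Verify the device-side policy actually took effect; if either column is False, a
# selective wipe has nothing to revoke on the device.
Get-SyncShare -Name 'WorkFolders' | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
```

Set the discovery URL per user or per organisational unit with a loop over Get-ADUser; the single Set-ADUser call above shows the attribute, not the rollout.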
Effective working with Remote Access
An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.
With DirectAccess, a user’s PC is automatically connected whenever an Internet connection is present.
VPN: cannot originate an admin connection from the intranet.
DirectAccess: can originate an admin connection from the intranet; the connection to the intranet is always active.
(Diagram: Firewall.)
Video Demo: Windows 8.1 and iPad Workplace Join and Company Portal
Hybrid Identity
Challenges and solutions
Challenge: Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment, and in cloud-based platforms.
Solution: Users have a single sign-on experience when accessing all resources, regardless of location.
Challenge: Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solution: Users and IT can leverage their common identity for access to external resources through federation.
Solution: IT can consistently manage identities across on-premises and cloud-based identity domains.
Delivering a seamless user authentication experience
Cloud Authentication: User attributes are synchronized using DirSync, including the password hash; authentication is completed against Windows Azure Active Directory. Multi-Factor Authentication can be configured through Windows Azure.
Federated Authentication with Single Sign-On: User attributes are synchronized using DirSync; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
Protecting information with multi-factor authentication
1. The user attempts to log in or perform an action that is subject to MFA.
2. When the user authenticates, the application or service performs an MFA call.
3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app.
4. The response is returned to the app, which then allows the user to proceed.
5. IT can configure the type and frequency of the MFA that the user must respond to.
Protect your data
Challenges and solutions
Challenge: As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
Solution: Users can work on the device of their choice and be able to access all their resources, regardless of location or device.
Challenge: A significant amount of corporate data can only be found locally on user devices.
Solution: IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
Challenge: IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solution: IT can centrally audit and report on information access.
Policy based access to corporate information
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.
IT can audit user access to information based on central audit policies.
(Diagram: Desktop Virtualization, Centralized Data, Distributed Data, Devices.)
Protect data with Dynamic Access Control
Automatically identify and classify data based on content. Classification applies as files are created or modified.
File classification, access policies and automated Rights Management work against client-distributed data through Work Folders.
Centrally manage access control and audit policies from Windows Server Active Directory.
Integration with Active Directory Rights Management Services provides automated encryption of documents.
Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
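How the classification, central access rule and automated Rights Management pieces on this slide fit together, as an added example that is not from the deck: a content rule stamps files containing a sensitive pattern with the High confidentiality value, a central access rule then limits those files to users carrying a Finance department claim, and a continuous file management job applies an RMS template to them. It assumes a Windows Server 2012 R2 domain with the claims Group Policy settings already enabled on domain controllers and clients, FSRM installed on the file server, and an AD RMS template already published; the folder, claim, rule, policy and template names are placeholders.

```powershell
# Added example, not from the deck. Assumes a Windows Server 2012 R2 domain (ActiveDirectory
# module), "KDC support for claims, compound authentication and Kerberos armoring" enabled by
# GPO, FSRM on the file server (FileServerResourceManager module) and an AD RMS template.
# Folder, claim, rule, policy and template names are placeholders.

# ---- Domain controller: claim, resource property, central access rule and policy ----
Import-Module ActiveDirectory

# User claim sourced from the AD 'department' attribute; referenced in ACEs as @USER.Department.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -Enabled $true

# Built-in Confidentiality property is an ordered list (Low=1000, Moderate=2000, High=3000);
# print the values before hard-coding one into a rule.
(Get-ADResourceProperty -Identity 'Confidentiality_MS').SuggestedValues | Format-Table Value, ValueDisplayName
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Confidentiality_MS'

# Rule: when a file is stamped High, only users whose Department claim is Finance get
# read/execute (0x1200a9); SYSTEM and Administrators keep full control. XA is the SDDL
# type for a conditional allow ACE.
New-ADCentralAccessRule -Name 'Confidential - Finance read only' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS >= 3000)' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.Department == "Finance"))' `
    -ProtectedFromAccidentalDeletion $true

New-ADCentralAccessPolicy -Name 'Confidential data policy'
Add-ADCentralAccessPolicyMember -Identity 'Confidential data policy' -Members 'Confidential - Finance read only'
# Deploy with Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings
# > File System > Central Access Policy; then run 'gpupdate /force' on the file server and attach
# the policy to the folder (Properties > Security > Advanced > Central Policy).

# ---- File server: classify by content, then auto-protect with RMS ----
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition     # pull Confidentiality_MS from AD into FSRM

# Content classifier: anything matching a US SSN pattern is stamped High. Overwrite re-stamps
# modified files; the slide's "near real-time" behaviour also needs continuous classification
# enabled in the FSRM classification schedule.
New-FsrmClassificationRule -Name 'SSN content => High confidentiality' `
    -Namespace @('D:\Finance') `
    -Property 'Confidentiality_MS' -PropertyValue '3000' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite
Start-FsrmClassification -Confirm:$false

# Automated Rights Management: a continuous file management job applies the RMS template to
# every file whose Confidentiality is High, so the document stays encrypted if it later
# syncs to a device through Work Folders or is copied off the server.
$cond   = New-FsrmFmjCondition -Property 'Confidentiality_MS' -Condition Equal -Value '3000'
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Confidential'
New-FsrmFileManagementJob -Name 'RMS-protect High confidentiality files' `
    -Namespace @('D:\Finance') -Condition $cond -Action $action -Continuous

# Check: confirm the policy reached the file server and what it contains.
Get-ADCentralAccessPolicy -Identity 'Confidential data policy' -Properties Members
```

The order matters: the resource property must be enabled and in the global list before FSRM can stamp it, and the central access policy must be deployed by Group Policy before it can be attached to a folder; running the file-server half first produces classified files that no rule yet protects.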
Video Demo: Work Folders with DAC and RMS
For More Information
System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012 R2: http://www.microsoft.com/en-us/server-cloud/windows-server/windows-server-2012-r2.aspx
More Resources:
http://www.microsoft.com/en-us/server-cloud/solutions/access-information-protection.aspx
http://www.microsoft.com/en-us/server-cloud/solutions/user-device-management.aspx