Evolution of device security

PC Security
• Data protection through device lockdown (Group Policy, app management, OSD, compliance)
• Hardening devices against attack (patching, anti-malware, etc.)

Early mobile security
• Device policies tied to the mailbox
• PIN
• Encryption
• Device restrictions
• Full wipe of device

MDM (Mobile Device Management)
• Granular device policy controls
• Provision access to corporate resources (email, VPN, etc.)
• Selective wipe

MAM (Mobile Application Management)
• Corporate data containerization
• Per-application policy restrictions
• Compliance-based access control to corporate resources

Enterprise Mobility Platform
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.
• Devices: enable your users
• Apps: unify your environment
• Data: protect your data

Microsoft Differentiation
• Managed mobile productivity
• Layered protection
• Hybrid solutions: Office 365, Dynamics, Workday, on-premises SharePoint, on-premises file server

MDM Lifecycle Concepts

Enrollment: enroll in MDM to get access to corporate resources.
Key features
• Block email, SharePoint, etc. until enrolled
• Customizable terms and conditions
• Simple end-user experience

Initial provisioning: quick access to corporate resources.
Key features
• Security policy settings
• VPN, Wi-Fi, certificates
• Mandatory app installs
• App restriction policies

Ongoing management: device- and app-level policies.
Key features
• Block access if IT policies are violated (e.g. jailbreak)
• Enforce data leak prevention
• Self-service portal for user-initiated app installs and help desk operations

Retire: disconnect from company resources (lost/stolen device, etc.).
Key concepts
• Selective wipe

Solution architecture – Secure email in O365
Who does what?
• Azure AD: authenticates the user and provides the device compliance status
• Intune: evaluates policy compliance for the device
• Exchange Online: enforces access to email based on device state
Flow
• The EAS client attempts an email connection to the Office 365 EAS service
• Intune evaluates policy compliance for the device; Azure AD authenticates the user and provides the device compliance status
• Enrollment / compliance remediation sets the device management and compliance status
• If not compliant, the device is pushed into Intune quarantine and receives a quarantine email with remediation steps and a link to enroll the device / compliance remediation steps
• If compliant, email access is granted

Resource Access Configuration
Features
• Configure VPN profiles
• Support for automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates
Benefits
• End users get access to company resources with no manual steps
Platforms
• Windows 8.1, Windows 8.1 RT, iOS, Android, Windows Phone 8.1, Samsung KNOX Standard

Certificate management

Challenges
• Password-based authentication is vulnerable, but the alternative, certificate-based authentication, is complex.
• How do I issue certificates to mobile devices that are not on my trusted network?
• How do I manage the lifecycle of certificates?
• How do I secure network resources such as email, VPN and Wi-Fi with certificates?

Solution
• Issue/enroll certificates
• Certificate revocation
• Manage certificates
• Automated renewal

Challenge
• SCEP is an old protocol designed for use in closed networks. CERT warns that SCEP does not strongly authenticate requests.
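The compliance-based email access flow from the "Secure email in O365" slide above, as an added Python simulation that is not code from the deck or from Microsoft; the Device fields, the policy requirements (PIN, encryption, jailbreak block) and the enrollment link are constructed for illustration.

```python
# Added example (not Microsoft's code): simulation of the three roles in the
# O365 secure-email flow. Intune evaluates compliance, Azure AD stores the
# device status, Exchange Online enforces access on every EAS connection.
from dataclasses import dataclass


@dataclass
class Device:                      # constructed device attributes
    device_id: str
    enrolled: bool                 # enrolled in MDM (Intune)
    pin_set: bool
    encrypted: bool
    jailbroken: bool


@dataclass
class CompliancePolicy:            # constructed policy requirements
    require_pin: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True


def intune_evaluate(device, policy):
    """Intune role: return the list of violations; an empty list means compliant."""
    if not device.enrolled:
        return ["device not enrolled in MDM"]   # enrollment is the first gate
    violations = []
    if policy.require_pin and not device.pin_set:
        violations.append("set a device PIN")
    if policy.require_encryption and not device.encrypted:
        violations.append("enable device encryption")
    if policy.block_jailbroken and device.jailbroken:
        violations.append("jailbroken devices are blocked")
    return violations


class AzureAD:
    """Azure AD role: holds the management/compliance status per device."""
    def __init__(self):
        self.status = {}

    def set_status(self, device_id, compliant, violations):
        self.status[device_id] = {"compliant": compliant, "violations": violations}

    def get_status(self, device_id):
        return self.status.get(device_id, {"compliant": False, "violations": ["unknown device"]})


def eas_connect(device, policy, azure_ad, enroll_url="https://enroll.example.invalid"):
    """Exchange Online role: grant access, or quarantine with remediation steps."""
    violations = intune_evaluate(device, policy)                        # Intune evaluates
    azure_ad.set_status(device.device_id, not violations, violations)   # status is recorded
    state = azure_ad.get_status(device.device_id)                       # Azure AD provides it
    if state["compliant"]:
        return {"access": "granted"}
    return {"access": "quarantined",
            "remediation_email": {"steps": state["violations"], "enroll_link": enroll_url}}
```

Re-running eas_connect after the user remediates (enrolls, sets a PIN, enables encryption) is what moves the device out of quarantine.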
Solution
• Intune's integration with the Microsoft NDES (Network Device Enrollment Service) policy module offers higher security and integrity of issued certificates.
• Security concerns with Microsoft NDES deployment: use Microsoft Web Application Proxy. Blog: Protecting NDES with WAP by Pieter Wigleven. Coming soon: whitepaper on NDES deployment best practices.

Email profiles
• Automate configuration of email account settings
• Secure access to email by requiring certificate-based authentication
• Enable selective wipe of corporate email

VPN profiles
Features
• Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
• Support for VPN standards: PPTP, L2TP, IKEv2
• Automatic VPN connection: application-ID-based initiation for Windows 8.1 and Windows Phone 8.1; per-app VPN for iOS

Wi-Fi profiles
• Manage Wi-Fi protocol and authentication settings
• WEP
• WPA/WPA2 Personal
• WPA/WPA2 Enterprise
• Provision Wi-Fi networks that the device can auto-connect to
• Specify the certificate to be used for the Wi-Fi connection

Wi-Fi connection sequence
• The user attempts to connect to the Wi-Fi endpoint
• 1) The server presents its identity certificate; the client trusts this certificate and a tunnel is established
• 2) The server asks for user credentials; the user provides credentials (username/password or certificate) to connect

Device restriction policies
• iOS: allow/block applications; kiosk mode; custom payload: import profiles created in Apple Configurator
• Windows Phone: allow/block applications; custom payload: configure any Windows Phone (OMA-URI) setting
• Android: allow/block applications; kiosk mode

Resources
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com