6:15 PM - Securing Mobile Device Access to Corporate Resources

Early mobile security
• Device policies tied to mailbox
• PIN
• Encryption
• Device restrictions

MDM
• Mobile Device Management
• Full wipe of device
• Granular device policy controls
• Provision access to corp resources (Email, VPN etc.)

MAM
• Selective wipe
• Mobile application management:
  • Corporate data containerization
  • Per-application policy restrictions
  • Compliance-based access control to corporate resources

PC Security
• Data protection through device lockdown (Group Policy, app mgmt., OSD, compliance)
• Hardening devices against attack (patch, anti-malware, etc.)
Enterprise Mobility Platform
• Devices: Enable your users
• Apps: Unify your environment
• Data: Protect your data

Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.

Microsoft Differentiation
• Managed Mobile Productivity
• Layered Protection
• Hybrid Solutions

Resources covered: Office 365, Dynamics, Workday, on-premise SharePoint, on-premise file server
MDM Lifecycle Concepts (the lifecycle revolves around the user and their devices)

Enrollment: Enroll in MDM to get access to corporate resources
Key Features
• Block email/SharePoint etc. until enrolled
• Customizable Terms & Conditions
• Simple end user experience

Initial Provisioning: Quick access to corporate resources
Key Features
• Security policy settings
• VPN, Wi-Fi, Certificates
• Mandatory app installs
• App restriction policies

Ongoing management: Device and app level policies
Key Features
• Block access if IT policies violated (e.g. jailbreak)
• Enforce data leak prevention
• Self-service portal for user-initiated app installs/help desk operations

Retire: Disconnect from company resources, lost/stolen device etc.
Key concepts
• Selective wipe
Solution architecture – Secure email in O365

Who does what?
• Intune: Evaluate policy compliance for device
• Azure AD: Auth user, provide device compliance status
• Exchange Online: Enforces access to email based on device state

Flow
1. EAS client attempts email connection to the Office 365 EAS service.
2–4. Azure AD authenticates the user and provides the device compliance status (evaluated by Intune); Exchange Online enforces access to email based on device state.
5. Enrollment / compliance remediation: Intune sets the device management/compliance status.
6. If not compliant, push device into quarantine. The quarantine email carries remediation steps and a link to enroll the device / compliance remediation steps.
7. If compliant, email access is granted.
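The allow/quarantine decision from the flow above, modelled as an added example (not Microsoft's code or any Intune API): a constructed device record, an Intune-style compliance evaluation (PIN, encryption, jailbreak, enrollment), an Azure AD-style status object, and the Exchange-side decision to allow or quarantine with remediation steps. The portal URL is a placeholder.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the slide's email access flow; roles are named after
# the components on the slide, not their real interfaces.

@dataclass
class Device:
    device_id: str
    enrolled: bool        # enrolled in MDM (step 5 on the slide)
    pin_set: bool
    encrypted: bool
    jailbroken: bool

@dataclass
class Policy:
    require_pin: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True

def intune_evaluate(device: Device, policy: Policy) -> list:
    """Intune role: list of policy violations (empty list = compliant)."""
    if not device.enrolled:
        return ["not enrolled in MDM"]
    violations = []
    if policy.require_pin and not device.pin_set:
        violations.append("PIN not set")
    if policy.require_encryption and not device.encrypted:
        violations.append("device not encrypted")
    if policy.block_jailbroken and device.jailbroken:
        violations.append("jailbroken device")
    return violations

def azure_ad_status(user_authenticated: bool, device: Device, policy: Policy) -> dict:
    """Azure AD role: authentication result plus compliance status from Intune."""
    violations = intune_evaluate(device, policy)
    return {"authenticated": user_authenticated, "managed": device.enrolled,
            "compliant": not violations, "violations": violations}

def exchange_decision(status: dict) -> dict:
    """Exchange Online role: allow mail (step 7) or quarantine (step 6)."""
    if not status["authenticated"]:
        return {"action": "deny", "reason": "authentication failed"}
    if status["compliant"]:
        return {"action": "allow"}
    # Quarantine mail carries the enrollment link and remediation steps.
    steps = (["enroll device in MDM"] if not status["managed"]
             else ["fix: " + v for v in status["violations"]])
    return {"action": "quarantine", "remediation": steps,
            "link": "https://portal.example/enroll"}  # placeholder URL

def attempt_email_connection(user_authenticated: bool, device: Device,
                             policy: Optional[Policy] = None) -> dict:
    """Step 1: EAS client attempts a connection; returns Exchange's decision."""
    return exchange_decision(azure_ad_status(user_authenticated, device, policy or Policy()))
```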
Resource Access Configuration

Features*
• Configure VPN profiles
• Support for Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates

Benefits
• End users get access to company resources with no manual steps for them

Platforms
• Windows 8.1
• Windows 8.1 RT
• iOS
• Android
• Windows Phone 8.1
• Samsung KNOX Standard
Challenges
Password-based authentication is vulnerable, but the alternative, certificate-based authentication, is complex.
• How do I issue certificates to mobile devices that are not on my trusted network?
• How do I manage the lifecycle of certificates?
• How do I secure my network resources like Email, VPN, Wi-Fi etc. with certificates?
Certificate lifecycle: Issue/Enroll certificates → Manage certificates → Automated renewal → Certificate revocation

Challenge: SCEP is an old protocol designed for use in closed networks. CERT warns that SCEP does not strongly authenticate requests.
Solution: Intune's integration with the Microsoft NDES (Network Device Enrollment Service) policy module offers higher security and integrity of issued certificates.

Challenge: Security concerns with Microsoft NDES deployment.
Solution: Use Microsoft Web Application Proxy.
• Blog: Protecting NDES with WAP by Pieter Wigleven
• Coming soon: Whitepaper on NDES deployment best practices

Email account profiles
• Automate configuration of email account settings
• Secure access to email by requiring certificate-based authentication
• Enable selective wipe of corporate email
Features
• Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
• Support for VPN standards: PPTP, L2TP, IKEv2
• Automatic VPN connection: Application ID based initiation support for Windows 8.1 and Windows Phone 8.1; per-app VPN for iOS
• Manage Wi-Fi protocol and authentication settings
  • WEP
  • WPA/WPA2 Personal
  • WPA/WPA2 Enterprise
• Provision Wi-Fi networks that the device can auto-connect to
• Specify the certificate to be used for the Wi-Fi connection
Wi-Fi connection flow
• User attempts to connect to the Wi-Fi endpoint.
1) Server presents its identity certificate; the device trusts this certificate.
2) Server asks for user credentials; the user provides credentials (username/password or cert).
• Connect: the server establishes the tunnel.
• iOS
  • Allow/Block applications
  • Kiosk Mode
  • Custom Payload: Import profiles created in Apple Configurator
• Windows Phone
  • Allow/Block applications
  • Custom Payload: Configure any Windows Phone (OMA-URI) setting
• Android
  • Allow/Block applications
  • Kiosk mode
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com