Sean P. McDonough
National Office 365 Solution Manager
Cardinal Solutions Group
A little about me
Sean P. McDonough, National Office 365 Solution Manager
- Responsible for business productivity (primarily Office 365 and EMS) strategy, capabilities development, etc., at a national level
- Have been spending a lot of time providing education, guidance, and POC development with Microsoft's EMS
- Microsoft MVP for Office Development, Office Servers and Services
Who we are: Cardinal Solutions Group
- Founded: 1996, Cincinnati, Ohio
- Growth: 400+ FTEs, 20% YOY growth, $60M 2015 revenue
- Locations: Cincinnati, Columbus, Charlotte, Raleigh, Tampa
- Technology: Cloud, Data, Web, Mobile
What We'll Cover Today
- Why I'm talking about EMS
- What's driving EMS?
- EMS capabilities and solutions
- Summaries and comparisons
WHY I'M TALKING ABOUT EMS
Yeah, I've heard of that
- Many of you have probably heard of EMS
- Microsoft is spending a lot of time talking about EMS and adding capabilities to it
- Despite knowing that EMS stands for Enterprise Mobility Suite, many people don't know what EMS really is
- Confusion about Office 365, EMS, and other offerings
  - Where does Office 365 stop and EMS start?
  - What can I actually do with EMS?
WHAT'S DRIVING EMS?
The identity reality: our current reality
We live in a mobile-first/cloud-first world
- 61% of workers mix personal and work tasks on their devices*
- >80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs**
- >75% of network intrusions exploited weak or stolen credentials***
Axes of protection
(Diagram of the axes: IT, Users, Devices, Apps, Data; audiences: Employees, Business Partners, Customers)
Security is the name of the game
- At its core, EMS is about security
  - Enhancing existing identity security
  - Strengthening device security
  - Protecting data, not just systems
  - Extending security to on-premises systems
- EMS is also about convenience
  - Can be used by itself to easily enable SSO to cloud-based and on-premises applications
  - Maximum capability with minimum configuration
  - Natural complement to Office 365
A multi-axis protection example
(Diagram: Identity, Device, Application, Data)
Real-world solutions must go cross-platform
- EMS is cross-platform: iOS, Android, Windows
- 1000s of SaaS apps
- LOB apps, RemoteApp
At the end of the day, it just works
- Always up to date
- Works with what you have
- Simple to set up and connect
EMS CAPABILITIES AND SOLUTIONS
The Mobility Suite
- Identity & Access Management (Microsoft Azure Active Directory Premium): easily manage identities across on-premises and cloud; single sign-on & self-service for any application
- Mobile Device & App Management (Microsoft Intune): manage and protect corporate apps and data on almost any device with MDM & MAM
- Information Protection (Microsoft Azure Rights Management Premium): encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs
- Behavior-based threat analytics (Advanced Threat Analytics): identify suspicious activities and advanced threats in near real time, with simple, actionable reporting
AZURE ACTIVE DIRECTORY PREMIUM
Integrated: identity as the control plane
- One common identity
- Simple connection
- Self-service
- Single sign-on
(Diagram: Windows Server Active Directory and other directories; one username; Microsoft Azure Active Directory; Azure, SaaS, public cloud and Office 365; on-premises and cloud)
Application Support
- Single sign-on (SSO) support for over 2600 SaaS applications in a variety of different categories
- Many of the most common SaaS applications in use today are supported: Salesforce, WorkDay, Dropbox, GoToMeeting
Self-Service Capabilities
- With Office 365: self-service password management
- With EMS: self-service password reset; self-service group management
- Alleviates many of the day-to-day calls that first-level support personnel deal with in a typical organization
Exposing On-Premises Applications (like SharePoint)
- Connectors are deployed on the corporate network
- Multiple connectors can be deployed for redundancy and scale
- The connector(s) auto-connect to the cloud service
- The user connects to the cloud service, which routes their traffic to the resources via the connector(s)
(Diagram: the user reaches https://sales-contoso.msappproxy.net through Azure Active Directory; traffic is routed via the connector through the DMZ to https://sales.contoso.com / http://sales on the corporate network)
Security Benefits with Application Proxy
- All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks such as the Heartbleed bug
- Unauthenticated traffic filtered in the cloud will not arrive on-premises
- No incoming connections to the corporate network; only an outgoing connection to the Azure AD Application Proxy service
- Internet-facing service always up to date with the latest security patches and server upgrades
- Login abnormalities detection, reporting and auditing by Azure AD
(Diagram: https://sales-contoso.msappproxy.net, Azure Active Directory, DMZ, apps on the corporate network)
Multi-Factor Authentication
- With Office 365: basic two-factor authentication
- With EMS: on-premises MFA server; additional MFA methods; robust reporting; one-time bypassing; customizable phone calls; and more
INTUNE
How Gartner Sizes It Up
On pure device management, AirWatch is king. Microsoft's strategy is more comprehensive, cloud-centric, and cost-effective. It is also not a point solution.
Organizations that should consider Intune are those that want to extend the Office 365 services to mobile devices and ConfigMgr customers that value client management and EMM integration over best-of-breed EMM functionality.
The combination of Azure Active Directory Premium, Azure Rights Management and Intune addresses some useful mobile scenarios, for example, changing an Active Directory password from a mobile device.
Mobile application management
- Maximize mobile productivity and protect corporate resources with Office mobile apps, including multi-identity support
- Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
- Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
(Diagram: managed apps with a multi-identity policy; corporate data (IT) vs. personal data (user); personal apps)
Mobile Application Management
- Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps
(Diagram: managed apps vs. the user's personal apps)
Controlling Access to Corporate Data
- Access control to corporate data today
- The perimeter cannot help protect data stored in the cloud
(Diagram: mobile devices, PCs, web browsers, apps, data)
Protecting Data in a Mobile-First, Cloud-First World
- Access control and data protection integrated natively in the apps, devices, and the cloud
(Diagram: Enterprise Mobility Suite with SharePoint Online and Exchange Online)
Conditional access with EMS
- Conditional access policies are built from: corporate apps, IP range, user, device state, advanced Windows 10 options, user group
- Cover both cloud and on-premises resources
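To make the slide's policy inputs concrete, here is a small conditional-access evaluator written for this page as an added illustration; it is not Azure AD's policy engine and the policy names, group names, application names and the 203.0.113.0/24 "corporate" range are all constructed. It shows the precedence a practitioner cares about: a block anywhere wins, and a grant control the device cannot satisfy (compliance) denies the sign-in rather than quietly downgrading it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """The signals a sign-in brings with it (constructed field names)."""
    user: str
    groups: frozenset
    app: str
    source_ip: str
    device_compliant: bool


@dataclass(frozen=True)
class Policy:
    """One conditional access rule: whom/what it applies to, and what it demands."""
    name: str
    apps: frozenset = frozenset()        # empty = every app
    groups: frozenset = frozenset()      # empty = every user
    only_outside_trusted: bool = False   # scope to sign-ins from untrusted networks
    require_mfa: bool = False
    require_compliant_device: bool = False
    block: bool = False


# Constructed corporate IP range (RFC 5737 documentation address space).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def applies(policy: Policy, req: AccessRequest) -> bool:
    """A policy is in scope only if every one of its conditions matches the sign-in."""
    if policy.apps and req.app not in policy.apps:
        return False
    if policy.groups and not (policy.groups & req.groups):
        return False
    if policy.only_outside_trusted and is_trusted(req.source_ip):
        return False
    return True


def evaluate(policies, req: AccessRequest) -> tuple:
    """Return (decision, names of in-scope policies). A block anywhere wins over
    every grant, and an unmet grant control (compliant device) is a block too,
    never a downgrade to 'allow'."""
    matched = [p for p in policies if applies(p, req)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return "block", names
    if any(p.require_compliant_device for p in matched) and not req.device_compliant:
        return "block", names
    if any(p.require_mfa for p in matched):
        return "require_mfa", names
    return "allow", names


# Constructed policy set mirroring the slide's inputs: app, IP range, group, device state.
POLICIES = [
    Policy("MFA off the corporate network", only_outside_trusted=True, require_mfa=True),
    Policy("Exchange Online needs a compliant device",
           apps=frozenset({"Exchange Online"}), require_compliant_device=True),
    Policy("Contractors blocked from SharePoint Online",
           apps=frozenset({"SharePoint Online"}), groups=frozenset({"Contractors"}), block=True),
]

if __name__ == "__main__":
    staff = frozenset({"Employees"})
    for req in (
        AccessRequest("alice", staff, "Exchange Online", "203.0.113.10", True),
        AccessRequest("alice", staff, "Exchange Online", "198.51.100.7", True),
        AccessRequest("alice", staff, "Exchange Online", "203.0.113.10", False),
        AccessRequest("bob", frozenset({"Contractors"}), "SharePoint Online", "203.0.113.10", True),
    ):
        print(req.user, req.app, req.source_ip, "->", evaluate(POLICIES, req))
```

The design point is that every policy whose conditions match contributes to the decision, and the most restrictive outcome is taken; when reviewing a real tenant's policies, check for sign-in paths (an app, a group, a network) that no policy covers, since those fall through to "allow".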
Mobile Data Protection
- Protect corporate data accessed from devices
- Protect corporate data stored on devices
(Diagram: on-premises, user, IT)
Typical EMM Stack
- Standard MDM provides device configuration and management (native device MDM)
- Custom data container provides mobile productivity apps integrated with content and access systems (custom email app, custom collab app, custom file app; containers)
- Custom SDK/wrapper enables line-of-business apps to be managed (SDK/wrapper, managed browser, managed viewers)
- Depends on specific DMZ infrastructure
- Works on-premises only (Exchange Server, SharePoint Server, Active Directory)
(Diagram: firewalls around the DMZ/perimeter network and the corporate network)
Microsoft's EMM Stack
- Intune: cross-platform MDM (native device MDM)
- Office 365: mobile productivity (managed Office productivity and more)
- Azure AD: access control to Office 365 and SaaS apps
- Intune: app restrictions for Office mobile and LOB apps
- Azure Rights Management: information protection at the file layer
- Cloud integration (SharePoint Online, Exchange Online) and standard on-premises integration (Exchange Server, SharePoint Server, Active Directory)
- Extensibility based on Azure AD and Intune: enable business apps to interoperate with Office mobile apps (Intune App SDK, Intune App Wrapping Tool)
(Diagram: firewalls around the DMZ/perimeter network and the corporate network)
AZURE RIGHTS MANAGEMENT SERVICE
Encrypt files and data
RMS: How It Works
1. Document author attempts to protect a document
2. Author obtains the certificates necessary to participate in the information protection platform
3. Author protects the document
4. Author distributes the document to another user
5. User contacts the information protection platform, is authenticated, and receives a use license
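The five steps above are easier to reason about as code, so here is a toy model of the flow written for this page; it is an added illustration, not Azure RMS's own protocol or SDK. Real RMS uses X.509 certificates, an RSA-wrapped AES content key and XrML licenses; this model assumes HMAC-SHA256 stands in for all of them, uses a deliberately toy stream cipher, and constructs the users (alice, bob, carol at contoso.example) and the document text. What it does preserve is the shape of the trust model: the content key travels with the document, but sealed so that only the service can unwrap it, and the reader gets it only after authenticating and being found in the license's rights list.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 in counter mode XORed over the data. It stands
    in for the AES content encryption of real RMS; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ProtectionService:
    """Stands in for the information protection platform (the RMS tenant). It alone
    holds the tenant key, so it alone can unwrap a document's content key."""

    def __init__(self, directory):
        self._tenant_key = secrets.token_bytes(32)
        self._directory = set(directory)

    def _mac(self, data: bytes) -> str:
        return hmac.new(self._tenant_key, data, hashlib.sha256).hexdigest()

    # Step 2: a user obtains the credentials needed to take part in the platform.
    def issue_rights_account(self, user: str) -> dict:
        if user not in self._directory:
            raise PermissionError(f"{user} is not a known user")
        return {"user": user, "rac": self._mac(b"rac:" + user.encode())}

    def _authenticate(self, account: dict) -> None:
        if not hmac.compare_digest(self._mac(b"rac:" + account["user"].encode()), account["rac"]):
            raise PermissionError("authentication failed")

    def _wrap_key(self, license_id: str) -> bytes:
        return hmac.new(self._tenant_key, b"wrap:" + license_id.encode(), hashlib.sha256).digest()

    # Step 3 (service side): seal the rights and the wrapped content key into a publishing license.
    def issue_publishing_license(self, author: dict, rights: dict, content_key: bytes) -> dict:
        self._authenticate(author)
        license_id = secrets.token_hex(8)
        body = {"id": license_id, "author": author["user"], "rights": rights,
                "wrapped_key": _keystream_xor(self._wrap_key(license_id), content_key).hex()}
        return {**body, "sig": self._mac(_canonical(body))}

    # Step 5: the reader authenticates; if the license names them, they receive a use license.
    def request_use_license(self, reader: dict, publishing_license: dict) -> dict:
        self._authenticate(reader)
        body = {k: v for k, v in publishing_license.items() if k != "sig"}
        if not hmac.compare_digest(self._mac(_canonical(body)), publishing_license["sig"]):
            raise PermissionError("publishing license has been tampered with")
        granted = publishing_license["rights"].get(reader["user"])
        if not granted:
            raise PermissionError(f"{reader['user']} has no rights to this document")
        content_key = _keystream_xor(self._wrap_key(publishing_license["id"]),
                                     bytes.fromhex(publishing_license["wrapped_key"]))
        return {"user": reader["user"], "rights": granted, "content_key": content_key}


# Step 3 (author side): encrypt the body and attach the publishing license. Steps 1 and 4
# are the author deciding to protect, then sending the file on; there is nothing to compute.
def protect_document(service, author: dict, plaintext: bytes, rights: dict) -> dict:
    content_key = secrets.token_bytes(32)
    publishing_license = service.issue_publishing_license(author, rights, content_key)
    return {"license": publishing_license, "body": _keystream_xor(content_key, plaintext).hex()}


# Step 5 (reader side): open the document with the use license.
def consume_document(service, reader: dict, document: dict) -> tuple:
    use_license = service.request_use_license(reader, document["license"])
    return _keystream_xor(use_license["content_key"], bytes.fromhex(document["body"])), use_license["rights"]


def demo() -> dict:
    """Run the flow with constructed users and report what each step produced."""
    users = ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example"]
    service = ProtectionService(users)
    alice, bob, carol = (service.issue_rights_account(u) for u in users)
    doc = protect_document(service, alice, b"Q3 pricing: confidential", {"bob@contoso.example": ["VIEW"]})
    text, rights = consume_document(service, bob, doc)
    results = {"bob_text": text, "bob_rights": rights, "carol_denied": False, "tamper_detected": False}
    try:
        consume_document(service, carol, doc)        # carol is not in the rights list
    except PermissionError:
        results["carol_denied"] = True
    tampered = {"license": {**doc["license"], "rights": {**doc["license"]["rights"], "carol@contoso.example": ["VIEW"]}},
                "body": doc["body"]}
    try:
        consume_document(service, carol, tampered)   # rights edited, so the signature no longer matches
    except PermissionError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties of the slide's "persistently protected wherever it goes" claim fall out of the model: a copy of the file is useless to anyone the license does not name, and editing the rights list inside the license is caught because the service signs it, so neither the document nor its license can be altered without the service noticing.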
Email protection
- Keep corporate email off the Internet
- Prevent the forwarding of confidential information
- Templates to centrally manage policies
Automating protection
- Automatically protect email messages and documents that contain sensitive information
Summary of RMS Benefits
- Information is persistently protected wherever it goes
- User experience is natural: users don't need to learn how to protect or consume information, and user effort is minimal
- Protection can be automated (but without affecting the user's experience)
- Works with the cloud and with on-premises systems
- RMS can be integrated with most enterprise systems (web mail, MDM, document libraries, ERP, and so on)
ADDITIONAL PROTECTION
Microsoft Advanced Threat Analytics (ATA)
- Behavioral analytics: profile normal entity behavior (normal vs. abnormal)
- Forensics for known attacks and issues: search for known security attacks & issues
- Detect suspicious user activities, known attacks and issues
(Diagram: Advanced Threat Analytics fed by devices and servers, SIEM, and Active Directory)
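The "profile normal entity behavior" idea can be shown with a small behavioural baseline run over sample directory authentication events; this is an added example written for this page, not ATA's own detection models, which the slide does not describe. The event lines, account names (alice, svc-backup, mallory) and host names are constructed, and the profile is deliberately simple: per account, which resources it reaches and during which hours of the day.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication events in the form "<ISO timestamp> <account> <resource host>".
LEARNING_PERIOD = """\
2016-06-01T09:02:11 alice FS01
2016-06-01T09:15:40 alice SP01
2016-06-02T08:58:03 alice FS01
2016-06-02T10:20:19 alice MAIL01
2016-06-03T09:30:00 alice SP01
2016-06-01T08:30:00 svc-backup FS01
2016-06-02T08:30:00 svc-backup FS01
"""

DETECTION_PERIOD = """\
2016-06-15T09:05:00 alice FS01
2016-06-15T02:13:44 alice DC01
2016-06-15T02:14:10 alice FS02
2016-06-15T08:30:00 svc-backup FS01
2016-06-15T11:00:00 mallory FS01
"""


def parse_events(text: str):
    """Yield (timestamp, account, resource) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource = line.split()
        yield datetime.fromisoformat(ts), account, resource


def build_profiles(text: str) -> dict:
    """Learn, per account, which resources it reaches and during which hours."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, account, resource in parse_events(text):
        profiles[account]["resources"].add(resource)
        profiles[account]["hours"].add(ts.hour)
    return dict(profiles)


def score_event(profiles: dict, ts, account, resource) -> list:
    """Reasons an event deviates from the learned profile (empty list = looks normal)."""
    profile = profiles.get(account)
    if profile is None:
        return ["account never seen in learning period"]
    reasons = []
    if resource not in profile["resources"]:
        reasons.append(f"first access to {resource}")
    if ts.hour not in profile["hours"]:
        reasons.append(f"activity at {ts.hour:02d}:00 is outside usual hours")
    return reasons


def detect(profiles: dict, text: str) -> list:
    """Return (timestamp, account, resource, reasons) for every deviating event."""
    alerts = []
    for ts, account, resource in parse_events(text):
        reasons = score_event(profiles, ts, account, resource)
        if reasons:
            alerts.append((ts.isoformat(), account, resource, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_profiles(LEARNING_PERIOD), DETECTION_PERIOD):
        print(alert)
```

Run against the constructed data, the routine 09:05 access and the backup account's usual job stay quiet, while alice reaching two never-seen hosts at 02:00 and an account with no history at all are surfaced with the reason attached, which is the "simple, actionable reporting" the earlier slide asks for. A production model needs a longer learning period, per-account thresholds and peer-group comparison, but the division into learn, score and report is the same.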
Hot off the presses
- Announced June 7th: Microsoft is partnering with Lookout
- Lookout Mobile Threat Protection is being added to EMS
- What is Mobile Threat Protection?
  - Detects, remediates, and predicts mobile threats
  - Enables secure BYOD programs
  - Provides visibility into mobile device security without compromising employee privacy
SUMMARIES AND COMPARISONS
EMS Benefits for O365 Customers
Hybrid identity management
- Enterprise Mobility Suite (Azure AD for O365+): single sign-on for all cloud apps; advanced MFA for all workloads; self-service group management and password reset with write-back to on-prem directory; advanced security reports; MIM (Server + CAL)
- Built into O365 (basic identity mgmt. via Azure AD for O365): single sign-on for O365; basic multifactor authentication (MFA) for O365
Mobile device and app management
- Enterprise Mobility Suite (MDM for O365+): PC management; mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps); secure content viewers; certificate provisioning; System Center integration
- Built into O365 (basic mobile device management via MDM for O365): device settings management; selective wipe; built into O365 mgmt. console
Access & information protection
- Enterprise Mobility Suite (RMS for O365+): protection for on-premises Windows Server file shares; email notifications when sharing documents; email notifications when shared documents are forwarded
- Built into O365 (RMS protection via RMS for O365): protection for content stored in Office (on-prem or O365); access to RMS SDK; bring your own key (GA Dec 2014)
EMS Benefits for Windows
Enterprise Mobility Suite
- Identity and access management: conditional access policies for enhanced single sign-on security; MDM auto-enrollment; self-service group and application management; password reset with write-back to on-premises directory; cloud-based advanced security reports; Microsoft Identity Manager
- Mobile device and app management: mobile device management; mobile app management; secure content viewer; certificate, WiFi, VPN, email profile provisioning; agent-based management of Windows devices (domain-joined via ConfigMgr and internet-based via Intune)
- Information protection: tracking and notifications for shared documents; protection for content stored in Office & Office 365; protection for on-premises Windows Server file shares; behavioral analytics for advanced threat detection; detection for known malicious attacks and security issues
Windows 10
- Single sign-on for business cloud apps; device set-up and registration for Windows devices; Windows Store for Business
- Traditional domain join manageability; manageability via MDM and MAM
- Encryption for data at rest and generated on device; encryption for data included in roaming settings
Azure Active Directory Offering Comparison
Azure MFA Offering Comparison: MFA for O365/Azure Administrators vs. Windows Azure Multi-Factor Authentication / EMS
Compare Microsoft Intune to MDM for Office 365
Feature matrix comparing Exchange ActiveSync, MDM for Office 365, Microsoft Intune (cloud only), and Intune + ConfigMgr (hybrid) across four categories: Office 365, premium mobile device & app management, device configuration, and PC management. Features compared:
- Inventory mobile devices that access corporate applications
- Remote factory reset (full device wipe)
- Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
- Self-service password reset (Office 365 cloud-only users)
- Reporting on devices that do not meet IT policy
- Group-based policies and reporting (ability to use groups for targeted device configuration)
- Root and jailbreak detection
- Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
- Prevent access to corporate email and documents based upon device enrollment and compliance policies
- Self-service Company Portal for users to enroll their own devices and install corporate apps
- App deployment (Windows Phone, iOS, Android)
- Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles
- Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management)
- Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune
- Remote device lock via self-service Company Portal and via admin console
- Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.)
- PC software management
- Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.)
- Windows Server/Linux/UNIX/Mac OS X support
- OS deployment and imaging
Azure RMS Offering Comparison: RMS for O365 vs. Azure RMS (EMS)
Cost Effectiveness of EMS vs. Point Solutions (per user/month)
                                             Microsoft EMS    Other vendors
Identity and access management               Included         $8 (1)
Mobile device and application management     Included         $10 (2)
Data protection                              Included         No similar products
Advanced threat detection                    Included         No similar products
Total cost (per user/month)                  $8.75 (3)        $18
(1) Okta Enterprise Edition as of 3/1/2015.
(2) AirWatch Orange Management Suite-Cloud as of 3/1/2015.
(3) 50% savings over standalone offers.
QUESTIONS
Contact Info: Sean McDonough, National Solution Manager
smcdonough@cardinalsolutions.com
Blog: http://www.sharepointinterface.com