Introduction to security on Windows 10 Mobile
TRANSCRIPT
![Page 1: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/1.jpg)
Page 1: Windows 10 Mobile security introduction

Page 2: Access from anywhere using any device
Protect: protect access to company resources.
Confidential: enforce enterprise security policies on phones.
Manage: easy management and deployment.

Page 3: Threats addressed: bootkits, malicious software, data leakage.

Page 4: Chain of trust
Only trusted pre-OS firmware code can execute.
The firmware only boots a trusted Windows 10 Mobile OS image.
The Windows 10 Mobile OS allows only trusted and signed apps to run.
Apps can only access the phone features they require.
Device health can be attested by a remote server.

Page 6: Four security areas: device management, access control, app security, data protection.

Page 7: Security features by area
Device management: EAS policies, MDM, provisioning packages, 100+ new policies.
Access control: Windows Hello, PIN, client certificates, conditional access.
App security: Store checks, signed apps, app containers, app restrictions.
Data protection: device encryption, EDP, VPN, IRM and S/MIME.

Page 8: Manage the mobile fleet
Management lifecycle: device configuration, device deployment, app management, device operations, device retirement. 100+ new policies are available.

Page 9: Secure startup

Page 10: Hardware only loads an unmodified Windows 10 Mobile OS
Unmodified Windows 10 Mobile OS: loaded. Modified OS: not loaded. Other OS: not loaded.
The user knows they are working with a genuine operating system from Microsoft.
Prevents attacks: disabling of security controls; a malicious OS that looks like Windows 10 Mobile.

Page 11: Boot components
Chipset (ARM): one-time writable info, keys and settings.
UEFI firmware: digitally signed drivers.
Windows 10 Mobile OS: OS loader and OS, both digitally signed.

Page 12: Secure boot sequence
The chipset holds the Platform Key (PK), the Key Exchange Keys (KEK) and the allowed signature DB; the Windows 10 Mobile OS loader carries a signature.
The power key is pressed, then:
1. The chipset starts the trusted UEFI firmware.
2. UEFI verifies the OS loader signature.
3. UEFI checks that the signature is allowed (present in the allowed signature DB).
4. UEFI loads the trusted OS loader.
5. The OS loader loads the trusted OS components.

Pages 13-15: Measured boot and health attestation
UEFI creates a log of the boot process. This boot data is sent to the Health Attestation Service (HAS), which evaluates it and returns a health token to the device.

Pages 16-21: Conditional access with health attestation (Azure AD, Microsoft Intune, HAS)
1. The device authenticates to Azure AD and tries to access services. Access denied: prove that you are healthy.
2. The device provides health and policy information to Intune and the HAS.
3. The HAS verifies device health: the device is healthy.
4. Intune evaluates the conditional access policy: PIN configured, encryption enabled, enrolled to MDM, device reported healthy.
5. Intune updates the compliance state in Azure AD.
6. The device authenticates again and access is granted: the user can use Mail and Calendar.

Page 22: Secure setup

Page 23: Configuration channels
EAS client: receives policies from Microsoft Exchange.
MDM client: receives policies from the MDM server.
Provisioning engine: applies a provisioning package built with Windows Imaging and Configuration Designer (ICD).

Page 24: Policy merge rules
One channel (Microsoft Exchange or the MDM server) sets minimum PIN length = 8 and alphanumeric PIN required = False; the other sets minimum PIN length = 5 and alphanumeric PIN required = True. The effective policy is minimum PIN length = 8 and alphanumeric PIN required = True.
For security related settings the most secure policy wins.
For non-security related settings the last write wins according to priority; MDM has higher priority than provisioning packages.

Page 25: Configuration Service Providers
A provisioning package or the MDM server pushes policies through CSPs:
ActiveSync CSP: configure company email accounts.
WiFi CSP: configure company Wi-Fi networks.
Policy CSP: configure device lock policies, hardware restrictions and UI restrictions; enable device encryption.
ClientCertificateInstall CSP: manage client certificates.
RemoteWipe CSP: remotely wipe a device.
VPNv2 CSP: configure a VPN profile for accessing the company intranet.

Page 26: Policy CSP hardware restrictions
AllowCamera, AllowBluetooth, AllowWiFi, AllowNFC, AllowLocation, AllowStorageCard, AllowUSBConnection.

Page 27: Accounts

Page 28: Account types
AAD (work or school) account from Microsoft Azure AD: Skype for Business, SharePoint, Exchange.
Personal Microsoft account: Outlook.com, OneDrive, Xbox Live, Store.

Page 29: Directory topologies
On-premises: company AD with domain joined computers (AD join).
Microsoft cloud: Azure Active Directory with cloud joined computers and cloud joined phones (AAD join).
The Directory Sync Tool synchronizes the company AD to Microsoft Azure AD.

Pages 30-33: Enrollment flow (Azure AD Premium and Microsoft Intune)
1. The user sets up a work account.
2. The phone is automatically enrolled in Microsoft Intune.
3. Intune pushes policies to the phone.

Page 34: Default account
The first account configured on the phone becomes the default account. It can be a Microsoft account or a work or school account. To change the default account the user must reset the phone to factory settings. Other accounts can be added alongside the default account.

Page 35: Account restrictions
Account types: Microsoft account, AAD account, other email accounts.
Policies: deny adding Microsoft accounts to the device; deny adding non-Microsoft email accounts to the device; deny the user changing the account configuration.

Pages 36-39: Default account options
Option 1: the default account is a Microsoft account; possible other accounts are an AAD account and other email accounts.
Option 2: the default account is an AAD account; possible other accounts are a Microsoft account and other email accounts.
In both options the "deny adding Microsoft accounts" and "deny adding non-Microsoft email accounts" policies restrict which other accounts can be added.

Page 40: Passwords and Hello

Page 41: Weaknesses of passwords
Password theft: a password is stored on the server and known by the user, so a server breach can lead to the loss of thousands of passwords.
Usable from any device: services and data can be accessed from any device and location with the same password.

Page 42: PIN
The lock screen password has been replaced with the PIN feature: a PIN is used instead of a password for authentication. The PIN is tied to the phone and cannot be used from other devices; it is local to the phone and not stored on an external server.

Page 43: Personal PIN and work PIN
Personal PIN: used as the lock screen password and to authenticate Store purchases.
Work PIN: authenticates access to managed apps.
The phone can be wiped after the lock screen PIN is entered wrong too many times (managed by policy).

Pages 44-45: Only numerical PINs can be used by default. The enterprise can enforce alphanumerical PINs via policy.

Page 46: PIN policy settings (1)
Expiration: FALSE, or 1-730 days.
UseCertificateForOnPremAuth: ENABLE / DISABLE.
UseBiometrics: ALLOW / DON'T ALLOW.
UsePassportForWork: TRUE / FALSE.
History: 0, or 1-50 previous PINs remembered (example: with raspberry, strawberry and blueberry in the history, choosing raspberry again is rejected).

Page 47: PIN policy settings (2)
UppercaseLetters, LowercaseLetters, SpecialCharacters, Digits: each REQUIRE AT LEAST ONE / ALLOW / DON'T ALLOW (example of a PIN meeting all four: P277w6rd#).
MinimumPINLength: 4 to the configured maximum. MaximumPINLength: the configured minimum to 127 (example: "password" ...).

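Added example, not part of the deck: a Python validator that applies the PIN settings from pages 46-47 to a candidate PIN and reports every rule it breaks, including the documented ranges of the settings themselves. Setting names are the slide's, spelt as Python fields; the policies, the candidate PINs and the history list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PinPolicy:
    """The PIN settings on pages 46-47 with their documented ranges.

    Three-state settings take 'require' (REQUIRE AT LEAST ONE), 'allow' or
    'deny' (DON'T ALLOW).
    """
    minimum_pin_length: int = 4             # 4 .. maximum_pin_length
    maximum_pin_length: int = 127           # minimum_pin_length .. 127
    uppercase_letters: str = "deny"
    lowercase_letters: str = "deny"
    special_characters: str = "deny"
    digits: str = "require"                 # numeric PINs are the default
    history: int = 0                        # 0, or 1 .. 50 previous PINs
    expiration_days: Optional[int] = None   # None (FALSE), or 1 .. 730

    def __post_init__(self):
        if not 4 <= self.minimum_pin_length <= self.maximum_pin_length <= 127:
            raise ValueError("PIN length bounds must satisfy 4 <= min <= max <= 127")
        if not 0 <= self.history <= 50:
            raise ValueError("History must be 0 or 1..50")
        if self.expiration_days is not None and not 1 <= self.expiration_days <= 730:
            raise ValueError("Expiration must be FALSE or 1..730 days")
        for name in ("uppercase_letters", "lowercase_letters", "special_characters", "digits"):
            if getattr(self, name) not in ("require", "allow", "deny"):
                raise ValueError(f"{name} must be require, allow or deny")


CLASSES = {
    "uppercase_letters": re.compile(r"[A-Z]"),
    "lowercase_letters": re.compile(r"[a-z]"),
    "digits": re.compile(r"[0-9]"),
    "special_characters": re.compile(r"[^A-Za-z0-9]"),
}


def validate_pin(pin: str, policy: PinPolicy, previous: Sequence[str] = ()) -> List[str]:
    """Return the policy violations for a candidate PIN (an empty list means accepted)."""
    problems = []
    if len(pin) < policy.minimum_pin_length:
        problems.append(f"shorter than MinimumPINLength={policy.minimum_pin_length}")
    if len(pin) > policy.maximum_pin_length:
        problems.append(f"longer than MaximumPINLength={policy.maximum_pin_length}")
    for name, pattern in CLASSES.items():
        mode = getattr(policy, name)
        present = bool(pattern.search(pin))
        if mode == "require" and not present:
            problems.append(f"{name}: at least one required")
        elif mode == "deny" and present:
            problems.append(f"{name}: not allowed")
    # History: the most recent `history` PINs cannot be reused (page 46 example).
    if policy.history and pin in list(previous)[-policy.history:]:
        problems.append(f"reused one of the last {policy.history} PINs")
    return problems


# Constructed policies: the numeric default, and an enterprise policy that
# enforces an alphanumeric PIN with every character class (page 47 example).
NUMERIC_DEFAULT = PinPolicy()
ENTERPRISE = PinPolicy(minimum_pin_length=8, uppercase_letters="require",
                       lowercase_letters="require", special_characters="require",
                       digits="require", history=3, expiration_days=90)
HISTORY_DEMO = PinPolicy(history=3, digits="allow", lowercase_letters="allow")

if __name__ == "__main__":
    print("P277w6rd#:", validate_pin("P277w6rd#", ENTERPRISE))
    print("password:", validate_pin("password", ENTERPRISE))
    print("raspberry:", validate_pin("raspberry", HISTORY_DEMO,
                                     ["raspberry", "strawberry", "blueberry"]))
    print("1234 (default):", validate_pin("1234", NUMERIC_DEFAULT))
```

Because the default policy denies letters and special characters, a phone left on defaults accepts only digits, which is exactly why the enterprise policy on page 45 has to switch the three other classes to "allow" or "require" before an alphanumeric PIN can be set.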
Page 48: Remote assistance

Pages 49-52: Windows Hello
User authentication based on a biometric signature. It can be used instead of a PIN to unlock the phone and to authenticate to apps and services. The wrong user is rejected; the correct user is accepted.

Page 53: Supported authentication types: facial recognition, iris scanning, fingerprint recognition.

Pages 54-55: Hardware requirements
Windows Hello requires special hardware on the phone and is not supported by all phones running Windows 10 Mobile. Iris scanning needs an iris sensor and an iris LED; the Microsoft Lumia 950 supports iris scanning.

Page 56: Client certificates
A certificate can be used instead of password authentication: the certificate proves the user's identity. Used by Microsoft Edge, Wi-Fi and VPN.
Example exchange with a company web server: GET ylearning.sharepoint.com; SSL Server Hello (server cert); SSL client response with the user's client certificate (issued by CA2, EKU = Client Authentication, 1.3.6.1.5.5.7.3.2).

Page 57: Certificate deployment
Sources: an email attachment; download from a web server; the MDM server (add, delete and query certificates; configure enrollment to a SCEP server); a SCEP server (enroll/renew certificate).
Supported formats: .cer, .p7b, .pem, .pfx (with password protection).
The Certificates app can be used to view installed certificates.

Page 58: Email, Office and Microsoft Edge

Page 59: Information Rights Management
Restrict actions for emails and documents: reply, forward, copy, view, edit, save. Requires Azure Rights Management Services. Intended recipients can only take the actions specifically granted to them.

Page 60: IRM-aware apps: Outlook Mail, Office Mobile apps, pictures (with the RMS sharing app).

Pages 61-64: Permissions and Share dialogs (screenshots).

Page 65: Azure Rights Management Services
1. Create a new rights policy template.
2. Configure the rights for the template.
3. Specify which users and groups can use the template.

Pages 66-67: Applying IRM
Apply IRM on the client (RMS sharing app) or apply IRM on the email server (Exchange Online), both backed by Azure Rights Management Services.

Page 68: Exchange transport rules
A rule has a condition, an action and an exception: if the condition is met, the selected action is applied (example condition: received message is protected).

Page 69: S/MIME
Digitally sign messages: recipients can identify the sender and verify message integrity.
Encrypt outgoing messages and attachments: only the intended recipients who have the correct certificate can read them.
Requires a valid personal S/MIME certificate. Only works with EAS accounts.

Page 70: Microsoft Edge security
SmartScreen filter: (1) the URL is checked in the local whitelist, (2) the URL is checked against the list of unsafe web pages on a Microsoft server, (3) the check result (for example unsafe) is returned. Periodic anonymous reporting. No plug-ins are supported. Edge runs in an isolated container.

Page 71: Edge policies
Allow/deny: search suggestions in the address bar, SmartScreen, browser, cookies, Do Not Track headers, password manager.
Configure home page and favorites.
Prevent SmartScreen prompt override; prevent SmartScreen prompt override for files.

Page 72: App security

Camera
SD card
Sensors
Location
Microphone
Every app runs
inside its own
isolated container
Containers are isolated
from each other
Containers have access to
specific phone capabilities
![Page 74: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/74.jpg)
App container benefits
1. App isolation
2. Attack surface reduction
3. User consent and control
![Page 75: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/75.jpg)
Download app
App
manifest
Windows Store
App +
Publish app
Developer specifies
required capabilities
in a manifest file
Manifest file used in
app certification process
User sees required
capabilities in app
details page in Store
Phone creates a new
container for the app
Access to only
the required
capabilities
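The manifest flow above is the point where a reviewer can catch an over-privileged app before it is certified or sideloaded. The Python script below is an added example, not from the deck and not Microsoft tooling: it parses a Package.appxmanifest, lists the capabilities the developer declared, flags those that map to the sensitive phone features named earlier (camera, SD card, location, microphone), and checks the package publisher against an allow list, the same publisher-based criterion the deck's app allow/deny lists use. The namespace URIs and capability names are those of the Windows 10 package manifest schema; the SENSITIVE table, the allow list and the sample manifest are constructed for this example.

```python
"""Vet an app package's manifest before approving it as a LOB app.

Added example (not from the deck): reads the Package.appxmanifest that
Windows 10 apps ship with, lists declared capabilities, flags the ones that
reach sensitive phone features, and checks the publisher against an allow
list. SENSITIVE and SAMPLE_MANIFEST are constructed for this example.
"""
from xml.etree import ElementTree as ET

NS = {
    "f": "http://schemas.microsoft.com/appx/manifest/foundation/windows10",
    "uap": "http://schemas.microsoft.com/appx/manifest/uap/windows10",
}

# Capability name -> phone feature it unlocks. Editor's classification.
SENSITIVE = {
    "webcam": "Camera",
    "microphone": "Microphone",
    "location": "Location",
    "removableStorage": "SD card",
    "picturesLibrary": "Pictures library",
    "contacts": "Contacts",
    "phoneCall": "Phone calls",
    "enterpriseAuthentication": "Enterprise credentials",
}

# Constructed sample: a fictitious LOB app that asks for more than it needs.
SAMPLE_MANIFEST = """
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">
  <Identity Name="Contoso.FieldReport" Version="1.2.0.0"
            Publisher="CN=Contoso Ltd, O=Contoso Ltd, C=FI" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <uap:Capability Name="removableStorage" />
    <DeviceCapability Name="webcam" />
    <DeviceCapability Name="location" />
  </Capabilities>
</Package>
"""


def declared_capabilities(manifest_xml: str) -> list:
    """Return every capability name under <Capabilities>, whatever the
    element flavour (Capability, uap:Capability, DeviceCapability)."""
    root = ET.fromstring(manifest_xml.strip())
    caps = root.find("f:Capabilities", NS)
    if caps is None:
        return []
    return sorted(el.get("Name") for el in caps if el.get("Name"))


def audit_manifest(manifest_xml: str, allowed_publishers: set) -> dict:
    """Summarise what a reviewer needs before approving the package."""
    root = ET.fromstring(manifest_xml.strip())
    identity = root.find("f:Identity", NS)
    if identity is None:
        raise ValueError("manifest has no <Identity> element")
    publisher = identity.get("Publisher", "")
    caps = declared_capabilities(manifest_xml)
    return {
        "name": identity.get("Name"),
        "version": identity.get("Version"),
        "publisher": publisher,
        # Same criterion as a publisher-based app allow list.
        "publisher_allowed": publisher in allowed_publishers,
        "capabilities": caps,
        # Capabilities the reviewer should ask the developer to justify.
        "sensitive": {c: SENSITIVE[c] for c in caps if c in SENSITIVE},
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, {"CN=Contoso Ltd, O=Contoso Ltd, C=FI"})
    for cap, feature in report["sensitive"].items():
        print(f"{report['name']} asks for {cap} ({feature}): justify before approval")
```

Run it against the manifest extracted from a real .appx (it is a plain XML file inside the package) and compare the flagged capabilities with what the app actually needs; anything unjustified is a reason to reject before it reaches the Store listing or the sideloading channel.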
![Page 76: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/76.jpg)
Camera access:
Privacy control
User can dynamically control apps' access
to these capabilities from phone settings
Some capabilities can provide
access to sensitive or private
information
![Page 77: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/77.jpg)
MDM / company
server
Apps can only be
installed from
Store by default
Windows Store
![Page 78: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/78.jpg)
MDM / company
server
App sideloading or
developer mode must be
enabled to install LOB apps
Can be enabled manually from
settings or with a policy
Windows Store
![Page 79: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/79.jpg)
Store control
Disable Store app completely
Only allow private Store
SD card control
Prevent apps from being
installed to the SD card
Prevent app data from being
installed to the SD card
App restrictions
App allow or deny lists
(based on app ID or publisher)
Disable developer mode
Disable automatic app updates
![Page 80: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/80.jpg)
Updates
and wipe
![Page 81: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/81.jpg)
All updates are
signed and
distributed by
Microsoft
![Page 82: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/82.jpg)
All updates are
delivered over
the air (OTA)
Cellular
Wi-Fi
![Page 84: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/84.jpg)
User can schedule when the
update is installed, but cannot
opt out from the updates
![Page 86: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/86.jpg)
Enterprise admins can monitor
the software versions in their
mobile fleet using MDM
Enterprises can control and postpone
software updates for Windows 10
Mobile Enterprise version
![Page 87: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/87.jpg)
Windows 10 Mobile:
Cannot postpone software updates
Install up to 20 self-signed LOB apps on a phone
Telemetry data gathering cannot be disabled
Windows 10 Mobile Enterprise:
Postpone and curate software updates
No limit on the number of self-signed LOB apps that can be installed
Disable telemetry data gathering
![Page 88: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/88.jpg)
Reset using hardware keys
Reset from phone settings
User
![Page 89: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/89.jpg)
Reset with the
Windows Device
Recovery Tool
User
![Page 90: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/90.jpg)
Reset from
Windowsphone.com
User
![Page 91: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/91.jpg)
Reset from Office 365
/ Exchange Online
User
![Page 92: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/92.jpg)
Reset with Exchange /
Office 365 admin tools
Reset with Intune /
3rd party MDM server
Reset with SCCM
Manual device reset
can be prevented
with a policy
Admin
Wipe phone?
Yes No
User
![Page 93: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/93.jpg)
Wrong PIN entered up to n-1 times: unlock still possible
Wrong PIN entered n times: wipe
Automatic reset after entering
wrong PIN too many times
(managed by policy)
![Page 94: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/94.jpg)
SD card contents
can also be erased
with device wipe
![Page 95: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/95.jpg)
Persistent
storage
Non-persistent
storage
SD card contents
can also be erased
with device wipe
Installed
provisioning
packages can
be retained and
re-applied after
the wipe has
been completed
![Page 97: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/97.jpg)
Phone
encryption
and VPNs
![Page 98: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/98.jpg)
Device encryption
BitLocker technology
AES-CBC 128
Enterprise can configure the encryption method and cipher strength via MDM
No PIN for encryption
Keys protected by platform security
Mass memory contents not readable outside the OS
SD card contents cannot be encrypted
Encryption/decryption is done by the running OS: apps, and a computer connected over USB MTP, see the decrypted contents of storage
![Page 99: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/99.jpg)
Enabling device encryption
Exchange: EAS policy RequireDeviceEncryption
MDM or provisioning package: Policy CSP RequireDeviceEncryption
Management systems cannot be used to disable encryption
Can be enabled and disabled also by the user
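The Edge policies (page 71), the Store, SD card and app restrictions (page 79) and RequireDeviceEncryption above all reach the phone the same way: as Policy CSP nodes set over OMA-DM. The Python below is an added example, not from the deck and not any MDM product's code. It validates a set of policy values, builds the SyncML Replace commands an MDM server would send, and parses a message back so you can audit what was actually pushed. The LocURI paths follow the Policy CSP layout ./Vendor/MSFT/Policy/Config/<Area>/<Policy>; which node corresponds to which slide bullet, and the hardened baseline values, are the editor's choices and should be checked against the CSP reference for the target build.

```python
"""Push Policy CSP settings to a phone as an OMA-DM SyncML message.

Added example, not from the deck or any MDM product. Node paths follow the
Policy CSP layout; the node-to-slide mapping and BASELINE are the editor's.
"""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

POLICY_ROOT = "./Vendor/MSFT/Policy/Config/"

# Nodes used here and the values they accept (all integers on this CSP).
# 0 = off/disallowed, 1 = on/allowed; 65535 = "not configured" where the
# CSP offers it. None = any non-negative integer.
KNOWN_POLICIES = {
    # Store, SD card and app restrictions
    "ApplicationManagement/AllowStore": {0, 1},
    "ApplicationManagement/RequirePrivateStoreOnly": {0, 1},
    "ApplicationManagement/AllowAllTrustedApps": {0, 1, 65535},   # sideloading
    "ApplicationManagement/AllowDeveloperUnlock": {0, 1, 65535},  # developer mode
    "ApplicationManagement/AllowAppStoreAutoUpdate": {0, 1},
    "ApplicationManagement/RestrictAppToSystemVolume": {0, 1},
    "ApplicationManagement/RestrictAppDataToSystemVolume": {0, 1},
    # Edge policies
    "Browser/AllowBrowser": {0, 1},
    "Browser/AllowSmartScreen": {0, 1},
    "Browser/PreventSmartScreenPromptOverride": {0, 1},
    "Browser/PreventSmartScreenPromptOverrideForFiles": {0, 1},
    "Browser/AllowCookies": {0, 1, 2},  # 0 block all, 1 block third-party, 2 allow
    "Browser/AllowDoNotTrack": {0, 1},
    "Browser/AllowPasswordManager": {0, 1},
    "Browser/AllowSearchSuggestionsinAddressBar": {0, 1},
    # Encryption and PIN lockout
    "Security/RequireDeviceEncryption": {0, 1},
    "DeviceLock/MaxDevicePasswordFailedAttempts": None,
}

# A hardened baseline following the deck's bullets (editor's choice).
BASELINE = {
    "ApplicationManagement/RequirePrivateStoreOnly": 1,
    "ApplicationManagement/AllowAllTrustedApps": 1,   # LOB sideloading via MDM
    "ApplicationManagement/AllowDeveloperUnlock": 0,
    "ApplicationManagement/RestrictAppToSystemVolume": 1,
    "ApplicationManagement/RestrictAppDataToSystemVolume": 1,
    "Browser/AllowSmartScreen": 1,
    "Browser/PreventSmartScreenPromptOverride": 1,
    "Browser/PreventSmartScreenPromptOverrideForFiles": 1,
    "Security/RequireDeviceEncryption": 1,
    "DeviceLock/MaxDevicePasswordFailedAttempts": 10,
}


def validate(settings: dict) -> None:
    """Reject unknown nodes and out-of-range values before anything is sent."""
    unknown = sorted(set(settings) - set(KNOWN_POLICIES))
    if unknown:
        raise ValueError(f"unknown policy nodes: {unknown}")
    for node, value in settings.items():
        allowed = KNOWN_POLICIES[node]
        if not isinstance(value, int) or isinstance(value, bool) or value < 0:
            raise ValueError(f"{node}: value must be a non-negative int, got {value!r}")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{node}: {value} not in {sorted(allowed)}")


def build_syncml(settings: dict, first_cmd_id: int = 1) -> str:
    """One Replace command per node; CmdIDs are unique within the message."""
    validate(settings)
    cmds = []
    for cmd_id, (node, value) in enumerate(settings.items(), start=first_cmd_id):
        cmds.append(
            "<Replace>"
            f"<CmdID>{cmd_id}</CmdID>"
            "<Item>"
            f"<Target><LocURI>{escape(POLICY_ROOT + node)}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">int</Format></Meta>'
            f"<Data>{value}</Data>"
            "</Item>"
            "</Replace>"
        )
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>'
        + "".join(cmds)
        + "<Final/></SyncBody></SyncML>"
    )


def parse_syncml(doc: str) -> dict:
    """Read a message back into {LocURI: int}, e.g. from an MDM server log."""
    ns = {"s": "SYNCML:SYNCML1.2"}
    root = ET.fromstring(doc)
    out = {}
    for item in root.iterfind(".//s:Replace/s:Item", ns):
        uri = item.find("s:Target/s:LocURI", ns).text
        out[uri] = int(item.find("s:Data", ns).text)
    return out


if __name__ == "__main__":
    print(build_syncml(BASELINE))
```

Note what the baseline cannot express: the deck says management systems can require encryption but cannot turn it off, so sending RequireDeviceEncryption=0 merely stops requiring it, and AllowAllTrustedApps=1 with AllowDeveloperUnlock=0 is the combination that lets the MDM deliver LOB apps while keeping developer mode closed.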
![Page 100: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/100.jpg)
Virtual Private Network (VPN)
Encrypted VPN tunnel from the phone over the Internet to the VPN server/firewall, giving access to intranet servers on the company network
Tunnel types:
IPsec (IKEv2)
L2TP
PPTP
SSL-VPN (vendor-specific app)
Authentication:
Username/password
Smart card
One-time password
Client certificate
![Page 101: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/101.jpg)
Split tunneling
Open tunnel when traffic goes to a configured domain / IP range (destination 10.2.2.0/24, 10.5.3.73)
Open tunnel when specific apps are launched
Matching traffic goes through the VPN server/firewall to the company network; other traffic goes directly to the Internet
![Page 102: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/102.jpg)
VPN lockdown
VPN is always on and cannot be disconnected
Filter list of apps and subnets (destination 10.2.2.0/24, 10.5.3.73) determines what traffic can go over the tunnel to the VPN server/firewall and company network
All other traffic, including traffic to the Internet, is dropped
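Split tunneling and VPN lockdown apply the same filters; they differ only in what happens to traffic that matches none of them, and in whether the user can close the tunnel. The Python below is an added example, not from the deck, that models that decision with the slides' destinations 10.2.2.0/24 and 10.5.3.73. The trigger app name, the domain trigger and the tunnel/direct/drop labels are the editor's.

```python
"""Model the phone's VPN traffic decision: split tunneling vs. lockdown.

Added example, not from the deck. Subnet filters are the deck's; app and
domain triggers and the decision labels are the editor's.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnProfile:
    subnets: list                                   # destination IP ranges that belong in the tunnel
    domains: list = field(default_factory=list)     # destination name suffixes that belong in the tunnel
    trigger_apps: set = field(default_factory=set)  # apps whose traffic opens and uses the tunnel
    lockdown: bool = False                          # True: always on, unmatched traffic is dropped

    def __post_init__(self):
        # "10.5.3.73" becomes a /32 network; "10.2.2.0/24" stays a range.
        self.subnets = [ipaddress.ip_network(s) for s in self.subnets]
        self.domains = [d.lower().strip(".") for d in self.domains]
        self.tunnel_up = self.lockdown  # lockdown: tunnel is up from the start

    def matches(self, app, dst_ip, dst_host=None) -> bool:
        """Does this flow belong in the tunnel under the filter list?"""
        if app in self.trigger_apps:
            return True
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in self.subnets):
            return True
        if dst_host:
            h = dst_host.lower().rstrip(".")
            # Suffix match on a label boundary, so corp.contoso.com.evil.example
            # does not match corp.contoso.com.
            return any(h == d or h.endswith("." + d) for d in self.domains)
        return False

    def route(self, app, dst_ip, dst_host=None) -> str:
        """Return 'tunnel', 'direct' or 'drop' for one flow."""
        if self.matches(app, dst_ip, dst_host):
            self.tunnel_up = True   # on-demand: the first matching flow opens it
            return "tunnel"
        return "drop" if self.lockdown else "direct"

    def disconnect(self) -> bool:
        """User-initiated disconnect; refused under lockdown."""
        if self.lockdown:
            return False
        self.tunnel_up = False
        return True


if __name__ == "__main__":
    split = VpnProfile(["10.2.2.0/24", "10.5.3.73"], trigger_apps={"Contoso.Crm"})
    lock = VpnProfile(["10.2.2.0/24", "10.5.3.73"], lockdown=True)
    for app, ip in [("Edge", "10.2.2.17"), ("Edge", "93.184.216.34"), ("Contoso.Crm", "93.184.216.34")]:
        print(f"{app} -> {ip}: split={split.route(app, ip)} lockdown={lock.route(app, ip)}")
```

The practical difference shows in the second row: the same Internet-bound flow is forwarded directly under split tunneling and dropped under lockdown, and under lockdown the tunnel is up before any flow is seen and cannot be closed by the user.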
![Page 103: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/103.jpg)
Enterprise Data
Protection (EDP)
![Page 104: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/104.jpg)
Enroll phone to MDM (Microsoft Intune)
Provision EDP policies and encryption keys
EDP is still in development. Not all features are yet available and features may still be modified!
Protected apps: list of protected apps that are trusted to handle enterprise data
Enterprise network locations: enterprise network locations these apps can access
EDP protection level: what happens when users try to move data outside the protected apps
![Page 105: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/105.jpg)
Enterprise
network
location
Enterprise IP ranges
Enterprise domains
![Page 106: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/106.jpg)
Enterprise
network
location
![Page 107: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/107.jpg)
Enterprise
network
location
![Page 108: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/108.jpg)
Enterprise network location
Protected apps: allow access
Personal apps: prevent access
![Page 109: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/109.jpg)
Restrict cut, copy, and paste
from a protected app to a
personal app
![Page 110: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/110.jpg)
Save from a protected app:
Allow saving to OneDrive for Business
Prevent saving to Dropbox
![Page 111: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/111.jpg)
Block: "Action blocked! This data cannot be copied to this destination" (Ok)
Override: "Action requires confirmation! This action will be logged." (Paste anyway / Cancel)
Silent: create a log in the background
![Page 112: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/112.jpg)
Protected app
Don’t touch personal emails in Outlook Mail
Personal account
Protect work emails in Outlook Mail
Enterprise account
![Page 113: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/113.jpg)
Wipe corporate data from devices
while leaving personal data alone
Unenroll from Microsoft Intune:
remove encryption keys and
wipe inaccessible enterprise
data (documents)
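To see how the EDP pieces from the preceding pages fit together (protected apps, enterprise network locations, the Block/Override/Silent protection levels, and key removal on unenrollment), the following Python is an added example. It is a toy model written for this page, not Microsoft's implementation, and since the deck says EDP was still changing at the time, it encodes only the behaviour the slides describe. App names, hosts, IP ranges, the key identifier and the audit-log format are constructed for the example.

```python
"""Toy model of Enterprise Data Protection (EDP) enforcement on the phone.

Added example, not from the deck and not Microsoft's implementation. It
encodes the policy pieces the slides list and the three protection levels.
App names, hosts, ranges and the key id are constructed for the example.
"""
import ipaddress
from enum import Enum


class Level(Enum):
    BLOCK = "block"        # refuse the transfer and log it
    OVERRIDE = "override"  # prompt; the user may proceed, the action is logged
    SILENT = "silent"      # allow, log in the background
    OFF = "off"


class EdpPolicy:
    def __init__(self, protected_apps, enterprise_domains, enterprise_ip_ranges, level):
        self.protected_apps = set(protected_apps)
        self.domains = [d.lower().strip(".") for d in enterprise_domains]
        self.ranges = [ipaddress.ip_network(r) for r in enterprise_ip_ranges]
        self.level = level
        self.enterprise_key = "edp-key-001"  # provisioned by the MDM at enrollment (constructed)
        self.audit = []                      # what the Silent/Override logs would record

    def is_enterprise_location(self, host=None, ip=None) -> bool:
        """Enterprise domains and IP ranges, as configured in the MDM."""
        if host:
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in self.domains):
                return True
        if ip and any(ipaddress.ip_address(ip) in r for r in self.ranges):
            return True
        return False

    def network_access(self, app, host=None, ip=None) -> bool:
        """Only protected apps may reach enterprise network locations."""
        if not self.is_enterprise_location(host, ip):
            return True
        allowed = app in self.protected_apps
        if not allowed:
            self.audit.append(f"denied: {app} -> enterprise location")
        return allowed

    def tag_data(self, app, host=None, ip=None) -> str:
        """Data a protected app fetches from an enterprise location is
        classified 'enterprise'; everything else stays 'personal'."""
        if app in self.protected_apps and self.is_enterprise_location(host, ip):
            return "enterprise"
        return "personal"

    def transfer(self, src_app, data_tag, dst_app, confirm=False) -> str:
        """Cut/copy/paste or save from src_app into dst_app.
        Returns 'allowed', 'blocked' or 'prompt'."""
        if data_tag != "enterprise" or dst_app in self.protected_apps:
            return "allowed"          # personal data, or protected-to-protected
        if self.level is Level.OFF:
            return "allowed"
        if self.level is Level.BLOCK:
            self.audit.append(f"blocked: {src_app} -> {dst_app}")
            return "blocked"
        if self.level is Level.OVERRIDE:
            if not confirm:
                return "prompt"       # "Action requires confirmation!"
            self.audit.append(f"override: {src_app} -> {dst_app} (user confirmed)")
            return "allowed"
        self.audit.append(f"silent: {src_app} -> {dst_app}")
        return "allowed"

    def read(self, data_tag) -> bool:
        """Enterprise data is readable only while the enterprise key exists."""
        return data_tag != "enterprise" or self.enterprise_key is not None

    def unenroll(self) -> None:
        """Selective wipe: drop the key, so enterprise data becomes
        inaccessible while personal data is untouched."""
        self.enterprise_key = None
        self.audit.append("unenrolled: enterprise key removed")


if __name__ == "__main__":
    p = EdpPolicy({"Outlook Mail", "Word"}, ["contoso.com"], ["10.0.0.0/8"], Level.OVERRIDE)
    tag = p.tag_data("Word", host="sharepoint.contoso.com")
    print("paste into Dropbox:", p.transfer("Word", tag, "Dropbox"))
    print("paste into Outlook Mail:", p.transfer("Word", tag, "Outlook Mail"))
    p.unenroll()
    print("enterprise document readable after unenroll:", p.read(tag))
```

The point to notice is that the tag travels with the data, not with the app: a protected app pasting enterprise data into another protected app is always allowed, and the protection level only decides what happens at the boundary to a personal app.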
![Page 114: Introduction to security on Windows 10 Mobilecompass.microsoft.com/assets/7f/c5/7fc578b1-5750-42fe-b93c... · Mobile security introduction. Access from anywhere using any device Protect](https://reader038.vdocument.in/reader038/viewer/2022103107/5acc6e017f8b9a63398cdd52/html5/thumbnails/114.jpg)