mobile device management for office 365 - atidan
TRANSCRIPT
David J. Rosenthal
CEO, Atidan
May 4, 2015
Ignite Conference, Chicago, IL
Mobile Device Management for Office 365
Agenda
• Trends around mobility and BYOD
• MDM for Office 365 overview
• Demo: admin setup and end user experience

Controls by client type

iOS and Android apps
• Enforce app password
• Wipe just the app
• Entire org or individuals (no groups)

Exchange ActiveSync (devices supporting EAS)
• Enforce device password
• Wipe entire device
• Entire org or individuals (no groups)

Other apps (OWA for Devices)
• No controls
Protect your data. Enable your users. Unify your environment.
Devices, apps, data: helping organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or a service account
• Restrict access to Exchange email if a device is not enrolled

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices

Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy security policy
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance
Feature comparison: Built-in MDM for Office 365 vs. Microsoft Intune

Built-in MDM for Office 365 (also included in Microsoft Intune):
• Inventory mobile devices that access corporate applications
• Remote factory reset (full device wipe)
• Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
• Self-service password reset (Office 365 cloud only users)
• Reporting on devices that do not meet IT policy
• Group-based policies and reporting (ability to use groups for targeted device configuration)
• Root cert and jailbreak detection
• Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
• Prevent access to corporate email and documents based upon device enrollment and compliance policies

Microsoft Intune only:
• Self-service Company Portal for users to enroll their own devices and install corporate apps
• Deploy certificates, VPN profiles (including app-specific profiles), and Wi-Fi profiles
• Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management)
• Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune
• Remote device lock via self-service Company Portal and via admin console
• PC management (e.g. inventory, antimalware, patch, policies, etc.)
• OS deployment (via System Center ConfigMgr)
• PC software management
• Single management console for PCs and mobile devices (through integration with System Center ConfigMgr)

The built-in capability covers device management, conditional access and selective wipe; Microsoft Intune extends it to line-of-business apps and to full device, app and PC management.
User-centric approach
Before mobile devices can access Office 365 data, they must be enrolled and healthy.
1. A user downloads the public OneDrive app on a personal iPad.
2. The user is shown a page that directs them to enroll the iPad.
3. The user steps through the enrollment process.
4. The OneDrive app is now MDM enabled.
5. The user is able to access their OneDrive data.
Device Policies
• Control what mobile devices can connect to Office 365 data
• Set device configuration policies such as PIN lock
• Enforce data encryption on devices

Admin Controls
• Built-in management in the Office 365 Admin Center and PowerShell
• Configure device policies by groups
• Product-level granular control

Device Reporting
• Device compliance reports
• Mobile usage and trends in your organization
• API support
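The PowerShell side of the admin controls above, as an added example that is not code from the presentation. It creates the two policy types MDM for Office 365 exposes through Security & Compliance Center PowerShell, a device configuration policy (settings pushed to enrolled devices: PIN lock, encryption, jailbreak detection) and a device conditional access policy (blocks Office 365 data for devices that are not enrolled or do not meet the requirements), and scopes both to one Azure AD group. The admin UPN, policy names, group object ID and the specific setting values are assumptions; Connect-IPPSSession is from the current ExchangeOnlineManagement module, while in 2015 the same cmdlets were reached with New-PSSession against https://ps.compliance.protection.outlook.com/powershell-liveid/ followed by Import-PSSession.

```powershell
# Added example (not from the presentation). Creates and scopes the built-in
# MDM for Office 365 policies with Security & Compliance Center PowerShell.
# Assumptions: admin UPN, policy names, group object ID, setting values.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$groupId    = '11111111-2222-3333-4444-555555555555'   # assumed: ObjectId of the Azure AD group "MDM Pilot Users"
$configName = 'Contoso - Baseline device settings'
$caName     = 'Contoso - Require enrolled compliant device'

# --- Device configuration policy: settings pushed to enrolled devices ---------
New-DeviceConfigurationPolicy -Name $configName

# A rule carries both the settings and the target group. TargetGroups takes
# Azure AD group object IDs (GUIDs): this is "configure device policies by groups".
New-DeviceConfigurationRule -Policy $configName -TargetGroups $groupId `
    -PasswordRequired $true `
    -AllowSimplePassword $false `
    -PasswordMinimumLength 6 `
    -PasswordTimeout '00:05:00' `
    -MaxPasswordAttemptsBeforeWipe 10 `
    -PhoneMemoryEncrypted $true `
    -AllowJailbroken $false

# --- Device conditional access policy: gate Office 365 data on compliance ----
# A device in the target group that is not enrolled, or that fails these
# requirements, is blocked from Exchange, SharePoint and OneDrive data.
New-DeviceConditionalAccessPolicy -Name $caName

New-DeviceConditionalAccessRule -Policy $caName -TargetGroups $groupId `
    -PasswordRequired $true `
    -PhoneMemoryEncrypted $true `
    -AllowJailbroken $false

# --- Verify what will be evaluated for the pilot group ------------------------
Get-DeviceConfigurationRule |
    Where-Object { $_.TargetGroups -contains $groupId } |
    Format-List Name, Policy, TargetGroups, PasswordRequired, PasswordMinimumLength,
                PasswordTimeout, MaxPasswordAttemptsBeforeWipe, PhoneMemoryEncrypted, AllowJailbroken

Get-DeviceConditionalAccessRule |
    Where-Object { $_.TargetGroups -contains $groupId } |
    Format-List Name, Policy, TargetGroups, PasswordRequired, PhoneMemoryEncrypted, AllowJailbroken

# Disconnect-ExchangeOnline also tears down sessions opened by Connect-IPPSSession.
Disconnect-ExchangeOnline -Confirm:$false
```

Two practical points: only users in TargetGroups are evaluated, so anyone outside the pilot group keeps unrestricted access until a rule covers them, and the configuration rule and the conditional access rule are independent objects, so a setting you want enforced before access is granted has to appear in the conditional access rule, not just the configuration rule.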
The IT admin can wipe Office 365 data from the user's device. When they trigger the wipe, all of the data cached or stored by the apps is deleted, while all of the user's personal content remains intact.
1. An employee uses Office 365 apps and data on a mobile device. The employee leaves the company.
2. The IT admin logs in to the Office 365 Admin Center to perform a selective wipe.
3. The Office 365 data is removed from the Office applications, leaving personal information intact.
* Native email clients that use ActiveSync will support Conditional Access and Selective Wipe
** Office on Windows Phone (combined app)
Exchange quarantine notification (demo screenshot):
Action required to access your organization’s
This email was automatically generated by Microsoft Exchange. You are receiving this message because your IT department requires that you enroll your device in order to access Exchange email. This helps to protect corporate information in your organization. Follow the steps listed on this site to enroll your device, verify compliance, and activate your email. Please contact your IT department with any questions or problems.
Managed-app paste block (demo screenshot):
Pasting content not allowed. This content is managed by Contoso. The destination is not. Pasting this content is not allowed by your administrator. [Paste] [Close]
Device Not Enrolled email (demo screenshot):
From: Contoso IT
Subject: Device Not Enrolled
Thu 1/16, 11:18
To: Contoso Employees
To access emails and other company resources, your device needs to be enrolled with Contoso. To enroll your device follow the instructions below:
Step 1: Enroll your device
Step 2: Once you’ve enrolled your device, click here to activate
Activation page (demo screenshot, https://activate.aad/contoso/):
Activation Successful! Your access to emails and other company resources has been granted.
[Diagram: conditional access architecture. Users on their devices enroll with Microsoft Intune (Workplace Join + management). Intune enrolls the device and evaluates and enforces compliance with the device management policies set by the IT admin, then reports device compliance to Azure AD, which gates access to Office 365.]

Conditional access control - Exchange ActiveSync (EAS)
[Diagram: EAS client, EAS server, Azure AD DRS and Intune. Azure AD holds a device object with device id, isManaged, MDMStatus and EASIDs.]
1. The EAS client requests email, presenting its EAS ID, username and password to the EAS server.
2. The EAS server looks up the device's compliance state in Azure AD DRS.
3. A device that is unknown or not compliant is pushed into quarantine and the user receives the quarantine email (Step 1: Enroll device; Step 2: Register EAS client).
4. The user enrolls the device with Intune.
5. Intune sets the device management/compliance status on the device object in Azure AD.
6. The user registers the EAS email client.
7. Azure AD creates the EAS ID to device ID binding, so the next lookup in step 2 finds a managed, compliant device.
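The Exchange Online side of the two scenarios above, the departing employee and the devices that the EAS flow holds in quarantine, as an added example that is not code from the presentation. The selective wipe of Office app data described earlier is triggered from the Office 365 Admin Center; what Exchange PowerShell exposes is the EAS-level control from the agenda slide, device password and full-device wipe, plus the device access state that the quarantine flow manipulates. The mailbox, admin UPN and notification address are assumptions, as is the remark about External* access-state reasons; it requires the ExchangeOnlineManagement module.

```powershell
# Added example (not from the presentation). Exchange Online view of EAS
# devices for a leaver and of devices in conditional-access quarantine.
# Assumptions: admin UPN, leaver mailbox, notification address.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$leaver   = 'jdoe@contoso.com'            # assumed mailbox of the departing employee
$notifyTo = 'it-security@contoso.com'     # assumed address that receives wipe confirmations

# (a) Inventory every EAS partnership the mailbox has, with sync time and access state.
$devices = Get-MobileDeviceStatistics -Mailbox $leaver
$devices |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, DeviceId,
                  DeviceAccessState, DeviceAccessStateReason, LastSuccessSync |
    Format-Table -AutoSize

# Full device wipe (factory reset) of each partnership: the EAS-level control,
# not the app-level selective wipe. The command is queued and runs on the
# device's next sync, so it does not replace blocking the account and resetting
# its credentials in Azure AD.
foreach ($d in $devices) {
    Clear-MobileDevice -Identity $d.Identity -NotificationEmailAddresses $notifyTo -Confirm:$false
}

# Exchange stamps the request immediately and the acknowledgement only when the
# device reports back; an empty DeviceWipeAckTime means it has not synced since.
Get-MobileDeviceStatistics -Mailbox $leaver |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# (b) Tenant-wide view of the quarantine state used in the EAS flow. Devices the
# conditional access check has parked show DeviceAccessState = Quarantined;
# DeviceAccessStateReason separates an Exchange-side block (Global, Individual,
# DeviceRule, Policy) from one set by the device management service (assumption:
# reported as an External* reason).
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId,
                  DeviceAccessStateReason, FirstSyncTime |
    Sort-Object FirstSyncTime -Descending |
    Format-Table -AutoSize

# Native EAS fallback when the device management service is not in the path:
# hold unknown devices in quarantine and notify admins instead of allowing them.
# This is a tenant-wide setting; check the current value before changing it.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients $notifyTo

Disconnect-ExchangeOnline -Confirm:$false
```

The wipe and the access-state report are the two things to keep from this: the wipe confirms only when the device syncs, so the leaver's account must be disabled in Azure AD first, and a device sitting in quarantine with a management-service reason is exactly the state the quarantine email and activation page above are designed to get the user out of.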
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Microsoft Intune

Complete mobile application management
• Securely access corporate information using Office mobile apps, while preventing company data loss by restricting actions such as copy/cut/paste/save in your managed app ecosystem
• Extend these capabilities to existing line of business apps using the Intune app wrapper
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
Manage all of your corporate apps and data with Intune’s mobile device and application management solution, keeping corporate and personal data separate on the device.

Mobile device management
• Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled for management
• Enable bulk enrollment of task-worker devices to set policies and deploy applications on a large scale
• Provide a self-service Company Portal for users to enroll their own devices and install corporate apps

PC management
• Provide lightweight, agentless management from the cloud
• Connect Intune to System Center 2012 R2 Configuration Manager to manage all of your devices including PCs, Macs, Unix/Linux servers, and mobile devices from a single management console
• Provide real-time protection against malware threats on managed computers
• Collect information about hardware configurations and software installed on managed computers
• Deploy software based upon policies set by the administrator