Cloud Insights from Brad Anderson, Corporate Vice President, Enterprise Client & Mobility
Today I am kicking off an exciting blog series that will dive deep into the details of the work we are doing to support and expand Enterprise Mobility. I believe that Enterprise Mobility is going to be one of the most impactful and defining trends we work on as an industry – now and for the foreseeable future.
At Microsoft we talk about our focus being “Mobile First” and “Cloud First.” Sure, you might ask how can there be two “Firsts” – but the answer is simple: Mobile and Cloud are so tightly integrated that delivering the premier Enterprise Mobility solution is best delivered from the Cloud. You simply cannot have one without the other. Mobile devices come alive and become intensely personal as they consume cloud services, and the cloud fundamentally changes the industry’s ability to deliver new value and new capabilities to our customers on a daily basis.
What I hope to accomplish through this blog series is to clearly lay out Microsoft’s vision and execution for Enterprise Mobility. I’m going to explain where our solutions are differentiated from others in the market, as well as the major areas of investment we believe will enable organizations to excel.
I believe that by better understanding the scenarios Microsoft is bringing to the market (and by seeing the types of rich end-user experiences and data protection these solutions will provide) IT Pros will be empowered to say YES! to the consumerization (aka BYOD) trends.
Our vision is to help organizations enable their users to be productive on the devices they love, while protecting the company.
The volume and diversity of devices that users and corporations want to use to access corporate assets grows every day, and organizations understand that enabling users across any device (corporate or personal) will make their users more productive and more satisfied. In pure dollars and cents, this satisfaction and efficiency generates significant positive impact for the company. While this efficiency and innovation is important to enable, IT organizations struggle with how to ensure that the corporate assets being accessed and stored on mobile devices are secure. This is a balancing act.
On one end of the balance, end-users want to bring their personal devices to work and are willing to accept some level of intrusion from IT in order to access corporate assets (such as using a power-on password). At the same time, these personal devices are incredibly personal – they are, in many ways, an extension of the individual and they contain information that the end-user wants to shield from IT.
The solution that organizations need (the other side of the balancing act), and that end-users are hoping will be implemented, is something that lets IT control and manage only the corporate assets that are being accessed and stored in these personal devices while never straying to the personal side of the device.
Finding the right balance means creating the appropriate boundary between personal and corporate content on the device. Our approach has been to put the end-user in full control of what happens on their personal device when they bring it to work. The company, however, should be the ultimate authority and in full control of the corporate assets (applications and data) being accessed and stored on the personal device.
While personal device use adds complexity to the IT department, we believe that mobility solutions need to act as a unifying force to cover all device types and all use cases. By delivering one solution that can act across all form factors, three key things will happen:
Organizations all need a way to manage access to corporate assets based on the correct authentication of the user. Active Directory is the authoritative source of corporate identity around the world, and we have extended this to the cloud with Azure Active Directory (AAD). With AAD we are delivering a common and consistent identity/access solution that enables organizations to expand their use of AD across private and public clouds.
Not only should the Enterprise Mobility identity solution require the user to correctly authenticate, but the identity solution should also know about all the devices being used to access corporate resources. This is exactly what Domain Join did for Windows devices for the past 15 years. In our Enterprise Mobility solution we have added what you can think of as a modern Domain Join – what we call Workplace Join. Workplace join enables users to register their personal devices with AAD – which lets AAD know about their devices. This is super critical because you need to be able to express policy on both the user and the device.
Later in this series I’ll go into great detail about the work we’re doing around identity management and just how critical this is to your Enterprise Mobility strategy. Identity Management is one of the areas I feel Microsoft brings significant value – a value that is missing in the solutions available in the market today.
Getting the balance right between non-intrusively enabling the end-user to be productive while protecting corporate assets is the perennial challenge here. All too often the user experience is compromised in the name of protection. Addressing this compromise is a place we have spent a great deal of time and effort.
I believe that, eventually, all the mobile device/OS vendors will deliver native containers for corporate content (SAFE on Android is a specific example today), and these OS components will be integrated into solutions like Intune and Azure Active Directory. As we go through this Enterprise Mobility series, and when I explore this topic in detail at TechEd, I’ll get a lot more specific about our POV and the work we are doing with containers.
The important concept at work here is that with MDM you can provide protection at the device level and with MAM you can provide protection at the application level. Having a layered approach to security is important; protecting at the device and application level is helpful but there are known limitations. In addition to these two layers of protection, we need to make protection a native component of every file.
Right now Microsoft has an in-market a solution that enables security and protection to travel with the file itself: Azure RMS. With Azure RMS (which is a component of the Enterprise Mobility Suite), access controls are natively saved as a part of the file itself from Office and applications like Acrobat (you can learn more about using Office and RMS together here).
With RMS, when a user goes to open a file a verification is made that the user has correctly authenticated to AD/AAD and therefore has rights to open that file. This protects against scenarios like when an employee leaves an organization but still has files on his/her device, or when a file is accidentally sent to the wrong person. This functionality is unique to what Microsoft is offering (check out this whitepaper for more details). To learn more about getting started with Azure RMS, click here.
It’s impossible to put too much emphasis on this type of security, and the need for it has been underscored lately by several significant security breaches across the industry. One of the most popular ways to attack an organization is through spear-fishing (where users are sent invitations that look legitimate while in reality the user is directed to a web site that collects their username and password) – but this type of attack can be dramatically mitigated with Azure Active Directory Premium. AAD Premium protects against these kinds of attacks by using machine learning to identify abnormal access activities (like an attempt to authenticate from an unusual location). Again, this is something that’s unique to what we are offering.
To see AAD Premium in action, check out this video.
Enabling your users across all their devices is critical to your businesses – and if it isn’t already, it will be real soon.
When I say I all their devices I am including the PCs the majority of your users are also using. While so much of the conversation today is about the mobile devices, let’s not forget that the majority of users in an Enterprise are using mobile devices and PCs. It is important that you don’t let PCs get forgotten about in these cloud-based management conversations. It is critical that you have every device in mind when you define and implement your management strategy. The ideal endpoint to this strategy is something that delivers an integrated and consistent way to deploy, manage, and secure PC’s and mobile devices via common tools.
This is another place where I believe the solution built by Microsoft is highly differentiated. System Center is by far the most common solution for managing PC’s (managing more than 2 out of 3 PC’s in the Enterprise), and, as we have built our Enterprise Mobility Solution, we have made this the starting point. This means you can use what you already have today, fully leverage the investments you’ve previously made in Active Directory and System Center for years to come, and build a reliable foundation for the future of your business.
Consider it like this: Think of Windows Intune as System Center delivered from the Cloud. With Intune we have built the Mobile Device Management capabilities you would expect (e.g. full and rich support for managing Windows, iOS and Android devices) and we’re delivering these capabilities from the cloud – but you can choose to do all your administration from the familiar SCCM console you already know. This allows IT Pros to leverage their existing knowledge and experience to manage both PCs and devices. There are never any new servers to deploy, or any new infrastructure to maintain – everything is delivered through the solution you already have deployed in SCCM 2012.
Back in March, I wrote about the Enterprise Mobility Suite (EMS) and how, as a part of EMS, updates to Intune now enable MDM/MAM scenarios that are simply best in class. A major benefit of a cloud-centric management solution is that Intune is updated and improved at a cloud cadence. We updated Intune in October 2013 and January 2014 (adding new capabilities like e-mail profile management for iOS, selective wipe, iOS 7 data protection configuration, and remote lock and password reset) and last month another update added more Android device management with support for the Samsung KNOX platform, as well as support for the upcoming update to Windows Phone.
Great solutions to real world problems are wonderful, but we also have to make them easy to acquire and easy use. The Enterprise Mobility Suite is licensed on a per-user basis. This means you no longer have to count the number of devices in the organization or be concerned about your costs increasing as your users bring in more mobile devices.
As a part of this effort to make our Enterprise Mobility solutions easy to use, we are also integrating all of the mobile management capabilities with our industry-leading PC management solution System Center. System Center administrators can now easily expand their impact and influence by using the current System Center console to also manage mobile devices – all from that single console. There’s no need to deploy and maintain any additional infrastructure or get trained on a new platform, and your end users have a consistent experience across PCs and all their mobile devices.
To put all of this in perspective, the EMS has three key elements:
* * *
There has been a lot written in the last few months about the emergence of a “new” Microsoft, and, in many ways this is true. Teams across the company are working closely to bring high-value scenarios to market in a way that is integrated and cohesive like never before. There are innovations emerging from teams across every corner of the company, and I am incredibly excited to see the work we are doing to deliver deeply, intelligently integrated solutions across System Center, Intune, Azure Active Directory, Office, and Windows.
I believe that what we have in market and what we will bring to market over the next several months will be, by far, the most complete, comprehensive, and elegant solution for your Enterprise Mobility needs.
As you are mapping out your Enterprise Mobility strategy, I encourage you to really think about the breadth of what your organization is going to need to succeed. We are investing broadly to empower your efforts, and we are delivering capabilities across the entire spectrum of what is required to enable your users to be productive on the devices they love. As you read this series, you’ll see that what Microsoft has in-market delivers an integrated and comprehensive set of capabilities across:
These are the capabilities you should demand when you are choosing a partner and choosing the technology for your Enterprise Mobility strategy. I believe we are delivering the most compete, comprehensive, and usable solutions!
This is the first of the your blogs that I read all the way through. It was well-written and I look forward to you describing things in more detail.
What was called Client Server architecture in 1992 is now called the cloud. So Microsoft.... you are only 22 years behind IBM... Too bad you were not able to play nice. we could have been ahead 20 plus years if you would have understood how much better
at operating systems IBM was...
very great :)
We gearing towards total cloud control by microsoft do you really believe all companies want that. Azure as nice as it is will not work for the big companies they dont want Microsoft or any other big IT company to get access to there data and and in return
dont get any security from microsoft about there Data protection.
Intune is Microsoft answer to Vmware Airwatch MDM/MAM solution
15 May 2014 6:09 AM
What was called Client Server architecture in 1992 is now called the cloud. So Microsoft.... you are only 22 years behind IBM... Too bad you were not able to play nice. we could have been ahead 20 plus years if you would have understood how much better at operating
systems IBM was"
You neglected to mention NT Server/Workstation...aka client/server. Even Exchange, SQL and 5 years later, Terminal Services existed back then...delivering email and applications through the private cloud. Now MS released NT server in 1993, which makes the math
1 year, not 22. Seems you're behind 20 plus years, but I'm happy to have brought you up to speed.
Thanks. I must say that you all need to keep in mind that the working IT folks DON"T want our software designed for mobile devices. I am already tired of seeing my productivity going down due to interfaces designed for mobile. We IT folks have big screens
and usually 2 or more. The new interfaces effectively make my work surface much smaller thus making my job harder. It would pretty much be 'emergency only' where I would use a mobile device to interact with the tools I use to develop and support a company.
This is too many words. This is exactly what most of us in the industry are not looking for...
Brad - A well written and thoughtful post. Day to day we are seeing the Microsoft vision for mobile unfold and the requests from our customers increase. Keep up the momentum. I recently wrote an interesting article on Microsoft and the sleeper product
avec le systeme AAD premium , vous prenez en charge ainsi tous les problèmes préoccupant de la sécuritée qyui est primordiale ,
l was dead. He returned, but not much. Sometimes we lose it. And when it was losing, it was purple purple purple, "he continues, still in shock.
Patrol ski center arrived on the scene ten minutes later hand defibrillator. The ambulance shows up at the bottom of the mountain. There is no more time to lose. The sexagenarian is placed on a board and down in an emergency, while Dave Pomerleau continues
to massage. http://www.pre-hackedgames.net/clash-of-clans-hack/
Thanks for taking the time to converse all of this.Go along such way. I am greatly helped by this site as I always get inspirational and instructional post here