In this episode, Brad talks about a recent trip to some customers in the Midwest: an incredible learning experience that showed some of the real-world challenges of trying to cobble point solutions together for EMM. Simon and Brad then talk about Conditional Access controls, Microsoft Ignite and much more.
Don’t forget to register for the Enterprise Mobility Core Skills Jumpstart Series, starting with Azure AD Core Skills, and check out the introductory blog post.
Brad also mentioned the Enterprise Mobility Roadmap.
Check out these sessions at the Ignite conference about Enterprise Mobility:
The post Endpoint Zone Episode 6: Conditional Access, Ignite, Azure Remote App appeared first on Enterprise Devices + Infrastructure.
The Microsoft Word, Excel, PowerPoint and OneDrive apps are hugely popular on iOS and are natively instrumented for management only with Microsoft Intune. On Android, OneDrive, Office Mobile, and many other apps are also natively instrumented only for Intune. In this post, you’ll learn about Mobile Application Management in Microsoft Intune, including containers, encryption, policies, and app deployment. Dive in!
Enterprise Mobility Management (EMM) is a rapidly evolving technology. Every few weeks the operating systems we manage add new features, new apps are released and our users do something new. One of the technology subsets of EMM that has arisen is Mobile Application Management (MAM): essentially application deployment, lifecycle, policy and removal. Every EMM platform has it. The one I’m most interested in is, of course, Microsoft Intune (itself the MDM and MAM component of the Enterprise Mobility Suite), whose MAM capabilities sit on top of the Mobile Device Management (MDM) layer: the device is enrolled first, and the application policy rides on that enrollment.
MAM lets you have granular control of applications and provides a container that isolates corporate data and apps from personal ones on the device.
Most EMM products have their own apps that can live within these containers to perform “good enough” functions that users commonly need. The trouble is that “good enough” and “choice” don’t sit well together. Why should your spreadsheet application be “good enough” when your users can go get Microsoft Excel from the app store? Why use a document app when you can use Microsoft Word? The list goes on.
The Microsoft Word, Excel, PowerPoint apps top the charts on iOS, Android, and Windows. It is clear people love them.
Why do organizations need to use MAM? That’s clear too. We need to protect our company resources; our intellectual property, our customer information and our personnel information. Where’s the intersection of these two stories? Microsoft Word, Excel, PowerPoint, OneNote and OneDrive come with mobile application management built in and managed through Microsoft Intune!
The Microsoft Word, Excel, PowerPoint and OneNote iOS apps, and the OneDrive iOS and Android apps, have the Microsoft Intune App SDK built into them, meaning that they know how to interpret configuration payloads from Microsoft Intune. The Office team took the SDK and implemented it right into the Office code. As a matter of fact, Intune is the only EMM platform they are natively instrumenting for.
SDK managed apps keep their data in an encrypted container. On iOS this uses the built-in iOS encryption engine, which is FIPS 140-2 validated; on Android, SDK managed apps ship their own encryption implementation inside the app rather than relying on the platform. Either way, any corporate data is protected inside the container.
SDK managed apps can also be “policy managed”, meaning that they know how to interpret a policy payload that Microsoft Intune sends to the device. This lets IT control many aspects of the apps’ behavior. For example, by setting an Intune Managed Application Policy it’s possible to redirect any web browsing from the app to a managed browser such as the Intune Managed Browser app. IT can also require a PIN, or authentication with corporate credentials, before the user gets into the app, increasing the container security. Other neat features include encrypting data when files are saved to external storage, such as SD cards.
A mobile application management policy spans apps, meaning that the policy becomes the “link” between, for example, Word, Excel and OneDrive: apps that share a policy share the container, so data can move between them but not out to apps that aren’t in it. All the data is secured by the policy and the apps are managed by the policy.
When a developer integrates the Microsoft Intune SDK into an app they can later publish the app to the store. Microsoft is working with partners to do this right now.
One of the biggest concerns with enterprise mobility is the “un-enrollment” scenario: what happens when a user no longer requires access to corporate information. Since SDK managed apps are generally published to a public store, there is always the possibility that they will also have handled personal data which the user might want to keep private (although there is a policy setting to disable that if IT wants). In the case of an SDK managed app, when the device is un-enrolled the managed app data is wiped, but the app itself remains.
In the future, it will also be possible to use the SDK for a Line of Business (LoB) app, but another route, App Wrapping, might be more suitable.
Although I’m focusing this post on managing Office apps on iOS and Android, they probably won’t exist alone. Many organizations are developing custom LoB apps for iOS, and they want to be able to secure them too. Budgets for LoB apps, however, remain tight in most organizations, so redeveloping an existing app to incorporate the SDK might not always be feasible. Enter the app wrapper.
Today, wrapping is available for iOS and it requires that the wrapping be done on a Mac; not a problem, since you need a Mac to develop for iOS. There are some requirements around wrapping:
Wrapped apps are managed with the same mobile application management policies as SDK managed apps. This means that they form part of the same container and the same policy settings apply to them.
There is a third type of app that Microsoft Intune cares about: Managed Apps. These are apps from the iOS App Store that aren’t SDK managed or wrapped but do honor iOS’s own management features, such as managed “Open In”. To cut to the chase, these applications can be set as Required Installations, meaning that they are installed automatically. Additionally, using a mobile device policy for iOS in Microsoft Intune, you can control the behavior of even these apps, allowing or preventing them from sharing data with unmanaged apps.
For completeness, unmanaged apps are those apps available from the app store that do not implement wrapping or the Microsoft Intune SDK and are not managed by Microsoft Intune using an MDM application management policy. In other words, they’re just another app.
We’re going to start by assuming that you have Microsoft Intune (and an Office 365 subscription for the Office apps). If you don’t you can go start a Microsoft Intune trial.
Let’s start by adding PowerPoint as a managed app in Microsoft Intune. In the Intune console select the Software workspace and then Managed Software. Next click Add Software to start the process. A ClickOnce installer will download, which you need to run. Upon doing so you’ll be asked to sign in with a Microsoft Intune administrator account.
Once you’re signed into the Microsoft Intune Software Publisher, select Add software and click Next. Because Microsoft PowerPoint is in the iOS App store, let’s select Managed iOS App from the App Store and then specify the URL to the app in the App Store. Personally I usually find this by opening a browser and just searching for the app. The URL will be something like: https://itunes.apple.com/us/app/microsoft-powerpoint/id586449534?mt=8 . Click Next to move on.
Now we need to set some information about the app. Remember, your users will see this in your Company Portal app. I usually also use the Snipping Tool to grab the app icon from the App Store web page. When you’ve provided your info, click Next and select which device type (iPad, iPhone or both) you want to target. We’ll select iPad. Click Next again, read the summary and click Upload. Since all you are uploading is your app icon it will complete very quickly!
Back in the Microsoft Intune management portal, click Detected Software and then back to Managed Software to refresh the list and confirm that PowerPoint is listed. Highlight PowerPoint and click View Properties at the top of the Managed Software list. Notice that the Supports App Policy detail is marked Yes; this indicates it’s a wrapped or SDK managed app.
We now need to create a policy to manage the app. Click the Policy workspace and navigate to Configuration Policies. To create a new mobile application management policy click Add… Next, on the Create a New Policy screen, select the Software drop down and then select Mobile Application Management Policy (iOS 7 and later). Then select Create a Policy with the Recommended Settings and click Create Policy.
Now select your new policy which, at this point, is called Mobile Application Management Policy (iOS 7 and later) created <today’s date>, and click Edit… You now have the opportunity to rename the policy and change any of the default settings created by this template. By default this Mobile Application Management policy will:
*This is a Conditional Access policy: it makes sure that the device is not jailbroken and has a password long and complex enough for your organization. The device requirements themselves are set in the Compliance Policies node.
The next step is to associate the policy with the app and deploy the app. Go back to the Software workspace, select Managed Software and then PowerPoint, and click Manage Deployment… Now select the users that need the app. You can select All Users, a user group, or a device group; All Users is fine in a lab. Then click Add and Next.
For Deployment Action, there’s a couple of options. Required Install will automatically install the app when the user enrolls their device or when policy is next refreshed for devices already enrolled. Available Install will place the app into the Company Portal application for the user to manually select. In this case, choose Required Install and click Next.
Now choose the App Management Policy that we created earlier and click Next. Next is choosing a VPN profile. Selecting a VPN profile, if you have one, will tunnel all the app’s traffic through the VPN connection, useful if your app is on-premises. In our case, Office 365 is not on-prem so we can just click Finish.
PowerPoint will now be deployed to users’ iPads upon enrollment or policy refresh and will be protected by the mobile application management policy.
So that PowerPoint has something to talk to, repeat this process to add Microsoft Word, Excel and OneDrive. You don’t need to create a new mobile application management policy though: just repeat the add-software and deployment steps above and associate the existing policy with each app.
Take a look at the video below to see the outcome of what we just built, which of course you can try on any iOS devices you’ve enrolled:
Adding Android apps is very similar to iOS but with a few differences. First let’s add OneDrive for Android.
In the Intune console select the Software workspace and then Managed Software. Next click Add Software to start the process. A ClickOnce installer will download, which you need to run. Upon doing so you’ll be asked to sign in with a Microsoft Intune administrator account again.
Once you’re signed into the Microsoft Intune Software Publisher, select Add software and click Next. Because Microsoft OneDrive is in the Google Play store, let’s select External Link and then specify the URL to the app in the Google Play Store. Again I usually find this by opening a browser and just searching for the app. The URL will be something like: https://play.google.com/store/apps/details?id=com.microsoft.skydrive . Click Next to move on.
Enter the publisher details, and again, snip the icon from the Google Play store. Click Next and then Upload. Finally, click Close.
We now need to create a policy to manage the app. MAM policies are specific to each platform, iOS and Android. Click the Policy workspace and navigate to Configuration Policies. To create a new mobile application management policy click Add… Next, on the Create a New Policy screen, select the Software drop down and then select Mobile Application Management Policy (Android 4 and later). Then select Create a Policy with the Recommended Settings and click Create Policy.
Select the new policy, called Mobile Application Management Policy (Android 4 and later) created <today’s date>, and click Edit… You can again change any of the template settings, which in this case are:
Save any changes by clicking Save Policy.
The next step is to associate the policy to the app and then deploy it. Go back to the Software workspace, select Managed Software and OneDrive then click Manage Deployment… Now select the users that need the app. You can select All Users, or a user group; All Users is good in a lab. Then click Add and Next.
For Deployment Action, Android only gives us one option; Available Install, which places the app into the Company Portal for the user to select. Select Available Install and click Next.
Now, choose the App Management Policy created earlier and click Next. Android doesn’t let us assign a per-app VPN, so just click Finish.
Other managed apps are in the Google Play store:
Today, not as many Office apps for Android are manageable as on iOS. Android, while a great platform, isn’t as natively manageable as iOS at this stage (Lollipop should change this, but it isn’t widely available at the time of writing).
We’ll be covering more on MAM in the upcoming Microsoft Intune episode of the Enterprise Mobility Core Skills Jumpstart series. Also, take a look at this course on Microsoft Virtual Academy on Samsung KNOX management with Microsoft Intune, this free virtual Lab on TechNet and the following places in the Microsoft TechNet library:
The post Enable Mobile Application Management of Office apps for iOS and Android appeared first on Enterprise Devices + Infrastructure.
Really like this “considerations guide” on TechNet. It helps you think about what you, er, need to think about when planning a BYOD Project.
The post Considerations Guide for BYOD appeared first on Enterprise Devices + Infrastructure.
The last month has been pretty busy again in the space of enterprise mobility and Windows. Lots of new announcements, features, and products coming out the door of Redmond.
First up, let’s talk about the show: in this episode of The Edge Show, Simon May talks with Eric Orman, Senior Program Manager on Microsoft’s Azure RemoteApp team, about what Azure RemoteApp can do. They take a look at a very real-world use case with QuickBooks 2015 and walk through how it’s implemented inside Azure RemoteApp.
If you want to comment on the show, leave the comments over on the show page on Channel 9.
We released a new Microsoft Virtual Academy course, Enabling Samsung KNOX via Microsoft Intune, it shows the great things that Samsung KNOX and Microsoft Intune can do when they work together and helps you get up and running quickly.
One question we always get asked is “what’s the roadmap?” and, in the spirit of working out loud, I’m really pleased to say that you can now find a public roadmap for Enterprise Mobility that actually explains it! In the roadmap you can see features that are recently available, in public preview, in development (aka coming), and canceled (what’s not coming).
There were yet more updates to Microsoft Intune. Up to Feb 11 they released a raft of new stuff including:
These are pretty important, but the MAM wrapping of Office is probably the most game-changing.
There was a ton of new things inside Azure RMS too – too many to list but take a look here for more info on what I think is the best content management solution on the planet!
If you’d like some evidence about how awesome System Center Configuration Manager is you can check out this great case study with Humbolt University.
I wrote about 5 great reasons you need to connect your directory to Azure AD!
We released a new Technical Preview of Windows 10 – you should join the Insiders and take a look at it! Also, take a look at this awesome MVA course while you’re at it! (hint updating this soon).
We also released a new RSAT for Windows 10 and Windows Server Technical Preview.
Microsoft acquired Sunrise, provider of next-gen calendar apps on iOS and Android which is interesting as it strengthens Microsoft’s commitment to enabling people to be productive wherever they happen to be, on any device.
Outlook for iOS and Android was released to pretty popular user acclaim, as always software is never done and there will be updates. Personally I’m loving Outlook on my iPad!
The post Edge Show 135 Understanding Azure RemoteApp+ What happened in Microsoft Enterprise Mobility and Windows in January / Febuary appeared first on Enterprise Devices + Infrastructure.
With a new version of Windows coming down the pipe, Microsoft has begun to let you know about some of the key technologies you need to know a little more about. Those technologies aren’t just key to helping your users have an amazing Windows experience, though: no matter what device they use, these core skills for enterprise mobility will help all your users have a better experience.
Enterprise Mobility Management is a massive subject domain, subdivided into multiple solution domains to meet that holy grail of outcomes: Maximize personal and organizational productivity while minimizing organizational risk (and minimizing personal privacy invasion). I include the section in parentheses because it’s important: IT needs to respect user privacy to gain user trust.
Now is the time to invest in your “core skills” for enterprise mobility so you are at the center of your organization’s future, just like you were when you moved from Windows NT to Windows 2000…remember how you felt then? I felt pretty epic, it was a career highpoint for me!
If you have a severe case of TL;DR you can just look at the pictures and skip to the bottom.
Identity, not device management, is where I think you want to begin your journey. Why? Well, it’s the cornerstone of being able to set up some sort of trust. So what are the top three things you need to know about identity in the modern world?
You need to start out by understanding why you need to extend your directory to the cloud and this is where devices come in. Today’s devices move around a lot, they go everywhere. As a result, they connect to different types of networks and they can’t always work in the synchronous way we recognize with on-prem. Even if you think you don’t have a highly mobile environment your environment probably has highly mobile characteristics: high latency, lossy network connections.
Azure AD is designed from the ground up to work in this environment. Also, because Azure AD was born in this new world, you don’t need to wait for improvements to come along, which means you can quickly take advantage of an improvement, test it when it’s in Public Preview and move to production when the feature does. On-prem you’d have waited a couple of years, then you’d have done the paperwork to get a change window to upgrade the domain functional level.
Not having to wait means you don’t get left behind when your organization wants to try new things!
Users aren’t the only things with identity in your organization though, each device that a user enrolls also has identity and Azure AD can automatically track that information for you, as long as you’ve enabled it to. This is a critical core skill because it helps you leverage something we will come to later: Conditional Access. But this is the foundation.
User accounts are of course much more than just about matching a password to an identity. They are also about matching other attributes, such as where and when a person works to that identity. One of the coolest things about Azure AD is that it can learn those things about your users – don’t get me wrong, Azure AD won’t learn your user’s job function and add that to their account!
Azure AD will do something much more than that though – it will learn what your users are doing and let you know when they do something strange.
That’s why reporting is a core skill…that and the fact that your manager wants to see reports!
Getting your existing users into Azure AD is the first step to setting things up correctly. Signing into Windows is something that most people are so used to doing they don’t even realize what they’re doing when they sign in. They don’t realize that being logged on means that they’ve been authenticated for a specified period (and that Windows renews it); they don’t realize that they’ve been seamlessly signed into multiple systems they use daily, file, print, email.
The first step and, therefore, one of the most critical skills is setting up and maintaining a sync relationship between your on-prem AD and Azure AD.
This is a super valuable core skill. Knowing how AD FS works, and how to deploy, manage and troubleshoot it, is a core skill for now and the future. Many organizations that use Office 365 or have otherwise connected to Azure AD use AD FS for authentication. With AD FS in place no password verification takes place in the cloud, so you don’t need to synchronize password hashes, and many organizations find that comforting. Instead of Azure AD checking the password, the client is redirected to your on-prem AD FS servers. The flip side is that AD FS (and the AD behind it) is now in the sign-in path for every cloud service: if it is unreachable, cloud sign-in fails, so deploy it for availability and monitor it accordingly.
AD FS also forms another massively important part of your users’ daily lives: it handles single sign-on. When a user connects to a service that has a trust relationship with your AD FS, they are allowed in automatically if they already hold a credential from a broker AD FS trusts. Say the user has signed into Windows: Active Directory has issued them a Kerberos ticket. When they open a site secured by AD FS, the client presents that ticket to the AD FS service, which trusts your AD and issues a token for the site, and the user gets single sign-on with no password prompt.
It is possible to get lots of AD FS style functionality without AD FS using just Azure AD but for some advanced scenarios you’ll want AD FS.
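To make the trust relationship concrete, here is an added example, not code from this post nor from AD FS or Azure AD, that models the exchange above in Python. An issuer standing in for AD FS verifies the password against an on-prem directory and signs a short token; a relying party standing in for a SharePoint site trusts that issuer’s key and accepts the token without ever seeing the password. Real AD FS issues SAML or JWT tokens signed with an RSA token-signing certificate; the HMAC key, the issuer and audience URIs, and the user and password here are made-up stand-ins chosen so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    """Stands in for AD FS: checks the password against the on-prem directory and signs tokens."""

    def __init__(self, name: str, key: bytes, directory: dict):
        self.name, self.key, self.directory = name, key, directory

    def authenticate(self, user: str, password: str) -> bool:
        # The password is verified here, on-prem. No relying party ever sees it.
        return hmac.compare_digest(self.directory.get(user, ""), password)

    def issue(self, user: str, audience: str, ttl: int = 300, now=None) -> str:
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": user, "aud": audience,
                  "iat": int(now), "exp": int(now) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class RelyingParty:
    """A service (say, a SharePoint site) that trusts one or more issuers and never handles passwords."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience            # who the token must be addressed to
        self.trusted = trusted_issuers      # issuer name -> verification key

    def accept(self, token: str, now=None) -> tuple:
        """Return (True, subject) for a valid token, else (False, reason)."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            claims = json.loads(_unb64(body))
        except ValueError:
            return False, "malformed"
        # The issuer claim is read before verification only to pick the key; nothing else
        # in the claims is trusted until the signature checks out under that key.
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"    # a token minted for Exchange must not open SharePoint
        if now >= claims.get("exp", 0):
            return False, "expired"
        return True, claims["sub"]


def demo(now: int = 1_700_000_000) -> dict:
    """Sign in once at the issuer, then present the token to the relying party in several ways."""
    directory = {"alice": "correct horse battery"}                       # constructed sample data
    adfs = Issuer("https://sts.contoso.example/adfs", b"contoso-token-signing-key", directory)
    sharepoint = RelyingParty("urn:contoso:sharepoint", {adfs.name: adfs.key})
    out = {}
    out["bad_password"] = adfs.authenticate("alice", "wrong")            # False
    assert adfs.authenticate("alice", "correct horse battery")
    token = adfs.issue("alice", sharepoint.audience, now=now)
    out["sso"] = sharepoint.accept(token, now=now + 60)                  # (True, "alice")
    out["expired"] = sharepoint.accept(token, now=now + 600)             # (False, "expired")
    out["wrong_audience"] = sharepoint.accept(
        adfs.issue("alice", "urn:contoso:exchange", now=now), now=now)   # (False, "wrong audience")
    rogue = Issuer("https://sts.attacker.example/adfs", b"attacker-key", {})
    out["untrusted"] = sharepoint.accept(
        rogue.issue("alice", sharepoint.audience, now=now), now=now)     # (False, "untrusted issuer")
    body, sig = token.split(".")
    forged_claims = json.loads(_unb64(body))
    forged_claims["sub"] = "admin"                                       # edit the claims, reuse the signature
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    out["tampered"] = sharepoint.accept(forged, now=now)                 # (False, "bad signature")
    return out
```

The checks the relying party makes, in order, are the ones that matter in any federation: is the issuer one I trust, does the signature verify under that issuer’s key, is the token addressed to me, and is it still valid. Skipping the audience check is how a token minted for one service gets replayed against another.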
There are tons of other things that I’d consider core skills for enterprise mobility related to identity, but that’s enough to get you started. Let’s move on to the topic of management.
Organizations need management capabilities for a multitude of reasons and topping that list now is security. Organizations want to maintain a level of security that will stop data breaches, or at least show that they exercised due diligence!
When we look at the world of management we can see that Windows is the most manageable OS on the planet, with the ability to tweak almost every characteristic remotely. While some want to get to that level of detail, not everyone does, so you need the skill of selecting the most appropriate level of management. Windows management using SCCM is pretty well known, so while I think that’s a core skill it’s probably something you, like me, have internalized over the years.
As we moved into the mobile world, a new, lighter level of management developed: one more appropriate for BYOD scenarios, but that adapts to company-owned scenarios too.
MDM is the ability to take a device, enroll it into management and then change settings at the device level. The ability to, for example, turn on encryption is something that most MDM platforms support. Microsoft has Intune for MDM and it supports doing exactly that on iOS, Samsung KNOX, Android and Windows Phone – anywhere that the device OS supports that management.
The core skill here is knowing how to translate the requirements for device level management into the MDM solution. For example, when you want to protect your company data you might decide that you need to turn off the camera on all enrolled devices… but then you need to think about how your users feel when they suddenly can’t, legitimately, take a picture of their kids. Angry is how they feel. So the core skill with Mobile Device Management is being able to translate what’s possible into what’s appropriate, and it will always vary.
MAM is the exciting new area of Enterprise Mobility Management that involves managing at the application level. In the case of Microsoft Intune this is actually exceptionally cool because it is the only product that works with Microsoft Office: you can manage the iOS and Android applications for Word, Excel, PowerPoint, OneNote and OneDrive, all of which integrate the Microsoft Intune SDK.
This SDK integration means you can group those applications together and restrict data egress from each of them to the others in the group. More specifically, when managed, you can only open a document from SharePoint Online in the managed Microsoft Word application, and you can only save from Microsoft Word to OneDrive for Business. However, unlike other MAM solutions, you can opt to allow users to bring in data from anywhere.
Extending the scenario: you’re updating a business proposal in Word, saved on OneDrive for Business, and you want to put in a pretty picture from Instagram. Fine, you can do that, because the policy controls data egress from the managed apps while optionally allowing data ingress, which is the default.
This is exactly the behavior users want, and your core skill is knowing how to enable it.
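The egress and ingress behavior just described, together with the PIN gate, managed-browser redirect and selective wipe that the earlier post on enabling MAM for the Office apps walked through, fit in one small model. It is an added example written for this page in Python, not the Intune App SDK or Microsoft’s code: the class and setting names are hypothetical, and the Word, OneDrive, Dropbox and Instagram names are just labels for the scenario.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MamPolicy:
    """The settings the service pushes to every app bound to the policy (hypothetical names)."""
    name: str
    managed_apps: frozenset                       # apps that share the policy form one container
    require_pin: bool = True
    allow_ingress_from_unmanaged: bool = True     # "bring in data from anywhere" is the default
    restrict_web_to_managed_browser: bool = True
    managed_browser: str = "ManagedBrowser"


@dataclass
class ManagedApp:
    name: str
    policy: MamPolicy
    corporate_data: dict = field(default_factory=dict)   # data that arrived through the container
    personal_data: dict = field(default_factory=dict)    # the user's own data; IT never touches it
    unlocked: bool = False

    def unlock(self, pin: str, expected_pin: str) -> bool:
        """PIN gate: with require_pin set, the app opens only after the right PIN."""
        self.unlocked = (not self.policy.require_pin) or pin == expected_pin
        return self.unlocked

    def send(self, item: str, target) -> bool:
        """Egress: corporate data may leave only to another app bound to the same policy."""
        if not self.unlocked or item not in self.corporate_data:
            return False
        target_name = target.name if isinstance(target, ManagedApp) else target
        if target_name not in self.policy.managed_apps:
            return False                                   # e.g. Word -> Dropbox is blocked
        if isinstance(target, ManagedApp):
            target.corporate_data[item] = self.corporate_data[item]
        return True

    def receive(self, item: str, value, source: str) -> bool:
        """Ingress: data from an unmanaged app is accepted unless IT switches that off."""
        if source not in self.policy.managed_apps and not self.policy.allow_ingress_from_unmanaged:
            return False
        self.corporate_data[item] = value                  # once inside, the egress rules apply to it
        return True

    def open_url(self, url: str) -> str:
        """Web links are redirected to the managed browser when the policy says so."""
        if self.policy.restrict_web_to_managed_browser:
            return self.policy.managed_browser
        return "SystemBrowser"

    def unenroll(self) -> None:
        """Selective wipe at un-enrollment: managed data goes, the app and personal data stay."""
        self.corporate_data.clear()
        self.unlocked = False


def demo() -> dict:
    """Walk through the scenarios in the text and collect the outcomes (constructed data)."""
    office = MamPolicy("Office MAM", frozenset({"Word", "Excel", "OneDrive"}))
    word = ManagedApp("Word", office, corporate_data={"proposal.docx": "Q3 plan"})
    onedrive = ManagedApp("OneDrive", office)
    word.personal_data["notes.txt"] = "shopping list"
    out = {}
    out["locked"] = word.send("proposal.docx", onedrive)              # False: PIN not entered yet
    word.unlock("1234", expected_pin="1234")
    out["to_onedrive"] = word.send("proposal.docx", onedrive)         # True: same container
    out["to_dropbox"] = word.send("proposal.docx", "Dropbox")         # False: outside the policy
    out["from_instagram"] = word.receive("photo.jpg", b"\x89PNG", "Instagram")  # True: ingress allowed
    out["photo_back_out"] = word.send("photo.jpg", "Instagram")       # False: it is corporate data now
    out["browser"] = word.open_url("https://contoso.sharepoint.com")  # "ManagedBrowser"
    word.unenroll()
    out["after_wipe"] = (dict(word.corporate_data), dict(word.personal_data))
    return out
```

Note the asymmetry the text describes: the picture that came in from Instagram can go on to OneDrive but cannot go back out to Instagram, because the policy classifies anything inside the container as corporate data the moment it arrives.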
Integrating your identity is only one part of the solution. You might want to enable integration at the management level too, meaning productivity gains for you in IT, from a single console. Configuration Manager can control Microsoft Intune to give you a single pane of glass between your existing managed Windows, OSX and Linux devices and any mobile devices in Intune.
The core skill is knowing how to architect your solution to make this possible.
As the Enterprise Mobility Management space continues to evolve and mature, content management becomes an ever more interesting area. If you want to future proof, you need to understand the core skills for enterprise mobility that relate to content management.
When you have knowledge of a user’s identity and knowledge of the state of a device you can start to leverage that to allow conditional access to company resources. Quite literally, this core skill is about protecting your assets.
Conditional Access allows you to set up rules that do functions such as:
Conditional access can become an automatic gate-keeper for your information.
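As an added example, not the post’s own code and not Intune’s, the gate-keeper can be modelled in Python: the directory records which device belongs to which user, the MDM service reports the device’s last-known state, and a compliance policy encodes the “not jailbroken, long and complex passcode” requirements that the earlier tutorial mentions. Every field name, the stale check-in rule and the sample devices are assumptions for the illustration, not Intune settings.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DeviceState:
    """What the MDM service knows about a device at its last check-in (hypothetical fields)."""
    device_id: str
    enrolled: bool
    jailbroken: bool
    passcode_length: int
    passcode_complex: bool
    encrypted: bool
    last_checkin: datetime


@dataclass
class CompliancePolicy:
    """The 'not jailbroken, long and complex password' requirements from the Compliance Policies node."""
    min_passcode_length: int = 6
    require_complex_passcode: bool = True
    require_encryption: bool = True
    max_checkin_age: timedelta = timedelta(days=1)   # assumption: stale state counts as non-compliant

    def failures(self, device: DeviceState, now: datetime) -> list:
        found = []
        if device.jailbroken:
            found.append("device is jailbroken")
        if device.passcode_length < self.min_passcode_length:
            found.append(f"passcode shorter than {self.min_passcode_length}")
        if self.require_complex_passcode and not device.passcode_complex:
            found.append("passcode is not complex")
        if self.require_encryption and not device.encrypted:
            found.append("storage is not encrypted")
        if now - device.last_checkin > self.max_checkin_age:
            found.append("compliance state is stale")
        return found


@dataclass
class ConditionalAccess:
    """Gate: a known user on a registered, enrolled device whose state meets policy, or no access."""
    registered_devices: dict                 # device_id -> owner UPN, as recorded in the directory
    policy: CompliancePolicy
    protected_resources: set = field(default_factory=set)

    def decide(self, user: str, resource: str, device: DeviceState | None, now: datetime) -> tuple:
        """Return ("allow", []) or ("block", [reasons])."""
        if resource not in self.protected_resources:
            return "allow", []                                 # no rule targets this resource
        if device is None:
            return "block", ["no device identity presented"]
        if self.registered_devices.get(device.device_id) != user:
            return "block", ["device is not registered to this user"]
        if not device.enrolled:
            return "block", ["device is not enrolled in management"]
        reasons = self.policy.failures(device, now)
        return ("block", reasons) if reasons else ("allow", [])


def demo() -> dict:
    """Evaluate a few constructed devices against one policy for the same protected resource."""
    now = datetime(2015, 3, 1, 9, 0)
    alice = "alice@contoso.example"
    gate = ConditionalAccess(
        registered_devices={"ipad-alice": alice},
        policy=CompliancePolicy(min_passcode_length=6),
        protected_resources={"exchange-online"},
    )
    fresh = now - timedelta(hours=2)
    good = DeviceState("ipad-alice", True, False, 8, True, True, fresh)
    jailbroken = DeviceState("ipad-alice", True, True, 8, True, True, fresh)
    weak_pin = DeviceState("ipad-alice", True, False, 4, False, True, fresh)
    stale = DeviceState("ipad-alice", True, False, 8, True, True, now - timedelta(days=3))
    return {
        "compliant": gate.decide(alice, "exchange-online", good, now),
        "jailbroken": gate.decide(alice, "exchange-online", jailbroken, now),
        "weak_pin": gate.decide(alice, "exchange-online", weak_pin, now),
        "stale": gate.decide(alice, "exchange-online", stale, now),
        "borrowed_device": gate.decide("bob@contoso.example", "exchange-online", good, now),
        "no_device": gate.decide(alice, "exchange-online", None, now),
        "unprotected": gate.decide(alice, "public-site", None, now),
    }
```

Two design points worth noticing: the device identity is checked against the directory before any compliance data is consulted, so a compliant device cannot vouch for a user it is not registered to; and a device whose compliance state has not been refreshed is treated as non-compliant rather than as “last known good”, because the gate is only as trustworthy as the freshness of the state it decides on.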
Rights management, on the other hand, is able to control what people can do with the information. RMS is the leading service in the world for this type of thing, trusted by lawyers and those who want to protect intellectual property (IP) the world over. When a file is protected with Rights Management it can be configured with rules that allow different people differing levels of access. Some can print; some can save; some can only read; and much more.
Because the rights travel with the file, either directly in the file or in the file’s wrapper, they go wherever the file goes. This is great because if your users manage to avoid the system and store their files with a cloud storage provider you weren’t expecting, the information is still safe. Users are made to authenticate (to Azure AD, with MFA and auditing if required) each time they need access to the file: no authentication, no access. The files can also expire automatically after a specified period. Bear in mind that it is the RMS-aware client application that enforces the rights once it holds the key, so the protection is only as strong as the clients you allow to open protected content.
The core skill you need is knowing how to configure appropriate levels of rights management templates to make information protection decisions easy, or automatic, for end users.
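Here is an added Python example, not from this post and not the Azure RMS protocol, of why the rights travel with the file: the content is encrypted, the rights policy is attached to it and signed by the service, and the content key is released only to an authenticated user whom the unexpired, untampered policy names. The stream cipher is a deliberately toy XOR construction, the directory is a dict standing in for Azure AD, and the users, rights and document are constructed for the scenario.

```python
import hashlib
import hmac
import json
import os


def _toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Illustration only; use AES-GCM or similar for real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RightsService:
    """Stands in for Azure RMS: holds content keys, signs policies, and issues use licenses
    only to authenticated users the policy names, while the policy has not expired."""

    def __init__(self, directory: dict):
        self.directory = directory                  # user -> password, standing in for Azure AD
        self.signing_key = os.urandom(32)
        self.content_keys = {}

    def _sign(self, policy: dict) -> str:
        canonical = json.dumps(policy, sort_keys=True).encode()
        return hmac.new(self.signing_key, canonical, hashlib.sha256).hexdigest()

    def protect(self, owner: str, plaintext: bytes, rights: dict, expires_at: int) -> dict:
        """Encrypt the content and attach the signed rights policy; the result travels as one unit."""
        content_id = os.urandom(8).hex()
        key = os.urandom(32)
        self.content_keys[content_id] = key
        policy = {"content_id": content_id, "owner": owner, "rights": rights, "expires_at": expires_at}
        return {"policy": policy, "policy_sig": self._sign(policy), "body": _toy_stream_cipher(key, plaintext)}

    def use_license(self, user: str, password: str, protected: dict, now: int) -> tuple:
        """Return ((content_key, rights), "ok") or (None, reason)."""
        if not hmac.compare_digest(self.directory.get(user, ""), password):
            return None, "authentication failed"          # no authentication, no access
        policy = protected["policy"]
        if not hmac.compare_digest(self._sign(policy), protected["policy_sig"]):
            return None, "policy has been tampered with"  # rights cannot be edited into the file
        if now >= policy["expires_at"]:
            return None, "content has expired"
        rights = policy["rights"].get(user)
        if not rights:
            return None, "no rights granted to this user"
        return (self.content_keys[policy["content_id"]], frozenset(rights)), "ok"


def open_protected(service: RightsService, user: str, password: str, protected: dict, now: int) -> tuple:
    """What an RMS-aware client does: obtain a license, then decrypt and honour the granted rights."""
    grant, reason = service.use_license(user, password, protected, now)
    if grant is None:
        return None, frozenset(), reason
    key, rights = grant
    return _toy_stream_cipher(key, protected["body"]), rights, reason


def demo() -> dict:
    """Publish one document and try to open it as several users (constructed data)."""
    rms = RightsService({"bob": "bob-pw", "carol": "carol-pw", "dave": "dave-pw"})
    doc = rms.protect("alice", b"Project Falcon: confidential pricing",
                      rights={"bob": ["view"], "carol": ["view", "print", "save"]},
                      expires_at=1_700_000_000)
    now = 1_699_990_000
    out = {}
    out["bob"] = open_protected(rms, "bob", "bob-pw", doc, now)                     # plaintext, {"view"}, "ok"
    out["carol_rights"] = open_protected(rms, "carol", "carol-pw", doc, now)[1]     # {"view","print","save"}
    out["bad_password"] = open_protected(rms, "bob", "guess", doc, now)[2]
    out["not_listed"] = open_protected(rms, "dave", "dave-pw", doc, now)[2]
    out["expired"] = open_protected(rms, "bob", "bob-pw", doc, 1_700_000_001)[2]
    # Bob edits the policy inside the file to grant himself print rights.
    tampered_rights = {**doc["policy"]["rights"], "bob": ["view", "print"]}
    tampered = {**doc, "policy": {**doc["policy"], "rights": tampered_rights}}
    out["tampered"] = open_protected(rms, "bob", "bob-pw", tampered, now)[2]
    return out
```

The point the example makes is where each control lives: authentication, policy integrity and expiry are enforced by the service before it releases a key, which is why the file is safe in a cloud store you did not plan for; the per-user rights (view versus print versus save) are then enforced by the client that holds the key.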
As always you’ll need to integrate with what you already have. In the case of Azure RMS, that means that a core skill becomes deploying new, hybrid architecture, such as the Azure RMS connector. This connector performs a “call home connection” to Azure AD and enables integration between Azure RMS and on-premises Exchange, SharePoint and file server farms.
So there you have them, my 10 core skills for Enterprise Mobility Management. If you can gain and internalize these skills you’ll get to a really successful architecture for the future and you’ll probably keep the money coming and the rent paid for a few more years. Of course you need to know how to get them…
That’s why I’ve designed this Enterprise Mobility Core Skills Jumpstart series for Microsoft Virtual Academy that I’m really excited to be the first to tell you about. Over the course of the four episodes, one each month from March to June, I’ll be taking you through the core skills for enterprise mobility that you need – LIVE!
I’m really excited by this series, and joining me each month will be Brad Anderson, Corporate Vice President, Enterprise Client Management and Mobility at Microsoft, who’ll be explaining and showing what you can do. Then I and my far more knowledgeable co-host will break down the solution into the key skills you need to take away. Not only that, but to get you started we’ll have instructor-led virtual labs.
Go here, sign up – get involved.
Also tell me what you’d love me to cover in the comments below – honestly you will be helping me to target this content just for you!
The post Learn these 10 core skills for Enterprise Mobility and to future proof your enterprise appeared first on Enterprise Devices + Infrastructure.