Protect your data Enable your users Unify Your Environment DevicesAppsData Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure
Manage mobile productivity and protect data with Office Mobile apps for iOS and Android Manage policy for existing iOS line of business apps (so called “app wrapping”) Managed browser and PDF/Audio/Video viewers Provide access to Exchange and OneDrive for Business resources only to managed devices Deny access if a device falls out of compliance Enable IT to bulk enroll corporate-owned task-worker devices Support for Apple Configurator Manage mobile productivity without compromising compliance Conditional Access Policy to and Documents Enroll and Manage Corporate-owned Devices Manage Mobile Productivity and Protect Data with Office Personal Corporate
Layer 2 – Application and data containers (aka “managed mobile productivity”) Protects corporate data by… Gaps it leaves open Preventing apps from sharing data with other apps outside of IT control Preventing apps from saving data to stores outside of IT control Encrypting app data to supplement device encryption Only protects corporate data that resides on devices. Cannot protect data beyond a device. Applies same protection to all data that an app touches. Does not allow for specific protection per document. Layer 3 – Data wrapping Protects corporate data by… Gaps it leaves open Protecting data wherever it resides Providing granular, content specific protection – e.g. time bomb vision docs Requires enlightened applications Requires all data to be protected if not complemented by Layers 1 and 2 Native Managed Browser LoB Layer 1 – Mobile device lockdown via MDM Protects corporate data by… Gaps it leaves open Restricting device behaviors: PIN, encryption, wipe, disable screen capture and cloud backup, track compliance, etc. Provisioning credentials that enable corporate resource access control Apps may share corporate data with other apps outside IT control Apps may save corporate data to consumer cloud services LoB
Enterprise Mobility Lifecycle Manage and Protect Measure device and app compliance Block access if policy violated (eg: jailbreak) Contain data to prevent leaks Self service portal for users Retire Revoke company resource access Selective wipe Audit lost/stolen devices etc Employees Enroll Enroll devices in AD and MDM Block /SharePoint etc until enrolled Customizable Terms & Conditions Simple end user experience Provision Provision access to corporate resources Install VPN, Wifi, Certificates Deploy device security policy settings Install mandatory apps Deploy app restriction policies Deploy data protection policies
Manage and Protect Retire Enroll Provision
Intune web console Mobile devices and PCs ConfigMgr console Microsoft Intune Mobile devices System Center ConfigMgr Domain joined PCs ConfigMgr integrated with Intune (hybrid) Intune standalone (cloud only) Microsoft Intune System Center 2012 R2 Configuration Manager with Microsoft Intune Build on existing Configuration Manager deployment Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting) Deep policy control requirements Scale to 100,000 devices Extensible administration tools (RBA, PowerShell, SQL Reporting Services) Cloud-based Management Microsoft Intune No existing Configuration Manager deployment Simplified policy control PC+MDM: 4K users, 6K PCs, and 7K devices MDM Only: 25k users and 50k mobile devices Simple web-based administration console
The End User Experience Family
Bulk Enrollment Support for Apple Device Enrollment Program and Apple Configurator Service account enrollment Configuration Policies Device lockdown through supervisor mode Policies and apps targeted to devices Application install allow/deny list URL allow/deny
Device Type Allow/Block enforcement Windows Phone Enforced by device OS (always compliant) iOSAudit reporting AndroidAudit reporting
No trip to the store. - Installation begins directly. Monitor installation – Get install status in the console Push apps – Apps can be required installations Inventory apps - App on the device is marked as a Managed app in inventory Works only for Free apps. App Restriction policies can be applied Managed store apps IW is taken to the store for installation Intune is NOT aware of the installation. No Installation status. IT Pro can only make it Available install App on the device is marked as a Personal app in inventory Works for both free and paid app App Restriction policies can NOT be applied External/Deep link
Detect Option 1: Configure app in deny list Option 2: Deploy managed iOS app Audit Option 1: Audit devices that have “denied” app installed Option 2: Report on installation failure Advise Advise end user to uninstall iOS app Deploy Deploy managed iOS app successfully to device
App Origination ScenariosWindows 8.1 Windows Phone 8.1 iOSAndroid Line of Business (Sideloading) Available Install deployed to users Required Install & Uninstall deployed to users and devices User Consent required Public Store apps Deep linked app: Available user targeted Managed store app: Available user targeted Managed store app: Required Install & Uninstall deployed to users & devices User Consent required Coming soon
App Origination ScenariosWindows 8.1Windows Phone 8.1 iOSAndroidInstallation Status Application Update Line of Business (Sideloading) Available Install deployed to users Required Install & Uninstall deployed to users and devices User Consent required User Consent required * Public Store apps Deep linked app: Available user targeted Managed store app: Available user targeted Managed store app: Required Install & Uninstall deployed to users & devices User Consent required * Coming soon
Manage and Protect Retire Enroll Provision
Microsoft Office apps are natively manageable with Intune Intune offers key apps to support content viewing Build or buy your app with the Intune SDK Make any app manageable, without modifying code OWA OneDrive for Business Word Excel PowerPoint Managed Browsers PDF Viewer AV Viewer Image Viewer Developers can easily integrate applications for manageability. Provide more control over user experience than wrapping Apply all MAM policies to apps
Acquire Option 1: Wrap LOB apps or recompile with the Intune App SDK Option 2: Purchase store applications that include the Intune App SDK Import Import LOB App Packages or App deeplinks into Intune Configure Create MAM Policies Deploy Associate MAM Policy with User group(s) during Application deployment
Tool Download the Intune App Wrapping Tool from Download Center and Install Certs Acquire appropriate packaging certs (e.g. Apple signing certification and provisioning profile) Package Run the App Wrapping Tool and generate the new app package
Manage and Protect Retire Enroll Provision
Restore device to factory defaultsRemove company assets from device All assets on device are removed Typically used for lost/stolen devices or resetting corporate owned devices Company assets (Apps, Data, Profiles, Certs, Settings and ) are removed MAM support adds ability to remove only company data from multi-account applications Typically used for personally owned device
Initiate Option 1: IT Pro opens in the Microsoft Intune console, finds the device and chooses Retire Option 2: IW opens the Microsoft Company Portal, finds device and chooses Retire Wipe Option 1: IT Pro/IW chooses Full Wipe Option 2: IT Pro/IW choose Selective Wipe Device For Selective Wipe: IWs will notifications for specific platforms (e.g. Android) IWs will be informed of Company Data removal in MAM enabled applications