4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Securing Mobile Device Access to Corporate Resources with Intune 4/17/2017 Securing Mobile Device Access to Corporate Resources with Intune EM-B320 Dilip Radhakrishnan Principal Program Manager, Microsoft Intune © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda Enterprise Mobility Strategy Overview Conditional access to Email and Collaboration services Secure resource access Deep dive on Certificate management, VPN and Wifi New Security Policies Selective wipe
Mobile device and app management evolution PC Security Data protection through device lockdown (Group Policy, app mgmt., OSD, compliance) Hardening devices against attack (patch, anti-malware, etc.) Early Mobile security Device Policies tied to Mailbox PIN Encryption Device restrictions Full wipe of device MDM Mobile Device Management Granular device policy controls Provision access to corp resources (Email, VPN etc) Selective wipe MAM Mobile application management: Corporate data containerization Per application policy restrictions Compliance based access control to corporate resources
Enterprise Mobility Vision Protect your data Enable your users User IT Unify Your Environment Devices Apps Data Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure
Enterprise Mobility Platform 4/17/2017 1:27 PM Enterprise Mobility Platform Microsoft Differentiation Managed Mobile Productivity Layered Protection Hybrid Solutions Enterprise Mobility Suite Azure Active Directory Office 365 Dynamics Workday © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Mobile Data Protection approach Protect corporate data accessed ‘from the device’ Email & collab services Network services – VPN,Wifi Intranet sites On Prem File Shares On Premise SharePoint On Premise File Server Cloud based email/collab services Remote access services (VPN, App Proxy etc) DMZ Mobile data protection Protect corporate data cached ‘on the device’ Emails, Attachments Cached documents Apps syncing corp data Apps sharing corp data BYOD and Corp owned Mobile devices
MDM Lifecycle Concepts Enrollment Enroll in MDM to get access to corporate resources Key Features Block email/SharePoint etc until enrolled Customizable Terms & Conditions Simple end user experience User Initial Provisioning Quick access to corporate resources Key Features Security policy settings VPN, Wifi, Certificates Mandatory app installs App restriction policies Retire Disconnect from Company resources, Lost/stolen device etc Key concepts Selective wipe Devices On going management Device and App level policies Key Features Block access if IT policies violated (Eg: Jailbreak) Enforce data leak prevention Self service portal for user initiated app installs/help desk operations
Conditional access to email and collaboration services
Features Block access to O365 services like email if device is not compliant to IT policies Simple end user experience for remediating the non compliance status
Demo – Conditional Resource access 4/17/2017 Demo – Conditional Resource access Dilip Radhakrishnan © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Solution architecture
Solution architecture – Secure email in O365 Azure AD Is Device Managed & Compliant 2 Set device management/ compliance status 6 Office 365 EAS Service Return Device state 3 Who does what? Intune: Evaluate policy compliance for device Azure AD: Auth user, provide device compliance status Exchange Online: Enforces access to email based on device state. Attempt email connection 1 7 If compliant, email access is granted Quarantine If not compliant, Push device into quarantine 4 Intune Enrollment / Compliance Remediation 5 Quarantine email with remediation steps Link to enroll device/Compliance Remediation steps EAS Client
Secure resource access
Resource Access Configuration Features* Configure VPN profiles Support for Automatic VPN Wi-Fi protocol and authentication settings Email account profiles Management and distribution of certificates Benefits End users get access to company resources with no manual steps for them Platforms Windows 8.1 Windows 8.1 RT iOS Android Windows Phone 8.1 Samsung KNOX Standard * Varies based on device platform
Certificate Management Challenges Password based authentication is vulnerable but the alternative Cert based authentication is complex. How to issue certificate to mobile devices that are not on my trusted network? How do I manage the lifecycle of certificates? How do I secure my network resources like Email, VPN, Wifi etc with certificates?
Certificate management lifecycle Issue/Enroll certificates Manage Certificates Automated renewal Certificate Revocation
Issuing certificates Approaches Simple Certificate Enrollment Protocol (SCEP) Generate and deploy PFX (Personal Information Exchange) files Choice depends on: Security requirements, especially Where is the private key generated and stored? What are the deployment requirements/constraints?
SCEP solution Challenges and Solutions PFX approach – MDM servers generates private key and certificate and deploy it to the mobile device. SCEP approach – Mobile device generates the private/public key pair Unlike PFX method, the Private key never leaves the device. Unique key and certificate on every device allows certificate revocation for just a specific device Is not useful for S/MIME encryption scenarios Challenges and Solutions Challenge Solution SCEP is an old protocol designed to for use in closed networks. CERT warns that SCEP does not strongly authenticate requests. Intune’s integration with Microsoft NDES (Network device Enrollment service) Policy module offers higher security and integrity of issued certificates Security concerns with Microsoft NDES deployment Use Microsoft Web Application Proxy
Certificate Deployment with Intune 4/17/2017 Certificate Deployment with Intune Deploy root CA cert Deploy SCEP certificate profile (with challenge based on User/Type of Cert) Device gets SCEP profile that contains URI for NDES Device contacts NDES presents challenge NDES contacts CRP and validates the challenge If valid, NDES passes on request to issue Cert “on behalf” Cert is delivered to the device and event is reported back to Intune Intune (and Azure AD) 7 DMZ DC DirSync 5 6 4 2 1 3 ADFS ADFS Proxy ConfigMgr 2012 R2 NDES Reverse Proxy CA Blog: Protecting NDES with WAP by Pieter Wigleven Coming soon: Whitepaper on NDES deployment best practices © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Manage, Renew and Revoke certificates Intune provides rich certificate compliance reporting Renew certificate Automated renewal prior to certificate expiry Admin can specify the # days prior to expiry Revoke certificate Device is lost, stolen or repurposed then initiate a Device retire operation Selective wipe triggers device clean up as well as revokes any certificates issued to that device automatically
Demo – Certificate Management 4/17/2017 Demo – Certificate Management Dilip Radhakrishnan © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Email profile management Automate configuration of Email account settings Secure access to email by requiring Certificate based authentication Enable selective wipe of corporate email
Email profiles FAQs What happens if an email account already exists on the device? On iOS, profile will be rejected with an error iOS: fails if hostname + username + email address are matching Solutions Use Conditional access feature to block access to email until manually created MDM profile is removed by the user. Set up cert based authentication for email access. Whitepaper can be found here. Can I change an existing profile? Yes, unless you modify the key values (which will result in a new profile being pushed) On IOS device the email profile key is : HostName + EmailAddress On Windows Phone device the email profile key is : AccountName + EmailAddress What versions of Exchange are supported? Any version that supports Exchange ActiveSync (Exchange 2007, 2010, 2013, Exchange Online)
VPN Profile Management Features Support for major SSL VPN vendors SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 Support for VPN standards PPTP ,L2TP, IKEv2 Automatic VPN connection Application ID based initiation support for Windows 8.1 and Windows Phone 8.1 Per-app VPN for iOS Automatic VPN connection
Per App VPN (iOS 7+) Concepts Create a secure connection between your Line of business or Productivity applications and the corporate network Concepts Traditional VPN : VPN tunnel established at the device level Introduces risk of providing corporate access to unauthorized apps Depending on VPN infrastructure, can impact end user’s internet access speeds Privacy issue associated with routing user’s personal traffic to corporate servers Per App VPN On demand VPN connection for corporate apps only Routes only specific app’s data to corporate VPN
Wi-fi Profiles Connect Manage Wi-Fi protocol and authentication settings WEP WPA/WPA2 Personal WPA/WPA2 Enterprise Provision Wi-Fi networks that device can auto connect Specify certificate to be used for Wi-Fi connection User provides credentials (username/password or cert) User Trusts this certificate User attempts to connect to Wifi Endpoint Connect Server presents its identity certificate Server establishes tunnel Server asks for user credentials EAP- TLS – Authenticate with certificate EAP-TTLS – Authenticate with user name/pwd through PAP, CHAP, MSCHAP v2 PEAP – Authentication determined by Wifi infra – Either password or Cert based.
Demo – VPN & Wi-fi configuration 4/17/2017 Demo – VPN & Wi-fi configuration Dilip Radhakrishnan © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
New security settings iOS Allow/Block applications Kiosk Mode Custom Payload: Import profiles created in Apple configurator Windows Phone Custom Payload: Configure Any Window Phone (OMA URI) setting Android Kiosk mode
Demo – Security settings & Custom Profiles 4/17/2017 Demo – Security settings & Custom Profiles Dilip Radhakrishnan © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Selective Wipe
iOS selective wipe - email “Work” email profile is first provisioned to the device
iOS selective wipe - email
iOS selective wipe - email
Tech Ready 15 4/17/2017 Key Takeaways Securing access to corporate data resources is a key component of your corporate Data protection strategy Microsoft Intune’s tight integration with Azure AD’s Identity and O365’s productivity services offers an unique comprehensive solution for MDM/MAM. Microsoft continues to innovate at the OS platform level for securing your corporate assets on PCs and Mobile devices. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Related content Breakout Sessions 4/17/2017 Related content Breakout Sessions Tuesday, October 28th, 3:15 PM-4:30 PM: EM-B216 - Enterprise Client Management with System Center Configuration Manager and Intune Tuesday, October 28th, 5:00 PM-6:15 PM: EM-B326 - What’s New and Upcoming with OS Deployment in System Center Configuration Manager and the Microsoft Deployment Toolkit Wednesday, October 29th, 8:30 AM – 9:45 AM: EM-B321 - Infrastructure Deployment for Mobile Device Management with System Center Configuration Manager and Intune Wednesday, October 29th, 5:00 PM – 6:15 PM - Securing Mobile Device Access to Corporate Resources with Intune Thursday, October 28th, 3:15 PM-4:30 PM: EM-B312 - Mobile Application Management with Intune Friday, October 31st, 8:30 AM – 9:45 AM: EM-B317 - Configuring Corporate-Owned Mobile Devices with Intune © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Enterprise Mobility Track Resources 4/17/2017 Enterprise Mobility Track Resources Enterprise Mobility Suite http://aka.ms/enterprise mobilitysuite Microsoft Intune http://aka.ms/microsoftintune Configuration Manager http://aka.ms/configmgr Hybrid Identity http://aka.ms/hi Access & Info Protection http://aka.ms/aip Desktop Virtualization http://aka.ms/virtualdesktop © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Resources Learning TechNet Developer Network 4/17/2017 Resources Sessions on Demand http://channel9.msdn.com/Events/TechEd Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Developer Network http://developer.microsoft.com © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Please Complete An Evaluation Form Your input is important! 4/17/2017 Please Complete An Evaluation Form Your input is important! TechEd Mobile app Phone or Tablet QR code TechEd Schedule Builder CommNet station or PC © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Evaluate this session 4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.