
BYOD ESSENTIALS FOR IT PROS SANDER BERKOUWER, DirTeam.

Presentation transcript:

1 BYOD ESSENTIALS FOR IT PROS SANDER BERKOUWER, DirTeam

2 About: Sander Berkouwer
- Microsoft MVP Directory Services 2009 - 2015
- Microsoft Virtual Technical Evangelist
- Blogger on DirTeam.com, ServerCore.Net and 4SysOps.com

3 Agenda:
- Introducing Bring Your Own (BYO)
- Challenges with Bring-Your-Own
- Solutions: web-ready authentication, rich authorization, straight-forward access, policy-based systems management

4 INTRODUCING BYO

5 Reality: 51% of employees between 21 and 32 years old choose to deliberately ignore corporate policies that apply to the corporate use of privately-owned devices, cloud storage and wearables. Source: Fortinet, October 22, 2013

6 Bring Your Own (diagram): Devices, Apps, Employees and Information, each viewed through Management | Access | Security

7 Bring Your Own: Bring Your Own facilitates access to organizational IT resources with devices owned by employees and other entities

8 Bring Your Own and your existing infrastructure (diagram): BYO devices reaching corporate and non-corporate applications and data

9 WEB-READY AUTHENTICATION

10 Challenges with authentication:
- Current protocols lack flexibility: Kerberos tickets are encrypted and cannot be split, and the authorization data in a Kerberos ticket carries only SIDs
- Active Directory trusts lack scalability: after roughly 1,200 trusts, authentication becomes terribly slow
- Multi-factor authentication: a username and password combination is not good enough

11 We need… web-ready authentication:
- Transport over an SSL/TLS channel, with optional encryption of the token itself
- Open standards
- Flexible trusts: scalable, loosely-coupled, granular trust relationships
- Multi-factor authentication

12 ACTIVE DIRECTORY FEDERATION SERVICES SOLUTION

13 Active Directory Federation Services:
- Web-ready authentication: SAML and OAuth 2.0 are HTTPS-based and work with claims; authentication is device-agnostic
- Relying Party trusts: fine-grained definitions, little information shared
- Multi-factor authentication: AD FS authentication is extensible for 3rd-party providers

14 Authentication with AD FS (diagram, steps 1-7): Colleague, On Premises Active Directory Domain Services, AD FS, Azure AD Integrated Application

15 Claims vs. Tokens (table with columns Encryption, Transport, Contents, Limits, Security):
- Claims in SAML: encryption optional; transport HTTP (TCP 80) or HTTPS (TCP 443); contents XML-based; security from token signing and replay protection
- Claims in Kerberos: always encrypted (the ticket itself is encrypted); transport Kerberos (TCP 88); contents are authorization data (the PAC); limited by MaxTokenSize; security from ticket lifetime, mutual authentication and PAC validation
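The "Security" column of the table is what a relying party has to enforce on every SAML token it receives. The following PowerShell is an added example, not code from the presentation: it checks the Conditions of a SAML 2.0 assertion (lifetime with clock skew, audience) and keeps a replay cache keyed by assertion ID. The assertion text, the issuer and the audience URL are constructed for the example; signature verification against the IdP's token-signing certificate is assumed to have happened before this function is called.

```powershell
# Added example: SAML 2.0 Conditions check plus replay cache (not from the slides).
# Signature verification is assumed to be done by the caller beforehand.

$script:SeenAssertionIds = @{}   # assertion ID -> NotOnOrAfter, so stale entries can be purged later

function Test-SamlConditions {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$ClockSkewSeconds = 300
    )
    $doc = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    $assertion = $doc.SelectSingleNode('/saml:Assertion', $ns)
    $cond      = $assertion.SelectSingleNode('saml:Conditions', $ns)
    if (-not $cond) { return [pscustomobject]@{ Accepted = $false; Reason = 'no Conditions element' } }

    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $notBefore    = [datetime]::Parse($cond.NotBefore,    $culture, $style)
    $notOnOrAfter = [datetime]::Parse($cond.NotOnOrAfter, $culture, $style)

    # Token lifetime, with a small allowance for clock skew between IdP and relying party
    if ($Now -lt $notBefore.AddSeconds(-$ClockSkewSeconds)) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'assertion not yet valid' }
    }
    if ($Now -ge $notOnOrAfter.AddSeconds($ClockSkewSeconds)) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'assertion expired' }
    }

    # Audience restriction: the token must have been issued for this relying party
    $audiences = @($cond.SelectNodes('saml:AudienceRestriction/saml:Audience', $ns) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains $ExpectedAudience) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'audience mismatch' }
    }

    # Replay protection: an assertion ID may be consumed only once during its lifetime
    $id = $assertion.GetAttribute('ID')
    if ($script:SeenAssertionIds.ContainsKey($id)) {
        return [pscustomobject]@{ Accepted = $false; Reason = "replayed assertion $id" }
    }
    $script:SeenAssertionIds[$id] = $notOnOrAfter

    # Collect the claims (attribute statement) for the application
    $claims = @{}
    foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{ Accepted = $true; Reason = 'ok'; Claims = $claims }
}

# Constructed assertion used for the demonstration (issuer and audience are made up)
$assertionXml = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" IssueInstant="2015-04-01T10:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2015-04-01T10:00:00Z" NotOnOrAfter="2015-04-01T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.corp.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

$now = [datetime]::new(2015, 4, 1, 10, 30, 0, [System.DateTimeKind]::Utc)
Test-SamlConditions -AssertionXml $assertionXml -ExpectedAudience 'https://app.corp.example/' -Now $now               # accepted, claims returned
Test-SamlConditions -AssertionXml $assertionXml -ExpectedAudience 'https://app.corp.example/' -Now $now               # rejected: replayed assertion
Test-SamlConditions -AssertionXml $assertionXml -ExpectedAudience 'https://app.corp.example/' -Now $now.AddHours(2)   # rejected: expired
Test-SamlConditions -AssertionXml $assertionXml -ExpectedAudience 'https://other.corp.example/' -Now $now             # rejected: audience mismatch
```

The replay cache only needs to remember an ID until its NotOnOrAfter has passed (plus skew), which is why the expiry is stored alongside it; in a farm the cache has to be shared across nodes or the protection is per-server only.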

16 AZURE ACTIVE DIRECTORY SOLUTION

17 Introducing Azure Active Directory: modern identity management
- Free REST-based web service for authentication
- Cloud identity management: identity and access for Azure, Office 365, etc.
- 100% interoperability: based on open standards like SAML, with full support for 3rd-party identity providers

18 Authentication with Azure AD (diagram, steps 1-10): Colleague, On Premises Active Directory Domain Services, Directory Synchronization Tool, Azure AD, Azure AD Integrated Application

19 DEMO CLAIMS AND CLAIMTYPES

20 AZURE MULTI-FACTOR AUTHENTICATION SOLUTION

21 Authentication factors:
- Something someone can prove he/she knows: passwords
- Something someone can prove he/she is: biometric security like fingerprints, iris scans
- Something someone can prove he/she has: smart cards, phones
- Something someone does regularly

22 Challenges with auth factors:
- Smart card hardware: smart card readers never became a commodity
- Smart cards require PKI: certificates are commonly experienced as very hard
- User friendliness: is a smart card actually convenient in BYOD scenarios? There are new alternatives to smart cards

23 Multi-factor Auth with AD FS:
- Extensible Authentication Model: API in AD FS for 3rd-party authentication extensions; default support for certificates on smart cards
- Azure Multi-Factor Authentication: recently acquired PhoneFactor technology; phone call, text message, app or OATH token

24 DEMO CONFIGURING AZURE MFA WITH AD FS

25 Azure Multi-Factor Authentication (diagram, steps 1-9): On Premises Active Directory Domain Services

26 RICH AUTHORIZATION

27 Challenges with authorization:
- Group memberships are too strict: based on a single attribute, and the number of groups grows uncontrollably fast; only AND rules allowed; token bloat
- Cross-organizational access: organizations need an Active Directory trust, and trusts leak information both ways

28 Rich authorization scenarios: claims can be based on group membership, or on
- any property of the user account
- or occurrence of the user in the Global Address List (GAL)
- or the location of the device used
- … or combinations of the above …
- … or external claims …

29 Claims in tokens and tickets:
- Claims in SAML and OAuth 2.0: Active Directory Federation Services, available since Windows Server 2003 R2
- Claims in Kerberos: Dynamic Access Control, available since Windows Server 2012 *
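Slides 13 and 28 describe Relying Party trusts that release little information and authorization decisions built from attributes, device state and location. The PowerShell below is an added example for AD FS on Windows Server 2012 R2, not the presenter's demo: it creates one relying-party trust with issuance transform rules that query two AD attributes and pass through a device claim, and issuance authorization rules that combine those claims. The application name, its identifier/endpoint URLs and the department claim type are assumptions made for this example; the Microsoft claim types used are the standard ones shipped with AD FS.

```powershell
# Added example (not from the slides): relying-party trust with claims rules in AD FS 2012 R2.
Import-Module ADFS

# Issuance transform rules decide which claims leave AD FS for this application only.
# Rule 1 looks up two attributes of the authenticated user in Active Directory.
# Rule 2 passes through the device OS type claim presented by a Workplace-Joined device.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and department from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.example.com/claims/department"),
          query = ";userPrincipalName,department;{0}", param = c.Value);

@RuleName = "Pass through device OS type"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype"]
 => issue(claim = c);
'@

# Issuance authorization rules: conditions inside one rule are AND-ed; every rule that matches
# issues a permit claim, so separate rules are OR-ed. Access is granted to Finance users on a
# registered device, OR to anyone connecting from inside the corporate network.
$authorizationRules = @'
@RuleName = "Permit Finance on a registered device"
c1:[Type == "http://schemas.example.com/claims/department", Value == "Finance"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit from inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Name, identifier and endpoint are assumed values for this example
Add-AdfsRelyingPartyTrust -Name 'Expense claims app' `
    -Identifier 'https://expenses.corp.example/' `
    -WSFedEndpoint 'https://expenses.corp.example/' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Review what this trust releases and under which conditions
Get-AdfsRelyingPartyTrust -Name 'Expense claims app' |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Because the transform rules are attached to the trust, a second application gets its own rule set and never sees the department claim unless its trust issues it; that is the "little information shared" property of slide 13. The authorization rules show what slide 27 says groups cannot do: an OR across unrelated conditions, and a condition on device state rather than on a group.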

30 WORKPLACE JOIN SOLUTION

31 Single Sign-On beyond the browser:
- Single Sign-On on the intranet: AD FS offers automatic Kerberos-to-claims transformation (Identity 1.0 -> Identity 2.0)
- Single Sign-On on the extranet: Single Sign-On per browser session; there is no Identity 1.0 on the extranet (we hope)
- Single Sign-On using Workplace Join

32 Workplace Join – under the hood:
- Claims: employees verify devices for their account
- Certificates and cookies: a certificate issued by MS-Organization-Access, and cookies in the browser
- msDS-Device objects in Active Directory Domain Services, automatically removed after 90 days of inactivity
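The following PowerShell is an added example of what the Workplace Join demo with multi-factor authentication involves on the AD FS side; it is not the presenter's demo script. It enables the Device Registration Service, attaches an additional authentication rule so that a sign-on from a device that is not registered is stepped up to MFA, and lists the msDS-Device objects that registrations create. The service account name, the relying-party name, the domain DN and the MFA provider name are assumptions for this example; `Get-AdfsAuthenticationProvider` shows the provider names actually registered on a farm.

```powershell
# Added example (not from the slides): Workplace Join plus MFA step-up in AD FS 2012 R2.
Import-Module ADFS
Import-Module ActiveDirectory

# 1. Prepare the forest once for device registration and switch it on in the AD FS farm.
#    'CORP\adfssvc$' is an assumed group managed service account for the AD FS service.
Initialize-ADDeviceRegistration -ServiceAccountName 'CORP\adfssvc$'
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 2. Make an MFA provider available as the additional authentication method. The provider
#    name below is an assumption; the registered names are listed by the first command.
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'WindowsAzureMultiFactorAuthentication'

# 3. Additional authentication rules on one relying party. Each rule that matches demands MFA,
#    so MFA is skipped only when the device is registered AND the request comes from inside the
#    corporate network; a registered device on the extranet, or any unregistered device, is stepped up.
$stepUpRules = @'
@RuleName = "Require MFA when the device is not registered"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");

@RuleName = "Require MFA from outside the corporate network"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Expense claims app' -AdditionalAuthenticationRules $stepUpRules

# 4. Registered devices are msDS-Device objects under the RegisteredDevices container that step 1
#    creates (domain DN assumed). Devices whose last logon timestamp is older than 90 days are
#    removed automatically; this lists what is currently registered and when it last signed on.
Get-ADObject -SearchBase 'CN=RegisteredDevices,DC=corp,DC=example' `
    -Filter 'objectClass -eq "msDS-Device"' `
    -Properties 'msDS-ApproximateLastLogonTimeStamp' |
    Select-Object Name, 'msDS-ApproximateLastLogonTimeStamp'
```

The step-up rules rely on two claims that only exist because of the first two steps: `isregistereduser` is produced when the device presents its MS-Organization-Access certificate, and `insidecorporatenetwork` is set by the Web Application Proxy in front of the farm. Without the device certificate there is no device claim, which is why the rules test for the absence of a "true" value rather than for an explicit "false".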

33 DEMO WORKPLACE JOIN WITH MULTI-FACTOR AUTHENTICATION

34 STRAIGHT-FORWARD ACCESS

35 Challenges with accessing data:
- Server Message Block (SMB): discloses Windows-based file servers; not optimized for the web
- Remote Procedure Call (RPC): discloses remote Windows functionality; designed when there was no web…

36 WORK FOLDERS SOLUTION

37 Work Folders positioning (matrix): data types (personal data; individual business data; team and project data), accessed from personal devices, mapped against storage back-ends (OneDrive in the public cloud; OneDrive for Business; SharePoint on-prem/online; File Server with Work Folders)

38 Work Folders internals:
- HTTP-based file synchronization (carried over HTTPS)
- DNS records (workfolders.domain.tld) for autodiscovery
- Windows authentication or AD FS (OAuth 2.0)
- Default device policies: password policy and device lock, customizable using Mobile Device Management (MDM)
- Encryption of data on the device and remote functional wipe
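The following PowerShell is an added example, not the presenter's demo, of how the Work Folders internals listed above are turned on for a Windows Server 2012 R2 file server: the sync share with the two default device policies, the AD FS (OAuth 2.0) authentication setting and the autodiscovery DNS record. The server name, DNS zone, path and group are assumptions, and the `-ADFSUrl` parameter of `Set-SyncServerSetting` is assumed from its documented purpose; the HTTPS certificate binding on the server is not shown.

```powershell
# Added example (not from the slides): Work Folders server setup on Windows Server 2012 R2.

# Install the Work Folders role service
Install-WindowsFeature FS-SyncShareService

# Create the sync share. The two policies are the "default device policies" of the slide:
# data on the device is encrypted and the device must enforce a password plus auto-lock.
# 'D:\WorkFolders' and 'CORP\WorkFoldersUsers' are assumed values.
New-SyncShare -Name 'WorkFolders' -Path 'D:\WorkFolders' -User 'CORP\WorkFoldersUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Use AD FS (OAuth 2.0) instead of Windows authentication, so devices that are not
# domain-joined can sync from the extranet. URL assumed for this example.
Set-SyncServerSetting -ADFSUrl 'https://adfs.corp.example'

# Autodiscovery: a client with UPN user@corp.example resolves workfolders.corp.example
# to find its sync server. Zone and host names are assumed.
Add-DnsServerResourceRecordCName -ZoneName 'corp.example' -Name 'workfolders' -HostNameAlias 'sync1.corp.example'

# Check the resulting share and its policies
Get-SyncShare -Name 'WorkFolders' |
    Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
```

The autodiscovery record is also what an attacker on the same DNS would target to redirect clients, which is one more reason the sync endpoint must present a certificate the clients trust rather than relying on the name alone.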

39 POLICY-BASED DEVICE MANAGEMENT

40 Challenges with systems management:
- Systems management for multiple platforms: Group Policies are Windows-only *, so Windows-based machines can be managed centrally, but what about managing iPads, Android devices, Windows RT?
- Applications for multiple platforms: different platforms, different ecosystems, different apps
- Not all devices are connected to the network

41 INTUNE SOLUTION

42 Systems management with Intune (diagram): On Premises Active Directory Domain Services

43 CONCLUDING

44 Concluding: to facilitate access to organizational IT resources with devices owned by employees and other entities, you'll need:
- Web-ready authentication
- Rich authorization
- Straight-forward access
- Policy-based systems management


46 We reward you with 100 WinCoin points for attending this session. Earn an additional 100 WinCoin points if you fill in the official questionnaire. THANK YOU!

47 MVA http://www.microsoftvirtualacademy.com Successful professionals never stop learning. Microsoft Virtual Academy offers online Microsoft trainings led by experts to help professionals upgrade their knowledge. Trainings are prepared by leading experts from different technology areas. After you take a training, you can test your knowledge. To better understand this session, I advise you to take the following trainings: XXX1 XXX2 XXX3 Training name 1 link1 Training name 2 link1 Training name 3 link1
