Today, many organizations want to embrace “mobility.”
But what do we mean when we use the term?
If you ask ten people, you’re likely to get ten different answers. To some, it means they have access to their email and company files from their phone. To others, it means running work applications while they’re away from the office.
As IT administrators, we want to standardize devices in the organization to make our lives easier. However, the data shows that people are more productive when working on their preferred devices. It’s for this reason that Microsoft has pioneered its enterprise mobility and security suite to help organizations enable mobile, productive workers on the devices they love.
In our latest webinar, “Modern Windows Management,” we explore Microsoft Enterprise Mobility + Security (EM+S) solution, including the core components of EM+S and the ways they enhance Windows 10 management for cloud-first, mobile-first environments.
“Mobility: n. To be able to work from anywhere, on any device with safety and security” – any organization that wants to enable mobility should strive to meet this definition.
It’s also an important mandate for companies facing the coming paradigm shift in the workforce. Many up-and-coming workers haven’t experienced a world without mobile devices, Wi-Fi or the ability to install and set up an application with the push of a thumb. More experienced IT administrators realize this instant gratification is somewhat far-fetched within the enterprise, but that doesn’t mean we can’t move the needle.
For example, say one person prefers a laptop. Meanwhile, another gets much more accomplished on a tablet with a foldout keyboard. Their employer should be prepared to accommodate both preferences. Accommodating a variety of workstyles will allow organizations to unlock greater productivity.
Protection in the Mobile-First Workplace
Nonetheless, the cloud-first, mobile-first workplace comes with its own risks. Microsoft has published some compelling statistics on the modern enterprise environment:
- 63% of data breaches result from weak, lost or stolen passwords
The user identity provides the greatest surface area for attack. This is a mission-critical point of protection, as that identity leads back to your organization’s most valuable resource: data.
- 80% of employees admit to using non-approved SaaS applications to do their jobs
The problem of shadow IT is always lurking. Imagine the scenario where a department approaches IT in need of a cloud storage solution. The response from IT is that they’re considering rolling something out within eight or twelve months. The result? An unknown alternative ends up paid for on a personal credit card or department budget. IT has no visibility or governance. This kind of problem is a key obstacle to overcome in enabling secure mobility.
- Gartner predicts IT spending will increase just 0.6% in 2017.
The IT department proposes steps to prepare for the sophisticated threats in today’s environment. Management responds with the same budget as last year. It’s a common story: The business asks IT to do more with less.
Microsoft’s EM+S helps address these issues with a unique, integrated technology stack. While there are many providers for identity protection, for instance, few also have device management. As another example, many vendors are great for managing mobile devices but fall short when it comes to laptops and desktops. EM+S is the only offering equipped to cover all four pillars of your mobile environment:
- Apps & Data
EM+S: Under the Hood
EM+S is a suite of products you can deploy as individual solutions or in combination. This allows you to select and use those components that address your organization’s specific gaps. It’s also possible to set up hybrid deployments with technology from other providers like System Center.
Azure Active Directory
Azure Active Directory (Azure AD) is a key component of modern Windows management. To provide proper protection for your corporate assets, you need to control the people and devices that access them. Azure AD provides identity and access management for the cloud, including:
- Web-based single-sign-on (SSO)
- Multi-factor authentication for cloud and on-premises components
- Self-service password reset from a cloud-based portal
- Reporting on identities active in your cloud footprint as well as possible exploits
If you’re already using Azure or Office 365, much of the groundwork in enabling Azure AD Premium is already laid for you. Azure AD Join allows a user to register a device from anywhere using an organizational ID. At the same time, integrated device registration provides each device with an identity that can enable or disable that device’s access to the environment. This helps to shore up BYOD initiatives with an additional layer of trust.
Microsoft Cloud App Security
Cloud App Security is another major component of EM+S. It provides key insight into your data and how people are accessing it within your environment. It’s also integrated with major third-party SaaS solutions, including Box, Salesforce, and SharePoint Online.
This means EM+S could, for example, determine that an external-facing document in SharePoint Online contains identifiable personal data, un-share it and raise an alert. Or, Cloud App Security could detect and send a notification if an employee account logs into Salesforce from Philadelphia and then logs in again from Beijing forty-five minutes later.
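The Philadelphia-to-Beijing scenario above is a classic "impossible travel" detection. The following is an added illustration, not code from the webinar or from Cloud App Security: it runs the check over a handful of constructed sign-in events, flagging any consecutive sign-ins by one account whose implied travel speed exceeds an assumed ceiling (1,000 km/h, roughly an airliner). City coordinates and the speed threshold are assumptions for the example.

```python
"""Impossible-travel check over sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample: approximate coordinates for the two cities named in the text.
CITY_COORDS = {
    "Philadelphia": (39.9526, -75.1652),
    "Beijing": (39.9042, 116.4074),
}

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly commercial airliner speed


@dataclass
class SignIn:
    user: str
    city: str
    when: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, implied_kmh) for each pair of consecutive
    sign-ins by the same account whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.city == cur.city:
                continue  # same location: nothing to compare
            dist = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[cur.city])
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")  # same timestamp, different city
            if speed > max_kmh:
                alerts.append((user, prev, cur, speed))
    return alerts


# Constructed sample events: alice matches the scenario in the text; bob flew 20 hours later.
SAMPLE_EVENTS = [
    SignIn("alice", "Philadelphia", datetime(2017, 3, 1, 9, 0)),
    SignIn("alice", "Beijing", datetime(2017, 3, 1, 9, 45)),
    SignIn("bob", "Philadelphia", datetime(2017, 3, 1, 8, 0)),
    SignIn("bob", "Beijing", datetime(2017, 3, 2, 4, 0)),
]
```

Only alice's pair is flagged (about 11,000 km in 45 minutes); bob's 20-hour gap implies a plausible airline speed and passes.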
Microsoft Intune
Intune is the EM+S component for mobile device and application management. Many view Intune as a mobile device management (MDM) platform – and it is. But, it’s also an excellent platform for managing laptop and desktop PCs.
Another important feature of Intune surrounds enrollment. In the past, device enrollment involved going to a website and downloading an app, or pushing out an agent in the case of desktops. With Windows 10, device enrollment with Intune is baked into the operating system. This allows a user to enroll a new device, without the need for central imaging, from the moment they first turn it on.
Meanwhile, Intune also provides key capabilities in data protection. Through integration with Azure AD, it allows you to detect a device logging into your cloud footprint and apply the appropriate policies. Through Windows Information Protection (WIP), it also combines Encrypting File System (EFS) and AppLocker technology to separate corporate and personal data. Your WIP policies then define the apps you trust to access or modify company data. This, in turn, enables Intune’s selective wipe capabilities for corporate data.
The result is a low-friction opt-in for both users and IT.
Microsoft Threat Analytics
This is the sole component of EM+S that runs primarily on-premises. Advanced Threat Analytics sits inside your data center and monitors your Active Directory and authentication infrastructure. Using behavioral analysis, it establishes a baseline of normal activity in your environment. It then reports suspicious activity that deviates from that baseline.
Why include an on-premises solution within a cloud-based environment? The answer is that the identities you sync out to the cloud are only as secure as the on-premises identities they’re synced with. After all, identity is the wedge that often gets attackers in your door.
Microsoft Information Protection
The last component of EM+S protects data, the veritable keys to the kingdom. There would be little reason to protect identities or devices if they couldn’t access your data.
Hello for Business
Although not a part of the EM+S suite, Azure AD and Intune enable Microsoft’s biometric authentication technology, Hello for Business. This strengthens two-factor authentication for devices by replacing weaker password-based methods. It’s also much more convenient for end users.
Making Life Easier for Device Managers
The EM+S offering has a robust feature set that applies whether your organization numbers in the hundreds or thousands. Say, for example, you’re a small-to-medium organization with little or no on-premises infrastructure. As a cloud-based business, why would you then expend resources to install physical servers to manage your devices?
In another scenario, you’re a traditional organization with a few hundred employees that wants to roll out a BYOD initiative. In the past, this was a painful experience for users and IT alike. Today, Azure AD Join allows users to register their devices and enroll with Intune in a self-service capacity. When users separate from the company, you’re equipped to erase their access to corporate data leaving their personal information intact.
A third scenario relates to remote and mobile workers. If your users spend little time in the office, it’s a hassle for them to go through a VPN to reset passwords or access security updates. EM+S functionalities allow this access from anywhere, a situation ideal for “road warriors.”
Embrace Modern Windows Management
The traditional approach to managing Windows devices consisted of getting a computer, joining it to Active Directory, and using System Center Configuration Manager (SCCM) to push out applications and data. Imaging a new device was a high-touch process with heavy IT involvement.
Modern Windows management uses Azure AD, eliminating the need for group policies and configuration tools. Central imaging becomes outdated with Intune enrollment enabled out of the box. The result is a much easier and much more secure way to enable mobility in your organization with EM+S.