Posted on October 3, 2017 by Arun Kirupananthan
But what do we mean when we use the term "mobility"?
If you ask ten people, you’re likely to get ten different answers. To some, it means they have access to their email and company files from their phone. To others, it means running work applications while they’re away from the office.
As IT administrators, we want to standardize devices in the organization to make our lives easier. However, the data shows that people are more productive when working on their preferred devices. It’s for this reason that Microsoft has pioneered its enterprise mobility and security suite to help organizations enable mobile, productive workers on the devices they love.
In our latest webinar, “Modern Windows Management,” we explore Microsoft Enterprise Mobility + Security (EM+S) solution, including the core components of EM+S and the ways they enhance Windows 10 management for cloud-first, mobile-first environments.
“Mobility: n. To be able to work from anywhere, on any device with safety and security” – any organization that wants to enable mobility should strive to meet this definition.
It’s also an important mandate for companies facing the coming paradigm shift in the workforce. Many up-and-coming workers haven’t experienced a world without mobile devices, wi-fi or the ability to install and set up an application with the push of a thumb. More experienced IT administrators realize this instant gratification is somewhat far-fetched within the enterprise, but that doesn’t mean we can’t move the needle.
For example, say one person prefers a laptop. Meanwhile, another gets much more accomplished on a tablet with a foldout keyboard. Their employer should be prepared to accommodate both preferences. Accommodating a variety of workstyles will allow organizations to unlock greater productivity.
Nonetheless, the cloud-first, mobile-first workplace comes with its own risks. Microsoft has published some compelling statistics on the modern enterprise environment:
The user identity provides the greatest surface area for attack. This is a mission-critical point of protection, as that identity leads back to your organization’s most valuable resource: data.
The problem of shadow IT is always lurking. Imagine the scenario where a department approaches IT in need of a cloud storage solution. The response from IT is that they’re considering rolling something out within eight or twelve months. The result? An unknown alternative ends up paid for on a personal credit card or department budget. IT has no visibility or governance. This kind of problem is a key obstacle to overcome in enabling secure mobility.
The IT department proposes steps to prepare for the sophisticated threats in today’s environment. Management responds with the same budget as last year. It’s a common story: The business asks IT to do more with less.
Microsoft’s EM+S helps address these issues with a unique, integrated technology stack. While there are many providers for identity protection, for instance, few also have device management. As another example, many vendors are great for managing mobile devices but fall short when it comes to laptops and desktops. EM+S is the only offering equipped to cover all four pillars of your mobile environment:
EM+S is a suite of products you can deploy as individual solutions or in combination. This allows you to select and use those components that address your organization’s specific gaps. It’s also possible to set up hybrid deployments with technology from other providers like System Center.
Azure Active Directory (Azure AD) is a key component of modern Windows management. To provide proper protection for your corporate assets, you need to control the people and devices that access them. Azure AD provides identity and access management for the cloud, including:
If you’re already using Azure or Office 365, much of the groundwork in enabling Azure AD Premium is already laid for you. Azure AD Join allows a user to register a device from anywhere using an organizational ID. At the same time, integrated device registration provides each device with an identity that can enable or disable that device’s access to the environment. This helps to shore up BYOD initiatives with an additional layer of trust.
Cloud App Security is another major component of EM+S. It provides key insight into your data and how people are accessing it within your environment. It’s also integrated with major third-party SaaS solutions, including Box, Salesforce, and SharePoint Online.
This means EM+S could, for example, determine if there is an external-facing document in SharePoint Online that contains identifiable personal data, un-share it and receive an alert. Or, Cloud App Security could detect and send notification should an employee account log into Salesforce from Philadelphia and then log in again from Beijing forty-five minutes later.
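The second scenario above is an "impossible travel" check: two sign-ins by the same account whose distance apart could not plausibly be covered in the time between them. The following is an added illustration, not Cloud App Security's own logic; it runs over constructed sign-in events and assumes a 1,000 km/h ceiling for legitimate travel (roughly a commercial flight).

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling for legitimate movement between two sign-ins (commercial flight speed).
MAX_SPEED_KMH = 1000.0

# Constructed sample sign-in events (not real telemetry): user, UTC time, location.
SIGN_INS = [
    {"user": "alice", "time": "2017-10-03T09:00:00Z", "city": "Philadelphia", "lat": 39.95, "lon": -75.17},
    {"user": "alice", "time": "2017-10-03T09:45:00Z", "city": "Beijing", "lat": 39.90, "lon": 116.40},
    {"user": "bob", "time": "2017-10-03T08:00:00Z", "city": "Philadelphia", "lat": 39.95, "lon": -75.17},
    {"user": "bob", "time": "2017-10-03T10:30:00Z", "city": "New York", "lat": 40.71, "lon": -74.01},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each sign-in with the user's previous one; alert when the implied speed is unrealistic."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e["user"], parse_time(e["time"]))):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_time(ev["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Two sign-ins at the same instant from different places are also impossible.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "distance_km": round(dist), "hours": round(hours, 2),
                               "speed_kmh": round(speed)})
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print("impossible travel:", alert)
```

Bob's Philadelphia-to-New York hop two and a half hours apart stays quiet; Alice's Philadelphia-to-Beijing pair forty-five minutes apart is flagged.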
Intune is the EM+S component for mobile device and application management. Many view Intune as a mobile device management (MDM) platform – and it is. But, it’s also an excellent platform for managing laptop and desktop PCs.
Another important feature of Intune surrounds enrollment. In the past, device enrollment involved going to a website and downloading an app, or pushing out an agent in the case of desktops. With Windows 10, device enrollment with Intune is baked into the operating system. This allows a user to enroll a new device, without the need for central imaging, from the moment they first turn it on.
Meanwhile, Intune also provides key capabilities in data protection. Through integration with Azure AD, it allows you to detect a device logging into your cloud footprint and apply the appropriate policies. It also combines Encrypting File System (EFS) and AppLocker technology to separate corporate and personal data. Your Windows Information Protection (WIP) policies then define the apps you trust to access or modify company data. This, in turn, enables Intune's selective wipe capabilities for corporate data.
The result is a low-friction opt-in for both users and IT.
This is the sole component of EM+S that is majority on-premises. Advanced Threat Analytics sits inside your data center and monitors your Active Directory and authentication structure. Using behavioral analysis, it benchmarks the norm for activity in your environment. It then reports suspicious activity that deviates from the norm.
Why include an on-premises solution within a cloud-based environment? The answer is that the identities you sync out to the cloud are only as secure as the on-premises identities they’re synced with. After all, identity is the wedge that often gets attackers in your door.
The last component of EM+S protects data, the veritable keys to the kingdom. You wouldn’t care to protect the identities or devices if they couldn’t access your data.
Although not a part of the EM+S suite, Azure AD and Intune enable Microsoft's biometric authentication technology, Windows Hello for Business. This adds further strength to two-factor authentication for devices by replacing flimsier password-based methods. It's also much more convenient for end users.
The EM+S offering has a robust feature set that applies whether your organization numbers in the hundreds or thousands. Say, for example, you’re a small-to-medium organization with little or no on-premises infrastructure. As a cloud-based business, why would you then expend resources to install physical servers to manage your devices?
In another scenario, you’re a traditional organization with a few hundred employees that wants to roll out a BYOD initiative. In the past, this was a painful experience for users and IT alike. Today, Azure AD Join allows users to register their devices and enroll with Intune in a self-service capacity. When users separate from the company, you’re equipped to erase their access to corporate data leaving their personal information intact.
A third scenario relates to remote and mobile workers. If your users spend little time in the office, it’s a hassle for them to go through a VPN to reset passwords or access security updates. EM+S functionalities allow this access from anywhere, a situation ideal for “road warriors.”
The traditional approach to managing Windows devices comprised getting a computer, joining it to Active Directory, and using System Center Configuration Manager (SCCM) to push out applications and data. Imaging a new device was a high-touch process with heavy IT involvement.
Modern Windows management uses Azure AD, eliminating the need for group policies and configuration tools. Central imaging becomes outdated with Intune enrollment enabled out of the box. The result is a much easier and much more secure way to enable mobility in your organization with EM+S.