Understanding Microsoft enterprise mobility solutions

2/17/2016

Microsoft enterprise mobility solutions

Microsoft has aggressively pursued a strategy of “mobile first, cloud first” in their enterprise mobility management vision. This vision is centered on helping organizations enable their users to be productive on the devices they prefer, while protecting company resources. Central to this vision is the concept of balance—balancing the financial and data-security needs of the company with the productivity and privacy needs of users. Finding an appropriate balance often means splitting authority between the company and users, and keeping added management complexity to a minimum to ensure satisfaction and compliance.

Instead of piecing together parts of existing on-premises products and attempting to update and rebrand them as cloud services, Microsoft chose to design an enterprise mobility management solution from the ground up and leverage the powerful features of its proven cloud services, such as Azure and Office 365.

Microsoft Enterprise Mobility Suite

The Enterprise Mobility Suite (EMS), shown in Figure 1-2, is a comprehensive set of cloud services and on-premises technologies designed to extend user identities to the cloud, manage mobile devices and apps, increase user productivity through native support for Microsoft Office apps and support for thousands of SaaS applications, and protect files accessed and stored on managed devices.


FIGURE 1-2 Enterprise Mobility Suite products

EMS comprises the following products:

  • Microsoft Azure Active Directory Premium
  • Microsoft Intune
  • Microsoft Azure Rights Management
  • Microsoft Advanced Threat Analytics

Azure Active Directory Premium

Azure Active Directory (Azure AD) Premium is a Microsoft cloud-based service that provides comprehensive user identity and application access management capabilities. Built on the rich set of directory-service features of Azure AD that is included in all Microsoft Azure subscriptions, the Azure AD Premium subscription includes additional capabilities for enterprise-level identity management. One of the most popular features of Azure AD Premium is its integrated single sign-on (SSO) support for thousands of popular Software as a Service (SaaS) apps. This means that instead of users having to use multiple sets of user names and passwords to access apps such as Salesforce, Concur, or Workday, they can use a single user name and password for a consistent experience across every app and device.

In addition to the features in the Azure AD Free and Basic subscriptions, the Premium subscription includes the following:

  • Self-service group management that users can use to create and manage customized user groups
  • Advanced security reports and alerts based on machine-learning that organizations can use to monitor and protect access to cloud applications
  • Multi-factor authentication (MFA) that supports configuring user verification steps in addition to a single user name/password authentication process
  • Microsoft Identity Manager (MIM) usage rights, for organizations that need to run additional on-premises hybrid identity services
  • Password reset with write back for user self-service password management with on-premises directory services
  • Azure AD Connect Health to monitor on-premises identity infrastructure and synchronization services available through Azure AD Connect

Microsoft Intune

Microsoft Intune is another Microsoft cloud-based service that provides mobile device management (MDM), mobile application management (MAM), and Windows PC management capabilities. Microsoft Intune supports Android, iOS, and Windows-based devices and can be used either as a standalone cloud service or connected to an existing on-premises Microsoft System Center Configuration Manager 2012 R2 or later deployment. Additionally, Microsoft Intune provides the infrastructure support for the enterprise mobility management features included with Office 365.

Microsoft Intune supports a comprehensive mix of MDM and MAM capabilities, including

  • Simplified device enrollment for Android, iOS, and Windows devices
  • Mobile device management through configuration and compliance policies
  • Device access profiles for managing access to virtual private networks, wireless networks, email servers, and certificate-controlled resources
  • Conditional access to Microsoft Exchange Server or Exchange Online–based email accounts
  • Mobile application deployment, installation, and management
  • Mobile device lock, remote PIN reset, complete device factory reset, or selective wipe of company data while leaving personal data intact

Azure Rights Management

Azure Rights Management (Azure RMS) is a cloud-based service that helps you protect your organization’s sensitive information from unauthorized access and controls how that information is used or shared. It combines encryption, identity, and authorization policies to secure files and email: the policy and the permissions it grants are bound directly to each file and email message, independent of where the content is stored. Because protection travels with the content rather than with a storage location, the permissions remain in force when a file leaves your organization, your network, your file servers, or your applications. Users can therefore work with company data from whatever device they use and share it by whatever route they choose, and the policy is still checked and enforced at the moment the content is opened.
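To make the mechanism behind "permissions follow the file" concrete, here is an added toy model written for this page; it is not Azure RMS code and does not reproduce its real file format, key hierarchy, or template system. It assumes a single organization key held by a protection service (stand-in for the tenant key), a policy that names the permitted readers, and a toy HMAC-based stream cipher in place of the AES the real service uses. Content is encrypted, the policy is stored inside the protected file, the content key is wrapped under the organization key, and a MAC over the policy and ciphertext prevents an offline edit of the policy. The only way to obtain the content key is to ask the service, which checks the caller's identity against the embedded policy.

```python
"""Toy model of policy-attached file protection (added illustration; not Azure RMS)."""
import hashlib
import hmac
import json
import os

# Stand-in for the tenant key held by the protection service (assumption).
ORG_KEY = os.urandom(32)


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Real systems use AES."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def protect(plaintext: bytes, policy: dict, org_key: bytes = ORG_KEY) -> str:
    """Encrypt content and bind the policy to it; returns one self-contained JSON blob."""
    content_key, nonce, wrap_nonce = os.urandom(32), os.urandom(16), os.urandom(16)
    header = {
        "policy": policy,  # the usage policy travels inside the file
        "nonce": nonce.hex(),
        "wrap_nonce": wrap_nonce.hex(),
        # Content key wrapped under the org key: only the service can unwrap it.
        "wrapped_key": _stream_xor(org_key, wrap_nonce, content_key).hex(),
    }
    ciphertext = _stream_xor(content_key, nonce, plaintext)
    header_bytes = json.dumps(header, sort_keys=True).encode()
    # MAC over header + ciphertext so the embedded policy cannot be edited offline.
    tag = hmac.new(org_key, header_bytes + ciphertext, hashlib.sha256).hexdigest()
    return json.dumps({"header": header_bytes.decode(),
                       "ciphertext": ciphertext.hex(), "tag": tag})


def open_protected(blob: str, user: str, org_key: bytes = ORG_KEY) -> bytes:
    """Service-side open: verify integrity, authorize the identity, then release content."""
    doc = json.loads(blob)
    header_bytes = doc["header"].encode()
    ciphertext = bytes.fromhex(doc["ciphertext"])
    expected = hmac.new(org_key, header_bytes + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("protected file or its policy has been tampered with")
    header = json.loads(header_bytes)
    if user not in header["policy"]["readers"]:
        raise PermissionError(f"{user} is not granted access by the file's policy")
    content_key = _stream_xor(org_key, bytes.fromhex(header["wrap_nonce"]),
                              bytes.fromhex(header["wrapped_key"]))
    return _stream_xor(content_key, bytes.fromhex(header["nonce"]), ciphertext)


def demo() -> dict:
    """Three cases: authorized reader, unauthorized reader, edited policy (constructed data)."""
    blob = protect(b"Q3 acquisition plan", {"readers": ["alice@contoso.example"]})
    results = {"authorized": open_protected(blob, "alice@contoso.example")}
    try:
        open_protected(blob, "mallory@attacker.example")
        results["unauthorized"] = "allowed"
    except PermissionError:
        results["unauthorized"] = "denied"
    # Attacker copies the file and rewrites the embedded policy to add themselves.
    doc = json.loads(blob)
    doc["header"] = doc["header"].replace("alice@contoso.example", "mallory@attacker.example")
    try:
        open_protected(json.dumps(doc), "mallory@attacker.example")
        results["tampered"] = "allowed"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that copying the blob to another device, mailbox, or file share changes nothing: whoever holds it still has to present an identity to the holder of the organization key, and the key is released only if that identity satisfies the policy bound to the content.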

Microsoft Advanced Threat Analytics

Cyberattacks and Internet-based threats have grown more and more sophisticated and continue to increase in frequency and severity. Organizations realize now more than ever that they need to be proactive in their efforts to protect corporate data, user identities, employee and customer personal information, and their online reputation. Advanced Threat Analytics (ATA) identifies suspicious activities and abnormal behavior in on-premises networks, helps detect malicious attacks, and provides alerts for security risks. ATA is covered in more depth in Chapters 4 and 5.

Mobile Device Management for Office 365

The Office 365 business productivity suite is a group of cloud-based services and software subscriptions designed to increase productivity and lower licensing costs for organizations of all sizes. Office 365 and EMS are complementary suites of services and share many of the same architectural services. By sharing a common cloud-based infrastructure, both suites offer identity management provided by Azure AD, mobile device and application management capabilities provided by Microsoft Intune, and access and information protection enabled by Azure RMS. Microsoft ATA is an on-premises service and is included with EMS, but it isn’t currently included with Office 365 subscriptions. Table 1-1 shows the relationships of these services.

TABLE 1-1 Enterprise Mobility Suite and Office 365 products and services

Identity management
  Enterprise Mobility Suite: Azure AD Premium
    • Single sign-on for SaaS apps
    • Advanced multifactor authentication
    • Microsoft Identity Manager (MIM)
  Office 365: Identity management enabled by Azure AD
    • Basic single sign-on for Office 365
    • Basic multifactor authentication for Office 365

Mobile device and app management
  Enterprise Mobility Suite: Microsoft Intune
    • MDM and MAM support
    • Advanced device and app policies
    • System Center integration
  Office 365: MDM for Office 365 enabled by Microsoft Intune
    • Basic device settings management
    • Selective wipe/device reset
    • Built into the Office 365 admin console

Access and data protection
  Enterprise Mobility Suite: Azure RMS
    • Protection for content in Office apps (on-premises or Office 365) and Windows Server files
    • Email notifications for shared documents
  Office 365: RMS protection enabled by Azure RMS
    • Protection for content in Office apps (on-premises or Office 365)
    • Access to the RMS Software Development Kit (SDK)

Threat protection
  Enterprise Mobility Suite: Advanced Threat Analytics
    • Detects abnormal user behavior
    • Detects malicious attacks
    • Identifies known risks
  Office 365: Not included (ATA is an on-premises service that ships with EMS only)

Mobile Device Management for Office 365 (MDM for Office 365) is the set of mobile device management features included with most Office 365 subscription plans. Its capabilities are enabled by Microsoft Intune, and its device management features are tightly integrated with Office 365 services such as Exchange Online and SharePoint Online. Instead of the Microsoft Intune management portal, MDM for Office 365 is administered from the Office 365 admin console. MDM for Office 365 is covered in more depth in Chapter 6, “Introducing Mobile Device Management for Office 365,” and Chapter 7, “Implementing Mobile Device Management for Office 365.”