Understanding Microsoft enterprise mobility solutions

2/17/2016

Contents

Enterprise mobility management concepts
Microsoft enterprise mobility solutions
Selecting the best solution for your organization
Enterprise mobility management scenario

Selecting the best solution for your organization

Determining the enterprise mobility management solution that best fits the needs of your organization can be difficult. As you’ve seen from the brief overview of the capabilities of the Enterprise Mobility Suite and MDM for Office 365, differences exist between the features and capabilities for each suite (and component services). Choosing one over the other before thoroughly understanding the differences and matching each to the specific needs of your organization will likely result in wasted time, wasted money, and user dissatisfaction and frustration.

In this section, you’ll cover key enterprise mobility management planning and design considerations you’ll need to define to choose the best Microsoft solution for your organization. Additionally, you’ll compare the features and capabilities of the Enterprise Mobility Suite, Microsoft Intune (standalone deployment), and MDM for Office 365.

Planning and designing a solution

The first step in determining what enterprise mobility management solution best meets the needs of your organization is defining your requirements. These requirements aren’t just a list of mobility management capabilities you think your organization needs—they must meet the actual business and productivity needs of your organization and users. You’ll need to review the functional and service capabilities of each solution to answer questions in the following areas:

Business needs, including device ownership, device platform, application, and user requirements
Mobility management location needs, including geographic network requirements
Mobile device management life-cycle requirements, including device enrollment, configuration, security, management, and monitoring
Software as a Service (SaaS) connectivity requirements

Defining your business needs

To get started, you must understand your current and future business needs and how they fit with your organization’s business strategy. If you don’t take a long-term approach with your mobility management planning, chances are that your solution won’t be scalable as your organization changes and grows. Although each organization will have different business requirements, a good place to start is to leverage best practices from other organizations in your industry. Because more and more organizations are embracing mobility management solutions with each passing day, it’s likely that mobility management resources are available to help you with this planning. If your organization is regulated by governmental agencies or need to meet industry-specific compliance standards, you should review the applicable standards for your organization for any mobility management requirements or guidance.

Next, it’s time to match the business requirements you’ve defined to the specifics of mobile device management:

Device ownership Who will own the mobile device? The employee, the company, or a mix of both options?
Device platform Which mobile device operating systems need to be supported? Just one or a mix of several?
Applications Which mobile applications or SaaS apps need to be supported? Are the applications supported on the required device platforms? How will the applications be deployed?
Users Will different groups of users have different mobility needs? Will users need mobile access to the same resources accessible from on-premises workstations?
Compliance How will compliance requirements affect mobile applications? Are management policies in place for mobile devices? Does your organization already have a BYOD policy in place, or will you need to create one?

Defining your location needs

Location can affect the administrative model of your mobility management solution. Some solutions support only a cloud-based service model, while others support a hybrid cloud/on-premises administrative model, where cloud-based services are connected to on-premises solutions. Depending on your network infrastructure and the geographic location of your company offices, having the flexibility to connect to existing device management solutions and use a central point of administration can significantly reduce costs and administrative overhead.

Modern mobile devices almost always include Global Positioning System (GPS) features by default. These features enable mobile applications to leverage geolocation capabilities. Some organizations might have business scenarios in which disabling location services on mobile devices is a requirement. For example, a company might have employees working in areas where applications that use location services cannot be used because of the sensitive nature of the work. IT departments would need to disable location services on devices that have access to these areas.

Answer the following questions about your location requirements:

Administrative model Which administrative model best meets your current and future infrastructure needs, centralized or distributed?
Location services Does your organization need the ability to disable location services on mobile devices?

Defining your mobile device life-cycle requirements

Managing mobile devices, both company-owned and user-owned devices, encompasses several important life-cycle management decisions. You need to define how your organization will manage devices in the each of the areas shown in Figure 1-3, making sure that each aligns with your overall MDM strategy, business needs, and other network management and support policies.

FIGURE 1-3 Mobile device management life-cycle stages

Enroll

Mobile device management starts with enrollment, and it must be simple, easy, and reliable. If device enrollment is complicated, difficult, or unreliable, users will be resistant to following the process or slow to enroll their mobile devices for management. Typically, devices are registered with a mobility management solution either by a user self-enrollment or an administrator-managed bulk-enrollment process.

In the self-enrollment process, users enroll devices by accessing an enrollment or management portal. This is a manual process, and organizations need to provide users with clear enrollment guidance to avoid creating additional support cases. In most cases, IT will require users to enroll their devices if they want to access corporate resources from their mobile device. For example, most users want to immediately configure access to their work email account from their mobile device, and policies can be configured to automatically provision user devices to access corporate email when they enroll the device.

Answer the following questions about your device-enrollment needs:

Will mobile devices be enrolled by administrators, by users, or by both?
Does your organization need to bulk-enroll devices?
How many devices will each user typically use and need to enroll?
What are the connectivity requirements for users to self-enroll devices?
What are the enrollment requirements for each device operating system your organization needs to support?
Do you require special policies for device-enrollment failures?
Will IT and users both need to unenroll devices?
If a device is selectively wiped, should it automatically be unenrolled from management?

Configure

The configuration and compliance policies in the mobility management solution must align with the business requirements for your organization. Typically, a mobile device is automatically assigned these policies and permissions when the device is enrolled, and administrators can associate these policies with groups of either devices or users.

Answer the following questions:

Which internal and external applications and services will be deployed, managed, and accessed by mobile devices?
What mobile device security and access configurations do you need to enforce?
Do you need to deploy apps and agents automatically and manually?
Do you need separate levels for device-management permissions for IT roles and positions?
Will your organization require digital certificates to authenticate mobile devices to company resources?
How will mobile devices connect to the Internet when connected to the company network?

Secure

Although usage of mobile devices can increase employee productivity, it also can increase security threats that you’ll need to mitigate to protect your company’s data and maintain user privacy. Defining your organization’s data-protection requirements for mobile devices is an important planning step to address this concern. You should plan for mobile-device encryption (for both in-transit and at-rest data), data segregation, and device hardening. Each of these high-level areas build on other protection-related design considerations that need to be defined.

Each mobile-device operating system you plan to support can also control and protect devices using different methods and different levels of granularity. For example, if one operating system has more options for hardening the device than another, you need to define a common set of hardening options to protect each type of device. These hardening options can include defining custom compliance policies for device passwords, sign-in attempts, and encryption settings.

Maintaining user privacy and properly classifying data stored on devices is equally important. Your organization might already have privacy standards and policies in place for workstation computers, and these should extend to mobile devices. This is especially important when conducting device hardware, software, and file inventories. A clearly defined, transparent privacy policy outlining what, when, and how data is collected from mobile devices will ensure that users are comfortable about what information is shared with the organization. This policy should also establish clear boundaries regarding what is considered company data and how it will be protected.

Defining who and which devices will have access to company data will also need to align with your organization’s standards and policies. This access is controlled by establishing authentication and authorization policies in the mobility management solution. To control access for resources, the solution must verify that users are who they claim to be (authentication) and determine whether they should have access to the resource (authorization). Once these steps are completed, the solution must validate both the level of access the user will have for the resource and that the device accessing the resource complies with company policies.

No matter how carefully these security principles are configured, you need to plan for potential security incidents. If your organization is just getting started with mobility management, make sure that any existing security incident-response policies and requirements apply to mobile devices and that the mobility management solution supports meeting these requirements. Especially in larger organizations, mobility management responsibilities might be assigned to a department or personnel not normally accustomed to responding to security incidents. It’s a good idea to involve your organization’s security team early in the mobility management planning and design process to prevent this from occurring.

When defining your security requirements, answer the following questions:

How will data be protected on devices at rest and in transit?
Will your organization need data encryption for devices and data within applications?
Will you need the ability to erase company data from devices, while preserving personal data on devices?
What level of device-hardening settings do you need?
How will you communicate the organization’s privacy policy to mobile-device users?
Where will mobile-device data be stored? Only on the device or also in the cloud? How is privacy managed in these locations?
Do you need to classify data on mobile devices? Does the classification travel with the data or apply only to data on the device?
How will you authenticate users? Will you need multi-factor authentication features?
Does your organization use an on-premises Public Key Infrastructure (PKI) to issue certificates? How will this apply to mobile devices?
Will you need to control access to mobile apps? Does access need to have different levels of control?
How will lost mobile-device incidents be handled? If the device is compromised, what policies will ensure that malicious activity doesn’t spread to other devices or the larger network?
How will you be notified of security incidents? Proactively or in real time?

Manage

As you’ve just seen, mobility management security integrates with virtually every facet of an organization’s technology infrastructure. Managing mobile devices is a topic that’s just as broad and comprehensive. Mobile device management typically involves several administrative and management areas, such as configuring devices, managing applications, configuring access to networks and resources, and monitoring and reporting. In most mobility management solutions, configuration policies are used to define general organizational settings for devices and compliance policies enforce requirements for resource access. Additionally, conditional access policies can define access to specific services, such as email or file-sharing resources.

To simplify and standardize enforcement of these policies, many mobile management solutions use profiles to push settings for networks and services to mobile devices. For example, by setting up and deploying email profiles, IT departments can automatically configure mobile devices with the appropriate email server connection information. This arrangement helps users connect to the correct email server without having to remember specific connection details. Profiles can typically be configured for virtual private network (VPN) and Wi-Fi network access and certificate management.

Answer the following questions when defining your MDM management requirements:

Do you need specific policies applied to groups of users, groups of devices, or groups of device operating systems?
Will you need to apply separate policies based on whether devices are company or user owned?
Will you need customized policies for network access? Email access?
Do policies need to be exported to third-party security devices?
Do you need a customized company portal for users to install apps?
How will policies be used to manage access to on-premises or cloud-based resources?

Monitor

Capturing and monitoring event and status information from mobile devices is vital to ensuring that users and devices comply with your organization’s policies and standards. This is especially important for organizations that must comply with government or industry-specific requirements and guidelines. Reporting also can assist with inventory management and provide detailed information about installed software, hardware capabilities, and licensing compliance. Remember the importance of user privacy discussed earlier, particularly for user-owned mobile devices. Your mobility management solution shouldn’t monitor, capture, report, or share any personal activity or information without the consent of your users. You need to be able to answer the following monitoring questions:

What kind of reports will you need for mobile devices?
Will reports need to be shared or accessed remotely?
Are there specific issues or problems you will need to identify?
Do you need customized or on-demand reports?
After a device is unenrolled, should legacy information be archived or maintained?

Defining your SaaS requirements

Understanding how your mobile management solution will integrate with current or future cloud services is vital as more organizations leverage the scalability and power of cloud-based computing. This has a large impact on managing user identity and directory services. Connecting and synchronizing your on-premises directories with a cloud service is the driving force to uniting users, mobile devices, mobile apps, and mobile device management. Additionally, configuring and managing connections to third-party SaaS apps can be difficult and time-consuming if those tasks are not handled correctly and the connections are not properly maintained.

When defining your SaaS requirements, answer the following questions:

Are business-critical SaaS applications available?
How will your existing on-premises user and device accounts connect?
Do passwords need to be synchronized with Azure AD?
Will you implement single sign-on for your organization?
What existing SaaS platforms do you currently use? Do they support specific mobility management solutions and features?
How is user and device authentication handled? How are identity-related threats and anomalies addressed?

Comparing Microsoft mobility management solutions

Now that you’ve defined the mobility management requirements that meet the needs of your organization, you’re ready to compare the requirements and features of Microsoft’s enterprise mobility management services. You’ll cover the main features and capabilities of the Enterprise Mobility Suite, Microsoft Intune, and MDM for Office 365 side by side so that you can easily compare them. However, because these are all cloud-based services and continuously updated, make sure you verify the most current features and capabilities of these services when you’re ready to deploy a service.

Prerequisites

Make sure your organization and infrastructure meet the requirements of each mobility management solution:

Enterprise mobility Suite

The main requirements for EMS depend on the individual requirements for each of the component services. EMS-specific requirements focus only on activation and licensing. The basic steps to activate EMS are as follows:

Sign up for EMS.
Activate a licensing plan.
Activate access.
Assign user licenses.
Deploy Azure AD, Microsoft Intune, Azure RMS, and Advanced Threat Analytics.

Microsoft Intune

Microsoft Intune is a cloud-based service, and there isn’t a requirement to have any on-premises network infrastructure. Microsoft Intune uses the public Internet to communicate directly with devices and cloud-based users. If you do have an on-premises network infrastructure, Microsoft Intune will use your network to communicate with on-premises devices in your subscription. Although you are not required to use a dedicated server, options are available that use on-premises infrastructure components like Microsoft Exchange and Windows Server Active Directory tools. The basic requirements are

Mobile device platforms Versions of Android 4 and later, iOS 7.1 and later, Windows Phone 8 and later
Computer platforms Windows Vista and later versions (excluding Home editions)
Network ports TCP 80 and 443

MDM for Office 365

MDM for Office 365 is simply a set of mobility management capabilities and requires only an Office 365 subscription. MDM for Office 365 requires

An Office 365 commercial subscription (Business, Enterprise, EDU, or Government plan)
Android 4 and later, iOS 7.1 and later, and Windows Phone 8.1 and later mobile devices

Features and capabilities comparison

Because the mobility management features in EMS are provided by Microsoft Intune, you really just need to compare the features and capabilities of Microsoft Intune and MDM for Office 365. The other component services of EMS don’t provide mobility management–specific capabilities, though they do support mobility management–related capabilities.

Because many organizations use the basic mobility management features offered by Exchange ActiveSync, its features are included in Table 1-2 for a fuller comparison of features.

TABLE 1-2 Comparison of mobility management features for Exchange ActiveSync, MDM for Office 365, and Microsoft Intune

Category	Feature	Exchange ActiveSync	MDM for Office 365	Microsoft Intune
Device configurations	Inventory mobile devices that access corporate applications	x	x	x
	Remote factory reset (full device wipe)	x	x	x
	Mobile device configuration settings (PIN length, PIN required, lock time, and similar)	x	x	x
	Self-service password reset	x	x	x
Basic mobile device and app management	Provides reporting on devices that do not meet IT policy		x	x
	Group-based policies and reporting (the ability to use groups for targeted device configuration)		x	x
	Root and jailbreak detection		x	x
	Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)		x	x
	Prevent access to corporate email and documents based upon device enrollment and compliance policies		x	x
Premium mobile device and app management	Self-service company portal for users to enroll their own devices and install corporate apps			x
	App deployment (Android, iOS, Windows Phone, Windows 10)			x
	Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles			x
	Prevent the cut, copy, paste, and save as operations from being used on data from corporate apps to share the data for use with personal apps (mobile application management)			x
	Secure content viewing via managed browser, PDF viewer, Imager viewer, and AV player apps for Intune			x
	Remote device lock via self-service company portal and via admin console			x
PC management	Client PC management (for example, Windows 8.1, inventory, antimalware, patch, policies, and similar)			x
	PC software management			x