Windows 10 Azure AD / EMS Jörgen Nilsson @ccmexec Jorgen.nilsson@onevinn.se Blog: http://ccmexec.com #win10tour
The traditional IT environment is no more. Our users have: more than one device; a large number of identities/accounts; apps and cloud services (OneDrive, Dropbox, iCloud); company information. Everywhere!
Enterprise Mobility Suite
EMS:Microsoft Intune Securing your device Mobile Device Management Mobile Application Management Securing the Device Policies Conditional Access Personal Corporate
EMS:Rights Management Protects your information Encrypts all file types The files can be saved everywhere Central control and logging Support for modern devices Determines user and permission Grant access to anyone
EMS:Azure AD Premium Securing Your Identity Authentication Identity management Application Portal Logging and Reporting Application Proxy Multi-Factor Authentication Azure AD Join Device Registration Self Service
EMS:Azure AD Premium: Security and reports
Windows 10 Identity Choices. On-premises: computer joins AD to establish trust; user signs on using an AD account; managed with Group Policy + System Center. Cloud: computer joins Azure AD to establish trust; user signs on using an Azure AD account; managed with Intune/MDM; settings roaming; single sign-on to enterprise and cloud-based services.
Azure AD join Single sign on to apps protected by Azure AD (Office 365) Synced back on-prem for use in ADFS Conditional access for Office 365 Conditional access for On-premise (ADFS) OS State Roaming Enterprise-ready Windows store Automatic MDM enrollment Self-provisioning of corporate owned devices
Personal vs Corporate devices. Personal Device (MDM): Intune enrollment forces a workplace join in Azure AD; enrolled device = personal device. Corporate Device (Azure AD + MDM): Azure AD join, optional Intune enrollment; enrolled device = corporate device; Global Administrators are made local administrators; additional local administrators can be added.
Demo Azure AD Join
OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS
OUR VISION
Windows 10 Enterprise Data Protection Protects data at rest, and when roaming Platform integrated, no mode switching Corp data identifiable from personal Only IT-Allowed apps see business data IT controls keys, can remote wipe Common experience, x-plat support
Windows 10 Enterprise Data Protection Optional screen lock security policy System tosses decryption key on lock Blocks read when screen is locked Can encrypt new files and data Logon, unlock restores keys and access Helps mitigate system level attacks See session 639 Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft
Business/Personal (figure): One experience; data is isolated; data is encrypted at rest; organization holds keys; data exchange between the two sides is blocked or audited. Business Apps & Data (Managed, MDM managed) vs Personal Apps & Data (Unmanaged); apps shown include Lync, email, OneDrive for Business, PowerPoint, PDF Reader, Contacts, Calendar, Facebook, WhatsApp, OneDrive, Photos, Weather. Office and OneDrive APIs for ISVs.
Windows 10 Management. Group Policies will still work, but MDM policies will have nearly the same capabilities. Features like Enterprise Data Protection and Conditional Access will require either Configuration Manager vNext, Intune, or a 3rd-party MDM solution.
Windows 10 MDM is the new black! Open Mobile Alliance Device Management (OMA DM) Open Mobile Alliance Uniform Resource Identifier (OMA URI) Windows 10 Mobile and Desktop Intune, Configuration Manager and 3rd Party MDM
Custom policy. Policy/Config/AreaName handles the policy configuration request from the server. Policy/Result/AreaName provides a read-only path to the policies enforced on the device. Example: ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring (Integer: 0 = Not allowed; 1 (default) = Allowed). https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962%28v=vs.85%29.aspx
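As an added example (not from the slides), the following Python builds the OMA DM SyncML requests an MDM server would send for the custom policy above and checks that writes only go to the writable Policy/Config path, never the read-only Policy/Result path; the value table and the helper names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

POLICY_ROOT = "./Vendor/MSFT/Policy"

# Allowed values for the policy named on the slide (assumption: further
# policies would be added to this table the same way).
ALLOWED_VALUES = {
    "Defender/AllowRealtimeMonitoring": {0: "Not allowed", 1: "Allowed (default)"},
}

def config_uri(area_policy):
    """Writable node: Policy/Config/<Area>/<Policy>."""
    return f"{POLICY_ROOT}/Config/{area_policy}"

def result_uri(area_policy):
    """Read-only node: Policy/Result/<Area>/<Policy>."""
    return f"{POLICY_ROOT}/Result/{area_policy}"

def build_replace(area_policy, value, cmd_id=1):
    """SyncML <Replace> that sets an integer policy under Policy/Config."""
    if value not in ALLOWED_VALUES.get(area_policy, {}):
        raise ValueError(f"{value!r} is not a valid value for {area_policy}")
    return (
        "<SyncML><SyncBody>"
        f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{config_uri(area_policy)}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">int</Format></Meta>'
        f"<Data>{value}</Data></Item></Replace>"
        "<Final/></SyncBody></SyncML>"
    )

def build_get(area_policy, cmd_id=2):
    """SyncML <Get> that reads the enforced value back from Policy/Result."""
    return (
        "<SyncML><SyncBody>"
        f"<Get><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{result_uri(area_policy)}</LocURI></Target>"
        "</Item></Get><Final/></SyncBody></SyncML>"
    )

def check_request(xml_text):
    """Return (command, LocURI, value) for the first command; reject writes to Result."""
    body = ET.fromstring(xml_text).find("SyncBody")
    for cmd in body:
        if cmd.tag == "Final":
            continue
        item = cmd.find("Item")
        uri = item.findtext("Target/LocURI")
        data = item.findtext("Data")
        if cmd.tag in ("Replace", "Add") and not uri.startswith(f"{POLICY_ROOT}/Config/"):
            raise ValueError(f"{cmd.tag} to read-only or unknown node: {uri}")
        return cmd.tag, uri, None if data is None else int(data)
    raise ValueError("no command in request")
```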
Demo Windows 10 Custom Policy
ConfigMgr vnext On-Premise MDM
Bulk enrollment Provisioning Package Root Certificate Automatic MDM Enrollment Wi-Fi Configuration
Demo Bulk enrollment
Microsoft Edge Modern Browser Modern Standards Always up to date Sandbox Universal app FAST!
Microsoft Edge: Default PDF reader; default browser in Windows 10 (not LTSB); doesn't exist in LTSB; no plug-ins like Java or Silverlight; built-in Flash; a plug-in solution will be developed, like Chrome and Firefox.
Favorites: %Userprofile%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ac\microsoftedge\user\default. Registry key with favorites order: HKEY_Classes_Root\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder
Edge
Compatibility Options: Sends all intranet traffic over to Internet Explorer; allows you to configure the Enterprise Site list; Microsoft provides a list.
Group Policy settings for Microsoft Edge (each applies at Machine/User scope):
Allows you to run scripts like JavaScript: Machine/User
Allows you to let people use autofill on websites: Machine/User
Allows you to let people send Do Not Track headers: Machine/User
Allows you to configure password manager: Machine/User
Allows you to run pop-ups: Machine/User
Stops address bar from showing search suggestions: Machine/User
Allows you to configure SmartScreen: Machine/User
Configure how Microsoft Edge treats cookies: Machine/User
Allows you to configure the Enterprise Site list: Machine/User
Sends all intranet traffic over to Internet Explorer: Machine/User
Future!