If Disaster Strikes…It’s Already Too Late
Microsoft Security as a Service – An Overview
In essence, security is the often overlooked side of IT that ends up costing more than we can afford.
With Microsoft, you can rest easy knowing that your environment, should you choose, is watertight. Security as a Service, or SECaaS, is something that every single organisation should be looking at, regardless of size, complexity or vertical. Security affects everyone, not just IT shops, ISPs and Telcos, and it will affect you and your organisation today if it’s left alone!
Most companies don’t know they’ve been “hacked” for about 200 days after the attack!
“One reason these attackers can do so much damage is that the average time between a malware infection and discovery of the attack is more than 200 days, a gap that has barely narrowed in recent years.” – https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
What is Security as a Service (SECaaS)?
- Security as a Service (SECaaS) is a cloud computing model that delivers managed security services over the internet. SECaaS is based on the Software as a Service (SaaS) model but limited to specialised information security services.
- A business model in which a service provider integrates its security services into a corporate infrastructure on a subscription basis.
- Security services include authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management, amongst many others.
- The cloud environment provides various protection services, i.e. to protect an individual computer or an organisational network.
- The various applications and/or products that providers offer fall under the banner of SECaaS.
Prevent identity compromise
Help protect against compromise while uncovering potential breaches.
Secure apps and data
Boost productivity with cloud access while helping keep information protected.
Expand device controls
Deliver enhanced security across both company and personal devices.
Enforce policies that help keep cloud resources and hybrid environments safe.
Microsoft builds security into their products and services from the start. That’s how Microsoft can deliver a comprehensive, agile platform to better protect your endpoints, move faster to detect threats, and respond to security breaches across even the largest of organizations.
Out of the entire cloud security stack, the most often overlooked aspect of how access is granted and used is through mobile devices (laptops, tablets, phablets and mobile phones), so we’re going to take an in-depth look into Microsoft Enterprise Mobility + Security, and specifically Microsoft Intune, dealing with Mobile Device Management (MDM) and how your security is bound to be compromised by a lack of secure MDM policies.
Microsoft Intune & Microsoft Enterprise Mobility + Security
- What is Microsoft Intune?
- How Does Intune Work?
- Intune FAQ
- What is Enterprise Mobility + Security?
- EMS FAQ
Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can:
- Manage the mobile devices your workforce uses to access company data.
- Manage the mobile apps your workforce uses.
- Protect your company information by helping to control the way your workforce accesses and shares it.
- Ensure devices and apps are compliant with company security requirements.
Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control, and Azure Information Protection for data protection.
Together, Office 365 and EMS enable your workforce to be productive on all of their devices while keeping your organization’s information protected. Office 365 with EMS is a complete, integrated suite for enterprise mobility inclusive of productivity, identity, access control, management, and data protection. It gives you an effective way to deploy and operate a mobility solution in your organization.
Manage all the devices in your mobile ecosystem
With support for iOS, Android, Windows, Windows Mobile and Mac OS X devices, Intune allows you to manage your diverse mobile environment in a secure and unified way.
Utilize Mobile Application Management (MAM) without requiring the device to be enrolled for management. This is particularly important for scenarios where IT wants to keep corporate data safe without managing a user’s device.
No infrastructure required
Eliminate the need to plan, purchase, and maintain hardware and infrastructure by managing mobile devices from the cloud with Intune.
Spend less time counting devices with per-user licensing for Intune. Intune is also included as part of Enterprise Mobility + Security, the most cost-effective way to acquire Intune, Azure Active Directory Premium, and Azure Rights Management.
Unparalleled management of Office mobile apps
Maximize mobile productivity for your employees with access to corporate resources on Office mobile apps they know and love. Keep your corporate data safe by preventing leakage of company data, all without intruding on users’ personal devices.
Secure corporate data, including Exchange email, Outlook email, and OneDrive for Business documents, based on the enrollment status of the device and the compliance policies set by the administrator.
Extend your existing System Center Configuration Manager infrastructure through integration with Intune to provide a consistent management experience across devices on-premises and in the cloud.
Global presence with 24/7 support
Get answers to your questions with Microsoft support available online and by phone worldwide – included with every Intune subscription.
How Does Intune Work?
Intune provides mobile device management (MDM) and mobile app management (MAM). Intune’s MDM and MAM features then contribute to the EMS suite of data protection and compliance scenarios.
How you’ll use the MDM/MAM features of Intune and EMS data protection depends on the business problem you’re trying to solve.
- You’ll make strong use of MDM if you’re creating a pool of single-use devices to be shared by shift workers in a retail store.
- You’ll lean on MAM and data protection if you allow your workforce to use their personal devices to access corporate data (BYOD).
- If you are issuing corporate phones to information workers, you’ll rely heavily on all of the technologies.
Intune Mobile Device Management (MDM) Explained
MDM works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:
- Enrolling devices into management so IT has an inventory of devices that are accessing corporate services
- Configuring devices to ensure they meet company security and health standards
- Providing certificates and Wi-Fi/VPN profiles to access corporate services
- Reporting on and measuring device compliance to corporate standards
- Removing corporate data from managed devices
Sometimes, people think that access control to corporate data is an MDM feature. We don’t think of it that way because it isn’t something that the mobile operating system provides. Rather, it’s something the identity provider delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft’s identity and access management system.
Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a mobile device to be compliant with corporate standards as defined in Intune before the device can access a corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps. For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.
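The compliant-device and approved-app requirement described above, expressed as an Azure AD Conditional Access policy. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post: the break-glass group ID is a placeholder, the Exchange Online app ID is the well-known service principal ID, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: require an Intune-compliant device OR an approved client app
# (e.g. Outlook) for Exchange Online on iOS/Android mobile clients.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) group that is
# excluded so a misconfigured policy cannot lock administrators out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known appId of the Office 365 Exchange Online service principal.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Mobile: require compliant device or approved app for Exchange Online"
    # Report-only first: the policy is evaluated and logged but blocks nobody.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($exchangeOnlineAppId)
        }
        platforms = @{
            includePlatforms = @("iOS", "android")
        }
        # Mobile/desktop clients only; browser access is left to a separate policy.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: either the device is marked compliant by Intune, or the request
        # comes from an approved client app. Neither satisfied means no access.
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Once the report-only sign-in results look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Review the report-only results in the Azure AD sign-in logs for users who would have been blocked (typically unenrolled devices or non-Outlook mail clients) before enabling enforcement.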
Intune Mobile App Management (MAM) Explained
When we talk about MAM, we are talking about the set of things our solutions enable IT Pros to do with mobile apps, such as:
- Publishing mobile apps to employees
- Configuring apps
- Controlling how corporate data is used and shared in mobile apps
- Removing corporate data from mobile apps
- Updating mobile apps
- Reporting on mobile app inventory
- Tracking mobile app usage
We have seen the term MAM used to mean any one of those things individually or to mean specific combinations. In particular, it’s common for folks to conflate the concept of app configuration (that is, using technologies like managed app configuration on iOS) with the concept of securing corporate data within mobile apps. That’s because some mobile apps expose settings that allow their data security features to be configured.
That, in combination with operating system features for protecting data (for example, MDM features such as Windows Information Protection on Windows 10), gives a lot of protection to data on mobile devices.
When you use Intune with the other services in EMS, you can provide your organization mobile app security over and above what is provided by the mobile operating system and the mobile apps themselves through app configuration. An app that is managed with EMS has access to a broader set of mobile app and data protections that includes:
- Single sign-on
- Multi-factor authentication
- App conditional access (allow access if the mobile app contains corporate data)
- Isolating corporate data from personal data inside the same app
- App protection policy (PIN, encryption, save-as, clipboard, etc.)
- Corporate data wipe from a mobile app
- Rights management support
Intune Mobile App Security
Providing app security is a part of MAM, and in Intune, when we talk about mobile app security, we mean:
- Keeping personal information isolated from corporate IT awareness
- Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
- Removing corporate data from mobile apps, also known as selective wipe or corporate wipe
One way that Intune provides mobile app security is through its app protection policy feature. App protection policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using a corporate credential will be given additional corporate protections.
When a user logs on to her device with her corporate credentials, her corporate identity allows her access to data that is denied to her personal identity. As that corporate data is used, Intune, along with other EMS technologies, controls how it is saved and shared. Those same protections are not applied to data that is accessed when the user logs on to her device with her personal identity. In this way, IT has control of corporate data while the end user maintains control and privacy over personal data.
EMM With and Without Device Enrolment
Most enterprise mobility management solutions support basic mobile device and mobile app technologies. These are usually tied to the device being enrolled in your organization’s MDM solution. Intune supports these scenarios and additionally supports many “without enrolment” scenarios.
Organizations differ to the extent they will adopt “without enrolment” scenarios. Some organizations standardize on it. Some allow it for companion devices such as a personal tablet. Others don’t support it at all. Even in this last case, where an organization requires all employee devices to be enrolled in MDM, these organizations typically support “without enrolment” scenarios for contractors, vendors, and for other devices that have a specific exemption.
You can even use Intune’s “without-enrolment” technology on enrolled devices. For example, a device enrolled in MDM may have open-in protections provided by the mobile operating system. (Open-in protection is an iOS feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless both apps are managed by the MDM provider.) In addition, IT may apply the app protection policy to EMS-managed mobile apps to control save-as or to provide multi-factor authentication.
Whatever your organization’s position on enrolled and unenrolled mobile devices and apps, Intune, as a part of EMS, has tools that will help increase your workforce productivity while protecting your corporate data.
Common business problems that Intune helps solve
The following list of business problems links to more detailed information about the solutions we can provide. Only the last item requires MDM enrolment as part of the solution:
- Protect your on-premises email and data so that it can be accessed by mobile devices
- Protect your Office 365 mail and data so that it can be safely accessed by mobile devices
- Issue corporate-owned phones to your workforce
- Offer a bring-your-own-device (BYOD) or personal device program to all employees
- Enable your employees to securely access Office 365 from an unmanaged public kiosk
- Issue limited-use shared tablets to your task workers
- Read about some of the common ways to use Intune.
- Get familiar with the product with a 30-day trial of Intune.
Dive into the technical requirements and capabilities of Intune.
Microsoft Intune Document Repository
This TechNet Wiki article lists frequently asked questions about Microsoft Intune. There is also an ever-growing list of Intune resources in the Microsoft Intune Survival Guide.
- How can I know when the Microsoft Intune service has been updated?
- Log on to your account at manage.microsoft.com. In Administration Overview select View Service Status. The location of your tenant and the maintenance schedule are listed there. For details of the service updates see Windows Intune Service Updates on TechNet.
- If a user renames a device within the Company Portal app will that name change in Intune or Configuration Manager?
- No, that name change is only for the user’s convenience.
- Is there a remote assistance functionality in Intune for mobile devices?
- No, there isn’t. Third-party apps such as Lumia Beamer, Bomgar, and TeamViewer could be helpful.
- If I start evaluating Intune and create a new tenant for the trial, can I add O365 to the evaluation using the same tenant?
- Yes. Just sign in using a global admin from your existing Intune tenant/subscription –
- If I assign MDM authority to Intune during a trial subscription, does that make it difficult to switch to another company’s service if I change my mind about Intune?
- Though it’s difficult to imagine you not sticking with Intune, the MDM authority choice does not affect your ability to move to another service. It’s specifically about choosing Intune or Intune + Configuration Manager for MDM.
- Can I use my existing Office 365 domain name for my subsequent Windows Intune account?
- Yes, if you sign in with the organizational ID associated with your existing O365 tenant and verified domain when you either create your Intune trial or activate your licenses. Intune will then use the same domain/users/etc. as in your O365 account. Note that each O365 user would have to be enabled as an Intune user, using an Intune license. This would have to be done by the global administrator who manages the tenant.
- Where can my end users learn how to enroll their devices?
- You can provide that information to your end users using information from the Microsoft Intune Enrolment Instructions.
Mobile Device Management (MDM)
- Can Intune detect whether a device is jailbroken?
- Yes, for some operating systems. For information on how to manage jailbroken devices, see Manage device compliance policies on TechNet.
- Can I selectively wipe corporate data from a device?
- Yes. For information about selective wipe see Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune.
- Is there a way to block certain websites on the mobile device browser through Windows Intune?
- Not on the native browser of any platform. However, you can control the URL whitelist and blacklist policies on the managed web browser on iOS and Android devices. For more information see Manage Internet access using managed browser policies with Microsoft Intune.
- Can we restrict a user from uninstalling an app?
- Generally, no. However, on a supervised iOS device you can prevent a user from uninstalling an app that was distributed using the Apple Configurator. For information about using supervised mode in Microsoft Intune, see Manage devices using configuration policies with Microsoft Intune.
- Is there a way to manage mobile data usage?
- Not directly, but you can ensure that WiFi is the preferred method for connecting by pushing WiFi profiles to the devices, as described in this TechNet article. Also, some platforms (for example, iOS and Android KNOX) enable the ability to control settings such as voice and data roaming.
- Is there a way to prevent a user from unenrolling a device? What if it’s a company-owned device?
- In general, no. However, using custom Windows Phone settings, you can enforce this on Windows Phone 8.1. Also, for iOS devices that are supervised and enrolled in Apple’s Device Enrollment Program (DEP), it is possible to prevent a user from unenrolling a device.
- Can I switch my chosen MDM authority?
- You can switch from Intune to Configuration Manager, from Intune to O365, and from O365 to Intune. To do so, make a request to Microsoft Support. You cannot change the MDM authority from Configuration Manager to Intune.
More Windows Phone Q&As can be found on TechNet.
- Can I sideload a Windows Store app?
- Publicly available apps cannot be sideloaded. Even though you are able to download the XAP, you cannot upload it to Intune because it is a public XAP, encrypted and signed with the developer’s code-signing certificate. Only apps you develop and sign with your own code-signing certificate can be sideloaded.
- Do Windows Phone Store apps distributed through the Company Portal require that the end user have a Microsoft Account?
- Yes, the end user will not be able to obtain the apps without a Microsoft Account. The exception is sideloaded, private LOB apps, which can be deployed to a device without a Microsoft Account.
- Is a Microsoft Account needed on a Windows Phone 8.1 in order for it to be managed by Intune?
- No. However, it will be needed to install most apps from the public store.
- How long does it take to encrypt an Android device?
- This depends primarily on the speed of the device’s processor and the amount of total and used memory, and is not a function of Intune.
- When deploying iOS apps via Windows Intune, if the application’s IPA and Manifest file have been uploaded; does the device need an AppleID specified to continue installing?
- No. When Intune is providing the bits (IPA uploaded to Intune), the applications are sideloaded and don’t require an Apple ID.
- Is there a way to enable the installation of applications on iOS without allowing access to the Apple Store?
- No, but you can enable the App Store and use blacklisting/whitelisting of apps on iOS to keep an eye on what users are doing. Sideloaded LOB apps don’t require access to the Apple App Store.
- Do Apple Store apps distributed through the Company Portal require that the end user have an iTunes account?
- Yes, the end user will not be able to obtain the apps without an iTunes account.
- How can I add a recommended app?
- In Microsoft Intune, these are called “featured apps” and are documented in Deploy software to mobile devices in Microsoft Intune.
- Can I get additional cloud storage for apps I want to deploy?
- Yes. You can read about this in Get started with app deployment in Microsoft Intune on TechNet, in the section Cloud storage requirements.
- Can BitLocker be enforced by Intune?
- The OMA-DM agent in Windows 8.1/RT allows you to read (get) the encryption status. You cannot set it. This is true for Microsoft Intune and for other mobile device management services.
- If I encrypt a Windows 8 tablet using BitLocker, may I enforce full device wipe if a user consecutively fails logon several times?
- There is no option for full wipe on Windows 8.1/RT devices for any mobile device management service, including Intune. Intune provides selective wipe for those devices. For more information on wipe/selective wipe in Intune, see http://technet.microsoft.com/en-us/library/jj676679.aspx.
- Can I customize my Company Portal?
- Yes. In the Intune admin console, go to Admin > Company Portal for those settings.
- How can I troubleshoot mobile device enrollment?
- Information for admins to provide to their end users about troubleshooting enrollment is available here.
Microsoft Intune with Configuration Manager 2012
- Can I do a selective wipe on devices?
- If you are using Configuration Manager 2012 R2 or later with Intune, you can do a selective wipe that removes company data. For more information see How to remote wipe mobile devices using Configuration Manager with Microsoft Intune.
- If I’m using Configuration Manager together with Intune, can I still use the Intune Admin Portal?
- You can, but only PCs with the Intune agent installed will be manageable from that portal. There is also some other useful information in the portal regarding alerts about the service, service status, etc. but any device management settings there won’t apply to enrolled devices.
- Is it possible to change the MDM authority from Configuration Manager to Intune and from Intune to Configuration Manager? How?
- You can change it from Intune to SCCM by making a request to Microsoft Support. You cannot change it from Configuration Manager to Intune.
Holistic, identity-driven protection
Help guard your data from attacks on multiple levels using innovative, identity-driven security techniques.
Productivity without compromise
Preserve the mobile and desktop experiences your workers need to stay working with familiar apps and tools.
Flexible, comprehensive solutions
Do more with less—protect users, devices, apps, and data with intuitive mobile management on a future-ready platform.
Who Uses Microsoft EMS?
The person who uses Microsoft EMS most frequently will be your “IT Guy”; the person in charge of setting up network security, employee devices, employee permissions, etc. Alternatively, EMS can be configured by a Microsoft Partner.
Every person in your organization is a Microsoft EMS “user”, but they should never know what it’s doing – it just works.
Control identity + access in the cloud
Centrally manage single sign-on across devices, your datacenter, and the cloud.
Get identity-driven security
Comprehensive, intelligent protection against today’s advanced attacks.
Manage mobile devices + apps
Securely manage apps and data on iOS, Android, and Windows from one place.
Do you have Office 365?
Expand your Office 365 management and security capabilities with Enterprise Mobility + Security. Read the at-a-glance
Microsoft provides global pre-sales, billing, subscription, and technical support for Enterprise Mobility + Security (EMS). Administrators can request support through the Office 365 portal or by contacting Office 365 Support.
Answers to common EMS support questions
Q: Do I need to purchase an Azure support plan to submit an Enterprise Mobility + Security support request?
A: Support is included with Enterprise Mobility + Security. You can submit support requests for Azure Active Directory Premium, Azure Information Protection, and Microsoft Intune through the Office 365 portal. The Office 365 portal provides the intended support experience for EMS, but you can also submit Azure Active Directory Premium and Azure Information Protection support requests through the Azure portal without purchasing a support plan by choosing a Subscription with technical support included.
Q: How do I get Intune support?
A: Enterprise Mobility + Security customers can submit support requests for Intune using the Office 365 portal. Learn more about Intune support options.
Q: I am not able to submit a support request through the Office 365 portal. Is there a phone number to call for support?
A: Go to Office 365 Support to find the support phone number for your region.
Q: How do I get support with Volume Licensing, Volume Licensing Online Service Activation, or if I need to have the activation email resent?
A: Contact Microsoft Volume Licensing Support for support with these issues.
Q: If I purchased my Enterprise Mobility + Security licenses through a Microsoft partner, should I contact them for support?
A: Yes, your Microsoft partner should be able to provide you with support directly. Contact your Microsoft partner first to understand the level of support they can provide.
Q: I previously owned Intune but renewed my Enterprise Agreement with Enterprise Mobility + Security licenses. How do I handle license management?
A: Go to the Azure portal for license assignment. Please follow the instructions in your welcome email to manage your new Enterprise Mobility + Security licenses.
Q: I previously had an Office 365 subscription but renewed my subscription through Enterprise Cloud Suite (ECS), which includes Office 365 and Enterprise Mobility + Security. How do I handle license management?
A: Go to the Azure portal for license assignment. Please follow the instructions in your welcome email to manage your new Enterprise Mobility + Security licenses.
Additional help for other questions