2. Per Larsen
Solution Architect | per.larsen@atea.dk | m: +45 3078 1828 | f: +45 7025 2575
Co-Organizer - Everything Windows User Group Denmark | www.ewug.dk
in: http://www.linkedin.com/in/perlarsen1975 | t: @PerLarsen1975
Blog: http://osddeployment.dk
3. Life before cloud:
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter
Life with cloud:
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection
(Diagram labels: On-premises; Storage, corp data; Users)
What is driving change?
4. • Windows 10 and Azure AD join
• Automatic MDM enrollment
• Microsoft Passport for Work
• Deploy MSI to Windows 10 MDM Joined devices
• Device Group Mapping
• Use OMS to view System Update Assessment
Agenda
EMS the next level
5. • Windows Store for Business integrated into Intune
• How to deploy an application from Windows Store for Business with Intune
• Disable the private store with an OMA-URI
Agenda
EMS the next level
6. • Security
• Identity as a service: core architecture
• Conditional Access
• Conditional Access - Challenges from Real Life
• AD Connect new feature – Device Writeback
Agenda
EMS the next level
7. Devices | Windows 10 | Cloud
Azure AD Join and Automatic MDM enrollment
8. • Requirements
• Azure AD Premium
• Settings in Azure AD
• Azure AD maximum number of devices per user = 20
• Intune maximum number of devices per user = 5
Auto MDM enrollment of Windows 10 on Azure AD join
10. • Intune custom OMA-URI settings for Windows 10 devices
• Experience/AllowManualMDMUnenrollment
• How to set up Azure AD Join on a Windows 10 device
• Demo
Auto MDM enrollment of Windows 10 on Azure AD join
11. • What is Microsoft Passport?
• Microsoft Passport is set up on the user's device
• The user sets a gesture, which can be Windows Hello or a PIN
What is two-step verification / Microsoft Passport?
21. Identity as a service: core architecture
(Diagram labels: On-premises and private cloud; Windows Server Active Directory; HR; Other Directories; Sync; Core Identity Management; (Active Directory) Federation Services; Enabling users; Devices; SaaS apps; Custom apps; Other apps; 10,000+ apps)
22. Introducing ‘Conditional Access Control’
Signals feeding the conditional access control decision:
• Application: business sensitivity, other
• Location: inside corp. network, outside corp. network, risk profile
• Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
• User attributes: user identity, group memberships, auth strength (MFA)
• Resources: on-premises applications
24. Intuitive end-user experience
Message shown to the user:
“To access your Contoso e-mail and other company resources, this device needs to be enrolled with Contoso. Part of this process includes installing the Company Portal. Click first link below to begin this process.
Step 1: Enroll your device.
Step 2: Once you’ve enrolled your device, click here to Activate your enrollment.”
25. • Different mobile OS
• Outlook app not working on iOS and Android
• CA for Windows not working with RDS or Citrix
• Apple DEP enrollment not working with CA
Conditional Access - Challenges from Real Life
26. • Requirements
• Azure AD Premium
• How to enable?
• What can we use Device Writeback for?
AD Connect new feature – Device Writeback
This diagram shows the integration with Office 365 to manage access to email.
Users are required to enroll their devices and to be compliant with Intune policies before they get access to email.
Let’s take a closer look at the end-user experience when the device is not enrolled or not compliant. When the user tries to access email from a personal device, access is blocked and the user gets an email explaining why email is not available, along with instructions on what to do to get access. The first step is to enroll the device with Intune. Once the device is enrolled, the Intune Company Portal checks the device for compliance and, if necessary, fixes the issues to make the device compliant. After that, email starts flowing to the device.
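The decision signals from slide 22 and the enrollment flow in the notes above, modelled as an added Python example (not from the deck and not Azure AD’s actual policy engine; the evaluation order, the “Email users” group and the sensitivity labels are assumptions made for illustration):

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "step-up: MFA required"
    REQUIRE_ENROLLMENT = "blocked: enroll the device with Intune"
    REQUIRE_COMPLIANCE = "blocked: fix compliance in the Company Portal"
    BLOCK = "blocked"

@dataclass
class Device:
    authenticated: bool = False  # registered and authenticated in Azure AD
    mdm_managed: bool = False    # enrolled with Intune
    compliant: bool = False      # passes the Intune compliance policy
    lost_or_stolen: bool = False

@dataclass
class User:
    groups: frozenset = frozenset()
    mfa_satisfied: bool = False

@dataclass
class Request:
    app_sensitivity: str         # constructed labels: "high" or "normal"
    inside_corp_network: bool

def evaluate(req, device, user):
    """Apply the slide-22 signals in order: hard stops, device state, step-up MFA, allow."""
    if device.lost_or_stolen or "Email users" not in user.groups:  # hypothetical group
        return Decision.BLOCK
    if not (device.authenticated and device.mdm_managed):
        return Decision.REQUIRE_ENROLLMENT
    if not device.compliant:
        return Decision.REQUIRE_COMPLIANCE
    if req.app_sensitivity == "high" and not req.inside_corp_network and not user.mfa_satisfied:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW

def email_journey():
    """Replay the notes: an unenrolled personal device, then enrolled, then compliant."""
    req = Request(app_sensitivity="high", inside_corp_network=False)
    user = User(groups=frozenset({"Email users"}), mfa_satisfied=True)
    device = Device()
    steps = [evaluate(req, device, user)]
    device.authenticated = device.mdm_managed = True  # user enrolls via Company Portal
    steps.append(evaluate(req, device, user))
    device.compliant = True                           # Company Portal remediates
    steps.append(evaluate(req, device, user))
    return steps
```

Note that a lost or stolen device is refused before any other signal is considered, so no amount of enrollment or MFA reopens access for it.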