13. Unified Enrollment: Access control from mobile apps on iOS/Android
[Diagram, slide 13. Components: Outlook App, Outlook Cloud Service, Azure AD (Device object: device id, isManaged, MDMStatus), Intune, Quarantine Website, Office 365 Email service. Step 1: Enroll device (Workplace Join + management). Numbered flow labels recovered from the figure: 2 Redirect to Intune; 3 Enroll into Intune; 4 Register device in Azure AD; 5 Set device management/compliance status; 6 Access Outlook Cloud service with AAD token; 8 Get EAS service access token for user; 9 Get Corporate email; 10 Email delivered. Arrows 1 and 7 carry no text label in the extraction.]
14. Unified enrollment: Access control to O365 from mobile browser
[Diagram, slide 14. Components: Browser, Azure AD (Device object: Device ID, isManaged, MDMStatus), Intune, Quarantine website, Office 365 Email service. Step 1: Enroll device (Workplace join + management). Numbered flow labels recovered from the figure: 2 Access Exchange Online service through sign-in cookie; 3 Enroll into Intune; 4 Register device in Azure AD; 5 Set device management/compliance status; 8 Documents viewed & downloaded. Unnumbered labels: Redirect to Intune; Site provides cookie to let user sign in. Arrows 1, 6 and 7 carry no text label in the extraction.]
25. Level of access desired by the organization varies across the spectrum

Device type             | Lockdown device                           | Corporate-owned device               | Personal device                | Unknown device
Example                 | Point-of-sale or maintenance tablet or PC | Company provided phone, tablet or PC | Personal phone, tablet or PC   | Kiosk at a hotel
User                    | Task Worker                               | Information Worker                   | Information Worker             | Information Worker
Device management (MDM) | (mark not extracted)                      | (mark not extracted)                 | ×: MDM is not acceptable       | ×: MDM is not possible
32. Managing everything from PCs to mobile devices centrally
• Integrate System Center Configuration Manager with Intune to manage both domain-joined PCs and mobile devices used outside the company from a single console
• Deliver the required apps to specific users who are using the right devices
Information security: encrypt with the Azure Rights Management feature (now Azure Information Protection)
• Transfer everything from the mail body to the attachments securely in one step
33. Configuration Manager integrated with Intune (hybrid) vs. Intune standalone (cloud only)
[Diagram, slide 33. Left panel, Configuration Manager integrated with Intune (hybrid): Mobile devices and PCs; Domain joined PCs; System Center Configuration Manager; IT works from the Configuration Manager console. Right panel, Intune standalone (cloud only): Mobile devices; IT works from the Intune web console.]
39. Unified Enrollment: EAS client with on-premises Exchange Server 2010/2013
[Diagram, slide 39. Components: EAS Client, On Prem Exchange Server 2010/2013, Intune, Azure AD / Azure AD DRS (Device object: device id, isManaged, MDMStatus, EASIDs), Quarantine email. Step 1: Enroll device (Workplace Join + management). Step 2: Register EAS client. Numbered flow labels recovered from the figure: 1 Attempt email connection; 2 Block non Managed devices; 3 If not managed, block device; 5 Register device in Azure AD; 5 Enroll into Intune; 6 Set device management/compliance status; 7 Register EAS email client; 8 Create EASID to device ID binding; 9 Allow Managed device; 10 If managed, email access is granted. Arrow 4 carries no text label in the extraction, and two labels are numbered 5 in the figure.
Who does what? Intune: Evaluate policy, manage device state and mark device record in AAD. Exchange Server: Provides API and infrastructure for quarantine.]
Single sign-on to 1000s of cloud and on-premises applications. Identity protection with notifications, analysis, recommended remediation, and risk-based conditional access.
Identify suspicious activities and advanced attacks that target your on-premises platform. Quickly focus on what is most important with clear, actionable reporting.
Leverage mobile device management and mobile app management to protect corporate apps and data on almost any device.
Encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs.
MDM is great for some really critical scenarios, including primary work devices, but by itself is not enough to cover all of the work scenarios in the modern world.
This really illustrates how employees using personal devices to do “some” work are just not going to accept the level of control and intrusion that the MDM model allows for. And governments are starting to back them up.
[DESIGN NOTES] More focus on the bug; need to indicate the device is compromised more prominently.
On the very last build, the malicious app should be removed (since the user clicked “Uninstall”).
The Office 365, Lookout, and Windows Intune labels should all be about the same size, and should blend with the cloud. I’m seeing the outline of the text boxes.
Change “Everything is OK” to “Threat Remediated”.