Post on 21-Dec-2015
Securing Mobile Device Access to Corporate Resources with Intune
Dilip RadhakrishnanPrincipal Program Manager, Microsoft Intune
EM-B320
Agenda
• Enterprise Mobility Strategy Overview
• Conditional access to Email and Collaboration services
• Secure resource access
• Deep dive on Certificate management, VPN and Wi-Fi
• New Security Policies
• Selective wipe
Mobile device and app management evolution
PC security
• Data protection through device lockdown (Group Policy, app mgmt., OSD, compliance)
• Hardening devices against attack (patch, anti-malware, etc.)
Early mobile security
• Device policies tied to the mailbox
• PIN
• Encryption
• Device restrictions
• Full wipe of device
MDM – Mobile Device Management
• Granular device policy controls
• Provision access to corp resources (Email, VPN etc.)
• Selective wipe
MAM – Mobile application management
• Corporate data containerization
• Per application policy restrictions
• Compliance based access control to corporate resources
Enterprise Mobility Vision
• Protect your data
• Enable your users
• Unify your environment (devices, apps, data)
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.
Enterprise Mobility Platform
Microsoft differentiation:
• Managed mobile productivity
• Layered protection
• Hybrid solutions
Diagram labels: Azure Active Directory, Enterprise Mobility Suite, Office 365, Dynamics, Workday.
Mobile Data Protection approach
Protect corporate data cached ‘on the device’
• Emails, Attachments
• Cached documents
• Apps syncing corp data
• Apps sharing corp data
Protect corporate data accessed ‘from the device’
• Email & collab services
• Network services – VPN, Wi-Fi
• Intranet sites
• On Prem File Shares
Diagram: BYOD and corp-owned mobile devices reach cloud based email/collab services directly, and on-premises SharePoint and file servers through remote access services (VPN, App Proxy etc.) in the DMZ.
MDM Lifecycle Concepts
Enrollment – enroll in MDM to get access to corporate resources. Key features:
• Block email/SharePoint etc. until enrolled
• Customizable Terms & Conditions
• Simple end user experience
Initial Provisioning – quick access to corporate resources. Key features:
• Security policy settings
• VPN, Wi-Fi, Certificates
• Mandatory app installs
• App restriction policies
Ongoing management – device and app level policies. Key features:
• Block access if IT policies are violated (e.g. jailbreak)
• Enforce data leak prevention
• Self service portal for user initiated app installs/help desk operations
Retire – disconnect from company resources, lost/stolen device etc. Key concept:
• Selective wipe
Conditional access to email and collaboration services
Features
• Block access to O365 services like email if the device is not compliant with IT policies
• Simple end user experience for remediating the non-compliance status
Demo – Conditional Resource access (Dilip Radhakrishnan)
Solution architecture – Secure email in O365
Components: EAS client, Office 365 EAS service (Exchange Online), Azure AD, Intune.
1. The EAS client attempts an email connection.
2. Exchange Online asks Azure AD whether the device is managed and compliant.
3. Azure AD returns the device state.
4. If not compliant, the device is pushed into quarantine.
5. The user receives a quarantine email with remediation steps (link to enroll the device / compliance remediation steps).
6. After enrollment or compliance remediation, Intune sets the device management/compliance status (in Azure AD).
7. If compliant, email access is granted.
Who does what?
Intune: evaluates policy compliance for the device.
Azure AD: authenticates the user, provides the device compliance status.
Exchange Online: enforces access to email based on device state.
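The seven-step flow above, modelled as three cooperating decision functions. This is an added example and not Intune, Azure AD or Exchange Online code: the compliance rules, the `Device` record, the violation names and the remediation text are assumptions chosen to make the division of responsibilities concrete.

```python
"""Conditional access decision, modelled on the seven-step Exchange Online
flow. Added illustration, not Microsoft code: the compliance rules, the
Device record and the field names are assumptions for this example."""
from __future__ import annotations
from dataclasses import dataclass

MAX_CHECKIN_AGE_DAYS = 7  # assumed policy: a device must check in weekly


@dataclass
class Device:
    device_id: str
    enrolled: bool               # managed by Intune (MDM enrolled)
    jailbroken: bool = False
    pin_set: bool = True
    encrypted: bool = True
    last_checkin_days: int = 0


# Text the user sees in the quarantine mail for each violation (assumed wording).
REMEDIATION = {
    "not-enrolled": "Enroll the device in Intune via the link in this mail",
    "jailbroken": "Restore the device to a supported OS build",
    "no-pin": "Set a device PIN/passcode",
    "not-encrypted": "Turn on device encryption",
    "stale-checkin": "Open the self service portal so the device checks in",
}


def intune_evaluate(device: Device) -> list[str]:
    """Intune's role: evaluate the device against policy; empty == compliant."""
    violations = []
    if device.jailbroken:
        violations.append("jailbroken")
    if not device.pin_set:
        violations.append("no-pin")
    if not device.encrypted:
        violations.append("not-encrypted")
    if device.last_checkin_days > MAX_CHECKIN_AGE_DAYS:
        violations.append("stale-checkin")
    return violations


def azure_ad_device_state(device: Device) -> dict:
    """Azure AD's role (steps 2-3): answer 'managed and compliant?' using the
    status Intune set for the device (step 6)."""
    if not device.enrolled:
        return {"managed": False, "compliant": False, "violations": ["not-enrolled"]}
    violations = intune_evaluate(device)
    return {"managed": True, "compliant": not violations, "violations": violations}


def exchange_online_decide(device: Device) -> dict:
    """Exchange Online's role (steps 4, 5, 7): allow the EAS connection, or
    quarantine it and tell the user how to remediate."""
    state = azure_ad_device_state(device)
    if state["compliant"]:
        return {"action": "allow", "remediation": []}
    return {"action": "quarantine",
            "remediation": [REMEDIATION[v] for v in state["violations"]]}


if __name__ == "__main__":
    # Constructed sample devices, not real inventory data.
    for d in (Device("ipad-01", enrolled=True),
              Device("phone-02", enrolled=False),
              Device("phone-03", enrolled=True, jailbroken=True, pin_set=False)):
        print(d.device_id, exchange_online_decide(d))
```

The enforcement point (Exchange Online) never evaluates policy itself; it only acts on the state Azure AD reports, which is why the quarantine mail can carry the exact remediation steps without Exchange knowing anything about jailbreak detection or PIN rules.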
Secure resource access
Resource Access Configuration
Platforms: Windows 8.1, Windows 8.1 RT, iOS, Android, Windows Phone 8.1, Samsung KNOX Standard
Benefits: end users get access to company resources with no manual steps for them.
Features*
• Configure VPN profiles
• Support for Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates
* Varies based on device platform
Certificate Management
Challenges
Password based authentication is vulnerable, but the alternative, certificate based authentication, is complex:
• How do I issue certificates to mobile devices that are not on my trusted network?
• How do I manage the lifecycle of certificates?
• How do I secure my network resources like Email, VPN, Wi-Fi etc. with certificates?
Certificate management lifecycle
• Issue/Enroll certificates
• Manage certificates
• Automated renewal
• Certificate revocation
Issuing certificates
Approaches
• Simple Certificate Enrollment Protocol (SCEP)
• Generate and deploy PFX (Personal Information Exchange) files
Choice depends on:
• Security requirements, especially: where is the private key generated and stored?
• What are the deployment requirements/constraints?
SCEP solution
PFX approach – the MDM server generates the private key and certificate and deploys both to the mobile device.
SCEP approach – the mobile device generates the private/public key pair.
• Unlike the PFX method, the private key never leaves the device.
• A unique key and certificate on every device allows certificate revocation for just a specific device.
• Is not useful for S/MIME encryption scenarios (every device would hold a different decryption key, so mail encrypted to one certificate cannot be read on the others).
Challenges and Solutions
Challenge: SCEP is an old protocol designed for use in closed networks. CERT warns that SCEP does not strongly authenticate requests.
Solution: Intune's integration with the Microsoft NDES (Network Device Enrollment Service) policy module offers higher security and integrity of issued certificates.
Challenge: Security concerns with exposing a Microsoft NDES deployment to devices outside the trusted network.
Solution: Publish it through Microsoft Web Application Proxy.
Certificate Deployment with Intune
Components (diagram): Intune (and Azure AD) in the cloud; in the DMZ, the ADFS Proxy and a reverse proxy in front of NDES; on the internal network, ConfigMgr 2012 R2, ADFS, the CA, NDES, DirSync and a DC.
1. Deploy the root CA certificate to the device.
2. Deploy a SCEP certificate profile (with a challenge based on user/type of cert).
3. The device receives the SCEP profile, which contains the URI for NDES.
4. The device contacts NDES and presents the challenge.
5. NDES contacts the CRP (Certificate Registration Point) and validates the challenge.
6. If valid, NDES passes on the request to issue the certificate "on behalf" of the device.
7. The certificate is delivered to the device and the event is reported back to Intune.
Blog: Protecting NDES with WAP by Pieter Wigleven
Coming soon: Whitepaper on NDES deployment best practices
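What the challenge in steps 2, 4 and 5 buys over a plain SCEP enrollment password, as an added example rather than Microsoft's policy-module code. Assumptions: the CRP and Intune share an HMAC key (the real deployment uses certificates), the challenge is a signed JSON blob, and the CSR is represented as a dict with `subject` and `template` fields. The checks are the ones that make the challenge stronger than a shared password: it is bound to one subject and one certificate template, it expires, and it can be redeemed only once.

```python
"""Challenge-bound issuance as in the NDES flow (steps 2, 4, 5). Added
example, not the Intune NDES policy module: challenge encoding, shared HMAC
key and CSR dict layout are assumptions for illustration."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time


class CertificateRegistrationPoint:
    def __init__(self, secret: bytes):
        self._secret = secret          # assumed shared key; a real CRP uses certificates
        self._used: set[str] = set()   # tags of challenges already redeemed

    def issue_challenge(self, *, device_id: str, user: str, template: str,
                        subject: str, ttl_s: int = 3600,
                        now: float | None = None) -> str:
        """Step 2: mint a challenge for exactly one device/user/cert type."""
        now = time.time() if now is None else now
        body = {"device_id": device_id, "user": user, "template": template,
                "subject": subject, "exp": int(now + ttl_s)}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._secret, raw, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(raw) + b"." +
                base64.urlsafe_b64encode(tag)).decode()

    def validate(self, challenge: str, csr: dict,
                 now: float | None = None) -> tuple[bool, str]:
        """Step 5: NDES hands challenge + CSR to the CRP. Only a CSR matching
        the challenge, before expiry, and only once, may be issued."""
        now = time.time() if now is None else now
        try:
            raw_b64, tag_b64 = challenge.split(".")
            raw = base64.urlsafe_b64decode(raw_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self._secret, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-signature"      # forged or tampered challenge
        body = json.loads(raw)
        if now > body["exp"]:
            return False, "expired"
        if csr.get("subject") != body["subject"]:
            return False, "subject-mismatch"   # alice's challenge cannot get bob a cert
        if csr.get("template") != body["template"]:
            return False, "template-mismatch"  # no upgrading a Wi-Fi cert to another template
        if tag_b64 in self._used:
            return False, "replayed"           # a captured challenge is worthless after use
        self._used.add(tag_b64)
        return True, "ok"


if __name__ == "__main__":
    crp = CertificateRegistrationPoint(b"constructed-example-secret")
    ch = crp.issue_challenge(device_id="ipad-01", user="alice",
                             template="WiFiUser", subject="CN=alice")
    print(crp.validate(ch, {"subject": "CN=alice", "template": "WiFiUser"}))
    print(crp.validate(ch, {"subject": "CN=alice", "template": "WiFiUser"}))  # second use
```

A static SCEP challenge password fails every one of these checks: anyone who learns it can request any subject, with any template, as many times as they like, which is exactly the CERT concern the slide cites.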
Manage, Renew and Revoke certificates
Manage: Intune provides rich certificate compliance reporting.
Renew certificate: automated renewal prior to certificate expiry; the admin can specify the number of days before expiry at which renewal starts.
Revoke certificate: if a device is lost, stolen or repurposed, initiate a device retire operation. Selective wipe triggers device clean up and also automatically revokes any certificates issued to that device.
Demo – Certificate ManagementDilip Radhakrishnan
Email profile management
• Automate configuration of email account settings
• Secure access to email by requiring certificate based authentication
• Enable selective wipe of corporate email
Email profiles FAQs
What happens if an email account already exists on the device?
On iOS the profile is rejected with an error: iOS fails if hostname + username + email address all match the existing account.
Solutions: use the Conditional access feature to block access to email until the manually created account is removed by the user, so the MDM email profile can take its place; set up certificate based authentication for email access. A whitepaper covers this (linked from the original deck).
Can I change an existing profile? Yes, unless you modify the key values (which results in a new profile being pushed).
On an iOS device the email profile key is: HostName + EmailAddress. On a Windows Phone device the email profile key is: AccountName + EmailAddress.
What versions of Exchange are supported? Any version that supports Exchange ActiveSync (Exchange 2007, 2010, 2013, Exchange Online).
VPN Profile Management
Features
• Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
• Support for VPN standards: PPTP, L2TP, IKEv2 (PPTP is listed for compatibility only; its MS-CHAPv2 authentication is cryptographically broken, so prefer IKEv2 or an SSL VPN for new deployments)
• Automatic VPN connection: application ID based initiation support for Windows 8.1 and Windows Phone 8.1
Per App VPN (iOS 7+)
Create a secure connection between your line of business or productivity applications and the corporate network.
Concepts
Traditional VPN: the VPN tunnel is established at the device level.
• Introduces the risk of providing corporate access to unauthorized apps
• Depending on the VPN infrastructure, can impact the end user's internet access speeds
• Privacy issue associated with routing the user's personal traffic to corporate servers
Per App VPN: on demand VPN connection for corporate apps only; routes only a specific app's data to the corporate VPN.
Wi-Fi Profiles
• Manage Wi-Fi protocol and authentication settings: WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise
• Provision Wi-Fi networks that the device can auto connect to
• Specify the certificate to be used for the Wi-Fi connection
Enterprise (802.1X/EAP) connection flow:
1. User attempts to connect to the Wi-Fi endpoint.
2. Server presents its identity certificate.
3. User trusts this certificate. This is the step a rogue access point exploits by presenting its own certificate, so the trusted server certificate should be fixed by the profile rather than left to the user to accept.
4. Server establishes the TLS tunnel and asks for user credentials.
5. User provides credentials (username/password or certificate) and connects.
EAP-TLS – authenticate with a certificate. EAP-TTLS – authenticate with user name/password through PAP, CHAP or MSCHAP v2 inside the tunnel. PEAP – authentication determined by the Wi-Fi infrastructure, either password or certificate based.
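A pre-deployment check over Wi-Fi profiles of the kinds listed above, as an added example and not Intune code. The profile dict keys (`security`, `eap`, `inner`, `server_cert_trusted`, `client_cert_profile`) and the severity labels are assumptions. The checks follow from the EAP exchange described in the flow: the client must trust the specific server certificate before it hands over credentials, EAP-TLS needs a client certificate to present, and a password-based inner method is only as safe as that server check.

```python
"""Lint for Wi-Fi profiles (WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise with
EAP-TLS, EAP-TTLS or PEAP). Added example, not Intune code; the dict keys
and severities are assumptions for illustration."""
from __future__ import annotations

TTLS_INNER = {"PAP", "CHAP", "MSCHAPv2"}      # inner methods the slide lists for EAP-TTLS
PEAP_INNER = {"MSCHAPv2", "EAP-TLS"}          # password or certificate based, per the slide


def lint_wifi_profile(p: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one profile; empty == clean."""
    findings: list[tuple[str, str]] = []
    sec = p.get("security")
    if sec == "WEP":
        findings.append(("error", "WEP offers no real confidentiality; replace with WPA2"))
    elif sec == "WPA/WPA2 Personal":
        findings.append(("warn", "pre-shared key is identical on every device and cannot be revoked per device"))
    elif sec == "WPA/WPA2 Enterprise":
        eap = p.get("eap")
        if not p.get("server_cert_trusted"):
            # Without a trusted RADIUS certificate in the profile, a rogue AP
            # presenting any certificate receives the user's credentials.
            findings.append(("error", f"{eap}: profile does not specify the trusted server certificate"))
        if eap == "EAP-TLS":
            if not p.get("client_cert_profile"):
                findings.append(("error", "EAP-TLS: no client certificate profile (SCEP/PFX) linked"))
        elif eap == "EAP-TTLS":
            inner = p.get("inner")
            if inner not in TTLS_INNER:
                findings.append(("error", f"EAP-TTLS: unsupported inner method {inner!r}"))
            elif inner == "PAP":
                findings.append(("warn", "EAP-TTLS/PAP: password crosses the tunnel in clear; server trust is the only protection"))
        elif eap == "PEAP":
            inner = p.get("inner")
            if inner not in PEAP_INNER:
                findings.append(("error", f"PEAP: inner method {inner!r} not supported"))
            elif inner == "EAP-TLS" and not p.get("client_cert_profile"):
                findings.append(("error", "PEAP/EAP-TLS: no client certificate profile linked"))
        else:
            findings.append(("error", f"unknown EAP method {eap!r}"))
    else:
        findings.append(("error", f"unknown security type {sec!r}"))
    return findings


def worst_severity(profiles: list[dict]) -> str:
    """'error' if any profile has an error, 'warn' if only warnings, else 'ok'."""
    sev = {s for p in profiles for s, _ in lint_wifi_profile(p)}
    return "error" if "error" in sev else "warn" if "warn" in sev else "ok"


if __name__ == "__main__":
    # Constructed sample profiles, not real configuration.
    samples = [
        {"ssid": "corp", "security": "WPA/WPA2 Enterprise", "eap": "EAP-TLS",
         "server_cert_trusted": True, "client_cert_profile": "corp-user-cert"},
        {"ssid": "guest", "security": "WPA/WPA2 Personal"},
        {"ssid": "legacy", "security": "WEP"},
    ]
    for s in samples:
        print(s["ssid"], lint_wifi_profile(s))
    print("overall:", worst_severity(samples))
```

Run it over exported profiles before they are assigned to device groups; the single most common finding in practice is the Enterprise profile with no trusted server certificate, which silently turns a certificate-secured network into a credential-harvesting opportunity for anyone with an access point and a RADIUS server.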
Demo – VPN & Wi-fi configurationDilip Radhakrishnan
New security settings
• iOS: Allow/Block applications; Kiosk Mode; Custom Payload: import profiles created in Apple Configurator
• Windows Phone: Allow/Block applications; Custom Payload: configure any Windows Phone (OMA-URI) setting
• Android: Allow/Block applications; Kiosk mode
Demo – Security settings & Custom Profiles (Dilip Radhakrishnan)
Selective Wipe
iOS selective wipe – email (three screenshot slides): the "Work" email profile is first provisioned to the device; a later selective wipe removes that profile and its mail while leaving the user's personal accounts in place.
Key Takeaways
• Securing access to corporate data resources is a key component of your corporate data protection strategy.
• Microsoft Intune's tight integration with Azure AD's identity and O365's productivity services offers a unique, comprehensive solution for MDM/MAM.
• Microsoft continues to innovate at the OS platform level for securing your corporate assets on PCs and mobile devices.
Related content
Breakout Sessions
Tuesday, October 28th, 3:15 PM-4:30 PM: EM-B216 - Enterprise Client Management with System Center Configuration Manager and Intune
Tuesday, October 28th, 5:00 PM-6:15 PM: EM-B326 - What's New and Upcoming with OS Deployment in System Center Configuration Manager and the Microsoft Deployment Toolkit
Wednesday, October 29th, 8:30 AM – 9:45 AM: EM-B321 - Infrastructure Deployment for Mobile Device Management with System Center Configuration Manager and Intune
Wednesday, October 29th, 5:00 PM – 6:15 PM: EM-B320 - Securing Mobile Device Access to Corporate Resources with Intune (this session)
Thursday, October 30th, 3:15 PM-4:30 PM: EM-B312 - Mobile Application Management with Intune
Friday, October 31st, 8:30 AM – 9:45 AM: EM-B317 - Configuring Corporate-Owned Mobile Devices with Intune
Enterprise Mobility Track Resources
Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite
Microsoft Intune: http://aka.ms/microsoftintune
Configuration Manager: http://aka.ms/configmgr
Hybrid Identity: http://aka.ms/hi
Access & Info Protection: http://aka.ms/aip
Desktop Virtualization: http://aka.ms/virtualdesktop
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
Developer Network
http://developer.microsoft.com
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.