Spark the future. May 4 – 8, 2015, Chicago, IL

Windows 10 for mobile devices: To bring your own or not?
Alan Meeus, Architect, Microsoft Services, Center of Excellence Modern Devices & Mobility

BRK3305

Data, Devices, People

Everything is mobile
• 6.5B wireless connections today
• >42% of the global population owns a smartphone by end of 2015
• >50% of users will go to a tablet or smartphone first for online activities by 2018

With mobility come new security challenges
• Device, network and app diversity is staggering
• The network perimeter has vanished
• Attacks have become organized, targeted, and persistent (headlines: "Hackers threaten Sony employees", "Another major retailer hacked")
• Businesses are moving faster than IT

BYOD Scenarios
• Build on solid identities
• Protect content
• Prove health
• Manage apps

Cloud is here

Identity

Identity challenges today
• Windows Mobile devices have to be activated with an MSA
• Impossible to manage
• Users don't like a complex unlock PIN to access the device
• Passwords are not enough to protect against modern security threats
• Users are required to provide their identity to more places than ever
• Organizations want greater control over the way users provide their identity
• IT needs to understand patterns, identify potential threats and proactively detect suspicious activity

Windows Hello
• Biometric authentication using fingerprint, face, iris
• Integrated biometrics framework: False Acceptance Rate 1/100,000; False Rejection Rate 2-4%; liveness and anti-spoof measures and detection (3D/infrared)
• Regular password/PIN is still available
• MDM managed

Microsoft Passport
• Replaces passwords with a private key, unlocked solely through a "user gesture" (PIN, Windows Hello)
• To IT it's familiar, as it's based on an asymmetric key pair or certificate
• To the user it's familiar (Windows Hello or PIN)
• Choice of identity providers: identity providers validate and prove the user by OTP, PhoneFactor, …; IDPs map the Passport public key to a user account
• The private key is never shared; keys are ideally generated in hardware (TPM); hardware-bound keys are attested (Trusted Computing Group protocols)
• A single "unlock gesture" (aka "Windows Hello") provides access to multiple credentials (origin isolated)

Authentication for Orgs & Consumers

IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs
1. User creates an account or proves identity; the device creates a unique key, which the IDP trusts
2. Authentication by validating the signed request
3. Authentication token issued by the IDP
4. Resource (relying party) trusts tokens from the IDP ("So do I"); access token with token binding

User unlocks the Windows identity container with PIN or Hello
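The register/challenge/sign/token flow sketched in this diagram, as an added example written for this page (not Microsoft's code and not the actual Passport protocol): an ECDSA key pair stands in for the TPM-backed key, an in-memory IDP maps the public key to an account, the unlock gesture is a boolean, and the relying-party token is a plain string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device holds the Passport-style credential: the private key never leaves the
// device (in production, the TPM) and signs only after the unlock gesture.
type Device struct {
	key      *ecdsa.PrivateKey
	unlocked bool
}
// IDP maps each registered public key to a user account and issues tokens.
type IDP struct{ accounts map[string]*ecdsa.PublicKey }
func NewIDP() *IDP { return &IDP{accounts: map[string]*ecdsa.PublicKey{}} }
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{key: k}, err
}
// Unlock models the PIN/Hello gesture; Register (step 1) sends only the public key.
func (d *Device) Unlock(gestureOK bool)                     { d.unlocked = gestureOK }
func (idp *IDP) Register(user string, pub *ecdsa.PublicKey) { idp.accounts[user] = pub }
// Challenge (step 2): a fresh nonce, so a captured signature cannot be replayed.
func (idp *IDP) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Sign (step 3): answer the challenge with the private key; fails closed while locked.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("credential locked: unlock gesture required")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// Authenticate (step 4): verify against the registered key, then issue a token
// (a real IDP would sign and encode it; a plain string is enough here).
func (idp *IDP) Authenticate(user string, challenge, sig []byte) (string, error) {
	pub, ok := idp.accounts[user]
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("authentication failed")
	}
	return "token-for-" + user, nil
}
```

The point to notice is what the IDP never sees: only the public key is registered, and each login proves possession of the private key against a fresh nonce, so there is no shared secret to phish or replay.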

Windows 10 Passport scenarios

User (BYO): activates with MS Account, adds Azure AD account
• User uses MS Account to register with MS
• Users use Org ID to register with Azure AD
• Mobile device registration establishes trust for remote resource access
• User signs in with a Microsoft account, associates an Azure AD account
• Intune/MDM to configure the device and manage apps
• Settings roaming with MS Account

IT (Organization owned): Azure AD
• Users use Org ID to register with Azure AD
• Computer joins Azure AD to establish trust
• Mobile device registration establishes trust for remote resource access
• User signs in with a Microsoft account, associates an Azure AD account
• Intune/MDM to configure the device and manage apps
• Settings roaming with Azure
• MS Account can be added if allowed (Cortana)

Demo

Data Protection

Enterprise data protection
• Provides user-friendly data separation and containment (corporate vs. personal)
• Enables data protection wherever the data is
• Ensures only trusted apps can access your data
• Sharing of EDP content protected with IRM

Enterprise Data Protection

IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs
Step 1: Create account or prove identity; create and trust a unique key
Step 2: Authentication token issued by the IDP; the MDM trusts tokens from the IDP ("So do I")
Step 4: MDM enrollment: EDP policies, key management, enterprise allowed apps, network/storage, app data flow management, block or allow/audit controls, selective wipe on un-enroll

User unlocks the Windows identity container with PIN or Hello

Enterprise Data Protection: one experience
• Data is isolated
• Data is encrypted at rest
• Block/audit data exchange
• Organization holds keys
• Enlightened apps
• APIs for 3rd-party apps

MDM managed: Personal apps & data (unmanaged) | Business apps & data (managed). Data exchange is controlled.

Expanded VPN capability set
• Per-application VPN: MDM-managed app list and port restrictions; integrated with Enterprise Data Protection
• Always On support: always connected until the user disconnects; MDM managed
• Ease of deployment and management: MDM solutions can uniformly manage both Windows and Windows Phone VPN-based remote connectivity; user experience integrated across mobile devices
• Uniformity in Store-based distribution: open to all VPN solution providers, always up to date; Microsoft SSTP client also available as a Store application


EDP prompt shown in the UI mock-up (early design, not final UI): "Pasting content from a Fabrikam file to a personal file is discouraged, and if you choose 'paste anyway' your action and the content will be logged for IT review."

Policy

Mobile device management: one consistent set of MDM capabilities across Mobile, Desktop, and IoT

Enrollment
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD integration

Inventory
• Enhanced inventory for compliance decisions

Application management
• Curated Windows Store
• Business Store app distribution
• License reclaim/re-use
• Enterprise app management
• LOB app management
• App inventory (MDM/Store)
• App allow/deny list
• Enterprise data protection

Device configuration and security
• Extended set of policies
• Context-based policies
• Client certificates: direct install (PFX)
• Enterprise Wi-Fi profiles
• VPN profiles
• Email provisioning
• MDM push when user not logged in
• Kiosk mode, Start screen configuration and control

Remote assistance
• Remote lock, PIN reset, ring, find
• Full device wipe

Unenrollment
• Un-enrollment with alerts
• Removal of configuration & EDP-protected data

Device health and conditional access: blocking unhealthy devices to protect resources and prevent proliferation

Important resources: OneDrive, file servers, email, wireless

1. Device: "Access please"
2. Resource: "Prove to me you are healthy"
3. Request to Windows PPCH and Intune (Trusted Boot and integrity data, Azure AD)
4. Device: "Here is my proof" (client policies state, MDM)
5. Approved

Applications

Windows 10 at a glance
• Business Store: modern apps; leverages Azure Active Directory; private store in the Store for Store and LOB apps; pay with credit card or PO/invoice; modern app license management
• Windows Store: modern apps; sign in with MSA; pay with credit card, gift card, PayPal, mobile operators
• Company Portal: MDM-driven; deploy line-of-business modern apps from the catalogue; deploy Windows Store apps (even when the Store UI is disabled) as well as uploaded LOB apps through BSP integration

Business Store
• A web site for businesses, schools, or other organizations
• Free to use, easy to sign up
• Used by IT administrators, purchasers
• Provides key functionality for acquiring, using, and deploying apps in an organization, including line-of-business apps
• Complements the existing management solutions
• Flexible scenarios for any need

Private online store

IT Manager
1. Sign in to Business Store using an Azure AD account
2. Acquire apps: free apps, or purchased using a PO, invoice, or credit card
3. Create private store; add apps

End User
1. Log into Windows using an Azure AD account
2. Open the Windows Store app: private store and public categories available
3. Install apps as needed, selected from the private store using Azure AD, or from public categories using MSA

Infrastructure: cloud-based
• No on-premises infrastructure requirements
• No MDM service required
• Apps automatically updated from the Windows Store
• Can include LOB apps

Scenario: online with Mobile Device Management infrastructure

Infrastructure: cloud-based or on-premises (depending on the MDM service used)
• Store apps automatically updated from the Windows Store
• The Windows Store app can be disabled if desired
• APIs available to ISVs to automate the BSP interactions

Scenario

IT Manager
1. Sign in to Business Store using an Azure AD account
2. Acquire apps: free apps, or purchased using a PO, invoice, or credit card
3. Add apps to MDM: link to the app in the Business Store

End User
1. Log into Windows using an Azure AD account
2. Open the Company Portal app: selected Windows Store apps and private LOB apps available
3. Install apps from Company Portal; install public Windows Store apps using MSA

Edge
• Only browser on Mobile; modern browser
• Managed by MDM: Allow Browser, Default Browser, Allow pop-ups, Allow Cookies, Configure SmartScreen, Allow Active Scripting, Configure Home Page, Configure Multi Media, Allow Autofill, Configure password manager

Demo

App distribution

Deployment requirements, per Active Directory deployment configuration

NGC        | Azure AD only                                 | Hybrid AD                                                | AD only
Key-based  | AAD subscription                              | AAD subscription; AAD Sync w/ NGC key write-back         | AD DS 10 DCs; AD FS 10
Cert-based | AAD subscription; PKI infrastructure; Intune  | AAD subscription; PKI infrastructure; SCCM 2015/Intune   | AD DS 10 schema; AD FS 10; PKI infrastructure; SCCM 2015

BYOD summary
• Build on solid identities
• Protect content
• Prove health
• Manage and control apps

Cloud is here

Next Steps
• Evaluate Windows 10 for your business: Windows Insider Program, insider.windows.com
• Evaluate your readiness for Windows 10: BYO mobility Lab
• Investigate developing Universal Windows apps: //BUILD, channel9.msdn.com
• Complete your eval. Appreciated, thanks


© 2015 Microsoft Corporation. All rights reserved.