Data Devices People 6.5B Wireless connections today >42% of global population owns smartphone by end...
Windows 10 for mobile devices: To bring your own or not?
Alan Meeus, Architect, Microsoft Services, Center of Excellence Modern Devices & Mobility
BRK3305
Data, Devices, People
• 6.5B wireless connections today
• >42% of the global population owns a smartphone by end of 2015
• >50% of users will go to a tablet or smartphone first for online activities by 2018

Everything is mobile
• Device, network and app diversity is staggering
• The network perimeter has vanished
• Attacks have become organized, targeted, and persistent (headlines: "Hackers threaten Sony employees", "Another major retailer hacked")
• Businesses are moving faster than IT
With mobility comes new security challenges.
Identity challenges today
• Windows Mobile devices have to be activated with an MSA: impossible to manage
• Users don't like a complex unlock PIN to access the device
• Passwords are not enough to protect against modern security threats
• Users are required to provide their identity to more places than ever
• Organizations want greater control over the way users provide their identity
• IT has a need to understand patterns, identify potential threats and proactively detect suspicious activity
Windows Hello
• Biometric authentication using fingerprint, face, iris
• Integrated Biometrics Framework
• False Acceptance Rate 1/100,000
• False Rejection Rate 2-4%
• Liveness and anti-spoof measures, detection (3D/infrared)
• Regular password/PIN is still available
• MDM managed
Microsoft Passport
• Replaces passwords with a private key, unlocked solely through a "user gesture" (PIN, Windows Hello)
• To IT it is familiar, as it is based on an asymmetric key pair or certificate
• To the user it is familiar (Windows Hello or PIN)
Choice of identity providers
• Identity providers validate and proof the user by OTP, PhoneFactor, ...
• IDPs map the Passport public key to a user account
• The private key is never shared
• Keys are ideally generated in hardware (TPM)
• Hardware-bound keys are attested (Trusted Computing Group protocols)
• A single "unlock gesture", aka Windows Hello, provides access to multiple credentials (origin isolated)
Authentication for Orgs & Consumers (diagram)
IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs
1. The user creates an account or proves identity; the device creates a unique key and the IDP trusts it
2. The user unlocks the Windows identity container with a PIN or Hello, and the IDP authenticates by validating the signed request
3. The IDP issues an authentication token
4. The resource (relying party) trusts tokens from the IDP ("So do I") and accepts the access token, with token binding
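The key-based sign-in described above (a public key registered with the IDP, a private key that never leaves the device, a token issued only for a valid signature, origin-isolated keys) as an added toy model in Go; this is constructed for this page and is not Microsoft's or Windows code. The Container and IdP types, the "origin|user|nonce" message format, the token string and the Ed25519 key type are assumptions; a real device keeps the key in the TPM and the IDP is Active Directory, Azure AD or a Microsoft account.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device-side key container (constructed, not Microsoft's code): one private key per origin, standing in for a TPM-bound key that never leaves the device.
type Container map[string]ed25519.PrivateKey

// Register (step 1) creates a key for an origin and releases only the public half.
func (c Container) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c[origin] = priv
	return pub, nil
}

// Sign (step 2) answers an IdP's nonce with the key registered for that origin only; the signed message binds origin, user and nonce so it cannot be replayed elsewhere.
func (c Container) Sign(origin, user string, nonce []byte) ([]byte, error) {
	if priv, ok := c[origin]; ok {
		return ed25519.Sign(priv, []byte(origin+"|"+user+"|"+string(nonce))), nil
	}
	return nil, fmt.Errorf("no key registered for origin %q", origin)
}

// IdP maps public keys to accounts and issues a token (step 3) only for a valid signature; a relying party (step 4) trusts that token instead of a password.
type IdP struct {
	name string
	keys map[string]ed25519.PublicKey
}

func NewIdP(name string) *IdP { return &IdP{name: name, keys: map[string]ed25519.PublicKey{}} }
func (i *IdP) Enroll(user string, pub ed25519.PublicKey) { i.keys[user] = pub }
func (i *IdP) Authenticate(user string, nonce, sig []byte) (string, bool) {
	pub, ok := i.keys[user]
	if !ok || !ed25519.Verify(pub, []byte(i.name+"|"+user+"|"+string(nonce)), sig) {
		return "", false
	}
	return "token:" + i.name + ":" + user, true
}

func main() { // stand-alone run of the flow with a constructed nonce
	dev, aad := Container{}, NewIdP("AzureAD")
	pub, _ := dev.Register("AzureAD")
	aad.Enroll("alice", pub)
	sig, _ := dev.Sign("AzureAD", "alice", []byte("nonce-1"))
	fmt.Println(aad.Authenticate("alice", []byte("nonce-1"), sig))
}
```

A key registered with one IdP cannot answer another IdP's challenge, which is the origin isolation the slide refers to.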
Windows 10 Passport scenarios

User (BYO): activates with a Microsoft account, adds an Azure AD account
• User uses a Microsoft account to register with MS
• Users use an Org ID to register with Azure AD
• Mobile device registration establishes trust for remote resource access
• User signs in with a Microsoft account and associates an Azure AD account
• Intune/MDM configures the device and manages apps
• Settings roaming with the Microsoft account

IT (Organization owned): Azure AD
• Users use an Org ID to register with Azure AD
• Computer joins Azure AD to establish trust
• Mobile device registration establishes trust for remote resource access
• User signs in with a Microsoft account and associates an Azure AD account
• Intune/MDM configures the device and manages apps
• Settings roaming with Azure
• A Microsoft account can be added if allowed (Cortana)
Enterprise data protection
• Provides user-friendly data separation and containment (corporate vs. personal)
• Enables data protection wherever the data is
• Ensures only trusted apps can access your data
• Sharing of EDP content protected with IRM
Enterprise Data Protection (diagram)
IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs
1. The user creates an account or proves identity; the device creates a unique key and the IDP trusts it
2. The user unlocks the Windows identity container with a PIN or Hello and receives an authentication token, which the MDM trusts ("So do I")
4. MDM enrollment: EDP policies, key management, enterprise allowed apps, network/storage, app data flow management, block or allow/audit controls, selective wipe on un-enroll
Enterprise Data Protection: one experience
• Data is isolated
• Data is encrypted at rest
• Block/audit data exchange
• Organization holds keys
• Enlightened apps
• APIs for 3rd party apps
• MDM managed
Personal Apps & Data (unmanaged) and Business Apps & Data (managed) sit side by side; data exchange between them is controlled.
Expanded VPN capability set
• Per-application VPN: MDM managed app list and port restrictions, integrated with Enterprise Data Protection
• Always On support: always connected until the user disconnects, MDM managed
• Ease of deployment and management: MDM solutions can uniformly manage both Windows and Windows Phone VPN based remote connectivity; user experience integrated across mobile devices
• Uniformity in Store based distribution: open to all VPN solution providers, always up-to-date; the Microsoft SSTP client is also available as a Store application
Pasting content from a Fabrikam file to a personal file is discouraged, and if you choose “paste anyway” your action and the content will be logged for IT review.
Mobile device management
One consistent set of MDM capabilities across Mobile, Desktop, and IoT

Enrollment
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD integration

Inventory
• Enhanced inventory for compliance decisions

Device configuration and security
• Extended set of policies
• Context based policies
• Client certificates: direct install (PFX)
• Enterprise Wi-Fi profiles
• VPN profiles
• Email provisioning
• MDM push when user not logged in
• Kiosk mode, Start screen configuration and control

Application management
• Curated Windows Store
• Business Store app distribution
• License reclaim/re-use
• Enterprise app management
• LOB app management
• App inventory (MDM/Store)
• App allow/deny list
• Enterprise data protection

Remote assistance
• Remote lock, PIN reset, ring, find
• Full device wipe

Unenrollment
• Un-enrollment with alerts
• Removal of configuration & EDP protected data
Device health and conditional access (diagram)
Blocking unhealthy devices to protect resources and prevent proliferation.
1. Device: "Access please" (to important resources: OneDrive, file servers, email, wireless)
2. Resource: "Prove to me you are healthy"
3. Device requests a health proof from Windows PPCH and Intune, based on Trusted Boot and integrity data (Azure AD)
4. Approved, based on client policy state (MDM)
5. Device: "Here is my proof"
Windows 10 at a glance
Business Store: modern apps; leverages Azure Active Directory; private store in the Store for Store and LOB apps; pay with credit card or PO/invoice; modern app license management
Windows Store: modern apps; sign in with MSA; pay with credit card, gift card, PayPal, mobile operators
Company Portal: MDM-driven; deploy line-of-business modern apps from the catalogue; deploy Windows Store apps (even when the Store UI is disabled) as well as uploaded LOB apps through BSP integration
Business Store
• A web site for businesses, schools, or other organizations
• Free to use, easy to sign up
• Used by IT administrators, purchasers
• Provides key functionality for acquiring, using, and deploying apps in an organization, including line-of-business apps
• Complements the existing management solutions
• Flexible scenarios for any need
Scenario: private online store
IT Manager
1. Sign in to Business Store using an Azure AD account
2. Acquire apps: free apps, or purchased using a PO, invoice, or credit card
3. Create private store and add apps
End User
1. Log into Windows using an Azure AD account
2. Open the Windows Store app: private store and public categories available
3. Install apps as needed, selected from the Private Store using Azure AD, or from public categories using MSA
Infrastructure: cloud-based
• No on-premises infrastructure requirements
• No MDM service required
• Apps automatically updated from the Windows Store
• Can include LOB apps
Scenario: online with Mobile Device Management infrastructure
Infrastructure: cloud-based or on-premises (depending on the MDM service used)
• Store apps automatically updated from the Windows Store
• The Windows Store app can be disabled if desired
• APIs available to ISVs to automate the BSP interactions
IT Manager
1. Sign in to Business Store using an Azure AD account
2. Acquire apps: free apps, or purchased using a PO, invoice, or credit card
3. Add apps to MDM: link to the app in the Business Store
End User
1. Log into Windows using an Azure AD account
2. Open the Company Portal app: selected Windows Store apps and private LOB apps available
3. Install apps from Company Portal; install public Windows Store apps using MSA
Edge
• Only browser on Mobile
• Modern browser
• Managed by MDM: allow browser, default browser, allow pop-ups, allow cookies, configure SmartScreen, allow active scripting, configure home page, configure multimedia, allow autofill, configure password manager
Deployment requirements (per Active Directory deployment configuration)
NGC key-based
• Azure AD only: AAD subscription
• Hybrid AD: AAD subscription; AAD Sync w/ NGC key write-back; AD DS 10 DCs; AD FS 10
• AD only: no requirements listed on the slide
NGC cert-based
• Azure AD only: AAD subscription; PKI infrastructure; Intune
• Hybrid AD: AAD subscription; PKI infrastructure; SCCM 2015/Intune
• AD only: AD DS 10 schema; AD FS 10; PKI infrastructure; SCCM 2015
BYOD summary
• Build on solid identities
• Protect content
• Manage and proof health
• Control apps
Cloud is here.
Next steps
• Evaluate Windows 10 for your business: Windows Insider Program, insider.windows.com
• Evaluate your readiness for Windows 10: BYO mobility Lab
• Investigate developing Universal Windows apps: //BUILD, channel9.msdn.com
Complete your eval. Appreciated, thanks.
Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this session. Your feedback is important to us!