Office 365 Mobile Device Management: What Is It, and Why Should You Care - Paul Robichaux
Office 365 Mobile Device Management: What Is It, and Why Should You Care
Paul Robichaux
Summit 7 Systems, [email protected]
Introduction
The rise of BYOD
• Mobile devices have become ubiquitous
– Blame BlackBerry and Steve Jobs
• Work time has expanded
– “You can work anywhere, anytime” has become “you must”
• Employers are stingy
– If you can get employees to provide their own devices and data plans…
The dark side of BYOD
• Your data, their device
– Can’t guarantee physical or data integrity
– Theft, loss, damage are all threats
– Security policies viewed with suspicion and hostility
• Version, device, and application support
• End-to-end troubleshooting
BYOD coping strategies*
• Denial
– Don’t allow any user-provided devices
• Bargaining
– Allow user-provided devices subject to ToU
• Acceptance
– Perhaps better described as “resignation”
*Anger, depression strategies are options
Common MDM tools
• Restrict which devices are allowed to sync
• Restrict which users are allowed to sync
• Restrict what users can sync
• Store all synced content in a separate container
The MDM lifecycle
1. Enrollment places a device under management
2. Configuration applies settings / policies
3. Secure enforces settings
4. Manage
5. Monitor
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx
Exchange ActiveSync
• EAS is both a transport protocol and an MDM protocol
• Designed years ago, it has many limitations
– Doesn’t address many capabilities customers want: app policies, jailbreak protection, etc.
– Rate of change is low due to installed base
• But it’s also ubiquitous and cheap
– Great 80% solution
Exchange ActiveSync
Pros
• Cheap
• Widely available
• Fully integrated with Exchange
• Equivalent on-prem/online feature sets
Cons
• Limited feature set
• Not every device supports the full protocol
• No integrity protection
• No containerization
• Only supports Exchange
MDM Pieces and Parts
Surpassing EAS
• Competing MDM solutions have taken significant market share
• Microsoft’s previous effort was SCMDM
• Second attempt was Intune
• O365 MDM is a subset of Intune
What is Intune?
• Microsoft says… “Intune is a cloud-based service that lets you manage mobile devices, PCs, and apps so your users can be productive while you protect your company's information.”
What is Intune?
• Part of Enterprise Mobility Suite (EMS)
• Can manage PCs and mobile devices
• Offers mobile app management (MAM)
• We won’t talk about it further in this session
What is Office 365 MDM?
• Subset of Intune
– Doesn’t manage PCs
– Doesn’t integrate with SCCM
– Managed using O365 admin center
• Cloud-only
• Provides three main functions
– Conditional access
– Device management
– Selective wipe
Conditional access
• Blocks access to Office 365 resources unless policy conditions are met
– Mail through EAS
– Mail through Outlook
– OneDrive
– Documents through Office apps
Device management
• Enforces security policies you specify
• Devices that don’t meet policy may not be allowed to connect
• Policies vary between device families
– E.g. “force encrypted cloud backup” only works on iOS
Selective wipe
• EAS wipe erases the entire device
– Users don’t like this
• O365 MDM wipe allows you to choose:
– Wipe the whole device, EAS-style
– Wipe only data that came from O365
– Wipe the device after multiple wrong password attempts
What “selective” means
• The Company Portal app is removed
• Data synced into Outlook is removed
• Data synced into OneDrive for Business is removed
• Policy settings are no longer enforced
• Managed email profiles are removed
• The device is removed from the list of managed devices
• Everything else stays
Configuring O365 MDM
Setting up O365 MDM
• Remember the lifecycle diagram?
• Turns out there are 2 extra steps
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx
Step 0: Audit devices
• Audit your devices!
• Admins are always surprised by the audit results
– Ancient devices
– Departed employees
• Best way: use Paul Cunningham’s Get-EASDeviceReport.ps1: http://bit.ly/1zEbJG5
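The audit step above is where the “ancient devices” and “departed employees” surface. The following is an added example, not part of the talk and not Paul Cunningham’s script: it takes a CSV in the general shape of an EAS device report (the column names, the thresholds, the departed-user list and every row are constructed for the example) and flags the partnerships an admin would want to look at before enabling MDM.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an Exchange ActiveSync device report.
# Column names are assumed for this example; they are not the exact output of
# Get-EASDeviceReport.ps1. Dates are "YYYY-MM-DD HH:MM".
SAMPLE_REPORT = """\
Mailbox,DeviceType,DeviceModel,DeviceOS,DeviceAccessState,LastSuccessSync
alice@contoso.example,iPhone,iPhone 8,iOS 13.4,Allowed,2020-05-01 08:15
bob@contoso.example,Android,SM-G950,Android 5.1,Allowed,2019-02-11 17:42
carol@contoso.example,WindowsMail,Lumia 950,Windows 10,Allowed,2020-04-28 09:03
dave@contoso.example,iPad,iPad 2,iOS 9.3.5,Allowed,2018-11-30 12:00
erin@contoso.example,Android,Pixel 3,Android 10,Blocked,2020-04-30 07:55
"""

# Constructed: mailboxes whose owners have left. In practice this list comes
# from HR or from disabled accounts in the directory.
DEPARTED_USERS = {"dave@contoso.example"}

# Constructed audit thresholds; tune to your own retention and support policy.
AS_OF = datetime(2020, 5, 4)
STALE_AFTER = timedelta(days=90)
MIN_OS = {"iOS": (11, 0), "Android": (8, 0), "Windows": (10, 0)}


def parse_report(text):
    """Parse the CSV report into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def os_version(device_os):
    """Split 'iOS 9.3.5' into ('iOS', (9, 3)); missing components become 0."""
    family, _, version = device_os.partition(" ")
    nums = [int(p) for p in version.split(".")[:2] if p.isdigit()]
    while len(nums) < 2:
        nums.append(0)
    return family, tuple(nums)


def audit(rows, now=AS_OF, departed=DEPARTED_USERS):
    """Return [(mailbox, model, [reasons])] for every device worth a second look."""
    findings = []
    for row in rows:
        reasons = []
        last = datetime.strptime(row["LastSuccessSync"], "%Y-%m-%d %H:%M")
        age = now - last
        if age > STALE_AFTER:
            reasons.append("stale: last successful sync %d days ago" % age.days)
        if row["Mailbox"] in departed:
            reasons.append("departed user still has a device partnership")
        family, version = os_version(row["DeviceOS"])
        if family in MIN_OS and version < MIN_OS[family]:
            reasons.append("ancient OS: %s" % row["DeviceOS"])
        if reasons:
            findings.append((row["Mailbox"], row["DeviceModel"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, model, reasons in audit(parse_report(SAMPLE_REPORT)):
        print(mailbox, model)
        for reason in reasons:
            print("   -", reason)
```

Running it against the constructed report flags Bob’s old Android phone (stale and below the OS floor) and Dave’s iPad (stale, below the OS floor, and belonging to someone who has left); the current devices pass. Feed it the real report’s columns, adjust the thresholds, and the same three checks give you the list to clean up before policies start blocking people.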
Step 0, part 2: Config tenant
• Before you can enroll devices you must configure the tenant in Office 365
1. Enable MDM in the Mobile Devices tab
2. Configure DNS
3. Configure APNS
Enabling feature in tenant
• Go to “Mobile Devices” tab on left nav bar in Office 365 admin portal
• Follow instructions
Creating DNS records
• You may already have done this
• Two required CNAME records
– Enterpriseregistration: used to register/re-register devices (also used by Workplace Join)
– Enterpriseenrollment: used to enroll brand-new devices
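Because enrollment silently fails when these two CNAMEs are missing or stale, it is worth checking every verified domain before turning on policies. The following is an added example, not from the talk: the record labels come from the slide, the CNAME targets are the ones Microsoft published for these records at the time (confirm them against current documentation), and the zone snapshot and domain names are constructed so the check runs offline.

```python
# Labels of the two required CNAMEs (from the talk) and the targets they are
# expected to point at. The targets are assumed from Microsoft's published
# guidance at the time of the talk; confirm them against current documentation.
EXPECTED_TARGETS = {
    "enterpriseregistration": "enterpriseregistration.windows.net",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def expected_records(domain):
    """Map each required record name for a verified domain to its target."""
    domain = normalize(domain)
    return {"%s.%s" % (label, domain): target for label, target in EXPECTED_TARGETS.items()}


def check_mdm_dns(domain, lookup_cname):
    """Check one verified domain.

    lookup_cname(name) must return the CNAME target as a string, or None when
    no CNAME exists. Returns {record_name: (status, detail)} with status
    'ok', 'missing' or 'wrong-target'.
    """
    results = {}
    for name, want in expected_records(domain).items():
        got = lookup_cname(name)
        if got is None:
            results[name] = ("missing", "no CNAME; expected %s" % want)
        elif normalize(got) != want:
            results[name] = ("wrong-target", "points to %s, expected %s" % (normalize(got), want))
        else:
            results[name] = ("ok", want)
    return results


def problems(results):
    """Record names that need fixing, sorted for stable output."""
    return sorted(name for name, (status, _) in results.items() if status != "ok")


# Constructed zone snapshot standing in for a live resolver: one record is
# correct apart from case and trailing dot, the other still points at a
# leftover target from a previous product.
SAMPLE_ZONE = {
    "enterpriseregistration.contoso.example": "EnterpriseRegistration.windows.net.",
    "enterpriseenrollment.contoso.example": "mdm.legacy-vendor.example.",
}


def sample_lookup(name):
    return SAMPLE_ZONE.get(normalize(name))


if __name__ == "__main__":
    for domain in ("Contoso.example", "fabrikam.example"):
        for name, (status, detail) in check_mdm_dns(domain, sample_lookup).items():
            print("%-45s %-13s %s" % (name, status, detail))
```

To run this against live DNS, swap `sample_lookup` for a function that queries a resolver (for instance dnspython’s `dns.resolver.resolve(name, "CNAME")`, returning None on NXDOMAIN or no-answer) and loop over every verified domain in the tenant, not just the primary one: users with mailboxes in a secondary domain enroll through that domain’s records.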
APNS enrollment
• Apple Push Notification Service needed if you have iOS devices
• You request a cert then upload it to Apple’s portal
The enrollment process
Image courtesy Microsoft; “Windows 8.1 Enterprise Device Management Protocol.pdf”
Configuring security policies
• You manage policies through the Compliance Center
– Show of hands: who’s been to that page?
Policies and groups
• You assign policies to security groups
– So create the groups first
• Single org-wide exclusion group
• Policies apply to users, not devices
– Joe has two iOS devices and a Lumia 950…
– This is different from EAS
What do policies do?
• Depends on device OS
– Not every device OS supports every setting
– E.g. “Block access to application store” works on WP + iOS, not Android
• Depends on your policy setting
– You can allow non-compliant devices or not
• See http://summit7systems.com/office-365-mobile-device-management-policies/
Policy application
• Devices must download policy
– No download, no policy
– Devices that report that they don’t have a policy are blocked
• Up to 6-hour window when you apply a policy to existing users
– Newly created users get the policy immediately when they’re added to the target group
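The three slides above (policies and groups, what policies do, policy application) describe one decision procedure: find the policies that target the user through group membership, honour the exclusion group, block a device that never downloaded its policy, drop the settings the device family cannot enforce, and then let the “allow non-compliant” switch decide what happens to the rest. The following is an added model of that procedure, not Office 365’s own evaluation engine: the setting names, the password setting, the group names and Joe’s and Ann’s devices are all constructed; the per-OS support facts are the two examples given in the talk.

```python
from dataclasses import dataclass

# Which device families honour each setting. The two examples come from the
# talk (app-store blocking on WP and iOS only; encrypted backup on iOS only);
# the password entry and the setting names themselves are constructed and do
# not match the portal's exact labels.
SETTING_SUPPORT = {
    "require_password": {"iOS", "Android", "WindowsPhone"},
    "block_app_store": {"iOS", "WindowsPhone"},
    "force_encrypted_backup": {"iOS"},
}


@dataclass
class Policy:
    name: str
    settings: dict          # setting -> required value
    allow_noncompliant: bool
    target_group: str


@dataclass
class Device:
    owner: str
    family: str
    has_policy: bool        # did the device download the policy?
    state: dict             # setting -> value the device reports


def applicable_settings(policy, family):
    """Drop settings the device family cannot enforce."""
    return {s: v for s, v in policy.settings.items() if family in SETTING_SUPPORT.get(s, set())}


def policies_for_user(user, groups, exclusion_group, policies):
    """Policies target users via group membership; the exclusion group wins."""
    if user in groups.get(exclusion_group, set()):
        return []
    return [p for p in policies if user in groups.get(p.target_group, set())]


def evaluate(device, groups, exclusion_group, policies):
    """Return ('allow' | 'block', reason) for one device of one user."""
    targeted = policies_for_user(device.owner, groups, exclusion_group, policies)
    if not targeted:
        return "allow", "owner not targeted by any policy"
    if not device.has_policy:
        return "block", "device reports no policy"
    violations = []
    for policy in targeted:
        for setting, want in applicable_settings(policy, device.family).items():
            if device.state.get(setting) != want:
                violations.append("%s/%s" % (policy.name, setting))
    if not violations:
        return "allow", "compliant"
    if all(p.allow_noncompliant for p in targeted):
        return "allow", "non-compliant but allowed: " + ", ".join(violations)
    return "block", "non-compliant: " + ", ".join(violations)


# Constructed tenant: one baseline policy on the MDM-Users group, one
# org-wide exclusion group, Joe's three devices and one of Ann's.
GROUPS = {"MDM-Users": {"joe", "ann"}, "MDM-Excluded": {"ann"}}
POLICIES = [Policy("Baseline",
                   {"require_password": True, "block_app_store": True, "force_encrypted_backup": True},
                   allow_noncompliant=False, target_group="MDM-Users")]
DEVICES = [
    Device("joe", "iOS", True, {"require_password": True, "block_app_store": True, "force_encrypted_backup": True}),
    Device("joe", "iOS", True, {"require_password": True, "block_app_store": False, "force_encrypted_backup": True}),
    Device("joe", "WindowsPhone", False, {}),
    Device("joe", "Android", True, {"require_password": True}),
    Device("ann", "iOS", False, {}),
]


def run_sample():
    """(owner, family, decision) for every constructed device."""
    return [(d.owner, d.family, evaluate(d, GROUPS, "MDM-Excluded", POLICIES)[0]) for d in DEVICES]


if __name__ == "__main__":
    for device in DEVICES:
        decision, reason = evaluate(device, GROUPS, "MDM-Excluded", POLICIES)
        print("%-4s %-13s %-5s %s" % (device.owner, device.family, decision, reason))
```

Two things the run makes visible that the slides only state: Joe’s Android phone is compliant even though it cannot block the app store or force encrypted backups, because those settings simply do not apply to it, and Ann’s un-enrolled iPhone is never blocked because the exclusion group removes her from the policy’s scope entirely. Flip `allow_noncompliant` to `True` and Joe’s second iPhone is let in with the violation recorded rather than blocked.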
DEMO: MDM security policies
Enrolling devices
• Automatic enrollment happens when you add a user to a group that has a policy assigned
• Manual enrollment may require the user to install an app
– iOS: install Company Portal app
– Android: install Company Portal app
– WP8.x: built-in
– Win10: built-in
Setting up O365 MDM
• When you add a user to a group that has a policy assigned, that user’s devices will be enrolled
• User must opt in
Image courtesy of MVP Paul Cunningham since I stupidly forgot to bring an iOS device
Auto-enrollment
• After user accepts opt-in prompt, they must download and install Company Portal app for their OS
– Fairly simple process that still may confuse non-technical users
New enrollment experience
• MS is rolling out a “new” end user experience
• Users who are blocked by policy get an email with a link to get the Company Portal app
Manage and monitor
• Office 365 admin center shows you enrolled devices and their states
• Compliance Center device compliance reports
• Third-party reporting tools (e.g. Cogmotive)
DEMO: MDM management and reporting
The big picture
What should I use?
• O365 MDM replaces EAS
– Any existing EAS policy will be overwritten when you enroll the device
• Intune replaces O365 MDM
– Much broader feature set
– Aggressive bundle pricing through EMS
• Several third-party solutions
– Installed base and feature set drive this decision
EAS
• EAS is cheap, cheerful, compatible
– Very wide range of supported devices
– Basic policy management only
– You’re probably already using it
– Don’t expect much future investment
– The split may be coming…
Office 365 MDM
• Included in most SKUs
• Good functionality
• Can easily be expanded to Intune
Intune
• Tons of functionality
– More complex to deploy and manage