Secure Android devices and apps with Microsoft Intune

1 Secure Android devices and apps with Microsoft Intune
Microsoft Ignite 2016 4/17/2018 8:23 AM BRK2273 Secure Android devices and apps with Microsoft Intune Chris Baldwin Senior Program Manager © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 The Microsoft Vision
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.
Diagram labels: Devices; Employees; Business partners; Customers; Apps; Data; Users
- Secure and protect against new threats
- Maximum productivity experience
- Comprehensive and integrated

3 Intune Android overview Android for Work MAM without enrollment
- Intune Android overview
- Android for Work
- MAM without enrollment
- Enabling apps for MAM

5 Intune Android overview

6 Continuum of Android management choices
Intune provides choice for IT depending on management needs
Identity: Protect your identity and authentications
- MFA
- Azure sign-in protections
- Conditional Access
- Right app, right identity, right risk profile
Application: Control how data is used and shared inside your apps
- Multi-identity controls
- Cloud storage controls
- Data transfer protection
- Enforceable without device enrollment
Device: Multiple choices for device management
- Android for Work
- Samsung KNOX Standard
- Core Android 4.X

7 Enterprise Mobility Management
Mobile Device Management
- Enrolling corporate devices for management
- Enrolling personal devices for management
- Provisioning settings, certs, profiles
- Reporting device inventory
- Measuring device compliance
- Removing corporate data from devices
- All of the above using OS standards
Mobile App Management
- Publishing mobile apps to users
- Configuring mobile apps
- Securing corporate data in mobile apps
- Removing corporate data from mobile apps
- Updating mobile apps
- Reporting app inventory and usage
- All of the above with or without MDM

8 Android fragmentation challenges
Android: the power of choice
- 24,000 distinct devices
- 1,294 brands
- Great for end users
- Causes difficulty in the enterprise
Source:

9 Intune Android manageability areas
Native Android 4.0+ MDM
- Intune supports MDM standard functions, applicable to all Android devices
- Also supports certificates, Wi-Fi profiles, app installs, and MAM policies
- Most APIs require user interactions for approval
Samsung KNOX extends native Android in a number of areas
- Cert & app installation: Can be silent, done without user action
- Device-wide settings: 28 additional settings exposed by Samsung APIs
- profile support: Samsung provides configurable client
- Kiosk mode with multi-app support
- Enforced app allow/deny list

10 Intune Android manageability areas
MAM policies for data protection
- Data protection built into apps
- Supports device management, or non-managed devices
Companion apps
- Supports Intune MAM policies
- Managed browser
- RMS Viewer for image, PDF, and other content viewing
Threat protection from Lookout
- Control access based on device risk assessment
- Lookout uses file system, network stack, device, and application telemetry

11 Tour of Android MDM and MAM
Demo

13 Android for Work

14 Common Android pain points…
Android is missing some key features, like per-app VPN, silent app installs, and a configurable client.
Android security is fundamentally lacking. I don’t want to allow installations from unknown sources.
Android OEM fragmentation affects manageability and user experience. Too many prompts!

16 Android for Work overview
Enhanced on-device management capabilities
- Requires Android 6.0+ devices
- Work profile a native part of the OS
- Reduces fragmentation
- Feature requests and enhancements will be on AFW going forward
App management
- App installs brokered by Google Play for Work service
- Targeted at reducing malware threat
- App configuration (for apps that support them)
Productivity apps , Calendar, Contacts apps
Partnership community
- EMM, VPN, ISV, OEM

17 Intune support for Android for Work
Enhanced device management settings
- Manage a work profile on the device
- Enforce complex PIN policy
App management improvements
- Unified app install experience for all app types
- Push deploy Play Store apps
- Managed app configuration
Security improvements
- Installation from unknown sources no longer required
- Mandatory device encryption
client app configuration
- Gmail and Nine Work apps
Rolling out starting in October service release

18 Android for Work major scenarios
BYOD: Employees can use their personal AFW-capable devices for work while allowing IT to manage only work apps and data through a separate, native profile.
Corp owned, personally enabled: Corp-owned devices provisioned by IT and provided to IWs to use. IT manages the entire device. Requires IT provisioning step.
Kiosk (COSU): Single-use, kiosk-style devices

19 New provisioning requirements
Diagram labels: App config; App config
- IT admin must onboard Intune tenant before enrollment
- Previous requirements for Google domain are no longer necessary

20 Android for Work tour Demo

21 Android for Work and Intune MAM for data protection
Android for Work work profile MDM features
- Copy/paste restriction on profile boundary
- Redaction of notifications on locked devices
- Managed configuration for participating apps
- Work profile deleted entirely upon device retire
Intune MAM policies for comprehensive data protection and BYOD flexibility
- Available for devices without MDM enrollment
- Personal/corp context aware (multi-identity)
- Preserves the Office user experience
- Cloud service controls prevent sharing to personal locations
- Can control sharing with other apps in the profile

22 App management process
- LOB apps published to Play for Work
- Approved apps are synced into and deployed from Intune

23 App deployment with Android for Work
Initial release
- Free public store: Any free app available in the public Play Store today. IT pro approves apps and accepts permissions on behalf of org.
- Private LOB: IT pro publishes LOB APK to private Play for Work domain. Requires Android developer account.
Roadmap
- Paid public store: License management and tracking for purchased apps.
- Self-hosted LOB: APK content is hosted on separate content server. For APKs that have security-sensitive content.

24 Android for Work app deployment
Demo

26 MAM without enrollment

27 Manage mobile productivity without device enrollment
Diagram labels: MAM policies; Corporate apps; Azure Rights Management; File policies; MDM – optional (Intune or 3rd-party); Personal apps; MDM policies

28 Intune mobile app management for BYOD
Diagram labels: Microsoft Intune; Personal; MAM policies; Personal Data; Corporate; LOB App #1; LOB App #2; Corporate Data

29 Intune mobile app management for MDM coexistence
Diagram labels: MDM vendor; MDM policies; Personal; Microsoft Intune; Personal Data; Corporate; LOB App #1; LOB App #2; MAM policies; Corporate Data

30 Mobile application management policies
Enforce corporate data access requirements
- Require a PIN for launching the app
- Require authentication using corporate credentials before launching the app
- Verify device health before launching the app
Prevent data leakage on the device
- Allow/block copy/paste
- Allow/block screen capture
- Prevent file saving to unauthorized locations
- Restrict sharing of data between applications
Enforce encryption of app data at rest
App-level selective wipe

31 Expanding App ecosystem

32 Apps for MAM without enrollment
Table of app availability (columns: Available now, Coming soon, Coming later; rows: iOS, Android)

33 BYOD using MAM-WE
Demo

35 Enabling apps for MAM

36 Enabling Protection for Apps Paths to MAM policies
Microsoft Applications
- Microsoft Office and Productivity Apps
- Natively manageable with Intune MAM
- Same App Store Apps for Personal and Corporate
Intune Companion Apps
- Support protected web browsing and content viewing
App Wrapping Tool
- Enables protection for LOB apps
- No code changes required, targeted for IT Pros
- Supported on iOS and now Android
App SDK
- Enables full DLP for any app, including Store Apps you publish
- Requires app participation, targeted for Developers
- Xamarin and Cordova Support

37 When to wrap and when to integrate SDK
Single identity versus multi-identity: Apps that use concepts such as multiple users or accounts are better suited to SDK integration, as wrapped apps consider the entire app to be managed.
User experience considerations: The SDK exposes more granular policy information that the app can use to modify its user interface for a more streamlined experience.
Source code access: Integrating the Intune SDK requires you to have access to the source code for the app.
Ease of use: Wrapping an app with the Intune App Wrapper is easier and faster than integrating the SDK.

38 Intune app SDK Available at github.com/msintuneappsdk
Developer guide:
- Xamarin, Cordova framework support
- MAM without enrollment preview available now
How to update apps for MAM without enrollment
- Need to rebuild for new SDK version
- Code changes required for MAM without enrollment support

39 App Wrapping Tool Download Center today but moving to GitHub soon
- MAM without enrollment support is in preview
- Support MAM without enrollment in coming weeks
- Will need to re-wrap existing apps

40 Android App Wrapper Demo

41 Check out other sessions
- BRK Learn what's new with OSD in System Center Configuration Manager and Microsoft Deployment Toolkit (Tuesday 9 A.M.)
- BRK2138 – Intune and Configuration Manager overview (Tuesday 10:45 A.M.)
- BRK Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune (Tuesday 2:15 P.M.)
- BRK Manage and secure iOS and Mac devices in your organization with Intune (Wednesday 2:15 P.M.)
- BRK Manage modern enterprise applications with Microsoft Intune & HockeyApp (Wednesday 4 P.M.)
- BRK Enhance Windows 10 security and management with ConfigMgr, Intune, and new cloud services (Wednesday 4 P.M.)
- BRK Accelerate your Microsoft Enterprise mobility and security deployment with FastTrack (Thursday 9 A.M.)
- BRK Conduct a successful pilot deployment of Microsoft Intune (Thursday 10:45 A.M.)
- BRK Learn how Intune helped Avanade’s global workforce get more productive (Thursday, 12:45 P.M.)
- BRK Align your Windows 10 management strategy to end-user and IT needs (Thursday 4 P.M.)
- BRK Deliver a BYOD program that employees and security teams will love with Intune (Friday 12:30 P.M.)

