
Access and Information Protection Product Overview Andrew McMurray Technical Evangelist – Windows Infra @MaccaMSOz.


1 Access and Information Protection Product Overview
Andrew McMurray, Technical Evangelist – Windows Infra

2 System Center Marketing
4/25/2017 Today’s challenges

Slide text: Devices: the explosion of devices is eroding the standards-based approach to corporate IT. Users: users expect to be able to work in any location and have access to all their work resources. Apps: deploying and managing applications across platforms is difficult. Data: users need to be productive while maintaining compliance and reducing risk.

Speaker notes: The explosion in the use and number of consumer devices, together with ubiquitous information access, is changing the way people perceive their technology and how that technology shapes their personal and work lives. The constant use of information technology throughout the day, along with easy access to information, is blurring the traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology, selected and customized to fit users’ personalities, activities, and schedules, should extend into the workplace.

Accommodating the consumerization of IT presents a variety of challenges. Historically, most or all devices used in the workplace were owned, and therefore managed, by the organization. Policies and processes were focused on device management, and usually on a relatively small, tightly controlled, and managed set of corporate-approved hardware that was subject to predetermined corporate replacement cycles. The consumerization of IT dramatically alters this scenario. There is greatly increased device and operating system diversity and volume in the organization. This can fundamentally change the IT landscape and necessitate a shift in management objectives from tight control over hardware to effective, user-centric governance.

The way resources and applications are accessed and consumed is also changing. With the shift to personal devices and mobility, there is a need to adapt how applications work. IT departments must also now consider authentication of the user, validation of the device, and updated service consumption models when planning their consumerization policies and implementation. The best organizational response is IT policies that match business realities and priorities, moving toward a people-centric model that replaces the older paradigm of device-centric policies and management. The Microsoft people-centric vision helps IT administrators increase their organizations’ productivity by enabling access to corporate resources, regardless of location or device used. This shift in focus requires policies, processes, and technologies that give people the freedom to select the devices they want to use, along with device-agnostic access to applications and data.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 People-centric IT

Slide text: Users, Devices, Apps, Data. Enable users: allow users to work on the devices of their choice and provide consistent access to corporate resources. Hybrid Identity: deliver unified application and device management on-premises and in the cloud. Protect your data: help protect corporate information and manage risk. Management. Access. Protection.

Speaker notes: Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations. Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by: enabling your end users, by allowing them to work on the device(s) of their choice and providing consistent access to corporate resources from those devices; helping protect your data, by protecting corporate information and managing risk; and unifying your environment, by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, and cloud-based services, including Windows Intune and Windows Azure. Let’s discuss each of these areas in more detail.

4 Access and Information Protection
Slide text: Enable users: simplified registration and enrollment for BYO devices; automatically connect to internal resources when needed; access to company resources is consistent across devices. Hybrid Identity: common identity to access resources on-premises and in the cloud. Protect your data: centralize corporate information for compliance and data protection; policy-based access control to applications and data.

Speaker notes: Across the people-centric IT scenarios and solutions, we think about delivering on the needs of users and IT in three distinct ways.

Empower users. Empowering users is about ensuring that users can work on the device of their choice and access the resources they need to get their jobs done. New in Windows Server 2012 R2 is the ability for users to register their devices in order to access corporate resources, and then enroll their devices with the management services in order to use the company portal for access to applications and to manage their devices. Also new in Windows Server 2012 R2 is the ability for the Windows client to automatically connect to internal resources when needed with an automatic VPN connection. And then it provides users with the ability to access company resources in a consistent way across devices, including new ways to sync corporate data with Work Folders.

Hybrid Identity. When it comes to managing the complexity of existing platforms and the new capabilities to deliver cloud-based services to corporately managed devices and user-provided devices, our customers are looking for unified solutions that can provide a consistent way to manage their environments regardless of where the services are delivered and consumed from. From an AIP point of view, we deliver on this need through a common identity for users, along with a unified way to manage identities for IT. A common identity to access resources on-premises and in the cloud is provided to users as we leverage the existing investments that customers have in Active Directory and connect to Windows Azure Active Directory, providing IT with the ability to federate the users’ identities with WAAD and other cloud-based identity domains.

Protect your data. And then finally we take a look at the last mile, the data. Users want to be able to access their information on the devices that they bring into the corporate world; however, IT is tasked with ensuring that corporate compliance policies are adhered to. Windows Server 2012 R2 provides the ability for customers to achieve these seemingly opposed goals in a couple of ways. Customers can centralize corporate information for compliance and data protection: moving data from unmanaged, decentralized locations such as laptops into a managed location, and then enabling data sync to devices, achieves the dual goals of allowing customers to gain control of information and empowering users to work in the way they want. It also provides the means for customers to create policy-based access control to applications and data, taking into account the user’s identity, whether the user’s device is “known” (registered), and also the location, whether they are internal or external to the corporate environment. Let’s take a closer look at each of these three pillars.

5 Enable users

Slide text: Challenges: users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources. Users want an easy way to be able to access their corporate applications from anywhere. IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies. Solutions: users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources. Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices. IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.

Speaker notes: First up is “Empower users.” The challenges that customers are facing are:

Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources. This blending of work and personal worlds is a challenge for IT because it makes it difficult to distinguish between the two, and when a device is lost, sold, or the user leaves the company, how does IT ensure no information is lost or made available to people not authorized for it?

Users want an easy way to access their corporate applications from anywhere. Once you have a device, when you want to get your work done and integrate it into your personal world, getting access to work-related applications can be challenging, with internal applications not available in public app stores, or not available for the platform that the device runs on. These devices are also typically connected to public networks and not internal managed networks.

IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.

Microsoft is answering these challenges with the following solutions: Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources. Device registration is a “give and get” scenario. The user “gives” by registering the device, and in turn “gets” access to resources. From an IT perspective, after the device is registered, it is an object in Active Directory, and as such it can be used as a security principal as part of the authentication and access policies. Additionally, users can enroll their devices with the Windows Intune management service, which provides them with the company portal for consistent access to applications and data, and to be able to manage their devices. And finally, IT can publish access to corporate resources with conditional access based on the user’s identity, the device the user is using and the user’s location (internal versus external). This provides IT with additional levels of capability to control where information can be synced to and accessed from. So now we will take a deeper look at how we have approached delivering on these solutions.

6 Helping IT to enable users
Slide text: Users can work from anywhere on their device with access to their corporate resources. Users can register devices for single sign-on and access to corporate data with Workplace Join. Users can enroll devices for access to the Company Portal for easy access to corporate applications. IT can provide seamless corporate access with DirectAccess and automatic VPN connections. IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity. IT can publish Desktop Virtualization (VDI) for access to centralized resources. Diagram labels: Active Directory; Web Application Proxy; Web Apps; RD Gateway; Session host; VDI; Remote Access; Files; LOB Apps.

Speaker notes: Let’s begin by thinking about how we can enable IT to empower users: how they can deliver on the users’ desire to work on their own device and have access to all their apps and data, and yet still retain control so that business and compliance requirements can be met. Let’s start with the ultimate goal: users can work from anywhere on their device with access to their corporate resources. This can be achieved through native applications for the device platform, web-based applications and data sync via Work Folders. Now, there may be some applications and data that we do not want to be available locally on devices, and for these users can access centralized applications and data through Desktop Virtualization, whether that be VDI, Session Host or RemoteApp.

We can empower users to register their devices for single sign-on and access to corporate data with Workplace Join. As previously covered, this is a give and get, and allows IT to open up access to applications and data that otherwise would not be available, in return for knowing about the device. An easy way for users to get all their applications in one place is by enrolling their devices for access to the Company Portal. This enrollment joins the device to the Windows Intune management service and allows the installation of the Company Portal, which IT can populate with internal LoB applications as well as links to applications that are available in the public app stores. From within the Company Portal users can also manage their devices and perform actions such as wiping a lost or replaced device.

Now when it comes to connecting to the corporate resources, we have three options that customers can use in the combination that best suits their needs:

IT can provide seamless corporate access with DirectAccess and automatic VPN connections. DirectAccess allows users to work remotely and always be connected to the corporate network without the need to initiate a VPN connection. New with Windows Server 2012 R2 and Windows 8.1 is the ability to configure applications to initiate the VPN connection when the application is launched.

IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity. New in Windows Server 2012 R2, using the Web Application Proxy IT can publish access to internal web applications which can be connected to from user devices, either by native applications or via a web browser. Additionally, the Web Application Proxy can pre-authenticate the user and the device and enforce access policies such as requiring the device to be registered or invoking multi-factor authentication.

IT can publish Desktop Virtualization (VDI) for access to centralized resources, either through Client VDI (virtual copies of the Windows Client), Session Host (Remote Desktop Services, previously known as Terminal Services) or RemoteApp (publishing of virtualized applications).

7 Registering and Enrolling Devices
Slide text: Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device. As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device. IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services. Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications. Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud. Diagram labels: Active Directory; AD FS; Web Application Proxy; Multi-Factor Authentication.

Speaker notes: When a user wants to use their own device, this immediately raises requirements from both the user and IT. The user needs access to apps and data, and IT needs to ensure that corporate information remains secure and that the business continues to deliver on its compliance and regulatory requirements. With Windows Server 2012 R2, we introduce a new concept known as device registration. Users can register their BYO devices for single sign-on and access to corporate data using Workplace Join. As part of this registration process, a certificate is installed on the device, and a new device object is created in Active Directory. This device object establishes a link between the user and their device, making it known to IT and allowing the device to be authenticated, effectively a seamless second factor of authentication. In return for registering their device and making it known to IT, the user gains access to corporate resources that were previously not available outside of their domain-joined PC. IT can publish access to corporate resources with the Web Application Proxy based on device awareness (i.e. whether it is registered) and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication (previously known as PhoneFactor). Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications and data, and to manage their own devices, performing tasks such as remotely wiping them in the event they are lost, stolen or replaced. And in order to provide administrators with a unified view of their entire environment, the data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and in the cloud.

8 Publish access to resources with the Web Application Proxy
Slide text: Users can access corporate applications and data wherever they are. Active Directory provides the central repository of user identity as well as the device registration information. IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS. Use conditional access for granular control over how and where the application can be accessed. Published applications: Claims & Kerberos web apps; Office Forms Based Access; RESTful OAuth apps; reverse proxy pass-through, e.g. NTLM & Basic based apps. Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps. Diagram labels: Devices; Apps & Data; Web Application Proxy; AD FS; Active Directory; AD Integrated; Mobile Services; Other cloud based apps and identity stores.

Speaker notes: Making information and applications available to users when they are outside the corporate environment can be challenging even when the devices being used are under full corporate control. When users start using their own devices, this introduces some additional considerations! The goal of people-centric IT is that users can access corporate applications and data wherever they are, on the device of their choice. When this happens, IT needs a way to validate the user’s identity, and may wish to apply additional conditions on what types of devices are able to access the information and applications provided by the company. To help IT provide this capability to their users, they can use the Web Application Proxy to authenticate users and devices with multi-factor authentication. This means that as a user connects, they can be asked to provide not only their identity credentials, but also to pass additional credential challenges. We leverage our customers’ investments in Active Directory to provide the central repository of user identity as well as the device registration information, storing not only the users’ credentials but also the device information that we can use as part of the authentication process.

The Web Application Proxy technically has two services: a generic reverse HTTP proxy that is used for publishing applications with straight pass-through, e.g. NTLM & Basic apps; and a specialized reverse HTTP proxy that is used by the authentication service to support cases of certificate authentication (user or device), whose client connection needs to terminate at the edge and be transmitted securely to AD FS inside the network. Both are referred to as reverse proxies, and provide the capability for our customers to either publish applications and use pass-through authentication against the application, or to leverage AD FS and apply conditional access for granular control over how and where the application can be accessed. The types of applications that can be published this way include Claims & Kerberos web apps, Office Forms Based Access, and RESTful OAuth apps. And finally, developers can leverage Windows Azure Mobile Services to integrate and enhance their apps. Azure Mobile Services provide a number of capabilities to help developers get going quickly and integrate complex capabilities with little effort, such as linking to data sources, authentication and configuring push notifications.
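The publishing and conditional access flow described on this slide, as an added example that is not part of the presentation: a hypothetical internal claims-aware web app ("Expenses", with a made-up external and backend URL and a placeholder certificate thumbprint and service account) is published through the Web Application Proxy with AD FS pre-authentication, and the relying party is given rules that permit only Workplace-Joined devices and require multi-factor authentication from outside the corporate network. Cmdlets are from the ADFS and WebApplicationProxy modules of Windows Server 2012 R2.

```powershell
# Added example, not from the presentation. Hypothetical app name, URLs, service account and
# thumbprint; replace them for a real environment.

# ---------- On the AD FS server ----------

# Device registration must be enabled once per farm before the device claims used below exist.
# The service account name is a placeholder.
Initialize-ADDeviceRegistration -ServiceAccountName 'CORP\svc_adfs$'
Enable-AdfsDeviceRegistration

$rpName      = 'Expenses'
$externalUrl = 'https://expenses.contoso.com/'

# Create the relying party trust for the application if it does not exist yet.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $externalUrl -WSFedEndpoint $externalUrl
}

# Issuance authorization rule (claims rule language): a permit claim is issued only when the
# device claim added by Workplace Join says the device is registered to the signing-in user.
# AD FS denies access when no permit claim is issued, so unregistered devices are blocked.
$authzRules = @'
@RuleName = "Permit only registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Additional authentication rule: requests that arrive through the Web Application Proxy carry
# insidecorporatenetwork = false, and for those AD FS demands the farm's multi-factor method.
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# ---------- On the Web Application Proxy server ----------

# Publish with AD FS pre-authentication. Publishing with -ExternalPreauthentication PassThrough
# is the "reverse proxy pass through" case the slide reserves for NTLM/Basic apps: it bypasses
# AD FS and therefore the device and MFA rules above.
Add-WebApplicationProxyApplication -Name $rpName `
    -ExternalPreauthentication ADFS `
    -ExternalUrl $externalUrl `
    -BackendServerUrl 'https://expenses.corp.contoso.local/' `
    -ADFSRelyingPartyName $rpName `
    -ExternalCertificateThumbprint '<thumbprint of the expenses.contoso.com certificate>'

# Review what is published; ExternalPreauthentication is the quick way to spot an application
# that was published pass-through when it should sit behind AD FS.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Format-Table -AutoSize
```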

9 Make corporate data available to users with Work Folders

Slide text: Users can sync their work data to their devices. Active Directory discoverability provides users with their Work Folders location. IT can configure a File Server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management. IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android). Users can register their devices to be able to sync data when IT enforces conditional access. IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS. Diagram labels: Active Directory; Devices; Apps & Data; Reverse Proxy; File Services; Web Application Proxy; AD FS; Domain joined devices.

Speaker notes: One of the most challenging things IT departments have been tasked with delivering has been user data … that is, corporate documents stored on user machines or on file shares. Maintaining control of this information AND making it consistently available to users across all of their devices is often viewed as opposing sides of the same coin … you can do one OR the other! With Windows Server Work Folders, we let you do both! Because of this, users have become well adapted to working around the restrictions in place … ing the documents, copying to USB keys or uploading to and working from consumer-based storage platforms such as Box, Dropbox or SkyDrive. The challenge with this is that a corporation loses all control of the information when this happens, both from a risk point of view (i.e. the information falling into the wrong hands) and from a compliance point of view, with the information only being available on users’ devices, not backed up or discoverable from a regulatory compliance stance. So, the first goal here is to enable users to sync their work data to their devices, and still be able to classify information and apply protection to sensitive data. The second goal is to centralize the data, that is, ensure that a copy of the information is kept within the corporate realm so that the information is available and backed up, as well as being subject to corporate business rules.

When we provide this, however, IT needs to be able to selectively wipe the corporate data from the clients in the event that the device is lost, stolen or otherwise needs to be decommissioned. The ability to do this is delivered through Windows Intune (or any other management solution that leverages the Windows EFS API), and exactly how this is performed and what happens to the data is dependent on the device platform. In all cases we render the information inaccessible, and where possible we remove the data also. To make the data available, we do need a solution to publish access to Work Folders. This can be achieved by publishing directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy for additional levels of authentication and authorization. The power behind this ability to sync users’ data to their devices is Work Folders, and to enable this IT can configure a File Server to provide Work Folders sync shares for each user to store data that syncs to their devices. This is configured as one share per user, and a quota can be enforced for the amount of data that a user can store in their share. And as mentioned previously, users can register their devices to be able to sync data when IT enforces conditional access policies. Now let’s take a look at enabling users to work remotely with network-based connections.

10 Effective working with Remote Access

Slide: Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources (an admin connection cannot originate from the intranet). An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources. With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present; the connection to the intranet is always active, so an admin connection can originate from the intranet. Diagram labels: Firewall; Web Apps, Session host, LOB Apps, Files, VDI.

Notes: When it comes to working remotely, it is not always possible to provide users with the ability to do their jobs without providing a network-level connection to corporate resources. So with Windows Server 2012 R2, Microsoft provides three ways that IT can provide this connectivity to users. With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present, meaning that the user has no action to take; they are simply "always connected" and have access to corporate resources. Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources. The user launches the VPN connection, typically enters credentials and often two-factor authentication, and a connection is established from the user's machine to the corporate environment. New in Windows Server 2012 R2 are automatic VPN connections, which provide automated starting of the VPN when a user launches an application that requires access to corporate resources. The user may still be prompted for two-factor credentials, but the requirement to initiate the connection before starting the application is removed; it will start whenever an application requires it.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
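The three connectivity models above differ in who starts the tunnel and when. As an added example (not from the deck), the following Windows 8.1 VpnClient cmdlets turn a traditional, user-initiated profile into an automatic VPN connection that starts when a LOB application launches, while trusted-network detection keeps it from firing on the intranet; the connection name, server, application path, DNS suffix and DNS server address are constructed values.

```powershell
# Added example; not taken from the deck. Assumes a Windows 8.1 client with the VpnClient
# module and an SSTP endpoint at vpn.contoso.com; the connection name, application path,
# DNS suffix and DNS server address are constructed values.

# A traditional, user-initiated profile: on its own, nothing connects until the user
# clicks Connect and supplies credentials.
Add-VpnConnection -Name "Contoso VPN" -ServerAddress "vpn.contoso.com" `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -RememberCredential

# Turn it into an automatic VPN connection: launching this LOB client starts the tunnel.
# The user may still be challenged for credentials or a second factor, but no longer has
# to remember to connect first. Packaged apps are referenced by package family name.
Add-VpnConnectionTriggerApplication -ConnectionName "Contoso VPN" `
    -ApplicationID "C:\Program Files\Contoso\ExpenseClient.exe"

# Name-based trigger: a lookup for the corporate suffix also brings the tunnel up, and the
# internal DNS server is used for that suffix once connected.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "Contoso VPN" `
    -DnsSuffix "corp.contoso.com" -DnsIPAddress "10.0.0.10"

# Trusted-network detection: when the client is already on the corporate network (its
# connection-specific DNS suffix matches), the triggers stay quiet, so the VPN is not
# started from inside the intranet.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName "Contoso VPN" `
    -DnsSuffix "corp.contoso.com"

# Review the trigger set before rolling the profile out to users.
Get-VpnConnectionTrigger -ConnectionName "Contoso VPN"
```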

11 Hybrid Identity

Slide: Challenges: providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms; managing multiple identities and keeping the information in sync across environments is a drain on IT resources. Solutions: users have a single sign-on experience when accessing all resources, regardless of location; users and IT can leverage their common identity for access to external resources through federation; IT can consistently manage identities across on-premises and cloud-based identity domains.

Notes: Now let's take a look at unifying your environment. The challenges that customers are facing are: providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms is a challenge; managing multiple identities and keeping the information in sync across environments is a drain on IT resources. Microsoft is answering these challenges with the following solutions: users have a single sign-on experience when accessing all resources, regardless of location, meaning that users do not have to remember multiple sets of credentials; users and IT can leverage their common identity for access to external resources through federation; IT can consistently manage identities across on-premises and cloud-based identity domains. So now we will take a deeper look at how Microsoft has approached delivering on these solutions.

12 Active Directory for the cloud

Slide: Diagram labels: Infrastructure Services; Files, LOB Apps, Web Apps; Active Directory. Callouts: Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises. Developers can integrate applications for single sign-on across on-premises and cloud-based applications. Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center for centralized management. Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure. Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.

Notes: Today's organizations need the flexibility to respond rapidly to new opportunities. They also need to give workers access to data and information—across varied networks, devices, and applications—while still keeping costs down. Innovations that meet these needs—such as virtualization, multitenancy, and cloud-based applications—help organizations maximize existing infrastructure investments, while exploring new services, improving management, and increasing availability. Although some factors—such as hybrid cloud implementations, a mobile workforce, and increased work with third-party business partners—add flexibility and reduce costs, they also lead to a more porous network perimeter. When organizations move more and more resources into the cloud, and grant network access to mobile workers and business partners outside the firewall, managing security, identity, and access control becomes a greater challenge.

In order to help our customers respond to these needs and challenges, Microsoft has enhanced Active Directory in a number of ways:
- Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning. Virtualizing Active Directory in the past has been challenging, and was fraught with potential issues when administrators used common virtualization platform management tasks such as snapshots. Active Directory has been updated to be "virtualization aware" and to respond accordingly.
- Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center (AD AC) for centralized management. The new AD AC centralizes all the management tasks into a single location, making it much easier to complete everyday administrative tasks against Active Directory and associated features such as Dynamic Access Control.
- Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services (AD FS) to reduce infrastructure on-premises. Microsoft supports running domain controllers and AD FS on Windows Azure IaaS, connected back on-premises via the Azure Connect bridge, making it easier and faster for customers to connect and authenticate cloud-based users, devices and applications.
- Developers can integrate applications for single sign-on across on-premises and cloud-based applications, providing a more productive experience for users and an easier way for customers to manage the identity of users within these applications.
- You can also activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure. This provides customers with the ability to activate both the Windows operating system and Office simply by joining the Active Directory domain!

13 Increasing the value in Active Directory Federation Services

Slide: Diagram labels: Active Directory; AD FS; Firewall; Web Application Proxy (includes AD FS Proxy); Published applications: RESTful OAuth apps, Office Forms Based Access, Claims & Kerberos web apps; SaaS Apps; Resources in other businesses or identity realms. Callouts: Enhancements to AD FS include simplified deployment and management. Organizations can connect to SaaS applications running in Windows Azure, Office 365 and 3rd party providers. Organizations can federate with partners and other organizations for seamless access to shared resources. Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location. Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication.

Notes: AD FS simplifies end-user access to systems and applications by using a claims-based access authorization mechanism to maintain application security. In Windows Server 2012 R2, there are significant enhancements to AD FS including simplified deployment and management. Using the Web Application Proxy, conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location. The Web Application Proxy reads AD FS and makes it very easy to publish applications securely. As we have previously covered, users can register their devices to gain access to corporate data and apps and single sign-on through device authentication. This registration process is enabled by the Web Application Proxy and AD FS. Organizations can federate with partners and other organizations for seamless access to shared resources, allowing administrators to authenticate users from federated organizations, and organizations can connect to SaaS applications running in Windows Azure, Office 365 and 3rd party providers, providing users with a single sign-on experience.

Additional information. You can deploy AD FS to:
- Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.
- Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).
- Provide your employees or customers with a Web-based SSO experience when they need remote access to internally hosted Web sites or services.
- Provide your employees or customers with a Web-based SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.

AD FS components:
- Federation Service: provides security tokens to client applications in response to requests for access to resources.
- Federation Service Proxy: collects user credentials from browser clients and Web applications and forwards the credentials to the Federation Service on their behalf.
- Claims-aware Agent: provides federated access control for applications which use claims directly for authentication.
- Windows Token-based Agent: provides federated access control for Windows applications that use traditional Windows token-based authentication.

There have been significant investments in AD FS in Windows Server 2012 R2, including:
- BYOD: registration service for consumer devices to drive conditional access; device authentication; conditional access on a per-application basis based on user, device and network location.
- Flexible authentication policies: per-app MFA trigger support; enhanced SSO; pluggable MFA.
- Support for modern LOB apps: native client OAuth* ('code' profile); JWT tokens; support for the Web Authentication Broker client in Windows vNext.
- Better smartcard enforcement for compliance initiatives.
- Improved sign-in experiences: extranet password change (not reset); password expiry notification; in-box support for mobile form factors; default aligned with AAD; easy customization of sign-in experiences; persistent SSO (e.g. Keep Me Signed In).
- Improved deployment experience: GUI support for SQL deployments; remote deployment with SM; improved geo support for SQL.

14 Single sign-on with device registration

Slide: Not Joined: user-provided devices are "unknown" and IT has no control; partial access may be provided to corporate information. Workplace Joined: registered devices are "known" and device authentication allows IT to provide conditional access to corporate information. Domain Joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information. Single sign-on scenarios: browser session single sign-on; seamless 2-factor auth for web apps; enterprise apps single sign-on; desktop single sign-on.

Notes: As you have seen so far, we have expanded our investments around Active Directory to now be able to register information about BYO devices. These new capabilities mean that we have more points on the scale between non-domain joined and domain joined. There is a new middle ground. With Windows Server 2012 R2, we now have three possible states for a device to be in with regards to Active Directory. A user-provided device, which is "unknown" and over which IT has no control, is not domain joined. Partial access may be provided to corporate information in this state, such as the ability to sync or access information that is not sensitive. When a user registers a device, it becomes "known", and device authentication using the certificate on the device and the AD registration object allows IT to provide conditional access to corporate information. The device effectively provides seamless 2-factor authentication. Domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.

Now, as far as the BYO scenarios go, beyond the authentication capabilities we have already discussed, we also enable a number of single sign-on scenarios, and these differ for each of the three states. The most basic one is browser session single sign-on; this is possible across all three states, as the sign-on is cached only so long as the browser is open and no time-out limits are enforced. The next one is seamless 2-factor auth for web apps, and this becomes possible with device registration. This is achieved by leveraging the certificate on the device paired with the registration object in AD. Thirdly, we can enable enterprise apps single sign-on, which is also possible with device registration. And then finally, desktop single sign-on is only possible with a fully domain-joined PC.

15 Managing cloud identities

Slide: Diagram labels: Active Directory; DirSync; AD FS; Web Apps, LOB Apps, Files; Apps in Azure; 3rd party services. Callouts: Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and non-Microsoft applications. Developers can build applications that leverage the common identity model. Users are more productive by having a single sign-on to all their resources. IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity. IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and Windows Azure Active Directory.

Notes: As with users blending their work and personal lives, companies are looking to blend their existing on-premises applications to take advantage of new cloud-based services. When this happens, customers need a way to consistently manage identity across their on-premises environments as well as the cloud-based services. Microsoft provides solutions that enable customers to achieve this by leveraging their existing investments and connecting out to the cloud-based services. The goal here is to make users more productive by having a single sign-on to all their resources. IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and then connecting to Windows Azure Active Directory. In order to provide this experience to users, IT is able to use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity. Users can leverage their common identity through accounts in Windows Azure Active Directory to Windows Azure, other Microsoft online services like Office 365, and non-Microsoft applications. Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Windows Azure for cloud-based applications. Active Directory Directory Synchronization, or DirSync, synchronizes the local Active Directory with the Microsoft Online Services Directory. DirSync lets you control and manage user accounts in the traditional way through Active Directory Users and Computers. In addition, the Global Address List (GAL) can be synchronized between the local Active Directory and the online environment.

16 Delivering a seamless user authentication experience

Slide: Cloud Authentication (DirSync with password hash sync): user attributes are synchronized using DirSync, including the password hash; authentication is completed against Windows Azure Active Directory. Multi-Factor Authentication can be configured through Windows Azure Active Directory. Diagram labels: Active Directory; DirSync.

Federated Authentication with Single Sign-On: user attributes are synchronized using DirSync; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication. Diagram labels: Active Directory; AD FS.

17 Windows Azure Active Directory

Slide: Windows Azure Active Directory: more than a directory in the cloud. Diagram labels: Active Directory; Web Apps, LOB Apps; 3rd party services; Multi-Factor Authentication. Callouts: Choose among hundreds of popular SaaS apps from a pre-populated application gallery. Sync identity with DirSync or provide SSO with AD FS. Add multi-factor authentication for additional user identity verification. Easily add custom cloud-based apps. Facilitate developers with identity management. Comprehensive identity and access management with a common identity across on-premises and in the cloud.

Notes: Windows Azure Active Directory is more than a directory in the cloud. It's actually an identity and access management solution as a service (IDaaS).

Pre-integrated SaaS apps. To make single sign-on configuration even easier, we have chosen the most popular cloud applications, regardless of the public cloud they are hosted on, and we have preconfigured all the parameters needed to federate with them. We have created an application gallery with all of them so that an administrator can choose those that your enterprise is using and configure single sign-on to them. In the application gallery you can find Microsoft and 3rd party SaaS apps. Some examples are: Office 365, Windows Intune, Salesforce, Box, Google Apps mail, Concur. More applications will follow in the next weeks.

Custom LOB apps and developer facilitation. If your enterprise uses cloud-based SaaS or custom LOB applications that are not pre-integrated into Windows Azure Active Directory, you can follow simple steps to add them and enable single sign-on to them too. Windows Azure Active Directory also provides developers a way to integrate identity management in their new apps. A developer can build an application on any platform (.NET, Node, Java), host it in any cloud (we strongly recommend using our rich platform and hosting it on Azure), and leave the identity management to Azure AD. Access Control Service provides the authentication for identities hosted in Windows Azure Active Directory or even social logins like Microsoft accounts (Live ID), Facebook, Yahoo, Google. Graph API gives developers the ability to query the directory to get a view of an enterprise directory and the relationships between its objects, and use them in the application. For example, if an application has a workflow that must include the manager or the team of the user, the developer can retrieve their identities through Graph API. More info on what we offer to developers for application integration:

At this point we must highlight that Windows Azure Active Directory can also provide identity management for cloud-only solutions. If there is a need for a custom-branded cloud directory to host identities and provide authentication to cloud-based apps that are built on Azure or any other public cloud, Windows Azure Active Directory can address your needs. Create a Windows Azure Active Directory tenant, give it a name that you want, add users and assign them access to cloud-based apps with a new set of credentials. That could be a solution for customer, partner or vendor related projects, or for new companies that are focused on the cloud. Pre-integrated or easily added SaaS apps, custom LOB cloud-based apps, and newly developed apps, hosted on Azure or any other cloud, can be connected with Windows Azure Active Directory, making it the home of all the cloud-based applications you need.

18 Protect your data

Slide: Challenges: as users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device; a significant amount of corporate data can only be found locally on user devices; IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance. Solutions: users can work on the device of their choice and be able to access all their resources, regardless of location or device; IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents; IT can centrally audit and report on information access.

Notes: And lastly, let's take a look at protecting your data. The challenges that customers are facing are: as users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device. A significant amount of corporate data can only be found locally on user devices, which means it is not backed up or available for compliance classification, and it is unprotected in the event a device is lost, stolen, or sold. IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance. Microsoft is answering these challenges with the following solutions: users can work on the device of their choice and be able to access all their resources, regardless of location or device; IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents; IT can centrally audit and report on information access. So now we will take a deeper look at how Microsoft has approached delivering on these solutions.

19 Policy based access to corporate information

Slide: Diagram labels: Centralized Data; Desktop Virtualization; RD Gateway; Distributed Data; Devices; LOB Apps, Web Apps, Session host, Files, VDI; Access Policy. Callouts: IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies. Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications. IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed. IT can audit user access to information based on central audit policies.

Notes: Protecting the access to and consumption of corporate information can be a very challenging and costly exercise for our customers. In Windows Server 2012 R2, Microsoft has made it easy for customers to make information available to users, but retain control of how and where they can consume the information. Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications. The most common requirements for information locally on devices relate to access to files and the ability to run applications. Work Folders allows the publishing and sync of data from inside the corporate boundary to client devices (and vice versa), and when applications are not able or desired to be available locally on devices, Microsoft has desktop virtualization solutions to allow users to still work effectively. IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed. The Web Application Proxy is able to authenticate users and devices, and make policy-based decisions on who and what can access information, including integration with MFA options such as ActiveAuth (PhoneFactor), RSA, and so on. And then after users do get access, Microsoft provides the ability for IT to audit access to information based on central audit policies, configured and distributed through Group Policy. Looking at desktop virtualization specifically, Microsoft is enabling IT to provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies; as stated earlier, this is for applications and data which it is desired to keep centralized rather than available in a distributed fashion locally on user devices.

20 Protecting information with multi-factor authentication

Slide: Multi-Factor Authentication flow:
1. The user attempts to log in or perform an action that is subject to MFA.
2. When the user authenticates, the application or service performs an MFA call.
3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app.
4. The response is returned to the app, which then allows the user to proceed.
5. IT can configure the type and frequency of the MFA that the user must respond to.
Diagram labels: User; AD FS; Application authentication, e.g. Active Directory, RADIUS, LDAP, SQL, custom apps.

Notes: Integration with Windows Azure Active Authentication (previously PhoneFactor) provides IT with the ability to enforce multi-factor authentication when users connect. The flow of this process is the five steps listed above: the user attempts to log in or perform an action that is subject to MFA; when the user authenticates, the application or service performs an MFA call; the user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app; the response is returned to the app, which then allows the user to proceed. IT can configure the type and frequency of the MFA that the user must respond to.
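Slides 13, 14 and 20 describe per-application MFA triggered by user, device registration and network location. The following AD FS cmdlets, an added example that is not part of the deck, express that policy on a Windows Server 2012 R2 farm: an unregistered device coming from the extranet gets an MFA challenge, a registered ("known") device does not, and a sensitive app demands MFA every time and admits registered devices only. The relying party name "Expense Portal" is a constructed value; the claim type URIs are the ones AD FS issues for network location and device registration.

```powershell
# Added example; not taken from the deck. Assumes a Windows Server 2012 R2 AD FS farm on which
# the Device Registration Service has been initialised and enabled, and an existing relying
# party trust named "Expense Portal" (a constructed name) for a claims-aware web app.
Import-Module ADFS

# Let device authentication (the certificate issued by Workplace Join) take part in sign-in.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Claim types AD FS derives from the request: network location (set when the request comes
# through the Web Application Proxy) and whether the device is registered to the signing-in user.
$Inside     = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$Registered = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
$AuthMethod = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$MultiAuthn = "http://schemas.microsoft.com/claims/multipleauthn"
$Permit     = "http://schemas.microsoft.com/authorization/claims/permit"

# Global MFA policy: a second factor is required from the extranet only when the device is
# not workplace joined. A registered device already contributes a second factor (its device
# certificate), so its user gets single sign-on without the extra prompt; intranet users are
# never prompted by this rule.
$GlobalMfa = @"
c1:[Type == "$Inside", Value == "false"] &&
c2:[Type == "$Registered", Value == "false"]
  => issue(Type = "$AuthMethod", Value = "$MultiAuthn");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $GlobalMfa

# Per-application policy for a sensitive app: MFA on every sign-in (an unconditional rule
# has an empty left-hand side), and a permit claim only for registered devices, so an
# "unknown" device is refused access to this app regardless of how the user authenticated.
$AppMfa = @"
=> issue(Type = "$AuthMethod", Value = "$MultiAuthn");
"@
$AppAuthz = @"
c:[Type == "$Registered", Value == "true"]
  => issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName "Expense Portal" `
    -AdditionalAuthenticationRules $AppMfa `
    -IssuanceAuthorizationRules $AppAuthz

# Confirm what is now enforced for the app.
Get-AdfsRelyingPartyTrust -Name "Expense Portal" |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Both rule sets are evaluated on each request, so the global extranet rule and the app's own rules combine rather than replace one another.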

21 Protect data with Dynamic Access Control
File Services / Active Directory

Introduced in Windows Server 2012, Dynamic Access Control is a function of the File Server role that allows for the configuration of policies that:

Automatically identify and classify data based on content. Classification applies as files are created or modified. This is effectively metadata tagging in the properties of the files, and it can be enforced centrally across the entire environment.

File classification, access policies, and automated Rights Management work against client-distributed data through Work Folders. So when a user creates a file locally on a device that contains information meeting the criteria for classification and/or RMS encryption, the file syncs up to the server, is classified and updated, and then syncs back down to the client with the new metadata and file encryption.

Centrally manage access control and audit policies from Windows Server Active Directory. All policies are stored in and enforced from Active Directory, leveraging common Group Policies for deployment and updating of the policies. Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents. IT can pre-stage and simulate the effect of changes to policies prior to enforcement.

Integration with Active Directory Rights Management Services provides automated encryption of documents based on expression-based content rules.
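One way the central access policy described above is created and staged in Active Directory, as an added PowerShell example that is not part of the presentation: the cmdlets are from the ActiveDirectory (RSAT) module, while the claim type, resource property values, rule name and policy name are constructed for illustration.

```powershell
# Added example (not from the presentation): build and stage a Dynamic Access
# Control central access policy. Assumes a Windows Server 2012 (or later) domain
# with the ActiveDirectory module available and rights to write to the
# Configuration partition. Names and values below are constructed.
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD "department" attribute.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -Enabled $true

# 2. A matching resource property (the classification tag stamped on files),
#    with the allowed values. "Global Resource Property List" is the built-in list.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance documents"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR", "HR", "HR documents")
)
New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department"

# 3. A central access rule in SDDL: full control for owner, admins and SYSTEM,
#    and for Authenticated Users only when the user's Department claim equals the
#    file's Department classification. The rule applies to files classified Finance.
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;FA;;;AU;(@USER.Department == @RESOURCE.Department))'

#    -ProposedAcl stages the rule: file servers evaluate it and write Security
#    event 4818 when the proposed result differs from the current one, but do not
#    enforce it. This is the "pre-stage and simulate" step from the slide.
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department Contains {"Finance"})' `
    -ProposedAcl $sddl

# 4. Bundle the rule into a policy. The policy is then delivered to file servers
#    by Group Policy (Computer Configuration > Windows Settings > Security
#    Settings > File System > Central Access Policy) and bound to shares there.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"

# 5. After reviewing the staging audits, promote the proposed ACL to enforced.
Set-ADCentralAccessRule -Identity "Finance Documents Rule" -CurrentAcl $sddl
```

Staging events only appear if the "Audit Central Access Policy Staging" subcategory is enabled in the file servers' advanced audit policy.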

22 Recap: Access and Information Protection
Across the people-centric IT scenarios and solutions, we think about delivering on the needs of users and IT in three distinct ways.

Empower users. Empowering users is about ensuring that users can work on the device of their choice and access the resources they need to get their jobs done. New in Windows Server 2012 R2 is the ability for users to register their devices in order to access corporate resources, and then enroll their devices with the management services in order to use the company portal for access to applications and to manage their devices. Also new in Windows Server 2012 R2 is the ability for the Windows client to automatically connect to internal resources when needed with an automatic VPN connection. It also provides users with the ability to access company resources in a consistent way across devices, including new ways to sync corporate data with Work Folders.

Unify your environment. When it comes to managing the complexity of existing platforms and the new capabilities to deliver cloud-based services to corporately managed devices and user-provided devices, our customers are looking for unified solutions that provide a consistent way to manage their environments regardless of where the services are delivered and consumed from. From an AIP point of view, we deliver on this need through a common identity for users, along with a unified way to manage identities for IT. A common identity to access resources on-premises and in the cloud is provided to users as we leverage the existing investments that customers have in Active Directory and connect to Windows Azure Active Directory, giving IT the ability to federate users' identities with WAAD and other cloud-based identity domains.

Protect your data. Finally, we take a look at the last mile, the data. Users want to be able to access their information on the devices that they bring into the corporate world; however, IT is tasked with ensuring that corporate compliance policies are adhered to. Windows Server 2012 R2 provides the ability for customers to reconcile these somewhat conflicting scenarios in a couple of ways: customers can centralize corporate information for compliance and data protection. Moving data from unmanaged, decentralized locations such as laptops into a managed location, and then enabling data sync to devices, achieves the dual goals of allowing customers to gain control of information and empowering users to work in the way they want. It also provides the means for customers to create policy-based access control to applications and data, taking into account the user's identity, whether the user's device is "known" (registered), and the location, whether internal or external to the corporate environment. Let's take a closer look at each of these three pillars.

Slide summary:
Enable users: simplified registration and enrollment for BYO devices; automatically connect to internal resources when needed; access to company resources is consistent across devices.
Hybrid identity: common identity to access resources on-premises and in the cloud.
Protect your data: centralize corporate information for compliance and data protection; policy-based access control to applications and data.

23 For More Information
System Center 2012 R2 Configuration Manager: us/evalcenter/hh aspx?wt.mc_id=TEC_105_1_33
Windows Intune: buy
Windows Server 2012 R2: server/windows-server-2012-r2.aspx
More Resources: information-protection.aspx, management.aspx

With the release of Windows 8, Windows Server 2012, Configuration Manager 2012 SP1, and the latest Windows Intune release, we have a comprehensive solution to help you manage your users and devices. We encourage you to evaluate and deploy all of these technologies. You can find more resources on microsoft.com.

24 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

