Published by Sheila O’Connor, modified over 7 years ago
1
Microsoft Intune
Mobile device and application management from the cloud
Speaker Name, Date

Be sure to welcome and thank the audience, and introduce yourself and your role before you get started with the presentation.
2
Mobility is the new normal
52%: 52 percent of information workers across 17 countries report using three or more devices for work*
90%: 90 percent of enterprises will have two or more mobile operating systems to support in 2017**
>80%: more than 80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***

There are a couple of mega trends that have been changing the world of work as we know it. The place where people actually get their work done is no longer exclusively a traditional office or workplace. People now work from home, cafes, customer sites, on the road, in the air. In fact, people can—and do—work from just about anywhere. Even when they’re in the office, people don’t expect to be sitting at their desk in order to be productive. We are in an era where mobility really is the new normal. The cloud-first, mobile-first world is here. People expect to have the ability to work where, when, and how they choose—using the devices they love and the apps they are familiar with.

Just look at the story told by some of these stats: 52% of information workers across 17 countries report using three or more devices for work. 90% of enterprises will have two or more mobile operating systems to support in 2017. More than 80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs.

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner: press release, Oct. 25, 2012
***
3
What's driving change? User, Devices, Apps, Data, IT

(Build devices)
What’s behind this shift in work practices? As I mentioned, there are a couple of mega trends that have taken hold. Firstly, there’s the proliferation of consumer devices, sometimes called the consumerization of IT. Users have a lot more devices to choose from: new form factors, different platforms, different sizes, shapes and colors. The net result is that devices become an object of personal choice, and users of those devices feel a strong affinity with the devices they use. Try to force a user to settle for a device they don’t love, or stop them from using the device they want, and you’re asking for trouble. As it stands, over 60% of devices in the workplace are personally owned.

(Build apps and data)
Then there’s the cloud. People are always connected, and there’s an app for just about everything. This explosion of low-cost SaaS apps means that if a user can’t find a way to do what they want with the tools IT gives them, it’s very easy and cheap to find their own solutions, and so Shadow IT is born. Apps need data, so very soon users are finding ways to use not only personal devices but also personal apps to access corporate data.

(Build user)
Finally, there’s a natural shift as a younger generation, a generation that has grown up in this always-connected world, enters the workforce. Your new college graduates are huge social collaborators already and are bringing those connected collaboration skills to the workplace, expecting an infrastructure that will support them in how they work.

Whatever the drivers, the shift has created a tension between what users need and what IT is responsible for. 60% of users think that IT is incapable of providing productivity capabilities, while Gartner predicts that by 2016, 20% of BYOD projects will fail because IT has imposed too tight a control on personal devices.
4
Empowering enterprise mobility
People-centric approach (User, Devices, Apps, Data, IT):
Enable your users
Protect your data
Unify your environment

Microsoft takes a people-centric approach to enterprise mobility, meaning we focus on productivity and efficiency for everyone, IT and users alike. We look across user devices, data and applications, but always centered on the needs of the users. Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work-style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.

Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT, addressing the three constant business challenges:
Enabling your end users to be as productive as possible by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.
Helping IT to protect your data by protecting corporate information and managing risk.
Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Microsoft Intune and Microsoft Azure.
5
Why Microsoft? Our mobility solution is different
EMS Overview 10/3/2017

It’s integrated on common identity: access from many devices
It protects Office better: manage and secure productivity
It just works: preserve existing investments
It’s comprehensive: support iOS, Android, Windows
Protection at all layers: identity, device, apps, data—built in

How Microsoft’s solution is different: Only Microsoft offers enterprise-grade cloud identity and access management solutions designed to help secure your IT environment. Microsoft Azure Active Directory has hundreds of millions of users, is available in 35 datacenters around the world, and has processed more than 1 trillion (yes, trillion) authentications.

Also, protecting email and other corporate data on mobile devices—without bogging down workers—is one of today’s biggest IT challenges. Other vendors solve it with apps that compromise user experience and put the brakes on productivity. Microsoft enterprise mobility solutions integrate deeply with Microsoft Office, the gold standard of productivity. We’re the only solution that brings managed mobile productivity with Microsoft Office across devices.

Architecture matters. That’s why our enterprise mobility management solutions are designed to run in the cloud and work seamlessly with your existing on-premises infrastructure. Our cloud-first approach to managing a mobile enterprise is the fastest, most cost-effective way to meet new business challenges and accommodate new devices, new apps, and new hires—without worrying about scale, maintenance or updates.

We have the only enterprise mobility solution designed to help manage and protect users, devices, apps (PC or mobile), and data. Not only is Microsoft the most comprehensive solution, it’s also a great value: our Enterprise Mobility Suite is 58% less than standalone products from other vendors. And finally, as you’ve probably heard before: Microsoft protects all layers, not just devices and apps. Our solution is built on identity and access management at its core, and it has protection all the way down to the file layer with Azure Rights Management Services (RMS).

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Surface and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
6
Enterprise Mobility Suite
Unify identity (Azure Active Directory Premium): Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
Manage apps and devices (Microsoft Intune): Manage and protect corporate apps and data on almost any device with MDM and MAM.
Protect data (Azure Rights Management): Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.

Microsoft Enterprise Mobility Suite is the only enterprise mobility solution designed to help manage and protect users, devices, apps (PC or mobile), and data.
Unify identity: Give users single sign-on and self-service password management for any corporate resource, and easily manage identities across on-premises and cloud (Azure Active Directory Premium).
Manage and protect corporate apps and data on virtually any device with Microsoft's mobile device management (MDM) and mobile application management (MAM) solution (Microsoft Intune).
Protect data: Stay in control of your corporate data even when it’s shared with others, inside or outside of your organization. Encryption, identity, and authorization policies secure corporate files and email across phones, tablets, and PCs.
7
Device management challenges
Traditional PC management, BYOD, CYOD, regulated devices, Internet of Things (IoT) / embedded devices

Let’s now focus on mobile device and application management. It’s not just about managing PCs anymore; we’re here to provide a complete solution for all these major scenarios. And it’s not simple: no one scenario will win (at least in the near term). Customers will need a management solution that covers all, or at least a subset, of these scenarios, and Microsoft has a solution that does just that.

Traditional PC management: company-owned devices. Full management of the device (manage the whole device; imaging). Agent-based.
BYOD: personally owned devices. Light management (protect corporate data; may not be able to enroll). Highly mobile, cross-platform.
CYOD: light management (protect corporate data; imaging not required).
Regulated devices: some devices are used for highly regulated purposes and can’t connect to the Internet.
Internet of Things (IoT), i.e., embedded devices: not always allowed or capable of connecting to the Internet. Future: Windows 10 Core and Mobile, MDM-only management.
8
Enterprise mobility management with Intune
Microsoft Intune: mobile device management, mobile application management, and PC management. Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Now let’s take a closer look at Microsoft Intune and how Intune delivers enterprise mobility management. With Intune, you can provide employees with access to corporate applications, data, and resources from anywhere on almost any device, while helping to keep corporate information secure.

With Intune’s Mobile Device Management (MDM) capabilities, you can:
Restrict access to Exchange based upon device enrollment and compliance policies
Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled for management
Simplify device enrollment in the case of large-scale deployments using Apple Configurator or Intune service accounts
Provide a self-service Company Portal for users to enroll their own devices and install corporate applications across iOS, Android, Windows and Windows Phone

With Intune’s Mobile Application Management (MAM) capabilities, you can:
Maximize mobile productivity with Intune-managed Office mobile apps while still protecting corporate data by restricting actions such as copy/cut/paste/save outside of your managed app ecosystem
Extend these same management capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
Provide secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune

Additionally, you can also manage PCs using Intune:
Provide lightweight, agentless management from the cloud, or deliver agent-based management
Connect Intune to System Center 2012 R2 Configuration Manager to manage all of your devices on-premises and in the cloud, including Macs, Unix/Linux servers, PCs, and mobile devices, from a single management console
Provide real-time protection against malware threats on managed computers
Collect information about hardware configurations and software installed on managed computers
Deploy software based on policies set by the administrator
9
Comprehensive lifecycle management
Enroll: Provide a self-service Company Portal for users to enroll devices. Deliver custom terms and conditions at enrollment. Bulk enroll devices using Apple Configurator or a service account. Restrict access to Exchange if a device is not enrolled.
Provision: Deploy certificates, email, VPN, and WiFi profiles. Deploy device security policy settings. Install mandatory apps. Deploy app restriction policies. Deploy data protection policies.
Manage and protect: Restrict access to corporate resources if policies are violated (e.g., jailbroken device). Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps. Report on device and app compliance.
Retire: Revoke access to corporate resources. Perform selective wipe. Audit lost and stolen devices.

Intune enables organizations to manage devices throughout the entire lifecycle, from device enrollment and provisioning to management and protection, through to retirement of the device when an employee leaves the company or in the unfortunate event that a device is lost or stolen, all using Intune’s web console. End users also have the ability to enroll their own devices, install recommended company apps and perform a selective wipe from Intune’s self-service Company Portal, which we’ll talk more about shortly.
10
Enable users to be productive
Enable users to be productive on the devices of their choice while on the go.
11
Enroll devices to access corporate resources
In most cases, users expect consistent access to corporate resources across a variety of different devices. In this scenario, the user has a PC and a couple of tablets—an iPad and a Windows device. She also has a number of phones, spanning iOS, Android, and Windows Phone. Some of them were supplied by the company and others she purchased herself. Our user ultimately doesn’t care who owns the device; she just wants to access her work resources on whatever device she happens to be using at that time. And since some of the devices are her own, she doesn’t really think or care much about the management of these devices, but she knows that there is some degree of regulation required. She is happy to accept a few corporate policies on her devices as long as they’re not too intrusive. She just wants to access the apps and data that she needs.

To support this proliferation of devices in the workplace, IT needs an efficient way to manage each of these devices, many of which are not corporately owned or under management. The IT admin also needs a way to deploy required apps onto the users’ devices. Using Intune, IT can provide a customized Company Portal app where users can enroll their device into Intune; the IT pro can then apply policies and use the identity settings he already has in place to target apps to different users based on their identity and the device type they’re using. This means that when our user gets a new device, she simply has to enroll it through the Company Portal and IT’s policies will be automatically applied to that device. Then, our user can view all the apps available to her and download them onto her device herself.

Actions upon device enrollment:
Deploy email, VPN, and WiFi profiles
Deploy certificates
Deploy and install apps
Deploy managed app configuration policies
Apply and enforce device configuration settings
Collect hardware and software inventory data
12
Email profile management
Corporate email server: any service supported by Exchange ActiveSync.

Deploy email profile upon enrollment:
Configure email account settings and security restrictions
Enable certificate authentication
Synchronize email, tasks, contacts, and calendar
Support for iOS, Samsung KNOX, and Windows Phone

Another important piece of functionality is the ability of Intune to deploy email profiles to enrolled devices. This enables users to quickly get access to their corporate email without any manual configuration. As you can see on the screen, Intune deploys the email profile to the device after it is enrolled, which includes the options listed above. Having this information, the device is able to contact the corporate email server, authenticate and get access to the email. The user does not need to do any manual work and can get productive right away!
13
Microsoft Passport management for Windows 10
Microsoft Passport replaces passwords with strong two-factor authentication to help protect user identities and user credentials:
Credentials protected by hardware or software
Credentials can be based on certificates or local keys
Can be accessed using biometrics (Windows Hello) or PIN
Intune provides comprehensive management of Microsoft Passport:
Intune can deploy certificates to Microsoft Passport to authenticate users and help them access corporate resources
Intune manages Passport for Work policy, including PIN settings, biometrics settings, and Trusted Platform Module (TPM) requirements
Note: The capabilities shown on this slide are still in development.

Enterprise security threats are on the rise. Windows 10 delivers entirely new ways to protect your systems and data. With features like Windows Hello and Microsoft Passport, we make it easier to adopt biometrics and multi-factor authentication, providing a user-friendly way to move away from passwords once and for all. With Microsoft Intune, you can deploy certificates to the Microsoft Passport container and manage Passport for Work policies such as PIN settings, biometrics settings, and TPM requirements. NOTE: PKI is not a requirement but can be used.
14
Windows 10 Azure AD Joined Devices
Azure AD Join for Windows 10: Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. With Azure AD Join, you can auto-enroll devices in Microsoft Intune for management.
Intune / MDM auto-enrollment
Support for hybrid environments
Single sign-on from the desktop to cloud and on-premises applications with no VPN (apps in Azure, 3rd party apps and clouds, on-premises apps, enterprise-compliant services)

One of the new enrollment options that is available for both BYOD and CYOD scenarios when using Windows 10 is Azure AD Join, which makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. With Azure AD Join, you can auto-enroll devices in management with Microsoft Intune or a 3rd party MDM. This means that a user can take his or her device, use the corporate credentials to perform Azure AD Join, and get access to corporate resources in the cloud and on-premises, as well as gain benefits such as SSO and auto-enrollment to Intune.
15
Manage a broad set of apps with EMS
SaaS apps: Azure AD Premium
Native apps: Intune
Windows apps anywhere: RemoteApp

Employees can access native apps (both from the public app store and internal line-of-business (LOB) apps) from the Intune Company Portal, but that’s just one type of app that employees need to get their work done. Software as a Service (SaaS) apps have been growing very rapidly in the past few years, and EMS is able to provide secure access to them as well. Employees can access all of their SaaS apps through the MyApps portal, which can be accessed through an app or through the web browser. MyApps provides SSO to SaaS apps, group management, and a self-service experience.

The next question is how to enable access to Windows-based applications across all the devices in the enterprise. Azure RemoteApp enables organizations to provide Windows-based applications for employees to work across devices, from anywhere. These applications run in the cloud and are scaled as needed. Files can be securely located in the cloud or on-premises, so no data is held on the local device. Even if the mobile device is lost or compromised, the data is still protected.
16
Company portal self-service experience
Consistent experience across Windows, Windows Phone, Android, and iOS
Discover and install corporate apps
Manage devices and data
Customizable terms and conditions
Ability to contact IT

Users can leverage the self-service Intune Company Portal for a variety of things. The portal provides a consistent experience across popular mobile platforms where users can enroll their own devices, install corporate applications, and quickly access support information for their corporate IT department. From this portal, users also have the ability to wipe corporate data off of their enrolled device or devices and retire devices that will no longer be used. A new feature that is also now available is customizable terms and conditions. This new feature enables an organization to outline the specific conditions and policies that apply to the enrolled device and user at enrollment into the Intune service. It’s also important to highlight that the Company Portal design conforms to the UX guidelines of each device platform to retain platform consistency.
17
Volume purchasing

Purchase licenses in bulk for paid apps using the Windows Store for Business and the Apple Volume Purchasing Program (VPP)
Volume purchasing integration: assign licenses to users
Deploy licenses to users with Intune and install apps as required; license and app installed by the store
Deploy offline app packages to Windows 10 devices that cannot access the Windows Store with System Center Configuration Manager
Note: The capabilities shown on this slide are still in development. Initially, Intune will not support displaying these apps in the Company Portal.

Apple Volume Purchasing Program (VPP) makes it simple to find, buy, and distribute apps in bulk to your organization, on iPhone and iPad. Intune integrates with Apple VPP to allow admins to deploy licenses and apps to users. With Windows 10, organizations can fully control Windows Store features and distribution using System Center Configuration Manager and Microsoft Intune. This includes the ability to install and uninstall apps, control app updates and manage app licenses. We also recognize that some organizations need to install apps on devices that do not have Internet access. Organizations will be able to download the app installation files from the Store portal and include them in custom Windows images, deploy them in run-time provisioning packages, or automatically install them from an on-premises server using System Center Configuration Manager.
18
Corporate-owned devices
Corporate-owned devices (CYOD), with personal use allowed
Retail outlets using tablets as point-of-sale devices, gift registries, etc.
Schools providing tablets for technology-based learning

So far we’ve talked about BYOD, which is a very common scenario, but many of our customers are also looking for solutions to manage corporate-owned devices. Common scenarios are:
Corporate-owned PCs, phones and tablets (CYOD), with personal use allowed
Retail outlets using tablets as point-of-sale devices, gift registries, etc.
Restaurants using tablets as hostess devices or for monitoring equipment
Medical staff at hospitals using tablets for patient charts and data, or procedural training
Schools providing tablets for technology-based learning
Airlines providing pilots with tablets to securely host flight manuals, or to transact
19
Bulk enrollment options
Service account enrollment
Apple Configurator
Apple Device Enrollment Program (DEP)
Windows 10 provisioning profile

These are some of the bulk enrollment options that are available when using Intune to empower organizations to enable CYOD. More detailed slides and descriptions can be found in the appendix.
20
Device lockdown
Business manager, IT, school, retail store, restaurant: apply policies
Note: The Windows 10 capabilities shown on this slide are still in development.
Deploy policies using Intune to lock down devices so they can only run applications allowed by IT
Allow multiple users to use the same device and customize the device experience based on identity
Deploy Device Guard policies using Intune to only allow trusted applications to run on Windows 10 devices

Another capability in Intune is the ability to enforce stricter “lock down” policies for supervised iOS devices, Android devices using Kiosk Mode, and Windows devices using Assigned Access and Device Guard. With lockdown policies, IT admins can lock down a device so that only a single managed app can be used, and lock down the configuration of other device attributes. Users will not have the ability to modify the device state. Windows 10 Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.

Device lockdown capabilities come in handy in a variety of situations. Scenarios include:
Customers ordering food on a device at a restaurant
Customers adding items to their gift registry at a retail store
Allowing students to complete a project on a school-owned device
21
Protect corporate data from virtually anywhere
Enabling users to be productive is critical for organizations to stay competitive in the modern world, but organizations also need to ensure that their corporate data is protected while their employees are on the go.
22
Control access to corporate data
Access control to corporate data today: users, devices (mobile devices, PCs, web browsers), apps, and data, on-premises and in the cloud. The perimeter cannot help protect data stored in the cloud.

In the past, almost all corporate data was stored on-premises, which meant that organizations could use the perimeter to manage access to the corporate data. Typically, this was a challenging project that often required gateways, servers in the perimeter network, lots of configuration, and custom scripts. However, a lot of corporate data today is stored in the cloud, either because of the organization’s decision or because employees themselves intentionally or unintentionally stored it in the cloud by using apps like Dropbox or SalesForce. This creates a security risk where the corporate data might end up in the wrong hands, and most of the EMM vendors in the market today don’t really have a good solution for this.
23
Protect data in a mobile-first, cloud-first world
Enterprise Mobility Suite: access control and data protection integrated natively in the apps, devices, and the cloud (users, devices, apps, data; on-premises and managed cloud, e.g., SharePoint Online and Exchange).

Microsoft takes a different approach, where we believe that access control and data protection should be integrated natively in the apps, devices, and the cloud. With EMS, organizations can manage access to the corporate data on-premises and in the cloud with conditional access capabilities, but also protect the data once it is on the device with 4 layers of protection: identity, device, application, and data. And due to our cloud architecture, we significantly reduced the complexity and made it very easy to configure. We will discuss this in more detail shortly.
24
Conditional access with EMS
Conditional access policies are evaluated on the user (user group, IP range) and on the device state, with advanced Windows 10 options, before access is granted to corporate apps on-premises and in the cloud.

Using conditional access capabilities in EMS, organizations are able to restrict access to cloud and on-premises resources based upon user health and device health. User health can be defined based upon IP range and user group membership, and additional options will be added over the coming months. Device health can be defined based upon whether the device is managed by Intune and is compliant with the policies set by the IT administrator. Additionally, for Windows 10, using Azure AD Join, organizations can restrict access to corporate resources.
25
Windows Provable PC Health (PPCH)
Diagram labels: conditional access, SharePoint Online, Exchange, policy compliance verification, device management, device compliance, measured boot integrity status (Windows PPCH), policy verification, advanced device compliance (antivirus, firewall, patch state, etc.), Windows 10, Microsoft Intune, Windows Provable PC Health (PPCH).
Note: The Windows 10 conditional access capabilities shown on this slide are still in development.

Corporate email is one of the most important resources that employees need to access in order to be productive. But organizations want to keep corporate information secure by restricting access on devices that are not enrolled or not compliant with corporate policies. In the scenario that you see here, the user has enrolled their device into the Intune service and is now trying to access their corporate email using Office 365 or Exchange on-premises. Based upon the settings defined by their IT administrator at their company, the user’s device is still not compliant. During the policy verification process performed by Intune, the user’s access is blocked until the device is encrypted, a passcode is set, and the device is no longer jailbroken or rooted.

Now, if a user tries to access corporate email and their device is not enrolled or not compliant based upon settings defined by the IT admin, the user experience is pretty intuitive. The user will receive an email explaining why their access has been blocked, with steps for how to resolve the issue. With Windows 10, Intune can verify additional device compliance attributes such as antivirus status, firewall status, and patch state, and can verify measured boot integrity status using the Windows Provable PC Health (PPCH) service.
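The user-health plus device-health decision described on the last two slides, as an added example that is not part of the deck and not Microsoft's code or API. It models the blocked-until-remediated case (unencrypted, no passcode, jailbroken) and the Windows 10 attestation checks; every class, field and sample value is an assumption made for the demo.

```python
"""Conditional access decision model: an added illustration of the EMS policy
flow the slides describe (constructed example, not Microsoft's code or API).
Every class, field and sample value here is an assumption made for the demo."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Device:
    enrolled: bool                       # enrolled in the MDM service
    encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool
    platform: str = "ios"                # "ios", "android" or "windows10"
    # Windows 10-only attributes (advanced compliance / PPCH); None = unknown
    antivirus_on: Optional[bool] = None
    firewall_on: Optional[bool] = None
    patched: Optional[bool] = None
    measured_boot_ok: Optional[bool] = None


@dataclass
class Policy:
    trusted_ip_ranges: List[str] = field(default_factory=list)  # user health
    required_groups: List[str] = field(default_factory=list)    # user health
    check_win10_advanced: bool = True    # AV/firewall/patch/boot on Windows 10


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # remediation steps


def device_compliance_gaps(dev: Device, pol: Policy) -> List[str]:
    """Device health: list every policy setting the device still violates."""
    if not dev.enrolled:
        # Nothing is known about an unenrolled device, so block it outright.
        return ["enroll the device in Intune through the Company Portal"]
    gaps = []
    if not dev.encrypted:
        gaps.append("enable device encryption")
    if not dev.passcode_set:
        gaps.append("set a device passcode")
    if dev.jailbroken_or_rooted:
        gaps.append("device is jailbroken or rooted; restore a supported state")
    if dev.platform == "windows10" and pol.check_win10_advanced:
        checks = {
            "antivirus is off or its state is unknown": dev.antivirus_on,
            "firewall is off or its state is unknown": dev.firewall_on,
            "required patches are missing": dev.patched,
            "measured boot integrity was not attested (PPCH)": dev.measured_boot_ok,
        }
        # Unknown (None) fails closed: attestation has to be positive.
        gaps.extend(msg for msg, ok in checks.items() if not ok)
    return gaps


def evaluate_access(user_groups: List[str], client_ip: str,
                    dev: Device, pol: Policy) -> Decision:
    """Combine user health and device health; access needs both to pass."""
    reasons = []
    if pol.trusted_ip_ranges:
        addr = ip_address(client_ip)
        if not any(addr in ip_network(r) for r in pol.trusted_ip_ranges):
            reasons.append(f"client IP {client_ip} is outside the trusted ranges")
    missing = [g for g in pol.required_groups if g not in user_groups]
    if missing:
        reasons.append("user is not a member of: " + ", ".join(missing))
    reasons.extend(device_compliance_gaps(dev, pol))
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample policy for the demo (ranges and group name are made up).
CORP_POLICY = Policy(trusted_ip_ranges=["10.0.0.0/8", "203.0.113.0/24"],
                     required_groups=["Exchange Users"])


def demo() -> List[Decision]:
    """The slide's phone (three violations) and a healthy Windows 10 laptop."""
    phone = Device(enrolled=True, encrypted=False, passcode_set=False,
                   jailbroken_or_rooted=True)
    laptop = Device(enrolled=True, encrypted=True, passcode_set=True,
                    jailbroken_or_rooted=False, platform="windows10",
                    antivirus_on=True, firewall_on=True, patched=True,
                    measured_boot_ok=True)
    return [evaluate_access(["Exchange Users"], "10.1.2.3", phone, CORP_POLICY),
            evaluate_access(["Exchange Users"], "10.1.2.3", laptop, CORP_POLICY)]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "BLOCK", d.reasons)
```

The reasons list is what the slide's notification email would carry back to the user as remediation steps.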
26
Mobile device management
Apply and enforce device configuration settings across iOS, Android, and Windows via Intune MDM
Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM, including Windows Defender (anti-malware), Firewall, and Cortana
Collect hardware and software inventory data for reporting
Now let's take some time to talk about mobile device management. With Intune, IT admins can apply and enforce device configuration settings across iOS, Android, and Windows via MDM. You can also collect hardware and software inventory data for reporting.
27
Mobile application management policies
Intune includes multiple features that help protect corporate apps and data on users' devices.
Enforce corporate data access requirements: require a PIN for launching the app; require authentication with corporate credentials before launching the app; require compliance with device policies for launching the app
Restrict data leakage: allow/block copy/paste; allow/block screen capture; allow/block print; prevent file backup to unauthorized locations; restrict sharing of data between applications
Enforce encryption of app data at rest
App-level selective wipe
28
Mobile application management
Diagram: personal apps and managed apps on the user's device; corporate data and personal data kept apart by multi-identity policy; the user's view and IT's view
If we take a closer look at our user's newly enrolled device, which is now compliant and ready to go, we can see that she is still able to maintain a personal experience on her device. She has organized her applications the way she wants, with all of her apps available on one screen. She has her managed corporate apps, the Office mobile apps she knows and loves, and the personal apps that she uses outside of work, and she may even consider using these personal apps to boost her productivity at work. Even though our user has all of her apps at hand on her personal device, IT is able to enjoy unparalleled management of the Office mobile apps, so with Microsoft Intune our IT pro has a different perspective on the organization of our user's personal device. With the new multi-identity management feature, you can enable users to access both their personal and work accounts using the same Office mobile apps while applying the MAM policies only to their work account, providing a seamless experience while employees are on the go. For our IT pro, there is still a clear separation of the managed corporate apps and our user's personal apps, but this doesn't affect the user's access to apps. By applying policy at the app level, our IT pro can support mobile productivity while maintaining user preferences, and still protect corporate data and resources with the Intune-managed Office mobile apps. The Intune App Wrapping Tool also allows IT to apply similar policies to your existing line-of-business applications, so that these resources are equally protected in the organization's proprietary apps. You can also enable users to securely view content on devices within your managed app ecosystem using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune.
Maximize mobile productivity and protect corporate resources with Office mobile apps, including multi-identity support
Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
29
Manage mobile productivity without device enrollment
Diagram: corporate apps with MAM policies; personal apps; MDM policies, optional (Intune or 3rd-party); Azure Rights Management file policies
MAM policies: enable familiar Office experiences for employees. No enrollment. Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM.
File policies: protect data at the file level for Office documents and more with Azure Rights Management.
30
Manage mobile productivity without device enrollment
MAM policies
Familiar Office experience: seamless "enrollment" into app management; use for personal and corporate accounts
Comprehensive protection: app encryption at rest; app access control (PIN or credentials); save as/copy/paste restrictions; app-level selective wipe
MDM management by Intune or a third party is optional
Extend protection to the file level with Azure RMS
Might be a good solution for these scenarios: BYOD when MDM is not required; extending app access to vendors and partners; organizations that already have an existing MDM solution
Diagram: corporate apps with MAM policies; Azure Rights Management file policies; MDM, optional (Intune or 3rd-party); personal apps; MDM policies
31
MAM without enrollment architecture
1. User installs an app from the Apple App Store or Google Play
2. User logs in with Office 365 credentials
3. Azure AD verifies that the app and user are allowed to access Office 365
4. Intune applies MAM policies to the managed apps
5. Access to Office 365 is granted
6. User continues to use the app as usual
Diagram: user, Office 365, Azure AD
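The six steps above as a message sequence, added here as an example and not Microsoft's code: the app, Azure AD and Intune are modelled as Python objects exchanging messages, so that an app not permitted to reach Office 365 is stopped at step 3 before Intune is ever consulted, and a user who is not targeted by a MAM policy signs in and continues without one (that last behaviour is an assumption of the model). The app identifiers, the directory contents, the credential check and the policy body are all constructed for this example; the real services exchange OAuth tokens and the policy is applied by the Intune App SDK inside the app.

```python
"""Added example (not Microsoft's code): the MAM-without-enrollment sign-in
flow from the slide, modelled as messages between app, Azure AD and Intune.
Tenant data below is constructed for the example."""
from dataclasses import dataclass, field

# Constructed tenant data (assumptions).
APPS_ALLOWED_FOR_O365 = {"com.microsoft.office.outlook", "com.microsoft.office.word"}
DIRECTORY = {
    # A real directory never stores plaintext secrets; this is a stand-in.
    "alice@contoso.example": {"secret": "correct horse", "groups": {"MAM-Users"}},
    "bob@contoso.example":   {"secret": "battery staple", "groups": set()},
}
MAM_POLICY = {"targets_group": "MAM-Users", "require_pin": True,
              "allow_copy_paste_out": False, "encrypt_at_rest": True}


class AzureAD:
    """Step 3: verifies that the app AND the user may access Office 365."""
    def sign_in(self, app_id, upn, secret):
        if app_id not in APPS_ALLOWED_FOR_O365:
            return None, "app is not permitted to access Office 365"
        user = DIRECTORY.get(upn)
        if user is None or user["secret"] != secret:
            return None, "invalid credentials"
        return {"sub": upn, "aud": "Office 365", "app_id": app_id}, None


class Intune:
    """Step 4: hands the app the MAM policy if the user is targeted by one.
    No device enrollment is involved; policy is keyed to the user identity."""
    def policy_for(self, token):
        if MAM_POLICY["targets_group"] in DIRECTORY[token["sub"]]["groups"]:
            return MAM_POLICY
        return None   # assumption: untargeted users run the app unmanaged


@dataclass
class MobileApp:
    app_id: str
    aad: AzureAD
    intune: Intune
    transcript: list = field(default_factory=list)
    policy: dict = None
    token: dict = None

    def launch(self, upn, secret):
        """Run steps 1 to 6; return True if Office 365 access was granted."""
        self.transcript.append(f"1 user installs {self.app_id} from the store")
        self.transcript.append(f"2 {upn} signs in with Office 365 credentials")
        token, err = self.aad.sign_in(self.app_id, upn, secret)
        if err:
            self.transcript.append(f"3 Azure AD denies sign-in: {err}")
            return False
        self.transcript.append("3 Azure AD verifies the app and user are allowed")
        self.token = token
        self.policy = self.intune.policy_for(token)
        if self.policy:
            self.transcript.append("4 Intune applies MAM policy to the app")
        else:
            self.transcript.append("4 Intune has no MAM policy targeting this user")
        self.transcript.append("5 access to Office 365 is granted")
        self.transcript.append("6 user continues to use the app as usual")
        return True


def run_flow(app_id, upn, secret):
    """Drive one sign-in and return (granted, policy_applied, transcript)."""
    app = MobileApp(app_id, AzureAD(), Intune())
    granted = app.launch(upn, secret)
    return granted, app.policy, app.transcript


if __name__ == "__main__":
    for line in run_flow("com.microsoft.office.outlook",
                         "alice@contoso.example", "correct horse")[2]:
        print(line)
```

The ordering matters for the defender: the app allow-list and the credential check sit in Azure AD, so an unapproved client never obtains a token and Intune never sees it, while the policy step cannot be skipped by an approved client because it runs before access is granted.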
32
Intune app partners
Microsoft apps, such as Office, Dynamics CRM, Power BI, and more
Partners that have integrated their apps with the Intune App SDK
33
Selective wipe
Diagram: personal apps and managed apps on the device; IT
IT can safeguard against the leakage of corporate data by applying policies to the apps themselves, but with most employees working from multiple enrolled devices, the IT pro still needs a broader way of protecting access to corporate applications on any user's enrolled device. Perhaps our user decides to replace or retire her device, perhaps she leaves the company, or perhaps she just doesn't want to use the device for work any longer. Using the Intune Company Portal, the user can selectively wipe corporate applications and data from her enrolled devices at any time. And in the event that our user's device is lost or stolen, she can completely wipe the device from the same Company Portal. This self-service option can save time, frustration, worry, and IT resources. The IT pro can also perform a full or selective wipe of an enrolled device using the Intune admin console.
Perform selective wipe via the self-service Company Portal or the admin console
Remove managed apps and data
Keep personal apps and data intact
34
“Enterprise data protection” for Windows 10
Configure and manage EDP policies with Intune and Azure Rights Management
Separate personal and corporate data with limited impact on employees' day-to-day activities
Control app access to corporate data and prevent copy and paste-related data leaks
Protect data at rest and wherever it may roam*
Secure content collaboration through integration with Azure Rights Management
Diagram: Microsoft Intune & Azure Rights Management apply policies; the user saves a file to personal storage or to a file share on the corporate network; share files and enforce policies
Note: The Windows 10 "enterprise data protection" capabilities shown on this slide are still in development. These capabilities could be modified before commercial release.
With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise's control, like email, social media, and the public cloud. Many existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The Windows 10 feature code-named Enterprise Data Protection (EDP) offers a better user experience while helping to separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes to environments or apps. Additionally, when EDP is used with Azure Rights Management (RMS), it can help protect your enterprise data locally and persist that protection even when the data roams or is shared. With Intune, IT admins can manage EDP policies to protect corporate data (this is similar to the Intune MAM capabilities for iOS and Android). Additional management capabilities for data protection and separation are also available with Windows 10.
Note: With EDP, you can protect Windows 10 apps and data without the need for an App Wrapping Tool or App SDK.
* Some roaming scenarios use Azure Rights Management
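App-level policy enforcement as described for the Office mobile apps (the MAM policy list: app PIN, copy/paste and screen-capture and print and backup controls, sharing restrictions, app-level selective wipe) with multi-identity, and by analogy the Windows 10 Enterprise Data Protection model above, as an added Python example that is not Microsoft's code: policy is keyed to the identity of the data rather than to the whole app, so work content is PIN-gated and cannot be copied into an unmanaged app while personal content in the same app is untouched, and a selective wipe removes only the work account and its documents. The policy field names, the PIN and the sample documents are constructed for this example.

```python
"""Added example (not Microsoft's code): identity-scoped MAM policy
enforcement with selective wipe. Policy fields, PIN and documents are
constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    COPY_TO_PERSONAL = "copy/paste into an unmanaged app"
    SCREEN_CAPTURE = "screen capture"
    PRINT = "print"
    BACKUP = "backup to an unauthorized location"
    SHARE_TO_MANAGED = "share with another managed app"


@dataclass
class MamPolicy:
    require_pin: bool = True
    # Only sharing with other managed apps is permitted; every other Action is blocked.
    allowed: frozenset = frozenset({Action.SHARE_TO_MANAGED})


@dataclass
class Document:
    name: str
    identity: str        # "work" or "personal", taken from the account that opened it
    content: str


@dataclass
class ManagedApp:
    """One Office-style app signed in to a work and a personal account."""
    policy: MamPolicy
    work_account: str
    personal_account: str
    docs: list = field(default_factory=list)
    pin_verified: bool = False

    def unlock(self, pin, expected="1234"):
        """Constructed app-PIN check (assumption); real apps never hard-code a PIN."""
        self.pin_verified = (pin == expected)
        return self.pin_verified

    def open(self, doc):
        """Corporate data access requirement: work data needs the app PIN."""
        if doc.identity == "work" and self.policy.require_pin and not self.pin_verified:
            raise PermissionError(f"{doc.name}: enter the app PIN to open work data")
        return doc.content

    def attempt(self, doc, action):
        """Data-leakage controls apply to work-identity data only;
        returns True when the action is permitted."""
        if doc.identity != "work":
            return True
        return action in self.policy.allowed

    def selective_wipe(self):
        """IT (or the user via the Company Portal) removes work data and the
        work account; the personal account and documents remain."""
        removed = [d.name for d in self.docs if d.identity == "work"]
        self.docs = [d for d in self.docs if d.identity != "work"]
        self.work_account = None
        self.pin_verified = False
        return removed


def demo():
    """Build a sample app state (constructed) and return it for inspection."""
    app = ManagedApp(MamPolicy(), "alice@contoso.example", "alice@example.net")
    app.docs += [Document("Q3-forecast.xlsx", "work", "confidential figures"),
                 Document("recipe.txt", "personal", "pancakes")]
    return app


if __name__ == "__main__":
    app = demo()
    work, personal = app.docs
    app.unlock("1234")
    print(app.open(work), app.attempt(work, Action.COPY_TO_PERSONAL),
          app.attempt(personal, Action.COPY_TO_PERSONAL), app.selective_wipe())
```

Because the checks key off the document's identity, a single app can hold both kinds of data without a separate "work container"; that is the user-experience point the EDP slide makes, and it is also why a wipe can be selective rather than removing the whole app.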
35
Protect corporate data with Windows 10
Diagram: device protection (BitLocker, Device Guard, device settings, Windows Defender); data separation and leak protection (Enterprise Data Protection); sharing protection (Rights Management); Microsoft Intune; Azure Rights Management
Windows 10, coupled with Azure Rights Management and Microsoft Intune, provides the comprehensive set of capabilities that you need to cover each of these areas. BitLocker, Device Guard, device settings, and Windows Defender provide comprehensive protection of the device and operating system, and these settings can be managed by Microsoft Intune. Using Enterprise Data Protection in Windows 10, you can separate corporate and personal data, enabling corporate data to be wiped easily and ensuring that only authorized applications can access your corporate data. When it comes to leak protection, as you can see on this slide, Enterprise Data Protection also provides basic leak protection: it helps ensure that corporate data can't be leaked through actions such as copy, paste, and "save as". For those looking for advanced leak protection, such as the ability to prevent printing or forwarding of documents or email, Azure Rights Management is there to take things to the next level. With Microsoft Intune, you can manage EDP policies to enforce data separation as well as prevent leakage of corporate data by preventing actions such as copy, paste, and "save as". Finally, when it comes to sharing protection, meaning sharing protected content, whether that's B2B, B2C, or sharing a sensitive document with just a select few within your organization, Azure Rights Management has you covered.
36
Typical EMM stack
Diagram: corporate network (SharePoint Server, Exchange Server, Active Directory), firewall, DMZ/perimeter network; native device MDM; containers with a custom email app, custom collaboration app and custom file app; SDK/wrapper, managed browser, managed viewers
Standard MDM provides device configuration and management
Custom data container provides mobile productivity apps integrated with content and access systems
Custom SDK/wrapper enables line-of-business apps to be managed
Depends on specific DMZ infrastructure; works on-premises only
Let's take a look at how most EMM vendors try to protect corporate data today. First, they use MDM to protect the device. This is pretty much a commodity nowadays, as almost all vendors provide similar capabilities in this area. Second, there is usually a container in which the EMM vendor provides their own email and productivity apps, which are also protected with mobile application management (MAM) capabilities. These custom apps usually have limited functionality and a confusing user interface. Employees want Office. Third, EMM vendors also provide their own SDK or app wrapper so organizations can wrap their internal apps and manage them with the EMM tool. Finally, they often also have a gateway or appliance in the DMZ that they use to control access to the internal corporate network. As mentioned earlier, this requires a custom appliance, lots of configuration, and custom scripts. And the bigger problem is that this does not address the case where corporate data is stored in the cloud.
37
Microsoft’s EMM stack DMZ/ Corporate network Perimeter network
Diagram: SharePoint Online and Exchange (cloud integration); corporate network (SharePoint Server, Exchange Server, Active Directory), firewall, DMZ/perimeter network (standard on-premises integration); native device MDM; managed Office productivity and more
Intune: cross-platform MDM
Office 365: mobile productivity
Azure AD: access control to Office 365 and SaaS apps
Intune: app restrictions for Office mobile and LOB apps
Azure Rights Management: information protection at the file layer
Now let's take a look at how Microsoft solves the enterprise mobility challenges. First, Intune provides cross-platform MDM. At the next layer, Intune is uniquely able to manage and enforce app restrictions for Outlook and the Office mobile apps on iOS and Android. This provides a best-in-class and consistent user experience for email, productivity, and collaboration while protecting corporate data. Employees are productive with real Office, not Office-like proprietary apps with limited functionality. Not only does this provide a great user experience, but with EMS corporate data is also uniquely protected at four layers, which we will discuss later. Other vendors can't say this. Intune also provides the Intune App SDK and App Wrapping Tool so organizations and developers can bring their applications under management with Intune. However, there are some differences worth mentioning: with extensibility based on Azure AD and Intune, organizations and developers can interoperate with the Office mobile apps and Office 365. When it comes to data access control, Intune is also able to manage access to the internal corporate network, such as Exchange on-premises, but there is no requirement for gateways or other servers. Where the difference really stands out is the ability of EMS and Intune to secure access to corporate data stored in the cloud (such as Office 365) without any infrastructure requirements.
Complete identity management based on AAD; native multi-factor authentication support; access control both on-premises and in the cloud
User experience based on Office; separate work apps supported but not required; isolate corporate data from personal data in the same app; file-layer protection
Integrated cloud services infrastructure
Extensibility based on Azure AD and Intune: enable business apps to interoperate with Office mobile apps; Intune App SDK; Intune App Wrapping Tool
38
Multiple layers of protection
Diagram: user and IT; Enterprise Mobility Suite; Azure Active Directory Premium (identify and authorize user); Intune (apply device policies, apply application policies); Rights Management (apply content policies)
Microsoft has four layers to protect the data stored on the device. First, Azure Active Directory identifies and authorizes the user to access corporate data, including features like single sign-on and multi-factor authentication. Next, Intune protects the device by enforcing corporate policies on it. Intune also provides the next layer of protection by directly managing apps and data on the device with Intune MAM. Finally, Azure RMS protects files when they roam inside or outside the organization; Azure RMS-protected files can independently identify the users who do or do not have access to them.
Identify and authorize user
Apply device policies: policies to restrict device behaviors, e.g., PIN, encryption, camera, etc.
Apply application and information policies: app-specific policies to restrict data leakage, enforce corporate data protection, data encryption at rest, and app-level selective wipe
Apply content policies: rights management policies to protect data when it roams inside or outside the organization's boundaries
39
Summary
Now that we have seen all of the capabilities delivered by EMS and Intune to enable users to be productive from virtually anywhere on almost any device while helping protect corporate data, let's talk about:
Deployment flexibility
Modern architecture
Enabling enterprise mobility with EMS
40
Deployment flexibility
Intune standalone (cloud only): IT uses the Intune web console to manage mobile devices and PCs
Configuration Manager integrated with Intune (hybrid): IT uses the Configuration Manager console; System Center Configuration Manager manages domain-joined PCs and Intune manages mobile devices
First let's talk about Intune deployment options. This slide shows the two scenarios that are available to customers today. On the left, with Intune standalone, you can manage mobile devices and Windows PCs completely from the cloud using the Intune web console. With the hybrid scenario on the right, System Center Configuration Manager is integrated with Microsoft Intune. Here you can manage domain-joined PCs, Macs, Linux/Unix servers, and Windows servers, as well as mobile devices, from a single management console: the Configuration Manager console. You can extend device management to the cloud by integrating System Center 2012 R2 Configuration Manager with Microsoft Intune to manage corporate-connected PCs, Macs, and Unix/Linux servers on-premises along with cloud-based mobile devices running Windows, Windows Phone, iOS, and Android, all from a single management console. Both of these scenarios require an Intune subscription for MDM and MAM capabilities.
41
Architecture matters
Always up-to-date, no need to migrate
Always available and reachable
Easy to try, adopt, and deploy
Integrates with existing on-premises infrastructure
Disaster recovery and geo-diversity
Assign your data to a region
Built from the ground up: datacenter, fabric, SaaS
Built using world-class engineering and security
Compliant and certified
Financially backed Service Level Agreements (SLAs)
Diagram: Azure Active Directory, Azure Rights Management, Intune, Office 365
Microsoft's enterprise mobility solutions, such as Office 365 and EMS, are tightly integrated and designed from the ground up to run in the cloud, providing easily configurable but powerful tools for organizations to solve new business challenges and accommodate new devices, new apps, and new hires without worrying about scale, maintenance, or updates. However, different organizations have different needs to meet their business goals. That is why EMS is also designed to integrate seamlessly with existing on-premises investments such as Active Directory, Exchange Server, or System Center Configuration Manager (ConfigMgr). This flexibility provides additional benefits, such as the ability to connect on-premises Active Directory with EMS, enabling organizations to provide employees with access to all of their company resources, such as email, documents, and applications, both on-premises and in the cloud using a single username and password. Bugs are fixed instantly for all customers; no rollout is required. The service is maintained at multiple 9's of availability. Failures happen, but they are almost completely invisible to our customers because of the scale of our redundancy. Automation: when we have an error in our system, our synthetic transactions running around the clock catch problems before our customers do, enabling us to fix them before they impact customers. Our 24/7 service engineering process ensures there is always an engineering expert available to resolve issues we find through automation, before they impact our customers. Our SLA is financially backed: if we don't meet our SLAs, we refund our customers their service fees. We are absolutely differentiated here; this is not something our competition guarantees. We are building and maintaining our own datacenters globally, while our competition uses other datacenters and services. We take this very seriously at Microsoft, so our customers benefit from our commitment here. This service excellence, together with our scale and capability within Microsoft, is a very strong piece of our value proposition.
42
Enterprise Mobility Suite
Identity and access management (Azure Active Directory Premium): security reports, audit reports, multi-factor authentication; self-service password reset and group management; single sign-on to over 2,400 popular SaaS applications
Mobile device and application management (Microsoft Intune): mobile device settings management; mobile application management with Office mobile apps; conditional access and selective wipe
Information protection (Azure Rights Management): information protection; document tracking; bring your own key
The Enterprise Mobility Suite (EMS) delivers on Microsoft's cloud-based, people-centric IT vision with a combination of products that integrates identity and access management, mobile device and application management, and information protection into one simple licensing bundle. EMS is composed of three products: Microsoft Intune, Microsoft Azure Active Directory (AD) Premium, and Microsoft Azure Rights Management. We have the only enterprise mobility solution designed to help manage and protect users, devices, apps (PC or mobile), and data. Not only is Microsoft the most comprehensive solution, it's also a great value: our Enterprise Mobility Suite is 58% less than standalone products from other vendors.
Note: These products can also be purchased separately.
Try EMS out today: mobility/free-trial.aspx
43
One vendor. Unified solutions.
Many customers have seen success with our mobile device and application management solutions and have solved a number of different business challenges.
Aston Martin (making it easier to deliver a great brand experience): Founded in 1913, Aston Martin sports cars are synonymous with luxury, heritage, and authentic craftsmanship. They were able to build on investments they had already made to manage the laptops and devices of their highly mobile and distributed workforce. They see benefit from managing all devices through a single console: "It's one more example of how the interoperability of Microsoft products makes our lives easier."
Callaway Golf (keeping the selling workforce productive): Like many companies, Callaway Golf had to cut spending due to the global recession of 2009. Callaway needed a way to keep salespeople productive by proactively managing sales computers and mobile devices. Our unified solution allows Callaway to maintain revenue flow by keeping salespeople's computers running.
Mitchells & Butlers (bringing a new level of efficiency to management): Established in 1898, Mitchells & Butlers runs many of the United Kingdom's most famous restaurant and pub brands. For them, empowering enterprise mobility is about efficiency for their IT staff. By taking a unified approach to management, they can remotely manage a total of 20,000 corporate and mobile devices with only two people.
So harnessing the power of enterprise mobility can be about cost or time efficiency, about providing a better service, or about staying at the cutting edge of your industry. Let's take a deeper look at what empowering enterprise mobility means for your business.
44
Next Steps
Sign up for a free trial: aka.ms/IntuneFreeTrial
Request an enterprise mobility proof-of-concept from your account team or partner
Find a partner with competency in devices, deployment, identity, and access
Take advantage of your Software Assurance Planning Services benefits
Learn more about our enterprise mobility products and solutions:
Enterprise Mobility Suite: aka.ms/EnterpriseMobilitySuite
Mobile device and application management: aka.ms/MDM-MAM
Microsoft Intune: aka.ms/MicrosoftIntune
System Center 2012 R2 Configuration Manager: aka.ms/ConfigMgr
What are the next steps for you to take around enterprise mobility? You can set up a free trial of Microsoft Intune, or work with your partner and Microsoft to set up an enterprise mobility proof of concept. If you don't already have a certified partner who is familiar with the Microsoft Enterprise Mobility Suite, you can use our Find a Partner tool to connect with an IT consultant with the right skills. And don't forget to take advantage of your Software Assurance benefits to use Deployment Planning Services. Also, make sure to check out the links on this slide for more information on our enterprise mobility products and solutions.
46
Appendix
47
Mitchells and Butlers, a pub and restaurant company, boosts service and satisfaction with mobile device and application management. “By using Microsoft Intune, we can improve staff members’ work experience and guest satisfaction, while reducing IT labor and operational costs. Everyone wins.” Tim Banham Solution Architect Mitchells and Butlers Mitchells & Butlers Case Study: Established in 1898, Mitchells & Butlers runs many of the United Kingdom’s most famous restaurant and pub brands. Behind the great food and memorable experiences served up daily at every Mitchells & Butlers establishment, technology plays a significant supporting role. “We want to take advantage of available tools to enhance customer service and management efficiency,” says Tim Banham, Solution Architect at Mitchells & Butlers. “So we’re performing a technology upgrade across all our sites. As part of the project, we’re replacing pen and paper with mobile devices for our hosts, hostesses, managers, and retail teams.” Mitchells & Butlers distributed iPod touch devices running iOS 6 for its wait staff and Samsung Galaxy Tab 3 tablets running the Android operating system for its front-of-house staff and site managers. “To enable our business strategies, we needed a mobile device management solution,” says Banham. ”In our restaurants and pubs, many employees share one mobile device, so we wanted a flexible management solution to accommodate that scenario.” The company’s IT staff uses Microsoft System Center 2012 R2 datacenter solutions to manage Mitchells & Butlers corporate devices that operate behind its firewall. 
“Our biggest priority was to find a solution that interoperated with System Center 2012 R2 so that we could manage all our devices from one console,” says Andy Turner, Technical Lead, Infrastructure, at Mitchells & Butlers.” Solution Mitchells & Butlers chose Microsoft Intune, the PC and mobile device management service solution from Microsoft that provides both cloud-based and on-premises capabilities. IT staff will use Microsoft Intune to remotely run mobile device management tasks, including software distribution and self-service application delivery. “We looked at Air Watch and Mobile Iron, but Microsoft Intune required no infrastructure, is user-friendly, and connects with the Configuration Manager component of System Center 2012 R2 to offer a single console for both PCs and mobile devices,” says Banham. “We get the device management capabilities we need: we can deploy software to individual devices or collections of devices that we assign to a manager at each site. And Microsoft went out of its way to help us with extra resources, time, and expertise.” In December 2013, Mitchells & Butlers subscribed to 8,500 Microsoft Intune licenses for its mobile devices. Site visits to configure the iPods will commence in spring The iPods will run an app called iServe, which was developed for the company’s retail teams to take orders and send them to the kitchen. However, Mitchells & Butlers wants to upgrade the iPods to iOS and is waiting for a version of the app that can run in that environment. “We have delayed the iOS upgrade until we have completed certification testing on the iServe app,” says Turner. “We’ll do site visits to upgrade the iPods to iOS 7.1.1, then enroll the devices in Microsoft Intune, and download the app from our internal company app store. That’s the only site visit we will need. Going forward, we’ll use Microsoft Intune to manage the devices from our datacenter.” Another app, called iZone Tables is being developed for front-of-house staff. 
“iZone Tables is a browser-based, hosted app that runs on Android tablets that we plan to manage with Microsoft Intune,” says Turner. “By the end of 2014, we’ll have enrolled 8,500 devices in total.”

Benefits: Mitchells & Butlers considers Microsoft Intune a foundational technology solution that will help the company enact its strategic business plans. “Thanks to Microsoft Intune, we can deploy a mobile computing platform that’s key to furthering our reputation for great dining experiences and expanding our business,” says Banham. The company expects the following benefits:

- Improved guest experience. Every year, Mitchells & Butlers’ retail teams serve approximately 130 million meals and 410 million drinks. That task will be easier when the mobile device platform is up and running and staff can spend more time talking to customers and less time writing down orders and running back and forth to the cash register and the kitchen. Plus, hosts and hostesses can use iZone Tables to more efficiently process the more than 2.4 million online bookings that the company gets every year, and managers can ensure that equipment is running at peak performance for customers’ comfort.
- “By using the hybrid model of Microsoft Intune and Configuration Manager, we can remotely manage a total of 15,000 corporate and mobile devices with only a small team,” says Turner. “This is a cost-effective mobile device management solution.”
- Gained an extensible mobile device management platform. Now that Mitchells & Butlers has laid the groundwork for a mobile platform for the field, it can use Microsoft Intune to easily deploy more apps to the devices. “This is just the beginning of a new way of working for our retail teams,” says Banham. “By using Microsoft Intune, we can improve staff members’ work experience and guest satisfaction, while reducing IT labor and operational costs. Everyone wins.”
48
Empire Today, a national flooring company, uses mobile device management to expedite sales and boost efficiency.

“Our competitive strategy depends on deploying Microsoft Intune to manage 1,200 tablets used by our independent sales contractors to improve our in-home sales process and win more business.” Steven Creaney, Senior .NET Developer, Empire Today

Empire Today Case Study: Empire Today built its home furnishings business on fast, efficient shop-at-home convenience, including free, in-home estimates and next-day installation. To solidify its reputation for expedient, professional service, Empire wanted to improve the in-home sales process by providing its 1,200 sales representatives with mobile technology. These reps carried binders of product information and used paper to draw diagrams, calculate floor space, and create sales contracts for the customer to sign. Empire wanted to standardize the sales process and make it easier for reps to enter correct data for calculating material requirements, to ensure accurate quotes. It created a mobile app that would remove the guesswork for the order management team, who had to decipher each rep’s faxed instructions. Empire needed a way to easily deploy and update the app, including updated state-specific contractual regulations. It also wanted to reduce paper costs. And with more than 1,200 tablets in the hands of sales reps across the United States, Empire needed a mobile device management solution that reduced the support burden on Empire IT staff.

Microsoft Intune and System Center 2012 R2 Configuration Manager enabled Empire Today to centrally manage a fleet of Nokia Lumia tablets running the Windows 8.1 RT operating system and a touch-enabled app called Precision Quote™, and provided a way to deploy the app and any subsequent updates. Empire is using its mobile technology solution from Microsoft to achieve a new service paradigm that builds on its reputation for efficient, professional, in-home service.

Empire’s competitive strategy depends on having technology that enables its 1,200 sales staff to be productive with well-managed tablets, so they can improve the in-home sales process and win more business. Equally, the unified Microsoft approach has helped Empire be more efficient with existing staff. Without the Microsoft solution, Empire would have had to hire approximately 20 people to support the sales force and the mobile devices.
49
EMS Overview 10/3/2017

Foxtons, a real estate agency, boosts business and customer service with a remotely managed solution.

“By adding Microsoft Intune to our environment … we can deploy, secure, and manage mobile apps that staff use to move faster than the competition and drive business.” Gurdip Kundi, Senior Systems Engineer, Foxtons

Foxtons Case Study: Founded in 1981, British real estate agency Foxtons is headquartered in West London, England. The company provides property rental and sales services from 49 offices in London and Surrey. Foxtons uses Microsoft Intune to secure and manage employees’ smartphones running Windows Phone 8 and two productivity-enhancing apps. The solution plays a crucial role in enabling the mobility that contributes to Foxtons’ competitive advantage.

Situation: Enhance estate agents’ mobility with smartphones running Windows Phone 8 and proprietary apps.

Solution: Subscribed to Microsoft Intune to centrally manage the smartphones and provide better support to agents in the field.

Benefits:
- Improved mobile productivity and service
- Improved security
- Reduced development time and IT management
- Expedited remote support
- Enhanced reputation for business innovation

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Surface and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
50
The Walsh Group, a Chicago-based construction firm, uses cloud-based tools to advance mobility and productivity.

“We use the Enterprise Mobility Suite to empower employees to use their own devices to securely access and share their data. The upshot? We’re improving project management and reducing costs.” Patrick Wirtz, Innovation Manager, The Walsh Group

The Walsh Group Case Study: The Walsh Group, a construction firm, is busy building strategies to accommodate the proliferation of employee-owned devices used on job sites across the United States. For Walsh, the business case for enabling BYOD (bring your own device) is clear: the more employees can use their devices to access and share corporate resources from anywhere at any time, the better they can collaborate on efficient project management. The company turned to the Microsoft Enterprise Mobility Suite to enable this new workplace scenario. IT staffers are using the suite’s three cloud-based services—Microsoft Azure Active Directory Premium, Microsoft Intune, and Azure Rights Management—for user identity and access management, mobile device management, and file and data protection capabilities. “The Enterprise Mobility Suite offered everything we needed in one, cost-effective package,” says Wirtz. “We spent less on 2,700 licenses for the entire suite than it would have cost for one third-party mobile device management solution.”

The Walsh Group is using Microsoft Intune to administer 2,400 non-domain-joined devices. When employees enroll their devices in the Intune service, they can access the Microsoft Intune Company Portal to download company-endorsed applications and services, such as Office 365 services like Microsoft SharePoint Online collaboration sites and OneDrive for Business online storage space. “It is only because we use Microsoft Intune to manage and secure employees’ devices that we can enable mobile access to corporate resources,” says Wirtz.
A rendering of the new Tom Bradley International Terminal’s great hall. (credit: Los Angeles World Airports)
51
Empowering enterprise mobility
Enable your users. Protect your data. (Diagram labels: User, IT, Devices, Apps, Data)

To recap, empowering enterprise mobility isn’t just about managing devices. It isn’t just about identity or data protection, either. It’s a unified, people-centric approach that spans identity, devices, apps, and data to ensure that users are as productive as possible, data is protected, and cost and complexity are reduced. And for most organizations, aligning to the Microsoft strategy means you can build on top of investments you have already made. Here are some interesting stats:

- 66% of businesses are already using System Center Configuration Manager.
- There are 240 million user accounts for Azure Active Directory.
- We now see 14 billion Azure Active Directory authentications every week.

Management. Access control. Information protection.
52
Managed email and productivity
Layers: Identity, Device (optional), Application, Data

Let’s quickly see how these four layers of protection can help deliver a great and secure experience with EMS and Outlook.

- Identity: First, EMS ensures that only authorized users are permitted to access corporate and documents by using security features at the identity layer, such as cloud-based authentication and authorization, multi-factor authentication, and advanced security reports that leverage Microsoft Azure machine learning capabilities.
- Device: At the next layer, EMS is able to manage and enforce device-level settings such as encryption and password requirements via mobile device management (MDM).
- Application: EMS also provides protection at the application layer with mobile application management (MAM) capabilities that help prevent the leakage of corporate data by restricting actions in Office mobile apps such as cut, copy, paste, and save as. And with the unique multi-identity capabilities, employees can use a single app (such as Outlook) for both personal and corporate use while EMS helps to ensure the corporate data is separated and protected.
- Data: Finally, EMS goes beyond app-layer protection to help secure highly confidential documents at the file layer. Using EMS, employees can encrypt virtually any type of file, set granular permissions, and track usage to ensure that only the right people inside and outside of the organization can access attachments and documents, wherever the files are located.
53
Microsoft Passport management for Windows 10
Microsoft Intune: Deploy a certificate and Microsoft Passport settings. Note: The capabilities shown on this slide are still in development.

This architecture diagram shows the management capabilities of Intune to deploy a certificate (either through SCEP or directly as a .pfx certificate) to the user’s Microsoft Passport container, as well as to set Passport for Work policies that enable the user’s Windows 10 device to access corporate resources on-premises and in the cloud.

Diagram labels: Authenticate and trust my unique key; Access corporate resources; Azure Active Directory and Active Directory; Authentication token.
54
Why CYOD? IT admins End users
IT admins:
- Need an easy way to prepare corporate-owned devices for enrollment
- Need to distinguish corporate-owned devices from personally owned devices in the management console
- Need a fast and easy way to bulk enroll shared devices
- Need devices to be secure at all times and within IT control

End users:
- Need a fast and easy way to enroll CYOD devices
- Should not be able to un-enroll devices that are corporate-owned
- Need access to corporate apps and other MDM capabilities on devices to be productive

This slide details some of the core reasons why an organization may consider a CYOD approach instead of BYOD (or in parallel with a BYOD approach). CYOD is important for many organizations, and Intune provides multiple options to enable this approach.
55
Evolution of mobile device management in Windows
Evolution of mobile device management in Windows: significant investments in added functionality for both mobile and desktop devices. (Diagram labels: Basic management and security settings; Device lockdown; Comprehensive device management; Phone; Desktop)

In Windows 8.1 and Windows Phone 8.1, we introduced mobile device management (MDM) capabilities. For PCs, these capabilities focused on BYOD scenarios, such as ensuring the devices met your security requirements before they could access corporate and resources. For Windows Phone 8.1, these capabilities went a little further, enabling more “device lockdown” capabilities for configuring special-purpose devices for running specific line-of-business apps.

Now with Windows 10, we have greatly expanded these capabilities to provide much more robust mobile device management. It’s important to note that we did not recreate the 3,600 group policy settings that Windows has today. Instead, we are providing an appropriate set of high-level capabilities. With the July release of Windows 10, we have added over 100 settings, and more will be added incrementally over the coming months.
56
Mobile application management
Diagram labels: Personal apps; Managed apps; User; attachment; Copy; Paste; Save; Paste to personal app; Save to personal storage.

Let’s now take a closer look at how app-level policies can help keep company data and information secure. Our user receives a work through her managed Outlook account with an attached Excel spreadsheet containing information she needs for a report. Our user opens the attachment in her Excel mobile application to find the information she needs. She then wants to copy the info to add to her report. But when she tries to paste it into her personal notepad, it doesn’t work: the personal notepad is not a managed app, and our IT pro has applied policies that restrict copy, paste, and cut functions to only apps that are part of the managed app ecosystem (for Intune-enrolled devices). So our user opens her Microsoft Word mobile app, which is managed by Intune, and she is successfully able to paste her information.

Now our user wants to save the working copy of her report to her personal OneDrive account so that she can access it from her home computer. Because her personal OneDrive account is not one of the managed applications, she’s unable to save it there. IT has applied policies restricting the ability to save to only apps that are part of the managed app ecosystem. So our user must save her working copy to her managed OneDrive for Business account, which means that when she does want to work on this report from another device, that device will have to be enrolled for management.

By using the mobile application management capabilities of Intune, the IT pro can help prevent leakage of important company data and make sure that this information doesn’t get into the wrong hands. Maximize productivity while preventing leakage of company data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and unmanaged apps.
57
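The walkthrough above is a sequence of allow/block decisions driven by one rule: corporate data may leave a managed app only into another managed app. The following Python model replays that sequence and keeps an audit trail of each decision, which is what a defender would want to review when a policy is tuned. It is an added illustration, not Intune's own code or policy format: the app names, the `MamPolicy` fields and the event sequence are constructed to mirror the slide.

```python
"""Model of how an Intune-style mobile application management (MAM) policy
decides whether data may move between apps. Added illustration, not Intune's
own code: app names, policy fields and the event sequence are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    CUT = "cut"
    COPY = "copy"
    PASTE = "paste"
    SAVE_AS = "save_as"


@dataclass(frozen=True)
class App:
    name: str
    managed: bool  # True if the app is part of the managed-app ecosystem


@dataclass
class MamPolicy:
    """Assumed policy shape: corporate data may only flow to managed apps."""
    clipboard_managed_only: bool = True  # governs cut / copy / paste
    save_as_managed_only: bool = True    # governs save-as
    audit: List[str] = field(default_factory=list)

    def allows(self, action: Action, source: App, dest: App) -> bool:
        # Data that did not originate in a managed app is personal data and
        # is not restricted by the policy; only corporate data is fenced in.
        if not source.managed:
            allowed = True
        elif action is Action.SAVE_AS:
            allowed = dest.managed or not self.save_as_managed_only
        else:
            allowed = dest.managed or not self.clipboard_managed_only
        verdict = "allow" if allowed else "block"
        self.audit.append(f"{verdict} {action.value} {source.name} -> {dest.name}")
        return allowed


# Constructed apps for the walkthrough: Office apps managed by Intune, and
# two personal apps outside the managed ecosystem.
EXCEL = App("Excel (managed)", managed=True)
WORD = App("Word (managed)", managed=True)
ONEDRIVE_BUSINESS = App("OneDrive for Business (managed)", managed=True)
NOTEPAD = App("personal notepad", managed=False)
ONEDRIVE_PERSONAL = App("personal OneDrive", managed=False)


def walkthrough(policy: Optional[MamPolicy] = None) -> List[Tuple[str, bool]]:
    """Replay the slide's scenario and return (step, allowed) pairs."""
    policy = policy or MamPolicy()
    steps = [
        ("paste spreadsheet data into personal notepad", Action.PASTE, EXCEL, NOTEPAD),
        ("paste spreadsheet data into managed Word", Action.PASTE, EXCEL, WORD),
        ("save report to personal OneDrive", Action.SAVE_AS, WORD, ONEDRIVE_PERSONAL),
        ("save report to OneDrive for Business", Action.SAVE_AS, WORD, ONEDRIVE_BUSINESS),
    ]
    return [(label, policy.allows(action, src, dst)) for label, action, src, dst in steps]


if __name__ == "__main__":
    policy = MamPolicy()
    for label, ok in walkthrough(policy):
        print(f"{'ALLOW' if ok else 'BLOCK'}: {label}")
    print("\n".join(policy.audit))
```

Note the asymmetry the model makes explicit: pasting from a personal app into a managed app is allowed, because the restriction is on corporate data leaving the managed ecosystem, not on data entering it. Loosening `clipboard_managed_only` while keeping `save_as_managed_only` shows that the two controls are independent and should be reviewed separately.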
Manage devices from virtually anywhere
New intuitive dashboard: Respond to alerts; Manage software deployments; Configure and deploy policies; View reports; Role-based management; Intune web console.

Now that we have talked about the extensive number of features in Intune, it is important to discuss how they are actually configured. The newly redesigned Intune admin console provides an intuitive dashboard that shows a summary of the environment, enabling your IT admin to notice issues at a glance and start working on them as soon as possible. The console is easy to use and accessible from anywhere. It gives the IT pro the ability to manage policies, applications, and updates in your organization, as well as to view reports and alerts to get better insight into the state of your devices and start working on possible issues.
58
Deployment flexibility
Intune standalone (cloud only): Manage and Protect
- No existing infrastructure necessary
- No existing Configuration Manager deployment required
- Simplified policy control
- Simple web-based administration console
- Faster cadence of updates
- Always up-to-date

Devices supported (mobile devices and PCs, managed from the Intune web console): Windows PCs (x86/64, Intel SoC), Windows RT, Windows Phone 8.x, iOS, Android, OS X

If you want an easy to deploy and maintain solution to manage your mobile devices, then Intune standalone is the way to go. All the features that we discussed earlier are available in Intune standalone. Current scale: PC+MDM: 4K users, 6K PCs, and 7K devices; MDM only: 25K users and 50K mobile devices.
59
Deployment flexibility
System Center 2012 R2 Configuration Manager with Microsoft Intune (Configuration Manager integrated with Intune, hybrid)
- Build on existing Configuration Manager deployment
- Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
- Deep policy control requirements
- Greater scalability
- Extensible administration tools (RBA, PowerShell, SQL Reporting Services)

Devices supported (domain-joined PCs and mobile devices, managed from the Configuration Manager console): Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Server, Linux, OS X, Windows RT, Windows Phone 8.x, iOS, Android

By integrating Intune with System Center 2012 R2 Configuration Manager, the administrator still gets a single-pane-of-glass view, but now incorporating on-premises PC management with cloud-based device management. Configuration Manager also enables deeper administration capabilities.
60
PC management Intune standalone (cloud only)
PC management

Intune standalone (cloud only):
- Lightweight, agentless OR agent-based management
- PC protection from malware
- PC software update management
- Software distribution
- Proactive monitoring and alerts
- Hardware and software inventory
- Policies for Windows Firewall management

Configuration Manager integrated with Intune (hybrid):
- Lightweight, agentless OR comprehensive agent-based management
- PC protection from malware
- PC software update management
- Software distribution
- Proactive monitoring and alerts
- Hardware and software inventory
- Policies for Windows Firewall management
- Operating system deployment
- PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management
- Power management
- Custom reporting

Microsoft Intune provides a rich console to address the needs of managing many aspects of the PC and mobile device environment, including software distribution and updates, as well as monitoring and reporting. When choosing between Intune standalone (cloud only) and System Center Configuration Manager integrated with Microsoft Intune (hybrid), you should take into account what features are required to support your environment. The hybrid solution provides the following additional PC management features:
- Comprehensive PC management (including management of Windows Server/Linux/Mac OS X, and virtual desktops) as well as mobile device management
- Operating system deployment
- Power management
- Custom reporting

With Intune, you can manage via lightweight, agentless management (via OMA DM) or manage via agents. With the hybrid solution, you must manage via an agent. Integrating System Center Configuration Manager with Intune is a great option for when you want to manage domain-joined PCs, Macs, Linux/Unix servers, Windows Servers, as well as mobile devices from a single management console.
61
Settings management User
Comprehensive security policies are enforced on each platform:
- Extensive configuration settings are available for each platform
- Reporting is available on each setting: whether it is applicable, conformant, or has an error
- Policies can be applied to user and device groups

Now, let’s talk in a little more detail about the policies and resource access profiles that are deployed to the device upon enrollment in Intune. When it comes to deploying policies to devices, Intune can do the following:
- Deploy security policies such as encryption, password, etc.
- Deploy configuration policies
- Provide per-setting reporting for each device in the Intune admin console
- Deploy policies to user groups or to devices directly

For an expanded list of policies see:
62
Automatic VPN connection
TechReady 18 10/3/2017

VPN profiles

VPN profiles are another really cool feature. Intune can deploy VPN profiles straight to users’ devices, which enables users to gain access to internal corporate resources without any configuration or manual work. In addition, Intune can also configure automatic VPN connection, which automatically starts the VPN connection based on the pre-configured settings.

VPN support:
- Support for major SSL VPN vendors
- Support for VPN standards like PPTP, L2TP, IKEv2

Automatic VPN connection:
- DNS name-based initiation support for Windows 8.1 and iOS
- Application ID-based initiation support for Windows 8.1

Per-app VPN (iOS): For iOS, there is also an option for per-app VPN, where the VPN tunnel is created for a specific app when it is launched. On-demand VPN connection for corporate apps only; routes only that specific app’s data to the corporate VPN.

Supported VPN vendors: Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
63
Manage and distribute certificates
WiFi and certificates

Another useful set of features in Intune is the ability to deploy WiFi profiles and certificates to users’ devices. With WiFi profiles, Intune can provision WiFi networks so that the device auto-connects to the network when it is in range. For example, my phone can be connected to the conference WiFi right now, but when I go to my office, it will connect to the WiFi there automatically. No entering passwords, no figuring out how to get certificates onto my device; it just works. When it comes to certificates, Intune can deploy trusted root certificates to the devices, as well as SCEP profiles that instruct the devices to get additional certificates from the NDES server in your organization.

WiFi settings:
- Manage Wi-Fi protocol and authentication settings
- Provision Wi-Fi networks that devices can auto-connect to
- Specify the certificate to be used for the Wi-Fi connection

Certificates (manage and distribute certificates):
- Deploy trusted root certificates
- Support for Simple Certificate Enrollment Protocol (SCEP)
- Set up certificate-based authentication
64
Mobile device inventory
Hardware properties for mobile devices are collected; company app inventory is collected; personal app inventory is not collected; reporting.

As part of the management capability of Intune, inventory data is collected from the mobile devices and made available via the Intune admin console. This enables the administrator to easily track what hardware is in use and to track potential issues, such as when devices approach storage capacity limits. In addition to hardware inventory, Intune also collects inventory on the apps installed on the devices. For employee-owned devices, Intune only collects corporate-deployed apps, not personal apps installed by the users. For corporate-owned devices, all app inventory is collected. Finally, Intune also provides multiple reports that can be used to get better insight into your managed devices and apps.
65
Conditional access for Office 365
Conditional access for Office 365 (Identity & Access; Productivity)

Who does what?
- Intune: Evaluates policy compliance for the device
- Azure AD: Authenticates the user and provides device compliance status
- Exchange Online: Enforces access to based on device state

Flow (mobile device, Microsoft Intune, Azure Active Directory, Office 365):
1. Attempt connection
2. Is the device managed and compliant?
3. Return device state
4. If not compliant, push the device into quarantine (quarantine with remediation steps: link to enroll the device and compliance remediation steps)
5. Enrollment / compliance remediation
6. Set device management/compliance status
7. If compliant, access is granted

This diagram displays the integration with O365 to manage access to the . Requires users to enroll their devices, as well as being compliant with Intune policies, before getting access to .
66
Conditional access for Exchange on-premises
Conditional access for Exchange on-premises

Who does what?
- Intune: Evaluates and manages device state
- Exchange Server: Provides API and infrastructure for quarantine

Flow (mobile device, on-premises Exchange server, Microsoft Intune):
1. Block unmanaged device
2. Attempt connection
3. If not managed, push the device into quarantine (quarantine with remediation steps: link to enroll the device)
4. Device enrollment
5. Allow managed device
6. If managed, access is granted

This diagram displays the integration with Exchange on-premises to manage access to the . Requires users to enroll their devices before getting access to .
67
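The two conditional-access flows above, together with the settings-management slide before them (security policies such as encryption and password requirements), reduce to a small decision: Intune evaluates the device against its compliance policy, and mail access is granted only to devices that are managed (Exchange on-premises) or managed and compliant (Office 365); everything else lands in quarantine with remediation steps. The Python below models that decision over a constructed fleet. It is an added illustration, not Intune's own code: the `CompliancePolicy` fields, the device records and the remediation strings are assumptions chosen to mirror the slides.

```python
"""Model of the conditional-access decision for Office 365 and for Exchange
on-premises, driven by an Intune-style device compliance policy. Added
illustration, not Intune's own code; policy fields, devices and remediation
strings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CompliancePolicy:
    """Assumed subset of the security settings a policy can require
    (the slides name encryption and password requirements)."""
    require_encryption: bool = True
    min_passcode_length: int = 6
    min_os_version: Tuple[int, int] = (8, 1)


@dataclass
class Device:
    device_id: str
    enrolled: bool                       # managed by Intune
    encrypted: bool = False
    passcode_length: int = 0             # 0 means no passcode set
    os_version: Tuple[int, int] = (0, 0)


@dataclass
class AccessDecision:
    granted: bool
    reason: str
    remediation: List[str] = field(default_factory=list)  # shown in quarantine


def compliance_failures(device: Device, policy: CompliancePolicy) -> List[str]:
    """Intune's part of the flow: evaluate the device and list what to fix."""
    failures = []
    if policy.require_encryption and not device.encrypted:
        failures.append("enable device encryption")
    if device.passcode_length < policy.min_passcode_length:
        failures.append(f"set a passcode of at least {policy.min_passcode_length} characters")
    if device.os_version < policy.min_os_version:
        want = ".".join(str(n) for n in policy.min_os_version)
        failures.append(f"update the OS to {want} or later")
    return failures


def office365_access(device: Device, policy: CompliancePolicy) -> AccessDecision:
    """Office 365 flow: Exchange Online asks Azure AD whether the device is
    managed and compliant; anything else is quarantined with remediation."""
    if not device.enrolled:
        return AccessDecision(False, "not managed", ["enroll the device in Intune"])
    failures = compliance_failures(device, policy)
    if failures:
        return AccessDecision(False, "managed but not compliant", failures)
    return AccessDecision(True, "managed and compliant")


def exchange_onprem_access(device: Device) -> AccessDecision:
    """Exchange on-premises flow: only the management state is checked, so an
    enrolled device that fails compliance is still admitted here."""
    if not device.enrolled:
        return AccessDecision(False, "not managed", ["enroll the device in Intune"])
    return AccessDecision(True, "managed")


# Constructed fleet: one compliant device, one enrolled but weak, one unenrolled.
FLEET = [
    Device("phone-a", enrolled=True, encrypted=True, passcode_length=6, os_version=(8, 1)),
    Device("phone-b", enrolled=True, encrypted=False, passcode_length=4, os_version=(8, 1)),
    Device("phone-c", enrolled=False),
]


def evaluate_fleet(policy: Optional[CompliancePolicy] = None) -> Dict[str, Tuple[bool, bool]]:
    """Return {device_id: (office365_granted, exchange_onprem_granted)}."""
    policy = policy or CompliancePolicy()
    return {
        d.device_id: (office365_access(d, policy).granted, exchange_onprem_access(d).granted)
        for d in FLEET
    }


if __name__ == "__main__":
    policy = CompliancePolicy()
    for d in FLEET:
        o365 = office365_access(d, policy)
        print(f"{d.device_id}: O365 {'grant' if o365.granted else 'quarantine'} ({o365.reason})"
              f"{'; fix: ' + ', '.join(o365.remediation) if o365.remediation else ''}")
```

The constructed device `phone-b` is the case worth noticing: it is enrolled, so the on-premises flow admits it, but it fails encryption and passcode requirements, so the Office 365 flow quarantines it with those two remediation steps. That difference is exactly what the two "Who does what?" lists express: the on-premises integration only has a management state to act on.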
Paths to managed applications
Paths to managed applications

Office mobile apps: Microsoft Office mobile apps are natively manageable with Intune (Word, Excel, PowerPoint, OneNote, Outlook, OneDrive for Business).

Intune viewer apps: Intune provides apps for secure content viewing (Managed Browser, PDF Viewer, AV Player, Image Viewer).

Intune App Wrapping Tool: Make any app manageable without modifying code; ‘wrap’ internal line-of-business (LOB) apps to manage them with Intune MAM policies.

Intune App SDK: Build your apps from the ground up with the Intune App SDK; developers can easily integrate applications for manageability; provides more control over the user experience than the App Wrapping Tool.

So far we have mostly been talking about managing Office mobile apps with Intune, but there are multiple options when it comes to managed applications. Let’s quickly go over them.
68
Making applications manageable
Intune App Wrapping Tool: Allows you to apply Intune MAM policies to existing line-of-business (LOB) apps:
- Post-compilation command line tool for IT pros
- Supports repackaging unencrypted applications
- Applications are signed with company-specific certificates
- Platform-specific tools for iOS (Mac OS X) and Android (Windows)
- Published by Microsoft (available on Download Center)
- Product documentation and in-tool command line help

Intune App SDK: Enables additional options to manage internal apps with Intune MAM policies:
- Intune App SDK and App Wrapping Tool use the same processing and enforcement engine
- SDK can be used for both LOB apps and store apps
- Enables additional MAM functionality over the app compared with the App Wrapping Tool (for example: disable the app’s save as functionality)

For organizations that would like to make their internal line-of-business (LOB) apps manageable, the Intune App Wrapping Tool can be used. The tool enables the IT pro to add MAM functionality to company internal apps and then deploy them with Intune MAM policies. Intune will enforce the MAM policies for the managed apps on the users’ devices. This is a relatively quick way to enable mobile application management for internal apps.

Another way to add Intune MAM functionality to internal company apps is with the Intune SDK. It enables developers to recompile their apps using the Intune SDK, which adds expanded MAM functionality to the apps (when compared to the Intune App Wrapping Tool). In addition, apps that were recompiled with the SDK can be added to the public app stores (iOS, Android), which means that Intune can install apps directly from the store and manage them with MAM policies.

Both the Intune App Wrapping Tool and the SDK use the same core policy processing and enforcement “engine”. For the SDK, there are specific calls that the SDK sends to the device to customize the behavior. Examples are:
- Disable App PIN: used to tell the app not to show its own PIN (if the app has one), because the IT pro-managed PIN will be displayed by the SDK
- Disable Save As: used to tell the app to disable in-app save as features
- Identity Selective Wipe: used to tell the app the UPN of the user account that should be wiped, so only the managed data is removed from the app

For the App Wrapping Tool, these specific calls are not available because the app is not rewritten to use them.
69
Steps for protecting LOB apps
Diagram labels: User; IT; Intune App Wrapping Tool or SDK; LOB application.

This is the workflow of adding MAM functionality to internal apps and then deploying them to users:
1. Acquire. Option 1: Wrap LOB apps or recompile them with the Intune App SDK. Option 2: Purchase store applications that include the Intune App SDK.
2. Import. Import LOB app packages or app deep links into Intune.
3. Configure. Create MAM policies.
4. Deploy. Associate the MAM policy with user group(s) during application deployment; deploy the app; apply MAM policies.
70
Application delivery options
10/3/2017

Scenarios by app origination. The slide's table marks, for each scenario, support on Windows 8.1/10, Windows Phone 8.1, iOS and Android.

Line-of-business apps (sideloading):
- Available in Company Portal; targeted to users
- Mandatory install and uninstall; targeted to users and devices; user consent required

Public store apps:
- Deep-linked app; available in Company Portal; targeted to users
- Managed store app; available in Company Portal; targeted to users
- Managed store app; mandatory install and uninstall; targeted to users and devices

Intune provides multiple options to deploy apps directly to users or to make them available in the Company Portal on users' devices. The app delivery options are displayed on the slide.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
71
Flexible management of public store apps
External/deep-linked apps:
- End user is taken to the store for installation
- Installation status is not reported in the admin console
- IT Pro can only make the app available in the Company Portal
- App on the device is marked as a personal app in inventory
- Works for both free and paid apps
- MAM policies cannot be applied

Managed store apps:
- No trip to the store; installation begins directly
- Installation status is reported in the admin console
- Apps can be pushed and installed directly
- App on the device is marked as a managed app in inventory
- Works only for free store apps
- MAM policies can be applied

One new feature worth mentioning is the ability to install public apps on devices directly from the app store. Previously, you could only make public apps available in the Company Portal, which required the user to install the app manually. This feature saves the user time and makes the experience more pleasant. In addition, if the app is built with the Intune App SDK, Intune can apply MAM policies to it and selectively wipe its corporate data when the device is retired. The flip side follows from the left-hand column: a deep-linked app is inventoried as a personal app and receives no MAM policy, so any corporate data that ends up in it is outside the reach of selective wipe.
72
Options for corporate data removal
Full wipe (restore device to factory defaults):
- All data on the device is removed
- Device is reset to factory defaults
- Typically used for lost/stolen devices or for resetting corporate-owned devices

Selective wipe (remove company assets from device):
- Company resources (apps, data, profiles, certificates, settings) are removed
- MAM support adds the ability to remove only corporate data from multi-account applications
- Typically used for personally-owned devices

Now let's talk about the options Intune provides for the corporate data removal we mentioned on the previous slide. Even though selective wipe is great for BYOD scenarios, because it does not remove personal data and apps, there are cases when a device needs to be fully wiped, such as when the device is lost or stolen or when a corporate-owned device needs to be reset. Both actions are carried out by the device when it next checks in with the service; neither takes effect while the device is offline, which is why device encryption and a PIN policy still matter for the lost/stolen case.

Full wipe effects depend on the platform and management type (EAS or native):
- iOS, Android, Windows Phone (native management): complete wipe and reset to factory defaults
- Android managed through EAS: EAS mailbox removal only
- Windows RT and Windows 8: only EAS mailbox removal, if managed through EAS

Selective wipe (user- or admin-initiated):
- Removes the record of the device from the system
- Disables further MDM app installation and settings management on the device
- Selectively wipes corporate app data
- Uninstalls MDM-installed apps and removes their data
- Removes enterprise EFS certificates
- iOS and Windows Phone 8.1 selective wipe
73
Managed corporate-owned devices
Bulk enrollment:
- Bulk enroll devices with a service account
- Support for Apple Configurator
- Support for Apple Device Enrollment Program
- Windows 10 provisioning profiles

Configuration policies:
- Custom iOS policy
- Device lockdown
- Policies and apps targeted to devices
- Application install allow/deny list

Intune has multiple features that enable enrollment and management of corporate-owned devices. Here is a summary of the Intune features that apply to corporate-owned devices; we will cover each of them in detail next.
- Bulk enroll devices with a service account: gives the IT Pro the ability to enroll a large number of devices with a single service account.
- Apple Configurator support: iOS devices automatically enroll in Intune on first boot.
- Apple Device Enrollment Program: streamlines the enrollment and management process for iOS devices purchased directly from Apple.
- Custom iOS policy: export a custom iOS configuration from Apple Configurator and use it to create a policy that can be deployed to iOS devices.
- Device lockdown: lock down iOS, Android and Windows Phone devices for specific purposes such as kiosks or restaurant menus.
- Policies and apps targeted to devices: the IT Pro can deploy apps and policies to device groups.
- Application install allow/deny list: the IT Pro can specify which apps are allowed or blocked on users' devices.
74
Bulk enrollment with a service account
(Diagram: IT enrolls devices on behalf of users with a service account and applies policies; a business manager distributes the devices to users in a restaurant, school or retail store.)

With Intune, you can now simplify the enrollment of corporate devices using bulk enrollment capabilities delivered through an Intune service account. This lets IT administrators set policies and deploy applications at scale. With the Device Enrollment Manager role in Intune, you can enroll up to 1,000 devices with a single service account, speeding up the enrollment of task-worker devices and minimizing account and password management overhead. It also allows customers to create accounts for specific task-worker roles (for example, waitress at a restaurant or sales clerk at a retail store), so that all devices associated with that account can be targeted with the same apps and policies.

Note: Company Portal access on these devices is limited so that the user of one device cannot wipe or lock the other devices associated with the same account. The service account itself is privileged, however: anyone holding its password can enroll and manage every device tied to it, so it should not be handed to the task workers.
75
Bulk enrollment with Apple Configurator
(Diagram: IT exports a device enrollment profile from Intune, imports it into Apple Configurator, configures the iOS devices with Apple Configurator, and the devices automatically enroll on first power-on.)

Another bulk enrollment option in Microsoft Intune is support for Apple Configurator, which can further simplify the enrollment of corporate-owned iOS devices and also enables additional management functionality for them. The diagram on this slide shows the process of enrolling corporate-owned devices in Intune through the integration with Apple Configurator.

Apple Configurator:
- A free Apple application for Mac OS X computers
- Enables IT to prepare multiple devices with specific restrictions and settings
- Devices need to be tethered to a Mac
- Enables supervised mode and assigning mobile devices to particular users or groups
76
Apple Device Enrollment Program (DEP)
(Diagram: User and IT; the numbered steps are listed below.)

Intune also supports the Apple Device Enrollment Program. With this feature you can streamline the enrollment and management of iOS devices purchased directly from Apple. With DEP you can install a non-removable MDM profile on a device, automatically provision devices over the air in Supervised mode without using Apple Configurator, and require enrollment for all end users. Through a simplified Setup Assistant, end users go through only a few clicks after taking a new device out of the box before it is automatically configured with the necessary device profiles.

The diagram on this slide shows the following steps:
1. The IT Pro registers their organization with Apple.
2. The IT Pro establishes a trust link between Apple and Intune using a token issued by Apple. This mirrors the MDM vendor / APNS certificate process Intune already uses.
3. Intune syncs the IT Pro's information from Apple, including: a. device purchases; b. account properties; c. Apple IDs.
4. From the Intune interface, the IT Pro configures a management profile: a. supervised / unsupervised; b. the scope of devices; c. inclusion / exclusion of Setup Assistant pages: i. passcode requirements; ii. location services; iii. restoring from backup; iv. signing in with Apple ID and iCloud; v. enabling / disabling Siri; vi. upload of diagnostic data.
5. Deploy the configuration: the profile is uploaded from Intune to Apple's servers.

The token from step 2 is the trust anchor of this flow: whoever can upload profiles under it decides which MDM a freshly unboxed device enrolls with, so it deserves the same protection as the APNS certificate.
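Steps 4 and 5 above amount to building a DEP profile and handing it to Apple. The following is an added example, not Intune's code: it builds a profile with the fields Apple's Device Enrollment Program API uses for those choices, as the author understands them (is_supervised, is_mandatory, is_mdm_removable, await_device_configured, skip_setup_items), and checks it against a corporate-device baseline. The profile name, the mdm.contoso.example URL and the 24-item skip list are assumptions for the example. Intune generates and uploads this profile on your behalf, so the check here is the review you would apply to the options chosen in the Intune console before deploying.

```python
import json
from urllib.parse import urlparse

# Setup Assistant pages a DEP profile may skip, using the names Apple's DEP profile API
# accepts in skip_setup_items (as the author understands them; assumption). The slide lists
# the same pages in prose: passcode, location, restore, Apple ID/iCloud, Siri, diagnostics.
KNOWN_SKIP_ITEMS = {
    "Passcode", "Location", "Restore", "AppleID", "Siri", "Diagnostics",
    "TOS", "Biometric", "Payment", "Zoom", "DisplayTone", "Privacy", "Android",
}


def build_dep_profile(name, mdm_url, skip_items, *, supervised=True, mandatory=True,
                      mdm_removable=False, await_configured=True):
    """Return a DEP profile dict in the shape an MDM server posts to Apple's profile API."""
    return {
        "profile_name": name,
        "url": mdm_url,                                 # enrollment URL the device contacts
        "is_supervised": supervised,                    # step 4a: supervised / unsupervised
        "is_mandatory": mandatory,                      # user cannot skip MDM enrollment
        "is_mdm_removable": mdm_removable,              # False = non-removable MDM profile
        "await_device_configured": await_configured,    # stay in Setup Assistant until MDM is done
        "skip_setup_items": sorted(set(skip_items)),    # step 4c: Setup Assistant pages to hide
    }


def check_dep_profile(profile) -> list:
    """Corporate-device baseline; an empty list means nothing to object to."""
    findings = []
    if urlparse(profile.get("url", "")).scheme != "https":
        findings.append("enrollment url is not https")
    if not profile.get("is_supervised"):
        findings.append("device will not be supervised; lockdown needs supervision")
    if not profile.get("is_mandatory"):
        findings.append("enrollment is optional; the user can skip MDM during setup")
    if profile.get("is_mdm_removable", True):
        findings.append("MDM profile is user-removable")
    if not profile.get("await_device_configured"):
        findings.append("device is usable before MDM has finished configuring it")
    skipped = set(profile.get("skip_setup_items", []))
    unknown = sorted(skipped - KNOWN_SKIP_ITEMS)
    if unknown:
        findings.append(f"unknown skip_setup_items: {unknown}")
    if "Passcode" in skipped:
        findings.append("Passcode page skipped: push a passcode policy at enrollment "
                        "or the device starts without one")
    return findings


if __name__ == "__main__":
    profile = build_dep_profile("Contoso task workers",                 # hypothetical name
                                "https://mdm.contoso.example/enroll",   # hypothetical URL
                                ["Siri", "Diagnostics", "Restore"])
    print(json.dumps(profile, indent=2))
    print("findings:", check_dep_profile(profile) or "none")
```

Skipping the Restore and Apple ID pages is what keeps a personal iCloud backup or account off a task-worker device; skipping the Passcode page is only safe if the passcode payload arrives with the MDM enrollment, which is why the check treats it as a finding rather than a preference.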
77
Custom iOS policy

(Diagram: IT exports a custom configuration policy from Apple Configurator, imports the configuration file into Intune, and deploys the custom policy to users' iOS devices.)

Support for Apple Configurator provides another benefit. The IT Pro can create a custom iOS configuration in the Apple Configurator tool and export it as a file. This file can be imported into Intune, and the IT Pro can use it to create a custom iOS policy that is then deployed to iOS devices. This enables configuration of iOS devices beyond what is available through Intune's built-in iOS mobile device management policies. The diagram on this slide shows this process. Intune does not validate the contents of a custom profile, so review the exported file before importing it: it carries whatever the Configurator author put in it, and a certificate, proxy or VPN payload is a far more consequential thing to push to every device than a restrictions setting.
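The review step above can be scripted. The following is an added example (not part of the slide deck, and not Microsoft's or Apple's code): it parses a .mobileconfig with Python's plistlib, lists the payload types, and flags what a reviewer cares about before the file goes into Intune: a non-removable profile, payloads that widen the device's trust boundary (root CA, PKCS#12, global proxy, VPN, SCEP, MDM), a weak passcode policy, and missing or duplicate payload UUIDs. The embedded sample profile, the com.contoso.* identifiers and the proxy.contoso.example host are constructed for the example; the payload type strings and keys are Apple's standard profile keys, and the list of types treated as sensitive is the author's choice.

```python
import plistlib
import sys

# Payload types that change the device's trust boundary rather than merely restrict a
# feature. Reviewer's own list (assumption); the type strings are Apple's standard ones.
SENSITIVE_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs12": "installs a certificate together with its private key",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "configures a VPN tunnel",
    "com.apple.security.scep": "requests a device certificate over SCEP",
    "com.apple.mdm": "enrolls the device with an MDM server",
}

# Constructed sample in the shape Apple Configurator exports: a top-level Configuration
# payload wrapping a passcode policy, a restrictions payload and a global HTTP proxy.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.contoso.kiosk",          # hypothetical identifier
    "PayloadUUID": "5B1C0C2E-1111-4AAA-9BBB-000000000001",
    "PayloadDisplayName": "Contoso kiosk profile",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadVersion": 1,
         "PayloadIdentifier": "com.contoso.kiosk.passcode",
         "PayloadUUID": "5B1C0C2E-1111-4AAA-9BBB-000000000002",
         "forcePIN": True, "allowSimple": True, "minLength": 4, "maxFailedAttempts": 10},
        {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
         "PayloadIdentifier": "com.contoso.kiosk.restrictions",
         "PayloadUUID": "5B1C0C2E-1111-4AAA-9BBB-000000000003",
         "allowCamera": False, "allowScreenShot": False, "allowAppInstallation": False},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadIdentifier": "com.contoso.kiosk.proxy",
         "PayloadUUID": "5B1C0C2E-1111-4AAA-9BBB-000000000004",
         "ProxyType": "Manual", "ProxyServer": "proxy.contoso.example",   # hypothetical host
         "ProxyServerPort": 8080},
    ],
}


def sample_profile_bytes() -> bytes:
    """The constructed sample serialised as an XML plist, i.e. a .mobileconfig file body."""
    return plistlib.dumps(SAMPLE_PROFILE)


def audit_profile(data) -> dict:
    """Parse a .mobileconfig (bytes, or an already-parsed dict) and return review findings."""
    profile = plistlib.loads(data) if isinstance(data, (bytes, bytearray)) else data
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is non-removable (PayloadRemovalDisallowed): "
                        "only appropriate for supervised, corporate-owned devices")
    types, seen_uuids = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        types.append(ptype)
        uuid = payload.get("PayloadUUID")
        if not uuid or uuid in seen_uuids:
            findings.append(f"{ptype}: missing or duplicate PayloadUUID")
        seen_uuids.add(uuid)
        if ptype in SENSITIVE_PAYLOADS:
            findings.append(f"{ptype}: {SENSITIVE_PAYLOADS[ptype]}; confirm this is intended")
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("allowSimple", True):        # Apple's default is True
                findings.append("passcode policy allows simple (repeating/sequential) passcodes")
            if payload.get("minLength", 0) < 6:
                findings.append("passcode minLength is below 6")
    return {"identifier": profile.get("PayloadIdentifier"),
            "payload_types": types, "findings": findings}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile_bytes()
    result = audit_profile(data)
    print(f"{result['identifier']}: {', '.join(result['payload_types'])}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it as `python audit_profile.py exported.mobileconfig`; with no argument it audits the embedded sample and reports the proxy payload, the non-removable flag and the weak passcode settings. A signed .mobileconfig (CMS-wrapped) needs to be unwrapped first; plistlib only reads the plain XML form.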
78
Allow or block apps: prevent unauthorized apps from being used on devices

Allow/block enforcement by platform:
- Windows 10: enforced by device OS (always compliant)
- Windows Phone 8.1: enforced by device OS (always compliant)
- iOS: audit reporting
- Android: audit reporting

Intune also gives the IT Pro the ability to allow or deny a specific list of apps on users' devices.

What is an app allow list, and why does an admin need it? The apps in the allow list are the only apps the admin wants on certain modern devices; no other apps are allowed. This is a very restrictive list aimed at users classified as task workers, who use their devices to accomplish only certain tasks. These devices are more than likely corporate devices.

For iOS and Android:
- IT Pro creates an allow or deny list of apps and deploys it to users or devices
- The list is compared against device inventory and compliance is determined
- IT Pro is presented a report of all non-compliant users, devices and apps
- Nothing prevents the app from being installed or launched: the control is detective, and the report is only as current as the last inventory the device sent

For Windows Phone 8.1 and Windows 10:
- The list is sent to the device
- The device prevents launch and install of the blocked apps
- Once the policy is applied on a Windows Phone 8.1 or Windows 10 device, it is always compliant
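To make the audit-versus-enforce distinction concrete, the following added example (not Intune code) evaluates an allow or block list against a constructed device inventory the way the slide describes for iOS and Android. List entries are bundle IDs or package names, so a policy is scoped to one platform; devices on platforms where the OS enforces the list are reported compliant without inspecting inventory; and a device whose inventory is older than an assumed 24-hour threshold is reported as unknown rather than compliant, because the report can only be as fresh as the last check-in. The device names, app identifiers and the staleness threshold are constructed for the example.

```python
from dataclasses import dataclass

# Platforms where the device OS blocks install/launch itself (slide: "always compliant").
ENFORCING_PLATFORMS = {"Windows Phone 8.1", "Windows 10"}
# Assumption for this example: an inventory older than this cannot vouch for compliance.
STALE_AFTER_HOURS = 24


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    installed: frozenset            # inventoried app identifiers (bundle IDs / package names)
    inventory_age_hours: float      # time since the device last reported inventory


@dataclass(frozen=True)
class AppListPolicy:
    mode: str                       # "allow" (only these apps) or "block" (never these apps)
    platform: str                   # identifiers are platform-specific, so the policy is too
    apps: frozenset


def evaluate(policy: AppListPolicy, devices) -> list:
    """Compare the list with each device's inventory; one report row per in-scope device."""
    if policy.mode not in ("allow", "block"):
        raise ValueError(f"unknown policy mode {policy.mode!r}")
    rows = []
    for dev in devices:
        if dev.platform != policy.platform:
            continue                 # an iOS bundle-ID list says nothing about Android devices
        if dev.platform in ENFORCING_PLATFORMS:
            rows.append({"device": dev.name, "status": "compliant (enforced by OS)", "apps": []})
            continue
        if dev.inventory_age_hours > STALE_AFTER_HOURS:
            rows.append({"device": dev.name, "status": "unknown (stale inventory)", "apps": []})
            continue
        if policy.mode == "allow":
            offending = dev.installed - policy.apps      # anything not on the allow list
        else:
            offending = dev.installed & policy.apps      # anything on the block list
        rows.append({"device": dev.name,
                     "status": "non-compliant" if offending else "compliant",
                     "apps": sorted(offending)})
    return rows


# Constructed sample inventory: three iOS kiosks (one with a stale report) and one Windows Phone.
SAMPLE_DEVICES = [
    Device("ipad-kiosk-01", "iOS", frozenset({"com.contoso.menu", "com.apple.mobilesafari"}), 2),
    Device("ipad-kiosk-02", "iOS", frozenset({"com.contoso.menu"}), 1),
    Device("ipad-kiosk-03", "iOS", frozenset({"com.contoso.menu"}), 72),
    Device("lumia-01", "Windows Phone 8.1", frozenset({"Contoso.Menu"}), 1),
]
KIOSK_ALLOW = AppListPolicy("allow", "iOS", frozenset({"com.contoso.menu"}))

if __name__ == "__main__":
    for row in evaluate(KIOSK_ALLOW, SAMPLE_DEVICES):
        print(f"{row['device']:15} {row['status']:28} {', '.join(row['apps'])}")
```

The stale-inventory branch is the point practitioners miss: a device that stopped checking in after a user sideloaded something will look compliant in a naive report because its last inventory predates the change.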
79
Application update options
The slide's table marks, for each scenario, support on Windows 8.1/10, Windows Phone 8.1, iOS and Android, whether installation status is reported, and whether Intune can update the application.

Line-of-business apps (sideloading):
- Available in Company Portal; targeted to users
- Mandatory install and uninstall; targeted to users and devices; user consent required

Public store apps:
- Deep-linked apps; available in Company Portal; targeted to users
- Managed store apps; available in Company Portal; targeted to users
- Managed store apps; mandatory install and uninstall; targeted to users and devices

As shown on the slide, Intune is able to update line-of-business applications that are either deployed directly to users or made available to install in the Intune Company Portal.
80
Mobile device setting categories in Intune
Setting categories (the slide marks each category's availability on Windows 8.1/10, Windows Phone 8.1, iOS, Android/KNOX and Exchange ActiveSync):
- Password
- Encryption
- Malware
- System Settings
- Cloud
- Windows Server Work Folders
- Accounts and Sync
- Browser
- Store
- Applications & Gaming
- Device Hardware
- Device Cellular/Roaming
- Device Features

Note: Specific capabilities depend on platform.
81
Software distribution summary
Platforms: Windows 8.1/10, Windows RT, iOS, Android, Windows Phone, Windows 7 and below.
App types: desktop apps (.msi, .exe)*; modern app types: managed store app, sideloading (.app, .ipa, .apk), deep links, web apps.

This is the summary of the types of applications that are supported on the various platforms.
* = With the full Microsoft Intune management client
82
Compare Microsoft Intune to MDM for Office 365
Columns compared: Exchange ActiveSync; MDM for Office 365; Microsoft Intune (cloud only); Intune + ConfigMgr (hybrid).

Device configuration:
- Inventory mobile devices that access corporate applications
- Remote factory reset (full device wipe)
- Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
- Self-service password reset (Office 365 cloud-only users)
- Provides reporting on devices that do not meet IT policy
- Group-based policies and reporting (ability to use groups for targeted device configuration)
- Root and jailbreak detection
- Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
- Prevent access to corporate documents based on device enrollment and compliance policies

Premium mobile device & app management:
- Self-service Company Portal for users to enroll their own devices and install corporate apps
- App deployment (Windows Phone, iOS, Android)
- Deploy certificates, VPN profiles (including app-specific profiles) and Wi-Fi profiles
- Prevent cut/copy/paste/save-as of data from corporate apps to personal apps (mobile application management)
- Secure content viewing via Managed Browser, PDF Viewer, Image Viewer and AV Player apps for Intune
- Remote device lock via self-service Company Portal and via the admin console

PC client:
- PC management (e.g. Windows 8.1: inventory, antimalware, patch, policies, etc.)
- PC software management
- Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.)
- Windows Server/Linux/UNIX/Mac OS X support
- OS deployment and imaging

More content on MDM for Office 365: Office Blog posts from 10/28 and 3/30; Office FAQ document; MDM for Office 365 slide deck; EMS and Office 365 comparison deck; "Choose between Microsoft Intune and Built-in MDM for Office 365"; recording of the MDM for Office 365 Academy Live session.