1. Microsoft Ignite 2015 4/16/2017 3:58 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment
BRK3300
Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment
Roel Schellens
Architect
World Wide Modern Devices Center of Excellence
Microsoft

3. A Typical Experience After the sales person is gone.
Your Manager says:
“Let’s buy these devices and connect them to our Infrastructure”
That is where you come in the picture!
You ask:
“Which Infrastructure?”

4. Objective
Understand what is required to prepare your supporting infrastructure for a successful deployment of Windows 10 mobile devices.
Prepare and Setup:
BRK33000: Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment Tuesday, May 5 - 1:30 PM - 2:45 PM
Operate:
BRK33008: Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet Wednesday, May 65:00 PM - 6:15 PM

5. Assumptions Basic understanding of Windows 10
Windows 10 still under development
Supporting Infrastructure based on Microsoft solutions
Todays Recommended Practices, not the ones of omorrow
Familiar with Enterprise Mobility concepts

6. TAP and Early Deployment Programs Lessons Learned (and still learning)
4/16/2017 3:58 PM
TAP and Early Deployment Programs Lessons Learned (and still learning)
Early Deployment Program (EDP) Windows Phone 8.1
It is all about the supporting infrastructure
PKI, S/MIME, VPN
Windows 10 Technical Adoption Program
Windows Desktop becomes mobile
Mobile Infrastructure Preparation
First Wave (Windows 10)
Goal:
Bigger, Better, Faster
1000+ Win10 devices RTM +30 days and before end of 2015
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. 10 Steps for a Successful Mobile Deployment
Secure a Sponsor
Agree on Requirements
Setup a Test Environment
Make sure your Public Key Infrastructure supports Mobile!
Ensure the Identity solution supports mobile
Learn and prep for Mobile Device Management (MDM)
Choose a Mobile Device Provisioning and Enrollment approach
Protect Your Data
Allow to Work from Anywhere from any Device
Make your Applications mobile and manageable

8. For the best Windows Mobile Story!

9. 1 – Secure a Sponsor 4/16/2017 3:58 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. 1 – Secure a Sponsor Why a good sponsor is important?
Resources
Escalations
New standards and policies
How to find the best sponsor?
Who will profit most
Show business value
Come well prepared

11. 2 – Agree on Requirements
4/16/2017 3:58 PM
2 – Agree on Requirements
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. Define your starting point and end-goal Business Requirements
4/16/2017 3:58 PM
Define your starting point and end-goal Business Requirements
Ask the Business for their functional mobility needs
Common Understanding
Define the End-Goal (Not Technical!)
Pre-defined Questionnaire and Requirements list
Quantify requirements based on business impact
Examples: Improved Acceptance by…, Improved Productivity through…, etc.)
Structure Requirements
Personas
Scenario’s and Processes
Business Impact and Success
Applications and Data required to become mobile
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13. Define your starting point and end-goal Technical Requirements
4/16/2017 3:58 PM
Define your starting point and end-goal Technical Requirements
Ask IT for their (non-functional) mobility needs
Common Understanding
Agree on the End-Goal
The Business Needs is the End-Goal
Pre-defined Questionnaire and Requirements list
Quantify requirements based on business impact
Accept that (security) policies and standards most likely need to be revised
Structure Your Requirements
Identity
MDM
MAM
Security, etc.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14. 3 – Setup a Test Environment
4/16/2017 3:58 PM
3 – Setup a Test Environment
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. 3 – Setup a Test Environment
Proof – Validate Requirements
Identify issues and gaps early
Education
Build Your Own Enterprise Mobility Lab

16. 3 – Setup a Test Environment Build Your Own Enterprise Mobility Lab
Blog: The Mobility Guys
From the same people as the Deployment Guys
Mobility Experts blogging about Microsoft Mobility solutions
Blog Series: Build Your Own Enterprise Mobility Lab
Part 1: Register, Obtain and Setup all Prerequisites for the Build Your Own Enterprise Mobility Lab
Part 2: Setup and Configure the On-Orem Identity infrastructure (in Microsoft Azure)
Part 3: Setup Web Application Proxy (for publishing services)
Part 4: Setup and Configure Identity Synchronization
Part 5: Setup AAD Premium and Office 365
Part 6: Setup and Configure Mobile Device Management with Intune
Part 7: Configure Certificate Management for Mobile Devices (NDES)

17. 4 – Make sure your Public Key Infrastructure supports Mobile!
4/16/2017 3:58 PM
4 – Make sure your Public Key Infrastructure supports Mobile!
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. Why Public Key Infrastructure (PKI) is Important?
Security for Mobile solutions = PKI
Challenge number 1
Microsoft PKI or 3rd Party PKI
Required for:
Identity (Passport)
Enterprise Data Protection
Remote Access (VPN and Reverse Proxy)
Application Protection
S/MIME Signing and Encryption
Simple Certificate Enrollment Protocol (SCEP)
Direct Certificate Enrollment (new in Windows 10)

19. What is SCEP? Introduction to Simple Certificate Enrollment Protocol
SCEP is a very simple certificate enrollment protocol developed 10 years ago for routers and switches to enroll for x509 version 3 certificates from a Certification Authority (CA).
Generally used by Mobile Device Management (MDM).
A standard implementation of SCEP is not considered secure1
Private Key is generated on the device and marked as Non- Exportable
1CERT warns that SCEP does not strongly authenticate certificate requests. Gartner, Mobile Device Certificate Enrollment: Are You Vulnerable?

20. Certificate Deployment
4/16/2017
Certificate Deployment
Understanding the flow – Intune Only
Deploy root CA cert
Deploy SCEP certificate profile. Intune generates a challenge string.
Device gets SCEP profile that contains URI for NDES. Device contacts NDES and presents challenge.
NDES forwards to NDES Connector policy module, which validates the request
If valid, NDES passes on request to issue Cert “on behalf”
Cert is delivered to the device
NDES Connector reports event back to Intune
MDM (Intune) (and Azure AD) 7 4
DMZ DC
DirSync 3 6b
ADFS 1 2 5 6a
NDES + Intune NDES Connector
Web Application
Proxy CA
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21. Microsoft Ignite 2015
4/16/2017 3:58 PM
Challenges and Solutions for Certificates How these are addressed with Windows 10
Non-Microsoft PKI
Windows 10 SCEP Agent
NDES Server (Hardening Guide1)
NDES role placement (DMZ vs Internal)
NDES Windows Server 2012 R2 required
S/MIME Encryption (private key non-exportable)
New in Windows 10: Allow Direct Install of Certificates
“Passport for Work”
Certificate Management/Troubleshooting
Certificate Management App
1NDES Hardening Whitepaper for Intune Stand Alone and Hybrid Link
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22. 5 – Prepare and Setup Identity
4/16/2017 3:58 PM
5 – Prepare and Setup Identity
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. Identity Challenges Today
Identity needs to be Accessible outside of Organization IT boundaries
Mobile users roam and need access from everywhere
Windows Mobile Devices have to be activated with an MSA
Impossible to manage
Users and IT don’t like a complex Device Unlock Passwords not secure enough
Not enough to protect against modern security threats
Users are required to provide their identity to more places than ever

24. Choosing the right Identity Solution
Cloud Identity
Independent cloud identity
Windows Azure Active Directory
Active Directory
Directory Sync and Password Sync
Synchronized Identity 
Single identity, enabling a same sign-on experience with password hash sync
Windows Azure Active Directory
Federated Identity
Active Directory
Directory Sync
Single federated identity, enabling single sign-on in some scenarios and additional flexibility
Windows Azure Active Directory
Federation

25. Azure Multifactor Authentication
Any two or more of the following factors:
Something you know: a password or PIN.
Something you have: a phone, credit card or hardware token.
Something you are: a fingerprint, retinal scan or other biometric.
Stronger when using two different channels (out-of-band).
Hardware token
01234
Certificates
Smartcard
Phone

26. Windows Hello Biometrics Authentication
Using fingerprint, face, iris
Integrated Biometrics Framework
False Acceptance Rate 1/100,000
False Rejection Rate 2-4%
No personal identifiable data is stored
Enable anti-spoofing detection
MDM Managed

27. Microsoft Passport Replace passwords with a private key
Unlocked with solely through a “user gesture” (PIN, Windows Hello)
To IT it’s familiar as it’s based on asymmetrical key pair or certificate
To the user, it’s familiar (Windows Hello or PIN)
Choice of Identity Providers (IDP)
Identity providers validate and proof user by OTP, PhoneFactor …
IDPs map Passport public key to a user account
Private key is never shared
Keys are ideally generated in hardware (TPM)
Hardware bound keys are attested (Trusted Computing Group Protocols)
Single “unlock gesture” aka “Windows Hello” provides access to multiple credentials (origin isolated)
So do I

28. Deployment Requirements Per Directory deployment configuration
Microsoft Ignite 2015
4/16/2017 3:58 PM
Deployment Requirements Per Directory deployment configuration
NGC
Azure AD only
Hybrid AD
AD on-prem only
Key-based
AAD subscription
AAD subscription AAD Sync w/ NGC key write-back
AD DS 10 DCs AD FS 10
Cert-based
AAD subscription PKI infrastructure Intune
AAD subscription PKI infrastructure SCCM 2015/Intune
AD DS 10 schema AD FS 10 PKI infrastructure SCCM 2015
Need more info on Microsoft “Passport”? See session Ignite on “Secure authentication with Windows Hello” by Nelly Porter
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

29. 6 – Learn and Prep for Mobile Device Management (MDM)
4/16/2017 3:58 PM
6 – Learn and Prep for Mobile Device Management (MDM)
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

30. Mobile Device Management
Microsoft Ignite 2015
4/16/2017 3:58 PM
Mobile Device Management
Significant investments in added functionality for both mobile and desktop devices
Fully managed corporate device
Phone
Desktop
Device Lockdown
Phone
Desktop
BYOD: simple security settings
Windows 8.1
Windows 10
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31. Windows 10 Management Architecture
Microsoft Ignite 2015
4/16/2017 3:58 PM
Windows 10 Management Architecture
EAS
Provisioning
MDM (Intune)
ConfigMgr
Device/OS
Service/Server
MDM Client
Common Device Configurator
WMI providers
Provisioning Engine
MDM Configuration Service Providers (CSP’s)
EAS Client
WMI Bridge
Common component
PC component
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. Windows 10 – OMA-DM Communication
4/16/2017 3:58 PM
Windows 10 – OMA-DM Communication
Configuration Service Provider
A CSP is an interface to read, set, modify, or delete configuration settings on the device
SyncML
File with all information to configure CSP
SyncML
MDM Client
Common Device Configurator
MDM Configuration Service Providers (CSP’s)
MDM (Intune)
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33. Sample Policy in Intune MinDevicePasswordLength CSP
4/16/2017
Sample Policy in Intune MinDevicePasswordLength CSP
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

34. Sample SynML - MinDevicePasswordLength
4/16/2017
Sample SynML - MinDevicePasswordLength
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>1</SessionID>
<MsgID>1</MsgID>
<Target>
<LocURI>{unique device ID}</LocURI>
</Target>
<Source>
<LocURI>
</Source>
</SyncHdr>
<SyncBody>
<!-- update device setting -->
<Replace>
<CmdID>2</CmdID>
<Item>
<LocURI>./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength</LocURI>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>6</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
Device
SyncHeader
OMA-URI
Open Mobile Alliance Uniform Resource Uniform Resource Identifier
SyncML
SyncBody
Value
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

35. Mobile Device Management Lifecycle
4/16/2017
Mobile Device Management Lifecycle
ENROLLMENT
INVENTORY
APPLICATION MANAGEMENT
DEVICE CONFIGURATION AND SECURITY
REMOTE ASSISTANCE
UNENROLLMENT
Un-enrollment with alerts
Removal of configuration
& EDP protected data
Provisioning
Bulk enrollment
Simple bootstrap
Converged protocol
Azure AD Integration
One consistent set of MDM capabilities across Mobile, Desktop, and IoT
Remote Lock, PIN reset, Ring, Find
Full device wipe
Enhanced inventory for compliance decisions
Curated Windows Store
Volume Purchase Program and app distribution
License reclaim/re-use
Enterprise App management
LOB app management
App inventory (MDM/Store)
App allow/deny list
Enterprise data protection
Extended set of policies
Context based policies
Client certificates – Direct install (PFX)
Enterprise Wi-Fi profiles
VPN profiles
provisioning
MDM Push when user not logged in
Kiosk Mode, Start screen configuration and control
Ignite on “Windows 10 Mobile Device Management (MDM)” by Janani Vasudevan
Ignite on “Windows 10 for Mobile Devices - Get and Stay in Control of Your Mobile Fleet” by Sumit Parikh and Roel Schellens
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. Custom URI settings for Windows 10 devices
References
Custom URI settings for Windows 10 devices
Configuration service provider reference

37. 7 –Mobile Device Provisioning and Enrollment approach
4/16/2017 3:58 PM
7 –Mobile Device Provisioning and Enrollment approach
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Enrollment Options Device Ownership & Identity Choices
4/16/2017
Enrollment Options Device Ownership & Identity Choices
ORGANIZATION OWNED
PERSONALLY OWNED (BYOD)
Azure AD
Active Directory
Computer joins AD to establish trust
User signs on using AD account
Group Policy + System Center
Computer joins AAD to establish trust
User signs on using AAD account
MDM
Computer registers with AAD via Workplace Join to establish trust for remote resource access
User signs in with a Microsoft account, associates an AAD account
MDM
Single sign-on to enterprise and cloud-based services
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

39. Windows 10 Provisioning and Enrollment Gives you more options
Build 2015
4/16/2017 3:58 PM
Windows 10 Provisioning and Enrollment Gives you more options
ENROLLMENT
INVENTORY
APPLICATION MANAGEMENT
DEVICE CONFIGURATION & SECURITY
REMOTE ASSISTANCE
UNENROLLMENT
Password
Sign in to your work or school account
Sign in
Cancel
Privacy statement
Forgot your password?
If your organization uses Office 365 or other business services from Microsoft, use the same user name and password to sign in here.
What account should I use?
Work or school account
Allow this PC to be managed ?
Accept
Contoso requires this PC to be managed before it can access org resources.
What you get on this PC:
, Calendar, Contacts
OneDrive for Business
Access to company apps
How this PC is controlled by Contoso:
Enforce PIN lock
Partial device wipe
Enforce password policy
Monitor device location
Questions? Contact Contoso IT Help Desk at (206)
Auto MDM enroll with Azure AD
AAD join: Company owned
Add AAD account: Personally owned
Bulk enrollment and provisioning simplifying IT setup
Removable media (SD/USB) on Desktop and Mobile
NFC (Mobile only)
Click on .PPKG file (from , local storage, media, URL)
USB tether (Mobile only)
Contoso Corp
Curious to know AAD Join? See session Ignite Managing Windows 10 with Microsoft Intune and System Center Configuration Manager Jason Githens, Mark Florida, E450
Need more info on Bulk provisioning? Session Ignite on “Provisioning Windows 10 Devices with New Tools” by Vladimir Holostov
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

40. What can be Provisioned
Initial Setup
Edition Upgrade
Certificates
Connectivity Profiles
Management Enrollment
Modern
Applications
Win32 Applications
Scripts
Enterprise Policies
Offline content
Browser Settings
Start Menu Customization
Assigned Access

41. 8 - Protect Your Data 4/16/2017 3:58 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

42. Data Protection Challenges Today
How to prevent access to Company data by non-compliant mobile devices
Insecure devices put your company data at risk
Keep Company data separate from Personal Data
Company owned data should be protected and controlled
End users don’t like “Containerized” solutions
Users prefer to work with applications they are familiar with (e.g. Mail, Web browser, File Explorer)
Users don’t like to switch between different environments on the same device
How to prevent data loss by lost devices and unenrolled (BYOD) devices
Ensure Company Data will be wiped or is unaccusable

43. Microsoft Ignite 2015
4/16/2017 3:58 PM
Condition Access / Health Attestation Need access? Prove you’re healthy
Important resources
Documents 2 1 5 3 4
Here is my proof
Prove to me you are healthy
Access please
MDM & Windows Attestation Service
Important resources
Documents 1 2
Access please
You’re in
MDM evaluates compliance
HealthAttestation CSP
Device health attestation
Windows health attestation service
Ignite “Securing Access to Microsoft Exchange and SharePoint Online services with Microsoft Intune“ by Dilip Radhakrishnan & Chris Green
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44. Enterprise Data Protection Company data stays separate & secure
Build 2015
4/16/2017 3:58 PM
Enterprise Data Protection Company data stays separate & secure
for business
personal
“Enterprise data protection”
User friendly work-personal separation
Manage what data is “Enterprise”
Audit intentional data disclosure
Data exchange is blocked or audited
Business Apps & Data
Managed
Personal Apps & Data
Unmanaged
Ignite: “Protecting your data with containers without boxing yourself in” by Yogesh Mehta
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

45. 9 - Allow to Work from Anywhere from any Device
4/16/2017 3:58 PM
9 - Allow to Work from Anywhere from any Device
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

46. MDM (Intune) (Azure AD and O365)
Remote Access
4/16/2017
2 Types of Remote Access
VPN - New in Windows 10
“Auto Connect” / Always on VPN
Per App VPN (New in Windows 10)
VPN Plugin and vSC Support (Passport)
Intranet
DMZ
SharePoint/
EAS
VPN
MDM (Intune) (Azure AD and O365)
DirSync DC
ADFS
DNS
(CNAME)
WAP ADFS Proxy
ConfigMgr R2
Web Application Proxy
Challenge today: Kerb.DomJoined
New in Windows 10:Passport
NDES CA
Need more info? Session Ignite “Secure Enterprise Network Access and VPN” by Aman Arneja
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

47. 10 - Make your Applications mobile and manageable
4/16/2017 3:58 PM
10 - Make your Applications mobile and manageable
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

48. Windows 10 Application Store and Portal Options
4/16/2017
Windows 10 Application Store and Portal Options
Windows Store
Modern apps
Sign in with MSA
Pay with credit card, gift card, PayPal, mobile operators
Business Store
Modern apps
Leverages Azure AD
Private store in the store for Store and LOB apps
Pay with credit card or PO/invoice
Modern app license management
Company Portal
MDM-driven
Deploy Line-of-business modern apps from catalogue
Deploy Windows Store apps (even when the Store UI is disabled) and as well as uploaded LOB apps through BSP integration
Screen shot
Ignite: “Windows 10 for mobile devices Enterprise business apps and app management” by Alan Meeus
Ignite: “BRK3338-Using the Business Store with Windows 10 Devices” by Ford McKinstry and Patel
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

49. Related Sessions Augusto Valdez; Nick Hedderman, S502
Microsoft Ignite 2015
4/16/2017 3:58 PM
May 5, 9:00 AM - 10:15 AM BRK Windows 10 for Mobile Devices: What’s Next
Augusto Valdez; Nick Hedderman, S502
May 5, 10:45 AM - 12:00 PM BRK Windows 10 for Mobile Devices: Making the Mobile Shift and Drive Business Performance and Innovation
Arno Harteveld, S501
May 5, 1:30pm-2:45pm BRK Windows 10 for Mobile Devices: 10 Steps for a Successful Deployment
Roel Schellens Tuesday, E351
May 5, 3:15 PM - 4:30 PM BRK Windows 10 for Mobile Devices: Top 5 “Get Ready” Activities to Prepare for Windows 10
Frank Pinto, S505
May 5, 5:00 PM-6:15 PM BRK Windows 10 for Mobile Devices: To Bring Your Own or Not?
Alain Meeus, S502
May 6, 9:00am-10:15am BRK Windows 10 for Mobile Devices: Secure by Design
Alain Meeus , S503
May 6, 10:45am-12:00pm BRK Windows 10 for Mobile Devices: Provisioning Is Not Imaging –
Samesh Singh, S502
May 6, 1:30pm - 2:45pm BRK Managing Windows 10 with Microsoft Intune and System Center Configuration Manager Jason Githens, Mark Florida, E450
May 6, 3:15 PM - 4:30 PM BRK Windows 10 for Mobile Devices: Tips and Tricks Demo Fest
Augusto Valdez; Nick Hedderman, S505
May 6, 4:35pm - 4:55pm THR Windows 10 management with Microsoft Intune and System Center Configuration Manager
Jason Githens, THR0333
May 6, 5:00pm - 6:15pm BRK Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet
Sumit Parikh, Roel Schellens, S105D
May 7, 10:45am - 12:00pm BRK Windows 10 for Mobile Devices: Enterprise Business Apps and App Management –
Alain Meeus, S105D
May, 7, 1:30 PM - 2:45 PM BRK Windows 10 Mobile Device Management (MDM) in Depth
Janani Vasudevan, N426
May, 7, 1:30 PM - 2:45 PM BRK Windows 10 for Mobile Devices: From the Support Trenches
David  Alessi; Mike Danoski, S502
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

50. Windows 10 Mobility Links and Blogs
4/16/2017 3:58 PM
Windows 10 Mobility Links and Blogs
Windows 10 MDM documentation ONLINE
Microsoft Intune
Blog: The Mobility Guys
A new blog originating from the Deployment Guys
A group of Mobility Experts blogging about Microsoft Mobility solutions including EMS and Windows 10.
Blog Series: Build Your Own Enterprise Mobility Lab
Blog: Microsoft Intune Official Microsoft Intune blog of the Microsoft Intune
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

51. 4/16/2017 3:58 PM
Connect with Microsoft Services about enterprise mobile and cloud strategies for your business
Learn more about what we’re doing at Ignite: aka.ms/digitalforbusiness
Visit our interactive Ignite booths
Daily raffles for mobile devices and wearables
Ask us about scheduling a free Windows 10 Deployment Assessment or Enterprise Strategy Briefing
Join the conversation on Twitter
@MSservices
#MSIgnite
#Windows10
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

52. Please evaluate this session
4/16/2017 3:58 PM
Please evaluate this session
Your feedback is important to us!
Visit Myignite at or download and use the Ignite Mobile App with the QR code above.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

53. 4/16/2017 3:58 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.