Agenda
- Enterprise Mobility Strategy overview
- Conditional access to email and collaboration services
- Secure resource access
- Deep dive on certificate management, VPN and Wi-Fi
- New security policies
- Selective wipe
Mobile device and app management evolution
- PC security
  - Data protection through device lockdown (Group Policy, app management, OSD, compliance)
  - Hardening devices against attack (patching, anti-malware, etc.)
- Early mobile security
  - Device policies tied to the mailbox: PIN, encryption, device restrictions
  - Full wipe of the device
- MDM (Mobile Device Management)
  - Granular device policy controls
  - Provisioning of access to corporate resources (email, VPN, etc.)
  - Selective wipe
- MAM (Mobile Application Management)
  - Corporate data containerization
  - Per-application policy restrictions
  - Compliance-based access control to corporate resources
Enterprise Mobility Vision
- Protect your data
- Enable your users
- Unify your environment (users, IT, devices, apps, data)
Help organizations enable their users to be productive on the devices they love, while helping ensure corporate assets are secure.
Mobile Data Protection approach
- Protect corporate data accessed "from the device"
  - Email and collaboration services, both cloud-based and on-premises (SharePoint, file servers)
  - Intranet sites and on-premises file shares
  - Network services: VPN, Wi-Fi
  - Remote access services in the DMZ (VPN, Application Proxy, etc.)
- Protect corporate data cached "on the device"
  - Emails and attachments
  - Cached documents
  - Apps syncing corporate data
  - Apps sharing corporate data
- Applies to both BYOD and corporate-owned mobile devices
MDM lifecycle concepts
- Enrollment: enroll in MDM to get access to corporate resources
  - Key features: block email, SharePoint, etc. until enrolled; customizable terms and conditions; simple end-user experience
- Initial provisioning: quick access to corporate resources
  - Key features: security policy settings; VPN, Wi-Fi and certificate profiles; mandatory app installs; app restriction policies
- Ongoing management: device- and app-level policies
  - Key features: block access if IT policies are violated (e.g. jailbreak); enforce data leak prevention; self-service portal for user-initiated app installs and help desk operations
- Retire: disconnect from company resources (lost or stolen device, etc.)
  - Key concept: selective wipe
Conditional access to email and collaboration services
Features
- Block access to O365 services such as email if the device is not compliant with IT policies
- Simple end-user experience for remediating the non-compliance status
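The compliance-based access decision described on the lifecycle and conditional access slides, written out as an added example (this is not Intune code): a device must be enrolled and must satisfy the IT policy before it is allowed to reach email or SharePoint, and a blocked device receives the list of remediation steps the user can perform. The policy fields, device fields, version comparison and sample devices are assumptions made for this illustration.

```python
"""Compliance-based conditional access decision.

Constructed example (not Intune code): a device gets access to corporate
services only if it is enrolled in MDM and satisfies the IT compliance
policy. Every policy field, device field and sample device below is an
assumption made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Device:
    device_id: str
    enrolled: bool          # enrolled in MDM
    pin_set: bool           # device lock PIN configured
    encrypted: bool         # storage encryption enabled
    jailbroken: bool        # jailbreak / root detected
    os_version: str         # e.g. "8.1.2"


@dataclass
class CompliancePolicy:
    require_pin: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    min_os_version: str = "8.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "8.1.2" into (8, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate_access(device: Device, policy: CompliancePolicy) -> Tuple[bool, List[str]]:
    """Decide whether the device may reach email/SharePoint.

    Returns (allowed, remediation_steps). The remediation list is what the
    end user is shown so they can fix the non-compliant state themselves;
    an unenrolled device gets a single step: enroll.
    """
    if not device.enrolled:
        return False, ["Enroll the device in MDM to get access to corporate resources"]

    steps: List[str] = []
    if policy.block_jailbroken and device.jailbroken:
        steps.append("Jailbroken/rooted device: restore a supported OS image")
    if policy.require_pin and not device.pin_set:
        steps.append("Set a device lock PIN")
    if policy.require_encryption and not device.encrypted:
        steps.append("Enable device storage encryption")
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        steps.append(f"Update the OS to {policy.min_os_version} or later")
    return (not steps), steps


# Constructed sample devices for a quick demonstration
SAMPLE_DEVICES = [
    Device("compliant-ios", enrolled=True, pin_set=True, encrypted=True, jailbroken=False, os_version="8.1.2"),
    Device("unenrolled", enrolled=False, pin_set=True, encrypted=True, jailbroken=False, os_version="8.1"),
    Device("no-pin-old-os", enrolled=True, pin_set=False, encrypted=True, jailbroken=False, os_version="7.1"),
    Device("jailbroken", enrolled=True, pin_set=True, encrypted=True, jailbroken=True, os_version="8.1"),
]


def access_report(devices=SAMPLE_DEVICES, policy=CompliancePolicy()):
    """Map device id -> (allowed, remediation steps) for a fleet."""
    return {d.device_id: evaluate_access(d, policy) for d in devices}


if __name__ == "__main__":
    for device_id, (allowed, steps) in access_report().items():
        print(f"{device_id}: {'ALLOW' if allowed else 'BLOCK'} {steps}")
```

The enrollment check comes first on purpose: an unenrolled device has not reported any compliance state yet, so the only meaningful remediation is to enroll, which matches the slides' "block until enrolled" behaviour.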
Resource access configuration
- Features*
  - Configure VPN profiles, with support for automatic VPN
  - Wi-Fi protocol and authentication settings
  - Email account profiles
  - Management and distribution of certificates
- Benefits: end users get access to company resources with no manual steps on their part
- Platforms: Windows 8.1, Windows 8.1 RT, iOS, Android, Windows Phone 8.1, Samsung KNOX Standard
* Varies based on device platform
Certificate management challenges
- Password-based authentication is vulnerable, but the alternative, certificate-based authentication, is complex.
- How do I issue certificates to mobile devices that are not on my trusted network?
- How do I manage the lifecycle of certificates?
- How do I secure network resources such as email, VPN and Wi-Fi with certificates?
Issuing certificates: approaches
- Simple Certificate Enrollment Protocol (SCEP)
- Generate and deploy PFX (Personal Information Exchange) files
The choice depends on:
- Security requirements, especially: where is the private key generated and stored?
- Deployment requirements and constraints
SCEP solution: challenges and solutions
- PFX approach: the MDM server generates the private key and the certificate and deploys both to the mobile device.
- SCEP approach: the mobile device generates the private/public key pair.
  - Unlike the PFX method, the private key never leaves the device.
  - A unique key and certificate on every device allows revoking the certificate of just that one device.
  - Not useful for S/MIME encryption scenarios, because each device holds a different, non-exportable key.
- Challenges and solutions
  - Challenge: SCEP is an old protocol designed for use in closed networks; CERT warns that SCEP does not strongly authenticate requests. Solution: Intune's integration with the Microsoft NDES (Network Device Enrollment Service) policy module offers higher security and integrity of issued certificates.
  - Challenge: security concerns with a Microsoft NDES deployment. Solution: publish NDES through Microsoft Web Application Proxy.
Manage, renew and revoke certificates
- Intune provides rich certificate compliance reporting
- Renew certificate
  - Automated renewal prior to certificate expiry
  - Admin can specify the number of days prior to expiry
- Revoke certificate
  - If a device is lost, stolen or repurposed, initiate a device retire operation
  - Selective wipe triggers device clean-up and automatically revokes any certificates issued to that device
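The certificate lifecycle from the last two slides, as an added example (not Intune or NDES code): with the SCEP approach each device holds its own unique certificate, so retiring one device revokes only that device's certificates, and renewal is triggered an admin-chosen number of days before expiry. The in-memory inventory, serial numbers, device ids, purposes and dates are assumptions for the illustration.

```python
"""Per-device certificate lifecycle: issue, renew before expiry, revoke on retire.

Constructed example, not Intune or NDES code. Serial numbers, device ids,
purposes and dates are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class IssuedCert:
    serial: int
    device_id: str
    purpose: str                    # "vpn", "wifi" or "email"
    not_after: date
    revoked: bool = False
    superseded_by: Optional[int] = None   # serial of the renewal certificate, once issued


class CertInventory:
    """Tracks certificates issued to managed devices (stand-in for the MDM database)."""

    def __init__(self, renew_days_before_expiry: int = 30):
        self.renew_days = renew_days_before_expiry   # admin-specified renewal window
        self.certs: List[IssuedCert] = []
        self._next_serial = 1000

    def issue(self, device_id: str, purpose: str, validity_days: int, today: date) -> IssuedCert:
        # SCEP model: one key pair and one certificate per device and purpose.
        cert = IssuedCert(self._next_serial, device_id, purpose,
                          today + timedelta(days=validity_days))
        self._next_serial += 1
        self.certs.append(cert)
        return cert

    def active(self, today: date) -> List[IssuedCert]:
        """Certificates that are neither revoked nor expired on the given day."""
        return [c for c in self.certs if not c.revoked and c.not_after >= today]

    def due_for_renewal(self, today: date) -> List[IssuedCert]:
        """Active certificates inside the renewal window that have not been renewed yet."""
        return [c for c in self.active(today)
                if c.superseded_by is None
                and today >= c.not_after - timedelta(days=self.renew_days)]

    def renew_due(self, today: date, validity_days: int) -> Dict[int, int]:
        """Issue a replacement for every due certificate; returns old serial -> new serial.

        The old certificate stays valid until its own expiry so the device can
        switch over without an outage; marking it superseded stops it from
        being renewed twice.
        """
        replacements: Dict[int, int] = {}
        for old in self.due_for_renewal(today):
            new = self.issue(old.device_id, old.purpose, validity_days, today)
            old.superseded_by = new.serial
            replacements[old.serial] = new.serial
        return replacements

    def retire_device(self, device_id: str) -> List[int]:
        """Selective wipe: revoke every certificate issued to this device, and only this device."""
        revoked = []
        for c in self.certs:
            if c.device_id == device_id and not c.revoked:
                c.revoked = True
                revoked.append(c.serial)
        return revoked


def demo() -> CertInventory:
    """Constructed fleet: two devices, three certificates, one retirement."""
    inv = CertInventory(renew_days_before_expiry=30)
    start = date(2015, 1, 1)
    inv.issue("device-A", "vpn", 365, start)
    inv.issue("device-A", "wifi", 365, start)
    inv.issue("device-B", "vpn", 365, start)
    inv.retire_device("device-A")   # lost device: only device-A's certificates are revoked
    return inv


if __name__ == "__main__":
    inv = demo()
    print("active on 2015-06-01:", [c.serial for c in inv.active(date(2015, 6, 1))])
    print("renewals on 2015-12-10:", inv.renew_due(date(2015, 12, 10), 365))
```

Because revocation is keyed on the device id, a shared certificate (one PFX pushed to many devices) could not be revoked for a single lost device without cutting off every other device that holds the same key; that is the practical reason the slides favour per-device SCEP issuance.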
Email profile management
- Automate configuration of email account settings
- Secure access to email by requiring certificate-based authentication
- Enable selective wipe of corporate email
Email profiles FAQ
- What happens if an account already exists on the device?
  - On iOS, the profile will be rejected with an error: it fails if hostname + username + email address match the existing account.
  - Solutions: use the conditional access feature to block email access until the manually created profile is removed by the user; or set up certificate-based authentication for email access (a whitepaper is available).
- Can I change an existing profile?
  - Yes, unless you modify the key values, which results in a new profile being pushed.
  - On iOS the profile key is HostName + Email Address.
  - On Windows Phone the profile key is AccountName + Email Address.
- What versions of Exchange are supported?
  - Any version that supports Exchange ActiveSync (Exchange 2007, 2010, 2013, Exchange Online)
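The two identity rules from the FAQ, encoded as an added example (not Intune code) so an admin can check, before editing a deployed profile, whether the edit will update in place or push a new profile, and whether an iOS device with a manually created account will reject it. The dictionary field names and sample profiles are assumptions for this example.

```python
"""Email profile identity rules from the FAQ (constructed example, not Intune code).

Encodes two rules from the slide:
  - the profile key that decides whether an edit updates the deployed profile
    in place or results in a new profile being pushed (iOS: HostName + Email
    Address; Windows Phone: AccountName + Email Address), and
  - the iOS rejection rule: the pushed profile fails if an account with the
    same hostname, username and email address already exists on the device.
Dictionary field names and sample profiles are assumptions for this example.
"""
from typing import Dict, List, Tuple

# Assumed field names; the real profile payload keys differ per platform.
PROFILE_KEY_FIELDS = {
    "ios": ("host_name", "email_address"),
    "windows_phone": ("account_name", "email_address"),
}


def profile_key(platform: str, profile: Dict[str, str]) -> Tuple[str, ...]:
    """Return the field values that identify a profile on the given platform."""
    try:
        fields = PROFILE_KEY_FIELDS[platform]
    except KeyError:
        raise ValueError(f"no profile key rule for platform {platform!r}")
    return tuple(profile[f] for f in fields)


def classify_change(platform: str, deployed: Dict[str, str], edited: Dict[str, str]) -> str:
    """'update' if the edit keeps the key; 'new_profile' if the key changed, so a new profile is pushed."""
    if profile_key(platform, deployed) == profile_key(platform, edited):
        return "update"
    return "new_profile"


def ios_profile_conflicts(profile: Dict[str, str], existing_accounts: List[Dict[str, str]]) -> bool:
    """True if iOS would reject the pushed profile: an existing account matches hostname + username + email address.

    Values are compared exactly; case-folding hostnames is left out on purpose
    because the slide does not say how iOS normalises them.
    """
    match_fields = ("host_name", "user_name", "email_address")
    return any(all(acct.get(f) == profile.get(f) for f in match_fields)
               for acct in existing_accounts)


# Constructed sample data
DEPLOYED = {
    "host_name": "mail.example.com",
    "account_name": "Work",
    "user_name": "alice",
    "email_address": "alice@example.com",
}
MANUAL_ACCOUNT = {
    "host_name": "mail.example.com",
    "user_name": "alice",
    "email_address": "alice@example.com",
}

if __name__ == "__main__":
    renamed = {**DEPLOYED, "account_name": "Corp mail"}
    print("iOS rename:", classify_change("ios", DEPLOYED, renamed))
    print("Windows Phone rename:", classify_change("windows_phone", DEPLOYED, renamed))
    print("iOS conflict:", ios_profile_conflicts(DEPLOYED, [MANUAL_ACCOUNT]))
```

Renaming the account is the instructive case: on iOS the account name is not part of the key, so the change applies in place, while on Windows Phone the same edit changes the key and a second profile is pushed.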
VPN profile management features
- Support for major SSL VPN vendors: Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
- Support for VPN standards: PPTP, L2TP, IKEv2
- Automatic VPN connection
  - Application ID based initiation for Windows 8.1 and Windows Phone 8.1
  - Per-app VPN for iOS
Per-app VPN (iOS 7+) concepts
Create a secure connection between your line-of-business or productivity applications and the corporate network.
- Traditional VPN
  - VPN tunnel established at the device level
  - Introduces the risk of providing corporate access to unauthorized apps
  - Depending on the VPN infrastructure, can impact the end user's internet access speed
  - Privacy issue associated with routing the user's personal traffic to corporate servers
- Per-app VPN
  - On-demand VPN connection for corporate apps only
  - Routes only the specific app's data to the corporate VPN
Wi-Fi profiles
- Manage Wi-Fi protocol and authentication settings: WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise
- Provision Wi-Fi networks that the device can auto-connect to
- Specify the certificate to be used for the Wi-Fi connection
Connection flow (WPA/WPA2 Enterprise)
- User side: provides credentials (username/password or certificate), trusts the server's certificate, attempts to connect to the Wi-Fi endpoint
- Server side: presents its identity certificate, establishes a tunnel, asks for the user's credentials
EAP methods
- EAP-TLS: authenticate with a certificate
- EAP-TTLS: authenticate with username/password through PAP, CHAP or MSCHAP v2
- PEAP: authentication determined by the Wi-Fi infrastructure, either password- or certificate-based