BLOG Published on 2016/07/01 by Asitha De Silva in Tech-Tips

Microsoft Enterprise Mobility Suite

Microsoft Enterprise Mobility Suite (EMS) is designed to let end users use their own devices, or the devices they prefer, to access corporate resources. In simple terms, it supports onboarding BYOD devices while providing consistency and security. EMS is a fully cloud-based solution; it does not depend on the on-premises environment. Each user and device connects to EMS securely over the internet, so users can access corporate resources more seamlessly while the organization protects its data and device security by managing them.

Enterprise Mobility

The “work from anywhere” concept has evolved and is still evolving across industries. Organizations understand its benefits and are getting ready to move to a mobile workspace. When enabling enterprise mobility, four main elements need to be addressed.


  • Users
  • Devices
  • Apps
  • Data



Users and devices are the main elements, but consideration must also be given to how applications are deployed to devices and how they are consumed on mobile devices. The security of corporate data also needs to be addressed, and all of this should be delivered to users without much hassle.


“Mobile First, Cloud First” is the Microsoft business strategy with which they align their products to the future.


The BYOD (bring your own device) concept is an effective strategy to improve the overall user experience.


  • Enable users to choose their devices
  • Unify the management of applications and devices
  • Protect corporate data



Main Components of EMS

Enterprise Mobility Suite is a combination of 3 Microsoft cloud technologies.


  • Azure Active Directory Premium
  • Azure Rights Management
  • Microsoft Intune 


Azure Active Directory Premium

Microsoft Azure Active Directory is a cloud service that provides identity and access management capabilities to users. It can provide identity, access management and single sign-on for Office 365, web apps and SaaS applications such as Salesforce, Workday, Google Apps, etc.


Azure AD Premium is a paid edition that comes with many enhanced capabilities. It can be used alongside the existing Azure AD Basic, with premium licensing enabled only for selected users. AD Premium comes with the following features.



  1. Self-service password reset and Password Write Back

    Users can change or reset their password from the self-service portal. In hybrid environments where on-premises identities are synced to Azure AD using AD Connect, Azure AD Premium can write passwords back to the on-premises Active Directory.

  2. Multi factor authentication

    With multi-factor authentication, applications like Office 365 can be secured with an additional authentication layer, such as an SMS to a mobile device, a phone call or a PIN.

  3. Advanced security reports and alerts
  4. Organization Branding 
  5. Forefront Identity Manager

    The AD Premium license includes the right to use FIM.


Azure Rights Management

As organizations move to BYOD and mobility, preventing unauthorized data sharing and protecting enterprise data is becoming a huge challenge. The Microsoft Azure Rights Management solution can protect documents and sensitive information from unauthorized use. With RMS policies, data is encrypted and can only be accessed by an authorized person, regardless of the device they use.

Azure RMS works with Microsoft Office documents including Word, Excel and PowerPoint, and with email in Outlook. RMS policies can be used to restrict what can be done with data, such as preventing printing, forwarding of emails, editing, copying or saving. RMS policies can also be set to pick up sensitive keywords such as “confidential” or “password” in documents and stop those documents from being shared with external parties.

Beyond Microsoft Office, Azure RMS can be used to protect data on file servers and SharePoint Online, across multiple platforms such as Windows, Mac OS, iOS, Android and Windows Phone.



Windows Intune

Windows Intune is a cloud SaaS solution from Microsoft that can manage PCs and mobile devices whether or not they are connected to the corporate network. As organizations move to mobility, there should be a mechanism to manage and secure employee devices. Windows Intune is an MDM (mobile device management) solution that can be used to deploy corporate applications, updates, malware protection and device security, and to provide a contingency plan, such as a full device wipe or a corporate data wipe, if a device is stolen or destroyed.


After a device is enrolled in Windows Intune, it is listed in the Intune cloud portal. From the portal, the company administrator can push updates, push applications, check for malware or wipe the device. The mobile device also gets a self-service portal that can be used to access corporate documents, applications, etc.


Windows Intune capabilities can be categorized into the following 3 areas:

Mobile Device Management

  • Provide a self-service Company Portal for users to enroll their own devices and install corporate applications across the most popular mobile platforms
  • Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled, enabling users to access corporate resources with the appropriate security configurations
  • Deliver comprehensive settings management for mobile devices, enabling the execution of remote actions such as passcode reset, device lock, data encryption, and full wipe to protect corporate data on lost or stolen devices
  • Protect corporate data by restricting access to Exchange email, Outlook email, and OneDrive for Business documents when a user tries to access resources on an unenrolled or non-compliant device based upon policies set by the administrator
  • Streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)
  • Enable the enforcement of more strict “lock down” policies for Supervised iOS devices, Android devices using Kiosk Mode, and Windows Phone devices using Assigned Access

Mobile Application Management (MAM)

  • Enable your workforce to securely access corporate information using the Office mobile apps
  • Allow users to securely view content on devices within your managed app ecosystem using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune
  • Enable administrators to push required apps automatically during enrollment and allow users to easily install corporate apps from the self-service Company Portal
  • Provide the ability to deny access to specific applications or URL addresses on mobile devices

PC Management

  • Integrate your existing System Center 2012 Configuration Manager infrastructure with Intune, further enhancing your ability to manage PCs, Macs, and Unix/Linux servers, as well as mobile devices from a single management console, while building on existing investments and skills
  • Provide real-time protection against malware threats on managed computers, keep malware definitions up to date, and automatically scan computers to help protect against malware infections and other potentially unwanted software
  • Collect information about hardware configurations and software installed on managed computers, allowing you to generate reports, organize groups of computers, and more effectively target software deployments
  • Simplify administration by deploying software and configuring Windows Firewall settings on computers based upon policies defined by the administrator



EMS Licensing


As discussed earlier, EMS is a combination of 3 products: Azure AD Premium, Azure Rights Management and Windows Intune. These 3 products can be purchased separately. With EMS, Microsoft sells all 3 products more cheaply than buying them individually. EMS is a technical license, so you have to enable the license for each user from the Azure portal.


Use the following link to get the pricing details.


https://www.microsoft.com/en/server-cloud/enterprise-mobility/pricing.aspx


Hope this post is useful

Cheers

Asitha De Silva


Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
