Microsoft Enterprise Mobility for Every Business and Every Device

Earlier today in San Francisco, Satya spoke about the wide-ranging work Microsoft is doing to deliver a cloud for everyone and every device. Satya’s remarks certainly covered a lot of ground – including big announcements about the availability of Office on the iPad, as well as the release of what we call the Microsoft Enterprise Mobility Suite.

Regarding the Enterprise Mobility Suite (EMS), I want to share some additional details about the upcoming general availability of Azure Active Directory Premium, as well as our latest updates to Windows Intune.

If you haven’t had a chance to read this morning’s post from Satya, I really recommend checking it out here. In the post, Satya talks about the focus of our company being “Mobile First – Cloud First.” I love this focus! The mobile devices that we all use every day (and, honestly, could not live without) were built to consume the cloud, and the cloud is what enables these devices to become such a critical and thoroughly integrated part of our lives.

For years I have emphasized that, as we architect the solutions that help organizations embrace the devices their users want to bring into work (i.e. BYOD), the cloud should be at the core of how we enable this. As I have worked across the industry with numerous customers it is clear that embracing a cloud-based infrastructure for Enterprise Mobility has become the go-to choice for forward-looking organizations around the world who want to maximize their Enterprise Mobility capabilities.

Enterprise Mobility is a big topic – so big, in fact, that it extends beyond mobile device management (MDM) and the need to address BYOD. Now Enterprise Mobility stretches all the way to how to best handle new applications and services (SaaS) coming into the organization. Enterprise Mobility also has to address data protection at the device level, at the app level, and at the data level (via technologies like Rights Management).

With these challenges in mind, we have assembled the EMS to help our customers supercharge their Enterprise Mobility capabilities with the latest cloud services across MDM, MAM, identity/access management, and information protection.

On one point I do want to be very specific: The EMS is the most comprehensive and complete platform for organizations to embrace these mobility and cloud trends. Looking across the industry, other offerings feature only disconnected pieces of what is needed. When you examine what Microsoft has built and what we are delivering, EMS is simply the only solution that has combined all of the capabilities needed to fully enable users in this new, mobile, cloud-enabled world.

Additionally, with Office now available on iPad, and cloud-based MDM from Intune, over time we will deliver integrated management capabilities for Office apps across the mobile platforms.

You can check out the Office for iPad product guide here.

The capabilities packaged in the EMS are a giant step beyond simple MDM. The EMS is a people-first approach to identity, devices, apps, and data – and it allows you to actively build upon what you already have in place while proactively empowering your workforce well into the future.

The EMS has three key elements:

  • Identity and access management delivered by Azure Active Directory Premium
  • MDM and MAM delivered by Windows Intune
  • Data protection delivered by Azure AD Rights Management Services

Cloud-based Identity & Access Management

Azure Active Directory (AAD) is a comprehensive, cloud-based identity/access management solution which includes core directory services that already support some of the largest cloud services (including Office 365) with billions of authentications every week. AAD acts as your identity hub in the cloud for single sign-on to Office 365 and hundreds of other cloud services.

Azure AD Premium builds on AAD’s functionality and gives IT a powerful set of capabilities to manage identities and access to the SaaS applications that end-users need.

Azure AD Premium is packed with features that save IT teams time and money, for example:

  • It delivers group management and self-service password reset – dramatically cutting the time/cost of helpdesk calls.
  • It provides pre-configured single sign on to more than 1,000 popular SaaS applications so IT can easily manage access for users with one set of credentials.
  • To improve visibility for IT and security, it includes security reporting to identify and block threats (e.g. anomalous logins) and require multi-factor authentication for users when these abnormalities are detected.

The Azure AD Premium service will be generally available in April. For more info, check out this new post from the Azure team.

Cloud-delivered MDM

Windows Intune is our cloud-based MDM and PC management solution that helps IT enable their employees to be productive on the devices they love.

Since its launch we have regularly delivered updates to this service at a cloud cadence. In October 2013 and January 2014 we added new capabilities like e-mail profile management for iOS, selective wipe, iOS 7 data protection configuration, and remote lock and password reset.

Following up on these new features, in April we will also be adding more Android device management with support for the Samsung KNOX platform, as well as support for the upcoming update to Windows Phone.

Data Protection from the Cloud

Microsoft Azure Rights Management is a powerful and easy-to-use way for organizations to protect their critical information when it is at rest or in transit.

This service is already available today as part of Office 365, and we recently added extended capability for existing on-prem deployments. Azure RMS now supports the connection to on-prem Exchange, SharePoint, and Windows Servers.

In addition to these updates, Azure RMS also offers customers the option to bring their own key to the service, as well as access to logging information by enabling access policy to be embedded into the actual documents being shared. When a document is being shared in this manner, the user’s access rights to the document are validated each time the document is opened. If an employee leaves an organization or if a document is accidentally sent to the wrong individual, the company’s data is protected because there is no way for the recipient to open the file.

Cost Effective Licensing

Now with these three cloud services brought together in the EMS, Microsoft has made it easy and cost effective to acquire the full set of capabilities necessary to manage today’s (and the future’s) enterprise mobility challenges.

As we have built the Enterprise Mobility Suite we also have thought deeply about the need to really simplify how EMS is licensed and acquired. With this in mind, EMS is licensed on a per-user basis. This means that you will not need to count the number of devices in use, or implement policies that would limit the types of devices that can be used.

The Enterprise Mobility Suite offers more capabilities for enabling BYO and SaaS than anyone in the market – and at a fraction of the cost charged elsewhere in the industry.

* * *

This is a major opportunity for IT organizations to take huge leaps forward in their mobility strategy and execution, and Microsoft is committed to supporting every element of this cloud-based, device-based, mobility-centric transformation.

EMS is available to customers via Microsoft’s Enterprise Volume Licensing channels beginning May 1st.

There is so much we want to tell you about the Enterprise Mobility Suite and the innovations we are delivering here. This will be a big topic for us at TechEd North America and it will be a big part of the keynote on May 12. See you there!

Managing a Mac using Microsoft System Center Configuration Manager

A few resources are becoming available for anyone thinking about using Macs in the enterprise. One question, though: do people who bring a Mac in via BYOD or other methods have any management tools installed on it? Hmmm…

Microsoft, with System Center Configuration Manager (SCCM) 2012 SP1, now has some features


Parallels also has Parallels Management Suite for Microsoft SCCM, which adds support to System Center Configuration Manager (SCCM) 2007 and 2012.

Parallels Management-Mac for Microsoft SCCM – Overview

Macs are a reality in businesses today, and they need to be managed. Whether you want to extend your current SCCM-based desktop management infrastructure or consolidate multiple systems to minimize redundancy and save money, we can help. As the leaders in making Windows and Mac work together seamlessly, we understand Apple technologies and the needs of IT teams who use SCCM and also need to manage Macs.

Full visibility of the Macs on your network
No more guessing how many Macs are really there. Automatically scan the network ranges you choose, and discover Macs on your network. Then, have the Parallels Management-Mac for Microsoft SCCM agent auto-install and enroll them. The plug-in ensures you have the broadest range of Macs covered, including Mac OS X 10.8x, 10.7x, and 10.6x.

Gain control – easily 
Software discovery, distribution, and inventory occur just like with your PCs, but without costly Mac-only infrastructure. Our wizard-driven system for application packaging and Mac profile setup makes it easy for SCCM admins with minimal Mac skills, so anyone can be a pro in no time. And we make it simple to use Apple’s latest FileVault 2 technology to provide the best security available on your Macs.

Securely deploy and manage Windows on Mac 
Parallels Management-Mac extends your management abilities even further, to Windows applications on Macs. In conjunction with Parallels Desktop for Mac, manage delivery of your policy-compliant Windows stack to Mac users. All your management needs, centralized in SCCM.



Frimley Park NHS deploys VDI for efficiency and BYOD

When Frimley Park Hospital came under increasing pressure to make its IT budget go further, the IT team opted to deploy a virtual desktop infrastructure (VDI) in its A&E department. Desktop virtualisation did not just bring time and cost efficiencies but also led to better patient care and made its IT ready for a bring your own device (BYOD) programme.

The Surrey-based NHS foundation trust serves over 400,000 people across north-east Hampshire, west Surrey and east Berkshire. In addition to the main hospital site at Frimley, it runs outpatient and diagnostic services from Aldershot, Farnham, Fleet and Bracknell.

When the trust was redeveloping its emergency department, the IT team began thinking of ideas to generate extra revenue and to make its budget go further.

The department has over 100 desktop computers, which can all be used by all staff and each has exactly the same functionality. The team wanted a way to manage these desktops from one central location.

“Our emergency department desktops are all set up to have exactly the same functionality, with auto logging and the clinical functionality they need,” said Jon Petre, infrastructure lead at Frimley Park Hospital.

“But when it came to software upgrades or maintenance, each machine needed upgrading and monitoring individually, which was incredibly time consuming – especially if we needed to deploy a brand new application or system.”

Using VDI technology for IT efficiency

The trust decided that virtual desktop infrastructure (VDI) would be the most appropriate technology to use across the emergency department.

One of the objectives for the IT team was to have the ability to manage its IT from one central location, while freeing up its workforce to concentrate on the development of strategic technology deployments.

With VDI’s ability to concentrate resources onto one platform and replicate software across an entire IT estate, Frimley’s staff could simply access the clinical applications required with the minimum of effort, while maintaining a consistent desktop delivered from the datacentre, according to Petre.

“With VDI, we could deploy multiple desktops in a short period of time and provide upgrades to existing software centrally with minimal effort,” he said.

The IT team picked VMware’s VDI product View over the more popular Citrix VDI product because of the licensing terms.

Unlike Citrix, VMware’s licensing is attributable to a client desktop, rather than a server operating system.

The trust then virtualised all its A&E department desktops using VMware View technology and created an easy-to-manage unified system, which has helped it meet its main objectives in saving time and reducing energy bills.

The IT team will use the saved time to focus on more strategic operations, such as developing cloud services to the local area. “We can focus on the big picture now, planning for future deployments rather than upgrading desktops one at a time. We can work on a hundred computers at once, making all the necessary upgrades in a matter of hours,” Petre said.

The VDI deployment also helped improve security on-premise, as all of the data is held in the datacentre, rather than cached locally on users’ end-point devices.

“With VDI, we’ve managed to change the old into new overnight and with minimal disruption to the service we provide our staff and, in turn, patient care,” Petre said.

Making the hospital IT ready for BYOD

In the future, the team is looking to build on its VDI use by allowing staff to connect to the desktops from their personal tablets – helping them to keep abreast of information on the go.

“We get a lot of queries from the medical team about their personal devices and whether they could start using these on the ward soon. This is something we are already looking into and are confident of deploying a bring your own device (BYOD) solution in the near future,” he said.

Having a BYOD strategy is beneficial for an organisation in many ways. It has the potential for cost savings because it allows employees to bring their own devices to work and save on corporate-issued devices. Another advantage of BYOD is that it supports a mobile and cloud-focused IT strategy. It also leads to a mobile workforce thereby increasing staff’s productivity. But there are also security and legal risks associated with BYOD policies.

Digital identities could help to improve enterprise BYOD

Allowing employees to use their own digital identity may reduce issues such as remembering multiple passwords and security reporting.

A lot of the talk around the consumerisation of IT focuses on employees using their own devices, installing their own apps and using social media.

The trend to bring your own device (BYOD) is at best seen as employees being innovative in the way they use IT, and at worst a danger to an organisation’s digital assets that needs to be monitored, controlled or blocked.

While employers can exercise some level of control over what their employees do with IT systems, this is not the case with customers.

Recent Quocirca research shows the extent to which the BYOD trend is being exploited more and more by businesses in one particular area – bring your own identity (BYOID). The primary opportunity is the ease of engagement with consumers.

The driver for this is to solve one of the oldest issues in the pantheon of IT security issues – the problem of users having to manage multiple identities and remember many passwords. In effect, BYOID is outsourcing all the issues involved with establishing and managing identity to third parties.

The marketing push

Most providers of internet services want their regular users to create an account of some sort so the relationship can be deepened for marketing and other commercial purposes. Accounts need logins and that means establishing an identity. However, rather than getting users to create a new identity, many now turn to third-party social media sites that the user already has an account with; there are many to choose from: Facebook, Google, Yahoo, Twitter or PayPal for example.

Most of the major social media sites provide widgets and APIs that enable the use of the login credentials the user has for their site as a way of authenticating to another. This is convenient for the consumer as it allows them to register for a service more easily and then, of course, when they return at a later date, they are far more likely to remember their credentials if they are the ones they use for their favoured social media site. Indeed, many of their devices may be set to automatically log in to such services.

Cementing the relationship

It is good for the social media site as it cements its relationship with users too and raises its profile through exposure on hundreds of other sites. JustGiving, Spotify and The Economist are just a few examples of those offering social login. For the provider of a new online service, there will be a whole series of questions about doing this, including the veracity of social identities, how to set up and manage them and how to authenticate the actual user behind the identity.

When it comes to veracity, some will worry more than others. A free media service that wants to capture identities for marketing purposes may not care if a few are not real. Users will like the convenience of using a social identity and will be more likely to create an account. Anyway, why would someone want to sign up for a free service in someone else’s name?

However, as soon as money starts changing hands, there is a need to be sure of whom you are dealing with. Using social identities actually reduces the problem: making up an identity on the spot is easier than creating a social identity expressly for the purpose. If it can be established that the account being used has been active for some time and has a history of activity that matches that of a genuine user, then it is arguably far better to be using social identities than ones created on the fly.

The good news is that social infrastructure services such as Gigya, Janrain and Loginradius are, among other things, designed to check the veracity of social logins. By looking at a given user’s history and activity on a given social media site they can verify that they are an established user with a track record. They also help with another obvious problem, which is that many users will want to use different social identities and this needs managing.

Acting as the middleman

Social infrastructure services act as brokers, managing the many-to-many relationship between the social media sites and those providing services that want to enable social login. Social infrastructure services enable a retailer, charity or media company for example, to establish a single view of their customers regardless of how they login – providing a basic form of customer relationship management (CRM).

Using such services, it is possible to establish a high level of confidence that a real person is being dealt with – far more so than if someone had just made up a username and password. The next question is when someone logs in with a social identity, how do you know that in this instance the user is the owner of that identity? Authentication is only as good as that offered by the social media site itself. Some now offer two-factor authentication as an option and have auto-log out settings. Remember, the competition here is ad hoc usernames and passwords scribbled on scraps of paper.

But such an approach is still focused primarily on the consumer. However, for many organisations the need to manage external identity goes well beyond this. There are also external business users, the employees of partners and customers – these are business-to-business relationships.

Quocirca’s research shows that in some cases social identities are being used here too. However, there are other sources of identity that come into play, including the other business’s own directories, the membership lists of professional bodies, government databases and so on. To manage all this requires a federated identity management system which can bring together identities from all sources and manage them via a single interface. This may include employees as well as third-party users, many of whom will access common applications (for example, supply chain systems). To this end, many of the big identity management providers such as CA, Oracle, IBM and Intel/McAfee have adapted their systems to work from multiple identity sources.

A professional passport

Having a unified identity and access management system, regardless of the sources of identity, eases reporting for security and compliance purposes and makes it easier to implement single sign on (SSO) systems. SSO solves the business equivalent of the consumer problem described earlier, the user having to remember multiple usernames and passwords for different systems. SSO also helps solve another growing problem for businesses – controlling access to web-based services. The problem here is if a business uses Google Apps or Microsoft Office 365 for document management, for CRM, SuccessFactors for HR and so on. Enabling every employee for each one and, perhaps more importantly, ensuring access is de-provisioned when they leave, is much easier if all access is provided via an SSO portal. This has led to the emergence of a host of new identity and access management suppliers including Ping Identity, Okta, SaaS-ID and Symplified (the last of which has a partnership with Symantec). Many of these are offering SSO and identity and access management as cloud-based services; if the users can be anywhere and the applications are in the cloud, why not the SSO system too? The big identity suppliers are adapting their products as well, for example CA’s CloudMinder can be deployed as a purely on-demand service or linked with existing on-premise systems creating a hybrid deployment.

Looking to the future, we can speculate that we may all get more ownership of our digital identities as time goes by. As consumers, we can already choose to use a favoured social identity and, with education, we can understand how to protect and harden it. Actually we are quite used to this in the offline world. Most people have a passport and understand the need to care for and protect that.

This raises an interesting point. A new employer does not issue you with a passport for business travel; you use your own. Perhaps in the future employees will provide employers with their favoured digital identities. It may not be long before you are accessing your employer’s IT systems and applications using your Facebook, LinkedIn or Twitter identity. When that happens the age of BYOID will truly have arrived.
