New MDM Features in Microsoft’s Enterprise Mobility Suite

Mobile device management (MDM) has always been the key feature of Windows Intune, which is available as a stand-alone cloud solution or a hybrid in combination with SCCM 2012. This feature, however, was also extended to Microsoft’s Enterprise Mobility Suite (EMS), bringing Azure Active Directory (AD) Premium and Azure Rights Management Services on board.

Understanding Microsoft’s Enterprise Mobility Suite

Let’s recap key features of each component before jumping into the latest announcements from Microsoft Ignite on EMS.

Microsoft Intune. Microsoft Intune provides key solutions for device and applications management. Microsoft Intune lets you manage Windows phones and tablets, iOS, and Android devices. In additional to mobile devices, it’s important to note that you can also manage devices that run the full Windows 7 or 8 operating system. Key features include inventory of installed hardware and software, deploying application packages, deploying software updates, and providing device and data security by using device and user policies.

Azure AD Premium. Azure AD is the identity and access management component in the Microsoft cloud. Most people know this out of the directory sync (DirSync) with Office 365, where your internal Active Directory domain user objects are synchronized to the cloud. Azure AD has also been extended with premium features, such as multi-factor authentication, security reports, access-control policies, and more. One of the most used features is Single Sign On (SSO) to more than 2,500 cloud applications, such as Dropbox for Business, Office 365, Twitter, Facebook, SalesForce, and more.

Azure Rights Management Services (RMS). By using Azure RMS, you can secure sensitive data and files by configuring access policies to certain types of data. Azure RMS works platform independent and can be configured in a cloud-only or on-premise setup. Not only does Azure RMS policies include files and data encryption, but these policies also prevent data leakage based on a combination of identity, authority, and security keys.

New Features Coming to Enterprise Mobility Suite

Now that you have a better understanding of EMS, let’s dive into announcements made about EMS at Microsoft Ignite.

Conditional access for the Outlook app. Intune will bring policies to control and restrict access to the Outlook app on any platform, based on device and compliance policies. Examples include control of copy and paste behavior between managed and non-managed applications. For example, copy and paste data from an Outlook email to a user’s personal note application won’t be allowed.

Azure AD Cloud App Discovery. I had the pleasure to play with this app, and this is something really cool! Whenever asking an organization’s IT department if they know if or what cloud applications end users are connecting to, the short answer is that they have no idea. By deploying the Azure AD Cloud App Discovery agent on your users’ devices, usage data is being centralized in an Azure portal, which clearly shows you the list of applications, number of users using a specific cloud application, and much more.

Azure AD Premium Privileged Identity Management (PIM). By using Azure AD Premium PIM component, an organization can control the administrative privileges that are bound to cloud admin users. Think of restricting permanent access to the Azure portal, Office 365 Administrative Center, and alike. These features includes extensive configuration settings, dashboards, and detailed reports on administrative account usage.

Windows Intune supports Windows 10 (including Technical Preview). Although Windows 10 is not RTM-ed yet, Brad Anderson announced at Microsoft Ignite that there’s already support for the Windows 10 Technical Preview in Windows Intune. Also, I can tell you that the Windows Phone 10 preview also works fine!

Azure AD Premium Security Reports. Although Azure AD Premium has several security reports readily available, one of the cooler ones being demoed by Brad Anderson at Microsoft Ignite was one what he calls, “the impossible travel report.” This report shows login data from a user account from locations that are too far from each other from being possible within normal travel time, which tips off administrators that the user is sharing credentials.

Windows Update for Business. Windows Server Update Services (WSUS) has always been basic by only providing limited classification of updates and control on when updates get applied to machines. Windows Update for Business is changing that with Windows 10 and will provide more useful and granular business features. For example, there’s a new update ring that lets you define which devices receive updates first, and new maintenance windows lets you specific which updates should or should not be deployed. It is interesting to note that Windows Update for Business will remain free for both Windows Pro and Enterprise editions.

If you’re interested in learning more about these new EMS features, stay tuned for upcoming articles on the Petri IT Knowledgebase. Also, take a look at the Brad Anderson’s demo on EMS, which were made during the Microsoft Ignite keynote.

As always, I’d love to hear feedback, reactions, or questions that you might have in the article comments below.