ITS Partners Insights

What is Microsoft’s Enterprise Mobility Suite?

Written by Adrian Olson | May 27, 2016

The Enterprise Mobility Suite combines three products into one.  The purpose of this document is to provide clarity around the three core components of EMS, the features they provide and what is next for EMS.

CORE COMPONENTS

Microsoft Intune:

Intune is a cloud-based solution for managing end users’ devices, both computers and mobile devices such as Windows Phone, Android, and iOS devices. Intune provides the MDM (Mobile Device Management) and MAM (Mobile Application Management) features of the Enterprise Mobility Suite.

Azure Active Directory:

At a basic level, Azure Active Directory provides the same functionality as the Active Directory that many companies use on their corporate networks. This product is entirely cloud-based and provides the Identity and Access Management features of the Enterprise Mobility Suite.

Azure Rights Management Services:

The third component of the suite is also a cloud-based solution, and it provides the Information Protection features of the full Enterprise Mobility Suite. This product provides encryption of your documents and data, allowing secure access to these files from the computers and mobile devices managed by EMS.

MICROSOFT INTUNE

Let’s take a deeper dive now into the Intune product and what it brings to the table. The first thing to make clear is that Intune, and in fact the whole Enterprise Mobility Suite, is entirely in the cloud. There are no local installations or servers to place in your environment if you are working with this product.

Intune itself provides 3 main components of the overall Enterprise Mobility Suite:

  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
  • PC Management

MOBILE DEVICE MANAGEMENT

Mobile Device Management is essentially the ability to manage non-computer devices. This group includes Apple iOS devices, Android devices, and Windows Phone devices. MDM supports two basic approaches: company-owned devices rolled out in bulk to users, and BYOD scenarios where your user base wants access to company data, email and applications from their personal mobile devices.

In order to achieve this result, the MDM features of Intune provide the following:

  • A self-service Company Portal. This application can be downloaded from any of the main app stores, such as the Apple App Store and the Google Play store. Downloading the app gives the end user the ability to log in and enroll their device with Intune.
  • After enrollment, items such as certificates, Wi-Fi and VPN configurations, and email profiles can automatically be downloaded to the mobile device.
    • With a VPN configuration, the user’s mobile device can access internal company resources.
    • With an email profile and the mobile Outlook applications, users can access all their corporate email, calendar and contacts as if they were on their PCs in the office.
  • MDM also allows control over the devices, including changing settings on the device and providing options to change passwords, lock the device or even do a full wipe of the device.
  • Lock down access to corporate data and email when a user tries to access those resources from a mobile device not registered with Intune.

 

MOBILE APPLICATION MANAGEMENT

In its first incarnation in IT, MDM started primarily as a device control activity for corporate IT departments, along with basic access to email. Companies, their users and their customers have come to demand greater and greater access to the information and programs that allow them to be productive away from their desktop or even laptop computers.

Mobile Application Management (MAM) helps to fill this gap. When a user enrolls their mobile device through the Company Portal application, administrators can have additional applications installed on that device automatically. The portal also provides access to a catalog of applications that users can voluntarily download.

Here are a few ways that MAM is provided:

  • Office mobile apps. Microsoft has created mobile versions of apps like Excel, Word, PowerPoint and Outlook so that users can access their email, open attachments, and edit and create files. If you also have access to OneDrive or OneDrive for Business, your mobile apps can directly access and edit your documents stored in the cloud as well.
  • Additional viewer apps. Beyond the Office mobile applications, Intune provides several more applications for viewing content. These include a managed web browser app, PDF Viewer, AV Player for video files and Image Browser for pictures.
  • Selective wipe. Within the bounds of MDM, an administrator can do a full wipe of a device if it is lost or stolen. In a BYOD scenario, most users would not be happy with a full wipe removing all their personal data. With a selective wipe, an administrator can remove only corporate apps and data from the device.

PC MANAGEMENT

Beyond mobile device management, Intune can also do basic management of your desktop and laptop PCs. In this scenario, Intune is positioned as a ‘lite’ version of SCCM, which a large number of companies use to manage their devices in an on-premises environment.

Some of the core features of PC management within Intune include:

  • Deploy software to endpoints
  • Basic software update features to patch Windows
  • Inventory of your managed computers
  • Basic security and malware protection
  • Windows firewall configuration

With these PC management features, Intune can act as a standalone cloud solution for smaller companies to manage their computers. In larger corporate environments, most companies use System Center Configuration Manager (SCCM) to provide all these functions. SCCM is a larger and more robust tool for computer management.

For the best of both worlds, Intune can be integrated with SCCM, allowing administrators to extend the management capabilities of SCCM to the cloud and mobile devices.

IDENTITY AND ACCESS MANAGEMENT USING AZURE ACTIVE DIRECTORY PREMIUM

The second of the three core components of EMS is Azure AD Premium. This product provides the Identity and Access Management features of the full suite.

Azure AD Premium has so many features and components that it could easily fill its own document.  For the purposes of this guide we will focus on the benefits it brings to EMS.

Within the bounds of EMS here are some key benefits:

  • Single identity for every user in your company. This feature is based on a hybrid deployment model for AD. In this case, AD in the cloud and AD on-premises are synchronized, providing end users one single account that works within the corporate network and in the cloud.
  • SSO access to your applications. Microsoft has worked with several thousand vendors to utilize their apps either on mobile devices or through web portals. These apps are pre-integrated with AD logins so that the single identity created and managed in Azure AD can log in to these third-party apps as well. A couple of examples are Box and Salesforce.
  • Multi-Factor Authentication. For security purposes, administrators can enforce a second layer of authentication to these applications.
  • A self-service portal so users can do their own basic account management, such as password resets for their own account.

AZURE RIGHTS MANAGEMENT

The third and final component of the Enterprise Mobility Suite is Azure Rights Management. This product is what provides the Information Protection features of EMS.

Information Protection is all about encrypting files and securely accessing them and also being able to share them with users outside of the company.

Core features include:

  • The ability to access protected files across computers and mobile devices.
  • Microsoft’s Office apps are built to integrate with Rights Management.
  • Share protected documents with external users. External users can sign up for the free Rights Management service and download the RMS Sharing application.
  • Rights Management templates can be created by administrators. These templates collect together bundles of rights. End users can then quickly apply these templates to their own documents, making it easy for users to protect their files before sharing them.

As we have now seen, through the combination of Intune, Azure AD, and Azure Rights Management, customers who purchase the full Enterprise Mobility Suite have a great set of tools to extend corporate data and applications to the cloud and mobile devices.

To conclude, here are a couple of pieces of information to investigate as you consider using EMS.

EMS can integrate with on-premises installations of AD, Exchange and SCCM. Any deployment where you tie the cloud to on-premises solutions is called a hybrid deployment. If you sync AD with Azure AD, you can truly manage only one account per user, providing them one login both in the office and on mobile devices. By itself, Intune is in many ways a cloud-based lite version of SCCM. If you want the best of both worlds and already use SCCM in your organization, then you can deploy Intune integrated with SCCM.

When you integrate Intune with SCCM, instead of relying on the Intune console you can access and manage the features it provides from within the SCCM console. In this fashion you have all the robust features of SCCM to manage computers, providing features such as inventory, patching and software delivery, tied together with the mobile management features of Intune.

Coming this year are a few key features that expand what EMS can provide. The first item is Mac OS X support. At this moment only SCCM can manage OS X Mac desktops and laptops. By adding these features to Intune, customers who find that Intune/EMS provides all the features they need will be able to manage both main computing platforms (Windows and Mac) as well as all main mobile platforms (Windows Phone, Android, and iOS).

The second important feature coming this year is the rollout of Windows 10 itself and all the new features and management capabilities this will bring to Intune and SCCM.

In conclusion, I hope that this document has helped provide some clarity around Microsoft’s Enterprise Mobility Suite and its three main components, Intune, Azure AD, and Azure Rights Management, the features provided within each component, and how they might benefit you, the customer.