Transcript Windows Server 2012R2 Capabilities for BYOD
Windows Server 2012 R2 Capabilities for BYOD Scenario
Yuri Diogenes
Senior Knowledge Engineer Data Center, Devices & Enterprise Client – CSI
Team’s Page: http://technet.microsoft.com/cloud @yuridiogenes http://aka.ms/yuridio
What’s happening?
Before
What’s happening?
Now
90% of enterprises will have two or more mobile operating systems to support in 2017
Gartner: Gartner press release, "Gartner Says Two Thirds of Enterprises Will Adopt a Mobile Device Management Solution for Corporate Liable Users Through 2017", October 25, 2012, http://www.gartner.com/newsroom/id/2213115
32% of employees use two or three PCs for work from multiple locations
Forrester Research: "The State of Workforce Technology Adoption: Global Benchmark 2012", Forrester Research, Inc., April 12, 2012
What’s happening?
Today
32% of your employees—power laptop users—access 21 different applications, while desktop users—36% of your employees—use 9.8 applications at work
Forrester Research: "The State of Workforce Technology Adoption: Global Benchmark 2012", Forrester Research, Inc., April 12, 2012
Mobility is the new normal
67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves
905M tablets in use for work and home globally by 2017
Forrester Research: "Bring the Business Case for a Bring-Your-Own-Device (BYOD) Program", Forrester Research, Inc., October 23, 2012
Forrester Research: "2013 Mobile Workforce Adoption Trends", Forrester Research, Inc., February 4, 2013
Today’s challenges
Users: Users expect to be able to work in any location and have access to all their work resources.
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
Starts with a person… whose identity is verified… across multiple devices… with access to apps… in a consistent manner.
People-centric IT
Users. Devices. Apps. Data.
Management. Access. Protection.
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Hybrid Identity: Deliver a unified application and device management on premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
Access and Information Protection
Enable users: Simplified registration and enrollment for BYO devices. Automatically connect to internal resources when needed. Access to company resources is consistent across devices.
Hybrid Identity: Common identity to access resources on-premises and in the cloud.
Protect your data: Centralize corporate information for compliance and data protection. Policy-based access control to applications and data.
Enable users
Challenges
Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
Users want an easy way to be able to access their corporate applications from anywhere.
IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Solutions
Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.
Registering and Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on premises and in the cloud.
Users can register BYO devices with Workplace Join for single sign-on and access to corporate data. As part of this, a certificate is installed on the device.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity.
Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.
As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device.
Publish access to resources with the Web Application Proxy
Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps.
Use conditional access for granular control over how and where the application can be accessed.
Users can access corporate applications and data wherever they are.
IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS.
Active Directory provides the central repository of user identity as well as the device registration information.
(Diagram labels: Devices, Apps & Data, Published applications, AD Integrated)
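The registration and publishing path just described (Workplace Join creating a device record, AD FS consuming the device certificate, the Web Application Proxy pre-authenticating through AD FS, and conditional access on identity, device and location), written out as Windows Server 2012 R2 PowerShell. This is an added example, not part of the deck or of any Microsoft sample; the federation service name, the gMSA contoso\fsgmsa$, the application name and URLs, and the certificate thumbprint placeholder are assumptions.

```powershell
# Added example (not from the slides). Assumed: AD FS 2012 R2 farm, gMSA contoso\fsgmsa$,
# relying party trust "Expense App" already created, WAP role installed and joined to the farm.

# 1. Device Registration Service: lets Workplace Join write a device object into AD
#    for the user and install a device certificate on the client.
Initialize-ADDeviceRegistration -ServiceAccountName 'contoso\fsgmsa$'
Enable-AdfsDeviceRegistration

# 2. Let AD FS use that device certificate as part of authentication.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Conditional access on the relying party: only registered (workplace-joined) devices
#    get an access token. Unregistered devices are denied by default once this rule set is in place.
$rpName       = 'Expense App'
$isRegistered = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$permitRule   = @"
@RuleName = "Permit only workplace-joined devices"
c:[Type == "$isRegistered", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitRule

# 4. Location-aware step-up: require MFA when the request does not originate on the corporate
#    network (the proxy sets insidecorporatenetwork=false for requests it forwards).
$inside  = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$mfaRule = @"
@RuleName = "MFA for access from the Internet"
c:[Type == "$inside", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ms/2012/10/policy/rules/additional-authentication-requirements",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# 5. Publish the application through the Web Application Proxy with AD FS pre-authentication,
#    so unauthenticated traffic never reaches the backend server.
Add-WebApplicationProxyApplication -Name $rpName `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName $rpName `
    -ExternalUrl 'https://expenses.contoso.com/' `
    -BackendServerUrl 'https://expenses.corp.contoso.com/' `
    -ExternalCertificateThumbprint '<thumbprint of the expenses.contoso.com certificate>'
```

Run the AD FS cmdlets on the primary federation server and the last cmdlet on the Web Application Proxy server; check the result with Get-AdfsRelyingPartyTrust -Name $rpName and Get-WebApplicationProxyApplication.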
Make corporate data available to users with Work Folders
IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android).
IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
Active Directory discoverability provides users with their Work Folders location.
Users can sync their work data to their devices.
Users can register their devices to be able to sync data when IT enforces conditional access.
IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS.
(Diagram labels: Devices, Apps & Data)
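The Work Folders pieces above (a per-user sync share on a file server, device-side protection that makes a selective wipe possible, Active Directory discoverability, and publishing through the Web Application Proxy) as an added PowerShell example; it is not from the deck or from Microsoft's documentation. The server names, the AD group contoso\WorkFoldersUsers, the user jdoe and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the slides). Assumed: file server sync.corp.contoso.com with the
# Work Folders role, external name workfolders.contoso.com, WAP already joined to AD FS.

# 1. Install the Work Folders role service on the file server.
Install-WindowsFeature FS-SyncShareService

# 2. One sync share; each member of the group gets a private folder under the path.
#    RequireEncryption: files on the device are encrypted under an enterprise key, which is
#    what a selective wipe revokes. RequirePasswordAutoLock: the device must enforce a
#    lock-screen password and auto-lock before it is allowed to sync.
New-SyncShare -Name 'WorkFolders' -Path 'D:\SyncShares\WorkFolders' `
    -User 'contoso\WorkFoldersUsers' `
    -RequireEncryption $true -RequirePasswordAutoLock $true

# 3. Discoverability: the Work Folders client reads msDS-SyncServerUrl from the user's AD
#    object, so users do not need to type a server name. Set per user (here one assumed user).
Set-ADUser -Identity 'jdoe' -Replace @{ 'msDS-SyncServerUrl' = 'https://workfolders.contoso.com' }

# 4. Publish the sync endpoint through the Web Application Proxy. On this release the client
#    authenticates against the file server itself, so the proxy is configured as pass-through
#    (HTTPS is still terminated at the proxy with the external certificate).
Add-WebApplicationProxyApplication -Name 'Work Folders' -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://workfolders.contoso.com/' `
    -BackendServerUrl 'https://sync.corp.contoso.com/' `
    -ExternalCertificateThumbprint '<thumbprint of the workfolders.contoso.com certificate>'

# 5. Confirm the share and the device policy that was applied.
Get-SyncShare -Name 'WorkFolders' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```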
Effective working with Remote Access
An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
Traditional VPNs are user initiated and provide on demand connectivity to corporate resources.
With DirectAccess, a user’s PC is automatically connected whenever an Internet connection is present.
(Diagram: VPN: cannot originate admin connection from intranet. DirectAccess: can originate admin connection from intranet; connection to intranet is always active. Firewall between client and intranet.)
Video Demo
Windows 8.1 and iPad Workplace Join and Company Portal
Hybrid Identity
Challenges
Providing users with a common identity when they are accessing resources that are located both on premises in a corporate environment, and in cloud-based platforms.
Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solutions
Users have a single sign-on experience when accessing all resources, regardless of location.
Users and IT can leverage their common identity for access to external resources through federation.
IT can consistently manage identities across on premises and cloud-based identity domains.
Delivering a seamless user authentication experience
Cloud Authentication: Multi-Factor Authentication can be configured through Windows Azure. User attributes are synchronized using DirSync, including the password hash. Authentication is completed against Windows Azure Active Directory.
Federated Authentication with Single Sign-On: AD FS provides conditional access to resources, Workplace Join for device registration, and integrated Multi-Factor Authentication. User attributes are synchronized using DirSync. Authentication is passed back through federation and completed against Windows Server Active Directory.
Protecting information with multi-factor authentication
1. The user attempts to log in or perform an action that is subject to MFA.
2. When the user authenticates, the application or service performs an MFA call.
3. The user must respond to the challenge, which can be configured as a text message, a phone call, or a mobile app.
4. The response is returned to the app, which then allows the user to proceed.
5. IT can configure the type and frequency of the MFA that the user must respond to.
Protect your data
Challenges
As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
A significant amount of corporate data can only be found locally on user devices.
IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solutions
Users can work on the device of their choice and be able to access all their resources, regardless of location or device.
IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
IT can centrally audit and report on information access.
Policy based access to corporate information
Desktop Virtualization: IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Centralized Data: Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
Distributed Data: IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.
IT can audit user access to information based on central audit policies.
(Diagram label: Devices)
Protect data with Dynamic Access Control
Automatically identify and classify data based on content. Classification applies as files are created or modified.
File classification works against distributed data, access policies and automated Rights Management through the Work Folders client.
Centrally manage access control and audit policies from Windows Server Active Directory.
Integration with Active Directory Rights Management Services provides automated encryption of documents.
Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
Video Demo
Work Folders with DAC and RMS
For More Information
System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012 R2: http://www.microsoft.com/en-us/server-cloud/windows-server/windows-server-2012-r2.aspx
More Resources:
http://www.microsoft.com/en-us/server-cloud/solutions/access-information-protection.aspx
http://www.microsoft.com/en-us/server-cloud/solutions/user-device-management.aspx