Users expect to be able to work in any location and have access to all their work resources. The explosion of devices is eroding the standards-based approach to corporate IT. Deploying and managing applications across platforms is difficult. Users need to be productive while maintaining compliance and reducing risk.

Enable your end users: allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: deliver unified application and device management on-premises and in the cloud.
Protect your data (management, access, protection): help protect corporate information and manage risk.

Empower users, unify your environment, protect your data:
- Simplified registration and enrollment for BYO devices
- Automatically connect to internal resources when needed
- Access to company resources is consistent across devices
- Common identity to access resources on-premises and in the cloud
- Centralize corporate information for compliance and data protection
- Policy-based access control to applications and data

Empower users
Challenge: Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
Solution: Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
Challenge: Users want an easy way to access their corporate applications from anywhere.
Solution: Users can enroll their devices, which provides them with the Company Portal for consistent access to applications and data, and to manage their devices.
Challenge: IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Solution: IT can publish access to corporate resources with conditional access based on the user's identity, the device they are using, and their location.

Users can enroll devices for access to the Company Portal for easy access to corporate applications. IT can publish Desktop Virtualization (VDI) for access to centralized resources. Users can work from anywhere on their device with access to their corporate resources. IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity. Users can register devices for single sign-on and access to corporate data with Workplace Join. IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications. Users can register BYO devices for single sign-on and access to corporate data with Workplace Join; as part of this, a certificate is installed on the device. IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.

Data from Windows Intune is synced with Configuration Manager, which provides unified management both on-premises and in the cloud. As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device. Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps. Use conditional access for granular control over how and where the application can be accessed. Users can access corporate applications and data wherever they are. IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication. Active Directory provides the central repository of user identity as well as the device registration information.

Make corporate data available to users with Work Folders. IT can selectively wipe the corporate data from Windows 8.1 clients. IT can configure a File Server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management. Users can sync their work data to their devices. Users can register their devices to be able to sync data when IT enforces conditional access. IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy. Active Directory discoverability provides users with the Work Folders location.

An automatic VPN connection starts the VPN automatically when a user launches an application that requires access to corporate resources. Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources. With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present.
VPN: an admin connection cannot be originated from the intranet. DirectAccess: an admin connection can be originated from the intranet, and the connection to the intranet is always active.

Unify your environment
Challenge: Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms.
Solution: Users have a single sign-on experience when accessing all resources, regardless of location.
Challenge: Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solution: Users and IT can leverage their common identity for access to external resources through federation. IT can consistently manage identities across on-premises and cloud-based identity domains.

Not Joined: User-provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information.
Workplace Joined: Registered devices are "known" and device authentication allows IT to provide conditional access to corporate information.
Domain Joined: Domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.
Access capabilities across these states: browser session single sign-on, seamless 2-factor auth for web apps, enterprise apps single sign-on, desktop single sign-on.

Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises. Manage Active Directory using Windows PowerShell, use the improved deployment experience, and leverage the Active Directory Administrative Center for centralized management. Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning. Developers can integrate applications for single sign-on across on-premises and cloud-based applications. Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure.

Developers can build applications that leverage the common identity model. Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and third-party applications. Users are more productive by having single sign-on to all their resources. IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Windows Azure Active Directory. IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity. DirSync keeps user attributes in sync across directories. Organizations can connect to SaaS applications running in Windows Azure, Office 365 and third-party providers. Enhancements to ADFS include simplified deployment and management. Organizations can federate with partners and other organizations for seamless access to shared resources.

Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location. Users can register their devices to gain access to corporate data and apps, and single sign-on through device authentication.

Manage the complete life cycle of certificates and smart cards through integration with Active Directory. Self-service group and distribution list management, including dynamic membership calculation in these groups and distribution lists, is based on the user's attributes. Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs. Sync user identity across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP. Allow users to manage their identity with an easy-to-use portal, tightly integrated with Office.
Automate the process of on-boarding new users. Real-time de-provisioning from all systems prevents unauthorized access and information leakage. Built-in workflow for identity management. Automatically synchronize all user information to different directories across the enterprise.

Protect your data
Challenge: As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
Solution: Users can work on the device of their choice and be able to access all their resources, regardless of location or device.
Challenge: A significant amount of corporate data can only be found locally on user devices.
Solution: IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
Challenge: IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solution: IT can centrally audit and report on information access.

Desktop Virtualization: IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Centralized Data: Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
Distributed Data: IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed. IT can audit user access to information based on central audit policies.

1. The user attempts to log in or perform an action that is subject to MFA.
2. When the user authenticates, the application or service performs an MFA call.
3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app.
4. The response is returned to the app, which then allows the user to proceed.
5. IT can configure the type and frequency of the MFA that the user must respond to.

Automatically identify and classify data based on content. Classification applies as files are created or modified. File classification, access policies and automated Rights Management work against client-distributed data through Work Folders. Centrally manage access control and audit policies from Windows Server Active Directory. Integration with Active Directory Rights Management Services provides automated encryption of documents. Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.

Related sessions:
WCA-B204 Active Directory Enables User Productivity and IT Risk Management Strategies Across a Variety of Devices
WCA-B214 Windows Server Work Folders overview – my corporate data on all my devices
WCA-B332 Windows Server Work Folders – a deep dive into the new Windows Server data sync solution
WCA-B333 Enable work from anywhere without losing sleep: remote access with the Web Application Proxy and VPN solutions
WCA-B334 Secure anywhere access to corporate resources such as Windows Server Work Folders using ADFS
Hands on lab: Active Directory Deployment and Management Enhancements
Hands on lab: Using Dynamic Access Control to Automatically and Centrally Secure Data
Hands on lab: Introduction to DirectAccess in Windows Server 2012
Hands on lab: Windows Server 2012 R2 Work Folders

For More Information:
System Center 2012 Configuration Manager: http://technet.microsoft.com/enus/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-andbuy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windowsserver
Windows Server 2012 VDI and Remote Desktop Services: http://technet.microsoft.com/enus/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33 and http://www.microsoft.com/en-us/server-cloud/windowsserver/virtual-desktop-infrastructure.aspx
More Resources: microsoft.com/workstyle, microsoft.com/server-cloud/user-device-management, http://channel9.msdn.com/Events/TechEd, www.microsoft.com/learning, http://microsoft.com/technet, http://microsoft.com/msdn