Today I am kicking off an exciting blog series that will dive deep into the details of the work we are doing to support and expand Enterprise Mobility . I believe that Enterprise Mobility is going to be one of the most impactful and defining trends we work on as an industry – now and for the foreseeable future.
At Microsoft we talk about our focus being “ Mobile First ” and “ Cloud First .” Sure, you might ask how can there be two “Firsts” – but the answer is simple: Mobile and Cloud are so tightly integrated that delivering the premier Enterprise Mobility solution is best delivered from the Cloud . You simply cannot have one without the other. Mobile devices come alive and become intensely personal as they consume cloud services, and the cloud fundamentally changes the industry’s ability to deliver new value and new capabilities to our customers on a daily basis.
What I hope to accomplish through this blog series is to clearly lay out Microsoft’s vision and execution for Enterprise Mobility. I’m going to explain where our solutions are differentiated from others in the market, as well as the major areas of investment we believe will enable organizations to excel.
I believe that by better understanding the scenarios Microsoft is bringing to the market (and by seeing the types of rich end-user experiences and data protection these solutions will provide) IT Pros will be empowered to say YES! to the consumerization (aka BYOD) trends.
Our Vision
Our vision is to help organizations enable their users to be productive on the devices they love, while protecting the company.
The volume and diversity of devices that users and corporations want to use to access corporate assets grows every day, and organizations understand that enabling users across any device (corporate or personal) will make their users more productive and more satisfied. In pure dollars and cents , this satisfaction and efficiency generates significant positive impact for the company. While this efficiency and innovation is important to enable, IT organizations struggle with how to ensure that the corporate assets being accessed and stored on mobile devices are secure. This is a balancing act .
On one end of the balance, end-users want to bring their personal devices to work and are willing to accept some level of intrusion from IT in order to access corporate assets (such as using a power-on password). At the same time, these personal devices are incredibly personal – they are, in many ways, an extension of the individual and they contain information that the end-user wants to shield from IT.
The solution that organizations need (the other side of the balancing act), and that end-users are hoping will be implemented, is something that lets IT control and manage only the corporate assets that are being accessed and stored in these personal devices while never straying to the personal side of the device.
Finding the right balance means creating the appropriate boundary between personal and corporate content on the device. Our approach has been to put the end-user in full control of what happens on their personal device when they bring it to work. The company, however, should be the ultimate authority and in full control of the corporate assets (applications and data) being accessed and stored on the personal device.
While personal device use adds complexity to the IT department, we believe that mobility solutions need to act as a unifying force to cover all device types and all use cases. By delivering one solution that can act across all form factors , three key things will happen:
- End-users will have with a consistent and seamless experience across their devices and be more productive.
- IT complexity will be reduced.
- Corporate data will be better protected.
Getting Started Now: It All Starts With Identity
Organizations all need a way to manage access to corporate assets based on the correct authentication of the user. Active Directory is the authoritative source of corporate identity around the world, and we have extended this to the cloud with Azure Active Directory (AAD). With AAD we are delivering a common and consistent identity/access solution that enables organizations to expand their use of AD across private and public clouds.
Not only should the Enterprise Mobility identity solution require the user to correctly authenticate, but the identity solution should also know about all the devices being used to access corporate resources. This is exactly what Domain Join did for Windows devices for the past 15 years. In our Enterprise Mobility solution we have added what you can think of as a modern Domain Join – what we call Workplace Join . Workplace join enables users to register their personal devices with AAD – which lets AAD know about their devices. This is super critical because you need to be able to express policy on both the user and the device.
Later in this series I’ll go into great detail about the work we’re doing around identity management and just how critical this is to your Enterprise Mobility strategy. Identity Management is one of the areas I feel Microsoft brings significant value – a value that is missing in the solutions available in the market today.
Defining Success: Make the End User and IT Feel Safe
Getting the balance right between non-intrusively enabling the end-user to be productive while protecting corporate assets is the perennial challenge here. All too often the user experience is compromised in the name of protection. Addressing this compromise is a place we have spent a great deal of time and effort.
I believe that, eventually, all the mobile device/OS vendors will deliver native containers for corporate content (SAFE on Android is a specific example today), and these OS components will be integrated into solutions like Intune and Azure Active Directory. As we go through this Enterprise Mobility series , and when I explore this topic in detail at TechEd, I’ll get a lot more specific about our POV and the work we are doing with containers.
The important concept at work here is that with MDM you can provide protection at the device level and with MAM you can provide protection at the application level . Having a layered approach to security is important; protecting at the device and application level is helpful but there are known limitations. In addition to these two layers of protection, we need to make protection a native component of every file .
Right now Microsoft has an in-market a solution that enables security and protection to travel with the file itself: Azure RMS . With Azure RMS (which is a component of the Enterprise Mobility Suite), access controls are natively saved as a part of the file itself from Office and applications like Acrobat (you can learn more about using Office and RMS together here ).
With RMS, when a user goes to open a file a verification is made that the user has correctly authenticated to AD/AAD and therefore has rights to open that file. This protects against scenarios like when an employee leaves an organization but still has files on his/her device, or when a file is accidentally sent to the wrong person. This functionality is unique to what Microsoft is offering (check out this whitepaper for more details). To learn more about getting started with Azure RMS, click here .
It’s impossible to put too much emphasis on this type of security, and the need for it has been underscored lately by several significant security breaches across the industry. One of the most popular ways to attack an organization is through spear-fishing (where users are sent invitations that look legitimate while in reality the user is directed to a web site that collects their username and password) – but this type of attack can be dramatically mitigated with Azure Active Directory Premium. AAD Premium protects against these kinds of attacks by using machine learning to identify abnormal access activities (like an attempt to authenticate from an unusual location). Again, this is something that’s unique to what we are offering.
To see AAD Premium in action, check out this video .
Defining Success: Cloud-based Devices & Management
Enabling your users across all their devices is critical to your businesses – and if it isn’t already, it will be real soon.
When I say I all their devices I am including the PCs the majority of your users are also using. While so much of the conversation today is about the mobile devices, let’s not forget that the majority of users in an Enterprise are using mobile devices and PCs. It is important that you don’t let PCs get forgotten about in these cloud-based management conversations. It is critical that you have every device in mind when you define and implement your management strategy. The ideal endpoint to this strategy is something that delivers an integrated and consistent way to deploy, manage, and secure PC’s and mobile devices via common tools.
This is another place where I believe the solution built by Microsoft is highly differentiated. System Center is by far the most common solution for managing PC’s (managing more than 2 out of 3 PC’s in the Enterprise), and, as we have built our Enterprise Mobility Solution, we have made this the starting point. This means you can use what you already have today, fully leverage the investments you’ve previously made in Active Directory and System Center for years to come, and build a reliable foundation for the future of your business.
Consider it like this: Think of Windows Intune as System Center delivered from the Cloud. With Intune we have built the Mobile Device Management capabilities you would expect (e.g. full and rich support for managing Windows, iOS and Android devices) and we’re delivering these capabilities from the cloud – but you can choose to do all your administration from the familiar SCCM console you already know. This allows IT Pros to leverage their existing knowledge and experience to manage both PCs and devices. There are never any new servers to deploy, or any new infrastructure to maintain – everything is delivered through the solution you already have deployed in SCCM 2012.
Back in March , I wrote about the Enterprise Mobility Suite (EMS) and how, as a part of EMS, updates to Intune now enable MDM/MAM scenarios that are simply best in class. A major benefit of a cloud-centric management solution is that Intune is updated and improved at a cloud cadence. We updated Intune in October 2013 and January 2014 (adding new capabilities like e-mail profile management for iOS, selective wipe, iOS 7 data protection configuration, and remote lock and password reset) and last month another update added more Android device management with support for the Samsung KNOX platform, as well as support for the upcoming update to Windows Phone.
Defining Success: Make it Easy to Acquire and Use
Great solutions to real world problems are wonderful, but we also have to make them easy to acquire and easy use . The Enterprise Mobility Suite is licensed on a per-user basis. This means you no longer have to count the number of devices in the organization or be concerned about your costs increasing as your users bring in more mobile devices.
As a part of this effort to make our Enterprise Mobility solutions easy to use, we are also integrating all of the mobile management capabilities with our industry-leading PC management solution System Center . System Center administrators can now easily expand their impact and influence by using the current System Center console to also manage mobile devices – all from that single console . There’s no need to deploy and maintain any additional infrastructure or get trained on a new platform, and your end users have a consistent experience across PCs and all their mobile devices.
To put all of this in perspective, the EMS has three key elements:
- Identity and access management delivered by Azure Active Directory Premium
- MDM and MAM delivered by Windows Intune
- Data protection delivered by Azure AD Rights Management Services
* * *
There has been a lot written in the last few months about the emergence of a “new” Microsoft, and, in many ways this is true. Teams across the company are working closely to bring high-value scenarios to market in a way that is integrated and cohesive like never before. There are innovations emerging from teams across every corner of the company, and I am incredibly excited to see the work we are doing to deliver deeply, intelligently integrated solutions across System Center, Intune, Azure Active Directory, Office, and Windows.
I believe that what we have in market and what we will bring to market over the next several months will be, by far, the most complete, comprehensive, and elegant solution for your Enterprise Mobility needs.
As you are mapping out your Enterprise Mobility strategy, I encourage you to really think about the breadth of what your organization is going to need to succeed . We are investing broadly to empower your efforts, and we are delivering capabilities across the entire spectrum of what is required to enable your users to be productive on the devices they love. As you read this series, you’ll see that what Microsoft has in-market delivers an integrated and comprehensive set of capabilities across:
- Mobile Device Management
- PC Management
- App and Data Protection
- Identify Management
- Hosted Applications and Desktops
- SaaS Management
- Productivity with Office
These are the capabilities you should demand when you are choosing a partner and choosing the technology for your Enterprise Mobility strategy. I believe we are delivering the most compete, comprehensive, and usable solutions!