
Enterprise Mobility + Security


One of the things I love discussing with other organizations is their world view on where a particular market or industry segment will go in the future and why. Every organization has strategies it has defined and is executing on, and I love learning about the details of those strategies – as well as the assumptions and views behind them.

With this is mind, I want to share the assumptions or world views that are behind our Enterprise Mobility strategy.

These world views are something I’ve shared with hundreds of organizations over the past few months, and I’ve found that these views are aligned with just about every organization I’ve met with during that time.

Here are the views and assumptions we have developed for Enterprise Mobility and Enterprise Mobility Management:

  • Rich PC management will continue to be an on-premises workload.
  • Enterprise Mobility Management will be delivered via cloud services.
  • IT wants a single tool for managing PCs and mobile devices.
  • Organizations will begin to shift to MDM-like management for some of their PCs.
  • Hybrid Identity is the new control plane for the enterprise.
  • Cyber-attacks will accelerate in number and severity.
  • Data must become self-protecting.
  • Significant customer value will be created from combining unique data sets.
  • Productivity, identity and management are converging to deliver secure mobile productivity.
  • The end-user is the authoritative source for change on their personal devices.
  • IT is the authoritative source for change on corporate data anywhere it is stored.

Rich PC management will continue to be an on-premises workload

Organizations that need to deliver rich and sophisticated management of PCs will continue to utilize System Center Configuration Manager (SCCM) on-premises. It is common to see enterprise organizations deploying hundreds or thousands of applications through SCCM today, and these organizations have developed rich rules and dependencies across those apps (with many utilizing App-V to isolate their apps).

The richness of these capabilities in SCCM is incredible and it maps to the diverse needs of the customer base.

Most organizations also use SCCM for their enterprise roll-outs of new versions of Windows – SCCM is, after all, the clear leader in the PC management segment, with a market share of over 70% worldwide. There are also organizations that have decided to move entirely to the cloud and are managing tens of thousands of PCs from the cloud with Intune today. These Intune-based use cases are more light-weight in nature and center around locking down the device and deploying a small number of apps.

Enterprise Mobility Management will be delivered via cloud services

The pace of innovation, and the amount of change across Windows, iOS, and Android, will continue to accelerate – and this will require continuous innovation and updates to be delivered via cloud services. It would be nearly impossible for organizations to continually add these updates to their distributed on-premises infrastructures.

By delivering our Enterprise Mobility Management (EMM) as a cloud service, we can update Intune as we work with the previews from Apple and Google – and this puts us in the position to make the new capabilities available in the service on the first day of a new release.

For example: On the first day a new version of iOS is released, a huge percentage of the world upgrades – and organizations need to be able to manage the new capabilities on that very first day.

This is why we have built the Enterprise Mobility Suite (EMS) as a cloud service.

IT wants a single tool for managing PCs and mobile devices

Organizations want “a single pane of glass” they can use to enable their users across all their devices.

As a general rule, I’ve noticed these three things to be true:

  1. IT wants fewer tools, not more.
  2. IT needs and expects to fully leverage any investment it makes.
  3. IT wants to deliver a rich and consistent experience for end-users.

We have always believed that the PC management and EMM market segments would converge – and that’s exactly what we are seeing now. Our research also indicates that the PC management team is the most common group in charge of operating any EMM solution that is deployed, and “Integration with SCCM” is a common requirement we are seeing in the RFPs from customers.

These realities have led us to integrate our on-premises products with our cloud services: Active Directory (AD) – Azure Active Directory (AAD), SCCM–Intune, etc.

For example: As we update the EMM capabilities in Intune, we are simultaneously able to update the SCCM console accordingly. Now, the SCCM console can act as that single pane of glass.

SCCM/Intune integration will be a continued area of focus during this calendar year.

Organizations will begin to shift to MDM-like management for some of their PCs

As organizations do more mobile device management, many of them will update their strategy for PC management toward an MDM-style management paradigm. This move is a natural part of wanting to align management methodology across an entire organization.

Organizations will start with wanting a single pane of glass for managing all their devices, and, after seeing the widespread benefits of this, the natural next step is aligning not just the tools but the processes and paradigm.

Hybrid Identity is the new control plane for the enterprise

This really can’t be overstated: Organizations need simple ways to extend their existing identity investments into the cloud as they consume more and more cloud applications.

Active Directory is the authoritative source of identity in the Enterprise (with more than 95% of Enterprises utilizing AD), and, via the Cloud App Discovery capabilities of EMS, we know that employees of the average enterprise are utilizing more than 300 SaaS apps today.

By putting these two facts together we know two key things:

  1. Every IT team needs to stretch its investments in AD to the cloud.
  2. Every IT team needs capabilities like automated user provisioning and de-provisioning, as well as the ability to provide a great single sign-on experience for their users as they consume these SaaS apps.

Cyber-attacks will accelerate in number and severity

The cyber-attacks we have all read about will, unfortunately, accelerate and organizations need tools that help them to identify and block these attacks. Many of these attacks begin with the attackers launching a phishing attack against an organization – and all it takes is a single employee falling for the trick in order for the attackers to have a valid username and password. Once the attackers have a valid username and password, they are able to access corporate resources. The next step is attempting to spread laterally across an organization.

It is a nightmare scenario – and one that is very real.

This danger is one of the reasons we have developed the powerful identity management capabilities in EMS. These capabilities can identify suspicious or anomalous user identity activities and bring them to the attention of IT – and from that point IT can then block the account, change the password, or challenge the user with a multi-factor authentication.

This is a topic I’ve discussed in depth on the ITC podcast several times, including episodes dedicated to Cloud-based Data Protection and How Machine Learning Makes You More Secure.

Data must become self-protecting

Directly tied to this idea of security is the fact that data must flow freely while also being secure. Data of all types needs to be born protected/encrypted, and its usage policy needs to subsequently flow with it. It also must be easily accessible to the people and services that should be able to access it, and it needs to be secured against those that shouldn’t.

No small feat, to say the least.

Addressing these needs is the reason we’ve developed the Rights Management Services in EMS. With Azure RMS, we are able to store the access privileges in the file itself, and the file then validates the user before being opened. If a file is accidentally sent to someone who shouldn’t have it, that’s no problem because the file understands who is authorized to open it – and it blocks everyone else.

You can hear a detailed discussion about these features here.
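The model the section above describes (the file carries its own usage policy and validates the user before opening) is easy to misread as the file somehow "knowing" people. The following is an added illustration, not Azure RMS code: a hypothetical RightsService derives the content key from the file's policy and releases it only to principals the policy names, so an unauthorized recipient, or a recipient who edits the policy to add themselves, cannot open the content. The keystream helper is a stand-in for a real cipher and the service key is a constructed constant; both are assumptions for the example.

```python
"""Self-protecting file model: policy travels with the data, a rights service
gates the content key. Added example, not Azure RMS code."""
import hashlib
import hmac
import json
import secrets

# Hypothetical service master key, constructed for this example only.
SERVICE_KEY = b"example-rights-service-master-key"


def _canonical(policy):
    """Stable byte encoding of the policy so tags and keys are reproducible."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def _keystream_xor(key, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Illustration only; a real system uses a vetted AEAD such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RightsService:
    """Stand-in for the rights-management service (hypothetical)."""

    def __init__(self, master_key):
        self._master = master_key

    def _content_key(self, file_id, policy):
        # The key is bound to the policy: a modified policy derives a different
        # key, so the ciphertext cannot be opened under altered terms.
        msg = b"key|" + file_id + b"|" + _canonical(policy)
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def _policy_tag(self, file_id, policy):
        msg = b"tag|" + file_id + b"|" + _canonical(policy)
        return hmac.new(self._master, msg, hashlib.sha256).hexdigest()

    def protect(self, content, policy):
        """Wrap content into an envelope that carries its policy and a tag over it."""
        file_id = secrets.token_bytes(16)
        ciphertext = _keystream_xor(self._content_key(file_id, policy), content)
        return {"file_id": file_id.hex(), "policy": policy,
                "policy_tag": self._policy_tag(file_id, policy),
                "ciphertext": ciphertext.hex()}

    def request_key(self, envelope, principal):
        """Release the content key only if the policy is intact and names the principal."""
        file_id = bytes.fromhex(envelope["file_id"])
        policy = envelope["policy"]
        if not hmac.compare_digest(self._policy_tag(file_id, policy), envelope["policy_tag"]):
            raise PermissionError("policy has been altered; refusing to release key")
        if principal not in policy.get("readers", []):
            raise PermissionError(f"{principal} is not authorized by the file's policy")
        return self._content_key(file_id, policy)


def open_protected(envelope, principal, service):
    """Client side: ask the service for the key, then decrypt locally."""
    key = service.request_key(envelope, principal)
    return _keystream_xor(key, bytes.fromhex(envelope["ciphertext"]))


def demo():
    """Three outcomes: authorized reader, unauthorized reader, edited policy."""
    service = RightsService(SERVICE_KEY)
    policy = {"readers": ["alice@example.com"], "rights": ["view"]}
    envelope = service.protect(b"Q3 board deck - confidential", policy)
    results = {"alice": open_protected(envelope, "alice@example.com", service)}
    try:
        open_protected(envelope, "mallory@example.com", service)
        results["mallory"] = "opened"
    except PermissionError:
        results["mallory"] = "denied"
    # The file is forwarded with its policy edited to add a new reader.
    edited = dict(envelope, policy={"readers": ["alice@example.com", "mallory@example.com"],
                                    "rights": ["view"]})
    try:
        open_protected(edited, "mallory@example.com", service)
        results["tampered"] = "opened"
    except PermissionError:
        results["tampered"] = "denied"
    return results


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

The point of the design is that the policy check happens at the key-release step, not in the recipient's client: a file that is mis-sent still cannot be opened, and editing the policy on the way only changes which key the service derives, so the original ciphertext stays closed.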

Significant customer value will be created from combining unique data sets

Data and data management is where a massive amount of new business value is being (and will continue to be) created. I’m talking about a TON of value: When diverse sets of data are combined the value is not just additive – it is non-linear and accounts for many times the value of the individual parts.

At Microsoft, we are currently operating more than 200 cloud services (both consumer and enterprise), and we get more than 1M pieces of new malware reported to us every day. We also get detailed telemetry from more than 1B PCs (every month via Windows Update). All of this data allows us to learn about common access points, usage patterns, and the geographical distribution of our users. When this data is combined in the Azure Machine Learning engine we can start identifying anomalous and suspicious activities like unusual/rare authentications that likely point to an attack through a compromised account.

This is a great example of the value and power of bringing big sets of diverse data together. Microsoft’s operation of these massive cloud services (including Azure Active Directory) makes it unique in the EMM market – no other EMM vendor has data this vast or this capable. None come even close.

You can read more about these reports and see them here.
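Both the "Cyber-attacks will accelerate" section and the paragraph above describe the same defender workflow: spot a rare or implausible authentication, then block the account, reset the password, or challenge the user with MFA. The following added example (not EMS or Azure AD code) shows that workflow in miniature over constructed sign-in events: a never-before-seen country for a user with enough history, and an implied travel speed no airliner reaches. The field names, thresholds and sample users are assumptions; real sign-in logs carry far more context.

```python
"""Anomalous sign-in triage over constructed sample events.
Added example, not EMS or Azure AD code."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins (hypothetical users, UTC timestamps, approximate coordinates).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2015-03-02T08:00:00", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "ts": "2015-03-03T08:10:00", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "ts": "2015-03-04T08:02:00", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "ts": "2015-03-05T08:00:00", "country": "US", "lat": 47.61, "lon": -122.33},
    # 40 minutes later the same account signs in from Sydney: new country, impossible speed.
    {"user": "alice", "ts": "2015-03-05T08:40:00", "country": "AU", "lat": -33.87, "lon": 151.21},
    {"user": "bob", "ts": "2015-03-02T09:00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2015-03-03T09:00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    # Bob reaches Berlin a day later: plausible travel, and too little history to call it rare.
    {"user": "bob", "ts": "2015-03-04T09:00:00", "country": "DE", "lat": 52.52, "lon": 13.40},
    {"user": "bob", "ts": "2015-03-05T09:00:00", "country": "DE", "lat": 52.52, "lon": 13.40},
    {"user": "bob", "ts": "2015-03-06T09:00:00", "country": "US", "lat": 40.71, "lon": -74.01},
]

# Follow-up action per rule, matching the responses the post lists.
ACTIONS = {
    "rare_location": "challenge with multi-factor authentication",
    "impossible_travel": "block the account and reset the password",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events, min_history=3, max_kmh=900.0):
    """Return one finding per triggered rule per event, in time order per user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, when=datetime.fromisoformat(e["ts"])))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["when"])
        seen_countries, prev = set(), None
        for i, e in enumerate(evs):
            # Rule 1: a country never seen for this user, once enough history exists to judge.
            if i >= min_history and e["country"] not in seen_countries:
                findings.append({"user": user, "ts": e["ts"], "kind": "rare_location",
                                 "detail": f"first sign-in from {e['country']}",
                                 "action": ACTIONS["rare_location"]})
            # Rule 2: implied speed from the previous sign-in exceeds what an airliner manages.
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = max((e["when"] - prev["when"]).total_seconds() / 3600.0, 1 / 60.0)
                if km / hours > max_kmh:
                    findings.append({"user": user, "ts": e["ts"], "kind": "impossible_travel",
                                     "detail": f"{km:.0f} km in {hours:.2f} h",
                                     "action": ACTIONS["impossible_travel"]})
            seen_countries.add(e["country"])
            prev = e
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['user']} {f['ts']} {f['kind']}: {f['detail']} -> {f['action']}")
```

Two design choices matter more than the rules themselves: the rarity rule waits for a minimum history so a new hire's first week does not generate noise, and each finding carries the response it warrants, so the impossible-travel case escalates to a block and reset while a merely unfamiliar location only adds an MFA step. Run against the sample, only alice's Sydney sign-in is flagged, and it triggers both rules.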

Productivity, identity and management are converging to deliver secure mobile productivity

To deliver the richness and flexibility users require to be productive, while still providing the level of security and protection required by IT, we are seeing the categories of productivity, identity and management converging.

Organizations want access to apps and data to be governed by successful authentication of the end user (increasingly with multi-factor authentication), and they want the corporate apps and data to be isolated/contained from the personal data. To deliver this, the productivity apps, identity management, and device/application management all need to be integrated.

We have already done the technical and operational work to integrate Office 365 with EMS to ensure users will have the absolute best experience using the Office tools, and we have also done the technical integration that enables the separation of the Office mobile apps and data from consumer apps and data (MAM containers) which enable organizations to apply policy to the Office mobile apps (and any app) to protect their apps and data.

Not only was that a really long sentence, it is also a value completely unique to EMS. No other EMM vendor can deeply manage the Office mobile apps.

You can hear a lot more about this topic in a recent webcast I did with my counterpart on the Office 365 team, or this episode of The Endpoint Zone, or this post about Office on Android, or this post about mobile data protection.

The end-user is the authoritative source for change on their personal devices

Before IT can secure these devices, and before corporate content arrives on the device, users will first approve/accept any changes IT wants to make to their personal devices. Our mobile devices are intensely personal, and, understandably, end users want to ensure IT is not venturing into the personal content of these devices.

We have to remember that, in the case of BYO, this is the user’s personal device and IT needs to ask for permission to change the way the device works.

For example: IT may require a power-on password for corporate e-mail to be accessed, but the user should be prompted to accept the configuration change. If the user decides he or she doesn’t want to have a power-on password, that is fine – but they also won’t get corporate e-mail on that device.

IT is the authoritative source for change on corporate data anywhere it is stored

IT must be able to define and enforce policy for corporate data anywhere it is stored. Everyone wins when IT can effectively and efficiently separate corporate apps and data from the personal apps and data on a mobile device (especially a BYO device) and apply the appropriate data protection policies on the corporate assets. This is essentially doing Mobile Application Management (MAM) without doing Mobile Device Management (MDM).

* * *

These assumptions and views of Enterprise Mobility and Enterprise Mobility Management are driving our current execution and our ongoing planning in this very exciting – and very important – area of the tech industry.

There are so many rapid changes, and so much innovation, that every EMM vendor involved must wrestle with the fact that what was state-of-the-art a year ago is now a baseline requirement – and all of this must be accounted for while still providing the best possible value/quality for customers.

With this rapid pace in mind, however, this post’s set of assumptions and views has held true since I first wrote them down over a year ago.

My recommendation to you is simple: Take this set of views and debate them within your own organization. If you are able to deliver an Enterprise Mobility Management service to your end-users that aligns with these views, then your service will be well received by your end-user community and well received by the individuals responsible for ensuring the corporate data is secure and protected.

Microsoft is the only organization able to help you deliver on each of these views and assumptions – and that is made possible only with the combination of Office 365+EMS!
