Let’s not focus on Microsoft 365 security for a moment… Let’s focus on the user

When you think about End User Computing and the Modern Workplace, which companies come to mind? VMware, with its Horizon/Workspace ONE proposition? Citrix, with XenApp and XenDesktop? Both companies even deliver their propositions from the cloud (Azure and AWS). I bet many people would answer yes to those, and not many would mention Microsoft, and I cannot blame them. Some people might mention Microsoft’s Office 365.

Microsoft does have a Modern Workplace unit, which I am part of. Within that unit there are specialties, like Windows 10, Office/collaboration, Identity & Information Protection, Threat Management and Voice. All of those components make up the Modern Workplace, so I fully get that. However, Windows 10, Threat Management and Identity & Information Protection are very security focused, and so, in general, is Microsoft’s Modern Workplace approach.

In my (humble) opinion, Microsoft is not focusing enough on the “other side” of the balance: the end user and the end user experience. When it comes to the Workplace, you need to balance IT/management/security with the end user (experience). IT/security/management is the cost side, the “boring” part (controlling the user, restrictions). The end user side is the “sexy” side: giving users a smooth experience, multiple devices, being more productive, etc.

I fully understand why Microsoft is taking the security approach though: its layered Identity, Apps, Data and Devices security approach. It is very solid! I truly like Azure AD’s Conditional Access possibilities: checking the identity, sign-in risk, device compliance, trusted IPs, countries, etc., and securing access to applications (requiring MFA or blocking access) based on those conditions. I also like Azure Information Protection for securing documents. However, when a customer asks what’s in it for the user if they go for Microsoft 365, I am afraid Microsoft falls back to the security story again.

And that is unfortunate, because the end user experience story with M365 is great! Windows Autopilot, Azure AD join, single sign-on to apps, automatic enrolment into Intune and getting your required apps, the Company Portal giving you optional/additional MSI apps, cloud storage with OneDrive, cross-device experiences and device independence are all there!

In this post I would like to show you a couple of short videos of the end user experience: onboarding a device, accessing apps, using a personal iPad, having a meeting across devices, etc. My goal is to show you that Microsoft 365 can be as “sexy” as other solutions from an end user perspective. That the onboarding of devices is easy, self-service, smooth and personal. That M365 offers great BYO possibilities with the Office apps while staying secure, and that cross-device workloads can be very smooth.

1. Windows Autopilot: a very quick and easy way of getting a user up and running, from unwrapping the new Windows device and turning it on to landing in Windows, with multi-factor authentication set up in a very easy way as well:

2. From the moment the user is logged in, the machine is AAD joined, enrolled into Intune and receiving policies (let’s be quiet about those for now :) ) and apps. In this case, Office 365 ProPlus is being pushed by Intune, and so is the Microsoft Company Portal (CP). The CP offers users additional apps to install. Before everything is downloaded and installed in the background, the user can already SSO into O365 and be productive. Starting the new Office desktop apps is just as smooth: no user names, server names, etc.:

3. Now, I would like to show you what M365 can do in a BYO (iPad) scenario. Intune is able to control the Windows desktop and mobile Office apps, so users can have the same universal experience across devices: Office apps everywhere. The next two videos show the Office apps on a BYO device, with security measures such as allowing copy/paste into the managed Office apps but not out to native apps, and allowing company content to be saved to the company’s OneDrive but not locally:

4. Working across devices with, in this example, OneNote. A user starts a meeting on an iPad, types meeting notes and later moves to a Windows 10 device, continuing in OneNote with ink:

5. Lastly, a nice gadget which can make your life a bit easier: Continue on PC. Just a step back: Microsoft is a huge iOS and Android app maker. Search the App Store, for example, and see how many Microsoft apps are on there. One of the “cool” features is to start reading the news, Twitter, etc. on your mobile device and send that article, or link, to your Windows device. No more copying the link, emailing it to yourself and opening the article from your email:

I hope you have discovered the smooth, easy, quick onboarding and access to apps with M365. It is a great story and we should mention it more. Combined with the more talked-about security story, M365 is a very solid Modern Workplace proposition.

Windows 10 + Azure AD: register or join? Turn on auto enrollment to Intune?

In Windows 10, under Settings, Accounts, Access work or school, you have a couple of actions to pick from: setting up a work or school account, joining the Windows 10 device to Azure Active Directory, or joining it to a local Active Directory. Personally, I know the local AD and I do understand Azure AD, but what is setting up a work or school account? How is that different from an Azure AD join? When would I use one or the other?

Let’s start with setting up a work or school account. With this option you register your Windows 10 device in Azure AD, so this is not an Azure AD join. The use case behind it is Bring Your Own Device: personally owned Windows devices that are used for work as well. By registering your personal W10 device in AAD (Azure AD), you enjoy the benefits of single sign-on to your company’s cloud apps, seamless multi-factor authentication, and access to on-premises apps via the Web Application Proxy and AD FS Device Registration.

Device registration is possible for Windows, iOS and Android devices. In fact, registration is the only option for iOS and Android devices, since they cannot be joined to AAD.

In Azure (the Azure Portal, Active Directory, Applications, Intune), you can turn on “Auto Enrollment” to Intune. What this means is that when Windows 10 devices are registered by users, those devices are automatically enrolled in Intune. You can set this up for all users, none, or a selected group. After enrollment, IT can manage the device by applying device and application policies.

My question is: do you want BYOD/personal devices to be enrolled automatically into Intune after registration? Thinking out loud, I would say no. Not automatically. Maybe registering the device, so that the user benefits from SSO, is more than enough for that user. Also, thinking about the upcoming W10 Creators Update with its Mobile Application Management (MAM) features, maybe that is enough and there is no need to manage the device at all. I can imagine that a user doesn’t want IT to manage his or her personal device. This could change if that user wants to access more company resources, like email. In that case, Conditional Access could require the user to enroll the device in order to get access to mail. It is up to the user to do that or not. Do realize that with iOS and Android devices there is no separate choice between registering and (automatically) enrolling the device: it is always both. You enroll those devices and they are then registered in AAD.

So, now Azure AD join. Here the use case is corporate-owned devices. And again, only Windows devices can be joined. Besides the SSO and multi-factor authentication benefits you also get with registration, a join adds a couple of other features: phone or PIN sign-in and storing the BitLocker recovery key in Azure AD, to name two. Would you auto-enroll those devices into Intune? In this case I would say yes. The devices are corporate, users have access to many resources, so you want to manage and protect these devices and users. Automatically enrolling the devices and deploying policies is a great way of doing that.

I won’t discuss the local AD join, because it has been around for ages and is well known. I always like to say it is the “old school” way of Windows device management: AD with SCCM and GPOs. The new way, in my opinion, is AAD join/registration with Enterprise Mobility Management (Intune). However, be aware that it is also possible to register a local AD-joined Windows device with AAD.
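To see which of these states a given Windows 10 machine is actually in, and whether the auto-enrollment advice above applies to it, here is an added example: my own script, not something from the post or from Microsoft’s documentation. It assumes a recent Windows 10 build where dsregcmd /status prints the AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt and MdmUrl fields as “Name : Value” lines, and it assumes (unverified on your build) that an Intune MDM enrollment shows up under HKLM:\SOFTWARE\Microsoft\Enrollments with a ProviderID of “MS DM Server”. Run it in PowerShell on the device itself.

```powershell
# Added example, not from the post: classify this device's relationship with Azure AD
# from `dsregcmd /status` and map it to the register/join advice above.

function Get-DsregState {
    # Turns the "Name : Value" lines of dsregcmd /status into a hashtable.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-AzureAdJoinType {
    # Device State section: AzureAdJoined / DomainJoined.
    # User State section:   WorkplaceJoined (registered with a work or school account).
    param([hashtable]$State)
    $aad = $State['AzureAdJoined']   -eq 'YES'
    $dom = $State['DomainJoined']    -eq 'YES'
    $reg = $State['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $dom) { return 'HybridAzureAdJoined' }   # local AD join registered with AAD
    if ($aad)           { return 'AzureAdJoined' }         # corporate-owned device
    if ($reg)           { return 'AzureAdRegistered' }     # BYOD, work or school account
    if ($dom)           { return 'DomainJoinedOnly' }      # "old school" AD with SCCM/GPOs
    'NotJoined'
}

function Test-IntuneEnrolled {
    # Assumption: an MDM enrollment with Intune appears under this key with
    # ProviderID "MS DM Server". Confirm this on your own build before relying on it.
    $path = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $enrollments = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }
    [bool]($enrollments | Where-Object { $_.ProviderID -eq 'MS DM Server' })
}

function Get-EnrollmentAdvice {
    # The post's rule of thumb: auto-enroll corporate (joined) devices, not BYOD (registered) ones.
    param([string]$JoinType)
    switch ($JoinType) {
        'AzureAdJoined'       { 'Yes: corporate device, auto-enroll and push policies' }
        'HybridAzureAdJoined' { 'Yes: corporate device' }
        'AzureAdRegistered'   { 'No by default: BYOD, SSO is enough; let Conditional Access ask for enrollment when more resources are needed' }
        'DomainJoinedOnly'    { 'Not applicable: register the device with AAD first' }
        default               { 'Not applicable: no work or school account on this device' }
    }
}

$state = Get-DsregState
$join  = Get-AzureAdJoinType -State $state

[pscustomobject]@{
    JoinType               = $join
    HasPrimaryRefreshToken = ($state['AzureAdPrt'] -eq 'YES')               # PRT present: SSO to cloud apps works
    TenantMdmUrlPresent    = -not [string]::IsNullOrEmpty($state['MdmUrl']) # assumption: set when MDM auto enrollment covers this user
    IntuneEnrolled         = Test-IntuneEnrolled
    AutoEnrollAdvised      = Get-EnrollmentAdvice -JoinType $join
}
```

A registered device (WorkplaceJoined YES, AzureAdJoined NO) that reports IntuneEnrolled as True is a personal device that did get auto-enrolled, which is exactly the case the paragraph above argues against; check the MDM user scope in the portal if you see that combination on BYOD machines.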

Some background resources can be found here:

  • Differences between AAD join and AAD registration,
  • Automatic enrollment into Intune,
  • Managing AAD-joined devices with Intune,
  • Windows 10 AAD join.

Credits to Pieter Wigleven and Bjorn Axell, both Microsoft colleagues for helping me out!

Microsoft Intune+mobile Office apps = Greatness!

Microsoft Office: Word, PowerPoint, Outlook, Excel, OneNote, OneDrive, etc. Who doesn’t know these applications? Most of you know the apps from a corporate point of view, and I think it is safe to say the Office suite of products is the corporate standard. As we know, there is another world besides the laptop/desktop/Windows-based one: the mobile device world. And besides desktop/laptop versus mobile, we also have a corporate versus private world. To make it even more exciting, the mixing of all these worlds is happening all around us.

Wouldn’t it be great to use the same productivity apps you are used to across all these different devices? What may not be known to many people is that Microsoft has developed many apps for iOS and Android. You can use the complete Office suite on your mobile devices; find the Microsoft apps in the App Store. So, if you want the same experience on your mobile devices, or even on your Apple Macs, as on your corporate device, you can. The Office suite is developed for all platforms.

Great, users can have the same experience on Windows, Mac and mobile devices. But when these mobile devices are used professionally, IT would like to manage at least the productivity apps. It is great that you can access and consume corporate data using the Office apps, but you want to secure that data as well.

To provide this security, other MDM/MAM (Mobile Device Management/Mobile Application Management) vendors have created their own productivity apps: their own email clients and data clients that preview Microsoft Word, Excel and PowerPoint documents. Those apps are not what end users know and like. Also, developing Office/productivity tools is not the core business of these MDM/MAM vendors.

With Microsoft Intune, it is possible to let users use what they know and like and secure the Office apps in multiple ways:

  1. Traditionally, you enrol the device in Intune and manage both the device and the Office apps: MDM with MAM,
  2. It is also possible to use and secure the apps without enrolment: MAM only,
  3. If you currently use another MDM tool, you can still use #2 by using Intune for the MAM part.

Bullet 1 is pretty clear: you enrol the device, and device and app policies are pushed by Intune. With #2 and #3, the application policies are pushed after users sign in to the Office apps on iOS and Android with their Azure AD (Intune-licensed) accounts.

So, what can be configured using MDM-MAM or MAM only?

  1. You can allow or deny copy/paste from the Office apps to other, native apps,
  2. You can allow copy/paste from native apps into the Office apps,
  3. You can require a PIN on all managed apps for another level of security,
  4. You can specify that links must open in the Managed Browser,
  5. You can prohibit “save as”, to prevent users from saving a corporate document to another, unmanaged location.

With Intune and the Microsoft productivity apps, users get familiar apps that are built for productivity, and IT can secure access to and from these apps and protect corporate data. Check out this Microsoft blog for more details and screenshots. Also, check out this website to see more apps that can be managed by Intune.
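As an added example (my own, not from the post or from Microsoft’s documentation), here is how the five settings above, plus the “company OneDrive only” save location from the BYO iPad scenario earlier, translate into an Intune iOS app protection policy created through Microsoft Graph with the Microsoft.Graph PowerShell module. It assumes the module is installed, an account with the DeviceManagementApps.ReadWrite.All permission, the iosManagedAppProtection property names and enum values as I know them from the Graph v1.0 reference (check them against the current reference before running this against a production tenant), the listed Office bundle IDs, and a placeholder group ID that you replace with your own BYOD users group.

```powershell
# Added example, not from the post: an iOS MAM (app protection) policy expressing the
# five settings listed above, created in Intune through Microsoft Graph.
# Requires: Install-Module Microsoft.Graph; an account with DeviceManagementApps.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'

$policy = @{
    '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
    displayName   = 'Office apps - BYOD iOS (MAM only)'
    description   = 'Keeps corporate data inside the managed Office apps'
    # 1. copy/paste OUT of the Office apps only to other managed apps, never to native apps
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    allowedOutboundDataTransferDestinations = 'managedApps'
    # 2. copy/paste INTO the Office apps from native apps stays allowed ("paste in" above)
    allowedInboundDataTransferSources       = 'allApps'
    # 3. an app PIN on top of the account sign-in
    pinRequired      = $true
    minimumPinLength = 6
    # 4. web links open in the Managed Browser, not Safari
    managedBrowserToOpenLinksRequired = $true
    # 5. no "save as" to an unmanaged location; the company OneDrive is the only allowed target
    saveAsBlocked               = $true
    allowedDataStorageLocations = @('oneDriveForBusiness')
    # Re-check the policy with the service periodically (ISO 8601 durations)
    periodOnlineBeforeAccessCheck  = 'PT30M'
    periodOfflineBeforeAccessCheck = 'PT12H'
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph -ContentType 'application/json' `
    -Body ($policy | ConvertTo-Json -Depth 5)
"Created policy $($created.id)"

# Target the policy at the Office apps. Bundle IDs are assumptions; confirm them against the
# app list shown in the Intune portal before use.
$bundleIds = 'com.microsoft.Office.Word', 'com.microsoft.Office.Excel',
             'com.microsoft.Office.Powerpoint', 'com.microsoft.Office.Outlook',
             'com.microsoft.onenote', 'com.microsoft.skydrive'
$apps = @($bundleIds | ForEach-Object {
    @{
        '@odata.type'       = '#microsoft.graph.managedMobileApp'
        mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = $_ }
    }
})
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" -ContentType 'application/json' `
    -Body (@{ apps = $apps } | ConvertTo-Json -Depth 5)

# Assign the policy to the BYOD users group. Replace the placeholder with your group's object ID.
$groupId = '00000000-0000-0000-0000-000000000000'
$assignment = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
            target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 5)
```

Because this is a MAM-only policy it needs no device enrollment: it takes effect the first time a user in the assigned group signs in to one of the targeted Office apps with their work account, which is the #2/#3 scenario above. The weak variant to avoid is allowedOutboundClipboardSharingLevel set to 'allApps' together with saveAsBlocked left at $false, which lets a user move a corporate document out of the managed apps with a single paste or “save as”.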