Let’s not focus on Microsoft365 security for a moment…Let’s focus on the user

When you think about End User Computing, the Modern Workplace, which companies would you relate that to? VMware with their Horizon/Workspace ONE proposition? Citrix, with XenApp and XenDesktop? Both companies even having their proposition coming out of the cloud (Azure and AWS). I bet many people would answer that question with yes, and not a lot of people would mention Microsoft and I cannot blame them. Some people might mention Microsoft’s O365.

Microsoft does have a Modern Workplace unit, which I am part of. Within that unit, there are specialties, like Windows 10, Office/collaboration, Identity & Information Protection, Thread Management and Voice. All of those components make up the Modern Workplace so I fully get that. However, Windows 10, Thread Management, Identity & Information Protection are very security focussed, and so is in general the Microsoft’s Modern Workplace approach.

In my (humble) opinion, Microsoft is not focussing enough on the “other side” of the balance: the end user and the end user experience. In my opinion regarding the Workplace, you need to balance IT/management/security with the end user (experience). IT/Security/Management is the cost side, the “boring (controlling the user, restrictions)” part. The end user side is the “sexy” side- giving users a smooth experience, multiple devices, being more productive etc.

I fully understand why Microsoft is taking the security approach though: their layered Identity, Apps, Data and Devices security approach. It is very solid! I truly like Azure AD’s Conditional Access possibilities- checking on the Identity, sign in risc, device compliance, trusted IP’s, countries etc and securing (granting with MFA or blocking access) applications based on those conditions. I also like Azure Information Protection for securing documents. However, when a customer is asking what’s in it for a user if going for Microsoft365…….I am afraid Microsoft is falling back to the security story again.

And that is unfortunate because the end user experience story with M365 is great! Windows 10 Auto Pilot, Azure AD join, Single Sign on to apps, automatic enrolment into Intune and getting your required apps, the Company Portal giving you optional/additional MSI apps, cloud storage with OneDrive, cross device experiences and device independencies are there!

In this post I would like to show you a couple of short videos showing the end user experience- from onboarding a device, to accessing apps, using a personal iPad, cross device having a meeting etc. It is my goal to show you Microsoft365 can be as “sexy” as other solutions from an end user perspective. That the onboarding of devices is easy, self service, smooth and personal. That M365 does offer great BYO possibilities with the Office apps and also being secure and that it can be very smooth regarding cross device workloads.

1. Windows Auto Pilot: a very quick and easy way of getting a user up and running. From unwrapping the new Windows device, turning it on and moving into Windows. Also with Multi Factor being setup in a very easy way as well:

2. From the moment the user is logged in, the machine is AAD joined, enrolled into Intune and receiving policies (and let’s be quiet about them for now : ) and apps. In this case, Office Pro Plus is being pushed by Intune and so is the Microsoft Company Portal (CC). The CC is giving users additional apps to install. Before everything is downloaded and installed in the background, the user can SSO into O365 and already be productive. Also, when starting the new Office desktop apps, all is very smooth as well- no user names, server names etc:

3. Now, I would like to show you what M365 can do in a BYO(iPad) scenario. Intune is able to control the Windows desktop- and mobile Office apps so users can have the same universal experience across devices- Office apps everywhere. In the next 2 videos it is about using the Office apps on a BYO device- with security measures like allowing copy/paste to the managed Office apps but not allowing it to native apps. Also, allowing company content being saved to the company’s OneDrive but not locally:

 

 

4. Working cross devices with, in this example, OneNote. In this case a user starts a meeting on an iPad, types meeting notes and moves, later on to a Windows 10 device, continuing in OneNote with Ink:

5. Lastly, a nice gadget which can make your life a bit easier: Continue on PC. Just a step back, Microsoft is a huge IOS and Android app maker. Search the Apple Store for example and see how many Microsoft apps are on there. One of the “cool” apps is to make it very easy to start reading the news, Twitter etc on your mobile device, and send that article, or link, to your Windows device. No more copying the link, emailing it and opening the article from your email:

I hope you have discovered the smooth, easy, quick onboarding and access to apps with M365. It is a great story and we should mention it more. Combined with the more talked about security story, M365 is a very solidModern Workplace proposition.

Modern Workplace management with Enterprise Mobility + Security- part 3

In my second post, I started with identity and client apps/cloud services as part of the workplace and their Layer of Controls within EM+S. In this post, I would like to discuss data/content and devices. Don’t forget, It is the combination of Layers of Control which make the EM+S solution powerful. Also, I’m purely discussing the Enterprise Mobility + Security Layers of Control. Within Windows you will find more controls and the same for O365. These last area’s aren’t my expertise but do investigate the controls in these products.

Data/content:

The Layer of Control EM+S has to offer regarding data/content is Azure Information Protection. With AIP you can Label, classify and protect data/content, and make sure only the right people can open and modify content. You also can track usage of your document and revoke access if needed. I wrote a more detailed post on AIP which you can read here. A great additional layer on top of MAM policies on the Office apps or Windows Information Protection. AIP is one of the great tools regarding the coming GDPR.

 

Device management:

Last layer of control EM+S has to offer when you look at the device level is Intune. Intune offers a platform to manage all your devices whether those are Apple, Microsoft or Android devices. Sometimes you hear that this is “modern device management vs legacy device management”: lightly managed/Intune/AAD/policies vs fully managed/SCCM/AD/GPO’s

I’m aware that some customers require more features than what Intune has to offer today. SCCM can do a lot more on the Windows platform than Intune. Legacy Win32 app distribution is one of them, especially complex multi .MSI chain distribution. Hopefully, in that case, the focus will be on modernizing the app landscape so customers can make the full move to modern workplace management. Again, I’m aware that changing applications isn’t easy. My personal opinion if the switch to Intune is challenging; move as many users from the legacy way to the modern way and stick to SCCM for the devices which need it. However, keep on modernizing your apps! Read more about legacy apps and modernizing management here.

I believe Intune, on the device management side of things, has more than enough to offer today. Recently I was browsing in Intune to see which settings I could configure for Windows 10 and IOS devices. I realized that I only would set a couple of them: a password, Windows Update, enable Windows Defender and probably a Wi-Fi profile.

Besides the fact it is a lot of work to lock down devices (remember creating Windows images, turning off many features, use specific user settings solutions to disable even more settings, slower machines and unhappy users), with just a couple of very reasonable settings (and I truly hope everybody has configured those- on corporate and personal devices), I have the feeling it will be easier to make BYOD users enroll their  personal devices into a corporate management solution, because your Exchange policy might require an enrollment. With that, you have some control over the device (you can wipe corporate data) and the user can use its know Office apps.

Hopefully you have a better picture of what EM+S has to offer. To me, it offers Layers of Control, which are additional, on top of each other and not one or the other. Time has changed and purely focusing and protecting the device isn’t the way forward anymore. Identities are leaving your perimeter as is data. When you support that, enable that in a user friendly and secure matter, users will be empowered and be productive.

 

 

 

Modern workplace management with Enterprise Mobility + Security- part 1

How to do (modern) workplace management is a continuous question which keeps me busy. It is a great topic to think about and to try to figure out how you can make workplace management easier and give the user a better experience.

New technologies arrive, old ones disappear, new insights, new use cases, new devices, new cloud services etc. The “workplace” is evolving and it should, but that means you need to evolve with it to support the change. Trying to put the new world inside the old management framework, isn’t the right thing to do. Users will be unhappy because you can’t provide them with features they have at home. I’m fully aware that stepping out of the known management framework isn’t easy. It requires change of mindset and that’s always uncomfortable. So, let’s be open minded together and see if new possibilities can work in your organization. This post, for sure, isn’t meant to tell you this is the only right way of doing things. I’m prejudiced, of course, because I do work for Microsoft, but I also like this topic.

One thing I have learned though, is that there isn’t a 1 size fits all solution. I wish, but the fact is, in a lot of organizations, there are some (small groups) which require something special. However, don’t let those specials be leading in the decisions you make around workplace management. Treat them as an exception.

So, let’s define a workplace because you can make that definition a lot bigger when you include the actual office space for example, or the area at home where you work. That I won’t touch, although, it is a very part of the workplace. In my definition, the workplace consists of:

  1. Identity,
  2. Client apps and cloud services,
  3. Content/data,
  4. Devices,

The order above isn’t randomly chosen by me. In my opinion identity is the most important part of the workplace today followed by client apps/cloud services and data. To me, numbers 2 and 3 are equal. The devices however don’t have the same importance to me anymore what it used to have in terms of management. To manage and secure modern workplace, you need layers of control. With layers, think about Azure Active Directory, conditional access, Identity Protection, Mobile Application Management, Mobile Device Management, rights management and access management on data, data labeling and classification etc. I know I’m prejudiced but I believe Microsoft Enterprise Mobility + Security platform is the integrated platform to realize this modern management by providing you the layers of controls for management, security and also gives a great end user experience.

Next, Modern workplace management with Enterprise Mobility + Security- part 2

Azure Information Protection- part 4: the AIP Viewer-client

In part 3, I discussed the end user side of Azure Information Protection: How can users classify and label document by using the Microsoft Office apps. To get the ribbon inside the office apps, as mentioned before, you need to install the AIP client on your Windows device. Besides the ribbon, the client also is a full client app to label content and share it with externals. It also is a viewer for other (than Office) supported formats, like a protected .pdf file (which will be a .ppdf file). You can check here which file formats are supported with the AIP client-viewer, for protection and classification.

So, what is the flow of sharing a classified and protected document with an external (or internals who weren’t part of the users in the RMS template)? Remember, a classified and protected (with RMS) document can only be shared with internal users, within your organisation, out of the box- set in the RMS template. Sometimes you want to share a document with someone outside your org. The AIP Viewer/client has shell integration, so the only thing you need to do is to right-click on your document and clic
k on “Classify and protect”.

 

The AIP Viewer/client will open you you will see the same labels as in the ribbons of your Office apps. Here you can change the classification of a document (when setting a lower classification, optionally with a justification) and you can check “Protect with custom permissions” . Then it will be possible to select permissions: like Viewer- View Only, Reviewer- View/Edit, Co-Author and Co-Owner. You set these permissions for groups of user, which you can add manually. Optionally, you can set an expiration date. After applying the settings, you can send the document to new internal users and external users, you have added.

From that moment on, you will be able to track the document. At the top of the Viewer, you see “Track and Revoke”. When you click on that button, your browser will open and you will see an overview of your document: when was it shared with others, the list of users it was shared with, who viewed, denied access, expiration date etc. There also is a timeline of activities and a map with geo locations of your viewers. At the button, in black, you see the Revoke Access button. This way, you can monitor the usage of your document and take action when needed.

 

 

There are no ribbons in, for example Adobe Reader. However, you can still label and protect .pdf files if you want. Again, the AIP Viewer/client supports several file formats. Just right-click on a .pdf file and click on “Classify and protect”.  You can now label your .pdf file or label + protect it. Meta data and optionally protection is being added to the file. With pdf files, you can see the AIP logo being added in the icon, as shown in the picture.

With the Azure Information Protection Viewer/client, users can now easily share content with others, but in a very controlled way. They intentionally need to take steps to do so. Even if a person you have shared a document with shouldn’t be allowed to view that document anymore, the user can quickly revoke access to the document.

 

Azure Information Protection- part 3: the end user with the Office apps

I have written a couple of posts around Azure Information Protection- what the solution is and the admin side of the solution. In this post, I would like to discuss the end user side of Azure Information Protection. What do end users see and how can they use classification, labeling and share documents? Luckily, it is very simple from an end user perspective, and that is a great thing!

I have mentioned it before; AIP starts with the creation of a document. When a user is creating a document, either a default classification/label has been applied by AIP (based on a company’s policy) or a user classifies/labels the document (also based on the company’s policy around document classification). From that moment on, optionally encryption applies with access control, a user policy and tracking+revocation possibilities.

 

After installing the AIP plug in on a user’s Windows system ( which you can download for free from here), when a user opens Word, Powerpoint, Outlook of Excel, the user will see a new ribbon in the Office app’s interface with the labels. If the automatic default label policy is applied, one of the labels will be grey, thus applied. On the left in the ribbon, you also can see which label is applied.

Which label to chose from all depends on the classification/labeling policy of documents within an organization. Needless to say you need to train/educate your users about the labels and what they stand for. Within the user interface, when a user hoovers over the labels, a textbox pops up with a description of that specific label. Companies can put in their description of liking. Also an open door but don’t use too many labels and add a clear description so users will understand easily which label to pick with different kind of content.

I discussed automatic classification and recommended classification in the post on the admin side of AIP. So, what’s the flow there and how does it look from an end user? Let’s say all documents with the word “draft” need to be classified internal or confidential. A user created a Word document, is typing away and somewhere is the word “draft”. Now the user wants to save the file on its machine (and it doesn’t matter where the user wants to save it). After picking the location and hitting save, the user will be prompted to change the classification of the document, with a reason (wording is up to the company’s policy). The user can change the classification of the document or dismiss the recommendation. Remember, AIP isn’t to prevent intentional behavior or fraud. In this case, the user will be made aware of the situation and can decide, after thinking about it, to change the classification or not. Also, you have the option to enforce the policy automatically, so users don’t have a recommendation. After changing the classification, the user will see the marking, set my the companies policy in the back end of AIP.

In the above case, meta data has been added to the document. When you right-click the document and open the properties, you will see and extra tab called “custom” where you can see the meta data. Besides meta data, the document, in this case, also has RMS attached to it. A users most likely doesn’t know about this and in my opinion, shouldn’t know this. The user classifies the document and based on the classification, the document gets encrypted, has specific access control and user policies attached.

Because of the specific classification/label and the attached RMS template, the user cannot just send the document to people outside the organization (RMS templates apply to users/groups inside the organization/(Azure) Active Directory/Azure tenant. If, by accident, a user would send the document to someone outside the organization (or maybe a user inside the organisation who wasn’t in the RMS template user/groups list), that recipient of the document couldn’t authenticate to open the document. With Echange Online and the Data Loss Prevention tools, you even can set rules on the AIP classifications/labels. Exchange Online and AIP work together.

AIP is easy to use for end users. Success depends on a clear, easy to understand company policy around classifying and labeling content and education of the users. Awareness how to handle content is one of the major benefits when using AIP. It is fair to say it can prevent user mistakes till a certain level but it won’t help you when someone intentionally is trying to get around the system.

My next post will be about the AIP client and sharing documents externally.

Azure Information Protection- part 2: Admin portal

In this blog, I would like to show and explain to you the back end side/admin side of Azure Information Protection. What does it look like, what can you configure, which options do you have. As I mentioned before in part 1, setting up/configuring and using Azure Information Protection is quite easy. Defining the corporate data policy will require some thinking.

Azure Information Protection (AIP) can be found in the Azure Portal and can be added to your dashboard. From there it is very easy to jump to AIP and start configuring.

First item you will see is the policy. In my screenshot you see a policy called “Global” and applies to all users in my tenant. I can add multiple policies and apply those to different groups within my tenant/organisation. So, different groups can have different classifications and labels. In my opinion, keep things simple.

So, everything I will talk about after this, all settings apply to my policy “Global”.

The next part in the AIP portal are the labels. Default labels are defined but you can radjust them- different names, colors and descriptions but also add more labels and sub labels. These labels are what users will see as a ribbon in the Windows Office apps- Excel, Outlook, Powerpoint and Word (I will deiscuss the end user part in another post). Basically, these labels represent your content policy. You translate that policy in labels.

Below the label section, you find some more settings; the title end users see in the ribbon and the tooltip. Also, if all documents and emails must have a label; in other words, is it required for users to classify documents and email or not. A pretty good setting if you want to enforce classification. Another great setting to start using classifying content is the setting to have a default label applied for documents and emails. This means that e new email or a new document automatically will have a classification- in my case; “General”. Users will be able to change the label. You can configure that in the case of a lower label/remove label by a user, a justification needs to be entered by that user. This is being logged in Azure so you can trace all this. Removing a label can be done, but a user always will do this on purpose/with a reason and never by accident.

As I mentioned before, you can name the labels as you want. The description part is pretty important. This description is shown to end users when they hoover over the labels in the Office apps. Good descriptions will help users use the right labels and thus protect the right documents and emails.

Optionally you can attach a Microsoft Right Management Service template to a label. You have to configure this template in the RMS portal . I will discuss the options in RMS in a different post but to summarize it; with an RMS template you can define with which users/groups  the document with that specific label can be shared and what these users/groups can do with that document/email, among other settings.

You also can configure visual settings with your labels like:

  • header/footer text,
  • color,
  • font,
  • watermark,
  • alignment.

 

 

One of the best settings are saved for last: automatic labeling/recommendations. Within AIP, you can define 1 or multiple conditions within a label. When a document/email matches that condition you can either automatically apply that label to the document/email or visually show the user a recommendation with a reason.

In my example, a user will see a recommendation to classify/label the document/email as Confidential- Internal Recipients, when a document contains the word “draft”. You can define custom conditions, like phrases. You can set it to exactly matching or match as expression. There also are built in conditions like IBAN and Swift. In this case, you can automate/enforce classification based on what you believe is important, and you can take human error out of it.

Hopefully this post gives you a general understanding of what you can do on the admin side with AIP.

 

Azure Information Protection- part 1: Document+email protection overview

In one of my earlier post, I wrote about VDI and if the concept is dead. One of my points was that VDI was/is used for content security reasons. Place all your desktops virtually in a central data center, and automatically, the assumption is that content will be protected as well. I have heard this use case many times but I believe there is a better approach to deal with content protection: truly protect your content; your documents and emails. Besides true protection, make your users aware what kind of content they are dealing with. Make them think twice before they send content to others, for example.

Azure Information Protection is a cloud-based solution that helps you to classify, label
and protect documents and emails. This can be done automatically (rules set by administrators), manually (by users) or both- where users are given recommendations. Optionally you can monitor and respond which means you can track & trace content and revoke access.

By using labels you add classifications to files and emails. This is done by adding metadata in clear text to files and email headers.

So, there are 3 components to Azure Information Protection:

  1. Classification/labeling: as an organisation you must think about your content- documents/emails first. There needs to be a organisation wide policy on how to classify/label content. Call it sensitivity levels, like: Personal, General, Confidential etc. You need to describe which content will get what classification/label. This policy will be implemented in Azure Information Protection. I sometimes call this the awareness phase: as an organisation, you need to think documents/emails, get aware of the sensitivity and translate that to labels. As a user, because of the policy, you will become aware of the guidelines set by the organisation how to handle specific content, and become more aware of its sensitivity. Besides coming up with classifications/labels, as an organisation you also need to think about the results/consequences within a classification/label. Is there a result within a label? Does a label require protection? That’s component 2,
  2. Protection: if you decide/agree as an organisation that a specific classification/label needs protection, you will need to define what kind of protection; encryption, access control, expiration data etc. That’s a second policy you need to think about. Do realize that not all classifications/labels will get protection in most cases, as far as I see it. So, as an example: documents with a label “General” aren’t protected and can be send to everyone, opened by everyone. etc. Documents labeled as “Confidential” might have a protection policy- only shared internally, only viewed and not edited, etc. When there is a protection policy in place, attached to a classification/label, users can track&trace the document and optionally revoke access to it. Component 3,
  3. Monitor and Respond: when a document is classified/labeled and protected, a user can monitor the usage of that document when he/she shares it. Via the Azure Information Protection client, a user can monitor who has opened the document and from where. That user also can revoke access to that document.

The beauty of Azure Information Protection is that it can classify/label and protect data no matter where the documents are; file shares, OneDrive, Sharepoint etc. It is very intuitive and easy to use for users through buttons. I will cover what Azure Information Protection looks like from an admin perspective, from a user perspective and use cases in different, coming posts. Stay tuned. If you want to know more/read more, click here.