Let’s not focus on Microsoft365 security for a moment…Let’s focus on the user

When you think about End User Computing, the Modern Workplace, which companies would you relate that to? VMware with their Horizon/Workspace ONE proposition? Citrix, with XenApp and XenDesktop? Both companies even having their proposition coming out of the cloud (Azure and AWS). I bet many people would answer that question with yes, and not a lot of people would mention Microsoft and I cannot blame them. Some people might mention Microsoft’s O365.

Microsoft does have a Modern Workplace unit, which I am part of. Within that unit, there are specialties, like Windows 10, Office/collaboration, Identity & Information Protection, Thread Management and Voice. All of those components make up the Modern Workplace so I fully get that. However, Windows 10, Thread Management, Identity & Information Protection are very security focussed, and so is in general the Microsoft’s Modern Workplace approach.

In my (humble) opinion, Microsoft is not focussing enough on the “other side” of the balance: the end user and the end user experience. In my opinion regarding the Workplace, you need to balance IT/management/security with the end user (experience). IT/Security/Management is the cost side, the “boring (controlling the user, restrictions)” part. The end user side is the “sexy” side- giving users a smooth experience, multiple devices, being more productive etc.

I fully understand why Microsoft is taking the security approach though: their layered Identity, Apps, Data and Devices security approach. It is very solid! I truly like Azure AD’s Conditional Access possibilities- checking on the Identity, sign in risc, device compliance, trusted IP’s, countries etc and securing (granting with MFA or blocking access) applications based on those conditions. I also like Azure Information Protection for securing documents. However, when a customer is asking what’s in it for a user if going for Microsoft365…….I am afraid Microsoft is falling back to the security story again.

And that is unfortunate because the end user experience story with M365 is great! Windows 10 Auto Pilot, Azure AD join, Single Sign on to apps, automatic enrolment into Intune and getting your required apps, the Company Portal giving you optional/additional MSI apps, cloud storage with OneDrive, cross device experiences and device independencies are there!

In this post I would like to show you a couple of short videos showing the end user experience- from onboarding a device, to accessing apps, using a personal iPad, cross device having a meeting etc. It is my goal to show you Microsoft365 can be as “sexy” as other solutions from an end user perspective. That the onboarding of devices is easy, self service, smooth and personal. That M365 does offer great BYO possibilities with the Office apps and also being secure and that it can be very smooth regarding cross device workloads.

1. Windows Auto Pilot: a very quick and easy way of getting a user up and running. From unwrapping the new Windows device, turning it on and moving into Windows. Also with Multi Factor being setup in a very easy way as well:

2. From the moment the user is logged in, the machine is AAD joined, enrolled into Intune and receiving policies (and let’s be quiet about them for now : ) and apps. In this case, Office Pro Plus is being pushed by Intune and so is the Microsoft Company Portal (CC). The CC is giving users additional apps to install. Before everything is downloaded and installed in the background, the user can SSO into O365 and already be productive. Also, when starting the new Office desktop apps, all is very smooth as well- no user names, server names etc:

3. Now, I would like to show you what M365 can do in a BYO(iPad) scenario. Intune is able to control the Windows desktop- and mobile Office apps so users can have the same universal experience across devices- Office apps everywhere. In the next 2 videos it is about using the Office apps on a BYO device- with security measures like allowing copy/paste to the managed Office apps but not allowing it to native apps. Also, allowing company content being saved to the company’s OneDrive but not locally:

 

 

4. Working cross devices with, in this example, OneNote. In this case a user starts a meeting on an iPad, types meeting notes and moves, later on to a Windows 10 device, continuing in OneNote with Ink:

5. Lastly, a nice gadget which can make your life a bit easier: Continue on PC. Just a step back, Microsoft is a huge IOS and Android app maker. Search the Apple Store for example and see how many Microsoft apps are on there. One of the “cool” apps is to make it very easy to start reading the news, Twitter etc on your mobile device, and send that article, or link, to your Windows device. No more copying the link, emailing it and opening the article from your email:

I hope you have discovered the smooth, easy, quick onboarding and access to apps with M365. It is a great story and we should mention it more. Combined with the more talked about security story, M365 is a very solidModern Workplace proposition.

Modern Workplace management with Enterprise Mobility + Security- part 3

In my second post, I started with identity and client apps/cloud services as part of the workplace and their Layer of Controls within EM+S. In this post, I would like to discuss data/content and devices. Don’t forget, It is the combination of Layers of Control which make the EM+S solution powerful. Also, I’m purely discussing the Enterprise Mobility + Security Layers of Control. Within Windows you will find more controls and the same for O365. These last area’s aren’t my expertise but do investigate the controls in these products.

Data/content:

The Layer of Control EM+S has to offer regarding data/content is Azure Information Protection. With AIP you can Label, classify and protect data/content, and make sure only the right people can open and modify content. You also can track usage of your document and revoke access if needed. I wrote a more detailed post on AIP which you can read here. A great additional layer on top of MAM policies on the Office apps or Windows Information Protection. AIP is one of the great tools regarding the coming GDPR.

 

Device management:

Last layer of control EM+S has to offer when you look at the device level is Intune. Intune offers a platform to manage all your devices whether those are Apple, Microsoft or Android devices. Sometimes you hear that this is “modern device management vs legacy device management”: lightly managed/Intune/AAD/policies vs fully managed/SCCM/AD/GPO’s

I’m aware that some customers require more features than what Intune has to offer today. SCCM can do a lot more on the Windows platform than Intune. Legacy Win32 app distribution is one of them, especially complex multi .MSI chain distribution. Hopefully, in that case, the focus will be on modernizing the app landscape so customers can make the full move to modern workplace management. Again, I’m aware that changing applications isn’t easy. My personal opinion if the switch to Intune is challenging; move as many users from the legacy way to the modern way and stick to SCCM for the devices which need it. However, keep on modernizing your apps! Read more about legacy apps and modernizing management here.

I believe Intune, on the device management side of things, has more than enough to offer today. Recently I was browsing in Intune to see which settings I could configure for Windows 10 and IOS devices. I realized that I only would set a couple of them: a password, Windows Update, enable Windows Defender and probably a Wi-Fi profile.

Besides the fact it is a lot of work to lock down devices (remember creating Windows images, turning off many features, use specific user settings solutions to disable even more settings, slower machines and unhappy users), with just a couple of very reasonable settings (and I truly hope everybody has configured those- on corporate and personal devices), I have the feeling it will be easier to make BYOD users enroll their  personal devices into a corporate management solution, because your Exchange policy might require an enrollment. With that, you have some control over the device (you can wipe corporate data) and the user can use its know Office apps.

Hopefully you have a better picture of what EM+S has to offer. To me, it offers Layers of Control, which are additional, on top of each other and not one or the other. Time has changed and purely focusing and protecting the device isn’t the way forward anymore. Identities are leaving your perimeter as is data. When you support that, enable that in a user friendly and secure matter, users will be empowered and be productive.

 

 

 

Modern workplace management with Enterprise Mobility + Security- part 2

In this series of 3 posts I discuss what I see as the modern way of workplace management. In the first post I defined the workplace. Now I would like to start with identity and also add the Enterprise Mobility + Security products of Microsoft in the mix.

Identity:

Since network boundaries are disappearing, identity is the most important part of today’s workplace management. In the past, the Local Area Network was the perimeter to secure. Firewalls, the local network boundary, that was the place to secure. With the adoption of cloud services and also content sharing externally, the original perimeter is being extended to the outside world. The LAN perimeter is fading. What’s there to secure is the identity.

First of all, how do you make it easy for users to access cloud services, preferably with Single Sign On, so using the on-premise’s credential? You extend Active Directory to the cloud and what is a better place to do that than to extend it to Azure. And again, yes I’m prejudiced but 1 of the big advantages is the fact that Microsoft collects a lot of information regarding logons (around 350 billion authentications), logon behaviour, suspicious logons, botnet networks, breaches at major public services (yes Linkedin is one of them, years ago). Microsoft is using that information to make their services better and thus making the services better which customers use. Check out Brad Anderson on Youtube talking about Microsoft Intelligent Security Graph.

With identity becoming very important, you would like to know who is accessing your services, and when it seems to be the right person, you would like to have some reassurance sometimes. Maybe a couple of steps further, you would like to risk assess a person and use that rating or profile to enforce specific policies.

The first Layer of Control is regarding identity. Some of the controls are:

  1. Multi Factor Authentication: an extra layer of security on top of a password. MFA is an Azure cloud service which is very easy to adopt. MFA can be turned on per user, so every time when that user wants to access services via Azure, that user will hit MFA. More granular, it also can be turned on per specific app. This is possible in combination with conditional access. When MFA is turned on, AD/AAD doesn’t accept your domain password anymore but expects a second factor. This can be a text with a code, a phone call where the user needs to push the # key or the use of the Microsoft Authenticator app on a device. It does work with cloud services but also with your on premises environment and even with 3rd party hardware tokens. More details can be found here. Just turning on Azure MFA provides a higher level of identity protection. Be aware that in order to be able to use MFA, you need to enable “Modern Authentication” in your Azure environment on Exchange and Skype for Business. Also be aware that not all clients understand Modern Authentication/MFA, like Apple Mail, Thunderbird and older Office apps. More details on modern authentication and Microsoft clients can be found here,
  2. Azure AD Identity Protection: to put it (too) simply, Azure Active Directory Identity Protection is a cloud based layer of control which helps you detect potential identity vulnerabilities and can define automated actions for those. More details can be found here. On an Azure level, Microsoft can see which identities are trying to log on, from which IP address, location and for example compare that to the last logon (remember the Intelligent Security Graph). Based on many variables a user risk level/profile or sign-in level/profile can be calculated. As a result, for example, a user logging on in the morning in Los Angeles and 3 hours later from an IP address in Madrid can be calculated as a high risk and the last login could be blocked or the user could hit MFA. In this case a very important tool comes around to put an extra layer of control on securing the identity:
  3. Conditional Access: with CA, it is possible to setup policies with several conditions with controls. You can combine the layers of control (identity, trusted/untrusted IP’s, device compliance, MFA and user risk) to grant or block access to cloud services.                                                                                                               Conditional Access is defined as: “When this happens, then do this”. The first part is the Condition Statement and the second part the Controls . An example of a statement: “All users, accessing Exchange Online, from all platforms, using browser and desktop apps, are granted on compliant (Intune managed) devices and when they use MFA. Another example is: “all users, accessing Sharepoint Online, from Windows devices, from all networks except trusted IP’s, using both browser, mobile and desktop apps, are granted when using MFA. Combing the layers of control is very powerful where you can setup a great balance between user friendliness and security.

Client apps/cloud services:

The second Layer of Controls are controls for client apps and cloud services. The first control you have here is the pre-built App Based Conditional Access policy for Exchange Online and Sharepoint Online. With these controls you can force users to use specific Intune manageable apps like the Outlook app to access your Exchange environment. Yes, this is tied to the mobile Android and IOS apps. Again, you can force users to use Outlook by enabling MFA, since Outlook knows about Modern Authentication/MFA. And why would you like to do this, you ask. Very good question but read on about another great feature and I will wrap up an give you my thoughts.

Another great tool to secure your apps and cloud services is Mobile Application Management, provided by Intune on the Microsoft Office apps- desktop and mobile versions. This is a very cool feature and pretty unique. Users can keep on using their well known Office apps like Word, Excel and Powerpoint and you as the organization are able to secure these apps and data inside them. Read here for more details on the MAM features within the Office apps on Android and IOS. Also know that these MAM policies can be configured for the desktop Office apps as well. Windows 10 creators Update (1703) and Office 2016, app versions 1705 and above. Essentially, with MAM you can protect your Office apps on Windows, Android and IOS. An example of what you can do with MAM is that you can deny copy data in Word and paste it in a personal app on your device.  Or, that a PIN is required when opening the apps. This way you prevent data leakage.

Why do I think the client apps/cloud services Layer of Control is such a big deal? Well, Exchange/email is a good example. Within many organization, users are handed a corporate laptop/desktop. That device has a very locked down image, where a lot of settings/features are disabled, I cannot install anything and in a lot of cases the user experience is poor. Within those same companies, you can take any (mobile) device, any browser and any email client and connect to the company’s Exchange environment and download the inbox/create an .OST or use OWA. User experience wise, great! Security wise, maybe not so great!. Data and information we send via email, many times, is very sensitive and I’m sure you don’t want it to be cached on a device with no Layer of Control.

This case of Exchange also is keeping me busy: how would I let my users connect to my Exchange environment (assuming I would have a company and employees). Well for sure I would like to have some sort of control. At least I would like to enforce the Outlook app, and set a PIN on it (maybe even a PIN regardless if there is a device PIN in place). I would disable copy/past from the Outlook app to other, not managed apps, like the device’s notes app. And also, maybe I would add conditional access to the mix to enforce MFA when there is a high risk user profile or the user is at home. Maybe, nowadays, I must consider email as that sensitive that I require an enrollment of the device in Intune. Maybe I would like to have the “corporate data wipe” control in case something bad happens. Of course, I still would like to have the MAM policies in place.

I’m aware this won’t fully protect me against intentional data leakage or fraud. I doubt it if there is a set of tools protecting you against it. Think about the simple camera in your phone. However, the identity layer of control and client apps/cloud services layer of control is a very good start and most likely more than what a lot of customers currently have.

Next, Modern workplace management with Enterprise Mobility + Security- part 3

Modern workplace management with Enterprise Mobility + Security- part 1

How to do (modern) workplace management is a continuous question which keeps me busy. It is a great topic to think about and to try to figure out how you can make workplace management easier and give the user a better experience.

New technologies arrive, old ones disappear, new insights, new use cases, new devices, new cloud services etc. The “workplace” is evolving and it should, but that means you need to evolve with it to support the change. Trying to put the new world inside the old management framework, isn’t the right thing to do. Users will be unhappy because you can’t provide them with features they have at home. I’m fully aware that stepping out of the known management framework isn’t easy. It requires change of mindset and that’s always uncomfortable. So, let’s be open minded together and see if new possibilities can work in your organization. This post, for sure, isn’t meant to tell you this is the only right way of doing things. I’m prejudiced, of course, because I do work for Microsoft, but I also like this topic.

One thing I have learned though, is that there isn’t a 1 size fits all solution. I wish, but the fact is, in a lot of organizations, there are some (small groups) which require something special. However, don’t let those specials be leading in the decisions you make around workplace management. Treat them as an exception.

So, let’s define a workplace because you can make that definition a lot bigger when you include the actual office space for example, or the area at home where you work. That I won’t touch, although, it is a very part of the workplace. In my definition, the workplace consists of:

  1. Identity,
  2. Client apps and cloud services,
  3. Content/data,
  4. Devices,

The order above isn’t randomly chosen by me. In my opinion identity is the most important part of the workplace today followed by client apps/cloud services and data. To me, numbers 2 and 3 are equal. The devices however don’t have the same importance to me anymore what it used to have in terms of management. To manage and secure modern workplace, you need layers of control. With layers, think about Azure Active Directory, conditional access, Identity Protection, Mobile Application Management, Mobile Device Management, rights management and access management on data, data labeling and classification etc. I know I’m prejudiced but I believe Microsoft Enterprise Mobility + Security platform is the integrated platform to realize this modern management by providing you the layers of controls for management, security and also gives a great end user experience.

Next, Modern workplace management with Enterprise Mobility + Security- part 2