In my second post, I started with identity and client apps/cloud services as part of the workplace and their Layer of Controls within EM+S. In this post, I would like to discuss data/content and devices. Don’t forget, It is the combination of Layers of Control which make the EM+S solution powerful. Also, I’m purely discussing the Enterprise Mobility + Security Layers of Control. Within Windows you will find more controls and the same for O365. These last area’s aren’t my expertise but do investigate the controls in these products.
The Layer of Control EM+S has to offer regarding data/content is Azure Information Protection. With AIP you can Label, classify and protect data/content, and make sure only the right people can open and modify content. You also can track usage of your document and revoke access if needed. I wrote a more detailed post on AIP which you can read here. A great additional layer on top of MAM policies on the Office apps or Windows Information Protection. AIP is one of the great tools regarding the coming GDPR.
Last layer of control EM+S has to offer when you look at the device level is Intune. Intune offers a platform to manage all your devices whether those are Apple, Microsoft or Android devices. Sometimes you hear that this is “modern device management vs legacy device management”: lightly managed/Intune/AAD/policies vs fully managed/SCCM/AD/GPO’s
I’m aware that some customers require more features than what Intune has to offer today. SCCM can do a lot more on the Windows platform than Intune. Legacy Win32 app distribution is one of them, especially complex multi .MSI chain distribution. Hopefully, in that case, the focus will be on modernizing the app landscape so customers can make the full move to modern workplace management. Again, I’m aware that changing applications isn’t easy. My personal opinion if the switch to Intune is challenging; move as many users from the legacy way to the modern way and stick to SCCM for the devices which need it. However, keep on modernizing your apps! Read more about legacy apps and modernizing management here.
I believe Intune, on the device management side of things, has more than enough to offer today. Recently I was browsing in Intune to see which settings I could configure for Windows 10 and IOS devices. I realized that I only would set a couple of them: a password, Windows Update, enable Windows Defender and probably a Wi-Fi profile.
Besides the fact it is a lot of work to lock down devices (remember creating Windows images, turning off many features, use specific user settings solutions to disable even more settings, slower machines and unhappy users), with just a couple of very reasonable settings (and I truly hope everybody has configured those- on corporate and personal devices), I have the feeling it will be easier to make BYOD users enroll their personal devices into a corporate management solution, because your Exchange policy might require an enrollment. With that, you have some control over the device (you can wipe corporate data) and the user can use its know Office apps.
Hopefully you have a better picture of what EM+S has to offer. To me, it offers Layers of Control, which are additional, on top of each other and not one or the other. Time has changed and purely focusing and protecting the device isn’t the way forward anymore. Identities are leaving your perimeter as is data. When you support that, enable that in a user friendly and secure matter, users will be empowered and be productive.