Modern workplace management with Enterprise Mobility + Security- part 1

How to do (modern) workplace management is a continuous question which keeps me busy. It is a great topic to think about and to try to figure out how you can make workplace management easier and give the user a better experience.

New technologies arrive, old ones disappear, new insights, new use cases, new devices, new cloud services etc. The “workplace” is evolving and it should, but that means you need to evolve with it to support the change. Trying to put the new world inside the old management framework, isn’t the right thing to do. Users will be unhappy because you can’t provide them with features they have at home. I’m fully aware that stepping out of the known management framework isn’t easy. It requires change of mindset and that’s always uncomfortable. So, let’s be open minded together and see if new possibilities can work in your organization. This post, for sure, isn’t meant to tell you this is the only right way of doing things. I’m prejudiced, of course, because I do work for Microsoft, but I also like this topic.

One thing I have learned though, is that there isn’t a 1 size fits all solution. I wish, but the fact is, in a lot of organizations, there are some (small groups) which require something special. However, don’t let those specials be leading in the decisions you make around workplace management. Treat them as an exception.

So, let’s define a workplace because you can make that definition a lot bigger when you include the actual office space for example, or the area at home where you work. That I won’t touch, although, it is a very part of the workplace. In my definition, the workplace consists of:

  1. Identity,
  2. Client apps and cloud services,
  3. Content/data,
  4. Devices,

The order above isn’t randomly chosen by me. In my opinion identity is the most important part of the workplace today followed by client apps/cloud services and data. To me, numbers 2 and 3 are equal. The devices however don’t have the same importance to me anymore what it used to have in terms of management. To manage and secure modern workplace, you need layers of control. With layers, think about Azure Active Directory, conditional access, Identity Protection, Mobile Application Management, Mobile Device Management, rights management and access management on data, data labeling and classification etc. I know I’m prejudiced but I believe Microsoft Enterprise Mobility + Security platform is the integrated platform to realize this modern management by providing you the layers of controls for management, security and also gives a great end user experience.

Next, Modern workplace management with Enterprise Mobility + Security- part 2

Windows 10+Azure AD: register or join? Turn on Auto Enrollment to Intune?

In Windows 10, under Settings- Accounts and Access work or school, you have a couple of actions to pick from: setting up a work or school account, join the Windows 10 device to Azure Active Directory or join it to a local Active Directory. Personally I know  the local AD and I do understand Azure AD but what is setting up a work or school account? And how is that different than Azure AD? When will I use one or the other?

Let’s start with setting up a school or work account. With this option you register your Windows 10 device in Azure AD. So, this isn’t an Azure AD join. The use case behind this is Bring Your Own Device. Personal owned Windows devices being used for work as well. By registering your personal W10 device in AAD (Azure AD), you will enjoy the benefits of Single Sign On to your company’s cloud apps, seamless multi-factor authentication and access to on-premises apps via the Web Application Proxy and ADFS Device Registration.

Device registration is possible for Windows, IOS and Android devices. In fact, registration is the only option for IOS and Android devices since they cannot be joined to AAD.

In Azure (the Azure Portal- Active Directory- Applications- Intune), you can turn on “Auto Enrollment” to Intune. What this means is that when Windows 10 devices are registered by users, those devices are automatically being enrolled in Intune. You can set this up for all users, none of them or by group. After enrollment, IT can manage your device by applying device and application policies. My question is: do you want BYOD/personal devices being enrolled automatically into Intune after registration? Thinking out loud, I would say no. Not automatically. Maybe registering a device, so that the user can benefit from SSO is more than enough for that user. And also thinking but the upcoming W10 Creators Update with fancy Mobile Access Management features, maybe that is enough and there is no need to manage the device. I can imagine that a user doesn’t want IT to manage his/her own personal device. This could change if that user would like to access more company resources, like email. In that case, conditional access could require the user to enroll his device in order to get access to mail. It’s up to the user to do that or not. Do realize, with IOS and Android devices, there is no choice of registering and/or (automatically) enrolling the device. It always is both. You enroll those devices and then they are registered in AAD.

 

So, now Azure AD join. Here, the use case is corporate owned devices. And again, only Windows devices can be joined. Besides the SSO, Multi-Factor Authentication benefits like with registering devices, a join adds a couple of other features: Phone/PIN sign in and AAD cloud Bitlocker key storage, to name a couple. Would you auto enroll those devices into Intune automatically? In this case I would say yes. The devices are corporate, users have access to many resources so you would like to manage and protect these devices and users. Automatically enrolling the devices and deploying policies is a great way in doing that.

I won’t discuss the local AD join because it’s been around for ages and it’s known to the public. I always like to say it is the “old school” way of Windows device management: AD with SCCM and GPO’s. The new way in my opinion is AAD join/registration with Enterprise Mobility Management- Intune. However, know it is possible to register a local AD joined Windows device to AAD.

Some background resources can be found here:

  • Differences between AAD join/registration here,
  • Automatic enrollment,
  • Managing AAD joined devices with Intune,
  • Windows 10 AAD join

Credits to Pieter Wigleven and Bjorn Axell, both Microsoft colleagues for helping me out!