Deep Dive on Android and iOS (and Mac!)
Chris Baldwin & Kieran Gupta
Program Managers, Microsoft Intune Device Experiences
BRK3866
Enterprise Mobility Vision
Protect your data
Enable your users
User IT
Unify Your Environment
Devices Apps Data
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure
Conditional Access: Secure access to email, SharePoint Online services using conditional access policy
Data Protection: Prevent data leakage from mobile apps using Intune data protection SDK
Resource Access: Deploy VPN, Wi-Fi, Certificate profiles to easily enable access
Data Loss Prevention: Selectively wipe corporate data off lost/stolen devices
Secure Android Devices and Applications with Microsoft Intune
Wide range of support: Support for all Android devices 4.0+
UX consistency: Consistent management and user experience across all device OEMs
Best productivity suite: Productivity with Microsoft Office
Separation of business and personal data: Identity-aware apps let IT control corporate data while leaving personal data untouched
Emphasis on User Experience
What to consider for secure Android email and collaboration
Device & compliance policy
• PIN
• Encryption
• Root detection
Publish managed apps
• Office
• Intune viewer apps
Architecture: Android MDM and MAM
App Code
MAM External
Managed App
Company Portal App
Company Portal UI
Intune MDM Agent
MAM Internal
When does check in occur?
Upon enrollment
• Every 3 mins 5 times
• Every 15 mins 8 times
• Every 8 hrs thereafter
On demand
• Press “Sync” in Contact IT menu
When notified
• IT Pro remote action (retire, wipe, remote lock, passcode reset)
• App or policy deployment
Anatomy of a remote retire
Google Cloud Messaging Service
Intune
1: IT Pro sends retire command
2: Intune tells GCM to notify device
3: “Wake up and check for new policy!”
4: “Got any new stuff for me?”
5: Sends down retire command
6: Device wipes
Application Installation

                                      Play Store Apps   Side loading (APK)   Web links
Required installation (mandatory)     Yes               Yes                  Yes
Available installation (in catalog)   Yes               Yes                  Yes
Uninstall                             No                Yes                  Yes
Remove on Retire                      No                Yes (KNOX only)      Yes

Samsung supports install without user confirmation
New
Three Ways to Obtain Logs
Prompt after enrollment failure
On the “Welcome” Page
On the Contact IT tab
[Diagram: iOS management. Labels: Microsoft Intune, Apple Cloud Services, iOS Device, Apple MDM Agent, Microsoft Intune Company Portal, Enrollment, Policies / Config Profiles, Remote commands, LOB apps, App Store apps, Inventory, check-in, Retire]
Company Portal App
• User-based enrollment
• Install from the App Store
• Apple ID required
• Example: BYOD
Apple Configurator / DEP
• User-less bulk enrollment via Service Account
• User-based enrollment
• Pre-enroll / out-of-box enrollment
• Examples: kiosk, retail, corporate-owned CYOD
Corporate
BYOD
User brings device
Install Comp. Portal + Enroll
Apply policy + configuration
Configuring Corporate-Owned Mobile Devices with Intune | Fri 9AM
Out-of-box enrollment
Apply policy + configuration
Install Comp. Portal (user)
+ jailbreak detection
+ AAD device registration (conditional access / compliance)
+ SSO and selective wipe (managed Office apps)
+ lock MDM profile to device
+ enable Supervised mode
Supervised mode
• Kiosk mode
• Activation Lock bypass (Find My iPhone)
• Silent app installation + prevent app uninstallation
• Custom background, lock screen message, device name
• Global HTTP proxy + always-on VPN
• Prevent device factory reset
• Prevent USB tethering
• more…
Supervise your corporate devices
Jailbreak detection
Symptoms: Look for symptoms of jailbroken device
• changes in OS behavior
• binaries, config files
• presence of certain apps/libraries
Future Proof: Detection logic not tied to any specific jailbreak kit or version
Testing: Regularly verify against latest jailbreak kits
iOS Custom Policy
Configure: Define any iOS setting or config payload available in [Config Profile Reference]
2 methods
• Apple Configurator
• Custom-written XML
Deploy
• Custom iOS Policy
• Import .mobileconfig
• Deploy to users
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>allowCamera</key>
<false/>
…
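A pre-import check for a custom-written .mobileconfig, as an added example that is not from the original slides or from Intune: it builds a constructed sample Restrictions profile with Python's plistlib and lints it for malformed XML, missing common payload keys and a wrongly typed allowCamera. The identifier prefix com.example.intune and the function names are assumptions, and the check assumes an unsigned, unencrypted profile.

```python
import plistlib
import uuid
# Keys every profile and every payload carries (Apple's common payload keys).
REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
# Illustrative type map for hand-written settings; extend per payload as needed.
EXPECTED_TYPES = {"allowCamera": bool}

def build_camera_profile(org_id="com.example.intune"):  # org_id is a placeholder
    """Return .mobileconfig bytes: one Restrictions payload that disables the camera."""
    def common(ptype, suffix):
        return {"PayloadType": ptype, "PayloadIdentifier": org_id + suffix,
                "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    restrictions = dict(common("com.apple.applicationaccess", ".restrictions"),
                        allowCamera=False)
    profile = dict(common("Configuration", ".profile"),
                   PayloadDisplayName="Camera restriction (constructed sample)",
                   PayloadContent=[restrictions])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def lint_profile(data):
    """Return a list of problems in .mobileconfig bytes; an empty list means OK."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML, such as an unclosed <key> tag
        return ["not a valid plist: %s" % exc]
    if not isinstance(profile, dict):
        return ["profile: top-level object must be a dict"]
    problems = ["profile: missing " + k for k in REQUIRED if k not in profile]
    if profile.get("PayloadType") != "Configuration":
        problems.append("profile: PayloadType must be 'Configuration'")
    payloads = profile.get("PayloadContent")  # required here: unencrypted profile assumed
    if not isinstance(payloads, list) or not payloads:
        return problems + ["profile: PayloadContent must be a non-empty array"]
    seen = {profile.get("PayloadUUID")}
    for i, p in enumerate(payloads):
        if not isinstance(p, dict):
            problems.append("payload %d: must be a dict" % i)
            continue
        problems += ["payload %d: missing %s" % (i, k) for k in REQUIRED if k not in p]
        if p.get("PayloadUUID") in seen:
            problems.append("payload %d: PayloadUUID is not unique" % i)
        seen.add(p.get("PayloadUUID"))
        for key, typ in EXPECTED_TYPES.items():
            if key in p and not isinstance(p[key], typ):
                problems.append("payload %d: %s must be <true/> or <false/>" % (i, key))
    return problems

if __name__ == "__main__":
    print(lint_profile(build_camera_profile()) or "profile OK")
```

Run the lint on the exact bytes that will be imported; a profile that was hand-edited after linting needs to be checked again.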
Forward-thinking: iOS 9
Day 0 support: Your users can upgrade worry-free at GA
How we do it
• Compatibility testing against beta drops
• Proactive & regular communication with Apple
New Features: Prioritized and delivered based on customer demand.
push wrapped app packages
Configuration Manager 2012 R2 / Hybrid
Config Manager Agent
push settings to device via plist or script
defaults write /Library/Preferences/com.apple.screensaver askForPassword -integer 1
Mac Support – v1
Secure
• Web-based enrollment
• Passcode policies
• Disk encryption
Configure
• Push WiFi/VPN profiles
• Push custom policies
Audit
• Hardware inventory
• Software inventory
• Device reports
MacBook Pro