2. Enterprise Mobility Suite
• Unify identity (Azure Active Directory Premium): Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
• Manage apps and devices (Microsoft Intune): Manage and protect corporate apps and data on almost any device with MDM and MAM.
• Protect data (Azure Rights Management): Encryption, authorization policies and usage-tracking options to secure corporate files across devices.
5. Use EMS to protect application access on Windows
Protect application access
Windows foundation provides:
EMS provides:
• Conditional access with MFA across devices & apps leveraging Windows device health data
• Self-service group and application management
• Password reset with write-back to on-premises directory
• Secure remote access and SSO to on-premises web applications with no need for VPN.
• Microsoft Identity Manager for on-premises identity, smart-cards, certificate management & more
• Enhanced security with Microsoft Passport
• Users can set up company devices without preparation from IT with MDM auto enrollment
• Device sign in with company credentials
• Single sign-on to thousands of SaaS applications hosted in any public cloud
6. Windows 10 identity choices
Protect application access
Organization-owned
• Computer joins AD to establish trust
• User signs on using AD account
• Group Policy + System Center Configuration Manager
Personally-owned
• Computer joins Azure AD to establish trust
• User signs on using Azure AD account
• MDM auto enroll with Intune or 3rd party MDM
• Settings roaming
• Computer registers with AD or Azure AD via Device Registration to establish trust for remote resource access
• User signs in with a Microsoft account, associates an Azure AD account
• MDM auto enroll with Intune or 3rd party MDM
Single sign-on to enterprise + cloud-based services
8. Leverage MDM and MAM support in Windows 10
Flexible device and application management
• MDM support capabilities
• Corporate app isolation support – MAM
• Corporate app distribution leveraging Windows Store for Business
• Advanced OS distribution and upgrade support
EMS provides:
• Automatic enrollment into MDM (via Azure AD Premium)
• MDM & MAM across Windows, iOS, and Android in a single tool
• Application distribution and updates with Company Portal
• Secure content viewer for media and web across device platforms
• Agent-based management of Windows devices
• Domain joined via System Center Configuration Manager
• Internet-based via Intune
• Windows in-place upgrade & OS deployment via System Center Configuration Manager
• Certificate, WiFi, VPN, email profile provisioning
Windows foundation provides:
9. One consistent set of MDM capabilities across Mobile, Desktop, and IoT
Flexible device and application management
EMS orchestrates MDM in Windows 10
11. Help secure data everywhere
Extend Windows 10 security to protect your data and identities
• Corporate application isolation and management
• Automatic encryption for data on the device and included in roaming and backup
• Storage of BitLocker device encryption keys in Azure
• Encrypt data during collaboration w/ consistent experience across multiple device platforms
• Track protected files and revoke access to files
• Advanced security reporting
• Cloud security reports based on machine learning
• On-premises behavioral analytics for advanced threat detection and detection of known malicious attacks and security issues
• Simple, actionable feed for suspicious activity alerts with recommendations
• Integration with your existing Security Information and Event Management (SIEM) systems
EMS provides:
Windows foundation provides:
12. Identify and authorize user
Apply device policies
Apply application policies
Apply content policies
[Diagram labels: User, IT, Active Directory Premium, Rights Management, Enterprise Mobility Suite]
14. Windows 10 and Enterprise Mobility Suite
Windows 10: identity and access management
• Single sign-on for business cloud apps
• Device set up and registration for Windows devices
Windows 10: mobile device and app management
• Windows Store for Business
• Traditional domain join manageability
• Manageability via MDM and MAM
Windows 10: information protection
• Encryption for data at rest and generated on device
• Encryption for data included in roaming settings
Enterprise Mobility Suite: identity and access management
• Conditional access policies for enhanced single sign-on security
• MDM auto enrollment
• Self-service group and application management
• Password reset with write-back to on-premises directory
• Cloud-based advanced security reports
• Microsoft Identity Manager
Enterprise Mobility Suite: mobile device and app management
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, WiFi, VPN, email profile provisioning
• Agent-based management of Windows devices (domain joined via ConfigMgr and internet-based via Intune)
Enterprise Mobility Suite: information protection
• Tracking and notifications for shared documents
• Protection for content stored in Office & Office 365
• Protection for on-premises Windows Server file shares
• Behavioral analytics for advanced threat detection
• Detection for known malicious attacks and security issues
15. Existing Differentiated Features in Win7 / Win8.1
Domain Join and Group Policy Management
Existing Win7 / Win 8.1 Enterprise features
Windows 10: Management and Deployment
Side-loading of LOB apps
MDM auto enrollment
Azure AD Join
The Business Store
Private Catalog
Granular UX Control and Lockdown
Windows 10: Security
Microsoft Passport
Enterprise Data Protection (EDP)
Pass the Hash Mitigations (using Virtual Secure Mode)
Device Guard
Windows 10: Windows as a Service, Support, and Entitlements
Windows Update for Business and Current Branch for Business
Access to Long Term Servicing Branch
Home Pro Enterprise EMS
Management with Intune or ConfigMgr
Intune
MDM auto enrollment requires Azure AD Premium.
Management and app delivery via Intune
Advanced management via Intune Company Portal
Management with Intune or ConfigMgr
Extend EDP w/ Azure Rights Management for data encryption when files leave the device
Management with Intune or ConfigMgr
EMS and Windows 10