An overview of EPC Group's Microsoft Intune Consulting

1. Microsoft Intune
Deployments
Mobile device and application
management from the cloud
with EPC Group

2. 52 percent of information
workers across 17 countries
report using three or more
devices for work*
>80 percent of employees
admit to using non-approved
software-as-a-service (SaaS)
applications in their jobs***
90 percent of enterprises will
have two or more mobile
operating systems to support
in 2017**
52% 90% >80%
* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

3. Devices Apps Data

4. Protect
your data
Enable
your users Unify your environment
People-centric approach
Devices Apps Data

5. It just worksPreserve existing investments
It’s integrated on common identityAccess from many devices
Support iOS, Android, Windows It’s comprehensive
Protection at all layers Identity, device, apps, data—built in
It protects Office betterManage and secure productivity

6. Easily manage identities across
on-premises and cloud. Single sign-on
and self-service for corporate resources.
Azure Active Directory
Premium
Unify identity Manage apps and devices Protect data
Microsoft Intune
Azure Rights
Management
Manage and protect corporate apps
and data on almost any device with
MDM and MAM.
Encryption, identity, and authorization
policies to secure corporate files and
email across phones, tablets, and PCs.

8. Mobile application
management
PC managementMobile device
management
ITUser
Microsoft Intune
Intune helps organizations provide their employees with access to corporate
applications, data, and resources from virtually anywhere on almost any
device, while helping to keep corporate information secure.

9. Enroll
• Provide a self-service Company
Portal for users to enroll devices
• Deliver custom terms and
conditions at enrollment
• Bulk enroll devices using Apple
Configurator or service account
• Restrict access to Exchange
email if a device is not enrolled
Retire
• Revoke access to corporate
resources
• Perform selective wipe
• Audit lost and stolen devices
Provision
• Deploy certificates, email, VPN,
and WiFi profiles
• Deploy device security policy
settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate
resources if policies are violated
(e.g., jailbroken device)
• Protect corporate data by
restricting actions such as copy, cut,
paste, and save as between Intune-
managed apps and personal apps
• Report on device and app
compliance
User IT

10. Enable users to be
productive

11. ITUser
Actions upon device enrollment
• Deploy email, VPN, and WiFi profiles
• Deploy certificates
• Deploy and install apps
• Deploy managed app configuration policies
• Apply and enforce device configuration settings
• Collect hardware and software inventory data
Microsoft Intune
Devices
enrolled

12. Microsoft Intune
Corporate email server
IT
Deploy email profile upon enrollment
• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, task, contacts, and calendar
• Support for iOS, Samsung KNOX, and Windows Phone
Any email service supported by Exchange ActiveSync
User

13. Microsoft Passport replaces passwords with strong two-factor authentication to
help protect user identities and user credentials
• Intune can deploy certificates to Microsoft Passport to
authenticate users and help them to access corporate
resources
• Intune manages Passport for Work policy including PIN
settings, biometrics settings, Trusted Platform Module
(TPM) requirements
Intune provides comprehensive management of
Microsoft Passport
• Credentials protected by hardware or software
• Credentials can be based on certificate or local keys
• Can be accessed using biometrics (Windows Hello) or PIN

14. Azure AD Join makes it possible to connect
work-owned Windows 10 devices to your
company’s Azure Active Directory.
With Azure AD Join, you can auto enroll
devices in Microsoft Intune for management.
Azure AD Join for Windows 10
Windows 10 Azure AD
Joined Devices
Intune / MDM
auto-enrollment
Intune auto-enrollment
Enterprise-compliant services
Support for hybrid environments
Single sign-on from the desktop to cloud
and on-premises applications with no VPN

15. Windows apps
anywhere
RemoteApp
Native apps
Intune
SaaS apps
Azure AD Premium

16. Consistent experience across Windows,
Windows Phone, Android, and iOS
Discover and install corporate apps
Manage devices and data
Ability to contact IT
Customizable terms and conditions

17. Volume purchasing integration
Assign licenses to users
Purchase licenses in bulk for paid
apps using the Windows Store for
Business and Apple Volume
Purchasing Program (VPP)
Deploy licenses to users with
Intune and install apps as required
License and app
installed by store
Deploy offline app packages to
Windows 10 devices that cannot
access the Windows Store with
System Center Configuration
Manager

18. Corporate-
owned
devices
Corporate-owned devices
(CYOD), with personal use
allowed
Retail outlets using tablets
as point of sales devices,
gift registries, etc.
Schools providing
tablets for technology-
based learning

19. Service account
enrollment
Apple
Configurator
Apple Device
Enrollment Program
(DEP)
Windows 10
provisioning profile

20. Business
Manager
IT
Apply policies
School Retail StoreRestaurant
Deploy policies using Intune to lock down devices so
they can only run applications allowed by IT
Allow multiple users to use the same device and
customize device experience based on identity
Deploy Device Guard policies using Intune to only allow
trusted applications to run on Windows 10 devices

21. Protect corporate data
from virtually anywhere

22. The perimeter cannot help protect data stored in the cloudAccess control to corporate data today
Mobile devices
PCs
Web browsers
AppsData

23. Enterprise
Mobility Suite
Access control and data protection
integrated natively in the apps, devices,
and the cloud
SharePoint
Online
Exchange
Online

24. Conditional
access policies
IP Range
Device State
Advanced
Windows 10
options
User Group
User
On-premises
Cloud
Corporate
apps

25. Windows
Provable PC
Health (PPCH)
SharePoint
Online
Exchange
Online
User
Microsoft Intune
SharePoint
Online
Exchange
Online
User
Microsoft Intune

26. Apply and enforce device configuration settings across iOS,
Android, and Windows via Intune MDM
Collect hardware and software inventory data for reporting
Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM –
including Windows Defender (anti-malware), Firewall, and Cortana

27. Enforce corporate data
access requirements
Prevent data leakage
on the device
Enforce encryption
of app data at rest
App-level
selective wipe

28. Maximize mobile productivity and protect corporate resources
with Office mobile apps – including multi-identity support
Extend these capabilities to your existing line-of-business
apps using the Intune App Wrapping Tool
Enable secure viewing of content using the Managed Browser,
PDF Viewer, AV Player, and Image Viewer apps
Managed apps
Personal appsPersonal apps
Managed apps
ITUser
Corporate
data
Personal
data
Multi-identity policy

29. Prevent data leakage for Office
mobile and other apps on
unmanaged devices or devices
managed by a third-party MDM.
Protect data at the file level for
Office documents and more with
Azure Rights Management.
Enable familiar Office experiences
for employees. No enrollment.
Personal apps
Corporate apps
Azure Rights
Management
MDM
policies
MAM
policies
File
policies
MDM – optional
(Intune or 3rd-party)

30. Familiar Office experience
• Seamless “enrollment” into app management
• Use for personal and corporate accounts
Comprehensive protection
• App encryption at rest
• App access control – PIN or credentials
• Save as/copy/paste restrictions
• App-level selective wipe
MDM mgmt. by Intune or third-party is optional
Extend protection to a file level with Azure RMS
Might be a good solution for these scenarios:
• BYOD when MDM is not required
• Extending app access to vendors and partners
• Already have an existing MDM solution
Personal apps
Corporate apps
Azure Rights
Management
MDM
policies
MAM
policies
File
policies
MDM – optional
(Intune or 3rd-party)

31. 1 User installs an app from the Apple
App Store or Google Play
2 User logs in with Office 365
credentials
3 Azure AD verifies that the app and
user are allowed to access Office 365
4 Intune applies MAM policies to the
managed apps
5 Access to Office 365 is granted
6 User continues to use the app as per
usual
User
Office 365
Azure AD

32. Microsoft apps, such as Office, Dynamics CRM, Power BI, and more
Partners that integrated their apps with Intune App SDK

33. Personal apps
Managed apps
Perform selective wipe via self-service
company portal or admin console
Remove managed apps and data
Keep personal apps and data intact
IT
IT

34. Configure and manage EDP policies with Intune
and Azure Rights Management
Separate personal and corporate data with
limited impact to employee’s day-to-day activities
Protect data at rest and wherever it may
roam*
User
Corporate
network
Microsoft Intune
&
Azure Rights
Management
Apply policies
Save
Save
Share files and
enforce policies
File share
Personal
storage
Secure content collaboration through
integration with Azure Rights Management
* Some roaming scenarios use Azure Right Management
Control app access to corporate data and
prevent copy and paste-related data leaks

35. Microsoft Intune Microsoft Intune Azure Rights Management
Device protection
BitLocker
Device Guard
Device settings
Windows
Defender
Data separation Leak protection
Enterprise
Data Protection
Sharing protection
Rights
Management

36. Containers
Depends on
specific DMZ
infrastructure
Works on-
premises only
SharePoint
Server
Exchange
Server
Corporate
network
Active Directory
Firewall
Firewall
DMZ/
Perimeter
network
SDK/wrapper, managed browser,
managed viewers
Custom SDK/wrapper
enables line-of-business
apps to be managed
Mobile application
management
Custom data container
provides mobile productivity
apps integrated with content
and access systems
Custom
email app
Custom
file app
Custom
collab app
Native device MDM
Standard MDM provides
device configuration and
management

37. Standard
on-premises
integration
SharePoint
Online
Exchange
Online
Cloud integration
Intune App SDK
Intune App Wrapping Tool
Extensibility based on Azure
AD and Intune Enable business
apps to interoperate with Office
mobile apps
SharePoint
Server
Exchange
Server
Corporate
network
Active Directory
Firewall
Firewall
DMZ/
Perimeter
network
Managed Office
productivity and moreOffice 365: Mobile productivity
Azure AD: Access control to
Office 365 and SaaS apps
Intune: App restrictions for
Office mobile and LOB apps
Azure Rights Management:
Information protection at the
file layer
Native device MDMIntune: Cross-platform MDM

38. Identify and authorize user
Apply device policies
Apply application policies
Apply content policies
User IT
ActiveDirectoryPremium
Rights Management
Enterprise Mobility Suite

39. Summary
Deployment
flexibility
Modern
architecture
Enable
enterprise mobility with
EMS

40. Mobile devices and PCs Mobile devices
System Center
Configuration
Manager
Domain joined PCs
Configuration Manager integrated with Intune (hybrid)Intune standalone (cloud only)
IT IT
Intune web console Configuration Manager console

41. • Always up-to-date, no need to migrate
• Always available and reachable
• Easy to try, adopt, and deploy
• Integrates with existing on-premises infrastructure
• Disaster recovery and geo-diversity
• Assign your data to a region
• Built from the ground up: datacenter, fabric, SaaS
• Built using world-class engineering and security
• Compliant and certified
• Financially backed Service Level Agreements (SLAs)
Intune
Office 365
Azure
Active Directory
Azure
Rights Management

42. Security reports,
audit reports,
multi-factor
authentication
Self-service
password reset
and group
management
Single sign-on
to over 2,400
popular SaaS
applications
Information
protection
Document tracking Bring your
own key
Mobile device
settings
management
Mobile application
management with
Office mobile apps
Conditional
access and
selective wipe
Active Directory Premium
Rights Management

43. Devices Apps Data
Management. Access control. Information protection.
Protect
your data
Enable
your users
User IT

44. Identity
Application
Device (optional)
Data

45. Microsoft Intune
Access corporate
resources
Authentication
token
Authenticate and
trust my unique key
Deploy a certificate and
Microsoft Passport settings
Azure Active Directory
and
Active Directory

46.  Need fast and easy way to enroll CYOD
devices
 Should not be able to un-enroll devices
that are corporate-owned
 Need access to corporate apps and
other MDM capabilities on devices to
be productive
User
 Need easy way to prepare corporate-
owned devices for enrollment
 Need to distinguish corporate-owned
devices from personal-owned devices in
the management console
 Need fast and easy way to bulk enroll
shared devices
 Need devices to be secure at all times
and within IT control
IT
End usersIT admins

47. Windows 8.1 Windows 10
Basic management and
security settings
Device lockdown
Comprehensive
device management
Phone Desktop Phone Desktop
Significant investments in added functionality for both mobile and desktop devices

48. Personal apps
Managed apps
Maximize productivity while preventing leakage of company
data by restricting actions such as copy, cut, paste, and save
as between Intune-managed apps and unmanaged apps
User

49. New intuitive dashboard
Respond to alerts
Manage software deployments
Configure and deploy policies
View reports
Role-based management
Intune web console

50. Mobile devices and PCs
Intune standalone (cloud only)
IT
Intune web console
Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager
deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date
Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
• OS X

51. Mobile devices
System Center
Configuration
Manager
Domain joined PCs
Configuration Manager integrated with Intune (hybrid)
IT
Configuration Manager console
System Center 2012 R2 Configuration
Manager with Microsoft Intune
• Build on existing Configuration Manager
deployment
• Full PC management (OS deployment, endpoint
protection, application delivery control, custom
reporting)
• Deep policy control requirements
• Greater scalability
• Extensible administration tools (RBA, PowerShell,
SQL reporting services)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
Devices Supported
• Windows PCs
(x86/64, Intel SoC)
• Windows to Go
• Windows Server
• Linux
• OS X

52. Intune standalone (cloud only)
Lightweight, agentless OR agent-based management
PC protection from malware
PC software update management
Software distribution
Proactive monitoring and alerts
Hardware and software inventory
Policies for Windows Firewall management
Intune standalone (cloud only) Configuration Manager integrated with Intune (hybrid)
Lightweight, agentless OR agent-based management Lightweight, agentless OR comprehensive agent-based management
PC protection from malware PC protection from malware
PC software update management PC software update management
Software distribution Software distribution
Proactive monitoring and alerts Proactive monitoring and alerts
Hardware and software inventory Hardware and software inventory
Policies for Windows Firewall management Policies for Windows Firewall management
Operating system deployment
PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management
Power management
Custom reporting

53. Comprehensive security
policies are enforced on
each platform
Reporting available on
each setting whether it is
applicable, conformant or
has an error
Extensive configuration
settings are available for
each platform
Policies can be applied to
user and device groups
User

54. Automatic VPN
connection
Per-app VPN (iOS)VPN

55. WiFi settings Manage and distribute certificates
Provision networks
Setup certificate based authentication

56. ITUser
Hardware properties for mobile
devices are collected
Company app inventory is collected
Personal app inventory is not collected
Reporting

57. If compliant,
email access is
granted
7
Enrollment /
compliance
remediation
5
If not compliant,
push device into
quarantine
Quarantine
4
2
Quarantine email with
remediation steps
Link to enroll device
and compliance
remediation steps
Who does what?
Intune: Evaluate policy
compliance for device
Azure AD: Authenticate
user and provide device
compliance status
Exchange Online:
Enforces access to email
based on device state
Attempt
email
connection
1
3
Azure
Active Directory
Set device
management/
compliance
status
6
Office 365
Mobile device
Microsoft Intune

58. 2
Attempt
email
connection
1
Block unmanaged
device
5
Allow managed
device
Device
enrollment4
6
If managed,
email access
is granted
Who does what?
Intune: Evaluate and
manage device state
Exchange Server:
Provides API and
infrastructure for
quarantine
Quarantine email with
remediation steps
Link to enroll device
3
If not managed,
push device into
quarantine
Quarantine
Mobile device
Microsoft Intune
On-premises
Exchange
server

59. Microsoft Office mobile
apps are natively
manageable with Intune
• Word
• Excel
• PowerPoint
• OneNote
• Outlook
• OneDrive for Business
Office mobile apps
Intune provides apps for
secure content viewing
• Managed Browser
• PDF Viewer
• AV Player
• Image Viewer
Intune Viewer apps
Make any app manageable
without modifying code
• ‘Wrap’ internal line-of-
business (LOB) apps to
manage with Intune
MAM policies
Intune App Wrapping
Tool
Build your apps from the
ground-up with Intune App
SDK
• Developers can easily
integrate applications for
manageability
• Provide more control
over user experience
with App SDK (vs. App
Wrapping Tool)
Intune App SDK

60. Allows you to apply Intune MAM policies to
existing line-of business (LOB) apps:
• Post-compilation command line tool for IT Pros
• Supports repackaging unencrypted applications
• Applications are signed with company-specific certificates
Intune App Wrapping Tool:
• Platform-specific tools for iOS (Mac OS X 10.8.5+) and
Android (Windows)
• Published by Microsoft (available on Download Center)
• Product documentation and in-tool command line help
Intune App Wrapping Tool
Enables additional options to manage internal
apps with Intune MAM policies:
• Intune App SDK and App Wrapping Tool use the same
processing and enforcement engine
• SDK can be used for both LOB apps and store apps
• Enables additional MAM functionality over the app than
the App Wrapping Tool (for example: disable save as
functionality of the app)
Intune App SDK

61. Intune
app wrapping tool
or SDK
Apply MAM policiesDeploy app
LOB application
ITUser

62. App origination Scenarios
Windows
8.1/10
Windows
Phone 8.1
iOS Android
Line-of-business apps
(Sideloading)
Available in Company Portal; targeted to
users
● ● ● ●
Mandatory install and uninstall; targeted
to users and devices
● ● ●
User consent
required
●
User consent
required
Public store apps Deep linked app; available in Company
Portal; targeted to users
● ● ● ●
Managed store app; available in Company
Portal; targeted to users
● ●
Managed store app; mandatory install
and uninstall; targeted to users and
devices
●
User consent
required
●
User consent
required

63. • End user is taken to the store for installation
• Installation status is not reported in the admin
console
• IT Pro can only make it available in Company Portal
• App on the device is marked as a personal app in
inventory
• Works for both free and paid apps
• MAM policies cannot be applied
External/Deep linked apps
• No trip to the store; installation begins directly
• Installation status is reported in the admin console
• Push apps; apps can be installed directly.
• App on the device is marked as a managed app in
the inventory
• Works only for free store apps
• MAM policies can be applied
Managed store apps

64. Restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting
corporate-owned devices
Full wipe
Remove company assets from device
• Company resources (apps, data, profiles,
certificates, settings, and email) are removed
• MAM support adds ability to remove only
corporate data from multi-account applications
• Typically used for personal-owned devices
Selective wipe

65. • Bulk enroll devices with a service account
• Support for Apple Configurator
• Support for Apple Device Enrollment Program
• Windows 10 provisioning profiles
Bulk enrollment
• Custom iOS policy
• Device lockdown
• Policies and apps targeted to devices
• Application install allow/deny list
Configuration policies

66. Enrolls devices
on behalf
of users
Apply policies
ITBusiness
Manager
Distributes
to users Restaurant School Retail Store

67. Export device enrollment
profile from Intune
Configure iOS
devices with the
Apple Configurator
iOS devices will
automatically enroll on
first power on
Import to Apple
Configurator
ITUser

68. User IT

69. ITUser
Export a custom
configuration policy
from Apple
Configurator
Import the custom
configuration file to
Intune
Deploy a custom
policy to iOS devices

70. Platform Allow/block enforcement
Windows 10 Enforced by device OS (always compliant)
Windows Phone 8.1 Enforced by device OS (always compliant)
iOS Audit reporting
Android Audit reporting

71. *
*
App origination Scenarios
Windows
8.1/10
Windows
Phone 8.1
iOS Android
Installation
status
Application
update
Line-of-business
apps (Sideloading)
Available in Company
Portal; targeted to users
● ● ● ● ● ●
Mandatory install and
uninstall; targeted to
users and devices
●
User consent
required
●
User consent
required
● ●
Public store apps Deep linked apps;
available in Company
Portal; targeted to users
● ● ● ●
Managed store apps;
available in Company
Portal; targeted to users
● ● ●
Managed store apps;
mandatory install and
uninstall; targeted to
users and devices
●
User consent
required
●
User consent
required
●

72. Category Win 8.1/10 Windows
Phone 8.1
iOS Android/KNOX Exchange
ActiveSync
Password ● ● ● ●
Encryption ● ● ●
Malware ●
System Settings ● ● ● ●
Cloud ● ●
Window Server Work Folders ●
Accounts and Sync ● ●
Email ● ● ●
Browser ● ● ● ●
Store Applications & Gaming ● ● ●
Device Hardware ● ● ●
Device Cellular/Roaming ● ● ●
Device Features ● ● ●

73. Platform
Desktop Apps
(.msi, .exe) *
Modern App Types Managed
Store
app
Side loading Deep
Links
Web
apps.app .app .ipa .apk
Windows 8.1/10 ● ● ● ●
Windows RT ● ● ●
iOS ● ● ● ●
Android ● ● ● ●
Windows Phone ● ● ●
Windows 7 and below ● ●

74. Category Feature Exchange
ActiveSync
MDM for
Office 365
Microsoft Intune
(cloud only)
Intune + ConfigMgr
(hybrid)
Device
configuration
Inventory mobile devices that access corporate applications ● ● ● ●
Remote factory reset (full device wipe) ● ● ● ●
Mobile device configuration settings (PIN length, PIN required, lock time, etc.) ● ● ● ●
Self-service password reset (Office 365 cloud only users) ● ● ● ●
Office365
Provides reporting on devices that do not meet IT policy ● ● ●
Group-based policies and reporting (ability to use groups for targeted device configuration) ● ● ●
Root and jailbreak detection ● ● ●
Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe) ● ● ●
Prevent access to corporate email and documents based upon device enrollment and compliance policies ● ● ●
Premium
mobiledevice&
appmanagement
Self-service Company Portal for users to enroll their own devices and install corporate apps ● ●
App deployment (Windows Phone, iOS, Android) ● ●
Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles ● ●
Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management) ● ●
Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune ● ●
Remote device lock via self-service Company Portal and via admin console ● ●
PC
management
Client PC management (e.g. Windows 8.1, inventory, antimalware, patch, policies, etc.) ● ●
PC software management ● ●
Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and
power management, custom reporting, etc.) ●
Windows Server/Linux/UNIX/Mac OS X support ●
OS deployment and imaging ●