Microsoft’s Enterprise Mobility Suite (EMS) is a collection of Microsoft Cloud products designed to allow users to be more agile in the workplace. EMS is the epitome of Microsoft’s mobile-first, cloud-first vision, in that it provides administrators with the tools to make corporate data available to users on any device and from any location. This does, however, pose a security issue, in that data is then allowed to flow freely around potentially unprotected devices. EMS addresses this by including mobile device management capabilities and data protection features in its product set.
EMS is designed to allow users the freedom to use whichever device they wish, whilst also ensuring that corporate data is kept secure and safe no matter which device the data is accessed from.
There are currently four products included in the Enterprise Mobility Suite. These can be purchased separately if required, but EMS becomes the most cost-effective option if two or more products are purchased. Below is a rundown of the feature set of Microsoft’s Enterprise Mobility Suite.
Azure AD Premium
Azure AD Premium builds on the success of Azure AD by providing additional features that make extending your existing Active Directory into the Cloud more attractive than ever before. The feature set includes:
Self Service Password Reset – A portal which a user can visit in order to reset their cloud or Active Directory password. This alleviates the issue of first-line support password reset calls and gives the user the control to reset their password when needed without making a call to a service desk.
Cloud App Discovery – This agent can be deployed to client computers and will report back on the usage of web-based cloud applications, such as how many people are using them and how much data is flowing through them. For example, it might report that 40 staff members are using the Dropbox application, and that 5GB of data is flowing through Dropbox every week. This is invaluable information and helps discover and target the increasingly prevalent issue of ‘Shadow IT’ and data leakage.
Cloud App Single Sign-On – Based on the findings of the Cloud App Discovery tool, or on information already available to IT, cloud applications can be integrated with Azure AD.
As an example of this, instead of the marketing team knowing the username and password of the corporate Twitter account, you can integrate it with Azure Active Directory. This means that the marketing team logs into Twitter with their Active Directory credentials, and if a user leaves the company, you can revoke access to this account easily by simply disabling the Active Directory account. Over 2500 cloud applications can be integrated into Azure AD, and this number grows by the day. You can effectively use this tool to increase corporate security by hiding the usernames and passwords of corporate third-party accounts behind your existing Active Directory user accounts.
Multi-Factor Authentication (MFA) – This allows IT to force a second factor of authentication to be used for login to cloud services. This can be a text message, phone call, or a mobile app (available for Windows Phone, iOS and Android). The Azure MFA server can also be deployed on-premises to provide MFA to on-premises line-of-business applications.
Analytics – IT can use Azure analytics to report on password reset activity, suspicious logons and other important data which can help identify potential attacks on user accounts.
Microsoft Intune
Intune is a mobile device management solution designed to help customers manage their Bring Your Own Device (BYOD) environment. You can manage the following devices with Intune: Windows 8.1/10, Windows Phone, iOS and Android. It includes the following feature set, along with many other configurable options.
Security Policies – These control which security settings mobile devices require in order to connect to corporate resources, such as password locks, client certificates and encryption.
Conditional Access – This forces a mobile device to be enrolled into the Intune service and be compliant with the company’s security policy in order to access resources hosted on Office 365, or even on Exchange on-premises. This means that IT can have control of every mobile device which is connecting to corporate resources.
Mobile Application Management – Office applications can be automatically pushed to managed mobile devices and then secured. For example, copy and paste can be restricted so that corporate data can only be copied/pasted into approved applications. This helps to prevent corporate data leakage.
Email Profile Management – Deploy Email Profiles automatically to devices.
Selective Wipe – IT can wipe only the corporate data from a mobile device. For example, when a user leaves a company, IT can ensure that corporate data is wiped without factory resetting the device.
Azure Rights Management (RMS)
Rights Management Services are used to apply restrictions to files and emails. Examples of these restrictions are: Do Not Forward, Read Only and Expiry Dates. These restrictions can be applied to Office 365 data, or on-premises data (using a connector). Some examples of this in use are:
Email RMS – If a credit card number is detected in an email which is sent outside the company, a Do Not Forward rule can be applied to the email. This will make sure that the recipient can only Reply or Reply All.
Document RMS – A sensitive document on a File Server, containing financial information, could be marked as Read Only for all users except the Finance Department, who have full access.
Document Expiry – A file could be sent out to people external to the business with an expiry date. Once this file reaches the set expiry date, it will become inaccessible. This file could also be instantly revoked if required, making it instantly inaccessible, no matter where the file was located. This includes copies of the file.
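The Email RMS rule above, sketched as an added example (this is not EMS or Azure RMS code): candidate card numbers are found and confirmed with the Luhn checksum, and when any recipient is outside the assumed corporate domain `example.com` the message's usage rights are cut down to Reply and Reply All. The `Message` class and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain (constructed)

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digits-only card numbers found in text that pass Luhn."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    # Usage rights the recipient gets; the full set until a template is applied.
    rights: set[str] = field(default_factory=lambda: {"Reply", "ReplyAll", "Forward", "Print"})


def leaves_company(msg: Message) -> bool:
    """True if any recipient is outside the corporate domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def apply_email_rms(msg: Message) -> Message:
    """Apply the Do Not Forward template when a card number is sent externally."""
    if leaves_company(msg) and find_card_numbers(msg.body):
        msg.rights = {"Reply", "ReplyAll"}  # Do Not Forward: only Reply / Reply All remain
    return msg
```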
Advanced Threat Analytics
ATA is the latest addition to the EMS product suite and provides Administrators with sophisticated tracking and alerting against advanced targeted attacks. This includes elements such as:
Brute Force Attacks – ATA will monitor and alert administrators if any attacks of this type are recognised.
Reconnaissance – Any recon activities being performed against a DNS server, or against Active Directory using account enumeration, are tracked.
Identity Theft – Various forms of identity theft such as pass-the-hash and remote execution can be identified and alerted against.
Abnormal Behaviour – Strange working hours, password sharing, random geographical access and other abnormal behaviours can be identified and alerted against.
Known security issues – ATA will inform you if weak protocols are in place, or if plain text authentication is being used, exposing sensitive information.
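An added example of the kind of rule behind the brute force detection listed above (not ATA's own logic): a sliding window over failed logons per account and source host, which fires on a burst of failures but stays quiet for a few mistyped passwords spread across a morning. The logon events are constructed, not real ATA telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events (not real ATA output): ISO time, account, source host, outcome.
SAMPLE_EVENTS = [
    ("2015-09-01T08:00:00", "jsmith", "WS01", "failure"),
    ("2015-09-01T08:00:30", "jsmith", "WS01", "failure"),
    ("2015-09-01T08:01:00", "jsmith", "WS01", "failure"),
    ("2015-09-01T08:01:30", "jsmith", "WS01", "failure"),
    ("2015-09-01T08:02:00", "jsmith", "WS01", "failure"),
    ("2015-09-01T08:02:30", "jsmith", "WS01", "success"),
    ("2015-09-01T08:05:00", "mjones", "WS02", "failure"),
    ("2015-09-01T09:30:00", "mjones", "WS02", "failure"),
    ("2015-09-01T11:15:00", "mjones", "WS02", "success"),
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on (account, source) pairs with >= threshold failed logons inside the window."""
    failures = defaultdict(list)
    for stamp, account, source, outcome in sorted(events):
        if outcome == "failure":
            failures[(account, source)].append(datetime.fromisoformat(stamp))

    alerts = []
    for (account, source), times in failures.items():
        start = 0
        for end, current in enumerate(times):
            while current - times[start] > window:
                start += 1  # drop failures older than the window
            if end - start + 1 >= threshold:  # threshold crossed: raise once per pair
                alerts.append({
                    "account": account,
                    "source": source,
                    "first_failure": times[start],
                    "last_failure": current,
                    "count": end - start + 1,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(f"ALERT brute force: {alert['account']} from {alert['source']} "
              f"({alert['count']} failures between {alert['first_failure']} and {alert['last_failure']})")
```

The success that follows the burst for jsmith is exactly the event a responder would want to look at next, since it may mean the guessing succeeded.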
You had me at Enterprise! In summary, the Enterprise Mobility Suite provides administrators with the tools to make workplaces more user-centric and device-agnostic. It is set to be a fast-growing product and is priced to suit.
Additionally, the Enterprise Cloud Suite, which combines Office 365 E3 licensing, the Enterprise Mobility Suite and Windows Software Assurance on a per-user basis, can be purchased through Microsoft licensing channels.
Speak to EACS today about how the Enterprise Mobility Suite can make your business more agile and productive!