SAM SOFTWARE ASSET MANAGEMENT Mobile Device Management SAM Engagement Kit

Upload: truongminh

Post on 16-Mar-2018


Table of Contents

Introduction

Conducting a Mobile Device Management SAM Assessment

Profiling Mobile Use Cases

Deployment Considerations

Licensing Considerations

SAM Policies


This document was created in September 2014 with minor updates in June 2016.

Introduction

The world of work is changing, and mobility is the new normal. According to research, 66% of employees use personal devices for work purposes, nearly 80% of workers spend at least some portion of their time working outside of their office, and the Software as a Service (SaaS) delivery model is exploding with an anticipated annual growth rate of 30%, reaching $270 billion in 2020. People work from home, cafes, customer sites, on the road, and in the air. In fact, people can, and do, work from just about anywhere. Even when they’re in the office, people don’t expect to be sitting at their desk in order to be productive. People expect to have the ability to work where, when, and how they choose, using familiar devices and applications. The cloud-first, mobile-first world is here.

While the benefits are clear, there are many management factors that also need to be in place to ensure mobile access is secure and does not overload the IT department. While most companies have solid device management solutions for corporately owned PCs, mobile devices have brought new challenges. For example, even if a business doesn’t support personal devices, employees are likely accessing their corporate webmail on their own personal phones. Or take a business that owns all mobile devices intended for employee use—the IT staff still has to be able to keep track of who has the device, what is installed on it, and how it is being used to ensure that no unnecessary risks are taken and that any licensing impacts are understood.

Impact of Bring-Your-Own-Device (BYOD)

The explosion in the use and number of consumer devices and ubiquitous information access is changing not only the way that technology shapes people’s personal and work lives, but also how people perceive their technology. The constant use of information technology throughout the day, along with the easy access of information, is blurring traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology—selected and customized to fit users’ personalities, activities, and schedules—should extend into the workplace.

Accommodating the consumerization of IT presents a variety of challenges. Historically, most or all devices used in the workplace were owned and therefore managed by the organization. Policies and processes were focused on device management—and usually on a relatively small, tightly controlled, and managed set of corporate-approved hardware that was subject to predetermined corporate replacement cycles.

The growing trend toward bring-your-own-device (BYOD) dramatically alters this scenario—67% of people who use a smartphone for work and 70% of people who use a tablet for work choose the devices themselves. This brings greatly increased device and operating system diversity and volume in the organization and can fundamentally change the IT landscape, necessitating a shift in management objectives from tight control over hardware to effective, user-centric governance.

Mobile Device Management SAM Engagement Objectives

Management of mobile devices has never been more important—according to Gartner, “BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades. The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs.”


The best organizational response to this new mobile world is IT policies that match business realities and priorities. Mobile Device Management (MDM) is the management of mobile devices throughout their lifecycle, including the day-to-day ability to secure, support, monitor, manage, and configure the mobile device. The goal of an MDM system is to unify the management and security for mobile devices, both corporate and user-owned, with an integrated infrastructure that enables users to access company resources while protecting corporate data and adhering to proper licensing requirements.

The Mobile Device Management SAM Engagement helps customers gain a clear view of all the devices accessing their network and data and provides the guidance they need to implement mobile device and user management solutions that enable the right access without jeopardizing security or risking confidential data ending up in the wrong place.

With the proliferation of consumer devices, explosion of apps and data, and influence of younger, more technologically savvy workers accustomed to more connected and collaborative communications, IT managers are challenged to adapt to increasing user expectations while providing productivity capabilities in a secure way. By conducting a Mobile Device Management SAM Engagement with your customers, you have the opportunity to help them improve their mobile device management program by working with them to create a clear picture of their infrastructure, including hardware and software, and then providing them with guidance and best practices around the policies and procedures they can implement to help the organization safely take advantage of the benefits provided by mobile device use.

In addition, you will be able to advise your customers on optimal Microsoft licensing for mobile devices by evaluating which resources are being accessed by mobile devices, by whom, and the ways in which the resources are being accessed.

Challenges

• Exposure to higher security risks for data theft and leakage, particularly if the device is lost or stolen.

• Compromised devices can act as a backdoor to the corporate network.

• Need to manage devices securely, providing access to needed apps and data.

• Need to protect organization from non-approved app use.

• Need the ability to selectively wipe corporate data from personal devices to prevent company data from getting into the wrong hands if stolen or employee leaves.

• Users may be accessing resources that they are not licensed for, putting the organization at risk of non-compliance.

• Struggle to understand what devices must be counted and how BYOD will affect licensing agreements.

• Properly covering employee-owned devices while minimizing licensing costs.

• Simplifying license management while enabling easier ways to track and support compliance.

Opportunities

• Enable users to work on the devices of their choice and provide consistent access to corporate resources.

• Increase user empowerment by putting the right IT controls in place to minimize risk and maximize compliance.

• Increased productivity – mobile workers are less tied to office hours, and can work anywhere, any time.

• Increased flexibility, efficiency, and responsiveness.

• Provides access to the apps and data users need, wherever they are.

• Helps ensure the organization is properly licensed for access of the organization’s software assets from a mobile device.

• Review and determine what counts as a qualified device for more accurate license tracking.

• Gain a greater understanding of the components of the licensing agreement and how devices are tracked and counted.

• Model the licensing options for BYOD programs and assess how to optimize the license agreement and minimize costs.


Customer Benefits

• Enhance the ability of your customer’s IT department to leverage mobility for the organization’s competitive advantage and keep users productive while avoiding unnecessary risks.

• Help make employees more productive and business processes more efficient, while at the same time controlling costs and maintaining a secure environment.

• Increase security by knowing what devices are connected to their environment so they can be controlled.

• Increase the organization’s ability to tailor their mobility strategy to meet the current needs of the organization, and to update the strategy over time as the organization’s needs, capabilities, or resources change.

• Avoid risks of non-compliance with software licensing by knowing what mobile devices, both corporate owned and BYOD, are accessing corporate resources and aligning licensing to match those users/devices.

• Become empowered to make the right decisions for the organization with an accurate picture of mobile device use.

Partner Benefits

• Take advantage of the Mobile Device Management SAM engagement as one step towards a larger customer opportunity.

• Broaden the business value of a SAM engagement by helping your customers solve critical business challenges.

• Develop long-term trusted advisor relationships by establishing credibility and demonstrating customer-focused problem solving.

• Use to highlight the overall benefits of incorporating SAM best practices within the organization.

• Once a library of MDM SAM policies has been developed by you, most policies should be general enough to be of use to other customers, thus facilitating more efficient future customer engagements.

• Solidify your position as a licensing expert through your ability to advise the customer on licensing for mobile devices.

• Mobility is a relatively new trend, and managing mobile devices is becoming an increasingly hot topic for most organizations. Customers will value your assistance as they adapt to the new challenges raised by mobile device use.

Mobile Device Management SAM Engagement Kit Components

The Mobile Device Management SAM Engagement Kit includes:

Customer Facing Presentation Deck: Presentation to support customer conversations regarding how SAM can help customers assess their mobile device management program, and policies to identify specific risks and areas of focus to help enable good IT asset management.

Conducting a Mobile Device Management SAM Assessment: Guidance about gathering information, performing an inventory, and conducting a mobile device security survey.

Profiling Mobile Use Cases: Guidance about common mobile use scenarios and developing a profile of the customer’s mobile device use.

Deployment Considerations: Overview of what to consider when creating mobile device management programs, policies, and procedures for software assets.


Licensing Considerations: Licensing guidance including what to consider and the licensing implications of mobile device management.

SAM Policies: SAM policies and procedures guidance for a successful Mobile Device Management SAM program.

Use the kit as a reference point for successful Mobile Device Management SAM engagements. You’ll find guidance, best practices, tips and tricks, and more. Access the Resource links in each piece to find more detailed information for specific topics.

SAM Services Incentive Program

The SAM Services Incentive Program is a worldwide offering designed to increase customer adoption of SAM best practices while simultaneously providing Gold SAM Competency partners opportunities to engage with new customers or deepen existing customer relationships through value-added SAM engagements. The Mobile Device Management SAM engagement is eligible for funding through the SAM Services Incentive Program as of January 2015.

Resources

Microsoft Partner Network - SAM: https://mspartner.microsoft.com/en/us/pages/licensing/software-asset-management.aspx

SAM Partner Playbook: https://assets.microsoft.com/en-us/SAM-Services-Partner-Playbook.zip

CEB The Future of Corporate IT: 203-2017. 2013: http://www.executiveboard.com/exbd/information-technology/future-of-it/

Value Realization with Mobile: http://blogs.technet.com/b/valuerealization/archive/2014/05/05/mobile-in-the-enterprise-how-to-get-business-value-from-enterprise-mobility.aspx

Global Cloud Computing Market Forecast 2015-2020: http://www.marketresearchmedia.com/?p=839

Building the Business Case for a Bring-Your-Own-Device (BYOD) Program: http://www.forrester.com/Building+The+Business+Case+For+A+BringYourOwnDevice+BYOD+Program/fulltext/-/E-RES61616

Gartner Press Release – Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes: http://www.gartner.com/newsroom/id/2466615

Conducting a Mobile Device Management SAM Assessment

A Mobile Device Management SAM engagement is primarily about establishing the right processes for managing mobile devices so the organization can find the right balance between productivity gains and security, and to ensure that the correct licensing is in place for all devices accessing corporate resources. The starting point is a discovery of the customer’s environment. One obstacle can be that many enterprise discovery tools were not designed to capture mobile assets. In addition, local privacy laws may restrict the organization’s ability to collect personal data, which can hinder the inventory process. Creating a complete profile will require a combination of using the right tools, collecting additional information, and conducting interviews to develop a solid organizational profile.

Step 1: Gather Preliminary Information about Their Organization

Organizational Profile: What are their objectives from the engagement? Which assets are the most critical to the success and competitive advantage of the company? What level of risk tolerance do they have? Security controls and supporting policies should match the level of risk the organization is willing to tolerate.

Basic Information: How many clients and servers are in the organization? What processes are already in place to manage software and other assets? Is there a mobile device management policy currently in place?

Mobile Device Use: What is the current state of mobile device use in the organization? What percentage of employees use mobile devices for organizational use? Is the number growing and at what rate? How is use tracked? What models are currently allowed (corporate owned or personally owned) and what is the management approach for the devices?

Infrastructure Security: Do employees work remotely? Do external contractors access the network?

Operations Security: Does the corporate network connect to external networks? Does the organization receive data feeds from external parties?

People Security: Are there any existing policies about mobile device use? Do employees respect existing policies about mobile device use? Are any controls currently in place to restrict an individual’s access to corporate information?

Current Licensing Program(s): What Microsoft licensing programs is the customer subscribing to? What aspects of the program address MDM? Examples: Software Assurance, Remote Desktop Services, and Enterprise Enrollment Qualified Devices.

Step 2: Perform an Inventory of Mobile Devices

Next, assess all mobile devices used in the customer environment so the mobile device management discussions are framed around what’s currently deployed and to inform discussions with the customer about any gaps in their software licensing that have occurred because of improperly licensed mobile devices. You will need to choose the right tools for this step. Ask the customer about their existing tool strategy, and any mobile device management tools, identity access management tools, network access control tools, and client device management tools they may use. As part of the process, you will need to help them assess their needs, evaluate their current toolset, and make any recommendations to fill major gaps. Check tools to ensure they are operating as expected, so you can track assets and software licenses across devices and systems. Systems management software, like Microsoft System Center Configuration Manager, will often include integrated mobile device management capabilities and cross-platform management support.


For any SAM engagement, collecting all relevant licensing data across all Windows computers in the environment is a standard best practice, but for the Mobile Device Management SAM Engagement, your focus will be on tracking and analyzing usage of Windows applications to determine which applications are being used by which users, and how. A common example is Microsoft Exchange Server; mobile devices accessing email is prevalent in today’s workplace so it’s important to understand the users, devices, and operating systems accessing email via Exchange. Develop a profile of use, determining the total number of mobile devices that are connecting and if the devices are active or not.

Customers are often interested in learning the path that a mobile device follows to get to the network. For example, is it a Citrix web tool, a direct connection using a receiver, or a Microsoft desktop interface? If possible, provide the customer with this level of detail in your final report.
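The usage profile described in Step 2 can be built from whatever export the customer's tooling produces. The following Python script is an added example, not part of the original kit or of any Microsoft tool: it splits devices into active and inactive over a 90-day window, flags records missing device type or manufacturer, counts the resources consumed by active devices, and measures inventory coverage against a second source. The CSV column names, the sample rows, and the `SEEN_ON_NETWORK` set are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample export; the column layout is an assumption, not a real tool's format.
SAMPLE_EXPORT = """user,device_id,device_type,manufacturer,ownership,last_sync,resources
alice,D-001,Phone,Apple,BYOD,2016-05-28,Exchange
alice,D-002,Tablet,Apple,Corporate,2016-02-10,Exchange;RDS
bob,D-003,Phone,Samsung,BYOD,2016-06-01,Exchange;VDI
carol,D-004,Phone,,BYOD,2016-05-15,Exchange
dave,D-005,Tablet,Microsoft,Corporate,,RDS
erin,D-006,Phone,Nokia,Corporate,2015-11-30,Exchange
"""

# Constructed device IDs reported by a second source (for example network access
# control logs), used to estimate how much of the environment the inventory covers.
SEEN_ON_NETWORK = {"D-001", "D-002", "D-003", "D-004", "D-005", "D-006", "D-007"}


def load_devices(text):
    """Parse the export; an empty last_sync means no activity was ever reported."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_sync"].strip()
        row["last_sync"] = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        row["resources"] = [r for r in row["resources"].split(";") if r]
        devices.append(row)
    return devices


def profile_usage(devices, as_of, window_days=90, seen_on_network=None):
    """Build the usage profile for devices active within window_days of as_of."""
    cutoff = as_of - timedelta(days=window_days)
    active = [d for d in devices if d["last_sync"] and d["last_sync"] >= cutoff]
    active_ids = [d["device_id"] for d in active]
    report = {
        "total": len(devices),
        "active": active_ids,
        "inactive": [d["device_id"] for d in devices
                     if d["device_id"] not in active_ids],
        # Records that cannot be classified by device type and manufacturer.
        "missing_type_or_maker": [d["device_id"] for d in devices
                                  if not d["device_type"] or not d["manufacturer"]],
        "active_by_ownership": dict(Counter(d["ownership"] for d in active)),
        # Software consumed per device, including virtual desktops and RDS.
        "active_by_resource": dict(Counter(r for d in active for r in d["resources"])),
        "coverage": None,
        "untracked": [],
    }
    if seen_on_network:
        inventoried = {d["device_id"] for d in devices}
        report["coverage"] = len(seen_on_network & inventoried) / len(seen_on_network)
        report["untracked"] = sorted(seen_on_network - inventoried)
    return report


if __name__ == "__main__":
    result = profile_usage(load_devices(SAMPLE_EXPORT), date(2016, 6, 15),
                           seen_on_network=SEEN_ON_NETWORK)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["coverage"] is not None and result["coverage"] < 0.90:
        print("Coverage is below the recommended 90% minimum; review untracked devices.")
```

Devices listed under `untracked` were seen by the second source but are absent from the inventory, so they are the first place to look for unmanaged access and unlicensed use.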

Step 3: Mobile Device Use Security Survey and Assessment

Since providing mobile users with secure access to corporate resources is critical to successful mobile device management, it is important to assess the organization’s ability to securely adopt information systems and software to enroll mobile devices into an organization’s enterprise network, set policies, distribute and manage applications, and protect data within the mobile device. Use interviews with stakeholders in the IT organization to collect information for your report on the customer environment. It is best to use a well-established framework for this evaluation.

A recommended reference point is the Mobile Device Security for Enterprises V.2 building block*, available through the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology. This document profiles desired security characteristics and example capabilities for mobile device and application management, mobile device security, and mobile application security.

As you go through each of the security characteristics with the customer, it’s recommended that you follow the steps below:

1. Explain the security characteristic and talk about what it covers. Each characteristic has one or more examples of a capability that would meet the intent of the characteristic, but the list is not exhaustive, nor are the capabilities meant to be prescriptive. They are to provide context.

2. Assess the customer’s current status in this area by surveying them with the right set of questions. Do not limit your discussions to what has been provided below and use the points below to enrich the conversation.

3. Provide the customer with recommendations on Microsoft service and product offerings in the area and any additional services that your organization provides as well, following up from the engagement.

Inventory tips:

• For the most accuracy, capture activity reported in the last 60-90 days to get a full view of usage.

• Data pulled should include device type and manufacturer.

• Identify software that is being consumed by device – this should include virtual applications, virtual desktops, and remote desktop services.

• It may not be possible in all cases to track 100% of an environment, but it is recommended that a minimum of 90% is tracked.

*The NCCoE has released a draft of the next NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud & Hybrid Builds.


Security Characteristics

Security Characteristic: Data Protection

Example capabilities:

• Protected storage
  ० Device encryption: cryptographic protection of all or portions of a device’s data storage locations - primarily NAND flash memory
  ० Secure containers: a combination of mechanisms, such as encryption, to protect a distinct data storage location that can be managed
  ० Trusted key storage: protected locations in software, firmware or hardware in which long-term cryptographic keys can be held
  ० Hardware security modules: tamper-resistant hardware used to perform cryptographic operations and secure storage that may be removable or physically part of the device
  ० Remote wipe: render access to corporate data stored on the device infeasible; may only wipe a portion of flash memory

• Protected communications
  ० VPN, to include per-app VPN

• Data protection in process
  ० Encrypted memory
  ० Protected execution environments

Security Characteristic: Data Isolation

Example capabilities:

• Virtualization: support for hardware-based virtualization

• Sandboxing: OS or application-level mechanisms utilizing multiple protection, isolation, and integrity capabilities to achieve higher levels of overall isolation

• Memory isolation: processes should be unable to access or modify another process’ memory

• Trusted execution: a process is created and runs in a trustworthy and isolated execution environment leveraging distinct memory spaces and controlled interfaces

• Device resource management: ability to enable/disable device peripherals

• Data flow control
  ० Data tagging: as data is accessed by a mobile application, policies relevant to that data are transmitted simultaneously and enforced on that data by the application

• Baseband isolation: ensure that the software/firmware on the application processor and the baseband communicate with one another over well-defined and constrained interfaces


Security Characteristic: Device Integrity

Example capabilities:

• Baseband integrity checks: ensure that the baseband firmware/operating system has not been maliciously or accidentally modified

• Application black/whitelisting: preventing or allowing applications to run based on a pre-specified list

• Device integrity checks:
  ० Boot validation: validation that the device is in a known working state and unmodified at boot; e.g. BIOS integrity checks
  ० Application verification: ensure corporate applications being installed come from a valid source
  ० Verified application and OS updates
  ० Trusted integrity reports: ensure that integrity reports pulled from the device are representative of the current and true state of the device
  ० Policy integrity verification: ensure that the policies received by the device come from a verified source

Security Characteristic: Monitoring

Example capabilities:

• Canned reports and ad hoc queries

• Auditing and logging: capture and store device and application information

• Anomalous behavior detection: observe activities of mobile users’ devices and processes, and measure those activities against a baseline of known normal activity

• Compliance checks: provide information about whether a device has remained compliant with a mandated set of policies

• Asset management: identify and track devices, components, software and services residing on a network

• Root and jailbreak detection: ensure that the security architecture for a mobile device has not been compromised

• Geo-fencing: monitor a device’s geolocation and enable/disable device and network resources based on that location

Security Characteristic: Identity and Authorization

Example capabilities:

• Authentication of user
  ० Local authentication to applications
  ० Local authentication to device
  ० Remote authentication

• Authentication of device
  ० Remote authentication

• Implementation of user and device roles for authorization

• Credential, token storage and use

• Device provisioning and enrollment

Security Characteristic: Privacy

Example capabilities:

• Company should not be able to monitor and/or report personal activity or capture personal information such as non-corporate account authentication credentials, contacts, phone logs, or text messages

• Notifications provided to users about the privacy implications of certain device and application functionality


Functional Characteristics

As described in the NCCoE building block, turning theoretical security controls into real-world security requires system security designs that ensure ease of use for both the employee and the enterprise. For security controls to actually deliver increased security they must also be functional from a usability perspective. Per the NCCoE model, the proper implementation of usable security controls results in an enterprise mobile security posture that protects corporate data without encumbering the user. The functional characteristics and capabilities listed below are examples of considerations that can greatly affect the security of an enterprise mobility management strategy.

Each entry below gives the security characteristic, its example functional capabilities, and the benefactor.

Security Characteristic: Provisioning
• Ability to provision the device remotely
Benefactor: User and enterprise

Security Characteristic: Software Update Management
• Remote application delivery and updates: push application and OS patches, as well as new applications, to the device
• Remote system updates: distribute the newest releases of corporate applications and security software
Benefactor: User and enterprise

Security Characteristic: Policy Management
• Ability to easily specify granular security policies
• Remotely push new or updated policies to the device
• Notify users of any expected functionality changes prior to the update
Benefactor: User and enterprise

Security Characteristic: Easily Distinguishable Corporate User Interface
• Visual cues within the user interface to help remind the user of when they are accessing corporate data and resources
Benefactor: User and enterprise

Security Characteristic: Monitoring
• Automatic, regular device integrity and compliance checks
• Automated alerts for policy violations
Benefactor: Enterprise

Security Characteristic: Auditing
• Automatically generate reports/dashboard for auditing
• Easy to access and interpret logging
Benefactor: Enterprise

Security Characteristic: Unobtrusive Remediation Procedures
• Should a device compromise occur, security incident remediation can be performed with little to no loss of personal functionality on the device
Benefactor: User

Security Characteristic: Unobtrusive Protected Connection Establishment
• Ability for the user to quickly and easily establish a protected connection between the device and the corporate resources
Benefactor: User

Security Characteristic: Unobtrusive Authentication Methods
• Authentication to applications and services done in the background without the need for user interaction
• Authentication that does not require complex password requirements to unlock the device
Benefactor: User

Security Characteristic: Simple Key Management
• The ability to easily obtain keys for encrypted e-mail
Benefactor: User

Security Characteristic: Simple Corporate File Sharing
• The ability to transfer enterprise data (e.g., drag-and-drop, SMS, upload to cloud) via the mobile interface
Benefactor: User

Please refer to the NCCoE Mobile Device Security for Enterprises V.2 building block for more information.


Resources

National Cybersecurity Center of Excellence (NCCoE) Mobile Device Security V.2 Building Block: https://nccoe.nist.gov/sites/default/files/library/project-descriptions/mds-project-description-final.pdf

National Cybersecurity Center of Excellence (NCCoE) Mobile Device Security: Cloud & Hybrid Builds: https://nccoe.nist.gov/projects/building_blocks/mobile_device_security

Microsoft SAM Tools: https://www.microsoft.com/en-us/sam/tools.aspx

SAM Partner Playbook: https://assets.microsoft.com/en-us/SAM-Services-Partner-Playbook.zip

Microsoft System Center Configuration Manager: http://www.microsoft.com/systemcenter/en/us/configuration-manager.aspx

Microsoft Intune: https://www.microsoft.com/en-us/sam/tools.aspx and http://www.microsoft.com/windows/windowsintune/default.aspx

Microsoft Assessment and Planning (MAP) Toolkit: https://www.microsoft.com/en-us/sam/tools.aspx

Profiling Mobile Use Cases

Anytime, anywhere access to information and people opens up new avenues for user collaboration and productivity. However, this has left many IT departments scrambling to accommodate user expectations and determine how they will support new technologies while maintaining control over their IT data and network. Interpreting the results of mobile device use inventory along with the security survey and assessment will help you develop recommendations and guidance to assist the customer in making informed decisions about their mobile device program. The recommendations should take into account the customer’s objectives, risk tolerance, and organizational profile.

You will also need to work with the customer to identify over-licensed and under-licensed software, with a focus on inaccurate licensing that has been created through use of mobile devices. Reconcile any licensing gaps, identifying optimal ways to right license mobile device access that is under-licensed, and provide the customer with guidance on the best way to manage their software assets most effectively going forward.

Additional Information Gathering

Your goal in this engagement is to empower your customer to make the right decisions going forward. Gathering inventory data is one step in defining a customer’s licensing requirements and security risk position. However, data from the inventory needs to be combined with additional sources in order to make informed choices. This additional information helps to provide a context that is required to make effective licensing and policy decisions.

An important source of information is your customer. Customer conversations can be the key to an effective engagement and should help provide the additional insight needed to fully assess and understand the use of mobile devices in the customer’s environment.

Develop a Profile of the Customer’s Mobile Use Cases

While each customer is different, there are some typical mobile use scenarios that are more common than others. Profiling the customer’s use cases can help you tailor the right solution for the customer to address security concerns and optimize their licensing.

Common scenarios include:

• The employee uses their own device to access an internal portal application.

• The employee uses an organization-supplied mobile device to access corporate email.

• An IT privileged user uses an organization-supplied device to access internal systems management software.

• An executive accesses sales reporting over their own device.

• The employee is working remotely with their own PC or a public terminal.

• As part of a telework initiative, users split their time between working in the office and working from home using corporate devices.

• The employee is a road warrior who is highly mobile, primarily traveling and working from customer or other locations, then working from home the remainder of the time.


Assessing the different use cases should help you to reach some conclusions about how mobile devices are used within the customer organization. Each scenario has its own implications for security and software licensing. You can use this information to frame discussions on solutions based upon a clear understanding of system actors, activities, and the data and associated systems providing access to this data.

Key Questions to Ask in Any Scenario

In order to determine the licensing requirements for a given scenario, make sure you can answer these key questions about the user, device, and location.

Please see the “Microsoft Licensing for the Consumerization of IT” licensing brief for more details on common scenarios.

User

Is the user covered by the Microsoft Core Client Access License (CAL) Suite or the Microsoft Enterprise CAL Suite on a per-user basis?

Is the user the single primary user* of the device?

Can the organization easily identify the primary user of the device?

Device

Is the device covered by the Core CAL Suite or Enterprise CAL Suite on a per-device basis?

Is the device running a qualified Microsoft operating system?

Is the device a “qualified device” or a “qualified third-party device”?

Is the device accessing a virtual desktop infrastructure (VDI)?

Is the device owned by the employee or the organization?

Location

Will the user access the software on the corporate premises (on-site)?

Will the user access the software remotely from outside of the corporate premises (off-site)?

*“Primary user” means the user who uses the device more than 50 percent of the time in any 90-day period.

Additional Considerations

• Is Microsoft Office deployed and licensed correctly? A typical scenario is to see Office deployed via a remote desktop service, with employees accessing Office from multiple devices, not all of which are licensed.

• If suite components are installed, is the entire suite correctly licensed?

• Where are areas for standardization and consolidation? Understanding the usage patterns of those receiving remote desktop services can highlight who requires access and who may not.

• If remote services include products that are not being used, there is an opportunity to identify those applications/versions and then define a more appropriate model.

• Is there an opportunity for cost savings by moving some or all of the workforce to cloud services such as Microsoft Office 365?


Resources

Licensing Brief - Microsoft Licensing for the Consumerization of IT: https://www.microsoft.com/en-gb/Licensing/learn-more/brief-consumerization-it.aspx

ISO/IEC 19770: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56000

SAM Partner Playbook: https://assets.microsoft.com/en-us/SAM-Services-Partner-Playbook.zip

Deployment Considerations

Mobility is one of the four mega trends (mobility, social, cloud, and big data) that are changing how people work and how business is conducted. These four mega trends are likely to be the dominant forces of change in the coming decade and represent what is most important to Microsoft customers today. The proliferation of consumer devices and ubiquitous information access is driving the enterprise away from a device-centric model centered on corporate-owned and provisioned devices to a BYOD model in which employees use their own devices to access corporate applications and data. When they’re working, people expect consistent access to corporate tools and data regardless of the type of device they’re using. They also want their corporate-issued technology and resources to look and behave like their personal technology—always on and always available from any device, from virtually anywhere.

The consumerization of IT trend—and with it, the move toward the personalization of IT—presents an opportunity for IT to help increase user productivity and satisfaction. At the same time, this trend brings numerous management and security challenges to IT organizations, which must see that enterprise infrastructure and corporate data are protected from malicious intent, while ensuring that these resources can be accessed in compliance with corporate policies regardless of device type or location.

Devices Apps Data

Users expect to be able to work in any location and have access to all their work resources

The explosion of devices is eroding the standards-based approach to corporate IT

Deploying and managing applications across platforms is difficult

Users need to be productive while maintaining compliance and reducing risk

IT is challenged to facilitate change while providing necessary controls

Enterprise Mobility: Mobile Device Management

When talking with your customers about mobile device management solutions, take into consideration which offering would best enable people-centric IT. Microsoft takes a layered approach that addresses different levels of device management functionality, all brought together under one console via Microsoft System Center. Microsoft calls this approach Unified Device Management (UDM) since it goes beyond simply managing mobile devices. All devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Consider that:

• Many organizations already have Exchange or hosted Exchange in place.

• Many organizations already have Configuration Manager in place.

• Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs.


Microsoft System Center Configuration Manager and Microsoft Intune

System Center 2012 R2 Configuration Manager can be used to manage iOS®, Android® (including Samsung KNOX), Windows Phone, and Windows devices by using the Microsoft Intune service over the Internet. Although the Microsoft Intune service is used, management tasks are completed by using the Microsoft Intune connector site system role available through the Configuration Manager console. This provides a single management experience that spans across all of the mobile devices and computers used by the enterprise.

System Center 2012 R2 Configuration Manager: Provides secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices (when Microsoft Intune is integrated).

Microsoft Intune: Manages mobile devices over the internet. When integrated with System Center 2012 R2 Configuration Manager, you can manage both PCs and mobile devices from the Configuration Manager console. Microsoft Intune can help customers manage and protect personal devices, while at the same time protecting their company. To learn about how Microsoft Intune helps manage personal devices, see the Microsoft Intune Evaluation Guide.

For enterprise users, these solutions enable user productivity and provide:

• Access to company resources consistently across devices. Users can use the device of their choice to access corporate resources regardless of location.

• Simplified registration and enrollment of devices. Users can manage their devices as well as install corporate applications through a consistent company portal.

• Synchronized corporate data. Users have access to data stored on a centralized file server and can synchronize that data onto their mobile device.

[Figure: Single Admin Console, Microsoft System Center 2012 R2 Configuration Manager. Labels: IT; User. Callouts: Unified infrastructure enables IT to manage devices “where they live”; comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles; IT can manage the device and application lifecycle.]


For IT professionals, Microsoft solutions unify the environment and provide:

• Unified management of on-premises and cloud-based mobile devices. IT can extend its System Center Configuration Manager infrastructure with Microsoft Intune to support cloud management of mobile devices. This enables IT to publish corporate applications and services across device types, regardless of whether they’re corporate-connected or cloud-based.

• Simplified, user-centric application management across devices. IT gains efficiency with a single administration console, where policies can be applied across group and device types.

• Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network profiles. Policies can be applied across various devices and operating systems to meet compliance requirements, and IT can provision certificates, VPNs, and Wi-Fi profiles on personal devices within a single administration console.

These solutions also help protect corporate data by providing:

• The ability to protect corporate information by selectively wiping applications and data. IT can access managed mobile devices to remove corporate data and applications in the event that the device is lost, stolen, or retired from use.

• A common identity for accessing resources on-premises and in the cloud. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

Microsoft Intune and System Center Configuration Manager can be configured to enable mobile device management to let users access company resources in a secure, managed way. By using device management, company data is protected while letting users enroll their personal or company-owned mobile devices and giving them access to company data. System Center Configuration Manager, together with Microsoft Intune, provides the following management capabilities:

• Over-the-Air enrollment

• Collect software and hardware inventory

• Remotely retire and wipe devices

• Configure compliance settings on devices, including settings for passwords, security, roaming, encryption, and wireless communication

• Deploy line of business apps to devices

• Deploy apps from the store that the device connects to: Windows Store, Windows Phone Store, App Store, or Google Play

• Self-service portal for end users

An important concept in managing Bring-Your-Own-Device scenarios is the ownership of the device. System Center 2012 R2 Configuration Manager introduces the ability to denote whether devices are corporate owned or personal devices. If a device is personally owned, then a limited set of inventory is collected from the device, to ensure the enterprise does not stray over privacy limits. If a device is corporate owned, then a complete inventory of the device is collected (where permitted by the device platform). Ownership can also be used as a condition for deployment of compliance items or applications, so if you wish to deploy a specific set of policies to corporate devices, or if you wish to deny a particular application to personal devices, you can use the new global condition to control the deployment based on the ownership flag.


Use System Center 2012 Endpoint Protection with Microsoft System Center 2012 Configuration Manager to:

• Centrally deploy and configure the Endpoint Protection client.

• Configure default and custom anti-malware policies that apply to groups of computers.

• Create and deploy Windows Firewall settings to groups of computers.

• Use Configuration Manager software updates to automatically download the latest anti-malware definition files to keep client computers up-to-date.

• Control who manages the anti-malware policies and Windows Firewall settings by using the Endpoint Protection Manager security role.

• Use email notifications to alert you when computers report that malware is installed.

• View summary and detailed information from the Configuration Manager console and reports.

Enterprise Mobility

The Enterprise Mobility Suite (EMS) is the comprehensive Microsoft cloud solution for consumerization of IT and BYOD challenges, and helps resolve many new challenges of the mobile-first world:

• Users expect to be productive across a variety of device types, with access to the applications they need.

• Businesses need to unify their infrastructure technology environment with a common identity across on-premises Active Directory Domain Services (AD DS) and the cloud, with deeply integrated capabilities for PC and mobile device management.

• Businesses must protect their data, so they require a comprehensive set of access control and data-protection capabilities.

The Enterprise Mobility Suite Add-On is a cost-effective way for Core CAL and eCAL Suite customers to acquire the included cloud services:

• Azure Active Directory (Azure AD) Premium for Hybrid Identity management

• Microsoft Intune for mobile device and PC management

• Azure Rights Management for information protection

Additionally, as of December 1, 2014, the Enterprise Mobility Suite is available as a full User Subscription License which includes all the cloud services from the EMS Add-On, plus:

• Windows Server Client Access License (CAL)

• System Center Configuration Manager Client Management License (CML)

See the Enabling Enterprise Mobility White Paper for more information. The Bring Your Own Device Design Considerations Guide covers issues that need to be considered before implementing a BYOD infrastructure, with design options that can be evaluated and chosen based on identified requirements.

See Preparing for Mobile Device Management and a video of Microsoft mobile device management in action.


Windows Client under Microsoft Enterprise Agreement

Another consideration, when developing a mobile device management program that supports the use of devices that are not company assets, is how the devices will be accounted for under Microsoft Enterprise Agreement (EA). The EA Enterprise Enrollment requires that every qualified device (QD) be licensed for enterprise products such as the Windows client and Office. To ensure proper license compliance, the customer must understand what constitutes a QD.

Additional Support

After conducting a Mobile Device Management SAM Engagement, your customers may be interested in deploying a Microsoft Enterprise Mobility solution. If this support is outside the boundaries of your partner organization’s business model, be aware that additional resources are available that you can recommend to help your customer. Visit Microsoft Pinpoint to find a partner with the Devices & Deployment or Access & Identity competency. You can also investigate Peer to Peer Networking through the International Association of Microsoft Channel Partners (IAMCP).

Find out more at the Microsoft Partner Portal.

Resources

System Center 2012 R2: http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2/default.aspx

System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/library/gg682129.aspx

System Center 2012 Endpoint Protection: http://technet.microsoft.com/en-us/library/hh508836.aspx

Microsoft Intune: http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/default.aspx

Preparing for Mobile Device Management: http://blogs.technet.com/b/enterprisemobility/archive/2014/05/27/preparing-for-mobile-device-management.aspx?loc=zTS1z&prod=zOTprodz&tech=zCLz&prog=zOTprogz&type=zBLz&media=zOTmediaz&country=zUSz

Video of Microsoft Mobile Device Management in Action: https://www.youtube.com/watch?v=Tb8XwsHTm_o

Microsoft Enterprise Mobility Suite: http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/default.aspx

Enabling Enterprise Mobility White Paper: http://download.microsoft.com/download/1/3/7/137B2CF6-79FE-438B-BA00-F343022C3CE3/Enabling_Enterprise_Mobility_white_paper.pdf

Bring Your Own Device Design Considerations Guide: http://technet.microsoft.com/en-us/library/dn656894.aspx

Azure AD Premium: aka.ms/AzureActiveDirectory

Microsoft Intune Evaluation Guide: https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune

Azure Rights Management: aka.ms/AzureRightsManagement

MPN Microsoft Intune: https://partner.microsoft.com/en-us/solutions/microsoft-intune

TechNet: How to Manage Mobile Devices by Using Configuration Manager and Microsoft Intune: http://technet.microsoft.com/library/jj884158.aspx

TechNet: Streamlined Management for Mobile Devices and Computers in a Hybrid Environment: http://technet.microsoft.com/library/dn582037.aspx

TechNet: Manage Mobile Devices and PCs from the Cloud: http://technet.microsoft.com/en-us/library/dn715906.aspx

TechNet: Use Microsoft Intune to Manage Personal Devices: http://technet.microsoft.com/library/dn646978.aspx

TechNet: Microsoft Intune and System Center 2012 Configuration Manager: http://technet.microsoft.com/library/dn646980.aspx

Microsoft Pinpoint: http://pinpoint.microsoft.com

Microsoft Partner Network: https://mspartner.microsoft.com/

Peer to Peer Networking through the International Association of Microsoft Channel Partners (IAMCP): http://www.iamcp.org/

Licensing Considerations

The Consumerization of IT covers a broad set of scenarios including mobile device use, multi-device use, and the BYOD trend. With this irreversible megatrend, no “one size fits all” solution exists for consumerization. This challenges enterprises while they attempt to balance flexibility and user productivity with management, security, and cost. It’s important to understand how Microsoft licensing can help customers meet this challenge.

The era of desktop standardization a decade ago predated the explosion of devices and cloud computing onto the market. At that time, software was typically installed locally on a user’s single PC and licensed by device. This made sense because it was the easiest option for organizations to license and manage their software. Today, with pervasive consumerization, users often have more than one device and expect to work from anywhere at any time. Microsoft responded to these needs with user-centric enhancements to licensing for device management, building on existing licensing and making new consumerization scenarios easier to license and manage, while giving organizations the flexibility to adopt mixed on-premises and cloud environments.

Decisions about licensing depend on the organization, since financial calculations, typical workloads of remote employees, device constraints, privacy constraints (for BYOD), and the maturity of an IT asset management program are all contributing factors in the decision. When talking with your customers about their licensing, be sure to take their business situation, goals, and objectives into account.

Impact of Mobile Devices on Software Licensing

The shift from a world with predominantly on-premises, corporate owned devices to one where devices are just as likely to be mobile as on-premises, and are often personally-owned, may complicate software licensing. The corresponding shift to a cloud-based software as a service (SaaS) model can help to mitigate this complication, but to help ensure that any devices accessing organizational resources are properly licensed, it is best to carefully consider additional factors specific to mobile and BYOD use.

For example, a Gartner webinar, “The Impact of BYOD on Software Asset Management on Software Licensing and IT Asset Management” provides this software licensing checklist:

• Clearly define the following terms:

० User
० Device
० Territory
० Access
० In-use
० Authentication

• Can a personal license be used for business purposes and vice versa?

• How many devices does the license cover?

• Does the license metric allow for concurrent usage?

• Are employees educated on click-wrap license acceptance policy?

• How are the licenses going to be managed? Is there an easier way?


Unified Device Management with User Based Licensing

Consumerization brings new IT considerations, especially for management. Many enterprises have implemented strong management policies, tools, and automation focused on their on-premises IT. This tightly controlled approach is not optimized for dynamic, highly mobile, and multi-device environments. The Microsoft model for IT management combines on-premises and cloud capabilities so that organizations can choose the implementation that fits their needs and adjust over time.

Customers have chosen between user and device client access licenses (CALs) for many years, and most customers have made that decision based solely on cost. For example, if an organization employed more people than it had PCs, it made sense to adopt device-based CALs to minimize CAL license costs. Today, consumerization is altering the economics for many organizations. As more users have multiple devices accessing corporate IT, the case for adopting user CALs increases. Beyond the CAL license cost calculation are other important considerations: ease of management and compliance. User-based licensing, including user CALs, can be easier to forecast, budget, and adjust in a dynamic, multi-device environment than trying to track every device, particularly if some devices are brought in by the user.

Every organization is different, and the decision to select user vs. device-based licenses will vary, since financial calculations, typical workloads of remote employees, device constraints, privacy constraints (for BYOD), and the maturity of the organization’s IT asset management program must all be taken into account.

Microsoft Intune

The Microsoft cross-platform, multi-device cloud management service, Microsoft Intune, is available via a user based licensing model and as an optional, affordable subscription that can be added to the System Center components within the CAL suites. Customers can continue to centralize their management and administration on System Center, and use Microsoft Intune to flexibly manage a wide variety of devices, whether they are company-owned or running a Windows or non-Windows operating system. A Microsoft Intune user subscription covers up to five devices, catering for light to extreme device use. Note that Windows Phone 8 devices and Windows RT tablets can be managed through Microsoft Intune, in addition to non-Windows operating systems.

Enterprise customers can easily license these management products and services through their Enterprise Agreement. As a result, they will see increased value from their CAL Suites. The unified management approach combining on-premises with cloud based options and the associated licensing, is unique to Microsoft and addresses a wide range of consumerization management needs.

SKU: Microsoft Intune
Definition: User Subscription License (USL) including Microsoft Intune online service, System Center Configuration Manager and Endpoint Protection in a single SKU.
Availability: Enterprise Agreement (EA), EA Subscription (EAS)

SKU: Microsoft Intune Add-on for System Center Configuration Manager and System Center Endpoint Protection (per user)
Definition: User Subscription License (USL) for Microsoft Intune online service available as an add-on for existing System Center Configuration Manager and System Center Endpoint Protection customers.
Availability: EA, EAS, and Enrollment for Education Solutions (EES)


Microsoft Online Subscription Program

The Microsoft Online Subscription Program (MOSP) is designed specifically for organizations with fewer than 250 users. With MOSP, customers can easily subscribe, manage, and deploy Microsoft Intune services online. For subscription information, please visit http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/buy.aspx.

Microsoft Open Program

Microsoft Intune is available in Open, Open Value, and Open Value Subscriptions (OVS). It is sold as a 1-year subscription without any limitation on the number of users. To learn more about the Open program, please visit http://www.microsoft.com/licensing/licensing-options/open-license.aspx.

Enterprise Mobility Suite

Microsoft Intune is also available as a component of Microsoft’s Enterprise Mobility Suite (EMS). EMS is the comprehensive cloud solution to address a customer’s consumerization of IT, BYOD, and SaaS challenges. The suite is the most cost effective way to acquire all of the included cloud services:

• Microsoft Azure Active Directory Premium

• Microsoft Intune

• Microsoft Azure Rights Management

• Windows Server Client Access License (CAL)*

• System Center Configuration Manager Client Management License (CML)*

The Enterprise Mobility Suite is available through Microsoft’s Enterprise Volume Licensing Programs. More information is available at http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/buy.aspx.

* Windows Server CAL and System Center Configuration Manager CML are included in the full User Subscription License of EMS.

Microsoft Enterprise Agreement for Windows Client

There are several ways to license a BYOD for Windows Client in an Enterprise Agreement (EA):

• True-Up in EA with Windows Software Assurance

• True-Up in EA with Virtual Desktop Access

• Roaming Use Rights

• Companion Subscription License

• Windows SA Per User (Add-On or full User Subscription License)

To assist in determining which licensing scenario is most cost-effective for the customer’s needs, consider the following:

• Determine if a device is a qualified device

• Become familiar with the above licensing scenarios

• Know if the user of the identified device is the primary user of another device that is covered by the EA

• Find out if the identified BYOD is able to run Windows Professional locally

• Understand the user needs in regards to running Windows Professional locally or virtually

• Know if the device will be used to access Virtual Desktop Infrastructure (VDI)


• Know whether the device will be used for these purposes on the organization’s premises (if unknown, the conservative licensing approach would assume it will be)

• Consider multiple designs in the approach to licensing the BYOD to find the optimal solutions for the customer

FAQs

Q) Is System Center Configuration Manager or System Center Endpoint Protection included with Microsoft Intune?

A) Microsoft Intune includes the use rights for System Center Configuration Manager and System Center Endpoint Protection. Microsoft Intune Add-on for System Center Configuration Manager and System Center Endpoint Protection is also available if you already own System Center Configuration Manager and System Center Endpoint Protection.

Q) If I purchase Microsoft Intune or the Microsoft Intune Add-On (Microsoft Intune Add-on for System Center Configuration Manager and System Center Endpoint Protection - per user) under my Enterprise Agreement, can I manage x86 PCs?

A) Yes. However, any x86 PC that is managed (either by System Center Configuration Manager or Microsoft Intune) is a qualified device under the terms of your Enterprise Agreement and must be appropriately licensed.

System Center 2012 R2

System Center 2012 R2 client management and security solutions are available through three individual licensing options:

• System Center 2012 R2 Configuration Manager

• System Center 2012 R2 Endpoint Protection

• System Center 2012 R2 Client Management Suite

Customers can also access these offerings at a significant discount through Microsoft’s client access license suites (Core CAL and Enterprise CAL).

Planning for System Center 2012

If your customers are planning to deploy System Center 2012 R2, either through upgrades or new licenses, please remember:

• Renewing Software Assurance (SA) is the best way to protect investments and provide access to new versions as well as Deployment Planning Services and technical assistance.

• Select the optimal edition of System Center 2012 R2 based on virtualization rights:

○ Datacenter Edition for highly virtualized private clouds

○ Standard Edition for lightly or non-virtualized private clouds

• Core CAL and Enterprise CAL Suites will continue to be the most cost-effective way to purchase client management products.

Download the System Center 2012 R2 Licensing Datasheet for more information.


Resources

Gartner Webinar: The Impact of BYOD on Software Licensing and IT Asset Management
http://my.gartner.com/portal/server.pt?open=512&objID=202&mode=2&PageID=5553&ref=webinar-rss&resId=2187016

Microsoft Intune How To Buy
http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/buy.aspx

Microsoft Intune Licensing Datasheet
http://download.microsoft.com/download/D/4/2/D42CE308-E111-44D1-BC05-8DD220F71F46/Microsoft_Intune_Licensing_Datasheet.pdf

Microsoft Open Program
http://www.microsoft.com/licensing/licensing-options/open-license.aspx

Enterprise Mobility Suite Pricing and Licensing Overview
http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/buy.aspx

Licensing Brief - Microsoft Licensing for the Consumerization of IT
https://www.microsoft.com/en-gb/Licensing/learn-more/brief-consumerization-it.aspx

Microsoft System Center 2012 R2 How To Buy
https://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2/Purchasing.aspx

Microsoft System Center 2012 R2 Licensing Datasheet
http://download.microsoft.com/download/B/4/A/B4A98A4E-2F43-489D-8761-5362C8C2C328/System_Center_2012_R2_Licensing_Datasheet.pdf


SAM Policies

Developing policies for Mobile Device Management that enable people-centric IT is critical to assure data protection in a mobile environment. This is an area where you can add significant value for your customers, since in many cases, management policies for mobile devices—particularly user-owned smartphones—lag policies for more traditional computing assets. Policies should be based upon an assessment of the impact to the business, since not all risks can be managed. Focus first on high business impact policies, then work through medium and low impact.

BYOD Considerations

Organizations that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it. When creating these policies, consider:

• How much control does the organization want to maintain over employee-owned devices, which can range from treating devices as if they were corporate assets to assuming no control over the devices themselves?

• What constitutes acceptable use of corporate IT resources on mobile devices?

• What data and apps can users access?

• What are the minimum security controls that are required?

• How are devices authenticated?

• Under what circumstances can the organization wipe the device, and what impact will this have on the user’s personal information?

• How are data at rest and data in motion protected?

• How are policies enforced to ensure they are applied consistently?

BYOD Considerations

Here are suggestions about the types of policies and procedures that should be evaluated to determine if they are appropriate to add to a customer’s mobile device management program:

• Make sure that devices are registered before they connect to the company network. This allows network administrators to detect unauthorized devices on the network.

• Require logon protection via a PIN or passphrase. If workers deal with sensitive data, require complex passphrases, not just four-digit PINs.

• Require that data stored on a device be encrypted. Full device encryption is best, but if that isn’t feasible, all business data should be stored in encrypted folders on the device.

• The ability to remotely enable/disable device peripherals and related controls should be established.

• The levels of access granted to users should be based on their roles and responsibilities in the organization. IT can partly enforce access control policies with information from a centralized directory, such as Active Directory.

• Require that employees who want to use their personally-owned devices undergo training to ensure they understand the policies and safe mobile practices and can recognize signs that their devices have been compromised.

Example policy: The IT department reserves the right to approve accessibility or refuse connectivity for any personal devices that do not meet security and software requirements as defined by corporate policy.


• Employees that want to use a personal device for work purposes and require corporate access for email and network connectivity must allow the IT department to track the device for licensing purposes. Further, if the device is lost or stolen then the IT department can wipe the device to prevent the loss of corporate or proprietary information.

• Consider whether to establish an approved list or an unapproved list to control which apps are allowed on the devices. An approved list is more restrictive: only the apps on the list are allowed. An unapproved list names the apps that are not allowed.

• Update hardware and apps to the latest version to mitigate the risk of someone exploiting a known vulnerability.

• Determine if there is a need to develop a policy to cover geo-fencing, or the ability to enforce policies based on the geographic location of the device.

• Keep in mind government regulations, licensing requirements, and industry standards that apply to the business. Health care providers, for example, must comply with the Health Insurance Portability and Accountability Act, which requires measures to protect patient data. Encrypting sensitive data at rest and data in motion is essential.

• Financial services industries must protect confidential customer information under the Gramm-Leach-Bliley Act, but they and other public companies are also required to protect the integrity of financial reporting data under the Sarbanes-Oxley Act.

Evaluating Existing Policies

If the customer has existing Mobile Device Management policies in place, help them to evaluate their policies by determining key changes, and any additional safeguards that would need to be added to address new risks:

• Has their risk profile changed?

○ Are more employees using mobile apps to access corporate data?

○ Are more employees using their own devices?

• How has the environment changed?

○ What new devices, operating systems, and apps are being used?

○ Are there changes in access or usage patterns?

○ What new threats have been discovered? The Microsoft Security Intelligence Report (SIR) is an excellent reference point. It analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide.

• Have new technologies been introduced?

○ What new security features are now available in devices?

○ What new security technologies exist?

Example policy: IT management and appropriate stakeholders will conduct an annual review of MDM policies and procedures to support ongoing MDM best practices. Further, a process should be defined for handling devices that are not within MDM compliance.

If you are conducting a follow-on Mobile Device Management SAM Engagement, be sure to carefully review existing policies to adapt them to a changing environment, and to help increase your customer’s maturity level with respect to mobile security.


Security Awareness Training

When it comes to educating employees about best practices for using their mobile devices, communicating mobile security and BYOD security policies should occur prior to implementation and then again on an ongoing basis. BYOD policies will likely include compromises that the user will have to accept in order to use their device at work, such as agreeing to a “right to wipe” provision, or requirements around data storage and encryption. Users should be very clear about the policies up front, so there are no surprises about what they are agreeing to. The training should clearly communicate the right ways to deal with sensitive information on personal devices.

The message will need to be delivered in different ways, and it is best that this is done iteratively over time. Recommend to the customer that they consider a multi-prong approach, such as emails, newsletters, posters, lunch and learn events, or similar communications in addition to standard training sessions. When the message is delivered in multiple ways on a regular basis, there is a much better chance that employees will take it seriously. Be sure the training includes guidance on topics like:

• Regularly update device operating systems and applications.

• Report devices used to access the business network that have been lost or stolen.

• Discourage the use of personal email accounts for business purposes.

• Before downloading an app, particularly a free one, consider app access rights since they may require the user to share personal and possibly corporate data.

One important point to add is that many organizations require all employees, contractors, or others who regularly access corporate resources using mobile devices to sign a statement confirming that they received, read, and understand the policy as a way of reinforcing the message.

Example policy: All employees using mobile devices that connect to the corporate network must use secure mobile device management procedures. Password and security requirements for personal devices must be adhered to or connectivity privileges may be revoked.

SAM Across the Organization

A discussion about how new SAM policies will be implemented is important. Management should become involved as stakeholders in the implementation and follow-through of SAM processes to ensure that these policies become part of the natural cycle of business for the organization.

Customers should define their internal SAM processes, procedures, and policies, including clear expectations of roles and responsibilities. Policies should include the desired attitude and behavior from an overall organizational perspective, to help ensure all controls are in place and communicated clearly to all involved in the process.

• Realize that SAM spans people, processes, and tools in order to sustainably manage licenses.

• Look at the Microsoft Operations Framework and follow it consistently as a standard best practice.

• Understand and implement a process framework within the organization.

• Incorporate SAM results as a part of governance reports.

• Understand what software tags are and how they are becoming increasingly important. ISO/IEC 19770-2 outlines the parameters for tagging software to optimize its identification and management. Governments are starting to add a requirement for software tags in procurement requisitions, and new Microsoft products include software tags.

• Take steps to ensure all outside teams, such as vendors and contractors, understand the organization’s SAM policies and procedures.


SAM Standards and Frameworks

International Organization for Standardization (ISO)

The comprehensive international standard for Software Asset Management aligned to IT service management is ISO/IEC 19770-1:2012 SAM Processes. This vendor-independent standard can benefit your customers in many ways and is supported by much of the IT industry, including Microsoft.

SAM Optimization Model – Maturity Levels

SAM Throughout Organization
• Basic: Project Manager assigned but SAM roles & responsibilities not defined
• Standardized: Direct SAM responsibility is identified throughout organization
• Rationalized: Each functional group actively manages SAM
• Dynamic: SAM responsibilities defined in job descriptions across organization

SAM Improvement Plan
• Basic: No SAM development or communication plan
• Standardized: SAM plan is defined and approved
• Rationalized: SAM Improvement is demonstrated
• Dynamic: SAM goals part of executive scorecard; reviewed regularly

Hardware & Software Inventory
• Basic: No centralized inventory or < 68% assets in central inventory
• Standardized: > 68% - 95% of assets in inventory
• Rationalized: > 95% - 98% of assets in inventory
• Dynamic: > 99% of assets in inventory

Accuracy of Inventory
• Basic: Manual inventory; no discovery tools
• Standardized: Inventory sources reconciled annually
• Rationalized: Inventory sources reconciled quarterly
• Dynamic: Dynamic discovery tools provide near real-time deployment details

License Entitlement Records
• Basic: Procurement manages contracts; not accessed by IT managers
• Standardized: Complete entitlement records exist across organization
• Rationalized: Entitlement records reconciled with vendor records
• Dynamic: SAM entitlement system interfaces with vendor entitlement to track usage

Periodic Evaluation
• Basic: IT operations managed on ad-hoc basis
• Standardized: Annual sign-off on SAM reports
• Rationalized: Quarterly sign-off on SAM reports
• Dynamic: System reconciliations and ITAM report available on demand

SAM Operations Mgmt & Interfaces
• Basic: SAM not considered part of M&A risk plan and company integration
• Standardized: Operations manages separate asset inventories
• Rationalized: Operations manages associated asset inventory
• Dynamic: All business units follow the same strategy, process & technology for SAM

Acquisition Process
• Basic: Assets purchased on a per project basis; without a review of current availability
• Standardized: Software purchases use approved vendors
• Rationalized: Software purchases based on deployment/entitlement reconciliation
• Dynamic: All purchases are made using a pre-defined asset catalog; based on metered usage

Deployment Process
• Basic: Assets deployed by end-users in distributed locations; no centralized IT
• Standardized: Only approved software is deployed
• Rationalized: Software deployment reports are accessible to stakeholders
• Dynamic: Software is dynamically available to users on demand

Retirement Process
• Basic: Software is retired with hardware and is not harvested or reassigned
• Standardized: Unused software is harvested (where the license allows) and tracked within a centrally controlled inventory
• Rationalized: Centrally controlled inventory of harvested licenses is maintained & available for reuse. Deployment & license records are updated
• Dynamic: Automated process w/ centralized control & tracking of all installed software, harvest options, internal reassignment and disposal

SAM Optimization Model (SOM)

The SAM Optimization Model is a framework developed by Microsoft that is aligned with Microsoft Infrastructure Optimization (IO). SOM enables partners and customers to evaluate SAM effectively and objectively, and manage the life cycle of software assets with vision, policies, procedures, and tools. SOM provides an established set of criteria to help you make consistent SAM assessments and recommendations. Using this model, your organization can conduct a SAM evaluation to determine how effectively your customer is managing software assets. You can use the results of the evaluation to offer guidance and create a road map to visualize the benefits and savings at each stage of SAM optimization.


Resources

Microsoft Security Intelligence Report (SIR)
www.microsoft.com/security/sir

ISO/IEC 19770
www.iso.org

International Organization for Standardization (ISO) SAM Standards

• ISO/IEC 19770-5:2015 - Information technology — Software asset management — Part 5: Overview and vocabulary

• ISO/IEC 19770-2:2015 - Information technology — Software asset management — Part 2: Software identification tag

• ISO/IEC 19770-1:2012 - Information technology — Software asset management — Part 1: Processes and tiered assessment of conformance

BSA SAM Advantage Course Aligned to ISO/IEC 19770-1 SAM Standard
http://www.bsa.org/anti-piracy/bsa-sam-solutions

SAM Optimization Model & ISO SAM

[Figure: the MS SOM levels (Basic, Standardized, Rationalized, Dynamic) shown beside ISO SAM Tiers 1 to 4, with three numbered stages marked 1) Initial focus, 2) Subsequent focus and 3) Long-term focus, and the label "Largely Equivalent" appearing twice.]

The SAM Optimization Model framework serves as the foundation and guidance for preparing to implement an effective SAM program that supports alignment with ISO standards. The ISO standard outlines the requirements and certifications recommended for a comprehensive SAM program. Essentially, Microsoft SOM focuses more on how to implement an effective SAM program and the ISO SAM standard focuses on what to implement for comprehensive SAM. Adopting both frameworks will help ensure that customers accurately and strategically implement and manage a successful ongoing SAM practice.