windows server 2012 r2 capabilities for byod scenario yuri diogenes senior knowledge engineer data...
TRANSCRIPT
Windows Server 2012 R2 Capabilities for BYOD ScenarioYuri DiogenesSenior Knowledge EngineerData Center, Devices & Enterprise Client – CSITeam’s Page: http://technet.microsoft.com/cloud
@yuridiogenes http://aka.ms/yuridio
Corporate Managed
What’s happening?Before
Corporate Managed
What’s happening?Now
32% of employees use two or three PCs forwork from multiple locations
FORRESTER RESEARCHTHE STATE OF WORKFORCE TECHNOLOGY ADOPTION: GLOBAL BENCHMARK 2012, FORRESTER RESEARCH, INC., APRIL 12, 2012
Unmanaged
90% of enterprises will have two or more mobile operating systems to support in 2017GARTNERGARTNER PRESS RELEASE, GARTNER SAYS TWO-THIRDS OF ENTERPRISES WILL ADOPT A MOBILE DEVICE MANAGEMENT SOLUTION FOR CORPORATE LIABLE USERS THROUGH 2017, OCTOBER 25, 2012, HTTP://WWW.GARTNER.COM/NEWSROOM/ID/2213115
Corporate Managed Unmanaged
What’s happening?Today
32% of your employees—power laptop users—access 21 different applications, while desktop users—36% of your employees—use 9.8 applications at work
FORRESTER RESEARCHTHE STATE OF WORKFORCE TECHNOLOGY ADOPTION: GLOBAL BENCHMARK 2012, FORRESTER RESEARCH, INC., APRIL 12, 2012
Mobility is the new normal
67%of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves
905Mtablets in use for work and home globally by 2017
FORRESTER RESEARCHBRING THE BUSINESS CASE FOR A BRING-YOUR-OWN-DEVICE (BYOD) PROGRAM, FORRESTER RESEARCH, INC., OCTOBER 23, 2012
FORRESTER RESEARCH2013 MOBILE WORKFORCE ADOPTION TRENDS, FORRESTER RESEARCH, INC., FEBRUARY 4, 2013
The explosion of devices is eroding the standards-based approach to corporate IT.
Devices
Deploying and managing applications across platforms is difficult.
Apps
Today’s challenges
6
Data
Users need to be productive while maintaining compliance and reducing risk.
Users expect to be able to work in any location and have access to all their work resources.
Users
across multiple devices…
with access to apps…
in a consistent manner.
Starts with a person…
EMPLOYEE #0000000-000CONTOSO
whose identity is verified…
Devices
AppsUsers
People-centric IT
8
Enable usersAllow users to work on the devices of their choice and provide consistent access to corporate resources.
Hybrid Identity
Deliver a unified application and device management on-premises and in the cloud.
Protect your data
Help protect corporate information and manage risk.
Management. Access. Protection.
Data
Access and Information Protection
9
Protect your data
Centralize corporate information for compliance and data protection
Policy-based access control to applications and data
Hybrid Identity
Common identity to access resources on-premises and in the cloud
Enable users
Simplified registration and enrollment for BYO devices
Automatically connect to internal resources when needed
Access to company resources is consistent across devices
√
10
Challenges Solutions
Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
Users want an easy way to be able to access their corporate applications from anywhere.
IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.
Enable users
Registering and Enrolling Devices
11
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the users identity. Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device
Users can enroll devices which configure the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications
As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device
Data from Windows Intune is sync with Configuration Manager which provides unified management across both on-premises and in the cloud
Web Application Proxy
AD FS
Publish access to resources with the Web Application Proxy
12
Users can access corporate applications and data wherever they are
IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS
Use conditional access for granular control over how and where the application can be accessed
Active Directory provides the central repository of user identity as well as the device registration information
Web Application
Proxy
Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps
Devices
Apps & Data
AD FS
Active Directory
Reverse proxy pass throughe.g. NTLM & Basic based
apps
Published applications
Restful OAuth apps
Office Forms Based Access
Claims & Kerberos web apps
AD Integrated
13
Users can sync their work data to their devices.
Users can register their devices to be able to sync data when IT enforces conditional access
IT can publish access directly through a reverse proxy (such as the Web Application Proxy, or conditional access can be enforced through integration with AD FS
IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management
IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android)
Devices
Apps & Data
Make corporate data available to users with Work Folders
Reverse Proxy
Web Application Proxy
Active Directory discoverability provides users Work Folders location
File Services
Domain joined devices
Active Directory
AD FS
Effective working with Remote Access
14
Can originate admin connection from
intranet
Connection tointranet is always
active
Cannot originate admin connection from intranet
VPN
DirectAccess
With DirectAccess, a users PC is automatically connected whenever an Internet connection is present.
Traditional VPNs are user- initiated and provide on-demand connectivity to corporate resources.
An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
FirewallWeb Apps
Session host
LOB Apps
Files
VDI
Video Demo
Windows 8.1 and iPad Workplace Join and Company Portal
Hybrid Identity
16
Challenges Solutions
Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment, and in cloud-based platforms.
Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Users have a single sign-on experience when accessing all resources, regardless of location.
Users and IT can leverage their common identity for access to external resources through federation.
IT can consistently manage identities across on-premises and cloud-based identity domains.
Delivering a seamless user authentication experience
User attributes are synchronized using DirSync including the password hash, Authentication is completed against Windows Azure Active Directory
17
DirSync
AD FS
Active Directory DirSync with
password hash sync
User attributes are synchronized using DirSync, Authentication is passed back through federation and completed against Windows Server Active Directory
Active Directory
Cloud Authentication
Federated Authentication with Single Sign-On
Multi-Factor Authentication can be configured through Windows Azure
AD FS provides conditional access to resources, Work Place Join for device registration and integrated Multi-Factor Authentication
Protecting information with multi-factor authentication
1818
1. Users attempts to login or perform an action that is subject to MFA2. When the user authenticates, the application or service performs a MFA call
3. The user must respond to the challenge, which can be configured as a txt, a phone call or using a mobile app
5. IT can configure the type and frequency of the MFA that the user must respond to
4. The response is returned to the app which then allows the user to proceed
Application authentication
e.g. Active Directory, Radius, LDAP, SQL,
Custom apps
ADFS
User
Protect your data
19
Challenges Solutions
As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
A significant amount of corporate data can only be found locally on user devices.
IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Users can work on the device of their choice and be able to access all their resources, regardless of location or device.
IT can enforce a set of central access and audit polices, and be able to protect sensitive information based on the content of the documents.
IT can centrally audit and report on information access.
√
Desktop Virtualizatio
n
Policy based access to corporate information
IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.
IT can audit user access to information based on central audit policies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Centralized Data
20
RD Gateway
Distributed Data
Devices
LOB AppsWeb Apps
Session host
Files
VDI
Access Policy
Protect data with Dynamic Access Control
Centrally manage access control and audit polices from Windows Server Active Directory.
Automatically identify and classify data based on content. Classification applies as files are created or modified.
Integration with Active Directory Rights Management Services provides automated encryption of documents.
Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
File classification, access policies and automated Rights Management works against client distributed data through Work Folders.
File Services
21
Active Directory
Video Demo
Work Folders with DAC and RMS
http://www.microsoft.com/en-us/server-cloud/solutions/access-information-protection.aspxhttp://www.microsoft.com/en-us/server-cloud/solutions/user-device-management.aspx
More Resources:
System Center 2012 R2 Configuration Managerhttp://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intunehttp://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012 R2 http://www.microsoft.com/en-us/server-cloud/windows-server/windows-server-2012-r2.aspx
For More Information
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.