
Microsoft Mobility and Security for Enterprise Architects

What IT architects need to know about mobility with Microsoft cloud services and platforms

This topic is 1 of 4 in a series

Enable productivity and from anywhere while protecting data and applications

Microsoft provides broad support for mobile productivity with support for applications and rich features for controlling access to your organization's assets.

Microsoft mobile apps for business

Microsoft produces a number of business class mobile apps for productivity. See page two for featured applications.

With an Office 365 for business subscription, you get mobile apps that help you get more done from your favorite device while keeping your data secured. Use Intune Mobile Application Management to apply additional security when using these mobile applications.

for Business, , OneNote, and more apps for business are also available. Get the full list of apps and learn how to set them up on your devices.

Dynamics CRM also includes apps for phones and tablets.

Developing your own mobile apps

Use the Mobile Apps feature of Azure App Service to build engaging iOS, Android, and Windows apps or cross-platform or Cordova (Phonegap) apps for your customers and business.

- Broadcast push with customer segmentation
- Enterprise single sign-on with
- Autoscale to support millions of devices
- Apps can work offline and sync
- Social integration with Facebook, Twitter,

Cloud App Security for SaaS apps

Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for your cloud applications.

- App discovery: Identify all cloud applications in your network—from all devices—and evaluate risk scoring and ongoing risk assessment and analytics. No agents required.
- Data control: Approve apps. Set granular controls and policies for data sharing and DLP.
- Threat protection: Identify high-risk usage, security incidents, and detect abnormal user behavior to prevent threats.

Mobile access to on-prem applications

Active Directory Application Proxy lets you publish applications, such as web-based apps inside your private network and provides secure access to users outside your network. You can protect on-premises applications with the same requirements as other cloud-based applications with MFA, device requirements, and other conditional access requirements.

[Diagram: Azure AD Application Proxy, connectors, and apps on the on-premises network]

Managing access to cloud-based applications and data from mobile devices

Microsoft provides a range of capabilities you can use to control access to applications and data from mobile devices.

Enterprise Mobility + Security (EMS)

Office 365
Basic capabilities for Office 365 applications
- Multi-factor authentication for Office 365 applications.
- Basic controls for access to Exchange Online and SharePoint Online.
- Basic Mobile Device Management (MDM) capabilities.

Azure AD Premium
Control access to applications based on user accounts and groups
- Multi-factor authentication with user, location, and device-based rules for SaaS applications in your environment.
- Advanced protection with risk-based adaptive access control.
- Single sign-on to all SaaS applications in your environment.

Microsoft Intune
Controls for managing mobile applications, devices, and PCs
- Mobile application policies (MAM) for mobile devices.
- Device-based management, configuration compliance, and conditional access.
- Deploy apps and manage apps to mobile devices and PCs.

Azure Information Protection
Encryption, classification, labeling, identity, and authorization policies applied to email and files
- Previously Azure Rights Management (RMS).
- Protect targeted data sets with RMS policies. All file types are supported.
- Protection stays with files no matter where they go.
- Support for on-premises services, as well as Office 365.

September 2016 © 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].

This topic is 2 of 4 in a series

Featured apps for mobile devices

Microsoft Office apps

Review, edit, analyze and present with a consistent and familiar user interface optimized for use on your mobile device. Core editing is free on devices with screen sizes smaller than 10.1".

- Extra features on your and Windows tablet with Office 365 for consumers
- Extra features on your iPad* and iPhone with Office 365
- Extra features on your Android tablet and phone with Office 365
- Enhancing information rights management in Word, Excel and PowerPoint mobile apps
- Azure RMS requirements: Applications

Excel PowerPoint Outlook Word

OneNote

Type, hand write, draw, and clip things from the web to get down your thoughts into your notebook. Use OneNote's flexible canvas to place content anywhere you want. You can even scan hand written notes or pages straight into OneNote then make them searchable.

- https://www.onenote.com/
- Install OneNote on a or device

Office Lens

Office Lens trims, enhances, and makes pictures of whiteboards and docs readable. You can use Office Lens to convert images to PDF, Word and PowerPoint files, and you can even save images to OneNote or OneDrive.

- Office Lens comes to iPhone and Android

OneDrive

Use the same app for your business and personal accounts. Add additional accounts.

- Set up OneDrive for Business on your phone or tablet

Configure Data Loss Prevention Policy Tips for OneDrive mobile apps. Documents stored in OneDrive for Business are scanned for sensitive information and evaluated against company policies configured in Office 365. Included with Office 365 E3 and E5 plans.

Skype for Business mobile app

Connect with your team anywhere using clients across Windows, Mac, iOS, and Android or bring remote participants into meetings of all sizes with Skype for Business.

- Download Skype for Business across all your devices

Add inside your mobile apps

The Skype for Business App SDK Preview is now available for download. This new SDK enables developers to seamlessly integrate , audio and video experiences into their custom iOS and Android applications.

Office Delve for Android

Use Delve to see what you and your colleagues are working on across Office 365. Based on who you work with and how you work together, Delve suggests documents that are relevant to you.

Key features:
- Discover new information
- Find documents through
- Get back to documents you're working on

In Delve you'll only see content that has been shared with you. This means that your colleagues won't see your private documents, and you won't see theirs.

IMPORTANT: You can only use this app if your organization uses Office 365 and Delve.

SharePoint mobile app

Navigate SharePoint sites, view links to sites your organization has marked as important, view people profiles and search for people, sites and documents.

- Getting started with the SharePoint mobile app

Available from the Apple App Store starting June 2016. Android and Windows versions will follow.

Also: Use a mobile device to work with SharePoint Online sites

Yammer mobile app

Stay on top of conversations, post updates, and collaborate with your team no matter where in the world you are.

- Download the Yammer app

Office 365 Admin app

Manage Office 365 from anywhere. The Office 365 Admin app allows you to receive notifications, add users, reset passwords, create support requests, and more, when you're on the go.

- Learn about and download the app

Microsoft Remote Desktop

With the Microsoft Remote Desktop app, you can connect to a remote PC and your work resources from almost anywhere.

- (Android)
- Apple Store
- Microsoft Store

Dynamics CRM for phones and tablets

Keep track of your contacts, leads, and activities on the go with the CRM for phones and tablets apps. You get the same intuitive experience on both your phone and tablet.

- Dynamics CRM Developers: Build Your Own Mobile Apps for Microsoft Dynamics CRM for Windows, iOS, and Android


This topic is 3 of 4 in a series

Mobile app development

With the Mobile Apps feature of Azure App Service, you can rapidly build engaging cross-platform and native apps for iOS, Android, Windows, or Mac; store app data in the cloud or on-premises; authenticate users; send push notifications; or add your custom backend logic in C# or Node.js.

Azure App Service is a fully managed Platform as a Service (PaaS) offering for professional developers that brings a rich set of capabilities to web, mobile and integration scenarios. Mobile Apps in Azure App Service offer a highly scalable, globally available mobile application development platform for Enterprise Developers and System Integrators.

Build native and cross platform apps
Build native iOS, Android, and Windows apps or cross-platform Xamarin or Cordova (Phonegap) apps. Take advantage of App Service using native SDKs.

Connect to your enterprise systems
With Mobile Apps you can add corporate sign on in minutes, and connect to your enterprise on-premises or cloud resources.

Build offline-ready apps with data sync
Make your mobile workforce productive by building apps that work offline and use Mobile Apps to sync data in the background when connectivity is present with any of your enterprise data sources or SaaS APIs.

Push Notifications to millions in seconds
Engage your users and customers with instant push notifications on any device, personalized to their needs, sent when the time is right.

App Service Mobile Apps capabilities and documentation

Stages: Try it out and learn more; Get started; Develop; Deploy; Manage; Monitor; Optimize and enrich

Documentation topics:
- Build a mobile app in seconds without signing up
- Create a mobile app
- Work with a .NET backend
- Deployment options
- Management
- Monitoring basics
- Work with offline data
- What are Mobile Apps?
- Add offline sync to your app
- Work with a Node.js backend
- Deploy using Powershell
- Configure a custom domain name
- Enable diagnostic logging
- Authenticating users
- App Services vs. Mobile Apps
- Add authentication to your app
- Develop Android apps
- Deploy to staging slots and swap into production
- Scale your application
- Troubleshoot with Visual Studio
- Send push notifications
- Add push notifications to your app
- Develop Cordova apps
- Continuous deployment
- Backup your application
- Sync images using blob storage
- Develop HTML/JavaScript apps
- Restore your application from backup
- Control global traffic with Traffic Manager
- Develop iOS apps
- Access on-premises resources
- Develop Windows and Xamarin apps
- Add Skype for Business to your mobile app
- and versioning


This topic is 4 of 4 in a series

Controlling access to applications and protecting data on mobile devices

For more information, see Controlling Access to Office 365 and Protecting Content on Devices

Access control capabilities by product

Products compared: Office 365, Azure AD Premium, Microsoft Intune

BYOD (not enrolled)

Office 365
- Exchange Online — Configure password policies for Outlook Web Access (OWA).
- SharePoint Online — Configure basic policies for external access to SharePoint sites.

Azure AD Premium
- Single sign-on to all SaaS applications in your environment.
- Multi-factor authentication (MFA) — Enable per user.
- Conditional access policies — Configure per application. Policies can vary between applications. Common policies are listed below.

Multi-factor authentication and location based access rules:
- Apply rules to all users or specific groups
- Require multi-factor authentication
- Require multi-factor authentication when not at work
- Block access when not at work

Applications that can be configured for conditional access using Azure AD Premium include:
- Microsoft Power BI
- Exchange Online
- SharePoint Online
- Yammer
- Outlook Groups
- Skype for Business
- Other SaaS apps in your environment that are configured for Azure AD single sign-on

Microsoft Intune
- Send a wipe request.
- Configure mobile application management (MAM) policies per platform (without enrolling devices): iOS, Android

Choose which applications to apply a policy to and then configure policy rules. Example settings for iOS:
- Prevent iTunes, iCloud backups
- Allow app to transfer data to other apps
- Allow app to receive data from other apps
- Prevent Save As
- Restrict cut, copy, and paste with other apps
- Restrict web content to display in the Managed Browser
- Encrypt app data
- Disable contacts sync
- Require PIN for access (with additional settings)
- Require corporate credentials for access
- Block managed apps from running on jailbroken or rooted devices
- Recheck the access requirements (timeout and offline grace period)
- Offline interval (days) before app data is wiped

These settings also apply to Company Owned Devices.

Enrolled devices

Office 365
Enroll devices and configure basic access controls:
- Requirements for passwords, login attempts, lock timeout, and wipe after sign-in failures
- Require encryption
- Prevent jail broken or rooted devices
- Report violations

Additional security policies:
- Require encrypted backup
- Block cloud backup
- Block document synchronization
- Block screen capture
- Block video conferences on device
- Block sending diagnostic data from devices
- Block access to application store
- Require password when accessing application store
- Block connection with removable storage
- Block connection

Azure AD Premium
Device based conditional access rules rely on Intune compliance policies and apply to enrolled devices. These can be applied to the same set of applications listed above.

Device based access rules (Preview):
- All devices must be compliant
- Only selected devices must be compliant, other devices will be allowed access:
  - Android
  - iOS
  - Windows
- Application enforcement:
  - For browser and native applications
  - For only native applications

Microsoft Intune
Manage more device platforms and types: Android, iOS, Mac OS X, Windows phones and desktops. Block access from unsupported devices.

Deploy apps, including LOB apps.

Configure finer-grain control of access to corporate resources by configuring policies. Types of policies:
- Configuration — manage security settings and features on devices.
- Device compliance — Define rules and settings that a device must comply with.
- Conditional access — Secure access to email and other services, depending on conditions that you specify.

Policies are typically used in combination. For example, define compliance policies and then define conditional access policies that require compliance.

Conditional access policies are defined by application:
- Dynamics CRM Online
- Exchange Online
- SharePoint Online & OneDrive for Business
- Skype for Business Online

Capability support for mobile platforms and applications

Microsoft continues to enhance support for mobile platforms and applications. Check the official product documentation for updates.

These capabilities require device enrollment

Capabilities compared:
- Office 365 basic access policies for Exchange Online and SharePoint Online
- Office 365 MFA. Enabled by user account.
- Azure AD Premium MFA. Location-based rules for MFA
- Intune MAM policies for mobile apps
- Office 365 MDM basic controls
- Azure AD Premium device-based access rules. Configured per SaaS app
- Intune device management and conditional access policies apply per SaaS app

Platforms: Android, iOS, Mac OS X *, Windows Phone, Windows desktop, Other platforms

Restrictions
- Only applies to Office 365 applications
- If MFA is not enabled for a user, the application-based MFA policies don't apply to the user and their access is not affected.
- Unsupported platforms are unrestricted.
- Unsupported platforms are unrestricted.
- Unsupported platforms can be blocked
- * Mac OS X is supported for device policies but not for conditional access.

Applications Exchange Online Exchange Online Microsoft Power BI Microsoft Dynamics Application support Microsoft Power BI Dynamics CRM Online CRM varies by platform SharePoint Online SharePoint Online Exchange Online Exchange Online Exchange Online Outlook Groups Supported devices Outlook Groups SharePoint Online SharePoint Online Exchange On- and applications Managed Browser premises OneDrive for Business Yammer Yammer Skype for Business SharePoint Online & Skype for Business Outlook Groups Outlook Groups OneDrive for Business Online Excel Skype for Business Skype for Business Skype for Business Client applications Online Outlook Online Online Other SaaS apps in PowerPoint Other SaaS apps in your environment your environment Word that are configured that are configured for Azure AD single OneNote for Azure AD single sign-on sign-on Remote Desktop On-premises On-premises applications you Microsoft SharePoint applications you publish using Azure OneDrive publish using Azure AD Application Proxy AD Application Proxy Yammer

Testing access management capabilities in a lab environment

You can evaluate and test all of these features in a test lab environment. See all test lab guides.

To evaluate and test capabilities in a lightweight environment, use these Test Lab Guides.

1. Office 365 dev/test environment: Set up an Office 365 E5 trial subscription
2. Office 365 and EMS dev/test environment: Add an Enterprise Mobility suite (EMS) trial subscription
3. MAM policies for your Office 365 and EMS dev/test environment: Create MAM policies for iOS and Android devices
4. Enroll and manage iOS and Android devices with Intune: Enroll and manage these devices remotely

To evaluate and test capabilities with simulation of enterprise identity synchronization, use these Test Lab Guides.

1. Base configuration test environment: Create a simplified intranet running Azure infrastructures with a domain controller
2. Office 365 dev/test environment: Set up an Office 365 E5 trial subscription
3. DirSync for your Office 365 dev/test environment: Run Azure AD Connect for directory synchronization
4. Office 365 and EMS dev/test environment: Add an Enterprise Mobility suite (EMS) trial subscription
5. MAM policies for your Office 365 and EMS dev/test environment: Create MAM policies for iOS and Android devices
6. Enroll and manage iOS and Android devices with Intune: Enroll and manage these devices remotely
