How Microsoft is modernizing device management

Show video

Hello. Everyone and welcome to today's webinar on how Microsoft, is modernizing device management, my, name is mayan jane and i will be your host for today's session I'm a, Senior Product Marketing Manager for Microsoft Intune and I've been with Microsoft for, about a year now before. That I've spent over 10 years in the end-user computing space, in various, technical marketing roles with. Me here are Mike. And Carmichael, who will be happy to introduce themselves, let's. Start with you Mike hi. I'm Mike de Guerre I'm a senior program manager here, at Microsoft I've, been here quite a while about 17, years actually, and. Been in various roles, from data center to client etc but the last 10 years I've, been focused on client, management everything from, the release of SCCM, to. The, release. Of Intune at Microsoft, and rolling that out across the company to. Cross-platform and lately, focus on security, and in tune yeah thanks for coming over and join innocent yeah the digital security risk engineer it's doing good nice. So I'm, Carmichael Patton as, I said it was I'm a digital security risk and engineering team I'm on a team called emerging, security products, where, we focus on how. We can fill our control gaps in, our security environment, to, sort. Of fit that need where we have the the gaps there I, brought, him to Microsoft about three years ago my, focus was to actually. Look, at how we manage our non Windows environments, so how we manage Mac iOS Android, and, potentially. Even Linux in the future maybe Linux, talk. About that a little later yeah. Nice. Thank, you guys so. Before we get started with, the presentation I'd, like to let, you know that you can submit your questions, into the on, 24, dashboard, at any time during the conversation, we. Have peers ready online, to help you answer them and then we also collect, a few to discuss during, the session or up in the QA session after, the presentation. In. Case we run out of time and can't get to all your questions we, will stay behind in the studio I think all of us can stay, behind and then post them with the on-demand webinar. Session so and then in the end I think we can wrap up with some key recommendations, to get these guys started with their deployments. Definitely. Awesome. So let's kick, it off then sure. Let me kind of walk everyone through kind, of where, we're gonna head first, we'll. Talk about a little bit about our, environment kind. Of just a level set because a lot of people when they think about Microsoft, they, don't really realize how, you, know you mentioned Linux iOS Mac, Android we have a huge breadth of devices. At Microsoft, so we kind of want to walk you through the level set that then. We kind of walk want, to walk through some of the management structure what we're doing as. Well as some of the architecture, with EMS, and how we're kind of arranging, while, we're thinking today, as well. As where are we headed I think, that's part of the really key conversation, today you know where, are we headed with with. Microsoft, as an enterprise and what, are the challenges we're, seeing because I think we're a lot, similar to a lot of you guys and then, walk through how that dovetails, into EMS, because, really it comes about how are we gonna use our products the most effectively, right how are we gonna look forward, and, then, kind of talk about the modern management scenarios, that were were, you know they had deep today, that. We're driving so. With. That we'll kick it off chronological. If you want to walk us through kind, of our environment, today yeah, sure and I think one of the things you just said Mike is is really important because you. Know why we are Microsoft, we're actually just an enterprise like most other people where we we are using, Microsoft products, and trying to figure out how to do that and they're most effectively.

Some, Of the key information, we have up here we have 135, employees there to 5000, employees, and. Most of those folks have multiple, devices you know they're managing, their iPhones or their their Android devices they, have laptops, maybe they even have some other. Systems, maybe working, from home or something like that right so it's. Key to understand sort of the environment, looking. At it we have about 2.6, million transactions. Per day on our sales platforms. Of course the. 380,000, devices hitting our network per month that's, a you. Know coming in through either on-prem, plugged, into the wired the. Wire ports or in our wireless, environments, as well so, if you want to jump over the next slide let's talk a little bit about what we actually have as far as devices, sure, because, I think it's super important, for us to sort of understand you, know we aren't just Windows right like, I said I came in about three years ago because. We had a standard at the time basically said thou shalt not have and, I. Think, there was some rumors, going around about maybe some executives, that didn't like you know some of those competing fruit products I was here for those. So. You know it's understanding. That our environment isn't just, windows and you can see here this is just our management environment we have about a hundred and thousand, iOS devices I mean just think about that we have 135,000. Employees and, we. See these multiple, devices so I mean clearly the numbers don't add up when you look at a iOS and Android because, that's we because we also have vendors we have partners, that we work with that are actually leveraging our management platforms, as well to ensure. That that data that we're really wanting to protect is protected, I was, going to say just to just that on the previous slide we didn't mention the vendors but just. To be clear you know we actually have about, 230,000. People connecting. To our resources, at any given time okay so well, we have the secure hundred and thirty that we really want to focus on it's. Really about two hundred and thirty thousand, people that are actually connecting, at any given time I think. The one thing we'll also point out is we still have Windows Mobile on the list we have to work a few of those. And. I love the fact that we are our old biggest, customer almost right it almost feels, like I was sharing, with you guys earlier that being. In marketing the, stuff you guys put, out the IP showcase, white papers the webinars are a number-one asset so, people, really love the fact that we can actually eat our own or drink, our own champagne. And. And at that scale so it's amazing, fabulous job so. Uh I think what we'll do then is move, into how, we actually, are looking at this from an initiative towards, moving towards modern management. Surely. I want to let's let's kind of introduce therefore kind of key things that we're working on right now that we'll talk about first is remote users so, what, people don't realize is in. A shift of mindset, we. Made the assumption probably three years ago to. Just say look we, assume, that everyone, is going to work remote we. Want you to work remote we encourage it we tell people to work from their home office but. That changes, the construct, of how you're going to manage them if you're. Sitting at home and you're working on your PC what does that look like, does it need to be in tune enrolled can, we apply, policies. To just secure that device do. Even can we just provide a browser experience, but. But, first and foremost we, want people to have that remote experience, because whether. You want to as an enterprise or not, people are going to be connecting, from their coffee shop from. Anywhere. McDonald's. They're. Just gonna be working from anywhere well you know we're gonna get that bread Arsenault ask one of those moments where it's the 7 o'clock at night in your boss ecology and said by the way we need that slide deck that. Happens. Here. With. That we kind of have, created this internet, first and you want to just mention the zero trust network. Yeah, you. Know again sort, of as Mike said you're gonna be working from all these ubiquitous environments. It could be at home it could be at the coffee shop it could be Grandma's house and you're getting that sort of last minute request where you need to get access to something I think, for us it's, not just ensuring. That you. Have that capability to, open up office, but then entry but for sort, of moving that paradigm, to the are, you really allowed to do that on that device that you have that rolling.

Exactly, Vice and. So using, that identity is the boundary in saying okay you know mike is logged, in at this location, does, he you have access to that data and does, he have access to that data from this device so. Creating that sort of maybe, not necessarily the traditional sense of zero trust from a networking, isolation. Perspective, which is a layer of it right, but just you know the the identity, and the device health, is the other pieces of that as well and. Then, we get into how we modernize, apps so. We're. No different than anyone else if you look at our lob platform, four thousand I mean at one point we had 7,000 apps it was it was crazy we. Still have thousands. Of apps more like 4,000. Depending. On who you ask around here but. One, thing we focused on is moving all of that to the cloud now, we're modernizing everything, we're trying to but. Even, for us it's, a journey right we, have things that are enabled for on-prem and now, even from a monetization, standpoint, what we're doing is we've actually peeled, back the onion a little and we're saying look, there's certain things that need to stay on and there's, a few of those and then, there's some, things that actually need to be on the internet and most of those are moved over but. Ideally we're trying to move everything so that it's consistent with our management platform so we have the controls in place and, I think it's important you mentioned the 7000 number and that's just line of business internal, apps that we use here at Microsoft remit, some sort of an enterprise perspective, and. That number while, it isn't 7000, in the cloud I mean a lot of that has been deprecated, because it's just legacy, apps that maybe we just had lingering around for a while but, a good portion of that has actually moved up to the to the cloud today and is being run from the Azure platforms, and, I think the last number that we actually have is about 70, apps that are still sitting on pram in, an environment, whether because they're just so old and legacy but they still have that data that we need or. If they just can't monetize it for whatever reason. And it's so it's important especially we go back to the sort of that thinking, of the internet first which, is okay. Fine those apps have to stay on pram but how do I still give that experience when somebody's remote be able to access that app so. You. Got to look at the cost of that right exactly, to me it's also a cost decision, if if you're gonna modernize how, much development is that going to cost you and then, how what's, the value if, you have a 550. Person, application. Is it really worth right. You know investing, in and so, a lot, of ours have transitioned, I think power, apps for example we've, moved a ton of apps to the power apps platform and that, gets us out of kind, of the the micromanagement, of the app itself because we just put it in the container and and we're good to go don't forget to do your time away what you can do through power apps for. Your vacation right. And and I think thing. That comes up especially in our conversations, is internet, first doesn't, mean Internet only correct right a lot of people can have assumed, oh my god I have to modernizing. Means I have to abandon everything I knew that's, not true especially with Microsoft, you stay, I believe, with what you have you, just try to think of the reality, that today everything is internet first yep taking.

Care Of the fact that you also have a lot of stuff that is not yet intent on the Internet yes we have that beyond. Just those 70 applications, we have our high risk environments, right and so protecting, those with what I think publicly we call the pause. The, privileged access workstations, we. Internally we call secure access stations right so there's a workflow, that. Even goes beyond just these regular, devices, that says you have to be on a fully, managed, device that we control, the images on so it's a to your point right so not everything will be extended, to the cloud so we still have to have that gateway well, they can be remote but we know that that is an absolute, trusted device and that they're coming in from so good. Good point that kind of gets into kind of the last bullet that we'll talk a little bit more in-depth here about which is like kind of that co-manage scenario, if. You think about the sec m+ in tune there's, a lot of enterprises they, have infrastructure, costs. They have some costs that they're, basically going to be in a co-manager and state because to be honest some of their workflows don't make sense to move to the cloud and, so, just like us we're gonna co-management, state with sec amman in tune we're, gonna be there a couple years several. Years and so, I think as people. Kind, of go through this evolution. It's. Really they have to be really key on what resources need access to what other services, etc and, and. Not try to kind, of go too crazy just take, it slowly yeah exactly because, I think even you know if you think about some, of the capabilities we have to do on these devices from patching, into policy, management some of that stuff we still have to do through the legacy systems to try to bring that forward into, the the modernized, environment, right right and I think it's more of a mindset you, have the cloud first or internet first mindset, so you, you, do everything with that in mind that doesn't mean you have to just. Change. The tools as much as you have to adapt, to the new way of exactly. Servicing, which which is perfect, yes so. One of things we want to talk about is sort of what this looks like right how the workflow goes and then we actually leverage the nice slide from our partners over here to. Sort of define that we we called the identities the new boundary which is using, that user on that device and identifying, both of those to ensure that they have the access to do it so I can be in that unprivileged Network environment, and I, could be you know at Starbucks, or it you know any local. Coffee shops and I could be logging, into my machine to try to get to a word, document that I need to go edit to make sure we have the latest version, of what we're working on for IT, showcase.

So. I get that MFA check right so for us the first foremost is identifying, who you are and validating, that with that MFA, and, then we bring, in that sort of condition of the device is it healthy can it be can, it access to the data that it needs to access so you know using the various conditons through a conditional, access location. Device user, what. The application, is they're trying to access and then, if they're allowed will, let them through and I think one of the tiers also, here is sort. Of that on-prem environment, is there's also that Azure app proxy, layer - right where you, know maybe the application itself. Is, being proxy then through that to the on-prem environment, so still doing that conditional, access evaluation. On the device itself and then. Carrying that through with the layer to, ensure that they have access to the data and I, think the key here though, also is that it's a continuous check it's not just a one time you're coming in we validated, you at that one time maybe your device becomes unhealthy while that's happening oh yeah, and and so you're still connecting, but. We're doing that continuous, check to. Actually validate that that device is still healthy to connect without, having to necessarily force, a tree authentication to do that so kind. Of a nice little workflow that we've that our friends have created for us to do that on so so. I love, that you're focused on the identity, because, I think that's something that a really, clear message that, needs, to people, need to adopt right for. Four years in IT and, and, in this, industry it was protect, the device protect, the device oh the, device has to be secure we're. So, beyond the device the. Devices are pretty much secure I mean, most of us has come encrypted, whether. It's mobile whether, it's a PC. What they, come encrypted, they come set you have your policies and passwords, and everything else so. From, a security standpoint. It's. About the user and, and. The second layer is going to be about the data right, so don't. Worry about the device anymore if you're still worried about the device you. Might want to rethink that strategy because, you, really need to move beyond the device, the. Device should be agnostic, as kind, of we, talked about in the beginning if, you look at all the platforms that we have we. Have users of Microsoft on every platform, every. Every, there, are an Android they're on iOS they're on a Mac they're on a PC they're. On a surface device they're, all over the place and like that the the nuance of making sure we understand, exactly what, we're trying to protect which is that data element, to try to access with what through, whatever application. I'm trying to access it right so. Anna will talk a little bit in a, bit about how. The sort, of ecosystem EVMS comes together but, when you look at like a IP or as your information protection rules or Windows Information protection yeah, is that device allowed to access that data and is that user allowed to access that data right I mean that's sort of an your point right is do I have the identity of both of those device, and user to ensure that they can access those elements from, the device that they're on because I mean, we've, all got a phone, in our pocket and we've all got laptops, in front of us and and I think I back, in my office I've got other laptops, and back at home I've got my home PC but which, of those devices am I allowed to connect to and.

And. And the user is really the weak link in this because you could have the most secure device and the most secure Network but all it takes is a user with password one two three as their password and you've. Exposed the whole organization, so you need to go beyond, passwords, you need to go beyond, just that credential. Check to, really give security to your point exactly yeah. I think there's another webinar coming up for password, list right. And. This is kind of our. Michael's, talk a little bit about this this kind of talks about how we look at the ecosystem, right yeah, we think of it as a three-legged. Stool with, information. And said but we, can kind of walk through each, one of these pieces yeah. I think just, to your point let's let's focus on the stool for a second because the. For, us within digital security risk and engineering da sorry we, really take that approach of understanding, what the risk of the environment, is right so the platform right. So that's the platform layer and then what, we're trying what is it we're trying to protect and we've been talking about the data and that's the information protection, layer. And it I think to be clear when, we say that information, protection it's not just Microsoft, and some information right right we have access to customer data some, people have access to customer data right, so, there's there's just not just ours but it's other people's, information that we're trying to protect as well so their personal information exactly, I mean, I mean we've got a Spacey's account and user users, freak out if you try to mix that information, I think well, if there's anything that we've learned with, rolling out conditional, access for example here is people. Are, super super. Worried, about, the, separation, of your personal data versus your corporate data that's. Not clear, so. That information protection is that it's especially, when you're touching the personal device like a phone right, I think I took a picture of us before we got on here right yeah and let's say that was a picture of the family I want to make sure that you guys aren't taking that absolutely, not taking that picture right. So. So then you, know so using, that risk management. Foundation. And what are we trying to protect is the information, this Mike said we have those three legs of the stool and each, of the three legs are super important, right so the device health which we see on the rest of the slide here, we'll. Talk about and more specific, especially as we go through the slides but that didn't add any management tier right you mentioned in my UNK which is really. Understanding, what, we have to do from an identity perspective. Including mfa, on these devices to ensure. That you are who you say you are when you're on eradicating to that thing and. That you are continuing, to be who you are not just the, one-shot deal of applying. That logic but, then the really, I think for me the foundational, piece of that of, the stool here is really the data and telemetry right. Is it we have to be able to understand, not, the data that we're trying to protect but we need to be able to see who's. Using what devices how, often are they being used is it being used in a healthy way and, then just getting telemetry across, the other systems you know we'll talk again, about sort of the EMF suite but if I have advanced threat analytics looking. At all those login different login, events if, I have as, your information protection ensuring. That we are classifying, those documents in the right way but if somebody downgrades a classification why. Did they do it maybe it was you know they were actually writing a recipe for something, and. Then you know sort of everybody shermian have that spoken do they never, never, I mean I think my recipe is highly confidential personally. But. So again, if we look at the the device health portion of this slide right. Just. Look focusing on that one leg here you know again making sure that we have up-to-date operating. Systems on all of our devices and you know whether that's through the Windows Update service to update, our machines on the windows devices but, also ensuring, we have those, updates, happening on both iOS and Android and especially, now as androids, moving in towards, more, of a monthly, security patching cycle how, do we ensure that those security patches are being applied so we make sure that that device is as secure as it can be and. Then as we sort of move around the circle write malware, protection we, need them in understanding, what could be happening on that device and ensuring we have at least some visibility again to the telemetry on that device to understand if there's something there.

Encryption, You know latest apps to make sure we have those updates it kind of goes in line with the updated OS and. Then again that integrity and conditional access piece that we'll be talking about throughout this presentation so, and and how it all works, together in the sense of you're using all these signals that you're getting from different places in, one place exactly unlike. You know what I like about that stool was that it's all connected, it's not that delay it's not an Ikea box where the legs are all, over the place and you've got a figure there just to get it out like how, by. The way we do this asset in a three-legged stool works. So. Even, even the I guess tool is great I have one myself I'm a mutable us by the way I don't know if I shared that but. At the same time you, have to set it up right and if you can buy one a stool that just, is connected. To each other the legs are connected to the you have place you sit that's, what that's, how they all work together and I think that's there's something really powerful about a solution like that exactly absolutely so. Let's dive a little deeper and, and, kind of talk about kind, of the health aspect. Carmical, you mentioned a little bit about the the secure admin work set workstations, and what we're doing there. But. Really when it comes down to what is what does Microsoft's, posture, today like what do we tell people we're. Pretty much your. Device should be managed, rashon you. Know while there is mam and some other policies, that we use to apply in different scenarios really. We want your device to be enrolled now. With that it's a little bit complicated if, you. Know if I'm honest here there's. A lot of personal devices and separating, that personal information and then, like. Right now we're running into scenarios. Where there's, a lot of people where, they'll bring their personal PC, and just enroll their personal PC just. So it looks to us like a corporate asset when it's not yeah, and so I think, every, environment, I think his users just, become more accustomed to enrolling. Their device I mean we're all enrolling a device is pretty easy, settings. Work access, boom you're in I think it's you know you mentioned, ma'am and before we got started here monkey we're talking about the poll that the Intune team put out on Twitter, which. Is it's super interesting conversation because Mikey touched on a little bit which is for. Us full, device management, is really our focus if we can't trust that device is who it what it is and the, person that's using it is the person that they are. That's sort of our foundation, right but, then in order to protect, externally. The the applications, so if I'm at my house and I pull, up on, my device at home that. If I you know starting, to read an email but I want to open up the attachment, that you know it. Comes, back from a man policy and says hey no I'm sorry you, have to be managed and then it walks me through that management workflow or at least ask me if I want to be managed and on my home PC of course you know so. A. Little. Separation personally, you know but. Then I'll just, reach down into my bag and grab my work laptop and go from there right so there's I mean I think that that idea of having, that's again the foundation, of the full device management, with some of the capabilities we need to bring in and by, the way that that polls still open so if, I. Didn't. I've been plugging stuff so the next thing to plug is our Twitter, IDs so -. At my young Jedi why UNK, Jake and that's where the poll is and then we have the MS in tune at the rate ms in tune which. Also has that so. It's interesting that even if you're not blocking. It at least you can allow a restricted, access where, you're like saying okay I don't know you I don't know if you're exactly. Who you are but at the same time if there's something not super, critical, if you just checking email go, ahead what if you want to download the attachment or do something with that maybe not right exactly and that's, where that that's, where you I think you need to really look at those policies, like what are you really trying to protect right and if you have the information protection, policies, in place that, really.

Really Helps so. We're, going through a whole process here right now to basically say look how do we categorize that data and more, importantly, how do we take some of that out of the hands, of the user yeah because, let's, be honest, users, are never gonna they. Are never going to categorize, 100%, of correctly that's just not if you think that's gonna happen, that. That's not a reality so, you, need to just put those in place so that you can say look if, I'm looking at the data that's inside the SharePoint then, I can actually mark it as this. Is secure, this is high-impact. This is hbi whatever, you want to call it in your environment and then you can actually manage that accordingly so to me that's super important you mentioned hbi and just as a society, we built. You know we started working with the ad room from a shoe production team and of course we had to read change the classification, to mirror, what was there so Mike, Mike mentions the high business impact but now it's highly classified classified, and, down so by default all documents. That we create are tagged, as general right so, if you're going to open up a document and start working on it and then at on that layer then you have to sort of make that idea that, that thinking. In your mind to say you, know am i creating just a document that I want to send to my family so maybe I make that personal, or Dwight is this really business-related and how far into the business is it related great so it is it die Holly confidential, and. I know there's different tiers of what AIP means, in this environment when. You're deploying it depending on what level of, Licensing, you have but, you know of, course we're on the e5 SKU and being able to do some of the additional things that we do there right you, know creating special. Words that say you, know this code word is, is something that we need to protect so if I ever see that code word using a document wrap. Then make, sure that that's highly classified and only FTE only, this particular group of individuals, so getting into that granularity, is is something you have to be cognizant, of when you're planning that strategy around the yeah, tagging, so and. As an end user I see that myself all the time I mean when I'm working I work a lot on roadmaps so as soon as I am working on something and you, know it says obviously planning, for the roadmap it automatically, pops up this thing saying you might want to turn this into a classified or a confidential, document yeah, so I see, that working, for me every day you. Don't wanna share the full roadmap for anything. That's. A good everybody, wants to do the road map don't they yes so the goal state Mike what's that yeah let's, talk about our goal state kind of where we want ahead. The. First is we're taking a hard look at our network boundary. And so, something. Kind. Of new for us and not necessarily, new for us at Microsoft, but some programs, that we have here is we're. Trying to take, a step back you know we mentioned in the first, kind of couple slides that, were internet first and so.

I've. Talked to a lot of different companies where they're going down a similar thing to say look, if you're in a small office yeah five six, eight hundred thousand, people do. You really need your corpnet connectivity. And our. Answer is no we, actually, don't want that so, we've been peeling back that back that layer for quite a long time and, so, we just look at from the network side even, if you look at our corpnet Carmichael, you mentioned the the high risk environment, right what. We see if you if you look way in the future our high, risk environment, are the ones that gonna that are going to be on the corpnet right and so, we'll pull, that back everyone. Else you. Should really be coming from the internet there's, there's really as we move things to Azure as all the cloud services, are there is all the apps are there you. Really do not need to, be on, the internet or you don't need to be on on our corporate network and, you just mentioned how you just move to the states and I think one of the things that we've sort of it you know geolocation, sort. Of perspective we. Don't necessarily think about until. You realize you work for a global company is, the network bandwidth there are different places right so so yeah maybe I don't need you to backhaul, across, you know if you're in you, know some remote location say in Africa backhaul. To Dublin and it's, coming up revenue, to get your data right maybe, I just need you on the internet with it with a point where you're actually local, and you can get a better bandwidth better better experience, right okay I think we, have to balance that, that tier of security, versus user experience, to be right to make sure that we have. We're. Not impacting, them in a way that it makes them not able to work but, we're still, ensuring that we have that protection that moves them forward into, doing what we want to make sure that we do and, this may be a good place for you to maybe explain, a little bit more about zero trust networks, you mentioned that earlier like. What do we really it. Is, that a concept that applies here about internal, threat versus external threat you. Know and how we just treat everyone as an, outsider right even if they are internal users right, it, really comes down to you, know I said it's not just the sort of the legacy, networking, mindset, of what zero trust is where it's that that network isolation, of your environment but, it's ensuring and for us I think the way we more think about it is managed, versus unmanaged, and what's the tiers of management, that give me the right user experience, with the right security controls, on top of that right. I think what I'd like about working with Mike recently not. That I haven't liked working with you for a while is, that he. Came from the user experience team or the engine user experience team and so now that he's in security, he's bringing, that experience within, to say you, know hey guys here's, a security. Control that we have that maybe we need to make sure we understand what that full experience is so taking this list of controls that I say I have to do on these devices and applying.

That To that user experience but, again thinking. About zero trust in the way of manage forces unmanaged, that's what just you know devices, it's user experience. To you it doesn't matter where they're coming in progress right so unmanaged, versus managed I could, be managed or unmanaged on, the corpnet that. Doesn't matter your policies, will decide the, level of access that I have as an end-user right, because you know you may be maybe everything I access is an information worker or a sales Pro, if I'm out in the field everything, I'm doing is you know Dynamics 365, it's all cloud enabled, I don't have to be on prim but then there it could be we, talked about secure access workstations, which is our admin level but, maybe there's some financial data or something like that that was within Corp so I have to give that experience and again sources looking at that not just the the, network, boundaries, but the app boundaries, as well so right, and. One thing that's enabled that kind, of walking, through the the slide Terry's we, have kind, of built a robust, reporting solution and so. Using. Microsoft, tools we've been able to actually really. Develop, you, know what does it mean to look at the device to look at the health of the device to, have that reporting in the backend right because really you. Want to rely on that back-end reporting, solution, to. Drive the behavior, so. Everything, from our service operations, to the health of the app to the health of the device all of that with those checks that are in place and then. That comes to where we are today so. You think about where we're at today we. Have conditional, access released. Her. All we do on what platforms on iOS, and Android was soon to be more. But, it's, been a journey so you know I mentioned one of the just. To. Bring you guys into kind of Microsoft one, of the big challenges we had remember is the personal, verse corporate, right and. So remember, in that first slide one hundred and thirty thousand employees but the device count way higher so, what does that mean we, have a lot of people that that are vendors that, have their devices enrolled because they want to access to data yep so. That kind of has, helped modify and help drive our kind. Of conditional access model in what we're building for people so.

In. General but if we don't know you if we don't know your device, you're. Not getting access to resources that's, really. The. The point, we're driving toward and then. If you think about from, from. A next steps like where are we going from here really. I think as I, took over the conditional access epoch, for our team when I moved over a couple months ago to our security team one, thing is I think. I, hear. People talk a lot about conditional. Access and, what we're driving and so, many people think about this as a point. And time experience. And I. Think that mindset needs to shift I'm trying to shift that in our current organization, to say look conditional. Access is not the enrollment of a device, it. Is the ongoing service. You, know you, mentioned OS updates and managing, the device and all the pieces the AV that have to be on that device if. You're looking at conditional access as a service, it. Means I'm looking at the new functionality, that they're putting in Android. PQ. Whatever they're on next, and I'm, looking at the hardware that's coming out with Samsung, and other manufacturers. And I'm saying look if there's a new security, bar for, a platform, be, it Android be it iOS via Mac be at Windows then, I'm going to adopt that and, when I adopt that that means my bar just got raised so, I'm no longer gonna say for, example, older, Android devices that don't support certain, hardware backed encryption, guess. What I ratchet. Up you're, out of the network that's, a service that's not a point in time that's, a sorry you're on a little device you're. Gonna be moved off that device well I think it's a it's important, rate is because maybe, we didn't have those controls if you use again we, do have that capability now, to do minimum, OS and, even double you know manufactured, devices and stuff like that to ensure that we, are sort of again. Locking, down, to. Use that term the the device types that we're using in the environment, so which is really important and a great feature for my perspective of entrusting that device to be able to access that data and, also giving people or giving the end-user a way to remediate, that condition. Right so the a big a big, chunk of conditional. Access is not just blocking, stuff but, also saying giving. A very friendly path. To the end-user to say okay this is the reasons that you've been blocked, and this is how you can remediate yourself, and then to your point about not being point in time as the, conditions, change that's, when it will automatically. Evaluate, okay now you've remediated, what it was it was an update that you needed to do maybe you, did that update now your back-end without having to call helpdesk without having to visit the, tech link or anything like that exactly. And we've noticed our users are getting a lot more familiar with that experience. If, you think about kind of the password. List key experience, I always, relate this when I talk to people I say hey, to use online banking and they say yeah they say ok well when you use online banking you have to have a key, on the device usually, you have to view a picture or something you have to put a pin you have to have a password you, go through like three or four checks right well. Our data is just, as secure and just as important so maybe more maybe more so.

People Are getting with. Experience. The. Mocking slides are really important yes. Speaking, of which, we. Let's. Shift a little here and just talk about we kind of want to walk through the management. Architecture, this. Will be a little quicker conversation. But, in terms of configuration, manager, plus in tune so. If you think about that plus cloud experience, right where's that cloud benefit. We're. In this mode today we're, using configure, man config, manager plus in tune and we're, going to be there for several years like, any other service. And in infrastructure. We. Have costs. There, there and it serves a secure purpose so, even, as we look long term as we look at our HRE. For example you. Know we're, gonna use system, Center and use management for, those devices so. We have, in tune today that's our primary we're. Driving to, well. From a PC perspective, one of the things from. A strategy, perspective we're, moving toward is as, your, domain joined so, we're going away from classic, domain joined we've been on that road for actually a couple years yeah in. What, we have, how. Many devices even, under management we have what thirty thirty five thousand, devices in. The azure management. Stack, already so, we're, well on our way. To. That so. Essentially. We, are going with configure manager plus in tune and and. We, also want to be there to help our customers because we, see this model as the majority. Of enterprises, are gonna be in for a number of years and I think one of the good things is is it goes back to sort of that experience too right because if I am cloud enabling, users. Out in the field to do stuff having. To figure out how to get to an on-prem, Corp environment, to a B join, your device to get access to data doesn't, always work especially, we talked about sort of that field scenario, we will sort of move away from having them come all the, way across the globe to get to some you know authentication mechanism. So. Having that enabled, so I can do that out of box experience not. Necessarily because I've got my Christmas present I got the new surface pro six or whatnot but there were three years right. But. But it just even, if I had to reset, my workstation, right to your point on the sort of the service calls right if I hit reset on my Windows box because I'm having some issues but, then having that experience at that Azure Active Directory domain, join level, to, apply the conditions, that I need to apply to that device to make sure that it still has what we want, from a security perspective on it where, I don't have to be you, know again we still will have those those environments, where we need to be on prim with you, know whatever that data is whether it's the SAR or some other you know confined, device it says you still have to be there it's not to be domaine joins to have to get the policies through it through config manager too so yeah, and when I see that architecture. Slide that you just showed I mean when we talk to customers at the EBC and when we are meeting customers. All over the world it's. Not very different for them all, right that that reality of that architecture slide, is very similar. For our largest customers, and also our smaller customers just. Like it is for Microsoft so, it's a reality that we are here and they're, designing they're building the solutions, to address that reality of it will never be internet only it'll never be on.

Purim Only but it'll be a mix of the two well I like the exactly. We call it internet first because that's the first point I wanted to come through but there may be additional points so you have to come in through after race absolutely. And I think i stoled your thunder on the next slide no, no that's, all good we actually I think we touched base on quite a bit of this that, that security management, that self-service, experience. Really. More users are just getting more familiar with how to operate, and. That's one thing I wanted. People at, least our audience to think about. Traditionally. A lot, of people just from, a from, an enterprise perspective have. This of listen. I have to handhold my customer, right, I have, to handhold I have to White Glove treatment, with, everything they do what. We're finding is the reality like, azure, ad joint, we. Didn't advertise for. People. Internally, to go do that it's, not like we told the masses at Microsoft, yes, we're going to do that yes, we have a plan we're going to do that very soon here at Microsoft where everyone is by default so, we're enabling those back-end processes. To make Azure ad our first, process. But, we haven't done that yet beaten, without doing, that we. Have 35,000. People that have said look this is the way I want to go exactly, now granted, people at Microsoft are a little ambitious and they tend to do things even without us, wanting them to but. It, just proves that users. Are starting to get into that self-service. Mode yep, right they see where it is they want to go to the cloud and then, they look at the controls do I really need full corpnet. On-prem. Domain. Joins the way how you always ran exactly, and the answer, we've. Done this with a number of people internally, we. Actually have a bit of a challenge right we, have a number of people in our organ, in our user. Experience organ. In our security org where we've told them look go, go. Join your machine to in tune, put. It in a drawer put it in, workplace, join and go, test it out like, tell us what you can't do, exact. Because we're more were more. We. Want to find out what you can't do verse we, know what you can do almost everything and the answer has been yeah 99%, of their job if. They're, an information worker if their rpm they can do their job 99%, they do not, need access to corpnet which, is why, we're taking it out of those small offices, so. That's. Where we're going so I think on the next slide I think what I want to make sure we we also get to is is that it's not just in tune it's not just those conditional, access policies, but, that ecosystem, that has to be behind that in order to support what we're trying to get to right we talked about telemetry, so, we, talked about advanced threat analytics as. Your information, protection being able to tag and classify, those documents, to ensure we have the right capabilities, then. Using cloud app security to, monitor, that document, as it's going across the network like maybe, I've tagged it appropriately, but I'm trying to send it to somebody who doesn't have access to it outside the company so getting that visibility that telemetry was going, on was that yeah, I mean, I think we have a write-up on IT showcase, about a time where it was, uh not. Not necessarily like. A, threat. That they did it but it was an accident, and it was caught before it got too far out want, to see if we can dig now and I've actually that's a good point. Because, I mean there's there's times where maybe you've been working with a vendor in and, you keep, working with them but then you all of a sudden change the vendor and so you send the old one an accident, and you're like oh wait a minute I don't, think you meant to send that document to that person you just send it to because they're no longer in your tent of, responsibility, so right, but, but again using that soul that whole ecosystem as. What. Is driving this and then I think that's important, to understand, because it's, not just applying, Intune policies, it's not just conditional, access it's not just you know config manager, right, there's this there's this whole ecosystem that has to sit behind that in order to support, this and it brings us back to the stool that's.

Real Legged stool the fact that it is not just a concept it is not simply, you trying to explain it, simplifying. It but if you look at the the way the solution is designed it, is designed to, it really work together. Not just be, there so it's not a sweet for the sake of being a bundle, you're not saying oh well if you buy the EMS or you know you buy this license, it's cheaper than buying them. Standalone. Which it is but, the. Fact that they actually work, together yeah yeah. And then you really need it to work together right I mean I think that's the key and I think we've we've seen, at, least in the three years I've been here this. This enhancement, of this environment, I think maybe this story. Is. It's just how improved, we've sort of gotten because I think just looking at where we were with the vows shall not have an on Windows Device - now we're at this you, know fully, managed, ios, and android you're sensational access, 160,000, devices that if you want to access corporate, data on that device you have to be managed, i think that's to. Me that still sort of blows me away when i think about the fact that that was the first environment we were able to tackle and I think we tackled it very well so yeah, and as a relatively new end user I can attest to the fact that it's pretty pretty seamless for me like, the fact that I you, know I just come in a different company and it. All just works and now that I do, this as I learned more about our different technologies, I notice, how they're all working, together yeah, like a simple example if I may the. Fact that our internet. Access is just so seamless like, it took me months to realize that you know what I never really double-click. Anything to get into my VPN, like. When I go to my benefits, page or my slap you know what we call the Microsoft, in Israel you yep it just worked and it took me months to even realize how. Seamless. That whole experience was yep. Right well like, so Mike talked about having been understanding, of your applications, of what's available what's not available when we first started doing the internet first rollouts. We actually started blocking and only, driving people out to the Internet and a handful of offices, of which, I was in one and, you. Start seeing experiences, like I can't get to my HR data I can't do my time away right, I can't I can't actually look at how much vacation time I have to take before the end of the year so I don't lose it yeah and, then figuring, out what those experiences are to your point Mike and understanding, then how, do I actually.

Enable. The, user to actually have that experience so using things like power apps to do all of our HR systems through so I actually have that time away reporting, and the visibility, there awesome. And uh do, you mind taking a few questions now we seem to be getting idea. Doesn't. My cell one, of the interesting ones I see here is, about. The benefits of go management, so what people want to know especially, if with your own experience, yeah pros and cons, of going. Towards go management, so. The, the, huge benefit, is you don't have to kind of redo what, you've already done right so, one, of the big challenges we had so for example when we first looked at it the, very first thing we did is a policy, trip so. If you look at config manager we had literally 800. Policies, across our environment, and so we we kind of said look let's, take all those policies, we did the evaluation we use the tools from Windows and then. The next step we said is what, which of those do we want to be an MDM like, which ones do we really need right because, the I think a problem that people and this, comes back to your your mind shift right if, you. Think that moving to the cloud and moving to MDM management, and moving to that direction internet, first if, you think that's a lift and shift of all the policies, that you currently have that's. Wrong right that is the wrong way to look at it what, you really need to say is look. They're on the internet what, access do they need to resource to or. What resources do they need access to and then, what controls do I have to put in place because. Even, internally, Carmichael, and I fight this all the time with people they. Say well it, has to be like this because this is the way we did it on the domain we're. Like but they're not on the, domain and we don't well. I think when you create the FAQ, for the user experience when they're like why are you doing this to me you don't show 800, gpo's you show that standard, like this is the operating system standard, and these are the you know eight two things lead to ten things that we have to apply to that machine there's. A lot of context, behind that and it could be config, manager it could be GPO it, could be in tune policies, right. But but just showing them that set of these are the things you know kind of back to that device health slide is these, are the things we are doing on your device they require.

Be Done on your device you don't have to know what the backend of that is so having that experience sort, of at that boundary of what. Do we really then tell the users that we have do on their devices and. A second piece to that is this is what we're not doing right, liner lice well. That's the almost the more important piece a. User, feedback we got was really clear, during our iOS and Android people, are almost, more important, or more interested. In what, we're not doing yeah, so we're not looking at your photos we're not looking at your web browsing we're not checking we're not looking at your cache on the device we're not getting your password. To your hotmail. Or Outlook account about doing a full reverse wipe when you we're not you're not wiping your device stuff like that so that's super, important and that's part of the product now so I know that we actually we redid, all our product. Screens to, make that very transparent, very user friendly so, that it's not for the IT department, to have, a custom solution to, reassure users, but it's in the products absolutely, another, interesting one and I, would like to know this myself is when. Will you do you think you have, solutions. To manage even the meeting rooms like surface, hubs and things like that do, you guys have plans to manage that as well so, I think we do and so let's use surface hub as an example we actually do have policies, that we can use through in tune to manage those and I know Mike and I we working on that for a while. Kiosk, machines, to rattle and we have iPads, outside, of some office, some rooms, that actually control. Information there so there's sort, of that kiosk policy. Experience, that we can use through the same set, of tooling. That we have to. Manage those devices I think there's still some of, those additional IOT, things that we're trying to work out I mean we have a standard we have a list of things we want to be able to do on those devices but that you know kind of back to what my team does is okay. How do we actually do that working with your team the product team whether. It's you know in tune or whether it's azure IOT or, some other group to ensure that we can actually do the effective, controls, we need to do on those devices so there is work in progress for sure yeah but. I think you. Know sort of gain fundamentally, understanding, what is it that the device needs to do who's. Going to be connecting to that device and what lap occations things like that run on it so I think having that minimized hub. Experience, with a set of policies that apply to that so yeah we're doing it today yeah right and I know people like to know roadmap but that's, something that is definitely exploring. How I out, what role does really, played the enterprise because if you ask someone what is IOT the, answers, would be all over the place is really nailing down what it means to the enterprise yeah I mean you know is it just your nest almost at or is it something else, if you're really exploring, that and I think in the next few. Months we will see much more targeted, solutions. Around IOT, from the EMS in tune well and I think you're, absolutely right because I think that's one of the things even internally we struggle sometime is when I say what, is IOT if. I go talk to our corporate, real estate team IOT, is all the building management systems, it's the thermometer, the. HVAC systems, it's the elevator controls it's you, know those various things versus, if I walk down and see a heart, garden Cortana, device in somebody's office that's, doing you know hey what's my next beating or.

Something Like that right so I I think there's different experiences, depending on who you talk to and, I know when I will get my coffee pot in the morning I want to make sure it's set to the right temperature and I've got my cup of coffee when I'm walking in the door so correct but, but enabling that and you know getting kind of that trusted. Boundary, again right is okay what device devices. Do we trust to have access to what areas, of the systems right so we don't have you. Know your coffee pot talking, to the building management is highly confidential. How. Do you classify. For. Probably one last question and I see people really sort. Of doubling down on this question so I'm gonna ask you this one it's, almost asking, you again what, are some of the biggest challenges, when. You try to flip on co-management, or when you try to do this SCCM, plus, in tune is, there something you can share without. Yes. I, think maybe. Mic you can go into more details yeah I think just at a high level, it, was doing, that mind shift of, taking, SCCM, first to in tune first right, but then using config manager to still manage the policies because, I think one of things we were originally, thinking of, and and you know again maybe this is our, buddy's a little. Bit was is the challenge was maybe how do we get the full, device management in the cloud from that that layer but. We realized that there was a lot of gaps in coverage kind of back to what I was talking about with the risk management, right so if there's still these gaps how do I control those gaps we, had a tool that already existed config manager that was do a lot of that for us so bringing, that along to say I'm still, gonna do device management, with in tune but I have to have that hybrid environment, to have those controls there and I think you, know maybe even from the user experience side you can touch that a little bit but making sure that we have those yeah. One of the one of the gotchas. Perspective. That we we learned is, and. This is probably a good tidbit, for our, listeners, and people today if, you look at the application policies. That you have in config manager I mean, we we've been running config manager, since. Its inception right, so, you, think about kind of like GPO, everyone likes a GPO and they're like yeah, I have 5000 GPOs sitting, group policies, running.

And It's just a mess well. Our config manager was a little bit that way for us to be honest and so. When. We started to move to the the Plus in tune and started to migrate over, to the hybrid what. We realized is we have a lot of cleanup and so. I think what, people need to learn is you need to kind of take a step back and look at your application in your provisioning, policies, to, me that's the real lesson, exactly, that that's the real meat and potatoes of how, am I going to manage this right, because if you don't take. A step back take. A hard look at what policies, are conflicting. Or going here for. Example, look, I have an app that's for people in Ireland but yet you're publishing, it to two hundred thousand people to, everyone, because, the app owners or the admin, said oh I should just go to everyone well. How many of those can you can, you have in your environment yep, it's. A. Lot. And. While you're unplugging, things so we've got solutions like security baselines, coming in now we're into that let really help you to figure, out ok this is what I really need are youse using, the power of AI and machine learning, which was in fact another question, that I'm afraid, we won't have the time to cover today but. But, again, it points to the fact that it all works together and it's really, trying to simplify the IT person's, job and maybe, that's what you could share with us as some of the key recommendations, because we are almost at the top of the are so if you'd like to maybe, go there and leave something that people, can now use to. Go and do this themselves yeah. I mean I think for sure in it we've got the slide up on the screen. Where it's they go back into that the EMS view of use what you have licensed, or and make sure that you understand, what that is to write because I think when, I go to the executive, briefing center and I talk to customers they don't necessarily even know what they have or what they're using right or, what, they have the ability to use so, just understanding exactly what you have and what you can use and. Then applying sort of that that policy. Level mindset, to your point Mike understanding, what your existing, policies are today and then, how do you carry those forward, into, this sort of new environment, where. Can you supplement with the more modern controls, where do you still have to have those legacy, controls that you still need to in require to be on those devices right. And. Then you. Know again, I think that covers the sort of group policy mindset, to which is everybody, talked about I think you know we I've. Heard anywhere between five thousand eight thousand group policies. That. We've had to do this taping up than the day we turned on group policy and of course the guys that were originally doing it aren't, with us you know they retired, sense and so, understanding, we don't even necessarily know what some of your policies already barelly -, yeah. Yeah. And, then I think you know Mike good planning, those phases right I mean the epic that you own and. Yeah. I mean you have to take it in chunks right if. You look at conditional access for example, we, focused, on iOS and Android first. And. Now we're focusing on Mac and next, we're gonna focus on Windows Windows, is, a bit of a challenge internally. Here because if. You can imagine we run every flavor of Windows there is you. Have people running server you have people running client, you have people running n. Plus one in beta builds, you have people running legacy. Builds. Out there five eight ten years to our customers, so. You. Have to kind of build all that into. Something that's consumable, for your users yeah. And. I think what you know sort of on that legacy OS perspective. We you're actually are doing that because we're actually supporting some of our customers that are still running right - so we can't just shut those things off through policy so you can't use that anymore but, having that sort of understanding, exactly what they're being used for and then maybe creating. That sort of an environment that they can work in back to sort of the zero of trust and thing maybe they're not on the production, maybe, they're in another supporting, environment so and. Then the the the other thing kind of the last point here on educate and connect I think. From a from, a very high level you, really need to have a culture discussion. At. Your company you. Know here, at Microsoft we, are changing, the culture. Drastically. From. What it used to be it. Used to be a very entitled, conversation. No I expect I'm an administrator, I expect, I can always do this I have full access to everything that's, very different than say going, to the other end which is say a just-in-time, model, where, I provision, you only administrative, access when you need it and it's, only for two minutes so, it's a very different mind shift, and so I think people should look.

At That as well in their environment and say look, from a top-down level, what. Do we need to change from. From the culture when they even to, that point right just you know within our ios and android the. Rollout was right getting them to understand, that you don't have to be on the corporate network the, reason why you were using corp Wi-Fi was, because you were connecting, to the internet, through that and that guy knew that you didn't have to use your data on your phone mindset. Right so you, know maybe you, don't need to be on the network with your mobile, devices maybe you can be on sort of that internet, facing Wi-Fi, right so the culture is a huge one for us th

2019-02-03

Show video