If you would like to read the other parts of this article series please go to:
- Getting to Know the Enterprise Mobility Suite (Part 2)
- Getting to Know the Enterprise Mobility Suite (Part 3)
- Getting to Know the Enterprise Mobility Suite (Part 4)
- Getting to Know the Enterprise Mobility Suite (Part 5)
Introduction
In today’s business world, it’s all about mobility. From clerical staffers to executive officers, company employees increasingly need to be able to work from anywhere and everywhere. Organizations are saving money by lowering the cost of office space and consequent energy bills by allowing more and more of their personnel to telecommute from home. Even managers are coordinating their teams remotely. High speed Internet connectivity and sophisticated conferencing tools enable attendance at meetings when the participants are scattered across the globe.
Microsoft’s CEO, Satya Nadella has declared the company’s new mission to be “mobile-first, cloud-first,” a new twist on the “devices and services” model touted by former CEO Steve Ballmer. It shouldn’t be surprising, then, that many of Microsoft’s new products and services are focused on the mobile workforce that has driven the consumerization of IT and the Bring Your Own Device movement.
From Microsoft’s end (and that of many other software companies), the new paradigm embraces everything-as-a-service. While the name “Enterprise Mobility Suite” might sound like a group of software programs (akin to “Office suite”), EMS – Microsoft’s new mobile device management solution – is sold as a subscription service. If your organization is moving to a more mobile, cloud-centric way of doing business, you just might want to check it out.
Components of EMS
Microsoft EMS was introduced in 2014, but at first was only available through the Enterprise agreement. In February of this year, it became available via the Open License program. EMS is actually made up of three different products, some of which were previously available separately through Open Licensing – thus the labeling as a “suite.” Here’s what you get:
- Microsoft Azure Active Directory Premium
- Microsoft Intune
- Microsoft Azure Rights Management
These are separate services that are packaged together in a subscription to EMS. You can use the different management portals to configure and manage them. You can also use the Microsoft Azure Active Directory Module for Windows PowerShell to manage Azure AD via the command line if that’s your preference.
Let’s look at each of these a little more closely. First we’ll provide an overview of each of the services, and then we’ll delve into how to deploy each in your organization.
Microsoft Azure Active Directory Premium is the more full-featured version of the Azure Active Directory service that is built to provide identity and access management in the cloud. Azure AD can be integrated with your on-premises Active Directory, with automatic sync of user attributes to the cloud directory. You have centralized management of Azure, Office 365, Dynamic CRM Online, Intune and many non-Microsoft cloud-based apps, as well. You get 99.9 (three nines) uptime in the Service Level Agreement (SLA) for enterprise-level reliability and availability.
There are two lower-level versions: Free (which comes with all Azure subscriptions and doesn’t require licensing or installation) and Basic (which adds features such as group-based access management, self-service password reset for your cloud apps and application proxy for publishing of on-premises web apps).
The Premium edition gives you everything that you get in the first two, plus self-service group management, advanced security reports and alerts, multi-factor authentication and Microsoft Identity Manager (MIM), along with password reset with write-back, meaning a self-service password reset is written back to your on-premises directory. Also included is Azure Active Directory Connect Health, with which you can monitor your on-premises AD infrastructure and receive helpful usage analytics so you can see patterns and trends in usage and performance.
Microsoft Intune has been around for a while; it was first introduced back in 2011 as a cloud-based management service that targeted small and medium businesses with up to 500 Windows computers and provides an easy-to-use web interface. Since that time, it has matured to encompass mobile device and mobile application management and integrates with System Center Configuration Manager.
Intune is used to manage PCs and mobile devices and to manage mobile applications. You can control access to Exchange and Office 365 and you can deploy certificates, email profiles, VPN profiles and wi-fi profiles to mobile devices.
In keeping with Microsoft’s new philosophy of embracing competing platforms instead of excluding them, the MDM capabilities of Intune support not only Windows and Windows Phone but also Android and iOS devices. You can implement resource access policies, remote wipe of stolen/lost devices, device lock and encryption of the data on the devices. The MAM functionalities let you deny access to specific URLs or applications, push mandated apps, and selectively wipe managed apps and data, as well as applying rights management to files. Speaking of which …
Azure Rights Management extends Active Directory Rights Management Services (RMS) – formerly Windows RMS – to the cloud. RMS first appeared in Windows Server 2003 and was renamed to AD RMS in Windows Server 2008. It was logical to bring RMS to Azure as Microsoft became more cloud-centric. Azure RMS enables you to control what users do with Office 365 files and messages that they are authorized to view or access, thus making it more difficult for them to inadvertently or deliberately share that data with other, unauthorized persons.
With RMS, you can place restrictions on the ability to copy, forward, change or print RMS-protected files, even when they’re accessed on a non-Microsoft-based device such as an iPhone or Android tablet. Azure RMS can connect to your on-premises Exchange and SharePoint servers, and when a file is saved to a location, “protect in place” ensures that the RMS protections remain with the file, even when copied to a cloud storage location that your IT department doesn’t control.
Not only does Azure RMS prevent unauthorized persons from opening or manipulating files, it also includes monitoring services that can track whether and when the authorized user(s) opened them, whether they attempted to perform any unauthorized actions such as printing or changing the document, and whether unauthorized persons attempted to open the file.
RMS has always been a very useful data protection mechanism for businesses, but deploying an RMS server hasn’t always been an easy task. Because Azure RMS is a cloud service, your organization can now take advantage of its features without the administrative overhead. You don’t even have to configure trusts with other organizations to share protected files with their users as long as they have Office 365 or Azure Active Directory.
Getting Started with EMS
Moving from concept to implementation, then, how do you deploy the Microsoft Enterprise Mobility Suite’s components in your own organization? EMS makes it easy for you to activate access to all three separate cloud services in one simple process.
After you have signed up to purchase EMS, you will receive an email (at the address you entered during the sign-up process) with instructions (depending on whether you already have a Microsoft Online Services account). If you haven’t ever purchased an Enterprise Volume license before, you have to activate the license plan. If you don’t already have a Microsoft Online Services account, you’ll need to sign up for that first. If you have an existing account, you can use use it by signing into the existing admin account.
Note that you need to sign in using the global administrator user name and password for the directory where the licenses will be activated. When the account has been successfully activated and the licenses are provisioned to your directory, you will receive a “welcome to your Enterprise Mobility Suite” email message.
Next, you’ll need to assign the new licenses (if you already have an Azure account) or if you haven’t used Azure before, you can click the Sign In link in the email message to go through the steps to access your directory. Azure uses two-factor authentication and the second factor is a mobile phone. You’ll be prompted to enter the mobile verification information (your mobile phone number) and select whether to have the service send you a text message (the default) or call you with the activation code.
You’re still not quite ready for users to use the EMS features such as rights management services. You have to manually assign the user accounts in your org licenses. You can select to which users you want to assign licenses.
From the license portal or from the welcome email message, you can access the Azure, Intune and Office 365 portals for your Azure AD Premium subscription. You can also access Windows PowerShell for managing licenses at the command line.
Summary
Microsoft Enterprise Mobility Suite builds a unified mobile management environment on three of the company’s existing technologies and integrates cloud-based services with on-premises products such as System Center Configuration Manager to extend your management capabilities to all of the devices and applications used by your workers to access company resources. In this, Part 1 of a series, we broke EMS down into its three components and provided an overview of what each one is and does and how it fits into the solution.
In Part 2, we’ll start to discuss some of the particulars of how to deploy EMS in your organization, so stay tuned.
If you would like to read the other parts of this article series please go to:
