With a new version of Windows coming down the pipe, Microsoft have started to release information about some of the key technologies you need to know a little more about. Those technologies aren’t just key to giving your users an amazing Windows experience, though: whatever device they use, these core skills for enterprise mobility will help all of your users have a better experience.
Enterprise Mobility Management is a massive subject domain, subdivided into multiple solution domains to meet that holy grail of outcomes: maximize personal and organizational productivity while minimizing organizational risk (and minimizing personal privacy invasion). I include the part in parentheses because it’s important: IT needs to respect user privacy to gain user trust.
Now is the time to invest in your “core skills” for enterprise mobility so you are at the center of your organization’s future, just like you were when you moved from Windows NT to Windows 2000…remember how you felt then? I felt pretty epic, it was a career highpoint for me!
So I decided to break it down into 10 core skills for Enterprise Mobility!
If you have a severe case of TL;DR you can just look at the pictures and skip to the bottom.
Identity, not device management, is where I think you want to begin your journey. Why? Well, it’s the cornerstone of being able to set up some sort of trust. So what are the top three things you need to know about identity in the modern world?
1 – Cloud-based Directory: Azure AD
You need to start out by understanding why you need to extend your directory to the cloud and this is where devices come in. Today’s devices move around a lot, they go everywhere. As a result, they connect to different types of networks and they can’t always work in the synchronous way we recognize with on-prem. Even if you think you don’t have a highly mobile environment, it probably has highly mobile characteristics: high latency, lossy network connections.
Azure AD is designed from the ground up to work in this environment. Also, because Azure AD was born in this new world you don’t need to wait for improvements to come along, which means you can test an improvement while it’s in Public Preview and move to production when the feature does. On-prem you’d have waited a couple of years for the next server release, then done the paperwork to get a change window to raise the domain functional level.
Not having to wait means you don’t get left behind when your organization wants to try new things!
Users aren’t the only things with identity in your organization, though; each device a user enrolls or registers also has an identity, and Azure AD records that for you as long as you’ve enabled device registration. This is a critical core skill because it is the foundation for something we will come to later: Conditional Access.
2 – Cloud Based Activity Reporting
User accounts are of course about much more than matching a password to an identity. They are also about matching other attributes to that identity, such as where and when a person usually works. One of the coolest things about Azure AD is that it can learn those things about your users. Don’t get me wrong, Azure AD won’t learn your users’ job functions and add them to their accounts!
What Azure AD will do is something incredible: it learns the normal pattern of your users’ sign-ins and lets you know when they do something strange, such as signing in from a location or device the user has never used before.
That’s why reporting is a core skill…that and the fact that your manager wants to see reports!
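To make “let you know when they do something strange” concrete, here is an added example that is not code from this post and not how Azure AD implements its own reports. It runs two simple detections over a constructed sign-in log: a first sign-in from a country the user has never used, and impossible travel between two consecutive sign-ins. The record layout, the users, the coordinates and the 900 km/h plausibility threshold are all assumptions made for illustration.

```python
"""Sign-in anomaly detection over a constructed sign-in log.

Added example, not code from the original post or from Azure AD. The record
layout, the users and the 900 km/h plausibility threshold are assumptions
made for illustration; Azure AD's own risk detections are not reproduced.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample records: (user, UTC timestamp, country, latitude, longitude).
SIGN_INS = [
    ("alice", "2015-03-02T08:05:00Z", "GB", 51.5074, -0.1278),    # London
    ("alice", "2015-03-03T08:10:00Z", "GB", 51.5074, -0.1278),
    ("alice", "2015-03-04T09:00:00Z", "GB", 51.5074, -0.1278),
    ("alice", "2015-03-04T09:40:00Z", "BR", -23.5505, -46.6333),  # Sao Paulo, 40 minutes later
    ("bob",   "2015-03-02T13:00:00Z", "US", 47.6062, -122.3321),  # Seattle
    ("bob",   "2015-03-03T13:05:00Z", "US", 47.6062, -122.3321),
    ("bob",   "2015-03-05T13:00:00Z", "US", 40.7128, -74.0060),   # New York, two days later
]

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner cruising speed


def parse(record):
    user, ts, country, lat, lon = record
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"user": user, "ts": when, "country": country, "lat": lat, "lon": lon}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(records, min_history=2, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk each user's sign-ins in time order and raise two kinds of alert:

    - new_country: a sign-in from a country never seen for this user, once the
      user has at least `min_history` prior sign-ins (the learned baseline);
    - impossible_travel: consecutive sign-ins whose locations imply a speed
      above `max_kmh`.
    """
    events = sorted((parse(r) for r in records), key=lambda e: (e["user"], e["ts"]))
    baseline, last, counts, alerts = {}, {}, {}, []
    for ev in events:
        user = ev["user"]
        countries = baseline.setdefault(user, set())
        prior = counts.get(user, 0)
        if prior >= min_history and ev["country"] not in countries:
            alerts.append({"user": user, "ts": ev["ts"], "kind": "new_country",
                           "detail": "first sign-in from %s" % ev["country"]})
        prev = last.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0   # same instant, different place
            if speed > max_kmh:
                alerts.append({"user": user, "ts": ev["ts"], "kind": "impossible_travel",
                               "detail": "%.0f km in %.2f h (%.0f km/h)" % (km, hours, speed)})
        countries.add(ev["country"])
        last[user] = ev
        counts[user] = prior + 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGN_INS):
        print(alert["ts"].isoformat(), alert["user"], alert["kind"], alert["detail"])
```

On the sample data only alice trips the detections (her Sao Paulo sign-in is both a new country and roughly 9,500 km in 40 minutes); bob’s Seattle-to-New York move two days later is well under the threshold. The baseline is deliberately per user rather than per organization: a country that is normal for one user is still an anomaly for another.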
3 – Manage and Maintain Sync
Getting your existing users into Azure AD is the first step to setting things up correctly. Signing into Windows is something most people are so used to doing that they don’t notice what happens when they do it. They don’t realize that being logged on means they have been authenticated for a specified period (and that Windows renews it), or that they have been seamlessly signed into the multiple systems they use daily: file, print and email.
The first step and, therefore, one of the most critical skills is setting up and maintaining a sync relationship between your on-prem AD and Azure AD.
4 – Nurture Active Directory Federation Services
This is a super valuable core skill. Knowing how AD FS works, and how to deploy, manage and troubleshoot it, is a core skill for now and for the future. Many organizations that use Office 365 or have otherwise connected to Azure AD use AD FS for authentication. With AD FS in place no password validation takes place in the cloud (you don’t need to synchronize password hashes) and many organizations find that comforting. Instead of Azure AD validating the credential, the client is redirected to your on-prem AD FS servers. The flip side is that AD FS availability now gates cloud sign-in: if your farm or its internet-facing proxies are down, nobody signs into Office 365.
AD FS also forms another massively important part of your users’ daily lives: it handles single sign-on. When a user connects to a service that has a trust relationship with your AD FS, they are let in automatically if they already hold a credential from a broker AD FS trusts. So, say you’ve signed into Windows: AD has issued you a Kerberos ticket. When you open a site secured by AD FS, AD FS authenticates you with that ticket (integrated Windows authentication), issues the site a signed token, and you get single sign-on with no password prompt. The site never sees your password; it only sees a token it can verify came from your AD FS.
You can get a lot of AD FS-style functionality from Azure AD alone, but for some advanced scenarios (custom claim rules, on-premises multi-factor authentication, policies that differ between intranet and extranet access) you’ll want the extra control AD FS gives you.
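The two halves of that exchange, reduced to their essentials as an added example (not code from the post, and not how AD FS is implemented): the identity provider issues a signed token scoped to one relying party, and the relying party checks signature, issuer, audience and validity window before letting anyone in. AD FS signs SAML or JWT tokens with its token-signing certificate; the HMAC key, the issuer URI and the relying-party identifiers here are stand-ins chosen for illustration.

```python
"""Federated sign-on, reduced to its two halves: the identity provider issues
a signed token scoped to one relying party, and the relying party validates
it before granting access.

Added example, not code from the original post or from AD FS. AD FS signs
SAML or JWT tokens with its token-signing certificate; the HMAC key, issuer
URI and relying-party identifiers below are stand-ins chosen for illustration.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

IDP_ISSUER = "http://adfs.contoso.example/adfs/services/trust"    # assumed issuer URI
TOKEN_SIGNING_KEY = b"stand-in-for-the-token-signing-certificate"  # assumed shared key


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject, audience, groups, now, lifetime=timedelta(hours=1)):
    """Identity-provider side. Called only after the user has been authenticated
    (for a domain-joined PC, via the Kerberos ticket Windows sign-in already
    obtained, so the user sees no prompt). The token is bound to one audience."""
    claims = {"iss": IDP_ISSUER, "aud": audience, "sub": subject, "groups": groups,
              "nbf": int(now.timestamp()), "exp": int((now + lifetime).timestamp())}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(TOKEN_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def rp_validate_token(token, expected_audience, now, trusted_issuer=IDP_ISSUER):
    """Relying-party side. Returns (claims, "ok") or (None, reason).
    Every check matters: signature (integrity), issuer (the trust you
    configured), audience (a token minted for another service is not yours),
    and the validity window (old tokens must not be replayable)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, signature = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None, "malformed"
    expected = hmac.new(TOKEN_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"
    claims = json.loads(body)
    if claims.get("iss") != trusted_issuer:
        return None, "untrusted issuer"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"
    ts = int(now.timestamp())
    if ts < claims["nbf"]:
        return None, "not yet valid"
    if ts >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


def scenarios():
    """Run the exchange for one user and return each relying party's verdict."""
    now = datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc)
    sharepoint = "urn:contoso:sharepoint"   # assumed relying-party identifier
    expenses = "urn:contoso:expenses"       # assumed relying-party identifier
    token = idp_issue_token("alice@contoso.example", sharepoint, ["Marketing"], now)

    # Forgery attempt: keep the genuine signature, change the groups claim.
    body_b64, sig_b64 = token.split(".")
    forged = json.loads(_unb64(body_b64))
    forged["groups"] = ["Domain Admins"]
    forged_body = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    forged_token = _b64(forged_body) + "." + sig_b64

    return {
        "fresh":         rp_validate_token(token, sharepoint, now + timedelta(minutes=5))[1],
        "other_service": rp_validate_token(token, expenses, now + timedelta(minutes=5))[1],
        "expired":       rp_validate_token(token, sharepoint, now + timedelta(hours=2))[1],
        "forged":        rp_validate_token(forged_token, sharepoint, now)[1],
        "garbage":       rp_validate_token("not.a.token", sharepoint, now)[1],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-14s %s" % (name, verdict))
```

The audience check is the one most often skipped in hand-rolled relying parties, and it is what stops a token legitimately issued for SharePoint being replayed against the expenses app. With a real federation the signature check uses the public key of the AD FS token-signing certificate, which is why rolling that certificate is an operational task every relying party must be told about.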
There are tons of other things that I’d consider core skills for enterprise mobility related to Identity, but that’s enough to get you started, let’s move onto the topic of management.
Organizations need management capabilities for a multitude of reasons and topping that list now is security. Organizations want to maintain a level of security that will stop data breaches, or at least show that they exercised due diligence!
When we look at the world of management we can see that Windows is the most manageable OS on the planet and has the ability to tweak almost every characteristic remotely. While some want to get to that level of detail, not everyone does – so you need to have the skill of selecting the most appropriate level of management. Windows management using SCCM is pretty well-known, so while I think that’s a core skill it’s probably something you, like me, have internalized over the years.
As we moved into the mobile world, a new, lighter level of management developed: one more appropriate for BYOD scenarios, but which adapts to company-owned devices too.
5 – Mobile Device Management (MDM)
MDM is the ability to take a device, enroll it into management and then change settings at the device level. The ability to, for example, turn on encryption is something that most MDM platforms support. Microsoft has Intune for MDM and it supports doing exactly that on iOS, Samsung KNOX, Android and Windows Phone, wherever the device OS exposes that setting to management.
The core skill here is knowing how to translate the requirements for device level management into the MDM solution. For example when you want to protect your company data you might decide that you need to turn off the camera on all enrolled devices…but then you need to think how your users feel when they suddenly can’t, legitimately, take a picture of their kids. Angry is how they feel. So the core skill with Mobile Device Management is being able to translate what’s possible to what’s appropriate, and it will always vary.
6 – Mobile Application Management (MAM)
MAM is the exciting new area of Enterprise Mobility Management that involves managing at the application level rather than the device level. In the case of Microsoft Intune this is exceptionally useful because it is the only product that works with Microsoft Office: you can manage the iOS and Android applications for Word, Excel, PowerPoint, OneNote and OneDrive, all of which have the Microsoft Intune SDK integrated.
This SDK integration means you can group those applications together and restrict data egress so that each of them can only hand data to another app in the group. More specifically, when managed, a document from SharePoint Online can only be opened in the managed Microsoft Word application, and Word can only save to OneDrive for Business. Unlike other MAM solutions, though, you can opt to allow users to bring data in from anywhere.
Extending the scenario: you’re updating a business proposal in Word, saved on OneDrive for Business, and you want to put in a pretty picture from Instagram. Fine! You can do that because the policy controls data egress from the managed apps while, optionally, leaving data ingress open.
This is exactly the behavior users want and your core skill is knowing how to enable that.
7 – On Premises Integration
Integrating your identity is only one part of the solution. You might want integration at the management level too, meaning productivity gains for you in IT from a single console. Configuration Manager can control Microsoft Intune, giving you a single pane of glass across your existing managed Windows, OS X and Linux devices and any mobile devices enrolled in Intune.
The core skill is knowing how to architect your solution to make this possible.
As the Enterprise Mobility Management space continues to evolve and mature, content management (controlling who can reach information, and what they can do with it once they have it) becomes an ever more interesting area. If you want to future-proof, you need to understand the core skills for enterprise mobility that relate to content management.
8 – Conditional Access Management
When you have knowledge of a user’s identity and knowledge of the state of a device, you can start to leverage that to allow conditional access to company resources. Quite literally, this core skill is about protecting your assets.
Conditional Access allows you to set up rules such as:
- Don’t allow users in marketing access to email unless their devices are encrypted and are managed.
- Don’t allow users in sales access to OneDrive for Business unless their devices are managed and not rooted.
Conditional Access policy can become an automatic gate-keeper for your information.
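The two rules above, written down as data and evaluated by a small policy engine. This is an added example, not Intune or Azure AD code; the policy shape, the attribute names and the sample users and devices are assumptions for illustration.

```python
"""Conditional Access as a rule engine: given what you know about the user
and the device, decide whether a request for a resource is allowed.

Added example, not code from the original post or from Intune/Azure AD. The
policy shape, the attribute names and the sample devices are assumptions for
illustration; they model the two rules listed in the post.
"""

# Policies: who they target, which resource they gate, and the device state they require.
POLICIES = [
    {"name": "marketing-mail",
     "groups": {"Marketing"}, "resources": {"exchange-online"},
     "require": {"managed": True, "encrypted": True}},
    {"name": "sales-onedrive",
     "groups": {"Sales"}, "resources": {"onedrive-for-business"},
     "require": {"managed": True, "rooted": False}},
]


def evaluate(user, device, resource, policies=POLICIES):
    """Return a decision dict. Every applicable policy must be satisfied.
    An attribute the device did not report (None) fails the check: a device
    that is not enrolled cannot attest to anything, so the gate fails closed."""
    applicable = [p for p in policies
                  if resource in p["resources"] and user["groups"] & p["groups"]]
    failures = []
    for policy in applicable:
        for attr, wanted in policy["require"].items():
            actual = device.get(attr)
            if actual is None or actual != wanted:
                failures.append({"policy": policy["name"], "attribute": attr,
                                 "wanted": wanted, "actual": actual})
    return {"allow": not failures,
            "applied": [p["name"] for p in applicable],
            "failures": failures}


def scenarios():
    """Constructed users and devices exercising the rules above."""
    alice = {"upn": "alice@contoso.example", "groups": {"Marketing"}}
    bob = {"upn": "bob@contoso.example", "groups": {"Sales"}}
    carol = {"upn": "carol@contoso.example", "groups": {"Finance"}}

    managed_encrypted = {"managed": True, "encrypted": True, "rooted": False}
    managed_unencrypted = {"managed": True, "encrypted": False, "rooted": False}
    managed_rooted = {"managed": True, "encrypted": True, "rooted": True}
    unenrolled = {}   # nothing reported: no MDM agent, no inventory

    return {
        "alice_mail_good": evaluate(alice, managed_encrypted, "exchange-online"),
        "alice_mail_unencrypted": evaluate(alice, managed_unencrypted, "exchange-online"),
        "alice_mail_unenrolled": evaluate(alice, unenrolled, "exchange-online"),
        "bob_onedrive_rooted": evaluate(bob, managed_rooted, "onedrive-for-business"),
        # No policy targets Sales + mail, so this falls through to the default.
        "bob_mail_unenrolled": evaluate(bob, unenrolled, "exchange-online"),
        "carol_onedrive_unenrolled": evaluate(carol, unenrolled, "onedrive-for-business"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        verdict = "ALLOW" if decision["allow"] else "DENY"
        print("%-26s %s %s" % (name, verdict, decision["failures"]))
```

Two design points are worth noticing. Missing device state fails closed, so an unenrolled phone is denied for the marketing mailbox even though it never claimed to be unencrypted. But a request no policy targets is allowed, which is how most conditional access products behave: if you want “deny unless a rule says otherwise”, you have to add a catch-all policy yourself and test that it does not lock out the administrators.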
9 – Rights Management
Rights management, on the other hand, controls what people can do with the information once they have it. RMS is the leading service in the world for this, trusted by lawyers and by those who protect intellectual property (IP) the world over. When a file is protected with Rights Management it carries rules that give different people different levels of access: some can print, some can save, some can only read, and much more.
Because the rights travel with the file, either inside the file or in its wrapper, they go wherever the file goes. This is great because if your users manage to sidestep the system and store their files with a cloud storage provider you weren’t expecting, the content is still encrypted and the rights still apply. The user must authenticate (to Azure AD, with MFA and auditing if required) each time they need access to the file: no authentication, no access. Files can also expire automatically after a specified period. One caveat worth remembering: the rights are enforced by RMS-aware applications, so the guarantee is that nothing opens the content without a licence from the service, not that an authorized reader can never copy what is already on their screen.
The core skill you need is knowing how to configure appropriate levels of rights management templates to make information protection decisions easy, or automatic, for end users.
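The mechanics described above (a policy bound to the file, a key released only by the service, a fresh authenticated request on every open, expiry, and an audit trail) as an added example. This is not code from the post and not how Azure RMS is implemented; the envelope layout, the principal fields and the SHA-256 counter keystream standing in for AES are all illustration-only stand-ins.

```python
"""Rights that travel with the file: a protected document carries its own
policy (who may do what, until when), the content key is only ever released
by the rights server, and every open requires a fresh authenticated request.

Added example, not code from the original post or from Azure RMS. The
envelope layout, the principal fields and the SHA-256 counter keystream used
in place of AES are stand-ins chosen for illustration.
"""
import hashlib
import os
from datetime import datetime, timedelta, timezone

SERVER_KEY = os.urandom(32)   # stand-in for the RMS tenant key; lives only on the server
AUDIT_LOG = []                # (when, who, rights granted)


def _keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES.
    Illustration only: reusing SERVER_KEY as a raw keystream for several
    wrapped keys would be a two-time pad in real life; use proper key wrapping."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def protect(plaintext, rights, expires, require_mfa=True):
    """Author side. `rights` maps a user or group name to the set of rights it
    gets. The content key is wrapped to the server key, so the file can be
    copied anywhere without exposing the content."""
    content_key = os.urandom(32)
    return {
        "ciphertext": _keystream_xor(content_key, plaintext),
        "wrapped_key": _keystream_xor(SERVER_KEY, content_key),
        "policy": {"rights": rights, "expires": expires, "require_mfa": require_mfa},
    }


def issue_use_license(document, principal, now):
    """Server side. Checks the caller against the policy embedded in the
    document and returns (license, reason); a license carries the unwrapped key."""
    policy = document["policy"]
    if not principal.get("authenticated"):
        return None, "not authenticated"
    if policy["require_mfa"] and not principal.get("mfa"):
        return None, "mfa required"
    if now >= policy["expires"]:
        return None, "content expired"
    rights = set(policy["rights"].get(principal["upn"], set()))
    for group in principal.get("groups", ()):
        rights |= set(policy["rights"].get(group, set()))
    if not rights:
        return None, "no rights granted"
    AUDIT_LOG.append((now, principal["upn"], sorted(rights)))
    content_key = _keystream_xor(SERVER_KEY, document["wrapped_key"])
    return {"rights": rights, "content_key": content_key}, "ok"


def open_document(document, use_license):
    """Client side: decrypt only with a license; the application enforces the rights."""
    if "VIEW" not in use_license["rights"]:
        raise PermissionError("license does not grant VIEW")
    return _keystream_xor(use_license["content_key"], document["ciphertext"])


def scenarios():
    """Constructed principals opening one protected document under various conditions."""
    now = datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc)
    doc = protect(b"Q3 acquisition proposal - confidential",
                  rights={"alice@contoso.example": {"VIEW", "EDIT", "PRINT"},
                          "Legal": {"VIEW"}},
                  expires=now + timedelta(days=7))
    alice = {"upn": "alice@contoso.example", "groups": {"Marketing"}, "authenticated": True, "mfa": True}
    alice_no_mfa = dict(alice, mfa=False)
    bob = {"upn": "bob@contoso.example", "groups": {"Legal"}, "authenticated": True, "mfa": True}
    carol = {"upn": "carol@contoso.example", "groups": {"Finance"}, "authenticated": True, "mfa": True}
    audit_before = len(AUDIT_LOG)
    results = {}
    lic, results["alice"] = issue_use_license(doc, alice, now)
    results["alice_plaintext"] = open_document(doc, lic)
    results["alice_rights"] = lic["rights"]
    lic, results["bob"] = issue_use_license(doc, bob, now + timedelta(days=1))
    results["bob_rights"] = lic["rights"]
    results["alice_no_mfa"] = issue_use_license(doc, alice_no_mfa, now)[1]
    results["carol"] = issue_use_license(doc, carol, now)[1]
    results["alice_after_expiry"] = issue_use_license(doc, alice, now + timedelta(days=8))[1]
    results["audit_entries"] = len(AUDIT_LOG) - audit_before
    return results


if __name__ == "__main__":
    for name, value in scenarios().items():
        print("%-20s %r" % (name, value))
```

The point the structure makes is that the file itself is useless without the server: whoever copies it to an unexpected cloud share gets ciphertext plus a policy they cannot satisfy, while an authorized reader still has to present an authenticated (and, if required, MFA) identity on every open, which is also what produces the audit trail.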
10 – On premises integration
As always you’ll need to integrate with what you already have. In the case of Azure RMS, a core skill becomes deploying new, hybrid architecture such as the Azure RMS connector. The connector makes an outbound (“call home”) connection to Azure, so you don’t open inbound firewall ports, and it lets on-premises Exchange Server, SharePoint Server and file servers (through File Classification Infrastructure) protect and consume RMS-protected content.
So there you have them, my 10 core skills for Enterprise Mobility Management. If you can gain and internalize these skills you’ll get to a really successful architecture for the future and you’ll probably keep the money coming and the rent paid for a few more years. Of course you need to know how to get them…
That’s why I’ve designed this Enterprise Mobility Core Skills Jumpstart series for Microsoft Virtual Academy that I’m really excited to be the first to tell you about. Over the course of the four episodes, one each month from March to June, I’ll be taking you through the core skills for enterprise mobility that you need – LIVE!
I’m really excited by this series, and joining me each month will be Brad Anderson, Corporate Vice President, Enterprise Client Management and Mobility at Microsoft, who’ll be explaining and showing what you can do. Then my far more knowledgeable co-host and I will break the solution down into the key skills you need to take away. Not only that, but to get you started we’ll have instructor-led virtual labs.
Also tell me what you’d love me to cover in the comments below – honestly you will be helping me to target this content just for you!