Explore MDM and MAM and learn why they're both potentially important components of a mobile security strategy.
- [Instructor] We spent a lot of time talking about Azure Active Directory, which is the foundation of all of Microsoft's cloud services when you look at identity. So Azure Active Directory lets us control the who, but now let's talk about the device that people are using to access data and applications. Another Microsoft service that ties into Azure Active Directory is one called Microsoft Intune, and Microsoft Intune allows us to control both devices and applications. When we control those two elements, we can in turn control the data that exists on those devices.
There are a couple of ways we can do that. We can choose to manage the entire device, which is traditional mobile device management, or MDM. With MDM, we apply policies to the device. We can control whether someone needs to use a PIN to unlock the device, or maybe they can't use the camera because the device is going to be in a secure area, or something like that, and in turn, because we control the device, we also control everything that's going on inside of it. We can push applications to it. We can apply policies to some applications. But the downside to this, especially if you have a BYOD or bring your own device strategy where people supply their own iPhone or iPad, Android, whatever the case may be, is that they may not want you to control their device when they're paying for the device and just using it to access corporate data.
To work around this, another concept that Intune has is mobile application management, or MAM. With mobile application management, we can let the device be in whatever state it's in, but we don't have to worry about the data and the applications, because we can still control that data, corporate data, that's in those applications without doing anything to the user's device. The nice thing about this is we can apply policy to just corporate data, but everything else is left alone, and with the managed applications, especially the Microsoft Office applications, they're smart enough to know whether data comes from the corporate side, maybe it came in your corporate email, versus personal data that came from your personal email account.
So even when you're opening a document in Word, and it's just one instance of the Word application, it's smart enough to know where that data came from. Whether you manage the device or just the apps is going to depend a lot on the strategy that you have for whether or not you supply devices, whether or not people bring their own devices. Maybe you have a mix of both: you have devices that you supply that are used in specific scenarios, but day to day people use their personal phones to access their email while they're mobile. So you'll have to decide, do I use MDM, mobile device management, or MAM, mobile application management, or maybe a mix of both.
We talked about conditional access with Azure Active Directory, where we could make decisions about where a user was coming from and whether or not they need to do things like multi-factor authentication. But when we add Intune, Intune adds this notion of compliance, which it evaluates based on the policies you configure, and we're going to set some of those policies up in a little bit. Based on those policies, we can use Azure Active Directory conditional access now not just to make a decision about who you are and maybe what network you're coming from, but whether or not you're coming from a device that's considered compliant based on the policies that you define.
If the device is compliant, maybe we'll let you straight in, or we could say, if the device isn't compliant, we won't let you access the data at all because maybe it's really sensitive. And then we can even extend this further. There are various third parties, like Citrix and Cisco, for example, who have wireless and remote access platforms that can now connect to Intune, look at that compliance state, and make decisions about access to on-premises assets based on whether or not the device is known and compliant.
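The three building blocks the instructor describes (an MDM compliance policy, a MAM app protection policy, and a conditional access policy that consumes the compliance state) can be created through Microsoft Graph from PowerShell. The script below is an added example and is not from the course or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator holds the listed permissions, and that `$bringYourOwnDeviceGroupId` is the object ID of an Azure AD group containing the BYOD users (the GUID shown is a placeholder you must replace).

```powershell
# Added example (not part of the course): MDM compliance, MAM app protection and
# the conditional access policy that ties them together, via Microsoft Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; admin has the scopes below;
# $bringYourOwnDeviceGroupId is a hypothetical Azure AD group ID (replace it).

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess'

$bringYourOwnDeviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, assumed
$graph = 'https://graph.microsoft.com/v1.0'

function New-GraphObject {
    param([string]$Uri, [hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri $Uri -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 10)
}

# 1. MDM side: an iOS device compliance policy. Intune evaluates each enrolled
#    device against these rules and marks it compliant or non-compliant.
$compliancePolicy = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'iOS baseline compliance'
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    osMinimumVersion                      = '15.0'
    # Required by the API: what happens when a device fails a rule (block at once).
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$compliance = New-GraphObject "$graph/deviceManagement/deviceCompliancePolicies" $compliancePolicy

# 2. MAM side: an iOS app protection policy. Nothing touches the device itself;
#    corporate data inside managed apps (Office and others) can only move to other
#    managed apps, cannot be saved or backed up elsewhere, and needs its own PIN.
$appProtection = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'BYOD Office data protection'
    pinRequired                             = $true
    minimumPinLength                        = 6
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    organizationalCredentialsRequired       = $true
    contactSyncBlocked                      = $true
    printBlocked                            = $true
}
$mam = New-GraphObject "$graph/deviceAppManagement/iosManagedAppProtections" $appProtection

# 3. Feed the compliance state into Azure AD conditional access: BYOD users on
#    iOS/Android reach cloud apps only from a device Intune reports as compliant.
#    Start in report-only mode to see who would be blocked before enforcing.
$caPolicy = @{
    displayName = 'Require compliant mobile device'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users          = @{ includeGroups = @($bringYourOwnDeviceGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
$ca = New-GraphObject "$graph/identity/conditionalAccess/policies" $caPolicy

"Created compliance policy $($compliance.id), app protection $($mam.id), CA policy $($ca.id)"
```

Two practical notes: creating the policies does not apply them. The compliance policy still has to be assigned to a group (the `assign` action on `deviceCompliancePolicies/{id}`), and the app protection policy has to be targeted to the managed apps and assigned (the `targetApps` and `assign` actions on `iosManagedAppProtections/{id}`). The conditional access policy is deliberately created in report-only state; an enforced "require compliant device" rule applied to every app and every user, including the administrators writing it, is a common way to lock yourself out, so exclude a break-glass account and review the sign-in logs before switching it to `enabled`.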
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security