Embrace A Secure Mobile First Strategy

By ISBuzz Team
Writer, Information Security Buzz | Jun 19, 2017 06:15 am PST


One of the most disruptive trends in IT, both in the consumer space and in the enterprise, has been a progression towards mobility. Whether it be employees accessing corporate data on corporate owned mobile devices or the rise of BYOD initiatives for cell phones and laptops, IT professionals in organizations large and small have to rethink the way they deliver services to their end users.

With the influx of millennials in the workplace, as well as a growing acceptance of different styles of work, enabling this type of mobility can be a competitive differentiator for acquiring and retaining talent, as well as a driver of efficiency gains in the workplace. A mobile first, cloud first world represents a number of changes to some of the fundamental assumptions of IT, and forces IT professionals to confront a world where traditional boundaries like the domain and the firewall no longer serve the business's or the user's needs. Among the challenges many organizations face are questions around maintaining control over users' identities, and having visibility and control over the devices that access corporate resources. To meet these challenges, IT professionals are looking for new platforms and models of thinking to protect their data (now the most valuable asset for many organizations!), while enabling their end users to be productive in the ways that make the most sense for them. In doing so, they are searching for solutions that help them effectively balance the inherent trade-offs between mobility, access, and risk.

The Enterprise Mobility + Security Suite from Microsoft is designed with these challenges in mind. It is a collection of platforms that help IT professionals navigate and mitigate some of the most pressing problems of a mobile first world. By offering solutions that integrate with each other, as well as with best-in-class cloud services like Office 365, Microsoft offers organizations of all sizes a single vendor for the services and functionality necessary to build a safe, secure, and productive mobile workforce. In this article, we will talk about how the Enterprise Mobility + Security Suite helps manage user identities and devices, two of the linchpins of a mobile first IT strategy.

Azure Active Directory Premium: Your Enhanced Identity in the Cloud

The first consideration organizations often need to make as they shift from on-premises to cloud-based SaaS applications is how they will manage and maintain a consistent identity for their users across a variety of third-party services. While the easy distribution of SaaS products makes it easier than ever for IT departments to procure best-in-breed solutions, the fragmented nature of these platforms often means that IT and employees are stuck with the burden of maintaining and remembering multiple usernames and passwords. This fragmentation results not only in frustration for end users, but in a relaxing or abandonment of standard security practices as employees create subpar passwords, or leave post-it notes in their cubicles to assist with application access.

Azure Active Directory Premium solves the problem of fragmented identities, and offers a host of additional functionality to secure and empower end users. Built on top of a free offering, Azure Active Directory is the identity store that underpins Microsoft cloud services such as Office 365. By integrating and synchronizing seamlessly with your on-premises Active Directory, using a free tool called Azure Active Directory Connect, Azure Active Directory is the first step toward bringing your current identities to the cloud.

Azure Active Directory acts as a layer on top of your on-premises Active Directory, letting you take the identities and policies that you already manage and maintain, and use them to access cloud services that may live in a third-party provider's datacenter.

Azure Active Directory Premium, one component of the Enterprise Mobility + Security Suite, extends Single Sign-On capabilities to over 2600 SaaS applications with natively published hooks into Azure Active Directory's identity store. The same identities and passwords you use on premises can then be used to access Office 365, Salesforce, Concur, Active Directory Premium, alongside thousands of others. If the application in question does not have a natively published hook, Azure Active Directory can be configured to provide access to any application that uses web-based authentication protocols like OAuth or SAML. Additionally, Azure Active Directory Premium has SDKs that can be used to make your own Line of Business (LOB) applications compatible with Azure Active Directory.

Apart from alleviating challenges related to Single Sign-On (SSO), Azure Active Directory Premium goes further in securing corporate and third-party services by providing the ability to enable Multi-Factor Authentication (MFA) for all licensed users. MFA presents the user with a secondary challenge via a phone call, a text message, or the Azure Authenticator App, and provides an additional layer of defense against compromised credentials.

Finally, Azure Active Directory Premium empowers your end users by offering Self Service Password Reset with writeback to on-premises Active Directory. A core capability for an effective mobile strategy, Self Service Password Reset lets your users reset their password wherever they are, from whatever device they are using, secure in the knowledge that a single set of credentials will then synchronize through the system, and that the same username and password will provide access to all their applications. This gets IT service departments out of the thankless business of resetting passwords, and gives your mobile workforce invaluable functionality without a trouble ticket.

Combining seamless SSO, MFA, and Self Service Password Reset, Azure Active Directory is a powerful tool when implementing a secure mobile strategy. Using a centralized identity as the new security boundary, organizations are well placed to take advantage of the other efficiencies that arise from a mobile-empowered workplace.


Once a user's identity is established and secured, the next step in implementing a mobility solution is deciding how the organization is going to maintain visibility and control over the devices that users will use for access. In today's device-heavy world, there are a number of operating systems and form factors that an organization may need to contend with, from Android and iOS on mobile devices, to Windows and OSX on BYOD laptops. Additionally, because these devices are often so central to users' lives, there needs to be a mechanism to protect and secure corporate applications and data without impinging on the personal data stored on these devices.

Microsoft Intune, another part of the Enterprise Mobility + Security Suite, is Microsoft’s enterprise grade Mobile Device and Mobile Application Management platform. It is designed to help organizations manage and control the devices that have access to important applications or resources, while allowing maximum flexibility for end users to be productive on the devices that they are most comfortable with.

As discussed in the previous section, Intune sits on top of Azure Active Directory, allowing the same identity store that knows your users and applications to also provide the context for their mobile and BYOD devices. In this way the identity is further entrenched as the security boundary, with the devices that access organizational resources being tied to a specific individual. Intune supports the management of the main drivers of mobility, iOS, Android (including Samsung Knox), and of course Windows Mobile. If an organization decides on a true BYOD workplace, Intune can also be used, with varying degrees of capability, to manage Windows 7, 8, 8.1, and 10 systems, as well as Mac OSX devices. In addition to operating as a standalone cloud platform, Intune can also integrate with Microsoft's main device management platform, System Center Configuration Manager, providing organizations with existing investments in on-premises device management a single pane of glass for the entirety of their corporate and BYOD assets.

By providing a full scope of management capabilities for mobile and BYOD, Intune separates itself from other, more narrowly focused, device management platforms. There are a few major parts to a fully functional Enterprise Mobility Management solution, and one of the key components is Mobile Device Management (MDM). With regard to MDM capabilities, Microsoft Intune offers a host of options for all major operating systems, including the ability to enforce encryption and alphanumeric PINs, and to allow or disallow features like the camera or removable storage. Intune also supports pushing Wi-Fi profiles and certificates, and preventing jailbroken devices from accessing resources.

While many organizations could benefit from a strong mobile device management policy, one of the key roadblocks in adopting these solutions is often the difficulty of deploying the technology. Here, too, Intune has an innovative solution to streamline device enrollment: Intune Conditional Access. Intune Conditional Access allows IT professionals to set policies and restrictions on what type of devices are able to access corporate resources like Email (either on-premises or in Office 365), SharePoint (Office 365 only) or Skype for Business (Office 365 only), and checks devices against those policies when a user attempts to access corporate assets. When a user attempts to access one of these services from a device that does not comply with policy, the conditional access service walks the user through device enrollment and policy remediation (e.g. adding a PIN) without IT ever having to touch the device. Conditional access gives end users frictionless access to important business applications, relieves IT of the burden of deployment, and leaves IT assured of the security of the devices.
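As an added illustration, not Intune's own code or configuration, the following Python model captures the compliance check and remediation flow described in the two paragraphs above: a request for a protected resource is evaluated against device policy, and a non-compliant device is routed to enrollment or remediation rather than silently admitted. The policy fields, resource labels, decision strings and requirement values (6-character alphanumeric PIN) are all constructed for the example.

```python
# Constructed model of a conditional access evaluation (not Intune's implementation).
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Resources the article names as protectable and where each can live (constructed labels).
PROTECTED_RESOURCES = {
    "email": {"on-premises", "office365"},
    "sharepoint": {"office365"},
    "skype": {"office365"},
}

@dataclass
class Device:
    user: str              # directory identity; the device is tied to one person
    enrolled: bool         # enrolled in MDM
    encrypted: bool        # storage encryption enabled
    pin: Optional[str]     # None when no device PIN is set
    jailbroken: bool

@dataclass
class Policy:
    require_encryption: bool = True
    min_pin_length: int = 6            # assumed value
    require_alphanumeric_pin: bool = True
    block_jailbroken: bool = True

def pin_compliant(pin: Optional[str], policy: Policy) -> bool:
    """A PIN satisfies policy if it is set, long enough and mixes letters and digits."""
    if pin is None or len(pin) < policy.min_pin_length:
        return False
    if policy.require_alphanumeric_pin:
        return any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
    return True

def evaluate_access(device: Device, resource: str, location: str,
                    policy: Policy) -> Tuple[str, List[str]]:
    """Return (decision, remediation steps); decision is 'allow', 'remediate', 'block' or 'out_of_scope'."""
    if location not in PROTECTED_RESOURCES.get(resource, set()):
        return "out_of_scope", []        # conditional access does not cover this combination
    if policy.block_jailbroken and device.jailbroken:
        return "block", ["jailbroken device: no user-side remediation offered"]
    steps = []
    if not device.enrolled:
        steps.append("enroll device in MDM")
    if policy.require_encryption and not device.encrypted:
        steps.append("enable device encryption")
    if not pin_compliant(device.pin, policy):
        steps.append(f"set a {policy.min_pin_length}+ character alphanumeric PIN")
    return ("allow", []) if not steps else ("remediate", steps)
```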

Once IT has visibility into the mobile devices in an organization, the next logical need is the ability to deploy and update critical business applications, known as Mobile Application Management (MAM). Here too, Intune offers the full slate of features organizations need to secure applications on mobile devices. Intune can push managed applications, let users access and download their own managed applications in a self-service model, and update applications as administrators see fit. Intune also offers capabilities to manage data within the application itself, although those management features depend heavily on where the application originates. The most manageable applications come directly from Microsoft. Because Microsoft is both the MAM provider and the application developer, many Microsoft applications are "enlightened" with Intune capabilities and have deep integrations with Intune policies. Apps like Outlook, OneDrive for Business, and the Office 365 productivity applications are all able to communicate with Intune to offer functionality around allowing or blocking copy/paste and screen capture, and preventing backup or sharing to unauthorized applications. You can also require a user to enter a PIN or corporate credentials before launching Intune-enlightened applications.

For applications that are not natively enlightened, Intune offers an application wrapping capability to provide some of this enhanced functionality within the application itself. Additionally, Intune offers an SDK so organizations looking to develop and deploy their own custom-built applications can have deep integration with application management functionality.

Finally, the last important piece of a mobile management solution is the ability to retire and remove corporate data at will from enrolled devices. Intune allows for two device-wiping scenarios: a full wipe for lost or stolen devices, or a selective wipe for users who have received a new device or who have left or been terminated from the organization. These wipe functions can be executed by IT staff, or by the end user themselves (in the case of a lost device), and by providing different levels of device retirement, end users can have more faith that the company is not going to involuntarily wipe important personal data off their devices.


The reality of a mobile first, cloud first world is already here, and organizations that can adapt to that reality quickest will be the ones most likely to succeed. While mobility brings along its own share of challenges, there are tremendous opportunities that can be unlocked by having an effective mobile strategy.

The Enterprise Mobility + Security Suite, with its focus on managing identities, devices, and applications, offers an integrated set of products focused on helping organizations capture these new opportunities with limited disruption to the control and security that all IT departments prize. With a mobile strategy that includes the Enterprise Mobility + Security Suite, organizations of all sizes can bring mobile productivity to end users while continuing to secure valuable corporate assets.

About John Pontius