Index
Symbols
2008 IDC (International Data Corporation) study, 1
2014 IDG Enterprise CITE (Consumerization of IT in the Enterprise) study, 1–2
A
access, data
choosing right deployment topology, 141–143
monitoring access to resources, 145–147
leveraging on-premises resources, 127–135
Web Application Proxy, 130–131
Windows Server Dynamic Access Control, 128–129
access levels (devices), 11
access management benefits, hybrid identity implementation, 58–59
Activate button, turning on directory synchronization, 37
activation
Azure RMS Tool, 152
directory synchronization in Azure AD, 61
Active Directory Federation Services. See AD FS
activity logs, Azure AD Premium, 30
Add A New Rights Policy Template dialog box, 154
Add Software wizard, 113
AD FS (Active Directory Federation Services)
Farm page (Azure AD Connect Wizard), 65–66
planning/designing hybrid identity solution, 55–56
sign-in page
planning/designing hybrid identity solution, 56
Admin Console, Policy workspace, 84
Advanced Encryption Standard (AES), 135
AES (Advanced Encryption Standard), 135
A Host records, 55
alerts
Microsoft Intune monitoring capabilities, 175–176
Allow A Server To Utilize The Connector page (Azure RMS Connector Administrator Tool), 162
analysis of data, troubleshooting EMS, 189
Android devices
deploying email profile configuration policies, 109
anomalous activity reports, Azure AD Premium, 29–30
APN certificate signing request file, 103
APNs (Apple Push Notification service) certificates, 78, 103
AppContainer, Windows Phone security model, 13
Apple Configurator, 86
Apple Push Certificates Portal, 103
Apple Push Notification service (APNs) certificates, 78, 103
Application log, Event Viewer, 203
applications (apps)
challenges of enabling enterprise mobility, 2–4
data access and protection diagram, 150
design strategies for mobile workforces, 12–13
solution diagram for hybrid identity, 51
Application Settings, Mobile Device Security Policy, 100
application usage reports, 30, 174
apps (applications)
challenges of enabling enterprise mobility, 2–4
data access and protection diagram, 150
design strategies for mobile workforces, 12–13
solution diagram for hybrid identity, 51
Apps section, Company Portal, 81
Assign Custom Rights page, creating custom templates, 156–157
auditing conditional expressions, 129
autonomy (persona distribution), 10
accessing SaaS applications, 32–33
Azure Active Directory Synchronization Services (Azure AD Sync), 43–45
Azure Active Directory Sync Services Wizard, 43
Azure AD (Microsoft Azure Active Directory), 27
directory synchronization, 36–38
source of authority, 36
disabling user access, 184
monitoring capabilities, 172–174
preparing service for directory integration, 60–61
Azure AD App and Attribute Filtering (optional feature, Azure AD Sync), 44
Azure AD Connect Wizard, 45-47
enabling SSO (Single Sign-On), 64–70
Getting Started page, 46
planning/designing hybrid identity solution, 57–58
troubleshooting Azure AD Premium, 191–192
Azure AD Premium
self-service group management, 33–34
self-service password management, 34–35
user access, SaaS (Software-as-a-Service) applications, 32–33
Azure Multi-Factor Authentication, 30–32
security reports and alerts, 28–30
Azure AD Sync (Azure Active Directory Synchronization Services), 43–45
Azure AD Sync Scheduler task (Task Scheduler Library), 69
Azure Management Portal
activation of Azure RMS Tool, 152
creating custom templates, 154–156
Azure Multi-Factor Authentication, 30–32
Azure Rights Management Administration Tool, installation, 151
Azure Rights Management Services. See Azure RMS; RMS
Azure RMS (Azure Rights Management Services), 135–147
configuring templates, 153–159
choosing right deployment topology, 141–143
monitoring access to resources, 145–147
templates, 135
integrating DAC feature, 133–134
integration with Work Folders, 166–168
leveraging for data protection, 151
monitoring capabilities, 179–180
Azure RMS connector webpage, 162
B
BitLocker technology, 134
branding
adding company branding, Microsoft Azure Management Portal, 70–71
customizing Company Portal, 98
Bring Your Own Device (BYOD) devices
monitoring
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
Microsoft Device Strategy Framework, 7–9
Bring Your Own Key (BYOK) capability, Azure RMS, 135, 142
built-in capabilities, data protection, 134–135
BYOD (Bring Your Own Device) devices
monitoring
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
Microsoft Device Strategy Framework, 7–9
BYOD Design Considerations Guide, 4
BYOK (Bring Your Own Key) capability, Azure RMS, 135, 142
C
central access policies, 128–129
Certificate Compliance Reports (Microsoft Intune), 177
certificates
APNs (Apple Push Notification service), 78, 103
CLCs (Client Licensor Certificates), 140
code-signing (Symantec), 78
publicly trusted X509 v3 SSL, 56
SLCs (Server Licensor Certificates), 140
challenges
BYOD (Bring Your Own Devices) scenarios, 5–7
enabling mobile workforces, 2–4
check compliance option, Company Portal app, 196
CheckPoint survey (2014), 5
choose your own device (CYOD) scenario, 8
CITE (Consumerization of IT in the Enterprise), 2014 study, 1–2
claims-aware FCI, 128
CLCs (Client Licensor Certificates), 140
client access validation, 166
Client Licensor Certificates (CLCs), 140
client-side RMS, troubleshooting, 199–201
closure documentation, troubleshooting EMS, 190
cloud identity, Azure AD Premium, 27–28
Cloud Policy Settings, Mobile Device Security Policy, 100
cloud services
data access and protection diagram, 150
disabling user access, 184
solution diagram for hybrid identity, 51
troubleshooting EMS, 191
cloud topology, Azure RMS, 141
cmdlets
Connect-AadrmService, 200
GenConnectorConfig, 163
Get-AadrmConfiguration, 200
Get-AADRMTemplate, 200
Get-AADRMTemplateProperty, 201
Import-Module AADRM, 200
Set-AdfsGlobalWebContent, 72
Set-AdfsWebTheme, 72
Update-WebApplicationProxyDeviceRegistration, 131
CNAME records, 56
code-signing certificates (Symantec), 78
code-signing Company Portal, 104
company-owned devices, monitoring
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
Company Portal
check compliance option, 196
company terms and conditions, 83
preparing Microsoft Intune for enrollment, 106–107
usage terms and conditions, 108
Microsoft Intune service configuration, 98–99
Complete Action dialog box, 118
compliance policies, 88
Microsoft Intune service enrollment, 109–110
planning/designing device management solution, 101–102
computer inventory management, 91
Computer Inventory Reports, Microsoft Intune, 91
computers
configuration policies, 87
Conditional Access Control, 129
Conditional Access For Exchange Online Policy, 102
conditional access policies, 88–90
Microsoft Intune service enrollment, 110–112
planning/designing device management solution, 102
conditional expressions
auditing, 129
permissions and, 129
Confidential template (Azure RMS), 154
Confidential View Only template (Azure RMS), 153
Configuration Manager, 77
common mobile device settings, 85–86
computers, 87
iOS devices, 86
Microsoft Intune service enrollment, 109
planning/designing device management solution, 100–101
Windows devices, 86
configuring
applying custom templates to a document, 157–159
compliance policies, 88
conditional access policies, 88–89
Exchange ActiveSync policies, 90–91
File Server to use Azure RMS, 163
Mobile Device Security Policy, 85
synchronization filtering, 68–69
users/groups for synchronization, 62–63
Windows DNS name resolution, 79
Connect-AadrmService cmdlet, 200
connector (Azure RMS)
planning/designing data protection solution, 159–168
configuring file classification, 163–165
configuring File Server, 163
integration of Azure RMS with Work Folders, 166–168
validating client access, 166
Consumerization of IT in the Enterprise (CITE), 2014 study, 1–2
contact information, customizing Company Portal, 98
Contact IT section, Company Portal, 81
containerization (required capability), 10
continuous monitoring of devices, 169–170
corporate network
data access and protection diagram, 150
solution diagram for hybrid identity, 50
CSS (Customer Service and Support), 142
Customer Service and Support (CSS), 142
Customization section, Company Portal, 82
customization via policy (required capability), 10
customizing
adding company branding, Microsoft Azure Management Portal, 70–71
Microsoft Intune service configuration, 98–99
preparing Microsoft Intune for enrollment, 106–107
usage terms and conditions, 108
custom templates (Azure RMS)
applying to a document, 157–159
CYOD (choose your own device) scenario, 8
D
DAC (Dynamic Access Control)
integrating with AD RMS, 133–134
leveraging for data protection, 128–129
data analysis, troubleshooting EMS, 189
data collection, troubleshooting EMS, 189
data governance, 13
data protection
choosing right deployment topology, 141–143
monitoring access to resources, 145–147
challenges of enabling enterprise mobility, 2–4
design strategies for mobile workforces, 13–14
configuring Azure RMS templates, 153–159
planning/designing solution, 151–153
leveraging on-premises resources, 127–135
Web Application Proxy, 130–131
Windows Server Dynamic Access Control, 128–129
understanding EMS solution, 21–23
Deactivate button, turning off directory synchronization, 37
default AD FS sign-in page, 56
default Device Enrollment Policy, 80
default enrollment profile, Microsoft Intune service, 106
defense-in-depth strategy, data protection, 127
deployment
Mobile Device Security Policy, 108
policies (device management), 83–91
compliance policies, 88
conditional access policies, 88–90
Exchange ActiveSync policies, 90
design
data protection solution, 151–153
leveraging Azure RMS, 151
preparing the environment, 151–153
device management solution, 97–105
Microsoft Intune service configuration, 97–99
Mobile Device Management enrollment, 102–105
enabling mobile workforces, 9–15
hybrid identity solution, 51
Microsoft Azure Access Panel, 52–53
Microsoft Azure Management Portal, 51–52
on-premises environment, 53–54
SSO (Single Sign-On) components, 54–60
deskbound information worker (user profile), 9
Detected Software Reports (Microsoft Intune), 176
detection
security phase, 170
Device Capability Settings, Mobile Device Security Policy, 100
Device Enrollment dialog box, 115
Device History Reports (Microsoft Intune), 177
Device Registration Service, 131
devices
access levels, 11
challenges of enabling enterprise mobility, 2–4
data access and protection diagram, 150
design strategies for mobile workforces, 10–12
management, 75
external device enrollment dependencies, 112–114
full and selective wipes, 92–93
implementation goals, 96
planning/designing solution for implementation, 97–105
preparing Microsoft Intune service for enrollment, 105–112
Managed By Exchange ActiveSync, 89
Managed By Microsoft Intune And Exchange ActiveSync, 89
Managed By Microsoft Intune, 89
monitoring
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
registration, 131
required capabilities, 10
solution diagram for hybrid identity, 50
dialog boxes
Add A New Rights Policy Template, 154
Complete Action, 118
Device Enrollment, 115
Manage Mobile Devices, 76
Microsoft Intune report export, 178
Retire Device confirmation, 93
Select Containers (Synchronization Service Manager), 69
Set Up Service To Service Connector, 111
Upload The APNs Certificate, 112
View Policy Issues, 88
Warning, 116
directory synchronization, 36–38
preparing Azure AD service for, 60–61
preparing on-premises environment for, 61–64
directory sync, 40
directory sync with password sync, 40
directory sync with SSO, 40
multiforest directory sync with SSO, 41
source of authority, 36
directory sync scenario (directory integration), 40
directory synchronization, 36–38
activating in Azure AD, 61
forcing action and verifying success, 69–70
directory sync with password sync scenario (directory integration), 40
directory sync with SSO scenario (directory integration), 40
disabling user access, 184
DNS CNAME records, 104
DNS name resolution, configuring, 79
domain synchronization, Microsoft Azure Management Portal, 60
Dynamic Access Control (DAC)
integrating with AD RMS, 133–134
leveraging for data protection, 128–129
E
Email Policy Settings, Mobile Device Security Policy, 100
email profile configuration policies
Microsoft Intune service enrollment, 109
EMS (Enterprise Mobility Suite)
embracing mobile workforce scenario, 24–26
leveraging response to security incidents, 180–186
prevention, 181
leveraging to monitor resources, 171–180
Azure AD monitoring capabilities, 172–174
Microsoft Azure RMS monitoring capabilities, 179–180
Microsoft Intune monitoring capabilities, 175–179
troubleshooting
cloud services, 191
tools, 190
where to find information, 190
understanding EMS solution, 17–23
MDM (Mobile Device Management), 20–21
enabling
mobile workforces, 1
BYOD (Bring Your Own Devices) scenarios, 4–7
configuring synchronization filtering, 68–69
forcing directory synchronization and verifying success, 69–70
encryption of data, 13
End-User License Agreement page (Rights Management Connector Setup Wizard), 160
enrollment, devices, 76–83, 114–125
custom company terms and conditions, 83
device management prerequisites, 78–79
external device enrollment dependencies, 112–114
conditional access policies, 110–112
creating default enrollment profile, 106
customizing Company Portal, 106–107
customizing usage terms and conditions, 108
deploying email profile configuration policies, 109
deploying Mobile Device Security Policy, 108
service configuration, 98
setting MDM authority, 105–106
Mobile Device Management, 102–105
iOS devices, 103
Windows Phone 8.0, 104
Mobile Device Management authority, 76–77
profiles, 80
Enterprise IT, enabling mobile workforces
BYOD (Bring Your Own Devices) scenarios, 4–7
Enterprise Mobility Suite. See EMS
environment preparation, data protection solution, 151–153
Event Viewer, Application log, 203
Exchange ActiveSync policies, 90, 135
Exchange Hybrid Deployment (optional feature, Azure AD Sync), 44
Exchange Online, conditional access policies, 89
Exchange on-premises, conditional access policies, 89–90
executive (user profile), 9
external device enrollment dependencies, 112–114
F
factory reset option, Company Portal, 93
FCI (File Classification Infrastructure), 128
Federal Information Processing Standards (FIPS)-compliant Hardware Security Modules (HSMs), 135
Fiddler, 190
fields, Azure RMS log files, 180
field worker (user profile), 9
file classification
File Classification Infrastructure (FCI), 128
File Classification Infrastructure (FCI), 128
File Server, configuring to use Azure RMS, 163
File Server Resource Manager (FSRM)
configuring file management tasks, 164–165
downloading GetConnectorConfig.ps1 tool, 163
enabling, 159
FIM (Forefront Identity Manager), 27, 68
Forefront Identity Manager (FIM), 27, 68
formats, PFILE, 140
FSRM (File Server Resource Manager)
configuring file management tasks, 164–165
downloading GetConnectorConfig.ps1 tool, 163
enabling, 159
G
Gartner study (2013), 5
GenConnectorConfig cmdlet, 163
generic files, data protection, 136
Get-AadrmConfiguration cmdlet, 200
Get-AADRMTemplate cmdlet, 200
Get-AADRMTemplateProperty cmdlet, 201
Get Started With Rights Management Quick Start page, creating custom templates, 154
Getting Started page (Azure AD Connect Wizard), 46
gMSA (Group Managed Service Account), 66
goals
device management implementation, 96
hybrid identity implementation, 49–50
governance (data), 13
Group Managed Service Account (gMSA), 66
groups
activity logs, 30
configuring for synchronization, 62–63
self-service management, 33–34
Groups Activity report (Azure AD), 174
H
HR (Human Resources), creating enterprise mobility strategy, 6–7
Human Resources (HR), creating enterprise mobility strategy, 6–7
hybrid identity, 27
Azure Access Panel, user self-services, 32–35
accessing SaaS applications, 32–33
self-service group management, 33–34
self-service password management, 34–35
Azure AD Premium
security reports and alerts, 28–30
Azure Multi-Factor Authentication, 30–32
device management, 96
directory synchronization, 36–38
source of authority, 36
implementation
enabling SSO (Single Sign-On), 64–70
identity and access management benefits, 58–59
planning and designing solution, 51
preparing Azure AD service for directory integration, 60–61
preparing on-premises environment for directory integration, 61–64
understanding EMS solution, 18–19
hybrid topology, Azure RMS, 141
I
IDC (International Data Corporation), 2008 study, 1
identity management benefits, hybrid identity implementation, 58–59
identity synchronization, 37
implementation
data protection
configuring Azure RMS templates, 153–159
planning/designing solution, 151–153
device management, 95
external device enrollment dependencies, 112–114
goals, 96
planning/designing solution, 97–105
preparing Microsoft Intune service for enrollment, 105–112
hybrid identity
enabling SSO (Single Sign-On), 64–70
identity and access management benefits, 58–59
planning and designing solution, 51
preparing Azure AD service for directory integration, 60–61
preparing on-premises environment for directory integration, 61–64
Import-Module AADRM cmdlet, 200
incidence response plans, monitoring devices, 169–171
Installation Of Microsoft Rights Management Connector Completed page (Rights Management Connector Setup Wizard), 160–161
Installing Microsoft Rights Management Connector page (Rights Management Connector Setup Wizard), 160–161
integrated applications, Azure AD Premium, 30
International Data Corporation (IDC), 2008 study, 1
iOS devices
configuration policies, 86
deploying email profile configuration policies, 109
device management prerequisites, 78
diagnostic information dialog box, 198
external device enrollment dependencies, 112–113
Mobile Device Management enrollment considerations, 103
Irregular Sign In Activity report (Azure AD), 173
IT department, enterprise mobility strategy, 6–7
K
Kerberos authentication support, 128
Key Management Service (KMS), 135
KMS (Key Management Service), 135
L
legal department, enterprise mobility strategy, 6–7
License Installation Reports (Microsoft Intune), 177
License Purchase Reports (Microsoft Intune), 177
limitations, DirSync, 42
line of business (LOB) apps, 78
LOB (line of business) apps, 78
M
Managed By Exchange ActiveSync devices, 89
Managed By Microsoft Intune And Exchange ActiveSync devices, 89
Managed By Microsoft Intune devices, 89
external device enrollment dependencies, 112–114
full and selective wipes, 92–93
implementation goals, 96
planning/designing solution for implementation, 97–105
preparing Microsoft Intune service for enrollment, 105–112
Manage Mobile Devices dialog box, 76
MDM authority (Mobile Device Management authority)
Microsoft Intune service configuration, 97
preparing Microsoft Intune service for enrollment, 105–106
MDM (Mobile Device Management), 10
device enrollment, 76–77, 102–105
iOS devices, 103
Windows Phone 8.0, 104
as part of the solution to device management, 97
understanding EMS solution, 20–21
MDM authority
Microsoft Intune service configuration, 97
preparing Microsoft Intune service for enrollment, 105–106
methodology, troubleshooting EMS, 187–190
MFA (multi-factor authentication), 30–31
Microsoft Azure Access Panel, planning hybrid identity solution, 52–53
Microsoft Azure Active Directory. See Azure AD
Microsoft Azure Management Portal
domain synchronization, 60
planning hybrid identity solution, 51–52
Microsoft Azure RMS Connector Administrator Tool, 161
Microsoft Connectivity Analyzer tool, 192–193
Microsoft Customer Service and Support (CSS), 142
Microsoft Device Strategy Framework, 7–9
Microsoft Intune
device management, 75
full and selective device wipes, 92–93
monitoring capabilities, 175–179
preparing service for enrollment, 105–112
conditional access policies, 110–112
creating default enrollment profile, 106
customizing Company Portal, 106–107
customizing usage terms and conditions, 108
deploying email profile configuration policies, 109
deploying Mobile Device Security Policy, 108
setting MDM authority, 105–106
Company Portal customization, 98–99
device enrollment profiles, 98
Mobile Device Management authority, 97
terms and conditions, 99
Microsoft Intune Center, 87
Microsoft Intune Company Portal URLs, customizing Company Portal, 82
Microsoft Intune Online Connector for Online Exchange, 111–112
Microsoft Intune report export dialog box, 178
Microsoft Intune Setup Wizard, 124–125
Microsoft Online Services Directory Synchronization tool. See DirSync
Microsoft Rights Management Connector Setup Wizard, 159–160
Microsoft RMS Administrator Credentials page (Microsoft Rights Management Connector Setup Wizard), 160
Microsoft Threat Modeling Tool, 14
mobile device inventory management, 91–92
Mobile Device Inventory Reports (Microsoft Intune), 177
Mobile Device Management authority (MDM authority)
Microsoft Intune service configuration, 97
preparing Microsoft Intune service for enrollment, 105–106
Mobile Device Management (MDM), 10
device enrollment, 76–77, 102–105
iOS devices, 103
Windows Phone 8.0, 104
as part of the solution to device management, 97
understanding EMS solution, 20–21
MDM authority
Microsoft Intune service configuration, 97
preparing Microsoft Intune service for enrollment, 105–106
Mobile Device Security Policy
configuring, 85
deployment, 108
settings, 100
mobile worker (user profile), 9
mobile workforces
embracing enterprise mobility scenarios, 24–26
enabling, 1
BYOD (Bring Your Own Devices) scenarios, 4–7
monitoring
devices
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
Multi-Factor Authentication app, 31
multi-factor authentication (MFA), 30–31
multiforest directory sync with SSO scenario (directory integration), 41
MyDevices section, Company Portal, 81
N
name resolution
Network Monitor, 190
New Sync Share Wizard, 167–168
Noncompliance Apps Reports (Microsoft Intune), 177
O
OMA-URI (Open Mobile Alliance Uniform Resource Identifier) policies, Windows devices, 87
Online Connector for Online Exchange (Microsoft Intune), 111–112
on-premises environment
directory integration with Azure AD, 35–47
source of authority, 36
leveraging resources for data protection, 127–135
Web Application Proxy, 130–131
Windows Server Dynamic Access Control, 128
planning/designing hybrid identity solution, 53–60
Microsoft Azure Access Panel, 52–53
Microsoft Azure Management Portal, 51–52
on-premises environment, 53–54
SSO (Single Sign-On) components, 54–60
preparing for directory integration, 61–64
syncing AD with Azure AD to enable SSO, 39
Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policies, Windows devices, 87
Optional Features page, Microsoft Azure Active Directory Sync Services Wizard, 44
organization units (OUs), configuring users/groups for synchronization, 62–63
OUs (organization units), configuring users/groups for synchronization, 62–63
P
Password Reset Activity report (Azure AD), 174
password reset registration activity logs/reports, 30, 174
Password Synchronization (optional feature, Azure AD Sync), 44
Password Write-Back (optional feature, Azure AD Sync), 44
passwords
password sync, 40
reset activity log, 30
self-service management, 34–35
perimeter network
data access and protection diagram, 150
solution diagram for hybrid identity, 50
permissions, conditional expressions and, 129
PFILE format, 140
pfile (protected file) encapsulation, 136
PhoneFactor, 31
planning
data protection solution, 151–153
leveraging Azure RMS, 151
preparing the environment, 151–153
device management solution, 97–105
Microsoft Intune service configuration, 97–99
Mobile Device Management enrollment, 102–105
hybrid identity solution, 51
Microsoft Azure Access Panel, 52–53
Microsoft Azure Management Portal, 51–52
on-premises environment, 53–54
SSO (Single Sign-On) components, 54–60
plan of action, troubleshooting EMS, 189
PL (Publishing License), 140
policies
creating Enterprise Mobility Strategy, 6–7
deployment (device management), 83–91
compliance policies, 88
conditional access policies, 88–90
Exchange ActiveSync policies, 90
Mobile Device Security Policy, 108
planning/designing device management solution, 100–102
conditional access policies, 102
configuration policies, 100–101
Policy workspace, Admin Console, 84
Prerequisites, device management, 78–79
prevention
security incidents, 181
security phase, 170
profiles
users, 9
protected file (pfile) encapsulation, 136
protection of data
choosing right deployment topology, 141–143
monitoring access to resources, 145–147
challenges of enabling enterprise mobility, 2–4
design strategies for mobile workforces, 13–14
implementation
configuring Azure RMS templates, 153–159
planning/designing solution, 151–153
leveraging on-premises resources, 127–135
Web Application Proxy, 130–131
Windows Server Dynamic Access Control, 128–129
understanding EMS solution, 21–23
PTXT extensions, 136
publicly trusted X509 v3 SSL certificates, 56
Publishing License (PL), 140
publishing on-premises apps, 130–131
Q
quickconfig command (WinRM), 192–193
R
reaction
security phase, 170
Reactivate button, turning on directory synchronization, 38
Ready To Install Microsoft Rights Management Connector page (Microsoft Rights Management Connector Setup Wizard), 160
registration, devices, 131
Registry Editor, 158
remote information worker (user profile), 9
reports
Azure AD Premium, 173, 182-183
Microsoft Intune monitoring, 176–179
Require Device Encryption policy, Exchange ActiveSync Mailbox Policies users, 135
Retire Device confirmation dialog box, 93
Return of Investment (ROI), 1
Review Options page (Azure AD Connect Wizard), 67
Rights Management Services. See Azure RMS; RMS
Rights Management Sharing App, 140
rights-protected documents, 139–140
risk mitigation
design strategies for mobile workforces, 14–15
understanding EMS solution, 22–23
RMS (Azure Rights Management Services), 135–147
configuring templates, 153–159
choosing right deployment topology, 141–143
monitoring access to resources, 145–147
templates, 135
integrating DAC feature, 133–134
integration with Work Folders, 166–168
leveraging for data protection, 151
monitoring capabilities, 179–180
ROI (Return of Investment), 1
running reports, Azure AD Premium Reports, 28
S
SaaS (Software-as-a-Service) applications, user access, 32–33
scenarios, directory integration, 39–41
directory sync, 40
directory sync with password sync, 40
directory sync with SSO, 40
multiforest directory sync with SSO, 41
SCEP (System Center 2012 Configuration Manager and Endpoint Protection), 77
scope of integration, planning/designing hybrid identity solution, 54
security
data protection
configuring Azure RMS templates, 153–159
leveraging on-premises resources, 127–135
planning/designing solution, 151–153
leveraging EMS response, 180–186
prevention, 181
monitoring devices
continuous monitoring and incident response, 169–170
incidence response plans, 170–171
leveraging EMS to monitor resources, 171–180
leveraging EMS to respond to a security incident, 180–186
reports, Azure AD Premium, 28–30
security identifiers (SIDs), 129
Select Containers dialog box (Synchronization Service Manager), 69
Select Users And Groups page, creating custom templates, 155
Select Your Solution page (Azure AD Connect Wizard), 65
self-service features, Azure Access Panel, 32–35
Server Licensor Certificates (SLCs), 140
service configuration, Microsoft Intune, 97–99
Company Portal customization, 98–99
device enrollment profiles, 98
Mobile Device Management authority, 97
terms and conditions, 99
Service Level Agreements (SLAs), 12
service-to-service connector, Microsoft Intune, 89
Set-AdfsGlobalWebContent cmdlet, 72
Set-AdfsWebTheme cmdlet, 72
settings, Mobile Device Security Policy, 85, 100
Set Up Service To Service Connector dialog box, 111
shift towards mobile workforces, 1–2
sideloading, 78
SIDs (security identifiers), 129
sign-in behaviors, anomalous activity reports, 29
Sign Ins After Multiple Failures report (Azure AD), 182
Sign Ins From IP addresses With Suspicious Activity report (Azure AD), 173
Sign Ins From Multiple Geographies report (Azure AD), 183
Sign Ins From Possibly Infected Devices report (Azure AD), 173
Single Sign-On (SSO), 33
adding organization’s public domain, 39
configuring synchronization filtering, 68–69
forcing directory synchronization and verifying success, 69–70
planning/designing hybrid identity solution, 54–60
AD FS, 55
AD FS sign-in page, 56
SLAs (Service Level Agreements), 12
SLCs (Server Licensor Certificates), 140
Software-as-a-Service (SaaS) applications, user access, 32–33
solution diagram
hybrid identity implementation, 50–51
device management implementation, 96–97
source of authority, directory integration, 36
Specify Domain For Federation page (Azure AD Connect Wizard), 67
Specify Federation Server Credentials page (Azure AD Connect Wizard), 66
Specify Federation Service Account page (Azure AD Connect Wizard), 66
SSO (Single Sign-On), 33
adding organization’s public domain, 39
configuring synchronization filtering, 68–69
forcing directory synchronization and verifying success, 69–70
planning/designing hybrid identity solution, 54–60
AD FS, 55
AD FS sign-in page, 56
strategies, design strategies for mobile workforces, 9–15
supportability (devices), 12
support contact information, customizing Company Portal, 98
Symantec, code-signing certificates, 78
synchronization
configuration policies, 101
Synchronization Service Manager, 69
System Center 2012 Configuration Manager and Endpoint Protection (SCEP), 77
System Center Configuration Manager 2012, 77
T
Task Scheduler Library, Azure AD Sync Scheduler task, 69
technical worker (user profile), 9
Template Distribution Web Service, 200
templates, configuring, 153–159
tenant key topology, Azure RMS, 141
terms and conditions
customizing Company Portal, 83-84, 108
Microsoft Intune service configuration, 99
Terms and Conditions Reports
Company Portal, 83
Microsoft Intune, 177
Third Era of Enterprise IT, 1
threat mitigation
design strategies for mobile workforces, 14–15
understanding EMS solution, 22–23
Threat Modeling Tool, 14
directory synchronization, 41–47
troubleshooting EMS, 190
troubleshooting EMS
cloud services, 191
tools, 190
where to find information, 190
two-factor authentication, 30–31
U
Update Reports (Microsoft Intune), 176
Update-WebApplicationProxyDeviceRegistration cmdlet, 131
Upload The APNs Certificate dialog box, 112
UPNs (User Principal Names), 39
planning/designing hybrid identity solution, 53–54
usage terms and conditions, customizing Company Portal, 108
user access
disabling, 184
SaaS (Software-as-a-Service) applications, 32–33
User Principal Names (UPNs), 39
planning/designing hybrid identity solution, 53–54
user profiles, 9
users
Azure Access Panel self-services, 32–35
challenges of enabling enterprise mobility, 2–4
configuring for synchronization, 62–63
data access and protection diagram, 150
design strategies for mobile workforces, 9–10
solution diagram for hybrid identity, 50
Users With Anomalous Sign In Activity report (Azure AD), 174, 182
V
validation
client access, 166
results, troubleshooting EMS, 189
vendor-agnostic approach to BYOD, 4
verifying public domains, 60–61
viewing Azure AD Premium reports, 28
View Policy Issues dialog box, 88
VLSC (Volume Licensing Service Center), 78
Volume Licensing Service Center (VLSC), 78
W
Warning dialog box, 116
Web Application Proxy
leveraging for data protection, 130–131
planning/designing hybrid identity solution, 55–56
Welcome page
Azure AD Sync, 43
Windows 8.1 computers, enrollment, 123–125
Windows devices
configuration policies, 86
deploying email profile configuration policies, 109
device management prerequisites, 79
external device enrollment dependencies, 113
Windows Phone 8.0
device management prerequisites, 79
external device enrollment dependencies, 113–114
Mobile Device Management enrollment considerations, 104
Windows Phone 8.0, enrollment, 121–123
Windows Phone OMA-URI (Open Mobile Alliance Uniform Resource Identifier) policies, 87
Windows Phone Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policies, 87
Windows Phone security model, AppContainer, 13
Windows Remote Management (WinRM) functionality, 191
Windows Server Dynamic Access Control, 128–129
WinRM (Windows Remote Management) functionality, 191
wiping compromised devices, 186
wizards
Add Software wizard, 113
Azure AD Connect Wizard, 46, 57
enabling SSO (Single Sign-On), 64–70
Getting Started page, 46
planning/designing hybrid identity solution, 57–58
troubleshooting Azure AD Premium, 191–192
Azure Active Directory Sync Services Wizard, 43
Microsoft Intune Setup Wizard, 124–125
Microsoft Rights Management Connector Setup Wizard, 159–160
New Sync Share Wizard, 167–168
Work Folders
data protection at user device location, 131–135
integration with Azure RMS, 166–168
WS-Management protocol, 192
X
X509 v3 SSL certificates, 56
Y
Your Template Has Been Added Quick Start page, creating custom templates, 155