Fifth Event, 08-03-2023: Di MAM ce n'è uno solo... (There is only one MAM...)

This session covers the MAM (mobile application management) features of Intune and the new Microsoft Tunnel for Mobile Application Management.

Speakers:
- Marco Moioli (Microsoft)
- Davide Salsi (MVP)

Intune Italian User Group

March 10, 2023

Transcript

  1. Di MAM ce n’è uno solo… (There is only one MAM…)
    Davide Salsi (MVP)
    Marco Moioli (Microsoft)

  2. Marco
    • Cloud Solution Architect @ Microsoft
    • Works with Italian partners on Security, Identity and
    Compliance topics
    • Co-Founder Microsoft Intune Italian User Group,
    Microsoft Security Italian User Group, Azure
    Virtual Desktop & Windows 365 Italian User
    Group

  3. Davide
    • User Endpoint Solution Architect @ 4wardPRO
    • Design and implementation of endpoint management
    and provisioning solutions
    • Microsoft MVP, Enterprise Mobility
    • Co-Founder Microsoft Intune Italian User Group

  4. Agenda
    • Overview
    • What's new in Microsoft Intune
    • Protecting corporate applications
    • Accessing resources with Microsoft Tunnel

  5. The world of today
    Complex IT management: 72% of organizations reported increased complexity within their IT environment over the past two years. [2]
    Growing security risks: 68% of organizations have experienced one or more endpoint attacks that compromised data and/or their IT infrastructure. [1]
    Economic uncertainty: 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020. [3]
    1. “The Third Annual Study on the State of Endpoint Security Risk,” Ponemon Institute, January 2020.
    2. SolarWinds IT Trends Report, June 2022.
    3. Gartner press release, “Gartner Survey Shows 75% of Organizations Are Pursuing Security Vendor Consolidation in 2022,” September 2022.

  6. People are working in more places, with more flexibility and more devices
    How do you secure your
    endpoint estate?
    How do you reduce
    complexity of IT
    workloads?
    How do you ensure
    protection, while enabling
    workforce flexibility and
    productivity?
    Technology must keep us connected and productive while reinforcing our security posture
    in an increasingly sophisticated and complex world.

  7. Microsoft is recognized as a leader for UEM tools
    2022 Gartner® Magic Quadrant™ for Unified
    Endpoint Management Tools
    2023 OMDIA UNIVERSE

  8. Microsoft Intune Plan 1
    Microsoft Intune covers computer management, mobile device management and mobile application management.

  9. Microsoft Intune Suite
    New Microsoft Intune Suite helps simplify security solutions - Microsoft Security Blog

  10. Microsoft Intune Suite
    New Microsoft Intune Suite with Privilege Management, Advanced Analytics, Remote Help & App VPN

  11. App protection policies

  12. Microsoft Intune app protection policies
    Supported platforms: iOS/iPadOS devices (iPhones, iPads, iPods)*, Android devices, Windows devices
    [Diagram: on one device, personal apps, corporate apps and other apps share device storage; app protection policies keep corporate data separate from personal data]

  13. What do app protection policies provide?
    Data protection: additional data protection for existing LoB apps without a need to update the apps.
    Wipe: ability to wipe corporate data from devices while leaving personal data alone.
    Audit reports: use of audit reports for tracking issues and remedial actions.
    Data separation: separation between personal and corporate data without requiring employees to switch environments or apps.

  14. What do app protection policies provide?
    Multi-identity awareness
    • Targets protection ONLY to the corporate account
    • Personal and unmanaged accounts aren’t affected
    Data protection
    • Encrypts corporate data
    • Controls data transfer mechanisms between managed and unmanaged apps
    • Controls transfer of web content
    • Selective wipe of corporate data, whether admin, user, or offline initiated
    Access requirements
    • Controls access to corporate data via PIN, biometrics, or credentials
    • Provides inactivity timers
    Conditional launch
    • Validates device health: jailbreak/root detection, mobile threat defense
    • Validates OS variables like OS version, Android patch version
    • Validates app variables like app version or SDK version
    • Validates device model or manufacturer

  15. App protection policies for unmanaged devices
    [Diagram: the Intune MAM Service delivers MAM policies (app protection policies) to Microsoft Intune protected apps on the device; those apps embed the Intune SDK, either directly or through the Intune App Wrapping Tool; corporate data in the protected apps is kept separate from personal data and from other apps in device storage]

  16. App protection policies for managed devices
    App protection policies (APP) can also work on managed devices, protecting selected public applications* or line-of-business (LoB) applications**.
    APP are delivered to the device by the MEM Intune Mobile Application Management (MAM) service.
    Mobile Device Management (MDM) of the device can be done by MEM Intune or by a 3rd-party MDM.
    [Diagram: the Intune MAM Service delivers MAM policies to Microsoft Intune protected apps (Intune SDK, directly or via the Intune App Wrapping Tool), while MDM policies come from the MDM (Intune or 3rd party); corporate data stays separate from personal data and other apps in device storage]

  17. App protection policies delivery to the device
    [iOS]
    On iOS, each app is sandboxed, and cross-process usage is prevented
    Office and Edge apps have the full Intune SDK embedded
    Other apps can have Intune SDK embedded too (and many do)
    Authenticator app is required for conditional access scenarios
    [Android]
    Android allows cross-process execution
    Company Portal app (CP) includes the Intune SDK
    Apps include a stub SDK
    Enables an architecture where some SDK changes can be made (e.g., FIPS,
    256-bit encryption) without requiring any changes to the apps
    Company Portal handles Conditional Access scenarios

  18. Data protection
    Data protection settings in the app protection policy determine how corporate data can be processed on the devices and in the apps to which the policy was applied.
    The Data transfer section determines
    • Backups of corporate data
    • Sending corporate data to other apps
    • Copying corporate data to other locations
    • Transferring telecommunication data to dialer apps
    • Restrictions on cut / copy / paste user activities
    • Use of third-party / approved keyboards
    The Encryption section determines encryption of corporate data stored on the device by the app
    The Functionality section determines
    • Syncing corporate contacts
    • Printing corporate data
    • Web transfers to other apps
    • Restricting data notifications

  19. Data protection:
    Example 1 – restricting cut / copy / paste
    Restrict cut, copy, and paste between apps: specify restrictions on data cut or copied from, or pasted to, apps protected with an app protection policy. Options: All apps; Blocked; Policy managed apps; Policy managed apps with paste in.
    Cut and copy character limit for any app: the number of characters of corporate data that may be cut or copied to any app.
    [Diagram: Microsoft Endpoint Manager with app protection policy, showing the four options All apps / Policy managed apps / Policy managed apps with paste in / Blocked]

  20. Data protection:
    Example 2 – notifications
    Org data notifications: specify how corporate data is shared through OS notifications for corporate accounts by apps protected with an app protection policy. Options: Blocked; Blocked org data; Allow.
    [Diagram: Microsoft Endpoint Manager with app protection policy, showing the three options Blocked / Blocked org data / Allow]

  21. Access requirements
    Access requirements settings of an app protection policy determine what a user needs to provide to access apps to which the policy was applied.
    PIN for access settings enforce use of an App PIN and provide the ability to set
    • Requirements for an App PIN (type, complexity, length)
    • Use of biometrics instead of an App PIN
    • Lifetime of an App PIN
    • Use of an App PIN versus a Device PIN
    The Work or school credentials for access setting allows the use of corporate credentials instead of (or in addition to) an App PIN.
    The Recheck the access requirements setting defines how often a user is prompted for an App PIN or corporate credentials when using an app.

  22. Access requirements:
    Examples of ‘PIN for access’ and ‘PIN reset after number of days’ settings
    App protection policy → Access requirements → PIN for access → Require
    App protection policy → Access requirements → PIN reset after number of days

  23. Use of an app-level PIN versus a device-level PIN
    An app protection policy enforces an app-level PIN for access to the apps to which the policy is applied
    • [iOS] Each app has its own App PIN
    • [Android] The App PIN is shared by all MEM-managed apps
    A device-level PIN (aka “device passcode”) protects access to the whole device
    • It can be enforced through configuration policies on devices enrolled in Microsoft Endpoint Manager
    When both an app-level PIN and a device-level PIN are enforced by Microsoft Endpoint Manager, the “App PIN when device PIN is set” setting in Access Requirements defines whether an App PIN is still needed to access an app protected by the App Protection Policy.
    [Diagram: app-level PIN versus device-level PIN]

  24. Conditional launch
    Conditional launch settings of an app protection policy are conditions, with criteria (values) that are either app-based or device-based, on which user access to the app on the device is decided, together with the actions to take if these conditions are met.
    The App conditions section determines
    • Maximum allowed attempts to enter the App PIN
    • Grace period for running the app offline
    • Minimum version of the app
    • [iOS] Minimum version of the Intune SDK
    The Device conditions section determines
    • Access from jailbroken/rooted devices
    • Minimum version of the OS
    • [Android] Minimum patch version
    • [iOS] Model of the device
    • [Android] Manufacturer(s) of the device
    • [Android] SafetyNet device attestation
    • [Android] Require threat scan on apps
    • [Android] Minimum version of the Company Portal app
    • Maximum threat level allowed for the device

  25. Conditional launch:
    Example 1 - Jailbroken/Rooted setting
    App Protection Policy → Conditional
    Launch → Jailbroken/Rooted → Block

  26. Conditional launch:
    Example 2 - Block and Wipe actions
    [iOS]
    App Protection Policy →
    Conditional launch →
    Device model → Block
    [Android]
    App Protection Policy →
    Conditional launch → Device
    manufacturer → Wipe
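As an added example (not from the deck, and not Microsoft's own sample code), the data protection, access requirement and conditional launch settings walked through on slides 18 to 26 expressed as one iOS app protection policy, created through Microsoft Graph with the Microsoft.Graph PowerShell SDK, targeted at Outlook and assigned to a group. The group ID is a placeholder assumption, the beta endpoint is used because it exposes notificationRestriction, and every value chosen is illustrative rather than a recommended baseline.

```powershell
# Added example: build an iOS app protection policy from the settings discussed in the deck.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Authentication module).
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$base    = 'https://graph.microsoft.com/beta'              # beta: needed for notificationRestriction
$groupId = '00000000-0000-0000-0000-000000000000'          # ASSUMPTION: replace with your pilot group's object ID

$policy = @{
    '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
    displayName   = 'iOS APP - corporate data (pilot)'
    description   = 'MAM-only policy for BYOD iOS devices'

    # Data protection: data transfer (slide 18/19)
    allowedInboundDataTransferSources       = 'managedApps'             # only policy-managed apps may send data in
    allowedOutboundDataTransferDestinations = 'managedApps'             # only policy-managed apps may receive data
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'  # slide 19: managed apps, paste-in from any app
    dataBackupBlocked                       = $true                     # no org data in iCloud backups
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    printBlocked                            = $true
    contactSyncBlocked                      = $false
    managedBrowserToOpenLinksRequired       = $true                     # web content stays in a managed browser
    managedBrowser                          = 'microsoftEdge'
    notificationRestriction                 = 'blockOrganizationalData' # slide 20: notify, but hide org data

    # Data protection: encryption
    appDataEncryptionType = 'whenDeviceLocked'

    # Access requirements (slides 21-23)
    pinRequired                       = $true
    pinCharacterSet                   = 'numeric'
    minimumPinLength                  = 6
    simplePinBlocked                  = $true
    periodBeforePinReset              = 'P90D'  # ISO 8601 duration: PIN reset after 90 days
    fingerprintBlocked                = $false  # biometrics may replace the App PIN
    faceIdBlocked                     = $false
    disableAppPinIfDevicePinIsSet     = $false  # keep the App PIN even when a device passcode exists
    organizationalCredentialsRequired = $false
    periodOnlineBeforeAccessCheck     = 'PT30M' # recheck access requirements every 30 minutes online
    periodOfflineBeforeAccessCheck    = 'PT12H'

    # Conditional launch (slides 24-26)
    maximumPinRetries                 = 5       # app condition: max PIN attempts before a PIN reset
    periodOfflineBeforeWipeIsEnforced = 'P90D'  # offline grace period, then selective wipe
    deviceComplianceRequired          = $true   # device condition: jailbroken devices are blocked
    minimumRequiredOsVersion          = '15.0'  # block below iOS 15
    minimumWarningOsVersion           = '16.0'  # warn below iOS 16
}

$created  = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
$policyId = $created.id

# Target the policy at the apps it should protect. The bundle ID is Outlook's public one.
$apps = @{
    apps = @(
        @{
            '@odata.type'       = '#microsoft.graph.managedMobileApp'
            mobileAppIdentifier = @{
                '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                bundleId      = 'com.microsoft.Office.Outlook'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceAppManagement/iosManagedAppProtections/$policyId/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Assign the policy to the pilot group.
$assign = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceAppManagement/iosManagedAppProtections/$policyId/assign" `
    -Body ($assign | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Read back the policy with its targeted apps and assignments to confirm what landed.
Invoke-MgGraphRequest -Method GET `
    -Uri ("$base/deviceAppManagement/iosManagedAppProtections/$policyId" + '?$expand=apps,assignments')
```

The Android counterpart lives under deviceAppManagement/androidManagedAppProtections and carries the Android-only conditions from slide 24 (minimum patch version, SafetyNet attestation, Company Portal version) as extra properties; a practitioner should keep the two policies' shared settings identical so that the clipboard, notification and PIN behaviour users see does not depend on the platform.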

  27. MAM Tunnel

  28. Modern Work
    [Diagram: Modern Work; On-premises]

  29. Microsoft Tunnel
    Multi-platform support
    MDM/MAM
    Easy setup

  30. Components
    Microsoft Intune: the solution that manages the Tunnel Gateway and the devices
    Azure Active Directory: the solution used for authentication
    Linux server: the platform the container runs on (Podman or Docker)
    Container: the engine in which the Tunnel Gateway and the management agent run
    Management Agent: the agent that applies the required configuration to the Tunnel Gateway
    Authentication Plugin: the plugin used for authentication against Azure Active Directory
    Public certificate: the certificate used to encrypt the communication channel between the Tunnel server and the devices
    Public IP/FQDN: the public IP address or public FQDN on which the Microsoft Tunnel service is exposed
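The last two components above are the ones an external device actually touches, so a useful pre-flight check is to probe the public FQDN the way a device would and confirm the gateway certificate chains to a trusted root, matches the name and is not about to expire. The function below is an added check written for this page, not part of the deck or of the Tunnel product; the FQDN is a placeholder assumption. It only exercises TCP 443, not the UDP 443 (DTLS) path the gateway also listens on by default.

```powershell
# Added check: TLS handshake against a Microsoft Tunnel site's public FQDN.
function Test-TunnelEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $TunnelFqdn,
        [int] $Port = 443,
        [int] $WarnDays = 30          # flag certificates expiring within this many days
    )

    # 1. DNS: the public FQDN must resolve to something reachable from the internet.
    $addresses = [System.Net.Dns]::GetHostAddresses($TunnelFqdn) | ForEach-Object { $_.IPAddressToString }
    if (-not $addresses) { throw "$TunnelFqdn does not resolve" }

    # 2. TLS handshake. The validation callback records the policy errors instead of
    #    aborting, so we can still inspect the certificate and report the exact problem.
    $state = @{ Errors = 'NotChecked' }
    $sb = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true   # accept for inspection only; $state.Errors decides the verdict below
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb

    $tcp = [System.Net.Sockets.TcpClient]::new($TunnelFqdn, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TunnelFqdn)   # SNI and hostname check use the FQDN, as a device would
        $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # 3. Expiry and verdict. SslPolicyErrors.None means the chain is trusted AND the name matches.
    $daysLeft = [int]($cert.NotAfter.ToUniversalTime() - [DateTime]::UtcNow).TotalDays
    [pscustomobject]@{
        Fqdn         = $TunnelFqdn
        Addresses    = $addresses -join ', '
        Protocol     = $protocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        PolicyErrors = $state.Errors
        Healthy      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None) -and ($daysLeft -gt $WarnDays)
    }
}

# ASSUMPTION: placeholder FQDN; use your own site's public FQDN.
Test-TunnelEndpointCertificate -TunnelFqdn 'tunnel.contoso.example' | Format-List
```

Read PolicyErrors before trusting Healthy: RemoteCertificateNameMismatch means the certificate's SAN does not cover the FQDN configured on the site, and RemoteCertificateChainErrors from a workstation that does not trust an internal issuing CA is expected when the certificate comes from that CA, in which case the devices need that root distributed to them, as the requirements slide notes for iOS.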

  31. Architecture

  32. Requirements
    Requirement / feature, by platform (Android vs. iOS)
    App
    - Android: Company Portal (sign-in not required); Defender for Endpoint
    - iOS: no app required
    Features
    - Android: per-app VPN; device-wide VPN; auto-launch (the VPN starts automatically when the app starts)
    - iOS: per-app VPN; auto-launch (the VPN starts automatically when the app starts); no device-wide VPN; support for an internal trusted root CA
    Requirements for LOB apps
    - Android: Intune App SDK; Microsoft Authentication Library (MSAL) integration
    - iOS: Intune App SDK; Microsoft Authentication Library (MSAL) integration; Tunnel for MAM SDK
    Microsoft Edge
    - Android: identity switch (the VPN connects when a work account is in use and disconnects when a personal account or InPrivate mode is in use); device-wide and per-app VPN support
    - iOS: identity switch (the VPN connects when a work account is in use and disconnects when a personal account or InPrivate mode is in use)
  33. Demo

  35. Troubleshooting
    mst-cli command-line tool

  36. Useful links
    Intune MAM
    - What is app management in Microsoft Intune? | Microsoft Learn
    - Supported Microsoft Intune apps | Microsoft Learn
    Tunnel
    - Microsoft Tunnel for Mobile Application Management | Microsoft Learn
    - Monitor Microsoft Tunnel | Microsoft Learn