Share via

Enterprise Mobility + Security: Survival Guide

  • Article

Enterprise Mobility + Security is Microsoft’s offering that provides an agile, comprehensive set of mobility and security solutions enabling a pathway to mobility and the cloud.   

This article will introduce how Enterprise Mobility + Security fit into today's landscape with an increasingly mix and match the environment of devices, applications and platforms and being able to manage this cohesively and securely.   This will provide a detailed explanation of what EMS includes, the different versions along with additional resources.

Enterprise Mobility + Security was originally known as the Enterprise Mobility Suite but was renamed as the product evolved.  Enterprise Mobility + Security is still abbreviated as EMS.

Enterprise Mobility + Security Themes

Many IT departments large and small increasingly have to support a more diverse workforce, that can work from any location on any device.  This presents new challenges from traditional IT that requires a better approach.  Here are some scenarios that Enterprise Mobility + Security covers:

  • Context-aware security, only using the best security when it’s most needed 
  • Supporting a wider range of devices including Bring Your Own Device (BYOD) all from one console 
  • With more apps and platforms to support than ever, provide unified access all with a single username and password using single-sign-on 
  • Protect documents wherever they end up (copied, forwarded, uploaded) while retaining control with options to revoke and track  

Microsoft Enterprise Mobility + Security bring together a raft of solutions that work together to control, protect and enable new ways of working, that goes much further than traditional solutions like Mobile Device Management.

Market Position 

In June 2016 Microsoft announced Gartner had recognized what was still called Enterprise Mobility Suite as a visionary in the related Magic Quadrant:

"We are pleased to announce that Gartner has recognized Microsoft with a visionary placement for Microsoft Intune and the Enterprise Mobility Suite in the Enterprise Mobility Management Magic Quadrant. This is a dynamic market and we are excited to see this recognition for the innovation that we are driving for our customers and partners."

Also announced was the huge market growth: 

"EMS now has more than 27,500 unique paying customers, and, when you examine the public numbers of net new customer adds over the last 2 quarters, it becomes clear just how dramatically EMS is outgrowing others in the market".  Separately, Microsoft stated "more than 1/3 of the Fortune 500 now onboard" with Enterprise Mobility + Security.

As well as this, Gartner placed Microsoft with Azure Active Directory as leaders in the Identity and Access Management as a Service Magic Quadrant. 

What is Enterprise Mobility + Security?

Microsoft describes Enterprise Mobility + Security as an “Identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era. Our technologies not only help you protect your organization but also identify breaches before they cause damage.”

At its essence Enterprise Mobility + Security is a bundle of products that are brought together and licenced with a single per-user based subscription.   These products come under these three headings: 

Identity and Access Management

  • Azure Active Directory Premium
  • Multi-factor Authentication 
  • Microsoft Identity Manager

**Device and App Management **

  • Microsoft Intune
  • System Center Configuration Manager 

**Information Protection + Security **

  • Azure Information Protection
  • Advanced Threat Analytics
  • Cloud App Security

Enterprise Mobility + Security E3 vs E5

Enterprise Mobility + Security can be licenced either as the E3 or E5 versions.  Here are the differences between EMS E3 vs E5:

The original Enterprise Mobility Suite became Enterprise Mobility + Security E3.  EMS E5 comes with these additional features:

  • Azure Active Directory Premium P2 adds Identity Protection and Privileged Identity Management
  • Azure Information Protection Premium P2 adds automated data classification and Hold Your Own Key support
  • Microsoft Cloud App Security

Enterprise Mobility + Security is also available as part of the Secure Productive Enterprise bundle, which also includes Office 365 and Windows 10 Enterprise. 

Components

This section is an index of the solutions that are a part of Enterprise Mobility + Security.

Advanced Threat Analytics

Microsoft describes Advanced Threat Analytics (ATA) as an on-premises cybersecurity product that helps companies identify advanced persistent threats before they can cause damage.  It is designed to help customers protect their organization from advanced targeted attacks by doing the following:

  • It detects advanced security threats fast via behavioral analytics that leverage Machine Learning
  • Allows organizations to adapt to the changing nature of cyber-security threats with a technology that is continuously learning
  • Zero in on the most important security factors using a simplified attack timeline
  • Reduces false positive fatigue and raises red flags only when needed
  • ATA also helps to identify known malicious attacks, security issues, and risks and presents all of this information in an easy-to-consume, and simple-to-drill-down, social media-like feed.

Additional Information

What is Advanced Threat Analytics?

Advanced Threat Analytics Datasheet

Demos and Presentations

Learn how Microsoft Advanced Threat Analytics combats persistent threats Microsoft Ignite 2016

Azure Active Directory Premium

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service. Azure AD comes as a free service with Office 365, Microsoft Dynamics CRM Online and other Microsoft services.  Azure Active Directory Premium adds several features that are only available as part of a paid edition.

These are some of the features included in both Premium (P1 and P2) Editions meaning they are in both EMS E3 and E5:

  • Self-Service Group and app Management plus Dynamic Groups
  • Self-Service Password Reset
  • Multi-Factor Authentication (Cloud and On-premises (MFA Server))
  • Microsoft Identity Manager
  • Cloud App Discovery
  • Azure AD Connect Health

These following features are only available in the Premium P2 Edition, that comes with EMS E5:

  • Identity Protection
  • Privileged Identity Management

Additional Information

Demos and Presentations

Azure AD Identity Protection

Azure AD Identity Protection is included with Azure AD Premium P2 which comes with Enterprise Mobility + Security E5.   Microsoft provides more detail about AzureAD Identity Protection:

AzureAD Identity Protection goes further than traditional monitoring and reporting tools, based on risk events, Identity Protection calculates a user risk level for each user, enabling administrators to configure risk-based policies to automatically protect the identities of an organization.

These risk-based policies, in addition to other conditional access controls provided by Azure Active Directory and EMS, can automatically block or offer adaptive remediation actions that include password resets and multi-factor authentication enforcement.

Additional Information

Azure Active Directory Identity Protection documentation

Demos and Presentations

Intelligent identity protection with Azure AD Microsoft Mechanics

Azure Information Protection

Azure Information Protection is a solution to protect documents and emails, ensuring the contents can only be seen by the intended recipients.  Even if the documents are forwarded or saved to another location they won't be accessible by anyone else.  Documents can be protected by Azure Rights Management (RMS), which encrypts documents.  This protection stays with documents and access is verified every time the document is opened.  Access can be tracked and revoked as well. Policy-driven labels can be applied to documents to classify different types of data eg public, general, confidential, top secret with the Azure Information Protection client.

These are some of the features included in both Premium (P1 and P2) Editions meaning they are in both EMS E3 and E5:

  • Manual document classification and consumption of classified documents
  • Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content
  • Bring Your Own Key (BYOK) 
  • Document tracking and revocation
  • Custom templates, including departmental templates

These following features are only available in the Premium P2 Edition, that comes with EMS E5:

  • Automated data classification and administrative support for automated rule sets
  • Hold Your Own Key (HYOK) 

Additional Information

Demos and Presentations

Azure Multi-Factor Authentication

With Microsoft cloud services like Office 365 and Dynamics 365, users can access them from anywhere but if the only measure that is protecting access is a password, this is susceptible to hacking.  Passwords can be easily intercepted, via malware, over public WiFi or by using untrusted devices.   Multi-Factor Authentication (MFA) requires users to not only specify their password but to prove they are who they say they are. This works by users having something in their possession that provides additional authentication with:

  • Something you know (typically a password)
  • Plus something you has (a trusted device that is not easily duplicated, like a phone)

This is Microsoft's implementation of two-factor authentication (2FA) also known as 2-Step Verification as Google calls it or with Twitter they call it login verification. Multi-Factor Authentication is available to all Office 365 customers and Azure administrators at no additional cost.  As part of Azure AD Premium, that's included with EMS E3 and E5, Azure Multi-Factor Authentication is included with the full version that has additional features.   

Azure Multi-Factor Authentication works with mobile apps, phone calls, or text messages to verify the login.

Additional Resources 

What is Azure Multi-Factor Authentication?

Multi-factor Authentication Documentation

Azure AD Privileged Identity Management

Azure AD Privileged Identity Management is included with Azure AD Premium P2 which comes with Enterprise Mobility + Security E5. 

Administrators will sometimes perform day to day activities with an account that has full privileges.  This presents a considerable risk as these accounts become a high-value target for attackers and when compromised could be used to damage an organization with data exfiltration as just one example.  Azure AD Privileged Identity provides "just in time" administration, so administrators can have elevated rights when they need them and standard rights for the rest of the time.  Features include:

  • See which users are Azure AD administrators
  • Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
  • Get reports about administrator access history and changes in administrator assignments
  • Get alerts about access to a privileged role

Additional Information

What is Azure AD Privileged Identity Management

Cloud App Security

Microsoft describes Cloud App Security as:

"The solution provides a set of capabilities to help companies design and enforce a process for securing cloud usage; from discovery and investigation capabilities to granular control and protection. It is easy to deploy, setup and use and provides out-of-the-box value immediately, as well as rich tutorials for unlocking advanced capabilities."

The Cloud App Security framework provides:

  • Cloud Discovery: Discover all cloud use in an organization, including Shadow IT reporting and control and risk assessment.
  • Data Protection: Monitor and control data in the cloud by gaining visibility, enforcing DLP policies, alerting and investigation.
  • Threat Protection: Detect anomalous use and security incidents. Use behavioral analytics and advanced investigation tools to mitigate risk and set policies and alerts to achieve maximum control over network cloud traffic.

Cloud App Security is only available in the EMS E5 edition.

Additional Information

What is Cloud App Security

Microsoft Cloud App Security is generally available

Cloud App Security Release Notes

Cloud App Security datasheet

Demos and Presentations

Get visibility, data control and threat protection with Microsoft Cloud App Security Microsoft Ignite 2016

Learn how to deploy and manage Microsoft Cloud App Security Microsoft Ignite 2016

Discover & Control SaaS Application Usage with Microsoft Cloud App Security Microsoft Ignite Australia 2017

Introducing Microsoft Cloud App Security Microsoft Mechanics

Microsoft Intune

Microsoft Intune is a cloud-based device management platform that can manage mobile devices such as smartphones, tablets as well as conventional laptops and PCs. Mobile applications can be managed and protected.  Here is an overview of features:

  • Manage the mobile devices that the workforce uses to access company data
  • Manage the mobile apps used by the workforce users
  • Protect the company information by helping to control the way that the workforce accesses and shares it
  • Ensure devices and apps are compliant with company security requirements

Intune can manage company-owned devices as well as for BYOD (Bring your own device).   Intune offers PC management features including software deployment and inventory, as well as malware protection.  Intune can extend the management reach of devices that often don't come into the office or would be more difficult to manage otherwise.

Microsoft Intune can be used either as a standalone service or in a hybrid mode with System Center Configuration Manager.  Intune with System Center Configuration Manager lets organizations manage all of their devices through a single console.  Microsoft promote this as a capability only they can offer: 

"This provides that single pane of glass for managing all your devices (PC’s, phones, tablets, etc.). This is a unique capability that is only being delivered by Microsoft. The combination of ConfigMgr and Intune is the only solution that provides the full solution for managing all the versions of Windows, as well as all mobile devices."

**Additional Resources **

What is Intune?

Choose between Microsoft Intune standalone and hybrid with System Center Configuration Manager

Intune Datasheet

What's new in Microsoft Intune

Demos and Presentations

See what's new in mobile application management with Microsoft Intune Microsoft Ignite 2016

Manage your mobile devices and apps with System Center Configuration Manager and Microsoft Intune Microsoft Ignite 2016

What’s new in Mobile Application Management with Microsoft Intune Microsoft Mechanics 

System Center Configuration Manager

System Center Configuration Manager is a comprehensive platform to manage devices.   Features include software deployment, software updates, OS deployments remote control, inventory and reporting.   

Microsoft Intune grants rights to use Configuration Manager, so that makes it a part of EMS as a result.  This is outlined in the Microsoft Intune Licensing Datasheet:

"Microsoft Intune is a user based subscription service. It is licensed per user per month allowing up to 5 devices per user. Intune includes on-premises use rights for System Center 2012 Configuration Manager (ConfigMgr) Client Management License (CML) & System Center 2012 Endpoint Protection (SCEP) Client Management License (CML)."

**Additional Resources **

Introduction to System Center Configuration Manager

System Center Configuration Manager datasheet

What's new in hybrid MDM

Enterprise Mobility + Security Resources 

There is comprehensive EMS documentation on the docs.microsoft.com platform.  The main landing page is: 

/en-us/enterprise-mobility-security/

The documentation covers all the individual components as well as a scenario section including getting started guides.  The Resources page on the EMS product page has many useful documents including case studies, best practices, guides and industry reports as well as on-demand webinars.  Track Enterprise Mobility developments with the Cloud Platform roadmap that includes recently available features, public previews and new features in development.

Blogs and Twitter

The primary blog to follow is the official 'Enterprise Mobility and Security Blog' site which is frequently updated and is an essential resource.  It's possible to filter based on product/services, solutions and the type of content that is of interest.  RSS feeds are supported either for all posts or based on the filters applied.   

These are official Twitter accounts of Microsoft visionaries and influencers involved in Enterprise Mobility: 

Dan Plastina @DanPlastina

Simon May @simonster

Alex Simons @Alex_A_Simons

Julia White @julwhite

Brad Anderson @Anderson

Andrew Conway @aconway1100

Support

Getting support for Enterprise Mobility + Security is done through the Office 365 Portal and Azure portal.  Support is included for Enterprise Mobility + Security and EMS customers with Azure support plans can log calls through the Azure Portal.

Support for Azure Active Directory Premium, Azure Information Protection, and Intune is available through the Office 365 portal including phone support.  Here are some of the categories when raising a new service request listed under Mobile device management section in the portal:

Microsoft list these forums for additional EMS help:

Azure Active Directory support forum

Intune support forum

Azure Information Protection support forum (external Yammer network)

The 'Enterprise Mobility + Security Support FAQs' has further information.

Training and The Ops Team

The Microsoft Virtual Academy (MVA) has some Enterprise Mobility + Security training courses that will be of interest to IT Pros.  This is free online, on-demand training and includes the Enterprise Mobility Core Skills strand with:

  • Azure Active Directory Core Skills
  • Azure Rights Management Services Core Skills
  • Microsoft Intune and System Center Configuration Manager Core Skills

The 'Enterprise Mobility at Microsoft' course provides behind the scenes look at how Microsoft support its 180,000 internal users.  There are older courses that might still be of interest including 'Identity and Access Management' and 'Taming Android and iOS with Enterprise Mobility Suite'.  A more recent, highly recommended course that comes with 16 modules is 'Deploying Microsoft Enterprise Mobility Suite'.

As well as this MVA training, Microsoft has a regular show on Channel 9 called 'The Ops Team', which frequently covers Enterprise Mobility as well as broader topics for IT Pros:

"Weekly show where 4 Technical Evangelists specializing in IT Operations get together to give you the deets on their 4 areas of expertise: Microsoft Azure/Cloud, On-Premises technologies, Enterprise Mobility / Windows and DevOps"

Labs and Certification 

Microsoft provides instructions on how to create an EMS dev/test environment in Azure.  It starts with a base configuration, then building an Office 365 dev/test environment and finally adding an EMS dev/test environment:

Microsoft offers a Microsoft Certified Solutions Expert (MCSE): Mobility certification that maps to some elements of EMS.  It builds on the Microsoft Certified Solutions Associate (MCSA) Windows 10 certification with an elective exam including '696 - Administering System Center Configuration Manager and Intune'.

Microsoft Tech Community

The Microsoft Tech Community includes a dedicated Enterprise Mobility + Security community to discuss several different parts of EMS with these spaces (forums) available:

The best place to discuss Multi-Factor Authentication (MFA) would be the Identity & Authentication space in the Office 365 community but the Security + Identity space from the Azure community is also available.  Finally, there is the Azure Active Directory space, which includes Azure AD Premium discussions.

More generally, there are presentation slides and videos from Microsoft Ignite, some of which have been linked to in the components section but there are much more available.  This can be found in the Events section and the Microsoft Ignite Content space.  Use the "Search this space" option to find particular topics of interest.  

Separately to this, there are the many related presentations from Microsoft Ignite Australia 2017, that are hosted on Channel 9.