B1 Intermediate US 218 Folder Collection
After playing the video, you can click or select the word to look it up in the dictionary.
Report Subtitle Errors
Welcome to Enterprise Mobility Subject Matter Expert or
SME Roundtable.
Hi, I'm Sheri Bettine and I'll be your host.
We are the IT showcase team and we love to talk to you, our customers,
about how Microsoft does IT.
Today I am here with many of our IT experts who have implemented
enterprise mobility solutions here at Microsoft.
This is your opportunity to ask direct questions of our SMEs and
receive candid answers.
We would like to learn a little bit about you too so
we are posting a question in your Skype window
on what is your biggest challenge in the enterprise mobility space?
By answering this question, you give us a little bit of information about
you that can help shape our answers.
While you're doing that, I'll ask our SMEs to introduce themselves.
And let's start with you Fergus.
>> My name is Fergus Stewart and I'm responsible for
running an application platform on end user workstations that's
designed to optimize the end user experience of all our products and
services in Microsoft IT.
We do that across not only the Windows desktop platform but
also across all of the mobile platforms.
And hopefully, during today I'll get a little bit of time to share some
of how we are doing that.
>> Hi, I'm Geoff Brock.
I'm a Senior Service Engineer in Microsoft IT Identity and
Access Management Services.
I'm primarily responsible for managing and securing all of our
authentication infrastructure, domain controllers, active directory
federation servers, the multi-factor authentication service.
And yeah, that's about it.
That's enough.
>> That's a lot.
>> [LAUGH] >> My name is Mike Degooyer,
I'm an user and end services essentially.
I am responsible for Microsoft's Intune and
system center implementation, which includes about 300,000 desktops and
about 80 to 90,000 mobile devices.
And all the services that we actually deliver and
deploy and manage from settings to
software on all of those devices across Microsoft.
>> Hi, my name is Arun Mannengal,
I'm a Senior Software Engineer at Microsoft.
My team is responsible for the design strategy and
implementation of Hyper-scale services that light up
various mobility scenarios that are critical for a business.
Coupled with machine learning and data science into those services.
>> We will make every effort in the next hour to answer
all of your questions.
However if we can't, we'll stay behind in the studio and
continue answering questions and post that extended footage along
with this video on our microsoft.com/ITShowcase site.
With that, let's get started.
First question, and you can start posting your questions now.
How are you defining cloud management today and
where do you see enterprises moving in the next several years?
Mike, how about you?
>> Sure, that's actually a really good question.
I've been meeting with a lot of companies and
talking about the definition of cloud management.
A lot of people have this misnomer.
The first thing I'll say is what it is not.
A lot of people think of cloud management as taking your entire,
say, system center infrastructure, tossing it out the window, and
going to a mobile device management solution.
That's not cloud management.
Cloud management is looking at the overall services and
where they're going.
Here's an example.
Most enterprises are gonna be in a hybrid environment, or
they'll have two solutions, right?
They'll have an MDM provider.
Be it Intune in Microsoft's product, Good, Airwatch, Mobile Iron.
And they'll have something like System Center for
their on prem management.
The reality is you have a sunken cost in
that infrastructure and such.
So you're going to have several years
where you're using both systems.
Both from an identity space,
from an application space, from an infrastructure.
You're going to be living in both worlds.
So, cloud management isn't just a toss it out and assume that your
MDM provider is going to be supporting all your devices.
There's also a realistic line that mobile device management
providers don't have the parity that you have with on prem today.
So over the next, say, two to five years,
those mobile device management providers will be filling that gap.
Intune, for example just released or is releasing, in the next month or
so publicly, their Ibiza portal.
That Ibiza portal is going to give Intune the ability to scale
to many hundreds of thousands of clients,
which if you look at the system center world.
System center has been 4, 5, 6, 7, 800,000 clients for a long time.
So you've had that capability.
So the reality is when you think about cloud management,
think of it in a service aspect first,
then think about where you're going to be putting the infrastructure and
everything behind the scenes in the next two to five years.
And to me that's the real trajectory.
It isn't just that all of the sudden your cloud management because
you have a couple policies in the cloud.
>> Okay, very good.
A question?
Do you no longer use GPOs for all of those PCs managed by Intune?
What percentage of your managed PCs are domain joined?
That may be a couple of you.
>> Yeah, I can take that one.
In terms of domain joined,
we manage about 300,000 devices through system center.
GPO or group policy is kind of interesting for us.
We use it for, I'd say, large swath changes.
We don't use it for other things like application provisioning.
So for certain policies that we want across our enterprise and
something maybe unique to us, I don't think it's so unique,
but it is different, is well, we have 300,000 devices in management.
We have another 200,000 that are over in dev labs and everyone
else in research that are not being managed by our system center suite.
So what that means is we have to use group policy for
a lot of security settings.
We have to use it for some base policy.
For things like whip or
data management, we have to use group policy.
So we kind of have a balance, but typically those 200,000
R&D we do not use things like power management,
software distribution, settings management.
We really don't do that to our development environment.
So we have to balance internally between those two here at Microsoft.
>> Okay, very good.
How many different segmentations of mobile users
that require different settings, default applications, etc.
do you support within your Intune environment?
In terms of applications today, we have about 300 or so, roughly.
The interesting thing from an application stand point and
Fergus can maybe even touch on this.
Kind of our landscape is really changing.
It's evolving very very fast.
As our listeners know,
we acquired Xamarin, which means it's now multi-platform.
So internally,
we're figuring out what strategy do we need to deploy those things.
We are using Intune to deploy multiple things,
but then a lot of the business units are still catching up to
the multi-platform scenario internally from Microsoft.
So in Intune there's about 300,000 applications within our MBM Solution
and those also spread across to our corporate environment as well.
So they're in system center and Intune because we're a hybrid.
So it doesn't matter which environment you're in,
we're going to provide the applications in both scenarios.
>> Yes, let me pick that one up.
My focus at the moment is delivering the same experience to our end users
irrespective of the platform that they're on and
the connectivity scenario that they're in.
So we should deliver, of course this is one of the things that
the cloud enables is the capability
to deliver those scenarios to our end users wherever they are.
And we are now delivering those scenarios across not
just the Windows desktop or
the Windows laptop but also using Xamarin to your point.
We're delivering this very close to the same scenarios across
mobile devices, iOS and Android.
That's something that we are finishing up
the first round of right now.
We've used Xamarin to do that.
One of the great things about it is we've been able to leverage the same
code across all of the platforms by using Xamarin for the endpoint
management capability or to develop VM endpoint management capability.
And so far so good.
We're about to go to a major scale on that.
But I see it as really, this is the key of mobility for
us at Microsoft is delivering those same scenarios irrespective of what
device you're on or how you're connected.
>> Okay, very good.
Better to have one codebase than multiple codebases across each
operating system.
>> It's a lot less to manage.
>> Right.
>> The Xamarin implementation works really well.
We've had quite a bit of experience using it now.
Ant it really pretty much does mean you can develop wants and
reuse cross multiple platforms.
>> To pick on that point about how
ensures there's a single code base for the end user experience.
Similarly, on the cloud side of things where the services are we
have capabilities now which ensure that the same services empowering
all these experiences.
Which means that you're not dealing with multiple plethora of code
bases to light up your scenarios.
You are really focusing on the kind of device that the end user has and
the kind of capability that they are producing,
rather than I have to mingle or try to deal with multiple code bases.
That helps us a lot in terms of code manageability.
And the rate at which the bugs get discovered and fixed and the agility
that brings along with it to the development process as well.
>> I think one of the tricky things though,
when you come to actually do this, is figuring out,
well how are we going to do this on the different platforms.
Some of the things that we've been used to doing for years on
the Windows desktop and the Windows laptop, when you're looking at,
well, how are we gonna deliver this scenario on iOS on a phone?
And there were a few lessons in there which are kind of generic.
Like in the way that you expose services on a much smaller device.
But there are some things that we do today on the Windows laptop that
are either not appropriate or
they just work in a very different way on any of the mobile devices.
And that's some of the interesting part of all of this,
is figuring out not so much what can I deliver, but
what should I deliver to give the user a similar productivity
experience, but on a completely different device.
And the answer is not always exactly the same as we did on Windows.
>> That sounds like a great learning.
>> Just to add on to that, Fergus, just so our viewers are aware.
One thing that I'm on a v team across both the business units that
represent kind of the distribution arm, the building, the development,
and the release of internal applications.
And we're exactly talking every week about Fergus' challenge, which is
instead of taking this huge, robust application that you've had on-prem
for years, peel it back, peel the onion back, grab the four or
five user experiences that you need from those applications.
That's what you need to provide in mobile.
>> Precisely, yep.
>> And that's it.
Don't try to give everything cuz it won't work.
>> Monolithic applications don't work on mobile.
>> They don't.
Just make it really simple and narrow it down to the three or
four key experiences you're trying to provide.
And that's what you should be focused on.
>> A common thing that we use, or the term that we use is called
the snackable scenarios which is what you like up on your mobile.
Especially for services that you want to enable mobility across.
Because traditionally there was a tendency that your application had
to do everything and the kitchen sink.
Which is a directive which is gonna fail in the new world.
Because on the mobile, the attention span,
there is a limited attention span where the user is involved.
You have to get to a scenario fast.
And do that thing In the most efficient manner,
which involves services being very lightweight and
responsive with low latency networks.
>> And that goes to the app insights.
You know which scenarios people are using the most, so
that can help inform your decision.
>> So the feedback loop is then rated through telemetry
generated from application insights as well.
So in order to identify which are the core scenarios where you want to
really invest your resources on, telemetry and data and
optics about how your application is behaving.
Is it being utilized for the same purpose?
What is the use cases where services are being utilized more enables you
to front load those services with additional hardware resources or
make them more efficient,
which overall contributes to a better user experience.
That's been our great learnings that we have encountered and
that we are implementing back into our services.
>> Very good.
Customers want to lock down applications on their mobile devices
using mobile application management.
While the solution does great when the customer uses Apple and
Android devices, there are no MAM policies for Windows Phone.
Will MAM be extended to Windows Mobile soon?
>> I'll simply say absolutely.
>> [LAUGH] >> [LAUGH] Yeah,
MAM is an interesting area, so mobile application management.
Literally, I had this discussion yesterday with the leadership team,
cuz really what you're seeing is end user sentiment.
I had another customer briefing this week where they expressed the same
thing that we're seeing customers say, and our internal users
are saying, which is I don't want you to manage my personal device.
Simply put, do not manage my device.
Now even though we know that mobile device management really separates
the data from the user, and you can absolutely separate what you do and
when you do it.
For example at IT, we don't wipe your personal device.
Microsoft IT does not do that.
However, if you were to ask our users,
they would say they are absolutely fearful that they're gonna lose
all their pictures because we wipe their device.
We don't do that.
That being said, MAM is probably going to be the next big,
large investment, from not only Windows, but
mobile device management platform.
Because this fear that people have about privacy and
data and photos and everything else, it's real.
And IT and companies are gonna adjust to it.
So Microsoft, yes, absolutely, MAM will be part of this next wave.
And in addition to that, policy management is another huge area of
investment in what they're calling Redstone 2,
which will be out in beta probably in the next couple months here for
people to consume and start testing on.
And then you'll see other mobile device management providers also
address kind of the gap.
I kind of think of it as if you think of a on-prem management,
all the security stuff you have here, MAM is kind of over here.
The bridge between the difference in MAM and
the difference in device management there's still some gaps.
Encryption here, this, that.
MAM will be and will take over all those gaps in the next year or
two years.
>> And so with MAM,
do we not do device management on the mobile side?
Do we pick one over the other or do they work together?
>> They do work together.
That's a great question because our strategy internally,
we're looking at doing both.
So the challenge we have is
on different platforms you can't control the experience completely.
So depending on, for example, what mail client you wanna use.
Well, you can lock down the mail client via EAS.
You can use MAM for the policy on, say, Outlook.
You can change that on the inbox mail client.
So MAM gives you that flexibility.
And then you have to look at what is really gonna be driving the device
management requirements.
MAM will get to the point where encryption, PIN,
data separation, all the stuff that you require for
device management today will be part of MAM in the future.
Make no mistake, that is where the product team is looking.
So while you get there, is full device management required?
Today at Microsoft, yes.
Absolutely, that's what we require.
Will it be in two years?
Check back on the next webinar in two years.
>> [LAUGH] >> It'll probably be
a different answer.
>> All right, a teaser.
[LAUGH] Okay, great.
When will we see full SCCM and
Intune hybrid support that permits moving devices between on-prem and
Intune which no longer requires us to set a primary MDM?
>> That's certainly one for you, I think, isn't it?
>> Yeah, the short answer, cuz that's a fairly technical question
is in 1610, or the release that's coming out in about 30 days,
you will have the ability to change the primary provider.
So today, for example, to educate people a little,
when you set up a device you actually designate in the back
end in the database is SCCM or Intune the primary provider?
Today at Microsoft, for example, we designate it as SCCM.
SCCM has been our primary shop.
You can actually change that to Intune coming in about 30 to 60
days, externally.
We're actually moving to the code base this weekend,
on Monday of next week so coming soon and yes.
>> Okay, yeah, great.
Great to hear.
>> Great question.
>> How are you planning on managing PowerApps?
Do we do PowerApps?
>> Yes, we do.
>> Okay.
>> Okay, and you answer it.
I'm gonna pick it up and
turn the question around a little bit once you're done.
>> Yep, sure.
So we've been in long discussions with the PowerApps team.
One of the challenges with PowerApps is management
requirements, conditional access, MAM policies.
To be honest, they haven't developed to that level yet.
With PowerAppps.
That they are going there, they know what is a requirement, and
so we are using it internally.
The lucky thing is PowerApps is actually integrated by AED, so
when you have things like you're leveraging multi-factor
authentication with AED by Jeff,
then we are actually securing it to a degree.
But we're still working out how do we integrate PowerApps,
because it isn't fully integrated into the Intune company portal.
And so you have to figure out do you want your users
to go to the PowerApps portal and launch their apps from there?
Or another solution we've actually done with PowerApps is we actually
have a wrapper that launches it within another experience.
So for example, we have an app called Employee Experience.
Employee Experience actually is multiple applications,
not just one, PowerApps or several apps within there are PowerApps.
And then, even though a person on their browser launches
the Employee Experience, they will actually see
a couple PowerApps get relaunched through the browser.
So, the user doesn't really see the backend, and
what we're doing from a management and authentication.
All they know is they're in the Employee Experience app, and
they launched it, and they're good to go.
>> This works.
>> I'm going to pick that one just a little bit, and twist the question,
if I may, just for a few moments.
I'm going to turn it around to how to manage power in apps.
And the reason I bring this up is it's a learning that we had.
And you may be watching this, and be like, yes, well I already know this.
But I've noticed that It's perhaps not common knowledge and
not obvious.
When you're developing mobile apps, and the app is on a battery powered
device, and you come to look at, well how am I gonna make the UI?
What's the UI going to look like?
One learning that I had is, use dark colors.
And there is a very good reason for that if you think about it, because,
in order to show bright white UI, requires a lot of battery of power.
And so if you make a bright white UI which might,
which we often do on the desktop, I mean if you look in most websites,
they have a white background .So the tendency would be to make a white UI
or white background in the UI and we've had a few of those.
We've got a very dark UI right now, and the reason for that as you've
probably figured out by now is in order to have a white UI you've got
to illuminate all those pixels on the screen using battery power.
What does that do the battery power over a period of time?
Well of course, probably it needs anymore it's going in the battery.
So, one thing that I've picked up, and I noticed,
of course once you read on this you see a bit of documentation on it,
and yes everybody knows it and it's obvious.
But I'm raising it here a little bit because I didn't realize it at
the beginning.
Make the UI dark.
If you look across common mobile UIs,
you'll see that they tend to be dark, and this is why.
And another learning that we had was when making mobile applications or
mobile apps, when the app is connected on WI-FI,
there's a battery drain in the communications of course.
When it switches over to cellular,
the battery drain increases significantly.
And where this really comes into play is if have an app
which remains awake and continues to do things in the background, for
example, a heartbeat, on a regular basis.
The battery cost of making the connection to the cellular tower,
bringing up the connection and then transmitting data is very,
very high.
So, if you make an app which perhaps once a minute comes up and
makes some kind of heartbeat over cellular, that's a battery disaster.
It's very easy to do.
You may think for all sorts of good reasons, what we'll do
is we'll make a regular check in on something from the mobile app.
That's a battery disaster!
The right way to do this is try to batch all of the work together.
So that when particularly on cellular and
this pertains much more to cellular than to WI_FI, wake up,
do everything that you need to do in the app.
If there is something that you might have to do in the near future,
do it now while you are awake and connected.
Then shut down the connection.
Go back to sleep.
Don't wake up again until you really need to.
I'm talking about you here as the app.
From an app design perspective, it's very, very important.
It's a huge difference in battery life
when the user is connected on cellular.
And I'm saying it because it's one of those things that it's maybe
not so obvious.
I learned it was some reading and
some experience, it can make a huge difference.
Making your app much more readily useable and friendly to your users.
And it's surprising how quickly, if you don't do this users will
figure out, this app really drains the battery quickly.
What do they do when that happens?
Do they just delete it?
>> They'll hate your app.
>> Or hate it yeah.
>> You want people to love your app right?
>> Yeah, so sorry to twist the subject matter around a little
bit there.
>> No, that's very good.
>> But it's one thing that we've learned and
I felt it might be worth sharing.
>> Sounds like a great learning.
What were the challenges migrating from Windows
12 R2ADFS to Windows Server 2016?
>> Fortunately, there wasn't too many challenges.
There's some great functionality built into Server 2016 for
anyone who made the leap from ADFS20 on server 2008 to server 2012.
There were some scripts that were included and
you could export your configuration and then import it so
it was more of a side by side migration.
With ADFS now in Server 2016,
they've adopted more of the domain controller, the active directory
model, and so they have what they call a farm functional mode now.
So when you bring a Server 2016 online,
you can integrate that into your existing ADFS 2012 R2 form and
it will behave just like a 2012 R2 ADFS server.
And then once you have all of your servers upgrade to server 2016.
>> You can then flip this farm functional mode to Server 2016 and
get all of the new functionality of Server 2016.
So it makes it much smoother.
Much more transparent to users.
We had a bit of a hiccup when we tried to make the hard cut over from
the one infrastructure stack to the second infrastructure stack,
going from 20 to server 2012.
So this way you can kick the tires.
You get the increased performance benefits out of Server 2016, and
then when you're ready to go the farm functional level you
get the new features, which they have some policy templates which is
really nice to help with the RP management, the relying parties.
And it has the full auth two stack, along with public and
confidential profiles.
So you can pretty much have parity between your Azure Active Directory
applications and your On-prem applications.
And so now, that makes it much easier to,
you can develop an app On-prem, against your ADFS server,
then move it into the cloud, up into AAD, with minimal code changes.
>> Sounds less disrupted.
Isn't it?
>> Yes.
>> So kind of quietly, you can do your upgrades.
>> Yes.
>> Great.
Next question.
Microsoft recently announced a great partnership with
a company called Lookout.
How is Microsoft integrating Lookout solution into their Enterprise
mobility storage clearly?
Do we know that?
>> We do. >> You know that? Okay.
>> Yes I do.
>> [LAUGH] >> Yeah,
actually Lookout's been a great partner with Microsoft.
The short story is internally we've been testing and
working with Lookout for probably six months.
In the next couple months,
we'll actually be requiring it as part of conditional access.
So if you think about our antivirus solution through Intune,
Intune is actually integrated with Lookout.
So you can actually have it as a deployment requirement and
ensure that Lookout gets deployed on all your Intune clients.
>> Could you tell us a little bit about Lookout?
>> Sure, Lookout for those who are new to them,
they are one of the first company, well they are that found
say the latest that iOS 9 vulnerability that came out.
The first one where it was actually a very serious mobile.
To me it was probably the first barrier that's been breached on
a mobile platform from a security standpoint.
And being able to jailbreak and take over the device with a single URL.
So a huge security risk and flaw that was found.
Lookout I was the first one to get that, and
they've been ahead of the security curve, very much integrating
databases across products for quite a long time.
So as a result we've been partnering with them.
We're integrating into with the Intune product,
you can mesh both together.
And then Lookout will actually be able to address, and even help you
with making data analytic decisions on quarantine, for example So in
the near future, you'll be able to actually use Lookout on the device.
Based upon the analytics and reporting, you'll actually be able
to quarantine what that device can and can't do.
So you'd find a device that's infected,
it's in your Intune environment.
You can actually detect that through the Lookout agent that's installed
on the device and all of a sudden we can quarantine, say,
email or something else on the device.
So we're actually right in the middle of deploying Lookout.
We actually have it on multiple devices already in our production
environment and we're extending that pretty much to all of production in
the next couple months.
So if you're one of the 20,000 iOS devices, etc., or
10,000 Android devices in our environment,
it'll be required as part of your Intune enrollment package.
So we're head high in Lookout.
>> Good, I'll use it on my device.
>> There you go.
>> Very good.
The lack of intranet connect is a big impediment to Intune adoption at
our company.
How quickly will Microsoft address this feature gap, not including
the NetScaler partnership, which is native to the Intune stack?
>> Is that you, Mike?
>> It is, I'm not sure exactly what they mean by intranet.
We deliver our Wi-Fi profiles.
We deliver a lot of the configurations,
our SCEP certificates, etc., through there.
So we're kind of meshing both internally today.
And our stack's a little, I wouldn't say unique, but
where we're driving with this and where it will become interesting for
Microsoft IT is we have a lot areas where we're removing our Corpnet
service about 50 to 70 sites over the next, say 6 to 12 months.
As we removed those corporate sites, Intunebecomes front and
center for us.
And so that on the network, off the network, Intranet, Internet.
To us,
those lines are gonna be as, try to be as transparent as possible.
So we're basically working with product teams to remove
what I see is any type of difference in segmentation between that.
Whether it be leveraging certificates, leveraging Wi-Fi
access through profiles, changing the authentication protocols you're
using in terms of how AAD is used to manage resources.
All of that is actually shifting significantly for us internally as
we literally take Corpnet away from multiple sites around the globe.
So for example, if you're in a site and you're less than 500 people at
Microsoft, the likelihood is we'll be removing Corpnet from your site.
And so, you will be Internet first.
You will be Intune facing, you be will always on VPN, etc.
So we're working on a paradigm shift for network access internally.
I don't have the specifics on NetScaler and
some of those cuz we're not using that solution internally.
>> Okay, thanks.
Next question, how much use of RMS occurs within Microsoft?
Which departments use it the most?
>> I could run with that.
We use RMS all the time.
>> Mm-hm, yes we do.
[LAUGH] >> I would say we use it not only to
encrypt and store sensitive HBI information.
We use it to prevent email storms.
So we'll have a template, RMS template, that prevents reply alls.
So, and we recently have adopted and moved to the cloud RMS solution now.
So we're hybrid.
We're using some on prem, and by primarily it's coming from Azure.
RMS now, we moved our keys up to there.
It was a long battle.
>> As upper keys, that- >> Yeah, the private keys for RMS.
>> The keys of the Kingdom?
>> Yes. >> For?
>> For RMS.
>> Okay. >> We kept those secured on premise
in black vault.
And when Azure was able to meet the requirements for
HBI, then we agreed to- >> High business value, yeah.
>> Yeah, we agreed to release the private keys to them and
so now we manage the RMS now from the cloud.
And we're working on deprecating the on premise.
So we'll be 100% [CROSSTALK] >> I'm gonna ask you the terrifying
question just in case anybody is wondering, RMS,
is Rights Management Service, is that right?
>> Yes, that's correct.
>> Bullseye, I got that one correct.
>> [LAUGH] >> So that is, we use it for
documents, spreadsheets, not just emails.
So it is, I would say probably almost every employee uses RMS.
>> Whether they know it or not.
>> Good point. [CROSSTALK] >> We are deploying RMS to them whether they
appreciate it or recognize it.
>> Yeah, yeah, good point.
>> Yes.
>> Okay, will ageless device management for PCs provide same
functionality as Intune client provides now in the future?
>> Could you repeat the question?
>> Sorry.
Will agentless device management for PCs Provide same
functionality as Intune client provides now in the future?
>> Yeah, I can take that one.
In the future, absolutely.
So agentless essentially is the MAM story or
the mobile application management story.
And to give our users an idea, we have 25,000 plus PCs that we
actually manage in our Intune environment.
So we are literally at the forefront of designing
the mobile device management strategy with the Intune team,
with the Windows team, with our team about what does that look like.
Whether it be policy management.
Whether it be parity with group policy.
Parity with MBM policy.
Parity with mobile device policy.
We're actually all in on that end with the next version of Windows.
That's a significant focus for our team and
actually I'll be working on that for the next three months.
Thank you.
[LAUGH] With our partners in Windows.
>> Can you tell us more about the new UI changes and
when that will happen more specifically our back?
I'm not sure.
UI changes?
>> I'm not sure which product, RBAC is role-based administration, but
I'm not sure which product they might be talking about.
>> Yeah, they could be Azure Active Directory and the new,
obviously portal.
>> I assume so.
>> Or that Azure.
>> Yep, I assume that's probably it.
>> Yeah, so the RBAC,
we haven't played with it very much yet, the new portal.
We've been in the old portal.
Most of our authorization, we're using custom web services to provide
that authorization level too, so during the auth and auth C process
of the user authenticating, they also go through an auth C process.
And we will, during that authentication process,
call out to these various web services, depending on what
the application is that the user's attempting to access.
And then we'll get information back from that web service and
then include that inside of the user's authentication token.
And then that gives them the authorization right.
So for now we've been relying on these services to get a more
granular role based access control.
So I don't have too much that I can offer on what the new RBAC is.
I'm sure will be looking to see how that can be
leveraged into future applications, where the fine-grained role-based
access control isn't necessary, but there is some level of role access?
Right now sometimes, I know a lot of teams sometimes have our application
whack admin, and then our application whack member and
then that's how they do their auth C.
And then based on the token that you have you get access to the admin
side of the app or you just get into the member side of the app.
And then a simple access control.
>> Okay.
Why Microsoft uses third party remote assistance software,
Teamviewer and Intune instead of the Windows
10 built remote assistant or quick access tool?
>> So from the product side, I can't tell you why.
I'm really not sure.
Obviously, the goal is to be platform agnostic for Intune.
And so we are not necessarily using it a lot internally.
Today the remote assistants piece, it's just not a tool that
we have really used for the Intune side.
>> Okay. >> This is more around product
features and so I am not sure if he can speak to that.
>> Okay, sure.
>> Yeah.
Next question, MAM only on iOS is not at parity
with Android when it comes to data protection.
Android uses open-end management
application picker without device MDM.
Intune relies on iOS MDM today for this functionality.
When can we expect to see this feature gap resolved for MAM only?
>> Yeah, that's very specific to the changes that are coming in
the product.
>> We can speak from IT's experience with the product.
>> I can speak from how we were using it, but
I can't tell you exact their product road map right now.
>> Yeah, that's not our- >> All I can say is that, is Intune
absolutely focused on parity between the two products in platforms?
Absolutely, it is, and MAM is one of their core focus areas.
And remember that the benefit with Intune is the revving every month.
So if you just continually, it's hard to stay up on, even for
me internally, it's very hard to stay up for how often its changing.
Cuz especially Android and iOS are two of their core development areas.
So every month there is core changes, so if you're not, I'd say,
look online for access to the Windows Intune Insider.
That's a monthly call they have where they talk about,
actually just put out a new blog externally where they
actually talk about a lot of this stuff.
So if you haven't researched the blogs externally for Intune and
System Center, those teams are very active now, extremely active.
It used to be kind of hard to get Intune information, to be honest.
And now they're on there every month with, here's 1611.
Yeah, we're in 1610, sorry.
We're just coming out with 1610.
>> Mm-hm, 1610-2.
>> We're always a month ahead so I get a little forward and
backward thinking.
But like the 1610, go out, get the blog, read the articles and
find out exactly what's coming.
Cuz things change very, very rapidly over there.
>> Yeah.
>> It might be worth me just adding a little note, too, for
anyone who's not familiar with that.
The term 1610 or 1611 is coming from,
here we've adopted Agile at Microsoft.
We are running everything in sprints.
Sprint length varies, my sprints are two weeks, it sounds like that
one is a month, and so 1610 would be 2016 October, do I have that right?
>> Correct.
>> Yeah, things are coming out much faster.
>> We tend to suffix that sprint length with the 1610-1-2 to note
the sprints within the month.
The things where I'm part of, we also run two biweekly sprints.
That essentially means that we have two leads coming out in a month.
>> Very good.
What pitfalls have you run into supporting Azure Domain Join,
and the reverse, what benefits have you seen?
>> Azure Domain Join has been a good win.
We will back sync those accounts, so that when they come in.
And it's primarily leveraged by contingent staff,
as well as remote people.
It's like Mike said, where we're puling the corporate network
connectivity and giving them Internet access only.
So this way they can provision their device, get the policies and
applications that they need.
And we have an object and we can secure authentication to
their device so they'll get the minimal.
They won't get GPO being a workplace joint, but
they can get the simple Intune policies.
And have access to the Azure applications and
we can secure those cloud applications to the user and
the device so we have a stronger authentication method.
>> Okay. >> Just to add on to Jeff, so
this is one thing that's near and dear to my heart cuz we worked
directly with the Windows team on creating the new Connect workflow.
So if you're not on the latest version of Windows 10 anniversary,
etc., take a look at that and
walk through the workflow, the Connect workflow.
So in previous versions of Windows 10,
there were literally 10 different ways to have a device
either joined successfully or unsuccessfully to Azure.
And so you'd either end up with devices managed, or
maybe the device is just an account, or it's kind of orphaned or such.
So one of the challenges we have internally, just to be transparent,
we readily have those 25,000 devices in Intune, of Windows PCs.
About a couple thousand of them actually joined
Intune the wrong way.
So this is all from feedback we provided back to the team.
We've been doing it this way for over a year and a half.
So when we first rolled out the Connect experience, and
this is what was fixed in the latest version of Windows, if you remember,
there was ten different ways to actually join the device.
And what do users do?
They see, join management.
Join management didn't actually fulfill the whole Azure process.
And so yes, you're Intune enrolled but
you're not Azure AD managed and it was just kind of a mess.
With the new Connect feature, if you set it up right as an enterprise,
we have it set up today if a user goes in, and
they hit the single button connect, boom, they put in their credentials.
If they're not on the corp net, they go through MFA,
cuz it hits their Azure credentials, and voila, they are done.
They get in to Intune,
they get their profiles, they get Wi-Fi access, they get VPN.
So we provision them, just boom, boom, boom, one, two, three.
Very easy and great success.
So I think that new feature and
that change is the reason why we have seen the 25,000 plus devices,
and people continue to move that direction.
And that's what's
gonna actually enable when we remove corp net, right?
>> It is real easy.
Hit Connect.
Put in your credentials.
Use MFA to authenticate.
Use the Azure app, or whatever you're using to authenticate.
You're in.
>> I love it, by the way.
>> And you're managed.
>> [LAUGH] >> And it's really, really simple.
So that's absolutely a direction we're going.
One of the pitfalls, just so you're aware out there,
you really have to try to educate the users,
because people still, today, will get confused.
They'll see in that little bar Manage My Device,
even though there's a big button that says Connect.
It's pretty hard to miss, Connect, but
then they see this little writing down here that says
enroll my device in management.
We still have users that click that, and so we're still working with
the product team actually in future releases to also change that UI so
there's a bit of a confirmation check and balance with the user.
And we're changing the language in there so that the user can also look
at it and go, did I really mean to actually enroll in a management
service like Intune or did I actually mean to just Azure AD join?
What did I really want?
So they're trying to keep that in abstract so
the user know what's going on, and they're continually refining that.
And that's great work by the Windows team for that, by the way.
>> Much simpler today.
>> Yes.
>> When can we expect to get better integration of RMS with
SharePoint Online document library templates?
And this may be a product group question,
but I'll look over at Jeff.
>> Yeah, SharePoint is not an area of expertise for me.
>> [LAUGH] Okay, so we haven't had that experience yet.
We can only speak to what we do in Microsoft IT.
>> I'm sure someone knows, it's just not us.
[LAUGH] >> Final question.
How difficult or easy is it to manage and
monitor mobility services hosted on the cloud?
>> So alluding to the aspect about telemetry and
optics that we have now into how we our services performing usage.
Because there's a symbiotic relationship between usage and
The more [INAUDIBLE] your services are, the more usage it gets.
And then that virtual cycle continues.
So that made us invest in telemetry products.
And Application Insights is a great tool to readily
incorporate that into your services.
Which gets you a lot of monitoring information, insights like
the bandwidth or the latency of the network that the user is on.
Along with if it's a mobile form factor, what is the form factor and
the resolutions that the users are running on.
So you are able to fine tune your applications, services, and
experiences according to the needs of a user base,
rather than an assumption.
So it helps you not only easily monitor,
it gives you a data-driven approach in monitoring as well.
And again, getting your investments back into areas
which will have bang for your buck, so to speak.
That has been the trend that we have been following and
we've been having great success in that as well.
Again, this also enables us to flight a lot of scenarios.
For example, in the past there would be a risk aversion to flighting
because we wouldn't necessarily gain authentic information because now we
have access to raw data that can confirm our hypothesis or
negate them.
And we can quickly turn around as well, which is also what cloud
enables as a by-product through your Dev Ops and Agile cycles are able to
do A/B testing, they're able to roll back rapidly the automation and
the allied things that come along with it,
definitely contribute a lot to enabling end user scenarios,
as opposed to going and figuring out technology issues or versions and
aspects like that, which will be interesting.
>> And it helps you figure out the optimum end user experience,
through the A/B testing.
>> And a trend that we have been seeing lately is that now that
we have reached a maturity cycle,
wherein the user experiences reached the level of optimal aspects,
we are seeing value added services being added.
For example, there is a heavy pivoting
towards user-machine learning, artificial intelligence, and data
sciences to enable more scenarios, what would be predictive scenarios.
So what this has enabled our developers is to focus more on
additional value add, so that virtual cycle,
the spiral is increasing more even so.
And that's been possible only because of the readily available
on-demand cloud compute that you can gain.
For example, if you wanted to compute on KNN based machine
learning model, the compute at disposal that is available readily.
You don't have to wait weeks or months, you could do it on demand,
spin it up, spin it down, and use that for
your applications going forward.
>> Very good.
We are near the top of our hour now, and
I do wanna ask our SMIs one final question.
What is the one tip you would like to leave our customers with today?
And we'll start with you, Arun.
>> From the application development and architecture space,
when you're focusing on mobility scenarios, we alluded
to that earlier about having bite size snackable scenarios.
Make them lightweight, because that will then show that you can use
them in other scenarios as well.
And having a process to go along with it, the agility and
the dev ops methodologies help you accelerate the adoption of these
architectural paradigms also.
Because you are able to monitor flight and validate these scenarios,
and that can lead you to machine learning,
data science, big data scenarios, which are definitely going to be
your differentiator when you want to compete in the marketplace.
Because if you do not do it, someone else is gonna do it.
So if you stay focused on agility and
the data science aspect that you can gain for your end users,
that would be a huge win for your customers.
>> Mike.
>> Given all the questions, I would say in conversations I've had
with customers lately, I would say adopt the cloud faster.
And what I mean by that is many companies I talked to,
when they talk about 0365, when they talk about Azure integration,
when they talk about mobile device management,
most of them have this kind of 18 month, 24 month horizon.
And to be honest, that's an eternity in today's world.
That is so long.
And I know this goes against the grain of 20,
30 years of IT, where it was set it and forget it, right?
Buy a machine, set it for 5 years, don't change the drivers,
don't do any of that stuff, don't mess with it.
That world is rapidly gone.
And even internally,
we are iterating extremely fast as an IT shop.
So, gone are the days where we sat on our laurels, and
we said the ma'am is a great example, a lot of questions on MAM.
We change our position on how we're gonna use MAM,
how we're gonna do it direction-wise every couple months.
It isn't like a set it and forget it, we had our policy and
now we're moving on, and then we visit a year later.
No, a couple months into it, we go hey,
this isn't working, something's new in the product.
We should look at a, b and c, and we iterate and we change.
So I know that's scary for a lot of people, but
if your company isn't there, then help drive it there.
Because if you don't, the device landscape around you will drive it.
And it's better that you as an IT be in the driver's seat
than be the recipient.
>> Yeah, great, thank you.
>> I would think since security is near and dear to my heart,
thinking about how the cloud and
identity is going to affect all of the applications as your
users move into the more mobile scenarios with MFA.
So the paradigm of the hard, crunchy shell, I'm inside,
I'm on the corporate network, the network is safe,
relatively safe as we know from experience.
[CROSSTALK] Internal networks are not always all that safe.
There were times where we thought sometimes our corporate was dirtier
than the Internet, but we had domain isolation, we got that cleaned up.
We got managed devices, and then it made the corporate network safe.
Now we're venturing out into this unsafe network again, and
that is becoming the primary transport for that.
So identity now is becoming the new firewall, if you wanna say,
or the new control plane as you access these online services and
So I think coming up with a solid identity strategy and
educating your users on using their corporate identity for
corporate work and using personal identities for
personal matters is how you're going to get the best segmentation.
Your MAM and MDM policies can do a lot to help with managing
the content on the phone, but again, that's all gonna be gated by what
identity is that user using when accessing a particular service.
And then where it really becomes tricky is things like OneDrive or
OneDrive for Business.
And your users, are they putting their documents that are work drive,
are the documents going into the OneDrive for
Business, using their business identity?
And then are they putting their home photos and personal
photos of the kids' birthday party going into their personal OneDrive?
So these are the kinds of learnings, and of course,
we can't get past thinking about MFA.
And one of the really great new features in Windows 10,
the credential guard, so
this helps mitigate past the hash and man in the middle attacks.
It virtualizes the local security process, and
it protects those credentials for only the authorized
applications and security providers can access those credentials, so
they can no longer be hijacked.
So that's a huge win that we've seen in securing our environments.
So, I think as that goes forward into the future,
that leverages TPM on the laptops.
So hopefully, mobile devices will start getting the MDM, and as we can
have hardware based protection, that will secure the devices even more.
And be able to take securing the user's credentials to the next
level, which is really difficult on the mobile devices to secure
the user's credentials.
>> Very good, and Fergus?
>> I would say that the mobile Enterprise app environment is quite
different from the Enterprise environment that we've seen in
the past.
It's a completely different setup,
and we've embraced it.
And I think it's tremendous, and I'm seeing its effects now moving back
into the work station environment, so it's not going away.
The learnings from that environment, which is tremendous being
passed back into the Enterprise work station environment.
So, adjust to it, be ready for it, and embrace it.
>> Okay, very good.
We are at the top of our hour, and I do wanna thank our SMIs for
coming out today,
taking time away from your day jobs to come talk to our customers.
It's truely an important thing.
And I wanna thank our customers for joining us today.
We truly love the questions, and the dialogue,
and the opportunity to come talk to you.
You can find this video posted at our microsoft.com/ITShowcase site,
along with a world of other documents and artifacts,
all talking about how Microsoft does IT.
We have live stream events every week.
We hope to see you back, and please bring your colleagues.
Thank you, and have a great day.
>> Thank you.
    You must  Log in  to get the function.
Tip: Click on the article or the word in the subtitle to get translation quickly!


Enterprise Mobility at Microsoft (SME Roundtable October 2016)

218 Folder Collection
鄭老貓 published on April 25, 2018
More Recommended Videos
  1. 1. Search word

    Select word on the caption to look it up in the dictionary!

  2. 2. Repeat single sentence

    Repeat the same sentence to enhance listening ability

  3. 3. Shortcut


  4. 4. Close caption

    Close the English caption

  5. 5. Embed

    Embed the video to your blog

  6. 6. Unfold

    Hide right panel

  1. Listening Quiz

    Listening Quiz!

  1. Click to open your notebook

  1. UrbanDictionary 俚語字典整合查詢。一般字典查詢不到你滿意的解譯,不妨使用「俚語字典」,或許會讓你有滿意的答案喔