Modernization Hub

Modernization and Improvement
How Microsoft is modernizing device management

How Microsoft is modernizing device management

(music)>>Hello everyone, and
welcome to today’s webinar on how Microsoft is
modernizing device management. My name is Mayunk Jain, and I will be your host
for today’s session. I’m a Senior Product Marketing
Manager for Microsoft Intune, and I’ve been with Microsoft
for about a year now. Before that, I’ve spent over 10 years in the end user computing space in various technical marketing roles. With me here are Mike and Carmichael who will be happy to introduce themselves. Let’s start with you Mike.>>Hi, Mike DeGooyer, I’m a Senior Program
Manager here at Microsoft. I’ve been here quite a while
about 17 years actually, and been in various roles from
data center to client, etc. But the last 10 years, I’ve been focused on client management, everything from the release of SCCM to the release of Intune at Microsoft and rolling that out across the company to cross platform and lately
focused on security in Intune.>>Yeah, thanks for coming
over and joining us–>>Yeah.>>The digital security
risk and engineering Team.>>It’s been good.
>>Nice.>>I’m Carmichael Patton. As I said I’m on a digital security risk and engineering team. I’m on a team called
Emerging Security Products where we focus on how we
can fill our control gaps in our security environment
to sort of fit that need where we have the gaps there. I came to Microsoft about three years ago. My focus was to actually
look at how we manage our non-Windows environments. So how we manage Mac, iOS, Android. and potentially even
Linux in the future maybe.>>Linux, we’ll talk
about that a little later. (laughing)>>Think so.
>>Nice.>>Thank you guys. So before we get started
with the presentation I’d like to let you
know that you can submit your questions into the ON24 dashboard at any time during the conversation. We have peers ready online
to help you answer them. And then we also collect a few to discuss during the session or
in the Q&A session after the presentation. In case we run out of time and can’t get to all your questions. We will stay behind in the studio. I think all of us can stay behind and then post them with
the On-demand webinar.>>Yeah, for sure.>>So, and then in the
end I think we can wrap up with some key recommendations
to get these guys started with their deployments.>>Definitely.>>Awesome. So let’s kick it off then.>>Sure. Let me kind of walk
everyone through kind of where we’re gonna head first. We’ll talk about a little
bit about our environment, kind of just a level set. Because a lot of people when
they think about Microsoft, they don’t really realize how, you know, you mentioned
Linux, iOS, Mac, Android. We have a huge breadth
of devices at Microsoft so we kind of want to walk
you through to level set that. Then we kinda wanna walk through some of the management
structure in what we’re doing. As well as some of the
architecture with EMS and how we’re kind of arranging
what we’re thinking today. As well as where are we headed? I think that’s part of the
really key conversation today. Where are we headed with
Microsoft as an enterprise? And what are the challenges we’re seeing? ‘Cause I think we’re a lot
similar to a lot of you guys. And then walk through how
that dovetails into EMS. ‘Cause really it comes
about how are we gonna use our products the
most effectively, right? How are we gonna look forward? And then kind of talk about
the modern management scenarios that we’re, you know, head deep today. That we’re driving. So with that we’ll kick it off. Carmichael, if you wanna walk us through kind of, our environment today.>>Yeah sure. And I think one of
things you just said Mike is really important because, you know, while we are Microsoft, we’re actually just an enterprise
like most other people. Where we are using Microsoft products and trying to figure out how to do that in their most effective way. Some of the key information
we have up here. We have about 135,000 employees. And most of those folks
have multiple devices. You know, they’re managing their iPhones or their Android devices. They have laptops, maybe they
even have some other systems. Maybe working from home or
something like that, right. So it’s key to understand,
sort of, the environment. Looking at it, we have about 2.6 million transactions per day on our
sales platforms, of course. The 380,000 devices hitting
our network per month. That’s coming in through either on-prem plugged into the wire ports, or in our wireless environments as well. So if you want to jump
over to the next slide let’s talk a little bit
about what we actually have as far as devices.>>Sure.>>Because I think it’s super
important for us to sort of understand, you know, we
aren’t just Windows, right? I mean like I said I came
in about three years ago. Because we had a standard at
the time that basically said, thou shalt not have. And I think there was some
rumors going around about maybe some executives that didn’t like some of those competing fruit products.>>I was here for those. (all laughing)>>So you know, it’s
understanding that our environment isn’t just Windows and you can see here, this is just our managed environment. We have about 100,000 iOS devices. I mean, just think about that. We have 135,000 employees, and we see these multiple devices. So clearly the numbers don’t add up when you look at iOS and Android. Because we also have vendors. We have partners that we work with, that are actually leveraging
our management platforms as well, to ensure that that
data that we’re really wanting to protect is protected.>>I was gonna say just
that on the previous slide we didn’t mention the vendors, but just to be clear, you
know, we actually have about 230,000 people
connecting to our resources at any given time.>>Exactly.>>So while we have the secure 130, that we really want to focus on, it’s really about 230,000 people that are actually connecting
at any given time.>>I think the one thing
we’ll also point out is we still have Windows
Mobile on the list that we have to worry about, too.>>We have to have
a few of those. (laughing)>>And I love the fact that we are our own biggest customer almost, right? It almost feels like, I was
sharing with you guys earlier, that being in marketing,
the stuff you guys put out, the IT Showcase Whitepapers, the webinars, are our number one asset. So people really love the
fact that we can actually eat our own or drink our own champagne. I think that’s the right word. (laughing)>>Is that the new one?
Drink our champagne.>>And at that scale. So it’s amazing, fabulous job.>>So, I think what we’ll
do then is let’s move into how we actually are looking
at this from an initiative towards moving towards modern management.>>Sure I wanna, let’s kind of introduce, there
are four kind of key things that we’re working on right now, that we’ll talk about. First is remote users. So what people don’t realize
is in a shift of mindset, we made the assumption
probably three years ago, to just say look we assume that everyone is gonna work remote. We want you to work remote. We encourage it. We tell people to work
from their home office. But that changes the construct of how you’re going to manage them. If you’re sitting at home and
you’re working on your PC, what does that look like? Does it need to be Intune enrolled? Can we apply policies to
just secure that device? Can we just provide a browser experience? But first and foremost, we want people to have that remote experience. Because whether you want
to as an enterprise or not, people are gonna be connecting
from their coffee shop, from anywhere, McDonald’s. They’re just gonna be
working from anywhere.>>Well you know, we’re gonna get that Brett Arsenault ask one of those moments, where it’s seven o’clock at night, and your boss calls you
and said, by the way we need that slide deck. (all laughing)>>That happens here. With that we kind of have
created this Internet-first, and you wanna just mention
the Zero Trust Network?>>Yeah I think, you know, again sort of, as Mike said,
you’re gonna be working from all these ubiquitous environments. It could be at home, it
could be a coffee shop, it could be at grandma’s house, and you’re getting that,
sort of, last minute request where you need to get access to something. I think for us it’s not just ensuring that you have that
capability to open up Office, but for moving that paradigm
to the, are you really allowed to do that on that
device that you have, right?>>And how are we controlling what’s on that device?
>>Exactly. And so using that
identity as the boundary, in saying okay, you know Mike
is logged in at this location. Does he have access to that data? And does he have access to
that data from this device? So creating that, sort
of, maybe not necessarily in the traditional sense of Zero Trust from a networking isolation perspective, which is a layer of it. But just the identity
and the device health is the other piece of that as well.>>And then we get into,
how do we modernize apps? So we’re no different than anyone else. If you look at our LOB platform, 4,000, I mean at one point we
had 7,000 apps, it was crazy. We still have thousands
of apps more like 4,000, depending on who you ask around here. But one thing we’ve focused on is moving all of that to the Cloud. Now re-modernizing everything? We’re trying to. But even for us it’s a journey, right? We have things that are
enabled for on-prem. And now even, from a
modernization standpoint, what we’re doing is we’ve
actually peel back the onion a little and we’re saying,
look there’s certain things that need to stay on-prem, and there’s a few of those. And then there’s some
things that actually need to be on the internet and
most of those are moved over. But ideally we’re trying
to move everything so that it’s consistent with
our management platform. So we have the controls in place.>>And I think it’s important
you mentioned the 7,000 number and that’s just
line-of-business internal apps that we use here at Microsoft, right?>>Right.>>Some sort of an enterprise perspective. And that number, while it
isn’t 7,000 in the Cloud, I mean a lot of that has been deprecated because of just legacy apps, that maybe we just have
lingering around for a while. But a good portion of
that has actually moved up to the Cloud today and is being run from the Azure platforms. And I think the last number
that we actually have is about 70 apps that
are still sitting on-prem in an environment whether
because they’re just so old and legacy but they still
have that data that we need. Or if they just can’t modernize
it for whatever reason. And so it’s what’s important especially we go back to the sort of
thinking of the Internet-first which is okay fine those
apps have to stay on-prem but how do I still give that experience when somebody is remote to be
able to access that app, so.>>You got to look at
the cost of that right?>>Exactly.>>To me it’s also a cost decision. If you’re going to modernize,
how much development is that gonna to cost you? And then how, what’s the value? If you have a 550 person
application is it really worth,>>Right.
>>you know, investing in. and so a lot of ours have transitioned I think Power Apps for example. We’ve moved a ton of apps
to the Power Apps platform and that gets us out of
kind of micromanagement of the app itself ’cause we
just put it in the container and we’re good to go.>>Don’t forget to do your time away which you can do through Power
Apps for your vacation.>>You’re right. (all laughing) And I think of a theme that comes up especially in our
conversations is Internet-first doesn’t mean internet only.>>Correct.
>>Right.>>So a lot of people
kind of assume oh my God I have to modernizing
means I have to abandon everything I knew that’s not true, especially with Microsoft. You stay I believe with what you have. You just tried to think of the reality that today everything is Internet-first. Taking care of the fact that
you also have a lot of stuff that is not yet entered on the internet.>>Yes we have to be beyond
just those 70 applications we have our high risk environments. And so protecting those with what I think publicly we call them the PAWs, the Privilege Access Workstations. We internally we call
Secure Access Workstations. So there’s a workflow
that even goes beyond just these regular
devices that says you have to be on a fully managed device that we control the images on. So to your point right. So not everything will be
extended to the Clouds. We still have to have that gateway
where they can be remote but we know that that is
an absolute trusted device that they’re coming in from. So good point.>>That kind of gets into
kind of the last bullet that we’ll talk a little
bit more in depth here about which is like kind of
that co-managed scenario. If you think about the SCCM plus Intune there’s a lot of enterprises, they have infrastructure costs, they have some cost that they’re basically gonna be in a co-management
state because to be honest some of their workflows don’t make sense to move to the Cloud. And so it just like us we’re
in a co-management state with SCCM and Intune. We’re gonna be there a couple
of years, several years. And so I think as people kind
of go through this evolution it’s really they have to be
really key on what resources need access to what
other services et cetera. And not try to kind of go too
crazy just take it slowly.>>Yeah exactly. ‘Cause I think even if you think about some of the capabilities we
have to do on these devices from patching to policy management some of that stuff we
still have to do through the legacy systems to
try to bring that forward into the modernized environment, right?>>And I think
it’s more of a mindset. You have the Cloud first or
the Internet-first mindset. So you you do everything with that in mind that doesn’t mean you have
to just change the tools as much as you have to adapt
to the new way of servicing which just perfect yes.>>So one of things
we wanted to talk about is sort of what this looks like. How the workflow goes,
and we actually leveraged the next slide from
our partners over here. To sort of define that,
we called the identities the new boundary which is
using that user on that device and identifying both
of those to ensure that they have the access to do it. So I can be in that
unprivileged network environment and I could be, you know, at Starbucks or at any local coffee shops and I could be logging into my machine to try to get to a Word
document that I need to go edit so make sure we have the latest version of what we’re working on for IT Showcase. So I get that MFA check right. So for us, the first
foremost is identifying who you are and validating
that with that MFA. And then we bring in that sort
of condition of the device. Is it healthy? Can it access the data
that it needs to access so you know using the various conditions through conditional access,
location, device, user, what the application is
they’re trying to access. And then if they’re allowed
we’ll let them through. And I think one of the tiers also here is sort of that on-prem
environment, is there’s also that Azure App Proxy layer to right where, you know, maybe
the application itself is being proxied then through that to the on-prem environment. So still doing that
conditional access evaluation on the device itself and
then carrying that through with the layer to ensure that
they have access to the data. And I think the key here
though, also is that it’s a continuous check. It’s not just a one time you’re coming in and we’ve validated you at that one time maybe the device becomes
unhealthy while it’s happening. And so you’re still
connecting but we’re doing that continuous check to
actually validate that that device is still healthy
to connect without having to necessarily force that
re-authentication to do that. So kind of a nice little workflow that our friends have created
for us to do that on so.>>So I love that you’re
focused on the identity. ‘Cause I think that’s something
that a really clear message people need to adopt right? For years in IT and in this industry it was protect the device,
protect the device. Oh the device has to be secure. We’re so beyond the device. The devices are pretty much secure. I mean most devices come encrypted whether it’s mobile, whether it’s a PC they come encrypted, they come
set, you have your policies and passwords and everything else. So from a security standpoint, it’s about the user
and in the second layer it’s gonna about the data. So, don’t worry about the device anymore. If you’re still worried about the device you might want to rethink that strategy ’cause you really need to
move beyond the device. The device should be agnostic as we’ve talked about in the beginning. If you look at all the
platforms that we have, we have users of Microsoft
on every platform. They’re on Android, they’re on iOS, they’re on the Mac, they’re on the PC, they’re on a surface device
they’re all over the place.>>And I like the nuance of making sure we understand exactly what
we’re trying to protect which is that data element
that they’re trying to access through whatever application they’re trying to access it, right? So and then we’ll talk
a little bit in a bit about how the sort of ecosystem,
maybe MS, comes together. But when you look at like AIP or Azure Information Protection rules or Windows Information Protection. Is that device allowed
to access that data? And is that user allowed
to access that data, right? I mean that’s sort of
to your point, right? Do I have the identity of
both of those device and user to ensure that they can
access those elements? From the device that they’re on Because, I mean we’ve all
got a phone in our pocket and we’ve all got laptops in front of us and I think back in my
office I’ve got other laptops and back at home I’ve got my home PC, but which of those devices am I allowed to connect
to and I connect to, so.>>All of them. (all laughing) In one way or another.
>>In one way or another.>>And the user is really the weak link in this because you could
have the most secure device and the most secure network. But all it takes is a
user with password 123 as their password. And you’ve exposed the whole organization. So you need to go beyond passwords, you need to go beyond
just that credential check to really give security to your point.>>Yeah I think there’s
another webinar coming up for password less right. (laughing) If there isn’t we should schedule that.>>Pluggign in everything they’ve got. (all laughing)>>And this is kind of, Carmichael will talk a
little bit about this. This kind of talks about how
we look at the ecosystem right? We think of it as a three-legged stool with information it set, but
we can kind of walk through each one of these pieces.>>Yeah I think,
just to your point, let’s focus on the stool for a second. Because for us within
Digital Security Risk and Engineering DSRE, we
really take that approach of understanding what the
risk of the environment is.>>Right that’s the platform layer.>>Right, so
that’s the platform layer. What is it we’re trying to protect? And we’ve been talking about the data that’s the information
protection layer, in it I think to be clear when we say
that information protection it’s not just Microsoft
information, right? ‘Cause we have access to customer data but some people have
access to customer data. So there’s there’s just not just ours but it’s other people’s information that we’re trying to protect as well.>>Also their personal information.>>Exactly. (all talking)>>Users freak out if you
try to mix that information. I think if there’s
anything that we’ve learned with rolling out conditional
access for example here is, people are super worried about the separation of your personal data versus your corporate data. That’s not clear. So that information
protection is absolutely.>>Especially when you’re touching their personal device like a phone right. I’ve taken it I took
a picture of us before we got on here right. And let’s say that was
a picture of the family I want to make sure that
you guys aren’t taking that. Or we are not taking that picture, right? So, then you know, so using
that risk management foundation and what are we trying to
protect is the information as Mike said we have those
three legs of the stool. And each of the three legs
are super important, right? So the device health which we see on the rest of the slide here. We’ll talk about in more specific especially as we go through the slides but the identity management tier, right, you mentioned it Mayunk. Which is really understanding
what we have to do from an identity perspective, including MFA on these devices. to ensure that you are who you say you are when you’re authenticating
through that thing. And that you are continuing
to be who you are not just the one shot deal
of applying that logic. But then the really, I think for me, the foundational piece of
that, of the stool here, is really the data and telemetry. If we have to be able to understand not the data that we’re trying to protect but we need to be able to
see who’s using what devices. How often are they being used? Is it being used in a healthy way? And then just getting telemetry
across the other systems and we’ll talk again about
sort of the EMF suite but if I have advanced ran analytics looking at all those logging events. If I have Azure Information Protection ensuring that we are
classifying those documents in the right way but if somebody downgrades a classification. Why did they do it? They were actually writing
a recipe for something and then, you know, sort of making sure.>>People are never
making so many classifications, do they?>>They have never. I mean I think my recipe is
highly confidential personally. (all laughing) So again if we look at
the device health portion of the slide, right? Just look focusing on that one leg here you know, again making sure that we have up to date operating systems on all of our devices. You know, whether that’s through the Windows Update Service to update our machines
on the Windows devices. But also ensuring we have
those updates happening on both iOS and Android. And especially now as
Android’s moving in towards more of a monthly security patching cycle. How do we ensure that
those security patches are being applied? So we make sure that that device
is as secure as it can be. And then as we sort of move
around the circle right? Malware protection and understanding
what could be happening on that device and ensuring we
have at least some visibility into the telemetry on that device to understand if there’s something there. Encryption you know latest
apps to make sure we have those updates that kind of goes
in line with the updated OS. And then again that integrity
and conditional access piece that we’ll be talking about
throughout this presentation.>>And how it all works together in the sense of you’re
using all these signals that you’re getting from
different places in one place.>>Exactly.>>Unlike, you know, what
I like about that stool was that it’s all connected. It’s not an Ikea box where the legs are all over the place, and you got to figure it out
like how do I make the stool.>>By the way, we did test and
a three legged stool works. (all laughing)>>So even the Ikea stool is great. I have one myself, I’m
new to the US, by the way, I don’t know if I shared that. But at the same time you
have to set it up right. And if you can buy one a
stool that just is connected to each other, the legs are
connected to the place you sit. That’s how they all work together, and I think that’s
something really powerful about a solution like that.>>Exactly.
>>Absolutely. So let’s dive a little deeper and kind of talk about
kind of the health aspect. Carmichael you mentioned
a little bit about the secure admin workstations and what we’re doing there. But really when it comes down to what is Microsoft’s posture today? Like what do we tell people? We’re pretty much a your
device should be managed shop. You know, while there is MAM and some other policies
that we use to apply in different scenarios. Really we want your device to be enrolled. Now with that it’s a
little bit complicated. If I’m honest here, there’s a lot of personal
devices in separating that personal information. And then like right now
we’re running into scenarios where there’s a lot of people where they’ll bring their personal PC and just enroll their personal PC just so it looks to us like a
corporate asset when it’s not. And so I think every environment, I think as users just
become more accustomed to enrolling their device. I mean enrolling device
is pretty easy, Settings, Work Access, boom, you’re in.>>I think it’s a, you
know, you mentioned MAM, and before we got started here Mayunk, you were talking about the poll that the Intune Team put out on Twitter.>>Right.>>Which is a super
interesting conversation ’cause Mike you touched on a little bit, which is for us full device management is really our focus. If we can’t trust that
device is what it is. And the person that’s using it
is the person that they are. That’s sort of our foundation, right? But then in order to protect
externally the application. So if I’m at my house and I
pull up OWA on my device at home that if I you know
starting to read an email but I want to open up the attachment that you know it’s comes
back from a MAM policy and says hey no I’m sorry
you have to be managed. And then it walks me through
that management workflow or at least ask me if I want to be managed and at my home PC.>>Of course you know.>>So. (laughing) I like a little separation
personally you know. But then the I’ve just
reach down into my bag and grab my my work
laptop and go from there. There’s I mean I think that
that idea of having this again the foundation of
the full device management with some of the capabilities
we need to bring in and by the way that the polls still open so if you do want it go to the Twitter account.
>>It’s open yes.>>I’ve been plugging stuff. So the next thing to
plug is our Twitter IDs. So mine @mayunkj, MAYUNKJ
and that’s where the poll is and then you have the MSIntune @msIntune which also has that. So it’s interesting
that even if you’re not blocking it at least you can
allow it restricted access where you’re like saying okay. I don’t know you. I don’t know if you’re
exactly who you are. But at the same time if
there’s something not super critical if you’re just
checking email, go ahead. But if you want to download the attachment or do something with that maybe not.>>And that’s where I think you need to really look at those policies, like what are you really
trying to protect?>>Right.>>And if you have the
information protection policies in place that really, really helps. So we’re going through a
whole process here right now to basically say look, how
do we categorize that data? And more importantly how
do we take some of that out of the hands of the user? Because let’s be honest
users are never gonna, they are never going to categorize 100% of the data
correctly that’s just not. If you think that’s gonna
happen that’s not a reality. So you need to just put those in place so that you can say look if I’m looking at the data that’s inside the SharePoint then I can actually
market as this is secure. This is high impact. This is HBI whatever you want to call it in your environment. And then you can actually
manage that accordingly. So to me that’s super important.>>You mentioned HBI just as an aside we built you know we’ve
been sort of working with the Azure Information Protection Team and of course we had to
change the classification to mirror what was there. So Mike mentions the High Business Impact but now it’s highly classified,
classified and down. So by default all documents that we create are tagged as general, right? So if you’re going to open up a document and start working on it and then on that layer, then you have to sort of make that idea that thinking in your mind to say you know, am I creating
just a document that I want to send to my family? So maybe I make that personal. Is this really business related and how far into the
business is it related? So is it highly confidential? And I know there’s different
tiers of what AIP means in this environment. When you’re deploying it
depending on what level of licensing you have. But you know of course
we’re on the E5 skew, and being able to do some
of the additional things that we do there. You know creating special words that say you know this code word is something that we need to protect. So if I ever see that code
word used in a document then make sure that
that’s highly classified and only FTE, only this
particular group of individuals. So getting into that granularity
is something you have to be cognizant of when you’re planning that strategy around the tagging so.>>And as an end user I see
that myself all the time. I mean when I work, I
work a lot on Roadmaps. So as soon as I’m working on something and you know it says obviously,
planning for the Roadmap, it automatically pops
up this thing saying, you might want to turn
this into classified or a confidential document. So I see that working for me every day. (laughing)>>You don’t want to
share the full Roadmap for intent with the world? (all laughing)>>When it’s ready, right? When it’s ready.
>>Not yet.>>When it’s ready yes.
When it’s ready.>>That’s a good idea.>>Everybody want’s to know
the Roadmap don’t they?>>Yes, So the goal
state Mike what’s that?>>Yeah let’s talk about
our goal state kind of where we want to head. The first is, we’re taking a hard look at our network boundary. And so something kind of new for us, not necessarily new for us at Microsoft but some programs that we have here. Is we’re trying to take a step back. You know we mentioned in the first kind of couple of slides
that we’re Internet-first. And so I’ve talked to a
lot of different companies where they’re going down a similar thing to say look if you’re in a small office you have five, six, 800, 1000 people. Do you really need your
CorpNet connectivity. And our answer is no. We actually don’t want that. So we’ve been peeling
that that back that layer for quite a long time. And so we just look at
from the network side even if you look at our CorpNet, Carmichael, you mentioned the the high risk environment, right? What we see if you look way in the future our high risk environments
are the ones that are gonna be on the CorpNet. And so we’ll pull that back, everyone else you should really be
coming from the internet. There’s really as we move things to Azure as all the
Cloud services are there, as all the apps are there. You really do not need
to be on the internet. Or You don’t need to be on
on our corporate network.>>You just mentioned now
you just moved to the States and I think one of from a geo
location sort of perspective we don’t necessarily think about until you realize you
work for a global company is the network bandwidth
that are different places. So maybe I don’t need
you to backhaul across. You know if you’re in some remote location say in Africa, backhaul to Dublin And then coming in to Redmond to get your data. Maybe I just need you on the internet with a point where you’re actually local and you can get a better bandwidth a better experience, right? At the end of the today,
I think we have to balance that tier of security versus
user experience to you right to make sure that we have we’re not impacting them
in a way that it makes them not able to work but
we’re still ensuring that we have that protection that moves them forward
into doing what we wanna make sure that we do.>>And this might a good place for you to maybe explain a little bit more about Zero Trust Networks. You mentioned that earlier. Is that a concept that applies here about internal threat
verses external threat. You know and how we just
treat everyone as an outsider. Even if they are internal users.>>It really comes down to you know I said it’s not just the sort of
the legacy networking mindset of what Zero Trust is where
it’s that network isolation of your environment. But it’s ensuring, and
for us I think the way we more think about it is
managed verses unmanaged. And what’s the tiers of
management that give me the right user experience with
the right security controls on top of that, right? I think what I like
about working with Mike recently, not that I haven’t liked working with you for a while.>>We’ve been working
together for a long time.>>He came from the User Experience Team or the End User Experience Team. And so now that he’s in security he’s bringing that experience with him. To say you know hey guys
here’s a security control that we have that maybe
we need to make sure we understand what that
full experience is. So taking this list of controls that I say I have to do on these
devices and applying that to that user experience but
again thinking about Zero Trust in the way of managed verses unmanaged. That’s not just you know devices
it’s user experience too.>>And It doesn’t matter where
they’re coming in from, right? So unmanaged verses
managed, I could be managed or unmanaged on the
CorpNet that doesn’t matter your policies will decide
the level of access that I have as an end user.>>Right, ’cause you know maybe everything I access as an information worker or a sales pro if I’m out
in the field everything I’m doing is you know Dynamics 365. It’s all Cloud enabled. I don’t have to be on-prem there could be. We talked about Secure Access Workstations which is our admin level. But maybe there’s some financial data or some like that that was within Corp. So I had to give that experience again, so where it’s looking at that not just the the network boundaries, but the app boundaries as well. So, right.>>And one thing that enabled that kind of walking through the slide here is we have kind of built a robust reporting solution. And so using Microsoft
tools we’ve been able to actually really develop you know, what does it
mean to look at the device? To look at the health of the device? To have that reporting in the back end. ‘Cause really you want
to rely on that back end reporting solution to drive the behavior. So everything from our service operations to the health of the app,
to the health of the device all of that with those
checks that are in place. And then that comes to where we are today. So you think about we’re at today. We have conditional access released.>>We do on what platform?>>On iOS and Android, soon to be more. but it’s been a journey. So you know I mentioned
one of the just to bring you guys into kind of Microsoft. One of the big challenges we had remember is the personal versus corporate. Right?
>>Right.>>And so remember in that
first slide, 130,000 employees. But the device count way higher. So what does that mean? We have a lot of people
that that are vendors that have their devices enrolled because they want access to data. So that kind of has helped
modify and helped drive our kind of conditional access model in what we’re building for people. So in general, but if we don’t know you, if we don’t know your device, you’re not getting access to resources. That’s really the point
we’re driving toward. And then if you think
of it from a next steps, like where are we going from here? Really, I think as I took over the conditional access EPIC for our team when I moved
over a couple of months ago, to our security team. One thing is, I think, I hear people talk a lot
about conditional access in what we’re driving. And so many people think about this as a point in time experience. And I think that mindset needs to shift. I’m trying to shift that
in our current organization to say look, conditional access is not the enrollment of a device. It is the ongoing service. You know, you mentioned OS
updates in managing the device and all the pieces the AV that
have to be on that device. If you’re looking at
conditional access as a service. It means I’m looking at
the new functionality that they’re putting in Android P, Q, whatever they’re on to next. And I’m looking at the
hardware that’s coming out with Samsung and other manufacturers. And I’m saying look if
there is a new security bar for a platform be it Android, be it iOS, be it Mac, be it Windows, then I want to adopt that. And when I adopt that that
means my bar just got raised. So I’m no longer gonna say for example, older Android devices that don’t support certain
hardware-backed encryption. Guess what? I ratchet up, you’re out of the network. That’s a service, that’s
not a point in time. That’s a sorry you’re on an old device. You’re gonna be moved off that device.>>Well, I think that’s important, right? Because maybe we didn’t
have those controls a few years ago in Intune and we do have that capability now to do minimum OS and even to be you know manufacturer devices and stuff like that to ensure that we are again locking down to use that term the device types that we’re using in the environment. So which is really important
and a great feature from a perspective of
entrusting that device to be able to access that data.>>And also giving people
or giving the end user a way to remediate that condition. A big chunk of conditional access, is not just blocking
stuff, but also saying, giving a very friendly
path to the end user to say okay, this is the
reasons that you’ve been blocked and this is how you
can remediate yourself. And then to your point about
not being point in time as the conditions change, that’s when it will
automatically evaluate. Okay now you’ve remediated what it was an update that
you needed to do maybe. You did that update, now
you’re back in without having to call help desk, without having to visit the tech link or anything like that.>>Exactly.>>And we’ve noticed our users are getting a lot more familiar with that experience. If you think about kind of the
password list key experience. I always relate this when I talk to people I say, “Hey, do you use online banking?” And they say “yeah.” I say, “Okay well, when
you use online banking “you have to have a key on the device.” Usually you have to view
a picture or something you have to put a pin. You have to have a password. You go through like three
or four checks, right? Well, our data is just as
secure and just as important.>>Maybe more.
>>Maybe more. So, people are getting familiar with that experience right.>>The marketing slides
are really important.>>Yes.
>>Yes. (all talking)>>Let’s shift a little
here and just talk about we’re kind of wanna walk through the management architecture. This will be a little quicker conversation but in terms of Configuration
Manager plus Intune. So if you think about that
plus Cloud experience. Where is that Cloud benefit? We’re in this mode today. We’re using Config Manager plus Intune and we’re gonna be there for several years like any other service and infrastructure. We have costs they are there and it serves a secure purpose. So even as we look long term as we look at our HRE
environment, for example. We’re gonna use System
Center and use management for those devices. So we have Intune today,
that’s our primary. Well from a PC perspective,
one of the things from a strategy perspective,
we’re moving toward is Azure domain joined. So we’re going away from
classic domain joined. We’ve been on that road for
actually a couple of years. And what we have how many devices? Even under management we
have what 35,000 devices in the Azure management stack already. So we’re well on our way to that. So essentially we are going with Configure Manager plus Intune. And we also wanna be there
to help our customers ’cause we see this model as
the majority of enterprises are gonna be in for a number of years.>>And I think one of the
good things is it’s goes back to sort of that experience too, right? Because if I am Cloud enabling
users out in the field to do stuff, having to figure
out how to get to an on-prem Corp environment to AD join your device to get access to data,
doesn’t always work. Especially we talked about
sort of that field scenario we will in sort of move
away from having them come all the way across the
globe to get to some authentication mechanism. So having that enabled so I can do that out-of-box experience. Not necessarily ’cause I’ve
got my Christmas present I got the new Surface Pro 6 or whatnot.>>And every three years you will.>>Right. Even if I had to reset
my workstation, right?>>Right.>>To your point on, sort
of, the service calls. If I hit reset on my Windows box because I’m having some issues. But then having that experience at that Azure Active Directory Domain join level, to apply the conditions that I
need to apply to that device, to make sure that it still
has what we want from a security perspective on it. Where I don’t have to be
you know again we still have those environments where
we need to be on-prem with you know whatever that data is whether that’s the or
some other confined device that says you still have to be there, it still to be to be domain-joined, still have to get the policies
through Config Manager.>>Yeah, when I see
that architectures slide that you just showed. I mean when we talked
to customers at the EBC and when we’re meeting
customers all over the world. It’s not very different
for them that reality of that architecture slide is very similar for our largest customers. And also our smaller customers just like it is for Microsoft. So it’s a reality that we’re here and they’re designing,
they’re building the solutions to address that reality of it
will never be internet only, it will never be on-prem only, but it’ll be a mix of the two.>>Well I like that, exactly,
we call it Internet-first because that’s the first
point that we wanted to come through, but there
may be additional points that you have to come in through after.>>Absolutely.>>And I think I stole your
thunder on the next slide.>>No that’s all good, I think we touched base
on quite a bit of this that security management,
that self-service experience. Really more users are
just getting more familiar with how to operate. And that’s one thing I
wanted people at least our audience to think about. Traditionally a lot of people
just from an enterprise perspective have this of listen, I have to hand-hold my customer. I have to hand-hold, I have
to white-glove treatment with everything they do. What we’re finding is the reality like Azure AD joined, we didn’t advertise for people internally to go do that. It’s not like we told
the masses at Microsoft yes we’re going to do that, yes we have a plan we’re gonna do that very soon here at Microsoft
where everyone is by default. So we’re enabling those back-end processes to make Azure AD our first process but we haven’t done that yet. Meeting without doing
that we have 35,000 people that have said look this
is the way I want to go.>>Exactly.>>Now granted people at Microsoft are a little ambitious
and they tend to do things even without us wanting them
to but it just proves that users are starting to get
into that self-service mode. They see where it is they
wanna go to the Cloud and then they look at the controls. Do I really need full CorpNet, on-prem, Domain joins, the way iO is always ran. And the answer we’ve done this with a number of people internally. We actually have a bit
of a challenge, right? We have a number of people in our org and in our user experience org and in our security org. Where we’ve told them
look go join your machine to Intune, put it in Azure
or put it in workplace join and go test it out. Like tell us what you can’t do ’cause we want to find out what you can’t do verse, we know what you can
do, almost everything. And the answer has been
yeah 99% of their job if they’re an information
worker, if they’re a PM, they can do their job 99%. They do not need access to CorpNet. Which is why we’re taking it
out of those small offices. So that’s where we’re going.>>So I think on the next slide, I think what I want to make sure
we also get to is is that it’s not just Intune. And it’s not just those
conditional access policies but that ecosystem that
has to be behind that in order to support what
we’re trying to get to, right? We talked about telemetry
so, we talked about Advanced Threat Analytics,
Azure Information Protection. Being able to tag and
classify those documents to ensure we have the right capabilities. Then using Cloud App Security
to monitor that document as it’s going across the network. Like, maybe I’ve tagged it appropriately, but I’m trying to send it to somebody who doesn’t have access
to it outside the company. So getting that visibility, that telemetry to see what
was going on with that. I mean, I think we have a
write-up on IT Showcase, about a time where it
was not not necessarily, like, a threat that they did it, but it was an accident and it was caught before it got too far out. We’ll have to see if we can
dig that one up, actually. That’s a good point, ’cause I mean there’s times where maybe you’ve
been working with a vendor, and you keep working with them, but then you all of a
sudden change the vendor. And so you send the old one an accident and you’re like, oh wait a minute, I don’t think you meant
to send that document to that person you just send it to, ’cause they’re no longer in your tent of responsibilities, so. But again using that
sole that whole ecosystem as what is driving this and then I think that’s important to
understand because it’s not just applying Intune policies. It’s not just conditional access. It’s not just you know Config Manager. There’s this whole ecosystem
has to sit behind that in order to support this.>>And it brings us back to the stool the three legged stool. The fact that it is not just a concept it is not simply you trying
to explain it, simplifying it but if you look at the
the way the solution is designed, it is designed
to really work together. And not just be there so it’s not a suite for the sake of being a bundle. You’re not saying okay if you buy the EMS or you know you buy this
license it’s cheaper than buying them standalone. Which it is, but the fact that
they actually work together.>>Yeah, and then you really
need it to work together. I mean I think that’s the key and I think we’ve seen at least in the
three years I’ve been here. This enhancement of this environment I think maybe this story
is is just how improved we’ve sort of gotten ’cause I think just looking at where we were with the thou shall not have
a non-Windows Device, to now we’re at this, you
know, fully managed iOS and Android, transitional access.
>>160,000 of them, boom.>>Yeah, 160,000 devices that if you want to access corporate data on that device, you have to be managed. I think that’s to me that
still sort of blows me away when I think about the fact
that that was the first environment we were able to tackle and I think we tackled it very well.>>And as a relatively new end user I can attest to the fact that
it’s pretty seamless for me. Like the fact that I you
know I just come in different company and it all just works. And now that I do this
as I learn more about our different technologies I notice how they’re all working together. Like a simple example, if I
may, the fact that our intranet access is just so seamless,
like, it took me months to realize that, you
know, what I never really double-click anything to get into my VPN. Like when I go to my benefits page or my you know, what we
call the Microsoft MSW, it just worked. And it took me months to
even realize how seamless that whole experience was.>>Well like so Mike talked
about having an understanding of your applications, of what’s available, what’s not available. When we first started
doing the Internet-first roll outs we actually started blocking and only driving people
out to the internet and a handful of offices
of which I was in one. And you start seeing experiences like I can’t get to my HR data. I can’t do my time away. I can’t actually look at how
much vacation time I have to take before the end of
the year so I don’t lose it. And then figuring out
what those experiences are to your point Mike and understanding then, how do I actually enable
the user to actually have that experience? So using things like
Power Apps to do all of our HR systems through. So I actually have that
time a way reporting and the visibility there.>>Awesome, and do you mind
taking a few questions now?>>Yeah, please.>>We seem to be getting
them by the dozen.>>Love to.>>One of the interesting ones I see here is about the benefits of co-management. So what people want to know especially if in your own experience pros and cons of going towards Co-management.>>So the the huge
benefit is you don’t have to kind of redo what you’ve already done. So one of the big challenges we had so for example, when
we first looked at it. The very first thing we
did is a policy true-up. So if you look at Config
Manager we had literally 800 policies across our environment. And so we we kind of said look, let’s take all those policies, we did the evaluation, we
used the tools from Windows. And then the next step we
said, is which of those do we want to be an MDM? Like which ones do we really need? I think a problem that people and this comes back to
your mind shift, right? If you think that moving to the Cloud and moving to MDM management and moving that direction Internet-first. If you think that’s a lift
and shift of all the policies that you currently have, that’s wrong.>>Right.>>That is the wrong way to look at it. What you really need to say is look, they’re on the Internet, what access do they need to resource
to or what resources do they need access to? And then what controls do
I have to put in place? Because even internally Carmichael and I fight this all the time with people. They say “Well, it has to be like this “because this is the way
we did it on the domain.” We’re like but they’re not on the domain and we don’t want them on the domain.>>When I think when you create the FAQ for the user experience when they’re like why are you doing this to me? You don’t show 800 GPO’s
you show that standard like this is the operating system standard and these are the you
know eight to 10 things that we have to apply to that machine. There’s a lot of context behind that and it could be Config Manager, it could be GPO, it could
be Intune policies, right? But just showing them that
set of these are the things you know kind of back to
that device health slide is these are the things we
are doing on your device and require be done on your device, you don’t have to know what
the back end of that is. So having that experience
sort of at that boundary of what do we really
then tell the users that we have to do on their devices? That’s a good point.>>And a second piece to that is, this is what we’re not
doing on your device.>>Well, that’s the almost
the more important piece. (all laughing)>>The user feedback
we got was really clear during our iOS and Android. People are almost more important or more interested in
what we’re not doing. So we’re not looking at your photos, we’re not looking at your web browsing. We’re not looking at
your cache on the device. We’re not getting your password to your Hotmail or Outlook account.>>We’re not doing a full
device wipe when you leave.>>We’re not wiping your
device stuff like that so that’s super important.>>And that’s part of the product now so I know that we actually we re-did all our product screens to make that very transparent, very user friendly so that it’s not for the IT department to have a custom solution to reassure users, but
it’s in the products.>>Absolutely.>>Another interesting one and I would like to
know this myself is when do you think you have solutions to manage even the meeting
rooms like Surface Hubs and things like that? Do you guys have plans
to manage that as well?>>So I think we do and
so let’s use Surface Hub as an example we actually do have policies that we can use through
Intune to manage those and I know Mike and I we
worked on that for a while. Kiosk machines too, right? And we have iPads outside of some office, some rooms that actually
control information there. So there’s sort of that
kiosk policy experience that we can use through
the same set of tooling that we have to manage those devices. I think there’s still some of those additional IOT things that we’re trying to work out. I mean we have a standard
we have a list of things we want to be able to do on those devices but you know getting kind
of back to what my team does is okay, how do we actually do that? Working with your team, the product team. Whether it’s you know Intune
or whether it’s Azure IOT or some other group to ensure
that we can actually do the effective controls we
need to do on those devices. So there is work in progress for sure. But I think you know sort of again, fundamentally understanding
what is it that the device needs to do? Who’s gonna be connecting to that device? And what applications,
things like that, run on it. So I think having that minimized hub experience with a set of
policies that apply to that.>>We’re doing it today.>>Right, and I know
people like to know Roadmap but that’s something that
is definitely exploring how what role does IOT really
play in the enterprise? Because if you ask someone, what is IOT? The answers would be all over the place. So really nailing down what
it means to the enterprise. I mean you know is it
just your Nest thermostat, or is it something else? We are really exploring that and I think in the next few months we will see much more
targeted solutions around IOT from the EMS Intune.>>Well, and I think
you’re absolutely right. Because I think that’s one of the things even internally we struggle
some time is when I say what is IOT? If I go talk to our corporate
real estate team IOT is all the building management systems. It’s the thermometers in the rooms.>>The HVACs, yep.>>The HVAC systems. It’s the elevator controls. It’s you know, those various things versus if I walk down and see
a Harmon Kardon Cortana device in somebody’s office. That’s doing you know,
hey what’s my next meeting or something like that, right? So I think there’s different experiences depending on who you talk to and I know when I will get my
coffee pot in the morning I wanna make sure it’s set
to the right temperature, and I’ve got my cup of coffee when I’m walking in the door, so.>>Right.>>But enabling that and
you know getting kind of to that trusted boundary
again right, is okay, but what of those devices
do we trust to have access to what areas of the systems, right? So we don’t have you know
your coffee pot talking to the building management system.>>Highly confidential.>>Exactly, how do you
classify those, right?>>And we have time for
probably one last question and I see people really
sort of doubling down on this question. So I’m gonna ask you this one. It’s almost asking you
again what are some of the biggest challenges
when you try to flip on co-management or when you try to do this SCCM plus Intune? Is there something you can
share without marketing it?>>Yes, I think one of the things, and maybe Mike, you can
go into more details. I think just at a high level it was doing that mind shift of taking SCCM first to Intune first, right? But then using Config Manager
to still manage the policies. ‘Cause I think one of
things we were originally thinking of and again
maybe this is our buddies a little bit was is the challenge was maybe how do we get the
full device management in the Cloud from that that layer. But we realized that there
was a lot of gaps in coverage kind of back to what I was talking about with the risk management, right? So there’s still these gaps
how do I control those gaps. We had a tool that already
existed Config Manager that was doing a lot of that for us. So bringing that along to say I’m still gonna do device
management with Intune, but I have to have that hybrid environment to have those controls there. And I think you know maybe even from the user experience
side you can touch that a little bit but making
sure that we have those.>>Yeah one of the one of
the gotchas perspective that we we learned is and this is probably a good tidbit for our
listeners and people today. If you look at the application policies that you have in Config Manager. I mean we’ve been running Config Manager since its inception right? So you think about kind of like GPO everyone likes a GPO and they’re like yeah I have 5000 GPOs
sitting group policies running and it’s just a mess. Well, our Config Manager
was a little bit that way for us to be honest. And so when we started to
move to the the Plus Intune and started to migrate over to the hybrid. What we realized is we
have a lot of clean up. And so I think what
people need to learn is you need to kind of take a step back and look at your application,
your provisioning policies. To me that’s the real lesson.>>Exactly.>>That’s the real meat and potatoes of how am I gonna manage this? Because if you don’t take a step back, take a hard look at what
policies are conflicting or going here. For example, look I have an app that’s for people in Ireland, but yet you’re publishing
it to 200,000 people, to everyone, because the app owners or the admin said, “Oh, I
should just go to everyone.” Well, how many of those can
you have in your environment?>>A lot.
>>A lot, too many. (all laughing)>>And while you’re unplugging things so we’ve got solutions
like security baselines coming in now with Intune
that let really help you to figure out okay this
is what I really need using the power of AI
and machine learning. Which was in fact another question that I’m afraid we won’t have the time to cover today. But again it points to the fact that it all works together
and it’s really trying to simplify the IT person’s job. And maybe that’s what
you could share with us as some of the key recommendations because we are almost
at the top of the hour so if you’d like to maybe go there and leave something
that people can now use to go and do this themselves.>>Yeah I mean I think for sure, and I think we’ve got the
slide up on the screen where it’s go back into that EMS view, of use what you have licensed for, and make sure that you understand
what that is too, right? ‘Cause I think when I go to the Executive Briefing Center and I talk to customers
they don’t necessarily even know what they have or what they’re using, right? Or what they have the ability to use. So just understanding
exactly what you have and what you can use. And then applying sort of
that policy-level mindset to your point Mike, understanding what your existing policies are today. And then how do you carry those forward into this sort of new environment? Where can you supplement with
the more modern controls? Where do you still have to
have those legacy controls that you still need to and
require to be on those devices? And then you know again I think that covers the sort of group
policy mindset too which is.>>Yeah we’ve talked about that.>>I’ve heard
anywhere between 5,000, 8,000 group policies. (laughing) That we’ve had to do from the day we turned on group policy,
and of course the guys that were originally
doing it aren’t with us, they’ve retired since. So understanding we don’t
even necessarily know what some of those group policies are.>>And again, you’re not alone.>>Yeah exactly. And then I think Mike, the
planning those phases, right? I mean the EPIC that you own.>>Yeah I mean you have
to take it in chunks, right? If you look at conditional access for example we focused
on iOS and Android first. And now we’re focusing on Mac and next we’re gonna focus on Windows. Windows is it a challenge internally here because if you can imagine we run every flavor of Windows there is. You have people running server, you have people running client. You have people running N
plus one in beta builds. You have people running legacy builds. Out there five, eight, 10
years for our customers. So, you have to kind of
build all that into something that’s consumable for your users.>>Yeah and I think
what you know sort of on that legacy OS perspective we
you’re actually doing that because we’re actually
supporting some of our customers that are still running
that too so we can’t just shut those things
off through policies and say you can’t use that anymore. But having that sort of understanding exactly what they’re being used for. And then maybe creating
that sort of an environment that they can work in back
to sort of the Zero Trust and thing. Where maybe they’re not on
the production environment maybe they’re in another
supporting environment.>>And then the other thing kind of the last point here on
educate and connect. I think from a from a very high level you really need to have
a culture discussion at your company. You know here at Microsoft
we are changing the culture drastically from what it used to be. It used to be a very entitled conversation no I expect I’m an administrator. I expect I can always do
this, I have full access to everything that’s very different than say going to the other end which is say a just-in-time model. Where I provision you
only administrative access when you need it and it’s
only for two minutes. So it’s a very different mind shift and so I think people should look at that as well in their environment and say look from a top-down level, what do we need to change
from from the culture.>>Well they even to that point right just even within our iOS and Android the rollout was right getting them to understand that you don’t have to be on the corporate network. The reason why you were using CorpWi-Fi was because you were connecting to the internet through that and that gave you that you didn’t have to use your data on your phone mindset. So, you know maybe you don’t
need to be on that network with your mobile devices. Maybe you can be on sort of that internet facing Wi-Fi too, right. So that the culture is a huge one for us that we had to get past.>>In fact that question came in as you were talking about that. About what advice from your experience will you give to work with the old guard? You know that person
entered that in quotes. How do you go about proving this and introducing it as a pilot. Because I’m sure it wasn’t all you know roses and champagne when you
were trying to introduce this through such a large organization. So any tips you can share on that?>>So I think it kind of going back to when we were first talking about the iOS and Android rolling out. I think it’s important to first understand what the security
policies are and work that out within your own environment. So within the SRE we
made sure we understood in partnership with our
End User Support Organization when Mike was over there at the time. Understanding exactly what
that meant to apply those before we went forward with it and that already builds
your then resource kit for your FAQs and things like that to say here’s what we are expecting to see or what the types of questions you get. I think then it’s then
reaching out to some people you’re happy with and honestly when we started doing the testing is we noticed that just even within the Office suite of apps on those devices there were some issues. So rolling it to those engineering teams to have them see the
experience of working with us. Now that’s a benefit maybe
our customers can’t have but when they deploy this they can feel like we actually had to go through that, so we’ve pushed that to our Office team and partnered with them to ensure that the experience was good right. So I think within your own environment if there’s people that you work with on a day to day or if you have an application that you have to make
sure critically works on those devices work with
that team onboard them first. Make sure that they
understand the experience that’s about to happen
in that application. Because all the other
piece of that is it then allows them to build the
muscle to help support their customers. When that application has issues when they’re trying to enroll too.>>I like that so I mean have an FAQ handy that can address the sort
of mainstream questions and then work with probably the more critical team first. So that you get the hard
piece out rather than maybe go for the low-hanging
fruit of doing it for the least.>>Which is the opposite
of how we typically. (all laughing and talking.) For years it oh go for the easy wins first and then kind of build harder. And then you end up with
this long tail of five, 10, 20,000 people with an
exception or something like that. We took the opposite approach and said let’s go to the hard stuff first. Let’s fix that and then
all the other stuff is gonna fall in line.>>Yeah and I think just
one one last thought on that is ’cause I know we’re about to run out of time here, is privacy. Make sure you can work
with your legal teams and then figure out
exactly what you need can and can’t do and understand
on the devices, too.>>Excellent points. I mean a lot of this has been
really educational for me even though I do this for a living and I’ve been working with you for so long and I hope you guys had a great time and you learned something completely new. The on-demand version of this webinar will be posted soon to So that’s IT showcase. Where you can also find
the related content like case studies, blogs
and upcoming webinars. I already shared our
Twitter handle with you so if you’d like to interact with us there’s a MSIntune the Twitter handle. And then if you want to just
review some of the concepts that they share today you should do that on the on-demand webinar. Send us questions if
you have more questions and then join us for future webinars where we can answer more of your questions and make sure to bring your
colleagues with you as well. So thank you so much. Thank you Mike. Thank you Carmichael good and
have a great day everyone. (music)>>Hello again and welcome
to the extended Q and A session for the How Microsoft is Modernizing Device Management Webinar. We’ve received many great
questions during our webinar and wanted to make sure that we address as many of them as possible. So let’s get started, with me here are again Mike and Carmichael. So I’m going to throw
some questions at you and then maybe you guys
can help me answer them.>>Excellent.>>I’m so happy there’s
a lot of questions.>>I know bring them on, that’s good. (all laughing)>>So the first question I have here is how is AI artificial intelligence or machine learning
implemented in the product? Do you guys have any experience with that?>>Probably the easiest example is the user use of the Graph API. So pretty much we’ve migrated almost all our reporting solutions from the Intune perspective over to Graph. So, if you remember Graph came up what about a year ago
in February, I think so. And once it did that
we actually moved most of our reporting solutions to a Graph API. And so, now it’s just
ingrained into what we do. So if we need any new data we pull it into our data lake. We use Graph API we pull it in and then we evaluate on that data. And we’ve even used some
of the different analytics. So depending on the license you’re at, so for the Office telemetry, and the Windows telemetry,
depending on what settings you’re using right? We’ve actually been using that telemetry for example, in our Office product. We actually used it and we said we have a
ton of versions of Office in our environment like
ridiculous amounts of versions. And so we said look let’s
look at the AI capabilities and build out the story. And we didn’t just look at versioning we’re actually looking at the behavior and we’re actually using the the AI to say what’s the behavior
on specific builds? And then we can actually
make a determination what we should do on
those builds using that AI to make a determination
for the best experience for our internal users.>>And I brought back up the the EMS slide that we love to use from you guys. Because I think to Mike’s point with the telemetry when you have it things like Advanced Threat Analytics and then applying sort of
that telemetry ingestion. So I can apply some machine learning to that to make a determination. I remember talking to a
customer one time they were like hey, we turn on a ATA, and all sudden we had a
whole bunch of alerts. Because our users were globally traveling it this you know the
Superman scenario, right? And it wasn’t necessarily
because their user was actually doing that
it’s because resources were globally dispersed. So applying some of that learning to your model to say okay if my database is in Singapore and my user’s in, you know, India. Ensuring that that doesn’t seem like a login event happens here, but the login event on O365 is happening over here,
it’s the same event. So I’m getting that correlation of using that machine learning. And I want to make sure
we have that distinction between AI and machine learning, right? Because AI could do some additional things but there’s that layer of
machine learning itself that needs to be applied through those telemetry gathering
sources too, right? Because there is a bit of a distinction between what is AI and
what is machine learning. And then the one of
the most important ones sort of again, from the
security perspective, would be that Advanced Threat Analytics or the Advanced Threat Protection. Right, so that that malware in that EDR sort of detection on most devices when we go back to the
health of the device. Is ensuring that we have
that machine learning, that artificial intelligence, that’s looking at all the events that are occurring from sort of, that layer of security protection, and making that determination
on health of the device so. I think there’s definitely places that plays not just within their own ecosystems but in the
ecosystems we support for them to apply that logic so.>>Yeah and what if
somebody doesn’t know that all of this stuff is available to all users or and all customers I mean. So things like Graph API. It really exposes everything that we do the entire Intune product
is available through the Graph API. So you as an IT administrator
or as an IT organization can build the same tools or whatever you want using all
of those graphic designers. So it’s nothing it’s not a secret sauce that we have here everything that we do you can replicate up yourself. And there are blogs and
articles that talk about that. So I think that was a
pretty important question so thank you for asking and thank you for answering that one. Switching gears a little bit towards a more of a management question. So this is asked by someone who says currently there is not a way for Intune to change machine association without resetting the device. Is there a plan to make this easier when devices move around? (all laughing)>>Well, so there’s also a
flip side of that scenario too which is the multi-user scenario, right? So if I have a device
that has multiple users that have to log into it. And I think there is experiences that we’re working on because even
with our own environment, we have to support that and Windows flow for business with Azure Active Directory are really trying to figure
out what that works for, right? I don’t know if that’s necessarily Intune that’s managing it. Right, because that identity piece is AAD and that’s
that’s a great distinguishing thing we have to do here. Is there’s multi layers and
we don’t necessarily talk about the AAD layer of it. But AAD really what’s doing
the conditional access right. So identifying the user making sure that they have access to that device and access to the data. So I think there are, like I said, there are workflows
that we are working out to try to get sort of
that multi-user device tenancy on that so I don’t know if you have more information
on that Mike or not.>>No, I mean I think
you covered most of that.>>And I think that’s a
good kind of a Roadmap type of for discussion it’s not it’s something that we’ve heard a few times there are definitely security reasons why we do it that way. But then there are management reasons why we could make it a little bit better and that’s something definitely what..>>There are things like
device groups that are coming. That have already been
worked on and announced in both Azure and in Intune that’s actually gonna enable some of that separation. So we are actually looking at that in terms of how do we put device policies on specific device groups
based upon specific attributes? So if a device changes well,
the device group would change ergo the policy would change. And so we are starting to build out those workflows internally and that’s a work in progress for us over the next six to eight months.>>I think some of the programs like the Apple DEP program and the Device Enrollment Program and the Android For Work that’s coming as well as even our
own autopilot scenarios where we’re embedding the sort of that device identity into the system. And then being able to manage
the device, is sort of that distinguishing factor,
aside from just the user. I think that’s one of the things that we sort of lose sight of is the, I’m done with this device, now I want
to hand to somebody else kind of things. When they log into it
what does that experience look like?>>Right, right. Yes and I believe we also have this user-less device concept now. So if you’re really
talking about just a device that is used to be on a retail shop floor, where there is nothing personal about that experience. You know, you’re not checking email, there’s not calendars. So then you do have a way to enroll it as a device and there
is no user associated with that at all.>>We’ve talked about the Hub experience.>>Right, exactly.>>And the Kiosk devices
that we have today.>>The Kiosk devices.>>We have 500 of those
across the globe today.>>Wow.
>>That we’re managing.>>Which we are actually managing?>>Yeah.>>Wow. Okay.>>When you come to a Microsoft
Building, when you log in those are all Intune managed.>>I did not know that awesome.>>When you want to request
a shuttle between building.>>All right.>>That’s Intune.>>And that is amazing again, a very..>>I think it’s a good distinction though, because I think we focus
again and I’m happy that Mike came over and join
me on the security side. So I think we maybe have
taken a bit of a security approach to this topic today. But understanding device management does definitely play a role in that and then what is that sort of TCO at the end of the day that
when we apply that logic to its perimeter of controls
that we need to establish. You know we talked about the scenarios of being able to sort of
dismantle infrastructure and globally global offices because we’re making
their experience better by putting them on to
the internet directly. But giving the rights let
level security controls. So they don’t have to backhaul through you know another location
to come back to the US to get access to data. So I think you know understanding that some of the things we
talked about in the closing of our session was that
those recommendations of understanding what you have
and what you have licensed ’cause that’s another piece
of that management puzzle whether you get that TCO is. If you have this list of things and maybe you’re not in the right or maybe you’re not in the
highest level tier of EMS and you know the fact is
sort of the marketing. But you have access to
a lot of these things just at the base level of EMS. I’d talk to people about
Azure Information Protection a lot and the capabilities you get there. Even if you just had the
default out of the box AIP experience which you get that baseline of at the base of a EMS. Just applying that logic and getting that learning value out of that, right? And you talked about just teaching people or that culture change of getting people to understand what it
means to start tagging your documents and what not, right? So maybe you aren’t able to auto-tag them, but just teaching them and
getting that culture shift in mindset of what it means to be at the different classification levels. And I think that’s a great way to start and just sort of get the mindset shift that culture change that you need in your environment is
to start at that baseline of just experience. And I think that’s when we
talk about device management it’s almost experience management. We really have to talk about because it’s understanding how
they’re accessing the data and we talked about that a lot. Which is you know maybe
they just need to come in from OWA but we don’t need to give them a full experience through Office Web Apps. We just need to give them the email ’cause that’s really
what they’re there for is to check their email
’cause somebody said I sent you an email I need
you to check it kind of thing.>>Or look at their calendar.>>Or calendar.
>>More often.>>That’s what I was
telling somebody other day like the first thing I do before I go to bed as I look at my calendar to make sure what clothes
I’m wearing for the next day. So I don’t show up with the wrong shirt for this session. (all laughing)>>And again I’ve mentioned this earlier but I’m, as an end-user, I always find it to be one of the least
intrusive IT experiences at Microsoft. So even though I know that a
lot of things are controlled and you’re providing me that secure shell to work in on a day-to-day
basis I almost forget that there is technology
that I am dealing with. Or I have to remember that
this is what I am allowed to do and this is what I’m not because I know the system will take care of it. If sharing something that I’m not supposed to it will block me I don’t have to think about it as much.>>I chuckle a little bit
because when I started about three years ago
the enrollment experience was much different for enrolling a device. (all talking and laughing)>>I’m thinking of our friend Clay Taylor who’s now on the product side and the floor-to-ceiling
maps they created of the workflow for enrollment. Just to describe what that process was instead of you know having
a PowerPoint on there you literally would walk
into the conference rooms with these sheets of paper and unrolled it would roll down on the
floor it was pretty funny.>>That’s what gives
him street cred today. And now he starts every
EBC with that story so that’s how he gets his street cred so that wasn’t a waste. (all laughing) Talking about stories in
fact the next question is about is from a person who
says “I’m one of the people “who likes to read and study before I do.” So they’re saying the Microsoft
environment is so huge I would like to see the big picture and how the different
services fit together so I have a two-fold question. The person has a two-fold question. “Where can I go to get
that detail overview “to understand how things interact. “And then where to get
the detailed knowledge “on a service and how to implement it.”>>So this is a great question ’cause you know we’ve
sort of been reevaluating Zero Trust networking and
what we’re doing with it in the last few months. So like this person that
asked this question, I was doing a bunch of research to see what that really meant through the product, marketing stuff. So we have an internal
resource that we can go to look at a lot of the Roadmaps and just the way you guys describe things on the product side. And there’s a cybersecurity
reference architecture. I would suggest looking at that I think one of the things
that I like about that is that it gives the entire ecosystem from a security perspective and again it’s my area of focus. So it actually shows
you not just the device and the user but the application tiers, the Azure, you’re back
end, your data center. It shows that whole architecture of what you really need
to be thinking about when you’re applying this. ‘Cause it’s again it’s not
just Intune and a device it’s this whole architecture
you have to apply around it. One of the things I also found was the I think you guys shared
this publicly, is there’s a sort of Zero Trust
with conditional access, PDF that sort of shows that at more of a contextual layer for a customer to understand. What the conditional access workflow is for that Zero Trust? And you know I would be remiss without mentioning our IT Showcase
friends and the work that we do there and a lot of
documentation out there.>>And I believe we can show the links to that you have that
a couple of slides down I don’t know if you want to put that up.>>And it’ll, sorry but I know even so Carmichael Patton on LinkedIn I’ve got a few documents
that we published through the IT Showcase there. There’s a document called
Cloud Connected Client. Which is the summary name of that ’cause it’s actually a longer name. That talks a lot about sort
of the future state of what we’ve been envisioning
from the Zero Trust that my team put together about a year ago and we have some other
documentation out there on this topic specifically. As well and it’s on the resource side and I think we just pulled up
here for you to look at so.>>And I think from a
management point of view we’ve also been very
transparent in sharing some of the challenges that we went through. So I remember Brad
Anderson, who’s our CVP, he did a series of blogs that spoke about, how did we internally go from being a very on-prem managed even product and service, to being a
globally-scalable Cloud seller?>>And that’s a good point
because I think actually Brad and Brett Arsenault, the CISO, just did a in-zone YouTube.>>Oh there’s a platform, must watch.>>That, yeah, I think
Brett even mentioned that we’re the second-largest
Mac shop in the world. So back to sort of our device ecosystem.>>And it’s and it’s true I
mean I was personally surprised to know but when you explain why we are such a big Mac shop, it’s not at all surprising.>>Yeah it’s actually good points so I don’t know if we
really talked about that because when we go into
that user experience and being able to manage those devices. We support applications
being built on those device until the culture change. What I’ve been impressed
with just in the three years I’ve been here and of
course I came in after Satya was already the CEO. But we have gone from this
point of everything as Windows, everything is developed on Windows. Everything has to be
Windows to you know what if you’re building an
Office experience on a Mac. You should be on a Mac and understand what that experience looks like.>>Absolutely.>>If you’re building
it for iOS, for Android you need to understand
what that experience is. And I think that culture itself of the be sort of getting the
engineering teams to ramp up and understand that you doing these things you should be experiencing that. But then we have to be able
to enable the back end of that to ensure that we
have the right controls on those devices from
a security perspective. But I think just that culture change that we touched on
earlier is a huge piece that we need to be mindful of.>>Excellent and with
an excellent question I think that really you
know hit at the heart of this conversation. I think it’s time to wrap up. Thank you Mike and Carmichael again. Thank you to our audience
for these amazing questions you know, keep them coming, and I believe now we can wrap up. I hope to see you again
on the next webinar. Thank you everyone, bye bye.
>>Thank you. (music)

Leave a Reply

Your email address will not be published. Required fields are marked *