Simplify management of apps & devices

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Microsoft Intune &#8211; Enterprise Mobility and Security Blog</title> <atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune" rel="self" type="application/rss+xml" /> <link>https://blogs.technet.microsoft.com/enterprisemobility</link> <description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description> <lastBuildDate>Thu, 09 Mar 2017 17:00:24 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item> <title>Conditional Access “limited access” policies for SharePoint are in public preview!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/#respond</comments> <pubDate>Thu, 09 Mar 2017 17:00:23 +0000</pubDate> <dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Android]]></category> <category><![CDATA[Conditional Access]]></category> <category><![CDATA[Identity-driven Security]]></category> <category><![CDATA[iOS]]></category> <category><![CDATA[Office 365]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[SharePoint]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48725</guid> <description><![CDATA[Howdy folks, Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data. But not anymore! Working with the SharePoint team, we&#8217;ve created a great <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Howdy folks,</p>&#10;<p>Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.</p>&#10;<p>But not anymore! Working with the SharePoint team, we&#8217;ve created a great new feature in the conditional access experience that I think you&#8217;re going to love: the ability to limit a user&#8217;s ability to download, print and sync based on the state of their device.</p>&#10;<p>To tell you more about it, I&#8217;ve invited one of my program managers, Nitika Gupta, to write a blog, which you&#8217;ll find below. Read up, try things out, and let us know what you think!</p>&#10;<p>Best regards,</p>&#10;<p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p>&#10;<p>Director of Program Management</p>&#10;<p>Microsoft Identity Division</p>&#10;<p>&#8212;-</p>&#10;<p>Hi folks,</p>&#10;<p>I&#8217;m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.</p>&#10;<p>Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn&#8217;t get on to a machine that isn&#8217;t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.</p>&#10;<p>Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren&#8217;t enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.</p>&#10;<p>But what if we could have great user productivity and maintain a great security posture? That&#8217;s what the Secure, Productive Enterprise is all about and why <strong>I am thrilled to announce the public preview of the &#8220;<em>Limited Access to SharePoint and OneDrive&#8221;</em> feature!</strong> Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.</p>&#10;<p>Let me show you how it works in Azure AD Conditional Access and SharePoint!</p>&#10;<h2>Getting started</h2>&#10;<p>Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our <a href="https://aka.ms/spolimitedaccessdocs">limited access documentation</a> for more detailed instructions.</p>&#10;<ol>&#10;<li>&#10;<div>First <a href="https://portal.azure.com/">create an Azure AD Conditional access policy</a> for SharePoint that applies only to browser client apps with &#8220;use app enforced restrictions&#8221; as the session control.</div>&#10;<p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional1.png" /></p>&#10;<p>Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling Azure AD conditional access policy. This enables access from mobile and desktop apps only from a compliant or domain joined device.</li>&#10;<li>Next, go to <strong>device access </strong>in the SharePoint admin center and select the checkbox to &#8220;Allow limited access (web-only, without the Download, Print, and Sync commands)&#8221;</li>&#10;</ol>&#10;<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional2.png" /></p>&#10;<p>Note: It can take up to 15 minutes for policy changes to take effect.</p>&#10;<h2>End user experience</h2>&#10;<p>When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.</p>&#10;<p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional3.png" /></p>&#10;<h2>Feedback</h2>&#10;<p>We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.</p>&#10;<p>Thanks,</p>&#10;<p>Nitika Gupta</p>&#10;<p>@_nitika_gupta</p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Update 1702 for Configuration Manager Technical Preview Branch – Available Now!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/#comments</comments> <pubDate>Mon, 27 Feb 2017 19:00:42 +0000</pubDate> <dc:creator><![CDATA[Yvette O'Meally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=47535</guid> <description><![CDATA[Hello everyone! We are happy to let you know that update 1702 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This months new preview features <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Hello everyone! We are happy to let you know that update 1702 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This months new preview features include:</p>&#10;<ul>&#10;<li><strong>Azure Active Directory Domain Services support </strong> You can install a ConfigMgr site on an Azure virtual machine that is connected to <a href="https://go.microsoft.com/fwlink/?linkid=842178"><u>Azure Active Directory Domain Services</u></a>, and use the site to manage other Azure virtual machines connected to the same domain.</li>&#10;<li><strong>Improvements for in-console search </strong> Based on User Voice feedback, we have added several improvements to in-console search, including searching by Object Path, preservation of search text and preservation of your decision to search sub-nodes.</li>&#10;<li><strong>Windows Update for Business integration </strong> You can now implement Windows Update for Business assessment results as part of Conditional Access compliance policy conditional rules.</li>&#10;<li><strong>Customize high-risk deployment warning </strong> You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system. The default string regarding data may not apply in scenarios like in-place upgrade.</li>&#10;<li><strong>Close executable files at the deadline when they would block application installation</strong> &#8211; If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline.</li>&#10;</ul>&#10;<p>This release also includes the following improvements for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:</p>&#10;<ul>&#10;<li><strong>Non-Compliant Apps Compliance Settings </strong>&#8211; Add iOS and Android applications to a non-compliant apps rule in a compliance policy to trigger conditional access if the devices have those applications installed.</li>&#10;<li><strong>PFX Certificate Creation and Distribution and S/MIME Support</strong> &#8211; Admins can create and deploy PFX certificates to users. These certificates can then be used for S/MIME encryption and decryption by devices that the user has enrolled.</li>&#10;<li><strong>Android for Work Support </strong>&#8211; You can now manage <a href="https://enterprise.google.com/android/"><u>Android for Work</u></a> devices. This enables you to enroll devices, approve and deploy apps, and configure policies for Android for Work devices.</li>&#10;</ul>&#10;<p>Update 1702 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1610 baseline version of Configuration Manager Technical Preview Branch <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>available on TechNet Evaluation Center</u></a>.</p>&#10;<p>We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use <a href="https://connect.microsoft.com/ConfigurationManagervnext/Feedback"><u>Connect</u></a>. If theres a new feature or enhancement you want us to consider for future updates, please use the <a href="http://configurationmanager.uservoice.com/"><u>Configuration Manager UserVoice site</u></a>.</p>&#10;<p>Thanks,</p>&#10;<p>The System Center Configuration Manager team</p>&#10;<p><strong>Configuration Manager Resources:</strong></p>&#10;<p><a href="https://docs.microsoft.com/sccm/core/get-started/technical-preview"><u>Documentation for System Center Configuration Manager Technical Previews </u></a></p>&#10;<p><a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>Try the System Center Configuration Manager Technical Preview Branch</u></a></p>&#10;<p><a href="https://docs.microsoft.com/sccm/"><u>Documentation for System Center Configuration Manager </u></a></p>&#10;<p><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u>System Center Configuration Manager Forums </u></a></p>&#10;<p><a href="https://aka.ms/cmcbsupport"><u>System Center Configuration Manager Support</u></a></p>&#10;<p><a href="https://www.microsoft.com/en-us/download/details.aspx?id=42645"><u>Download the Configuration Manager Support Center</u></a></p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item> <title>Webinar: On-premises conditional access with EMS and NetScaler</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/#comments</comments> <pubDate>Mon, 27 Feb 2017 19:00:26 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48035</guid> <description><![CDATA[The demand for a modern mobile user experience isnt just a matter of conveniencepeople do their best work when they have the freedom to access their corporate email and documents from anywhere, on any device. But increasing freedom and mobility also raises the stakes for IT requiring you to balance the need to protect your <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>The demand for a modern mobile user experience isnt just a matter of conveniencepeople do their best work when they have the freedom to access their corporate email and documents from anywhere, on any device. But increasing freedom and mobility also raises the stakes for IT requiring you to balance the need to protect your corporate data with the expectations and needs of your users.</p>&#10;<p><strong>Join us for a free one-hour webinar</strong> with Citrix NetScaler Unified Gateway expert Akhilesh Dhawan and David Randall, from Microsoft Intune to learn about a product integration between Microsoft EMS and Citrix NetScaler that provides on-premises conditional access to corporate resources and data.</p>&#10;<p>The integration of Citrix NetScaler Unified Gateway with Microsoft Enterprise Mobility + Security lets you:</p>&#10;<ul>&#10;<li>Give your employees the highly productive mobile experience they expect.</li>&#10;<li>Ensure that only the right users on compliant devices have access to your corporate data and resources.</li>&#10;</ul>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/EMS_NetScaler.png"><img title="EMS_NetScaler" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="EMS_NetScaler" src="https://msdnshared.blob.core.windows.net/media/2017/02/EMS_NetScaler_thumb.png" width="800" height="329" /></a></p>&#10;<p>The live webinar is taking place on March 1, 2017 at 11 AM PT.</p>&#10;<p><a href="https://citrix.webcasts.com/starthere.jsp?ei=1135309&amp;sti=microsoft">REGISTER NOW to learn more about this integration and to see how it works!</a></p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Microsoft Intune 2016 &#8211; a year in review</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/19/microsoft-intune-2016-a-year-in-review/</link> <pubDate>Thu, 19 Jan 2017 19:00:45 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46055</guid> <description><![CDATA[Where you are today is not where you will be tomorrow. Things change fast these days. Regardless of your industry, youre always in motion evolving and adapting to the shifting needs of your business and workforce. Intune gives you a diverse set of tools for managing your complex mobile environment and empowering a workforce <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/19/microsoft-intune-2016-a-year-in-review/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Where you are today is not where you will be tomorrow. Things change fast these days. Regardless of your industry, youre always in motion evolving and adapting to the shifting needs of your business and workforce. Intune gives you a diverse set of tools for managing your complex mobile environment and empowering a workforce on the move. Intunes innovative combination of mobile application and device management options gives you flexibility in how you manage and secure mobile productivity.</p>&#10;<h3>Delivering ongoing innovation from the cloud</h3>&#10;<p>Our cloud service model gives you many advantages. It eliminates the need to plan, purchase, and maintain on-premises hardware and infrastructure, lowering costs and making your day-to-day management experience much easier.</p>&#10;<p>For the Intune team, the cloud makes it possible for us to innovate on an ongoing basis. Each month we release new features and product updates designed to help you empower your users to be productive, all while protecting the massive amounts of data flowing through your mobile ecosystem. And because Intune is always up to date, theres no need for a cumbersome deployment process for you to manage.</p>&#10;<p>Theres always something new in Intune. Check out our <a href="https://sway.com/C28XZnaiWRRA0UjW">Intune 2016 year in review</a> to see a list of features, innovations, and product news that we released in 2016.</p>&#10;<p><a href="https://sway.com/C28XZnaiWRRA0UjW"><img width="1024" height="316" title="Microsoft Intune 2016 timeline" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Microsoft Intune 2016 timeline" src="https://msdnshared.blob.core.windows.net/media/2017/01/Microsoft-Intune-2016-timeline.png" border="0" /></a></p>&#10;<p>And be sure to <a href="https://twitter.com/MSFTMobility">follow us on Twitter</a> and check back here for product updates throughout 2017. If theres a feature or update that you want us to consider, please add it to our <a href="https://microsoftintune.uservoice.com/forums/291681-ideas">User Voice conversation</a>.</p>&#10;<h3></h3>&#10;<h3>Additional resources:</h3>&#10;<ul>&#10;<li>Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">Whats New in Microsoft Intune</a> page for more on recent developments in Intune.</li>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/intune">Find technical resources on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>Breaking down EMS Conditional Access: Part 2</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/</link> <pubDate>Thu, 05 Jan 2017 16:00:25 +0000</pubDate> <dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45505</guid> <description><![CDATA[This post is the second in a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today, the typical employee connects an average of four devices to their corporate network. Usually theyre connecting from their own mobile device or PC, but thats not always the case. Maybe they use their daughters iPad in <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><i>This post is the second in a three-part series detailing </i><a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access"><i>Conditional Access</i></a><i> from Microsoft Enterprise Mobility + Security.</i></p>&#10;<p>Today, the typical employee connects an average of four devices to their corporate network. Usually theyre connecting from their own mobile device or PC, but thats not always the case. Maybe they use their daughters iPad in a pinch, or log on from a friends house, or use a hotel kiosk to connect. You might be OK with allowing access in some cases, but in other circumstances you may want to provide access only to certain employees, only to specific data, or only from known and compliant devices.</p>&#10;<p>Device-based conditional access from Microsoft Enterprise Mobility + Security (EMS) helps you make sure that only compliant mobile devices and PCsthose that meet the standards youve sethave access to corporate data.</p>&#10;<h2>Device Compliance</h2>&#10;<p>Device compliance policies help you protect company data by making sure the devices used to access your data or sensitive apps comply with your specific requirements or standards. Administrators can set these policies to enforce device compliance requirements before users attempt to access company resources. These can include settings for device enrollment, domain join, passwords and encryption, as well for the OS platform running on the device.</p>&#10;<p>You can use <a href="https://docs.microsoft.com/en-us/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune">compliance policy settings</a> in Microsoft Intune to create a set of rules for and to evaluate the compliance of employee devices. When devices don&#8217;t meet the conditions set in the policies, the end user is guided though the process of enrolling the device and fixing the issue that prevents the device from being compliant.</p>&#10;<p><a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune">Conditional access policies</a> are a set of rules that can restrict or allow access to a specific service based on whether the user meets the requirements you define. When you use a conditional access policy in combination with a device compliance policy, only users with compliant devicesin addition to any other rules youve setwill be allowed to access the service. Since both policies are applied at the user level, any device from which the user tries to access services will be checked for compliance.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario.png"><img width="790" height="463" title="Conditional Access Policy Scenario" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Conditional Access Policy Scenario" src="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario_thumb.png" border="0" /></a></p>&#10;<p align="center"><em>In this scenario, IT has applied a policy that blocks unmanaged devices from accessing and opening files stored on OneDrive for Business. Devices need to be enrolled first, before the location can be accessed.</em></p>&#10;<h2>EMS + Lookout, providing additional mobile endpoint security</h2>&#10;<p><a href="https://www.lookout.com/about/partners/microsoft">Lookouts deep integration with EMS</a> gives you real-time visibility into mobile device risks, including advanced mobile threats and app data leakage, which can inform your conditional access policies. Lookout provides visibility across all three mobile risk vectors: app-based risks (such as malware), network-based risks (such as man-in-the-middle attacks), and OS-based risks (such as malicious OS compromise).</p>&#10;<p>The integration between Lookout and EMS makes it easy to apply this threat intelligence to your conditional access policies. If a device is found to be non-compliant due to a mobile risk identified by Lookout, access is blocked and the user is prompted to resolve the issue with one-step guidance from Lookout before they can regain access. <em>Note that Lookout licenses must be purchased separately from EMS.</em></p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout.png"><img width="850" height="351" title="EMS Intune Lookout" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="EMS Intune Lookout" src="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout_thumb.png" border="0" /></a></p>&#10;<h2>Device-based conditional access to on-premises resources</h2>&#10;<p>EMS conditional access capabilities help you to secure access to both your cloud and on-premises resources. Our customers often manage broad and complex networks, so with that in mind, weve built partnerships with popular network access providers such as Cisco ISE, Aruba ClearPass, and Citrix NetScaler. Now you can extend your Intune conditional access capabilities to work with these networks.</p>&#10;<p>Partner network providers can implement checks for Intune-managed and compliant devices as a requirement before allowing user access through either your wireless or virtual private network. When you <a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-networks">extend device compliance policies to network providers</a>, you can ensure that only managed and compliant devices will be able to connect to your on-premises corporate network.</p>&#10;<p>EMS offers you some great access simplifications: you can still enable <a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-on-premises-data-with-intune">secure access to on-premises</a> applications without VPNs, DMZs, or on-premises reverse proxies by leveraging the Azure Active Directory Application Proxy. Best of all, all of this can be done without installing or maintaining additional on-premises infrastructure or opening your company firewall to route traffic through it. Conditional access capabilities will work for this scenario as well.</p>&#10;<h2>Additional Resources</h2>&#10;<ul>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/">Breaking down EMS Conditional Access: Part 1</a></li>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-office365-data-with-intune">Read more about device based conditional access on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;<li>Follow us on <a href="https://twitter.com/MSFTMobility">Twitter</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>Conditional Access now in the new Azure portal</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/#comments</comments> <pubDate>Thu, 15 Dec 2016 18:00:09 +0000</pubDate> <dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Conditional Access]]></category> <category><![CDATA[Identity-driven Security]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45175</guid> <description><![CDATA[The digital transformation thats affecting every organization brings new challenges for IT, as they strive to empower their users to be productive while keeping corporate data secure in an increasingly complex technology landscape. Microsoft Enterprise Mobility + Security (EMS) provides a unique identity-driven security approach to address these new challenges at multiple layers and to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>The digital transformation thats affecting every organization brings new challenges for IT, as they strive to empower their users to be productive while keeping corporate data secure in an increasingly complex technology landscape. Microsoft Enterprise Mobility + Security (EMS) provides a unique identity-driven security approach to address these new challenges at multiple layers and to provide you with a more holistic and innovative approach to security one that can protect, detect, and respond to threats on-premises as well as in the cloud.</p>&#10;<p>Risk-based conditional access is a critical part of our identity-driven security story. It ensures that only the right users, on the right devices, under the right circumstances have access to your sensitive corporate data. Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels, and it also takes risk information into consideration (powered by the vast data in Microsofts <a href="https://www.microsoft.com/en-us/security/intelligence">Intelligent Security Graph</a>). As conditions change, natural user prompts ensure only the right users on compliant devices can access sensitive data, providing you the control and protection you need to keep your corporate data secure while allowing your people to do their best work from any device.</p>&#10;<p>This is an area where we are constantly innovating to bring you the most secure and easy-to-use solution, and today were announcing several improvements to Conditional Access in EMS:</p>&#10;<ol>&#10;<li><strong>Risk-based access policies per application</strong>. <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection">Leverage machine learning on a massive scale</a> to provide real-time detection and automated protection. Now you can use this data to build risk-based policies per application.</li>&#10;<li><strong>Greater flexibility to protect applications</strong>. Set multiple policies per application or set and easily roll out global rules to protect all your applications with a single policy.</li>&#10;<li>All these capabilities are now available in a <strong>unified administrative experience on the Azure portal</strong>. This makes it even easier to create and manage holistic conditional access policies to all your applications.</li>&#10;</ol>&#10;<p>These new <a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">conditional access</a> capabilities provide more flexible and powerful policies to enable productivity while ensuring security. Additionally, the new admin experience unifies conditional access workloads across Intune and Azure AD.</p>&#10;<p>If you are an Intune customer using the existing browser-based console or the Configuration Manager console, or an Azure AD customer using the classic Azure portal, you can now preview the new Conditional Access policy interface in the Azure portal.</p>&#10;<p><a href="https://aka.ms/cacontrols">Get started with these Conditional Access capabilities</a> or read on to learn a bit more about Conditional Access with EMS.</p>&#10;<h2>Overview</h2>&#10;<p>A Conditional Access policy is simply a statement about<br />&#10;<strong>When the policy should apply</strong> (called <strong>Conditions</strong>), and<br />&#10;<strong>What the action or requirement should be</strong> (called <strong>Controls</strong>).</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Conditional-access-policy.png"><img width="169" height="480" title="Conditional access policy" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Conditional access policy" src="https://msdnshared.blob.core.windows.net/media/2016/12/Conditional-access-policy_thumb.png" border="0" /></a></p>&#10;<h3>Conditions (When the policy should apply)</h3>&#10;<p>Conditions are the things about a login that dont change during the login, and are used to decide which policies should apply. Azure AD supports the following Conditions:</p>&#10;<ol>&#10;<li><strong>Users/Groups</strong> are the users/groups in the directory that the policy applies to.</li>&#10;<li><strong>Cloud apps</strong> are the services the user accesses that you want to secure.</li>&#10;<li><strong>Client app</strong> is the software the user is employing to access cloud app.</li>&#10;<li><strong>Device platform</strong> is the platform the user is signing in from.</li>&#10;<li><strong>Location</strong> is the IP-address based location the user is signing in from.</li>&#10;<li><strong>Sign-in risk</strong> is the likelihood that the sign-in is coming from someone other than the user.</li>&#10;</ol>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Conditions-preview.png"><img width="378" height="480" title="Conditions preview" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Conditions preview" src="https://msdnshared.blob.core.windows.net/media/2016/12/Conditions-preview_thumb.png" border="0" /></a></p>&#10;<p><a href="https://aka.ms/caconditions">Our documentation provides further details on how to set the conditions</a>.</p>&#10;<h3>Controls (What the action or requirement should be)</h3>&#10;<p>Controls are the additional enforcements that are put in place by the policy (such as do a Multi-factor authentication challenge) that will be inserted into the login flow. Azure AD supports the following controls:</p>&#10;<ol>&#10;<li><strong>Block access </strong></li>&#10;<li><strong>Multi-factor authentication</strong></li>&#10;<li><strong>Compliant device</strong></li>&#10;<li><strong>Domain Join</strong></li>&#10;</ol>&#10;<p>You can select individual controls or all of them.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Controls-preview.png"><img width="400" height="508" title="Controls preview" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Controls preview" src="https://msdnshared.blob.core.windows.net/media/2016/12/Controls-preview_thumb.png" border="0" /></a></p>&#10;<p>To learn more about how to get started with controls, you can read a <a href="https://aka.ms/cacontrols">detailed documentation article</a>.</p>&#10;<p>Were really excited about the wide range of scenarios that this new experiences lights up and hope you find it useful. As always, were looking forward to your feedback.</p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item> <title>New capabilities coming to Microsoft Enterprise Mobility + Security (EMS)</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/new-capabilities-coming-to-microsoft-enterprise-mobility-security-ems/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/new-capabilities-coming-to-microsoft-enterprise-mobility-security-ems/#comments</comments> <pubDate>Wed, 07 Dec 2016 17:00:59 +0000</pubDate> <dc:creator><![CDATA[Andrew Conway]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=44305</guid> <description><![CDATA[As 2016 draws to a close, we would like to thank you for choosing Microsoft Enterprise Mobility + Security (EMS) to protect and secure your employees as you continue to digitally transform your organizations. More than 37,000 customers and over half of the Fortune 500 have now chosen EMS. With EMS we continue to build <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/new-capabilities-coming-to-microsoft-enterprise-mobility-security-ems/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>As 2016 draws to a close, we would like to thank you for choosing Microsoft Enterprise Mobility + Security (EMS) to protect and secure your employees as you continue to digitally transform your organizations. More than 37,000 customers and over half of the Fortune 500 have now chosen EMS.</p>&#10;<p>With EMS we continue to build on identity at the core of the solution to maximize your employees productivity while at the same time providing the necessary capabilities across security, management of devices and apps, and information protection to ensure that your critical company data is protected. Today we are expanding these capabilities even further with:</p>&#10;<ul>&#10;<li><a href="https://aka.ms/aadptablogpost">Pass-through authentication with Azure Active Directory</a>, available today in preview, enables secure single sign-on to cloud resources without requiring syncing of passwords to the cloud, or modification to existing on-premises network infrastructure.</li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/public-preview-of-intune-on-azure">Microsoft Intunes new Admin Console in Azure</a>, rolling out in preview, makes setting up integrated security and management scenarios across EMS services even easier.</li>&#10;<li><a href="https://aka.ms/aip-december-release">Azure Information Protection updates</a> that provide even greater flexibility and security for protecting data at the file level. These updates include support formore file types, integration with your on-premises encryption key network, and new options for creating classification and protection policies.</li>&#10;</ul>&#10;<p>Heres more on these new capabilities and how our customers will benefit from these innovations:</p>&#10;<p><a href="https://aka.ms/aadptablogpost">Pass-through authentication with Azure Active Directory</a></p>&#10;<p>Pass-through authentication now in preview, lets users securely login to cloud resources by validating their password against their on-premises Active Directory more easily than ever. This feature allows customers that cannot or do not want to store passwords in the cloud (even encrypted ones) to onboard Azure Active Directory and Office 365 without having to modify their corporate network infrastructure and install products such as Active Directory Federation Services (AD FS) or similar third party federation solutions. Pass-through authentication is set up via the Azure AD Connect admin experience as the second option for authentication along with Password Sync and AD FS.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Azure-Active-Directory-Connect-User-Sign-in.png"><img width="640" height="451" title="Azure Active Directory Connect User Sign in" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Azure Active Directory Connect User Sign in" src="https://msdnshared.blob.core.windows.net/media/2016/12/Azure-Active-Directory-Connect-User-Sign-in_thumb.png" border="0" /></a></p>&#10;<p>Additionally, with this new update, both Pass-through authentication and Password Synchronization authentication options will now provide seamless single sign-on to Azure AD connected applications from Windows devices.</p>&#10;<p><a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/public-preview-of-intune-on-azure">Preview of Microsoft Intune Admin Console in Azure</a></p>&#10;<p>The new Intune admin experience on Azure begins rolling out in public previewfor new and test tenants. The new console, built in Azure, provides powerful and integrated management of core EMS security solutions, such as conditional access to corporate resources based on device, users or risk, allowing for set up and management of policies between Intune and Azure Active Directory. This new admin experience makes it easier than ever to protect tens of thousands of mobile devices.</p>&#10;<p><a href="https://aka.ms/aip-december-release">Azure Information Protection updates</a></p>&#10;<p>Protecting data at the file level throughout its lifecycle, from creation to sharing to tracking and revocation, regardless of where it is stored or accessed, is a key priority for our customers and a unique part of the EMS solution. Since the <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/04/azure-information-protection-is-now-generally-available/">release of Azure Information Protection in October</a> we have been listening to customer feedback and are releasing several new capabilities. Below are a few of the highlights:</p>&#10;<ul>&#10;<li>Give end users more focused classification and protection options with policies based on group membership.</li>&#10;<li>Support for more non-Office file types and bulk labelling of data at rest.</li>&#10;<li>Integrate protection with on-premises keys with <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/08/10/azure-information-protection-with-hyok-hold-your-own-key/">Hold Your Own Key (HYOK).</a></li>&#10;</ul>&#10;<h4>Enterprise Mobility + Security Customer Stories</h4>&#10;<p>As more and more customers are choosing EMS, we wanted to share with you some examples of recent customers who have been deploying and using it successfully:</p>&#10;<ul>&#10;<li><a href="https://customers.microsoft.com/en-US/story/whole-foods-takes-natural-next-step-to-protect-applications-in-the-cloud">Whole Foods</a> is embracing identity-driven security with EMS to protect applications</li>&#10;<li><a href="https://customers.microsoft.com/en-US/story/avanade-balances-data-security-and-employee-privacy-with-microsoft-intune">Avanade</a> balances data security and employee privacy with EMS</li>&#10;</ul>&#10;<p>Get started with your own <a href="https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial">Enterprise Mobility + Security deployment</a>.</p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/new-capabilities-coming-to-microsoft-enterprise-mobility-security-ems/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Public preview of Intune on Azure</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/public-preview-of-intune-on-azure/</link> <pubDate>Wed, 07 Dec 2016 17:00:14 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Announcements]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=44225</guid> <description><![CDATA[Get ready for a whole new Intune experience. In early 2017 we will begin migrating our Intune admin experience onto the Azure portal, allowing for powerful and integrated management of core EMS workflows on a modern service platform thats extensible using Graph APIs.Using the Microsoft Graph APIs to configure Intune controls and policies still requires <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/public-preview-of-intune-on-azure/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Get ready for a whole new Intune experience. In early 2017 we will begin migrating our Intune admin experience onto the <a href="http://portal.azure.com"><u><span style="color: #0563c1">Azure portal</span></u></a>, allowing for powerful and integrated management of core EMS workflows on a modern service platform thats extensible using <a href="https://graph.microsoft.io/en-us/docs/api-reference/beta/intune_graph_overview"><u><span style="color: #0563c1">Graph APIs</span></u></a>.Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.</p>&#10;<p>In advance of the general availability of this portal for all Intune tenants, were excited to announce that we will begin rolling out a preview of this new admin experience later this month to select tenants. When your tenant is ready for preview, you will be notified through the current Intune console.</p>&#10;<h3>For existing Intune customers</h3>&#10;<p>The new Intune admin experience in the Azure portal will use the already announced new grouping and targeting functionality. When your existing tenant is migrated to the new grouping experience you will also be migrated to preview the new admin experience on your tenant. Well be migrating existing tenants over the next few months, you will be notified when your tenant is ready for use on the new Azure portal.In the meantime, read up on the new <a href="https://docs.microsoft.com/en-us/intune-azure"><span style="margin: 0px;color: #0078d7;font-family: 'Segoe UI',sans-serif;font-size: 11.5pt"><u>documentation located here</u></span></a>.</p>&#10;<p>If you have any questions about the timeline for your tenants migration, contact our migration team at <a><span style="margin: 0px;color: #0078d7;font-family: 'Segoe UI',sans-serif;font-size: 11.5pt">intunegrps@microsoft.com</span></a>.</p>&#10;<p>Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune"><u>Whats New in Microsoft Intune</u></a> page for more on these and other recent developments in Intune.</p>&#10;<p>&nbsp;</p>&#10;<h4>Additional resources:</h4>&#10;<ul>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/en-us/intune-azure">Find technical resources about this preview on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;<li>Follow us on <a href="https://twitter.com/MSIntune">Twitter</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>New in Intune: More conditional access, App SDK updates, and Android for Work!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/11/22/new-in-intune-more-conditional-access-app-sdk-updates-and-android-for-work/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/11/22/new-in-intune-more-conditional-access-app-sdk-updates-and-android-for-work/#comments</comments> <pubDate>Tue, 22 Nov 2016 17:00:25 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Announcements]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=43796</guid> <description><![CDATA[A lot of teams ramp down at the end of the year, shifting into holiday hibernation mode for the final stretch. But not us. Were still pushing at full speed, dedicated to delivering more value to you in the remainder of 2016. If youre already making the shift into holiday mode, we suggest you bookmark <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/11/22/new-in-intune-more-conditional-access-app-sdk-updates-and-android-for-work/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>A lot of teams ramp down at the end of the year, shifting into holiday hibernation mode for the final stretch. But not us. Were still pushing at full speed, dedicated to delivering more value to you in the remainder of 2016. If youre already making the shift into holiday mode, we suggest you bookmark this page because youll want to read about all these new features and improvements in Intune when youre back from the break and gearing up for 2017. And please check back next month for news on our final update of the year.</p>&#10;<h2>More conditional access goodness:</h2>&#10;<p><a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">Conditional access</a> is one of the signature experiences from Microsoft Enterprise Mobility + Security, bringing together the power of Intune and Azure Active Directory Premium to allow you to define policies that provide contextual control at the user, location, device and app levels. This rich set of features gives you the control you need to ensure your corporate data is secure, while giving your users the experience they expect in todays world. Were excited to announce these new features that further expand our conditional access capabilities to mobile applications and Windows PCs:</p>&#10;<ul>&#10;<li><strong>Conditional access for mobile apps<br />&#10;</strong>This update allows you to restrict access to Exchange Online from only apps that are enabled with Intunes mobile application protection policies, such as Outlook. If youve been looking for a way to block access to Exchange Online from built-in mail clients or other apps, look no further.</li>&#10;<li><strong>Conditional access for Windows PCs</strong><br />&#10;You can now create conditional access policies through the Intune admin console to block Windows PCs from accessing <a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-exchange-online-with-microsoft-intune">Exchange Online</a> and <a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-sharepoint-online-with-microsoft-intune">SharePoint Online</a>. You can also create conditional access policies to block access to Office desktop and universal applications.</li>&#10;</ul>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/11/Conditional-Access-Overview.png"><img title="Conditional Access Overview" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" border="0" alt="Conditional Access Overview" src="https://msdnshared.blob.core.windows.net/media/2016/11/Conditional-Access-Overview_thumb.png" width="777" height="267" class="aligncenter" /></a></p>&#10;<h2>Intune App SDK now supports MAM without device enrollment</h2>&#10;<p>Last year, we released the Intune App SDK for iOS and Android. The SDK enables developers to easily build data protection and app management features into mobile apps, allowing admins to manage these apps via Microsoft Intune. For existing line-of-business applications, we created an Intune App Wrapping Tool which allows you to add app management without making code changes.</p>&#10;<p>A few months ago, we took it a step further, releasing a <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/04/27/announcing-intune-app-sdk-support-for-xamarin-cordova/">Cordova plugin and Xamarin component</a> based on our SDK that makes it simpler for cross-platform mobile developers using Cordova and Xamarin to incorporate Intunes mobile application protection controls into their standard development process.</p>&#10;<p>Today, we are happy to announce that all our SDK tools have been updated to support MAM without enrollment scenarios. Whether youre a big power player creating apps the world knows and loves, or an in-house developer creating LOB apps to fit the unique needs of your team, theres never been a better time to use our SDK.</p>&#10;<p>You can download the Intune App SDK, App Wrapping Tool, Cordova plugin, and Xamarin component <a href="https://github.com/msintuneappsdk">here on Github</a>.</p>&#10;<h2>Android for Work now generally available</h2>&#10;<p>Thanks to those of you who took part in <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/09/12/microsoft-intune-support-for-android-for-work/">our public preview</a>. Today, were pleased to announce the General Availability of our Android for Work support. Theres loads of information to help you get started <a href="https://docs.microsoft.com/en-us/intune/deploy-use/set-up-android-for-work">on our docs site</a>.</p>&#10;<p>Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">Whats New in Microsoft Intune</a> page for more on these and other recent developments in Intune.</p>&#10;<h3>Additional resources:</h3>&#10;<ul>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/intune">Find technical resources on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;<li>Follow us on <a href="https://twitter.com/MSIntune">Twitter</a></li>&#10;</ul>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/11/22/new-in-intune-more-conditional-access-app-sdk-updates-and-android-for-work/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item> <title>Breaking down EMS Conditional Access: Part 1</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/</link> <pubDate>Mon, 31 Oct 2016 16:04:04 +0000</pubDate> <dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=42325</guid> <description><![CDATA[This post is the first in a 3-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. The way your employees interact with their devices, apps, and corporate data has changed with the adoption of mobility and cloud services. While users have become more productive, the new norm of mobile productivity requires innovative tools <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><em>This post is the first in a 3-part series detailing <a target="_blank" href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">Conditional Access</a> from Microsoft Enterprise Mobility + Security.</em></p>&#10;<p>The way your employees interact with their devices, apps, and corporate data has changed with the adoption of mobility and cloud services. While users have become more productive, the new norm of mobile productivity requires innovative tools that flex and flow to protect corporate data while giving your end users the best possible experience across their devices, wherever they are.</p>&#10;<p>In a <a target="_blank" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/09/27/protect-your-data-at-the-front-door-with-conditional-access-from-enterprise-mobility-security/">recent post</a>, we kicked off a discussion about how conditional access from Microsoft Enterprise Mobility + Security helps you safeguard your sensitive corporate data in this mobile-first environment. Today, well take that conversation one step deeper and explore the conditional parameters that can be used at the application, user, and location layers. Well cover device and risk-based conditional access in an upcoming post. Before getting started, its important to note that these layers are deeply connected and work together to deliver on our <a target="_blank" href="https://www.youtube.com/watch?v=CKRVndKZyfI">larger identity-driven security vision</a> for this discussion, though, we will assess them separately.</p>&#10;<p><img width="800" height="271" class="size-full wp-image-42326 aligncenter" alt="EMS_ConditionalAccess_1" src="https://msdnshared.blob.core.windows.net/media/2016/10/EMS_ConditionalAccess_11.png" /></p>&#10;<h2>Application</h2>&#10;<p>Cloud apps are gateways to lots of different types of information. While you may want to allow easy access to some apps, there are likely others which contain highly sensitive information where you want to control access to them with more rigor. When you consider the various scenarios that exist when accessing applications, its clear you need more than a one-size-fits-all approach to app-level control. Thats why weve designed our application-based conditional access in a way that allows you to choose which policies to apply to which apps.</p>&#10;<p>You can set a policy that defines the conditions of an apps access based on the sensitivity you define for it. For example, you can block access to an application from unknown locations, or require Multi-Factor Authentication, which can be required every time an app is accessed or required based on the location its being accessed from. These policies can be applied to any cloud (SaaS) or on-premises app protected by Azure Active Directory, including their rich, mobile or browser-based clients.</p>&#10;<h2>User</h2>&#10;<p>Azure Active Directory Premiums advanced capabilities in identity and access management are at the heart of EMSs identity-driven security story, and are the foundation that all our conditional access capabilities are built on. When setting conditional access policies, youll typically want to define which group of users you want various policies to apply to.</p>&#10;<p>EMS conditional access approach leverages the power of Azure AD Premium to make it easy for you to assign multiple conditions (at the location, application, device, and risk levels) to all users or multiple security groups. You can also specifically exclude groups from being affected by conditional access policies.</p>&#10;<h2>Location</h2>&#10;<p>Location-based conditions allow you to define a set of trusted IP addresses, and allow access only from them. If a user attempts to access corporate assets from an unknown network, you can define what happens next by setting specific controls that either challenge the user with Multi-Factor Authentication (MFA) or block access entirely. And of course, you can define which user groups these polices will affect.</p>&#10;<h2>Bringing it all together</h2>&#10;<p>Now lets check out a scenario that shows conditional access policy working at the user, location, and application layers.</p>&#10;<p><figure id="attachment_42535" style="width: 1024px" class="wp-caption aligncenter"><img width="1024" height="601" class="wp-image-42535 size-large" alt="ems_conditional-access-_user" src="https://msdnshared.blob.core.windows.net/media/2016/10/EMS_Conditional-Access-_user-1024x601.png" /><figcaption class="wp-caption-text">Because this app provides access to highly sensitive data, IT has applied a location-based conditional access policy that blocks users when they are working from an untrusted location. Marketing is one of the many security groups this policy is applied to.</figcaption></figure></p>&#10;<p>For more scenarios that show conditional access in action, visit our new <a target="_blank" href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">conditional access web experience</a>.</p>&#10;<h2>Next up</h2>&#10;<p>Over the next month well take a closer look at two other vital layers of our conditional access story: device- and risk-based conditions. Be sure to visit our blog regularly, or <a target="_blank" href="https://twitter.com/MSFTMobility">follow us on Twitter</a> to make sure you dont miss these upcoming installments of this series on conditional access. In the meantime, here are three important resources that will tell you more about what were delivering with conditional access:</p>&#10;<ul>&#10;<li><a target="_blank" href="https://myignite.microsoft.com/videos/2837">Ignite session recording: Conditional access for mobile devices</a></li>&#10;<li><a target="_blank" href="https://myignite.microsoft.com/videos/2842">Ignite session recording: Identity protection in action</a></li>&#10;<li><a target="_blank" href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune">Intune conditional access documentation technical docs</a></li>&#10;</ul>&#10;]]></content:encoded> </item> </channel> </rss>