<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Microsoft Intune – Enterprise Mobility and Security Blog</title>
<atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune" rel="self" type="application/rss+xml" />
<link>https://blogs.technet.microsoft.com/enterprisemobility</link>
<description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description>
<lastBuildDate>Fri, 09 Jun 2017 15:55:22 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<item>
<title>The New Intune and Conditional Access Admin Consoles are GA</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/08/the-new-intune-and-conditional-access-admin-consoles-are-ga/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/08/the-new-intune-and-conditional-access-admin-consoles-are-ga/#respond</comments>
<pubDate>Thu, 08 Jun 2017 15:00:46 +0000</pubDate>
<dc:creator><![CDATA[BradAnderson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=52547</guid>
<description><![CDATA[There are a handful of topics that consistently come up whenever I meet with our customers and partners and one of the most common has to do with how to balance productivity for end users with the need for security and control of company data. The tension between these two needs is the stage <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/06/08/the-new-intune-and-conditional-access-admin-consoles-are-ga/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>There are a handful of topics that consistently come up whenever I meet with our customers and partners and one of the most common has to do with how to balance productivity for end users with the need for security and control of company data. The tension between these two needs is the stage upon which an even bigger challenge constantly looms: Every IT team on earth being asked to do more with less at a time when technology keeps accelerating and the landscape of their own industry shifts beneath their feet.</p> <p>The request I get in these meetings is very clear and consistent: We need efficient solutions that make it easier to manage and control growing complexity; can you help us reduce the complexity we are dealing with?</p> <p><strong>This is where we bring in the good news:</strong> Managing Intune and Conditional Access together with <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/05/15/the-new-azure-ad-admin-console-is-ga/">Azure AD</a> just got a lot easier for our rapidly growing community of IT Professionals. As of today, we have reached two important milestones for Microsoft Intune and for EMS <a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">Conditional Access</a> capabilities: Both new admin experiences are now <strong>Generally Available in the Azure portal</strong>!</p> <h1><strong>Here's how Intune's redesign helps your organization</strong></h1> <p>Intune's move to the Azure portal is, in technical terms, a really big deal. Not only did the Intune console change, but all of the components of the EMS console experience have now come together. 
The process of migrating capabilities into the new portal was an incredible opportunity to reimagine the entire admin experience from the ground up and <strong>what we are shipping today is an expression of our unique vision for mobility management</strong> <strong>shaped by the needs of our over 45K unique paying customers</strong>.</p> <p>I love the progress we've made here: <strong>Intune on Azure is great for our existing customers</strong> because they can now manage all Intune MAM and MDM capabilities in one consolidated admin experience, and they can leverage all of Azure AD seamlessly within one experience. Awesome.</p> <p>There is actually a whole lot more going on behind the scenes of the new administrative experience. Not only have the administrative experiences converged, but we also converged Intune and Azure Active Directory onto a common architecture and platform. Converging the architectures dramatically simplifies the work we do to support it, the work you do to use it, and it enables some incredible end-to-end scenarios across Identity and Enterprise Mobility Management.</p> <h1><strong>Here are the 3 things you need to know about Intune on Azure:</strong></h1> <ol> <li><strong> </strong><strong>It's built to leverage Azure's hyper scale<br /> </strong>The Azure platform provides huge increases in elasticity and reliability for Intune, and it provides the foundation for nearly unlimited scale. The new admin experience will also run on <strong>any browser</strong> on <strong>any device</strong> form-factor. Now you can manage Intune from anywhere – even from your phone!<br /> The redesigned architecture and new console bring nearly unlimited scale to the service. We currently have customers that are <em>rapidly</em> growing to 100,000s of devices in a single tenant. No problem! One customer has shared that they associated a sophisticated policy to ~200,000 users and what took hours in the past was done in less than 3 minutes. 
Now, because this is built into the Azure console, you get all the rich role-based administration for delegation of authority.</li> </ol> <ol start="2"> <li><strong> </strong><strong>It's optimized for cross-EMS workflows<br /> </strong>With Intune's move to Azure and the Azure Portal, we now share a console experience with other core EMS services like Azure Active Directory and Azure Information Protection. Having the collective power of these services living side-by-side makes them more effective and easier to manage across identity and access management, MDM and MAM, and information protection workloads.<br /> For example: If you've just finished creating a set of conditional access policies to control access to data using Intune in the same portal environment, you're now just a click away from adding additional app protection policies that ensure that your data is protected after it's been accessed and is in use on mobile devices.<br /> The Intune transition to Azure also delivers deep integration with Azure Active Directory groups, which can represent both users and devices as native, dynamically targeted groups that are fully federated with an organization's on-premises Active Directory.</li> </ol> <ol start="3"> <li><strong> </strong><strong>You can simplify, automate, and integrate management with Microsoft Graph<br /> </strong>Built on the <a href="https://developer.microsoft.com/en-us/graph">Microsoft Graph API</a>, the new Intune experience also opens the door for broader systems integration and automation. This means that our customers can now simplify, automate and integrate workflows across Intune and the other services they are using however they see fit. For more information about what you can do with this, I really recommend <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/">this post</a>. 
Microsoft Graph API capabilities are currently in preview; expect a GA announcement for this functionality in the coming quarter<em>.</em></li> </ol> <p>If you haven't tried Intune on Azure, we invite you to jump into this new experience with us. <strong>To check it out for yourself</strong>, log into the <a href="http://portal.azure.com">Microsoft Azure portal</a> right now. We're always listening and learning from your feedback, and we want to hear what you think! Since we put this into preview in December there have been <strong>more than 100k paying and trial tenants provisioned</strong>!</p> <h1><strong>Conditional Access – the new admin experience in the Azure portal</strong></h1> <p>The new conditional access admin experience is also Generally Available today. Conditional access in Azure brings rich capabilities across Azure Active Directory and Intune together in one unified console. We built this functionality after getting requests for more integration across workloads and fewer consoles. The experience we're delivering today does exactly that.</p> <p>Organizations everywhere face the challenge of enabling users on an ever-expanding array of mobile devices, while the data they are tasked with protecting is moving outside of their network perimeter to cloud services – and all of this happens while the severity and sophistication of attacks are dramatically accelerating. IT teams need a way to quantify the risks around the identity, device, and app being used to access corporate data while also taking into consideration the physical location and then grant or block access to corporate apps/data based upon a holistic view of risk across these four vectors. 
This is how you win.</p> <p>Conditional access allows you to do this and ensure that only appropriately <strong>authenticated and validated users</strong>, from the <strong>compliant devices</strong>, from <strong>approved apps</strong>, and under the <strong>right conditions</strong> have access to your company's data. The functionality at work here is technologically incredible, but it's not always obvious how granular and powerful these controls really are. The new conditional access experience on Azure now makes the power of this technology crystal clear by showcasing the deep controls you have at every level in one consolidated view:</p> <p><img width="946" height="634" class="alignnone size-full wp-image-52555" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/06/xxxxx.png" /></p> <p>Now you can easily step through a consolidated flow that allows you to set granular policies that define access at the <strong>user</strong>, <strong>device</strong>, <strong>app</strong> and <strong>location</strong> levels. Over the last 6 months, as I have shown this integrated experience to 100s of customers, the most common comment has been: "Now I completely see what Microsoft has been talking about – how Identity management/protection has needed to work with Enterprise Mobility Management to protect our data." Microsoft's <a href="https://www.microsoft.com/en-us/security/intelligence">Intelligent Security Graph</a> is also integrated here, delivering a dynamic risk-based assessment into the conditional access decision.</p> <p>You can also control access to resources based on a user's sign-in risk via the vast data in. Once your policies are set, users operating under the right conditions are granted real-time access to apps and data – <em>however</em>, as conditions change, intelligent controls kick in to make sure that your data stays secure. 
These controls include:</p> <ul> <li>Challenging a user with MFA to prove that they are who they say they are.</li> <li>Prompting the user to enroll their device in Intune.</li> <li>Guiding the user to make adjustments to their device to meet your org's security requirements.</li> <li>Blocking access altogether or even wiping a device.</li> <li>Granting different access privileges when using a native app (Word) vs. a web app (Word Online).</li> </ul> <p>We believe Microsoft is uniquely positioned to deliver solutions that are this comprehensive and sophisticated yet remain simple to operate. With EMS, these types of functionalities are possible because we're building them together, from the ground up, to deliver on our commitment for secure and mobile productivity.</p> <p>You can access the new conditional access console in the menu within both the Intune and Azure AD blades. To see this functionality in action, check out <a href="https://channel9.msdn.com/Series/Endpoint-Zone/Endpoint-Zone-with-BRad-Anderson-1703">this <em>Endpoint Zone</em> episode</a>.</p> <h1><strong>What's Next</strong></h1> <p>Our commitment to ongoing innovation means we never stop listening, shipping and reaching for what's next. <strong>Looking ahead</strong>, we'll continue to release new features and enhancements at a steady pace throughout the year. From this point forward, all new Intune and conditional access features will be delivered in the new portal, so keep an eye out.</p> <p><strong>Also:</strong> Don't hesitate to let us know what you think; our dialog with customers is <strong>our most valuable development input</strong>.</p> <p>One last note: This is a really significant day for all of us. I am so pleased with the work that has been done here at Microsoft on the architecture and administrative experiences. I'm happy for the team and what has been accomplished. 
I am so pleased with the feedback that has come in from so many customers about the richness and vibrancy of the new admin experience as well as how performant the services are. And, at the risk of sounding redundant, I'm happy to hear how much this has simplified your work while delivering incredible new, unique value such as the integrated Conditional Access.</p> <p> </p> <p> </p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/08/the-new-intune-and-conditional-access-admin-consoles-are-ga/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>New in Intune: TeamViewer integration for Android</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/06/new-in-intune-teamviewer-integration-for-android/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/06/new-in-intune-teamviewer-integration-for-android/#respond</comments>
<pubDate>Tue, 06 Jun 2017 21:30:04 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=52115</guid>
<description><![CDATA[Remote assistance on Android devices just got better with Intune and TeamViewer's expanded integration. ]]></description>
<content:encoded><![CDATA[<p>Remote assistance on Android devices just got better with Intune and TeamViewer's expanded integration. With the combination of Intune and TeamViewer, your helpdesk team can now start a remote assistance session with your end users on Android devices, making it easier than ever to help users with training, support issues, or step-by-step walkthroughs of device or application usage.</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/05/TeamViewer_Image.png"><img title="TeamViewer_Image" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="TeamViewer_Image" src="https://msdnshared.blob.core.windows.net/media/2017/05/TeamViewer_Image_thumb.png" width="850" height="352" class="aligncenter" /></a></p> <p> </p> <p>The TeamViewer Quick Support device application can be pre-installed through Intune for a streamlined device experience. Even if the TeamViewer application isn't installed on the device, the Intune Company Portal will walk users through the process of installing the TeamViewer Quick Support application during their first remote assistance session. The integration with TeamViewer allows you to utilize all the features of TeamViewer, including chat, file transfer, and device details.</p> <p>A TeamViewer license is required to take advantage of this functionality. Please visit the <a href="https://www.teamviewer.com/en/integrations/microsoft-intune/">TeamViewer site</a> for more information about TeamViewer and licensing options, and for additional information about using Intune with TeamViewer visit our <a href="https://docs.microsoft.com/en-us/intune/device-profile-android-teamviewer">documentation page</a>.</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/06/06/new-in-intune-teamviewer-integration-for-android/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Microsoft Visio Viewer App now enabled with Intune MAM for iOS!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/31/microsoft-visio-viewer-app-now-enabled-with-intune-mam-for-ios/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/31/microsoft-visio-viewer-app-now-enabled-with-intune-mam-for-ios/#respond</comments>
<pubDate>Wed, 31 May 2017 20:00:18 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=51815</guid>
<description><![CDATA[Diagrams help visually communicate information – they are excellent tools for demonstrating relationships between parts, simplifying complex ideas, articulating process, and explaining how things work. And they often contain sensitive company data that you want to protect. If your users are creating or viewing diagrams in their work, they're most likely using Microsoft Visio, and if that's <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/05/31/microsoft-visio-viewer-app-now-enabled-with-intune-mam-for-ios/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Diagrams help visually communicate information – they are excellent tools for demonstrating relationships between parts, simplifying complex ideas, articulating process, and explaining how things work. And they often contain sensitive company data that you want to protect.</p> <p>If your users are creating or viewing diagrams in their work, they're most likely using Microsoft Visio, and if that's the case then this news is for you – the latest update to the Visio Viewer app now includes support for Intune MAM. Enable your users to access and interact with Visio files on iOS devices with the peace of mind that your data is protected by Intune.</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/05/image442.png"><img width="670" height="377" title="image" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/05/image_thumb407.png" border="0" /></a></p> <p style="text-align: center"><em>Access and interact with your Visio diagrams on the go – process diagrams, cross functional flowcharts, network diagrams, org charts, timelines, floor layouts, UML diagram and many more.</em></p> <p> </p> <p>This update supports the full set of Intune MAM capabilities, including our app-level data protection policies that can be applied with or without MDM device enrollment. These app protection policies allow you to set policies that enable app encryption, app access control, app-level selective wipe and the ability to restrict actions such as copy/paste/save as. 
Find <a href="https://technet.microsoft.com/en-us/library/mt627825.aspx">more details on Intune MAM policies</a> in our documentation.</p> <p>The Visio Viewer app is now available for management in the Intune console and accessible in the <a href="https://itunes.apple.com/us/app/microsoft-visio-viewer-flowcharts-and-diagrams/id1139787983?mt=8">App Store</a>. Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">What's New in Microsoft Intune</a> page for more on this and other recent developments in Intune.</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/31/microsoft-visio-viewer-app-now-enabled-with-intune-mam-for-ios/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Breaking down EMS Conditional Access: Part 3</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/26/breaking-down-ems-conditional-access-part-3/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/26/breaking-down-ems-conditional-access-part-3/#respond</comments>
<pubDate>Fri, 26 May 2017 20:15:15 +0000</pubDate>
<dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=51995</guid>
<description><![CDATA[This post is the third of a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today we are re-publishing the third installment with the white paper Protect your data at the front door with conditional access. Through this blog series, we've taken a closer look at conditional access with Enterprise Mobility + <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/05/26/breaking-down-ems-conditional-access-part-3/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><em>This post is the third of a three-part series detailing </em><a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access"><em>Conditional Access</em></a><em> from Microsoft Enterprise Mobility + Security. Today we are re-publishing the third installment with the white paper </em><a href="https://info.microsoft.com/EMS-Conditional-Access-Whitepaper.html"><em>Protect your data at the front door with conditional access</em></a><em>.</em></p> <p>Through this blog series, we've taken a closer look at conditional access with Enterprise Mobility + Security and the innovations that can help you define and inform your policies with different layers of controls for <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/">user/location, applications</a>, and <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/">devices</a>. Most of the scenarios we've discussed have addressed user-based vulnerabilities, but it's important to take into consideration the broader threat landscape and its complex risks.</p> <h3>Risk-based conditional access</h3> <p>Although attacks are increasingly sophisticated, each one leaves revealing traces, a calling card. This data can be used to find patterns that will help us protect against attacks. But processing such tremendous volume is no small task – so we got to work. Every month we update more than 1 billion PCs, service more than 450 billion authentications, and analyze more than 200 billion emails for malware and malicious websites. 
We see just about every kind of attack there is, and we push the data directly into our <a href="https://www.microsoft.com/en-us/security/intelligence">Microsoft Intelligent Security Graph</a>.</p> <p>The graph pulls together all of the telemetry and signals that come in from the hundreds of cloud services operated by Microsoft, extensive and ongoing research, and data from partnerships with industry leaders and law enforcement organizations. This graph is unique to Microsoft. We apply our machine learning and data analytics to identify suspicious and anomalous activities that characterize modern sophisticated attacks. The graph makes it possible for us to deliver recommendations and automated actions that protect, detect, and respond across different attack vectors.</p> <p>You can use the Microsoft Intelligence Graph to inform your conditional access policies to protect against risk events by blocking access when risk is detected.</p> <h3>Leaked credentials</h3> <p>Microsoft security researchers search for credentials that have been posted on the dark web, which usually appear in plain text. Machine learning algorithms compare these credentials with Azure Active Directory credentials and report any match as leaked credentials.</p> <h3>Impossible travel or atypical locations</h3> <p>Machine intelligence detects when two sign-ins originate from different geographic locations within a window of time too short to accommodate travel from one to the other. This is a pretty good indicator that a bad actor succeeded in logging on.</p> <p>Machine intelligence also flags sign-ins at atypical locations by comparing them against past sign-ins of every user. Sign-ins from familiar devices or sign-ins from or near familiar locations will pass.</p> <h3>Sign-ins from potentially infected devices</h3> <p>The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. 
Devices that attempt to contact resources from these IP addresses are possibly infected with malware and are therefore flagged.</p> <h3>Sign-ins from anonymous IP addresses</h3> <p>People who want to hide their device's IP address, often with malicious intent, frequently use anonymous proxy IP addresses. A successful sign-in from an anonymous IP address is flagged as a risky event. If the risk score is medium, a risk-based conditional access policy can require MFA as additional proof of identity.</p> <h3>Sign-ins from IP addresses with suspicious activity</h3> <p>Multiple failed sign-in attempts that occur over a short period of time, across multiple user accounts, and that originate from a single IP address, also trigger a risk event. Traffic patterns that match those of IP addresses used by attackers are a strong indication that accounts are either already compromised or will be very soon, although the traffic pattern may also originate from an IP address shared with multiple devices via a router or similar device.</p> <h2>Beyond access control</h2> <p>Microsoft Enterprise Mobility + Security (EMS) delivers innovative security technologies that provide a holistic, <a href="http://download.microsoft.com/download/E/C/7/EC78FF06-02BB-4DFD-9EBB-CADB66BB594F/Microsoft_Identity Driven Security_Datasheet_EN_US.pdf">identity-driven approach</a> to mobility, identity, and security in a mobile-first, cloud-first world.</p> <p>While our risk-based conditional access helps protect your data at the front door, EMS also gives you visibility into user, device, and data activity on-premises and in the cloud, and includes solutions that allow you to protect your corporate data from user mistakes with stronger controls and enforcement.</p> <p> </p> <h4>To get a full picture of conditional access from EMS, <a href="https://info.microsoft.com/EMS-Conditional-Access-Whitepaper.html">download our white paper today</a>.</h4> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/26/breaking-down-ems-conditional-access-part-3/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Get Intune PowerShell samples for Microsoft Graph API</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/05/15/get-intune-powershell-samples-for-microsoft-graph-api/</link>
<pubDate>Mon, 15 May 2017 16:00:49 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Office 365]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=51425</guid>
<description><![CDATA[In a recent blog post, you saw how the Microsoft Graph API enables you to automate workflows, access data, and integrate your applications using a single endpoint for Intune, Azure Active Directory, and Office 365. ]]></description>
<content:encoded><![CDATA[<p>In a <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/">recent blog post</a>, you saw how the <a href="https://developer.microsoft.com/en-us/graph/">Microsoft Graph API</a> enables you to automate workflows, access data, and integrate your applications using a single endpoint for Intune, Azure Active Directory, and Office 365. Microsoft Graph API gives you access to Intune data such as configuration profiles, mobile applications, conditional access policies, and more – but in a programmatic way.</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/05/Microsoft-Graph-API.png"><img width="843" height="577" title="Microsoft Graph API" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" alt="Microsoft Graph API" src="https://msdnshared.blob.core.windows.net/media/2017/05/Microsoft-Graph-API_thumb.png" border="0" /></a></p> <p> </p> <p>A lot of our customers were excited to get started with Microsoft Graph API, and we would like to give you a jump start. We've put a set of PowerShell sample scripts in GitHub for you: <a href="https://github.com/microsoftgraph/powershell-intune-samples">https://github.com/microsoftgraph/powershell-intune-samples</a>. These sample scripts demonstrate how you can use Microsoft Graph API to create or update mobile applications, compliance policy, RBAC roles, and configuration profiles among other common tasks.</p> <p>To get started, visit <a href="https://github.com/microsoftgraph/powershell-intune-samples">GitHub</a>, ensure you have all the prerequisites installed (check out readme.md), and that you're using a test tenant. 
Then give the scripts a try and let us know what you think!</p> <p>Note: The Intune and Azure AD APIs are available in preview now as part of the Microsoft Graph API beta and will be generally available later in 2017.* For a closer look, check out the documentation on how to use <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Intune</a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api">Azure Active Directory</a> APIs.</p> <hr /> <p><em>*Use of a Microsoft online service requires a valid license. Therefore, accessing EMS, Microsoft Intune, or Azure Active Directory Premium features via Microsoft Graph API requires paid licenses of the applicable service and compliance with Microsoft Graph API Terms of Use.</em></p> ]]></content:encoded>
</item>
<item>
<title>Updates to Microsoft Intune on Microsoft Azure</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/#comments</comments>
<pubDate>Wed, 19 Apr 2017 16:00:36 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50805</guid>
<description><![CDATA[Empowering not only your employees, but also you to be more productive is one of the main goals for us.]]></description>
<content:encoded><![CDATA[<p><em>This post is authored by Simon May, Principal Program Manager, Intune CXP.</em></p> <p>Empowering not only your employees, but also you to be more productive is one of the main goals for us. Ability to manage your mobility ecosystem from virtually any device and any browser, managing increasingly larger numbers of devices and apps, a modern micro-services cloud architecture, enterprise-grade APIs, reporting and automation support, unified admin experience for all of Enterprise Mobility + Security (EMS), and Role Based Access Controls (RBAC). These are all things that thousands of our customers have been asking us for. We are now delivering it to you.</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/04/One-console.-One-set-of-APIs.-Limitless-possibilities.png"><img width="863" height="558" title="One console. One set of APIs. Limitless possibilities." class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" alt="One console. One set of APIs. Limitless possibilities." src="https://msdnshared.blob.core.windows.net/media/2017/04/One-console.-One-set-of-APIs.-Limitless-possibilities._thumb.png" border="0" /></a></p> <p> </p> <p>More than half of Intune tenants have been already migrated to our new Azure micro-services based infrastructure, delivering the experiences described above. Our team is working diligently to migrate the remaining customers, taking the utmost care as they do.</p> <h2>Streamlined management of core EMS workflows across Azure AD and Intune</h2> <p>Personally, I find <a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">Conditional Access</a> to be one of the most amazing features of EMS. We are continually told by our customers how good our access management experience is architecturally and practically. 
End users like the guided route to compliance, and IT can trust that the right users are granted or denied access based upon a combination of device, network location, risk, and other factors. We heard from many customers that it is not optimal to manage access, and thus risk, to company data from multiple places, the Azure AD console and the Intune Silverlight console.</p> <p>We listened and significantly improved the experience.</p> <p>There's now a single experience in the Azure portal to express how I want to govern the level of risk that I'll accept granularly. I can require devices I trust coming from networks I don't trust to need MFA, while not requiring MFA from devices I trust on networks I trust.</p> <h2>Harness the Microsoft Graph for simplicity, automation, and integration</h2> <p>We've had phenomenal feedback from early adopters about the work that our team has done with the <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Microsoft Graph API</a>. Now a single API spans Office 365, Azure AD, Intune, and other Microsoft cloud services. You can leverage this API for complex reporting through <a href="https://powerbi.microsoft.com/">PowerBI</a> and other big data or analytics services to build custom dashboards for your business. IT admins are always looking for ways to save time and automate repetitive admin tasks. The Microsoft Graph API enables you to do just that.</p> <h2>Manage devices, users and groups with nearly unlimited scale</h2> <p>Following your tenant's migration, Intune will use groups in Azure AD for user and device management and to apply policy. This reduces admin overhead since groups don't need to be built in two places. For example, if you have an <strong>Engineering </strong>group in Azure AD that you use to assign SaaS apps in Azure AD and use to configure access to a SharePoint site, you can now use that exact same group to apply policy to your devices and apps in Intune. 
Not only that, but you now have the power of <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups">Dynamic groups</a> in Azure AD at your disposal to create groups based on simple or even complex queries of device and user information.</p> <p>Of course, your company could well have more than one IT admin and the level of experience and, let's face it, trust you put in those admins differs. Now you have granular Role Based Access Control that lets you enable or disable administrative capabilities depending upon the role a person has. One company I'm working with allows their <strong>Help desk</strong> staff to lock a user's device, but they don't want that employee to be able to do something destructive, such as wipe the device. For that only a <strong>Help desk manager</strong> can initiate the request.</p> <p>There is a huge amount of information to unpack and understand for your organization. To help you out, Craig Marl, Principal Program Manager and I took to Microsoft Mechanics, where I'm asking the kinds of questions you might ask to understand more; Craig has the answers. Of course, if you have more questions, just ask below or you can ask me on Twitter <a href="https://twitter.com/simonster">@simonster</a>.</p> <div class="video-container"><iframe width="500" height="281" src="https://www.youtube.com/embed/FpkCI6xmsE4?feature=oembed" frameborder="0" allowfullscreen></iframe></div> <p> </p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/feed/</wfw:commentRss>
<slash:comments>7</slash:comments>
</item>
<item>
<title>New EMS + Skycure integration helps ensure devices are risk free before accessing corporate resources</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/27/new-ems-skycure-integration-helps-ensure-devices-are-risk-free-before-accessing-corporate-resources/</link>
<pubDate>Mon, 27 Mar 2017 15:00:45 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49385</guid>
<description><![CDATA[Today we're thrilled to announce the general availability of our integration with Skycure, a leader in the mobile threat defense space. ]]></description>
<content:encoded><![CDATA[<p>Today we're thrilled to announce the general availability of our integration with <a href="https://www.skycure.com/">Skycure</a>, a leader in the mobile threat defense space. The integration between Skycure and Microsoft Enterprise Mobility + Security gives organizations more confidence that devices are risk-free and secure before users access corporate resources.</p> <p>Mobile devices can be susceptible to sophisticated threats under the guise of seemingly harmless scenarios that end users execute on their devices. For example, connecting to a coffee shop Wi-Fi access point could open the user's device to a man-in-the-middle attack. Installing a seemingly harmless app could expose the user to malware that can exploit platform vulnerabilities or access the camera without their knowledge. Skycure's real-time mobile threat protection leverages a public app for guaranteed user privacy and simple maintenance, plus global crowd-sourced intelligence to ensure protection from zero day threats. The solution is designed to proactively protect against all mobile threat vectors (malware, network-based risks, and OS and app vulnerability risks) to help you identify and remediate these risks before they become a problem.</p> <p>This integration makes it easy for you to apply Skycure's threat detection as an additional input into Intune's device compliance settings, giving Intune dynamic control over access to corporate resources and data based on Skycure's real-time analysis. 
Once a threat is detected, Skycure immediately applies on-device protections and notifies Intune to enforce device status changes and conditional access controls to ensure that corporate data stays protected.</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/EMS-Skycure-Graph.png"><img title="EMS Skycure Graph" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="EMS Skycure Graph" src="https://msdnshared.blob.core.windows.net/media/2017/03/EMS-Skycure-Graph_thumb.png" width="878" height="440" class="aligncenter" /></a></p> <p align="center"><em>Skycure and Intune work together to make sure only low risk, compliant devices can access corporate resources.</em></p> <p> </p> <p>Visit our <a href="https://docs.microsoft.com/en-us/intune/deploy-use/skycure-mobile-threat-defense-connector">documentation site</a> for more details on how to deploy and use Skycure with Intune.</p> <p>You can read more about how <a href="https://www.skycure.com/blog/skycure-microsoft-integrate-mtd-ems-defend-mobile-threats/">Skycure defends against mobile threats</a>.</p> <hr /> <p><em>Note that any necessary licenses for Skycure products must be purchased separately from Intune and/or EMS licenses.</em></p> ]]></content:encoded>
</item>
<item>
<title>Microsoft Enterprise Mobility + Security and the Microsoft Graph API</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/</link>
<pubDate>Mon, 20 Mar 2017 19:54:11 +0000</pubDate>
<dc:creator><![CDATA[Andrew Conway]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49035</guid>
<description><![CDATA[Across the more than forty thousand customers that Enterprise Mobility + Security (EMS) serves today, there's a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Across the more than forty thousand customers that <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/">Enterprise Mobility + Security (EMS)</a> serves today, there's a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their business. Some customers may choose to manage their mobility solutions internally while others choose to work with a managed service provider to manage on their behalf. Regardless of the structure, our goal is to enable IT to easily design processes and workflows that allow them to be more empowered and efficient.</p> <p>As the Microsoft Intune and Azure Active Directory admin experiences come together in Azure, we're taking an important step forward in our ability to offer EMS customers more choices and capability. Built on the <a href="https://developer.microsoft.com/en-us/graph">Microsoft Graph API</a>, the new Intune and Azure AD experience on Azure opens a new set of possibilities for our customers and partners to simplify, automate, and integrate their workloads.</p> <p>Microsoft Graph API connects developers to the data that drives productivity: mail, calendar, contacts, documents, directory, devices, and more. It serves as a single interface where Microsoft services can be reached through a set of REST APIs. With our shift to Azure and the Microsoft Graph API, customers now have the choice to manage the administration and operation of Intune and Azure AD services in the new Azure console or through the Microsoft Graph API. 
The scenarios that the Microsoft Graph API enables are expansive; we expect the value to you and all our customers to center on three core benefits:</p> <h2>Simplicity</h2> <p>Microsoft Graph API is accessible through several platforms and tools, including REST-based API endpoints, and most popular programming and automation platforms (.NET, JS, iOS, Android, PowerShell). Resources (user, group, device, application, file) and policies can be queried through this API, and formerly difficult or complex questions can be addressed via straightforward queries. For example, you can use the Graph APIs to check the compliance state of all your Intune-managed devices and feed this data into your existing reporting system, enabling a simple, yet powerful, reporting experience across your organization.</p> <h2>Automation</h2> <p>The Microsoft Graph API allows you to connect different services and automate workflows and processes between them. For example, you could connect your HR system with the Microsoft Graph APIs to automate the provisioning of mobile devices when you're onboarding a new employee, and set up automation to retire and wipe a device as employees leave the company. If you are a service provider managing the environment of multiple customers at once, you could use these capabilities to automate the onboarding of tenants, populating them with default policies and implementing industry-specific templates. All this can be set up to happen automatically without ever opening a management console.</p> <h2>Integration</h2> <p>The Microsoft Graph API can send detailed device and application information to other IT asset management or reporting systems. You could build custom experiences which call our APIs to configure Intune and Azure AD controls and policies and unify workflows across multiple services. 
For example, a help desk organization might build a custom solution that incorporates Intune functionality into their console, allowing them to manage device and application policies in a unified way alongside other helpdesk tasks. You can even connect with PowerBI and other analytics services to create custom dashboards and reports based on Office 365, Intune, and Azure AD data from the Microsoft Graph API.</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for.jpg"><img width="873" height="186" title="Microsoft Graph API is the gateway for" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Microsoft Graph API is the gateway for" src="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for_thumb.jpg" border="0" /></a></p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms.jpg"><img width="872" height="147" title="Supported Platforms" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Supported Platforms" src="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms_thumb.jpg" border="0" /></a></p> <p>The new <a href="https://blogs.windows.com/windowsexperience/2017/01/24/announcing-intune-education-new-windows-10-pcs-school-starting-189/#2h4ooD2KbRBHuix3.97">Intune for Education</a> experience and the OneDrive for Business console, where Intune app protection policies are now built in directly, are both great examples of new experiences that are made possible because of Intune and Azure AD being built on the Microsoft Graph API. We're also working directly with several partners who are starting to explore what's possible with our APIs in preview. 
It's exciting to see the ideas they come up with around how these capabilities will improve their processes and workflows, and the custom solutions they will enable.</p> <p>The Intune and Azure AD APIs are available in preview now as part of the Microsoft Graph API beta and will be generally available later in 2017.* For a closer look, check out the documentation on how to use <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Intune</a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api">Azure Active Directory</a> APIs.</p> <hr /> <p><em>*Use of a Microsoft online service requires a valid license. Therefore, accessing EMS, Microsoft Intune, or Azure Active Directory Premium features via Microsoft Graph API requires paid licenses of the applicable service and compliance with Microsoft Graph API Terms of Use. </em></p> ]]></content:encoded>
</item>
<item>
<title>Microsoft Teams is now generally available — and MAM enabled on iOS and Android!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/14/microsoft-teams-is-now-generally-available-and-mam-enabled-on-ios-and-android/</link>
<pubDate>Tue, 14 Mar 2017 15:30:00 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[MAM]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48785</guid>
<description><![CDATA[Great news – today Microsoft announced the general availability of Microsoft Teams! We're excited to share this huge milestone and announce that the updated Microsoft Teams apps are now enabled with Intune MAM capabilities, so you can empower your teams to work freely across devices, while ensuring that conversations and corporate data are protected at <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/14/microsoft-teams-is-now-generally-available-and-mam-enabled-on-ios-and-android/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Great news – today Microsoft announced the <a href="https://blogs.office.com/2017/03/14/microsoft-teams-rolls-out-to-office-365-customers-worldwide/">general availability of Microsoft Teams</a>! We're excited to share this huge milestone and announce that the updated Microsoft Teams apps are now enabled with Intune MAM capabilities, so you can empower your teams to work freely across devices, while ensuring that conversations and corporate data are protected at every turn. The Microsoft Teams apps support the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/create-and-deploy-mobile-app-management-policies-with-microsoft-intune">Intune MAM app-level data protection</a> with or without MDM device enrollment. Look for them in the <a href="https://play.google.com/store/apps/details?id=com.microsoft.teams">Google Play</a> and <a href="https://itunes.apple.com/us/app/microsoft-teams/id1113153706?mt=8">iOS App</a> stores today. Support for Microsoft Teams in the Intune admin console is currently being rolled out.</p> <p>Microsoft Teams is a chat-based workspace in Office 365 that brings together people, conversations, and content in a fresh new way that takes the work out of collaboration and makes it easy for teams to stay on the same page and achieve more. Microsoft Teams goes way beyond chat, giving you easy access to the tools your people depend on every day: Word, Excel, PowerPoint, OneNote, SharePoint and Power BI are all built-in, so you're never more than a click away from getting things done. 
And it's customizable, allowing you to create a workspace that fits the unique needs of every team.</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Teams.png"><img title="Microsoft Teams" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="Microsoft Teams" src="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Teams_thumb.png" width="771" height="435" class="aligncenter" /></a></p> <p>With the Teams apps for iOS and Android, work gets done anywhere – you can collaborate with partners and contribute to projects, even on the go.</p> <p><a href="https://technet.microsoft.com/en-us/library/mt627825.aspx">Here's a great article</a> if you're looking for more details on Intune MAM policies. Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">What's new in Microsoft Intune</a> page for more on these and other recent developments in Intune.</p> <h3>Additional Resources</h3> <ul> <li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li> <li><a href="http://technet.microsoft.com/library/jj676587.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Find technical resources for Intune in the TechNet library</a></li> <li><a href="https://www.microsoft.com/en-us/server-cloud/enterprise-mobility/ems-trial.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Sign up for a free trial of Microsoft Intune</a></li> <li><a href="https://blogs.technet.microsoft.com/b/microsoftintune/rss.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Subscribe to the Intune blog RSS feed</a></li> </ul> ]]></content:encoded>
</item>
<item>
<title>Conditional Access “limited access” policies for SharePoint are in public preview!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/</link>
<pubDate>Thu, 09 Mar 2017 17:00:23 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Android]]></category>
<category><![CDATA[Conditional Access]]></category>
<category><![CDATA[Identity-driven Security]]></category>
<category><![CDATA[iOS]]></category>
<category><![CDATA[Office 365]]></category>
<category><![CDATA[Security]]></category>
<category><![CDATA[SharePoint]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48725</guid>
<description><![CDATA[Howdy folks, Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data. But not anymore! Working with the SharePoint team, we’ve created a great <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.</p> <p>But not anymore! Working with the SharePoint team, we’ve created a great new feature in the conditional access experience that I think you’re going to love: the ability to limit a user’s ability to download, print and sync based on the state of their device.</p> <p>To tell you more about it, I’ve invited one of my program managers, Nitika Gupta, to write a blog, which you’ll find below. Read up, try things out, and let us know what you think!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> <p>—-</p> <p>Hi folks,</p> <p>I’m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.</p> <p>Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn’t get on to a machine that isn’t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.</p> <p>Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren’t enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. 
Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.</p> <p>But what if we could have great user productivity and maintain a great security posture? That’s what the Secure, Productive Enterprise is all about and why <strong>I am thrilled to announce the public preview of the “<em>Limited Access to SharePoint and OneDrive”</em> feature!</strong> Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.</p> <p>Let me show you how it works in Azure AD Conditional Access and SharePoint!</p> <h2>Getting started</h2> <p>Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our <a href="https://aka.ms/spolimitedaccessdocs">limited access documentation</a> for more detailed instructions.</p> <ol> <li> <div>First <a href="https://portal.azure.com/">create an Azure AD Conditional access policy</a> for SharePoint that applies only to browser client apps with “use app enforced restrictions” as the session control.</div> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional1.png" /></p> <p>Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling Azure AD conditional access policy. 
This enables access from mobile and desktop apps only from a compliant or domain joined device.</li> <li>Next, go to <strong>device access </strong>in the SharePoint admin center and select the checkbox to “Allow limited access (web-only, without the Download, Print, and Sync commands)”</li> </ol> <p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional2.png" /></p> <p>Note: It can take up to 15 minutes for policy changes to take effect.</p> <h2>End user experience</h2> <p>When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.</p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional3.png" /></p> <h2>Feedback</h2> <p>We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.</p> <p>Thanks,</p> <p>Nitika Gupta</p> <p>@_nitika_gupta</p> ]]></content:encoded>
</item>
</channel>
</rss>