>> Hello everyone, and welcome to today's webinar
on how Microsoft is modernizing device management.
My name is Mayunk Jain,
and I will be your host for today's session.
I'm a Senior Product Marketing Manager for Microsoft Intune,
and I've been with Microsoft for about a year now.
Before that, I've spent over 10 years
in the end user computing space
in various technical marketing roles.
With me here are Mike and Carmichael
who will be happy to introduce themselves.
Let's start with you Mike.
>> Hi, Mike DeGooyer,
I'm a Senior Program Manager here at Microsoft.
I've been here quite a while about 17 years actually,
and been in various roles from data center to client, etc.
But the last 10 years,
I've been focused on client management,
everything from the release of SCCM
to the release of Intune at Microsoft,
and rolling that out across the company,
to cross-platform, and lately focused on security in Intune.
>> Yeah, thanks for coming over and joining us--
>> Yeah.
>> The Digital Security Risk and Engineering team.
>> It's been good. >> Nice.
>> I'm Carmichael Patton.
As I said, I'm on the Digital Security Risk
and Engineering team.
I'm on a team called Emerging Security Products
where we focus on how we can fill our control gaps
in our security environment to sort of fit that
need where we have the gaps there.
I came to Microsoft about three years ago.
My focus was to actually look at how we manage
our non-Windows environments.
So how we manage Mac, iOS, Android,
and potentially even Linux in the future, maybe.
>> Linux, we'll talk about that a little later.
(laughing)
>> Think so. >> Nice.
>> Thank you guys.
So before we get started with the presentation
I'd like to let you know that you can submit
your questions into the ON24 dashboard
at any time during the conversation.
We have peers ready online to help you answer them.
And then we also collect a few to discuss
during the session or in the Q&A session
after the presentation.
In case we run out of time and can't get
to all your questions,
we will stay behind in the studio.
I think all of us can stay behind
and then post them with the On-demand webinar.
>> Yeah, for sure.
>> So, and then in the end I think we can wrap up
with some key recommendations to get these guys started
with their deployments.
>> Definitely.
>> Awesome.
So let's kick it off then.
>> Sure.
Let me kind of walk everyone through kind of
where we're gonna head first.
We'll talk about a little bit about our environment,
kind of just a level set.
Because a lot of people when they think about Microsoft,
they don't really realize how,
you know, you mentioned Linux, iOS, Mac, Android.
We have a huge breadth of devices at Microsoft
so we kind of want to walk you through to level set that.
Then we kinda wanna walk through
some of the management structure in what we're doing.
As well as some of the architecture with EMS
and how we're kind of arranging what we're thinking today.
As well as where are we headed?
I think that's part of the really key conversation today.
Where are we headed with Microsoft as an enterprise?
And what are the challenges we're seeing?
'Cause I think we're a lot similar to a lot of you guys.
And then walk through how that dovetails into EMS.
'Cause really it comes about how are we gonna
use our products the most effectively, right?
How are we gonna look forward?
And then kind of talk about the modern management scenarios
that we're, you know, head-deep in today,
that we're driving.
So with that we'll kick it off.
Carmichael, if you wanna walk us through
kind of, our environment today.
>> Yeah sure.
And I think one of things you just said Mike
is really important because, you know,
while we are Microsoft,
we're actually just an enterprise like most other people.
Where we are using Microsoft products
and trying to figure out how to do that
in their most effective way.
Some of the key information we have up here.
We have about 135,000 employees.
And most of those folks have multiple devices.
You know, they're managing their iPhones
or their Android devices.
They have laptops, maybe they even have some other systems.
Maybe working from home or something like that, right.
So it's key to understand, sort of, the environment.
Looking at it, we have about 2.6 million
transactions per day on our sales platforms, of course.
And 380,000 devices hitting our network per month.
That's coming in through either on-prem
plugged into the wire ports,
or in our wireless environments as well.
So if you want to jump over to the next slide
let's talk a little bit about what we actually
have as far as devices.
>> Sure.
>> Because I think it's super important for us to sort of
understand, you know, we aren't just Windows, right?
I mean like I said I came in about three years ago.
Because we had a standard at the time that basically said,
thou shalt not have.
And I think there was some rumors going around about
maybe some executives that didn't like
some of those competing fruit products.
>> I was here for those.
(all laughing)
>> So you know, it's understanding that our environment
isn't just Windows and you can see here,
this is just our managed environment.
We have about 100,000 iOS devices.
I mean, just think about that.
We have 135,000 employees,
and we see these multiple devices.
So clearly the numbers don't add up
when you look at iOS and Android.
Because we also have vendors.
We have partners that we work with,
that are actually leveraging our management platforms
as well, to ensure that that data that we're really wanting
to protect is protected.
>> I was gonna say just that on the previous slide
we didn't mention the vendors,
but just to be clear, you know, we actually have
about 230,000 people connecting to our resources
at any given time.
>> Exactly.
>> So while we have the secure 130,
that we really want to focus on,
it's really about 230,000 people
that are actually connecting at any given time.
>> I think the one thing we'll also point out
is we still have Windows Mobile on the list
that we have to worry about, too.
>> We have to have a few of those. (laughing)
>> And I love the fact that we are
our own biggest customer almost, right?
It almost feels like, I was sharing with you guys earlier,
that being in marketing, the stuff you guys put out,
the IT Showcase Whitepapers, the webinars,
are our number one asset.
So people really love the fact that we can actually
eat our own or drink our own champagne.
I think that's the right word. (laughing)
>> Is that the new one? Drink our champagne.
>> And at that scale.
So it's amazing, fabulous job.
>> So, I think what we'll do then is let's move
into how we actually are looking at this from an initiative
towards moving towards modern management.
>> Sure I wanna,
let's kind of introduce, there are four kind of key things
that we're working on right now,
that we'll talk about.
First is remote users.
So what people don't realize is in a shift of mindset,
we made the assumption probably three years ago,
to just say look we assume that everyone
is gonna work remote.
We want you to work remote.
We encourage it.
We tell people to work from their home office.
But that changes the construct of
how you're going to manage them.
If you're sitting at home and you're working on your PC,
what does that look like?
Does it need to be Intune enrolled?
Can we apply policies to just secure that device?
Can we just provide a browser experience?
But first and foremost, we want people
to have that remote experience.
Because whether you want to as an enterprise or not,
people are gonna be connecting from their coffee shop,
from anywhere, McDonald's.
They're just gonna be working from anywhere.
>> Well you know, we're gonna get that
Brett Arsenault ask, one of those moments
where it's seven o'clock at night,
and your boss calls you and says, by the way,
we need that slide deck.
(all laughing)
>> That happens here.
With that we kind of have created this Internet-first,
and you wanna just mention the Zero Trust Network?
>> Yeah I think, you know, again
sort of, as Mike said, you're gonna be working
from all these ubiquitous environments.
It could be at home, it could be a coffee shop,
it could be at grandma's house,
and you're getting that, sort of, last minute request
where you need to get access to something.
I think for us it's not just ensuring
that you have that capability to open up Office,
but for moving that paradigm to the, are you really
allowed to do that on that device that you have, right?
>> And how are we controlling
what's on that device? >> Exactly.
And so using that identity as the boundary,
in saying okay, you know Mike is logged in at this location.
Does he have access to that data?
And does he have access to that data from this device?
So creating that, sort of, maybe not necessarily
in the traditional sense of Zero Trust
from a networking isolation perspective,
which is a layer of it.
But just the identity and the device health
is the other piece of that as well.
>> And then we get into, how do we modernize apps?
So we're no different than anyone else.
If you look at our LOB platform,
4,000, I mean at one point we had 7,000 apps, it was crazy.
We still have thousands of apps more like 4,000,
depending on who you ask around here.
But one thing we've focused on
is moving all of that to the Cloud.
Now re-modernizing everything?
We're trying to.
But even for us it's a journey, right?
We have things that are enabled for on-prem.
And now even, from a modernization standpoint,
what we're doing is we've actually peeled back the onion
a little and we're saying, look, there's certain things
that need to stay on-prem,
and there's a few of those.
And then there's some things that actually need
to be on the internet and most of those are moved over.
But ideally we're trying to move everything
so that it's consistent with our management platform.
So we have the controls in place.
>> And I think it's important you mentioned the 7,000 number
and that's just line-of-business internal apps
that we use here at Microsoft, right?
>> Right.
>> Some sort of an enterprise perspective.
And that number, while it isn't 7,000 in the Cloud,
I mean a lot of that has been deprecated
because of just legacy apps,
that maybe we just have lingering around for a while.
But a good portion of that has actually moved up
to the Cloud today and is being run
from the Azure platforms.
And I think the last number that we actually have
is about 70 apps that are still sitting on-prem
in an environment whether because they're just so old
and legacy but they still have that data that we need.
Or if they just can't modernize it for whatever reason.
And so it's what's important especially
we go back to the sort of thinking of the Internet-first
which is okay fine those apps have to stay on-prem
but how do I still give that experience
when somebody is remote to be able to access that app, so.
>> You've got to look at the cost of that, right?
>> Exactly.
>> To me it's also a cost decision.
If you're going to modernize, how much development
is that gonna cost you?
And then how, what's the value?
If you have a 550-person application, is it really worth,
>> Right. >> you know, investing in.
And so a lot of ours have transitioned to,
I think, Power Apps for example.
We've moved a ton of apps to the Power Apps platform
and that gets us out of kind of micromanagement
of the app itself 'cause we just put it in the container
and we're good to go.
>> Don't forget to do your time away which
you can do through Power Apps for your vacation.
>> You're right.
(all laughing)
And I think of a theme that comes up
especially in our conversations is Internet-first
doesn't mean internet only.
>> Correct. >> Right.
>> So a lot of people kind of assume, oh my God,
modernizing means I have to abandon
everything I knew. That's not true,
especially with Microsoft.
You stay, I believe, with what you have.
You just try to think of the reality
that today everything is Internet-first,
taking care of the fact that you also have a lot of stuff
that is not yet on the internet.
>> Yes, we have to go beyond just those 70 applications;
we have our high-risk environments.
And so protecting those with what
I think publicly we call the PAWs,
the Privileged Access Workstations.
Internally we call them Secure Access Workstations.
So there's a workflow that even goes beyond
just these regular devices that says you have
to be on a fully managed device
that we control the images on.
So to your point right.
So not everything will be extended to the Clouds.
We still have to have that gateway where they can be remote
but we know that that is an absolute trusted device
that they're coming in from.
So good point.
>> That kind of gets into kind of the last bullet
that we'll talk a little bit more in depth here
about which is like kind of that co-managed scenario.
If you think about SCCM plus Intune,
there's a lot of enterprises,
they have infrastructure costs,
they have some costs, that they're basically
gonna be in a co-management state because, to be honest,
some of their workflows don't make sense
to move to the Cloud.
And so it's just like us: we're in a co-management state
with SCCM and Intune.
We're gonna be there a couple of years, several years.
And so I think as people kind of go through this evolution
it's really they have to be really key on what resources
need access to what other services et cetera.
And not try to kind of go too crazy just take it slowly.
>> Yeah exactly.
'Cause I think even if you think about
some of the capabilities we have to do on these devices
from patching to policy management
some of that stuff we still have to do through
the legacy systems to try to bring that forward
into the modernized environment, right?
>> And I think it's more of a mindset.
You have the Cloud-first or the Internet-first mindset.
So you do everything with that in mind.
That doesn't mean you have to just change the tools
as much as you have to adapt to the new way of servicing,
which is just perfect, yes.
>> So one of things we wanted to talk about
is sort of what this looks like.
How the workflow goes, and we actually leveraged
the next slide from our partners over here.
To sort of define that, we called the identities
the new boundary which is using that user on that device
and identifying both of those to ensure that
they have the access to do it.
So I can be in that unprivileged network environment
and I could be, you know, at Starbucks
or at any local coffee shops
and I could be logging into my machine
to try to get to a Word document that I need to go edit
so make sure we have the latest version
of what we're working on for IT Showcase.
So I get that MFA check, right?
So for us, the first and foremost is identifying
who you are and validating that with that MFA.
And then we bring in that sort of condition of the device.
Is it healthy?
Can it access the data that it needs to access
so you know using the various conditions
through conditional access, location, device, user,
what the application is they're trying to access.
And then if they're allowed we'll let them through.
And I think one of the tiers also here
is sort of that on-prem environment, is there's
also that Azure App Proxy layer too, right,
where, you know, maybe the application itself
is being proxied then through that
to the on-prem environment.
So still doing that conditional access evaluation
on the device itself and then carrying that through
with the layer to ensure that they have access to the data.
And I think the key here though, also is that
it's a continuous check.
It's not just a one time you're coming in
and we've validated you at that one time
maybe the device becomes unhealthy while it's happening.
And so you're still connecting but we're doing
that continuous check to actually validate that
that device is still healthy to connect without having
to necessarily force that re-authentication to do that.
So kind of a nice little workflow
that our friends have created for us to do that on so.
>> So I love that you're focused on the identity.
'Cause I think that's a really clear message
people need to adopt, right?
For years in IT and in this industry
it was protect the device, protect the device.
Oh the device has to be secure.
We're so beyond the device.
The devices are pretty much secure.
I mean most devices come encrypted
whether it's mobile, whether it's a PC
they come encrypted, they come set, you have your policies
and passwords and everything else.
So from a security standpoint,
it's about the user, and in the second layer
it's gonna be about the data.
So, don't worry about the device anymore.
If you're still worried about the device
you might want to rethink that strategy
'cause you really need to move beyond the device.
The device should be agnostic
as we've talked about in the beginning.
If you look at all the platforms that we have,
we have users of Microsoft on every platform.
They're on Android, they're on iOS,
they're on the Mac, they're on the PC,
they're on a Surface device, they're all over the place.
>> And I like the nuance of making sure
we understand exactly what we're trying to protect
which is that data element that they're trying
to access through whatever application
they're trying to access it, right?
So and then we'll talk a little bit in a bit
about how the sort of ecosystem, maybe MS, comes together.
But when you look at like AIP
or Azure Information Protection rules
or Windows Information Protection.
Is that device allowed to access that data?
And is that user allowed to access that data, right?
I mean that's sort of to your point, right?
Do I have the identity of both of those device and user
to ensure that they can access those elements?
From the device that they're on
Because, I mean we've all got a phone in our pocket
and we've all got laptops in front of us
and I think back in my office I've got other laptops
and back at home I've got my home PC,
but which of those devices
am I allowed to connect to and I connect to, so.
>> All of them.
(all laughing)
In one way or another. >> In one way or another.
>> And the user is really the weak link
in this because you could have the most secure device
and the most secure network.
But all it takes is a user with password 123
as their password.
And you've exposed the whole organization.
So you need to go beyond passwords,
you need to go beyond just that credential check
to really give security to your point.
>> Yeah, I think there's another webinar coming up
for passwordless, right. (laughing)
If there isn't we should schedule that.
>> Plugging in everything they've got.
(all laughing)
>> And this is kind of,
Carmichael will talk a little bit about this.
This kind of talks about how we look at the ecosystem right?
We think of it as a three-legged stool
with information it set, but we can kind of walk through
each one of these pieces.
>> Yeah I think, just to your point,
let's focus on the stool for a second.
Because for us within Digital Security Risk
and Engineering, DSRE, we really take that approach
of understanding what the risk of the environment is.
>> Right that's the platform layer.
>> Right, so that's the platform layer.
What is it we're trying to protect?
And we've been talking about the data
that's the information protection layer, and I think,
to be clear, when we say information protection
it's not just Microsoft information, right?
'Cause we have access to customer data,
but some people have access to customer data.
So it's not just ours
but it's other people's information
that we're trying to protect as well.
>> Also their personal information.
>> Exactly.
(all talking)
>> Users freak out if you try to mix that information.
I think if there's anything that we've learned
with rolling out conditional access for example here
is, people are super worried
about the separation of your personal data
versus your corporate data.
That's not clear.
So that information protection is absolutely.
>> Especially when you're touching
their personal device like a phone right.
I took a picture of us before
we got on here, right.
And let's say that was a picture of the family
I want to make sure that you guys aren't taking that.
Or we are not taking that picture, right?
So, then you know, so using that risk management foundation
and what are we trying to protect is the information
as Mike said we have those three legs of the stool.
And each of the three legs are super important, right?
So the device health which
we see on the rest of the slide here.
We'll talk about in more specific
especially as we go through the slides
but the identity management tier, right,
you mentioned it Mayunk.
Which is really understanding what we have to do
from an identity perspective,
including MFA on these devices,
to ensure that you are who you say you are
when you're authenticating through that thing.
And that you are continuing to be who you are
not just the one shot deal of applying that logic.
But then the really, I think for me,
the foundational piece of that, of the stool here,
is really the data and telemetry.
We have to be able to understand,
not the data that we're trying to protect,
but we need to be able to see who's using what devices.
How often are they being used?
Is it being used in a healthy way?
And then just getting telemetry across the other systems
and we'll talk again about sort of the EMS suite,
but if I have Advanced Threat Analytics
looking at all those logging events.
If I have Azure Information Protection
ensuring that we are classifying those documents
in the right way but if somebody
downgrades a classification.
Why did they do it?
They were actually writing a recipe for something
and then, you know, sort of making sure.
>> People are never making so many classifications,
do they?
>> They have never.
I mean I think my recipe is highly confidential personally.
(all laughing)
So again if we look at the device health portion
of the slide, right?
Just focusing on that one leg here,
you know, again making sure that
we have up to date operating systems
on all of our devices.
You know, whether that's through
the Windows Update Service
to update our machines on the Windows devices.
But also ensuring we have those updates happening
on both iOS and Android.
And especially now as Android's moving in towards
more of a monthly security patching cycle.
How do we ensure that those security patches
are being applied?
So we make sure that that device is as secure as it can be.
And then as we sort of move around the circle right?
Malware protection and understanding what could be happening
on that device and ensuring we have at least some visibility
into the telemetry on that device
to understand if there's something there.
Encryption, you know, latest apps, to make sure we have
those updates; that kind of goes in line with the updated OS.
And then again that integrity and conditional access piece
that we'll be talking about throughout this presentation.
>> And how it all works together
in the sense of you're using all these signals
that you're getting from different places in one place.
>> Exactly.
>> You know, what I like about that stool
was that it's all connected.
It's not an Ikea box
where the legs are all over the place,
and you got to figure it out like how do I make the stool.
>> By the way, we did test and a three legged stool works.
(all laughing)
>> So even the Ikea stool is great.
I have one myself, I'm new to the US, by the way,
I don't know if I shared that.
But at the same time you have to set it up right.
And if you can buy a stool that is just connected
to each other, the legs are connected to the place you sit.
That's how they all work together,
and I think that's something really powerful
about a solution like that.
>> Exactly. >> Absolutely.
So let's dive a little deeper
and kind of talk about kind of the health aspect.
Carmichael you mentioned a little bit about
the secure admin workstations
and what we're doing there.
But really when it comes down
to what is Microsoft's posture today?
Like what do we tell people?
We're pretty much a "your device should be managed" shop.
You know, while there is MAM
and some other policies that we use to apply
in different scenarios.
Really we want your device to be enrolled.
Now with that it's a little bit complicated.
If I'm honest here,
there's a lot of personal devices in separating
that personal information.
And then like right now we're running into scenarios
where there's a lot of people
where they'll bring their personal PC
and just enroll their personal PC
just so it looks to us like a corporate asset when it's not.
And so I think every environment,
I think as users just become more accustomed
to enrolling their device.
I mean enrolling device is pretty easy, Settings,
Work Access, boom, you're in.
>> I think it's a, you know, you mentioned MAM,
and before we got started here Mayunk,
you were talking about the poll
that the Intune Team put out on Twitter.
>> Right.
>> Which is a super interesting conversation
'cause Mike you touched on a little bit,
which is for us full device management
is really our focus.
If we can't trust that device is what it is.
And the person that's using it is the person that they are.
That's sort of our foundation, right?
But then in order to protect externally the application.
So if I'm at my house and I pull up OWA on my device at home,
and if I, you know, start to read an email
but I want to open up the attachment,
it comes back from a MAM policy
and says, hey, no, I'm sorry, you have to be managed.
And then it walks me through that management workflow,
or at least asks me if I want to be managed,
on my home PC.
>> Of course you know.
>> So. (laughing)
I like a little separation personally you know.
But then I just reach down into my bag
and grab my work laptop and go from there.
There's, I mean, I think that idea of having this,
again, the foundation of the full device management
with some of the capabilities we need to bring in.
And by the way, the poll's still open,
so if you do want it,
go to the Twitter account. >> It's open, yes.
>> I've been plugging stuff.
So the next thing to plug is our Twitter IDs.
So mine @mayunkj, MAYUNKJ and that's where the poll is
and then you have the MSIntune @msIntune
which also has that.
So it's interesting that even if you're not
blocking it at least you can allow it restricted access
where you're like saying okay.
I don't know you.
I don't know if you're exactly who you are.
But at the same time if there's something not
super critical if you're just checking email, go ahead.
But if you want to download the attachment
or do something with that maybe not.
>> And that's where I think you need
to really look at those policies,
like what are you really trying to protect?
>> Right.
>> And if you have the information protection policies
in place that really, really helps.
So we're going through a whole process here right now
to basically say look, how do we categorize that data?
And more importantly how do we take some of that
out of the hands of the user?
Because let's be honest users are never gonna,
they are never going to categorize
100% of the data correctly that's just not.
If you think that's gonna happen that's not a reality.
So you need to just put those in place
so that you can say, look, if I'm looking
at the data that's inside the SharePoint,
then I can actually mark it as, this is secure.
This is high impact.
This is HBI whatever you want to call
it in your environment.
And then you can actually manage that accordingly.
So to me that's super important.
>> You mentioned HBI just as an aside
we built you know we've been sort of working
with the Azure Information Protection Team
and of course we had to change the classification
to mirror what was there.
So Mike mentions the High Business Impact
but now it's highly classified, classified and down.
So by default all documents that we create
are tagged as general, right?
So if you're going to open up a document
and start working on it and then on that layer,
then you have to sort of make that idea
that thinking in your mind to say
you know, am I creating just a document that
I want to send to my family?
So maybe I make that personal.
Is this really business related
and how far into the business is it related?
So is it highly confidential?
And I know there's different tiers of what AIP means
in this environment.
When you're deploying it depending on what level of
licensing you have.
But you know, of course, we're on the E5 SKU,
and being able to do some of the additional things
that we do there.
You know creating special words that say
you know this code word is something that
we need to protect.
So if I ever see that code word used in a document
then make sure that that's highly classified
and only FTE, only this particular group of individuals.
So getting into that granularity is something you have
to be cognizant of when you're planning
that strategy around the tagging so.
>> And as an end user I see that myself all the time.
I mean when I work, I work a lot on Roadmaps.
So as soon as I'm working on something
and you know it says obviously, planning for the Roadmap,
it automatically pops up this thing saying,
you might want to turn this into classified
or a confidential document.
So I see that working for me every day.
(laughing)
>> You don't want to share the full Roadmap
for Intune with the world?
(all laughing)
>> When it's ready, right?
When it's ready. >> Not yet.
>> When it's ready yes. When it's ready.
>> That's a good idea.
>> Everybody wants to know the Roadmap, don't they?
>> Yes, So the goal state Mike what's that?
>> Yeah let's talk about our goal state kind of
where we want to head.
The first is, we're taking a hard
look at our network boundary.
And so something kind of new for us,
not necessarily new for us at Microsoft
but some programs that we have here.
Is we're trying to take a step back.
You know we mentioned in the first
kind of couple of slides that we're Internet-first.
And so I've talked to a lot of different companies
where they're going down a similar thing
to say, look, if you're in a small office,
you have five, six, 800, 1000 people,
do you really need your CorpNet connectivity?
And our answer is no.
We actually don't want that.
So we've been peeling that layer back
for quite a long time.
And so we just look at from the network side
even if you look at our CorpNet,
Carmichael, you mentioned the
the high risk environment, right?
What we see if you look way in the future
our high risk environments are the ones that are gonna
be on the CorpNet.
And so we'll pull that back, everyone else
you should really be coming from the internet.
There's really, as we move things
to Azure, as all the Cloud services are there,
as all the apps are there,
you really do not need to be on the internet.
Or, you don't need to be on our corporate network.
>> You just mentioned now you just moved to the States,
and I think one thing from a geo-location sort of perspective
we don't necessarily think about
until you realize you work for a global company
is the network bandwidth at different places.
So maybe I don't need you to backhaul across.
You know, if you're in some remote location,
say in Africa, backhaul to Dublin
and then come in to Redmond
to get your data.
Maybe I just need you on the internet
with a point where you're actually local
and you can get a better bandwidth
a better experience, right?
At the end of the day, I think we have to balance
that tier of security versus user experience too, right,
to make sure that we have
we're not impacting them in a way that it makes them
not able to work but we're still ensuring that
we have that protection
that moves them forward into doing what we wanna
make sure that we do.
>> And this might be a good place for you
to maybe explain a little bit more about
Zero Trust Networks.
You mentioned that earlier.
Is that a concept that applies here
about internal threat versus external threat.
You know and how we just treat everyone as an outsider.
Even if they are internal users.
>> It really comes down to you know I said
it's not just the sort of the legacy networking mindset
of what Zero Trust is where it's that network isolation
of your environment.
But it's ensuring, and for us I think the way
we more think about it is managed versus unmanaged.
And what's the tiers of management that give me
the right user experience with the right security controls
on top of that, right?
I think what I like about working with Mike
recently, not that I haven't liked working
with you for a while.
>> We've been working together for a long time.
>> He came from the User Experience Team
or the End User Experience Team.
And so now that he's in security
he's bringing that experience with him.
To say you know hey guys here's a security control
that we have that maybe we need to make sure
we understand what that full experience is.
So taking this list of controls that I say
I have to do on these devices and applying that
to that user experience but again thinking about Zero Trust
in the way of managed versus unmanaged.
That's not just you know devices it's user experience too.
>> And it doesn't matter where they're coming in from, right?
So unmanaged versus managed, I could be managed
or unmanaged on the CorpNet that doesn't matter
your policies will decide the level of access that
I have as an end user.
>> Right, 'cause you know maybe everything
I access as an information worker
or a sales pro if I'm out in the field everything
I'm doing is you know Dynamics 365.
It's all Cloud enabled.
I don't have to be on-prem there could be.
We talked about Secure Access Workstations
which is our admin level.
But maybe there's some financial data
or some like that that was within Corp.
So I had to give that experience again,
so where it's looking at that not
just the network boundaries,
but the app boundaries as well.
So, right.
>> And one thing that enabled that kind of
walking through the slide here is we have
kind of built a robust reporting solution.
And so using Microsoft tools we've been able
to actually really develop
you know, what does it mean to look at the device?
To look at the health of the device?
To have that reporting in the back end.
'Cause really you want to rely on that back end
reporting solution to drive the behavior.
So everything from our service operations
to the health of the app, to the health of the device
all of that with those checks that are in place.
And then that comes to where we are today.
So you think about where we're at today.
We have conditional access released.
>> We do on what platform?
>> On iOS and Android, soon to be more.
But it's been a journey.
So you know I mentioned one of the just to bring
you guys into kind of Microsoft.
One of the big challenges we had remember
is the personal versus corporate.
Right? >> Right.
>> And so remember in that first slide, 130,000 employees.
But the device count way higher.
So what does that mean?
We have a lot of people that are vendors
that have their devices enrolled because
they want access to data.
So that kind of has helped modify and helped drive
our kind of conditional access model
in what we're building for people.
So in general, but if we don't know you,
if we don't know your device,
you're not getting access to resources.
That's really the point we're driving toward.
And then if you think of it from a next steps,
like where are we going from here?
Really, I think as I took over
the conditional access EPIC
for our team when I moved over a couple of months ago,
to our security team.
One thing is, I think,
I hear people talk a lot about conditional access
in what we're driving.
And so many people think about this
as a point in time experience.
And I think that mindset needs to shift.
I'm trying to shift that in our current organization
to say look, conditional access
is not the enrollment of a device.
It is the ongoing service.
You know, you mentioned OS updates in managing the device
and all the pieces the AV that have to be on that device.
If you're looking at conditional access as a service.
It means I'm looking at the new functionality
that they're putting in Android P, Q,
whatever they're on to next.
And I'm looking at the hardware that's coming out
with Samsung and other manufacturers.
And I'm saying look if there is a new security bar
for a platform be it Android,
be it iOS, be it Mac, be it Windows,
then I want to adopt that.
And when I adopt that that means my bar just got raised.
So I'm no longer gonna say
for example, older Android devices
that don't support certain hardware-backed encryption.
Guess what?
I ratchet up, you're out of the network.
That's a service, that's not a point in time.
That's a sorry you're on an old device.
You're gonna be moved off that device.
>> Well, I think that's important, right?
Because maybe we didn't have those controls
a few years ago in Intune
and we do have that capability now
to do minimum OS and even to be you know
manufacturer devices and stuff like that
to ensure that we are again locking down
to use that term the device types that
we're using in the environment.
So which is really important and a great feature
from a perspective of entrusting that device
to be able to access that data.
>> And also giving people or giving the end user a way
to remediate that condition.
A big chunk of conditional access,
is not just blocking stuff, but also saying,
giving a very friendly path to the end user
to say okay, this is the reasons that you've been blocked
and this is how you can remediate yourself.
And then to your point about not being point in time
as the conditions change,
that's when it will automatically evaluate.
Okay now you've remediated what
it was an update that you needed to do maybe.
You did that update, now you're back in without having
to call help desk, without having to visit
the tech link or anything like that.
>> Exactly.
>> And we've noticed our users are getting
a lot more familiar with that experience.
If you think about kind of the passwordless key experience.
I always relate this when I talk to people
I say, "Hey, do you use online banking?"
And they say "yeah."
I say, "Okay well, when you use online banking
"you have to have a key on the device."
Usually you have to view a picture or something
you have to put a pin.
You have to have a password.
You go through like three or four checks, right?
Well, our data is just as secure and just as important.
>> Maybe more. >> Maybe more.
So, people are getting familiar
with that experience right.
>> The marketing slides are really important.
>> Yes. >> Yes.
(all talking)
>> Let's shift a little here and just talk about
we're kind of wanna walk through
the management architecture.
This will be a little quicker conversation
but in terms of Configuration Manager plus Intune.
So if you think about that plus Cloud experience.
Where is that Cloud benefit?
We're in this mode today.
We're using Config Manager plus Intune
and we're gonna be there for several years
like any other service and infrastructure.
We have costs they are there
and it serves a secure purpose.
So even as we look long term
as we look at our HRE environment, for example.
We're gonna use System Center and use management
for those devices.
So we have Intune today, that's our primary.
Well from a PC perspective, one of the things
from a strategy perspective, we're moving toward
is Azure domain joined.
So we're going away from classic domain joined.
We've been on that road for actually a couple of years.
And what we have how many devices?
Even under management we have what 35,000 devices
in the Azure management stack already.
So we're well on our way to that.
So essentially we are going with
Configuration Manager plus Intune.
And we also wanna be there to help our customers
'cause we see this model as the majority of enterprises
are gonna be in for a number of years.
>> And I think one of the good things is it's goes back
to sort of that experience too, right?
Because if I am Cloud enabling users out in the field
to do stuff, having to figure out how to get to an on-prem
Corp environment to AD join your device
to get access to data, doesn't always work.
Especially we talked about sort of that field scenario
we will in sort of move away from having them come
all the way across the globe to get to some
authentication mechanism.
So having that enabled
so I can do that out-of-box experience.
Not necessarily 'cause I've got my Christmas present
I got the new Surface Pro 6 or whatnot.
>> And every three years you will.
>> Right.
Even if I had to reset my workstation, right?
>> Right.
>> To your point on, sort of, the service calls.
If I hit reset on my Windows box
because I'm having some issues.
But then having that experience at that
Azure Active Directory Domain join level,
to apply the conditions that I need to apply to that device,
to make sure that it still has what we want from
a security perspective on it.
Where I don't have to be you know again we still have
those environments where we need to be on-prem
with you know whatever that data is
whether that's the or some other confined device
that says you still have to be there,
it still has to be domain-joined,
still have to get the policies through Config Manager.
>> Yeah, when I see that architecture slide
that you just showed.
I mean when we talked to customers at the EBC
and when we're meeting customers all over the world.
It's not very different for them that reality
of that architecture slide is very similar
for our largest customers.
And also our smaller customers
just like it is for Microsoft.
So it's a reality that we're here
and they're designing, they're building the solutions
to address that reality of it will never be internet only,
it will never be on-prem only,
but it'll be a mix of the two.
>> Well I like that, exactly, we call it Internet-first
because that's the first point that we wanted
to come through, but there may be additional points
that you have to come in through after.
>> Absolutely.
>> And I think I stole your thunder on the next slide.
>> No that's all good,
I think we touched base on quite a bit of this
that security management, that self-service experience.
Really more users are just getting more familiar
with how to operate.
And that's one thing I wanted people at least
our audience to think about.
Traditionally a lot of people just from an enterprise
perspective have this of listen,
I have to hand-hold my customer.
I have to hand-hold, I have to white-glove treatment
with everything they do.
What we're finding is the reality like
Azure AD joined, we didn't advertise
for people internally to go do that.
It's not like we told the masses at Microsoft
yes we're going to do that,
yes we have a plan we're gonna do that
very soon here at Microsoft where everyone is by default.
So we're enabling those back-end processes
to make Azure AD our first process
but we haven't done that yet.
Meaning without doing that we have 35,000 people
that have said look this is the way I want to go.
>> Exactly.
>> Now granted people at Microsoft
are a little ambitious and they tend to do things
even without us wanting them to but it just proves that
users are starting to get into that self-service mode.
They see where it is they wanna go to the Cloud
and then they look at the controls.
Do I really need full CorpNet, on-prem,
Domain joins, the way iO is always ran.
And the answer we've done this with
a number of people internally.
We actually have a bit of a challenge, right?
We have a number of people in our org
and in our user experience
org and in our security org.
Where we've told them look go join your machine
to Intune, put it in Azure or put it in workplace join
and go test it out.
Like tell us what you can't do
'cause we want to find out
what you can't do versus,
we know what you can do, almost everything.
And the answer has been yeah 99% of their job
if they're an information worker, if they're a PM,
they can do their job 99%.
They do not need access to CorpNet.
Which is why we're taking it out of those small offices.
So that's where we're going.
>> So I think on the next slide, I think
what I want to make sure we also get to is that
it's not just Intune.
And it's not just those conditional access policies
but that ecosystem that has to be behind that
in order to support what we're trying to get to, right?
We talked about telemetry so, we talked about
Advanced Threat Analytics, Azure Information Protection.
Being able to tag and classify those documents
to ensure we have the right capabilities.
Then using Cloud App Security to monitor that document
as it's going across the network.
Like, maybe I've tagged it appropriately,
but I'm trying to send it to somebody
who doesn't have access to it outside the company.
So getting that visibility,
that telemetry to see what was going on with that.
I mean, I think we have a write-up on IT Showcase,
about a time where it was not necessarily,
like, a threat that they did it,
but it was an accident and it was caught
before it got too far out.
We'll have to see if we can dig that one up, actually.
That's a good point, 'cause I mean
there's times where maybe you've been working with a vendor,
and you keep working with them,
but then you all of a sudden change the vendor.
And so you send the old one by accident
and you're like, oh wait a minute,
I don't think you meant to send that document
to that person you just sent it to,
'cause they're no longer in your
tent of responsibilities, so.
But again using that whole ecosystem
as what is driving this and then I think
that's important to understand because it's not
just applying Intune policies.
It's not just conditional access.
It's not just you know Config Manager.
There's this whole ecosystem has to sit behind that
in order to support this.
>> And it brings us back to the stool
the three legged stool.
The fact that it is not just a concept
it is not simply you trying to explain it, simplifying it
but if you look at the way the solution
is designed, it is designed to really work together.
And not just be there so it's not a suite
for the sake of being a bundle.
You're not saying okay if you buy the EMS
or you know you buy this license it's cheaper than buying
them standalone.
Which it is, but the fact that they actually work together.
>> Yeah, and then you really need it to work together.
I mean I think that's the key and I think
we've seen at least in the three years I've been here.
This enhancement of this environment
I think maybe this story is just how improved
we've sort of gotten 'cause I think
just looking at where we were with
the thou shalt not have a non-Windows device,
to now we're at this, you know, fully managed iOS
and Android,
conditional access. >> 160,000 of them, boom.
>> Yeah, 160,000 devices that if you want
to access corporate data on that device,
you have to be managed.
I think that's to me that still sort of blows me away
when I think about the fact that that was the first
environment we were able to tackle
and I think we tackled it very well.
>> And as a relatively new end user
I can attest to the fact that it's pretty seamless for me.
Like the fact that I you know I just come in different
company and it all just works.
And now that I do this as I learn more about
our different technologies I notice
how they're all working together.
Like a simple example, if I may, the fact that our intranet
access is just so seamless, like, it took me months
to realize that, you know, what I never really
double-click anything to get into my VPN.
Like when I go to my benefits page
or my you know, what we call the Microsoft MSW,
it just worked.
And it took me months to even realize how seamless
that whole experience was.
>> Well like so Mike talked about having an understanding
of your applications, of what's available,
what's not available.
When we first started doing the Internet-first
roll outs we actually started blocking
and only driving people out to the internet
and a handful of offices of which I was in one.
And you start seeing experiences
like I can't get to my HR data.
I can't do my time away.
I can't actually look at how much vacation time I have
to take before the end of the year so I don't lose it.
And then figuring out what those experiences are
to your point Mike and understanding then,
how do I actually enable the user to actually
have that experience?
So using things like Power Apps to do all of
our HR systems through.
So I actually have that time-away reporting
and the visibility there.
>> Awesome, and do you mind taking a few questions now?
>> Yeah, please.
>> We seem to be getting them by the dozen.
>> Love to.
>> One of the interesting ones I see here
is about the benefits of co-management.
So what people want to know especially
if in your own experience pros and cons
of going towards Co-management.
>> So the huge benefit is you don't have
to kind of redo what you've already done.
So one of the big challenges we had
so for example, when we first looked at it.
The very first thing we did is a policy true-up.
So if you look at Config Manager we had literally
800 policies across our environment.
And so we kind of said look,
let's take all those policies,
we did the evaluation, we used the tools from Windows.
And then the next step we said, is which of those do
we want to be an MDM?
Like which ones do we really need?
I think a problem that people
and this comes back to your mind shift, right?
If you think that moving to the Cloud
and moving to MDM management
and moving that direction Internet-first.
If you think that's a lift and shift of all the policies
that you currently have, that's wrong.
>> Right.
>> That is the wrong way to look at it.
What you really need to say is look,
they're on the Internet, what access
do they need to resource to or what resources
do they need access to?
And then what controls do I have to put in place?
Because even internally Carmichael and I
fight this all the time with people.
They say "Well, it has to be like this
"because this is the way we did it on the domain."
We're like but they're not on the domain
and we don't want them on the domain.
>> When I think when you create the FAQ
for the user experience when they're
like why are you doing this to me?
You don't show 800 GPOs, you show that standard
like this is the operating system standard
and these are the you know eight to 10 things
that we have to apply to that machine.
There's a lot of context behind that
and it could be Config Manager,
it could be GPO, it could be Intune policies, right?
But just showing them that set of these are the things
you know kind of back to that device health slide
is these are the things we are doing on your device
and require be done on your device,
you don't have to know what the back end of that is.
So having that experience sort of at that boundary
of what do we really then tell the users that
we have to do on their devices?
That's a good point.
>> And a second piece to that is,
this is what we're not doing on your device.
>> Well, that's the almost the more important piece.
(all laughing)
>> The user feedback we got was really clear
during our iOS and Android.
People are almost more important
or more interested in what we're not doing.
So we're not looking at your photos,
we're not looking at your web browsing.
We're not looking at your cache on the device.
We're not getting your password
to your Hotmail or Outlook account.
>> We're not doing a full device wipe when you leave.
>> We're not wiping your device stuff like that
so that's super important.
>> And that's part of the product now
so I know that we actually we re-did
all our product screens to make that
very transparent, very user friendly
so that it's not for the IT department
to have a custom solution
to reassure users, but it's in the products.
>> Absolutely.
>> Another interesting one
and I would like to know this myself is when
do you think you have solutions
to manage even the meeting rooms like Surface Hubs
and things like that?
Do you guys have plans to manage that as well?
>> So I think we do and so let's use Surface Hub
as an example we actually do have policies
that we can use through Intune to manage those
and I know Mike and I we worked on that for a while.
Kiosk machines too, right?
And we have iPads outside of some office,
some rooms that actually control information there.
So there's sort of that kiosk policy experience
that we can use through the same set of tooling
that we have to manage those devices.
I think there's still some of those
additional IoT things that
we're trying to work out.
I mean we have a standard we have a list of things
we want to be able to do on those devices
but you know getting kind of back to what my team does
is okay, how do we actually do that?
Working with your team, the product team.
Whether it's you know Intune or whether it's Azure IoT
or some other group to ensure that we can actually do
the effective controls we need to do on those devices.
So there is work in progress for sure.
But I think you know sort of again,
fundamentally understanding what is it that
the device needs to do?
Who's gonna be connecting to that device?
And what applications, things like that, run on it.
So I think having that minimized hub
experience with a set of policies that apply to that.
>> We're doing it today.
>> Right, and I know people like to know Roadmap
but that's something that is definitely exploring
how what role does IoT really play in the enterprise?
Because if you ask someone, what is IoT?
The answers would be all over the place.
So really nailing down what it means to the enterprise.
I mean you know is it just your Nest thermostat,
or is it something else?
We are really exploring that
and I think in the next few months
we will see much more targeted solutions around IoT
from the EMS Intune.
>> Well, and I think you're absolutely right.
Because I think that's one of the things
even internally we struggle sometimes is when I say
what is IoT?
If I go talk to our corporate real estate team IoT
is all the building management systems.
It's the thermometers in the rooms.
>> The HVACs, yep.
>> The HVAC systems.
It's the elevator controls.
It's you know, those various things versus
if I walk down and see a Harman Kardon Cortana
device in somebody's office.
That's doing you know, hey what's my next meeting
or something like that, right?
So I think there's different experiences
depending on who you talk to and I know
when I will get my coffee pot in the morning
I wanna make sure it's set to the right temperature,
and I've got my cup of coffee
when I'm walking in the door, so.
>> Right.
>> But enabling that and you know getting kind of
to that trusted boundary again right, is okay,
but what of those devices do we trust to have access
to what areas of the systems, right?
So we don't have you know your coffee pot talking
to the building management system.
>> Highly confidential.
>> Exactly, how do you classify those, right?
>> And we have time for probably one last question
and I see people really sort of doubling down on
this question.
So I'm gonna ask you this one.
It's almost asking you again what are some of
the biggest challenges when you try to flip
on co-management or when you try
to do this SCCM plus Intune?
Is there something you can share without marketing it?
>> Yes, I think one of the things,
and maybe Mike, you can go into more details.
I think just at a high level
it was doing that mind shift of taking
SCCM first to Intune first, right?
But then using Config Manager to still manage the policies.
'Cause I think one of the things we were originally
thinking of and again maybe this is our buddies
a little bit was is the challenge was
maybe how do we get the full device management
in the Cloud from that that layer.
But we realized that there was a lot of gaps in coverage
kind of back to what I was talking about
with the risk management, right?
So there's still these gaps how do I control those gaps.
We had a tool that already existed Config Manager
that was doing a lot of that for us.
So bringing that along to say
I'm still gonna do device management with Intune,
but I have to have that hybrid environment
to have those controls there.
And I think you know maybe even from
the user experience side you can touch that
a little bit but making sure that we have those.
>> Yeah one of the gotchas, from a perspective
that we learned, and this is probably
a good tidbit for our listeners and people today.
If you look at the application policies
that you have in Config Manager.
I mean we've been running Config Manager
since its inception right?
So you think about kind of like GPO
everyone likes a GPO and they're like
yeah I have 5000 GPOs sitting group policies
running and it's just a mess.
Well, our Config Manager was a little bit that way
for us to be honest.
And so when we started to move to the Plus Intune
and started to migrate over to the hybrid.
What we realized is we have a lot of clean up.
And so I think what people need to learn is
you need to kind of take a step back
and look at your application, your provisioning policies.
To me that's the real lesson.
>> Exactly.
>> That's the real meat and potatoes of
how am I gonna manage this?
Because if you don't take a step back,
take a hard look at what policies are conflicting
or going here.
For example, look I have an app
that's for people in Ireland,
but yet you're publishing it to 200,000 people,
to everyone, because the app owners
or the admin said, "Oh, I should just go to everyone."
Well, how many of those can you have in your environment?
>> A lot. >> A lot, too many.
(all laughing)
>> And while you're unplugging things
so we've got solutions like security baselines
coming in now with Intune that let really help you
to figure out okay this is what I really need
using the power of AI and machine learning.
Which was in fact another question
that I'm afraid we won't have the time
to cover today.
But again it points to the fact that
it all works together and it's really trying
to simplify the IT person's job.
And maybe that's what you could share with us
as some of the key recommendations
because we are almost at the top of the hour
so if you'd like to maybe go there
and leave something that people can now use
to go and do this themselves.
>> Yeah I mean I think for sure,
and I think we've got the slide up on the screen
where it's go back into that EMS view,
of use what you have licensed for,
and make sure that you understand what that is too, right?
'Cause I think when I go
to the Executive Briefing Center
and I talk to customers they don't necessarily
even know what they have
or what they're using, right?
Or what they have the ability to use.
So just understanding exactly what you have
and what you can use.
And then applying sort of that policy-level mindset
to your point Mike, understanding
what your existing policies are today.
And then how do you carry those forward
into this sort of new environment?
Where can you supplement with the more modern controls?
Where do you still have to have those legacy controls
that you still need to and require to be on those devices?
And then you know again I think
that covers the sort of group policy mindset too which is.
>> Yeah we've talked about that.
>> I've heard anywhere between 5,000,
8,000 group policies. (laughing)
That we've had to do from the day
we turned on group policy, and of course the guys
that were originally doing it aren't with us,
they've retired since.
So understanding we don't even necessarily know
what some of those group policies are.
>> And again, you're not alone.
>> Yeah exactly.
And then I think Mike, the planning those phases, right?
I mean the EPIC that you own.
>> Yeah I mean you have to take it in chunks, right?
If you look at conditional access
for example we focused on iOS and Android first.
And now we're focusing on Mac
and next we're gonna focus on Windows.
Windows is a challenge internally here
because if you can imagine we run
every flavor of Windows there is.
You have people running server,
you have people running client.
You have people running N plus one in beta builds.
You have people running legacy builds.
Out there five, eight, 10 years for our customers.
So, you have to kind of build all that into something
that's consumable for your users.
>> Yeah and I think what you know sort of on that
legacy OS perspective we you're actually doing that
because we're actually supporting some of our customers
that are still running that too so we can't
just shut those things off through policies
and say you can't use that anymore.
But having that sort of understanding
exactly what they're being used for.
And then maybe creating that sort of an environment
that they can work in back to sort of the Zero Trust
and thing.
Where maybe they're not on the production environment
maybe they're in another supporting environment.
>> And then the other thing kind of
the last point here on educate and connect.
I think from a very high level
you really need to have a culture discussion
at your company.
You know here at Microsoft we are changing the culture
drastically from what it used to be.
It used to be a very entitled conversation
no I expect I'm an administrator.
I expect I can always do this, I have full access
to everything that's very different
than say going to the other end
which is say a just-in-time model.
Where I provision you only administrative access
when you need it and it's only for two minutes.
So it's a very different mind shift
and so I think people should look at that
as well in their environment
and say look from a top-down level,
what do we need to change from the culture.
>> Well they even to that point right
just even within our iOS and Android
the rollout was right getting them
to understand that you don't have
to be on the corporate network.
The reason why you were using Corp Wi-Fi
was because you were connecting
to the internet through that
and that gave you that you didn't have
to use your data on your phone mindset.
So, you know maybe you don't need to be on that network
with your mobile devices.
Maybe you can be on sort of that
internet facing Wi-Fi too, right.
So that the culture is a huge one for us
that we had to get past.
>> In fact that question came in
as you were talking about that.
About what advice from your experience
will you give to work with the old guard?
You know that person entered that in quotes.
How do you go about proving this
and introducing it as a pilot.
Because I'm sure it wasn't all you know
roses and champagne when you were trying to introduce this
through such a large organization.
So any tips you can share on that?
>> So I think it kind of going back
to when we were first talking about
the iOS and Android rolling out.
I think it's important to first understand
what the security policies are and work that
out within your own environment.
So within the SRE we made sure we understood
in partnership with our End User Support Organization
when Mike was over there at the time.
Understanding exactly what that meant to apply those
before we went forward with it
and that already builds your then resource kit
for your FAQs and things like that
to say here's what we are expecting to see
or what the types of questions you get.
I think then it's then reaching out to some people
you're happy with and honestly
when we started doing the testing
is we noticed that just even within
the Office suite of apps on those devices
there were some issues.
So rolling it to those engineering teams
to have them see the experience of working with us.
Now that's a benefit maybe our customers can't have
but when they deploy this they can feel
like we actually had to go through that,
so we've pushed that to our Office team
and partnered with them to ensure
that the experience was good right.
So I think within your own environment
if there's people that
you work with on a day to day
or if you have an application
that you have to make sure critically works
on those devices, work with that team, onboard them first.
Make sure that they understand the experience
that's about to happen in that application.
Because the other piece of that is it then
allows them to build the muscle to help support
their customers
When that application has issues
when they're trying to enroll too.
>> I like that so I mean have an FAQ handy
that can address the sort of mainstream questions
and then work with probably
the more critical team first.
So that you get the hard piece out rather than
maybe go for the low-hanging fruit of doing it
for the least.
>> Which is the opposite of how we typically.
(all laughing and talking.)
For years it was, oh, go for the easy wins first
and then kind of build up to the harder ones.
And then you end up with this long tail of five,
10, 20,000 people with an exception or something like that.
We took the opposite approach and said
let's go to the hard stuff first.
Let's fix that and then all the other stuff
is gonna fall in line.
>> Yeah and I think just one last thought on that,
'cause I know we're about
to run out of time here, is privacy.
Make sure you can work with your legal teams
and then figure out exactly what you need, what you can
and can't do, and what you can understand on the devices, too.
>> Excellent points.
I mean a lot of this has been really educational for me
even though I do this for a living
and I've been working with you for so long
and I hope you guys had a great time
and you learned something completely new.
The on-demand version of this webinar
will be posted soon to microsoft.com/ITShowcase.
So that's IT showcase.
Where you can also find the related content
like case studies, blogs and upcoming webinars.
I already shared our Twitter handle with you,
so if you'd like to interact with us
it's the @MSIntune Twitter handle.
And then if you want to just review some of the concepts
that they shared today you should do that
on the on-demand webinar.
Send us questions if you have more questions
and then join us for future webinars
where we can answer more of your questions
and make sure to bring your colleagues with you as well.
So thank you so much.
Thank you Mike.
Thank you Carmichael, and have a great day everyone.
(music)
>> Hello again and welcome to the extended Q&A
session for the How Microsoft
is Modernizing Device Management Webinar.
We've received many great questions during our webinar
and wanted to make sure that we address
as many of them as possible.
So let's get started, with me here
are again Mike and Carmichael.
So I'm going to throw some questions at you
and then maybe you guys can help me answer them.
>> Excellent.
>> I'm so happy there's a lot of questions.
>> I know bring them on, that's good.
(all laughing)
>> So the first question I have here is
how is AI (artificial intelligence)
or machine learning implemented in the product?
Do you guys have any experience with that?
>> Probably the easiest example
is the use of the Graph API.
So pretty much we've migrated
almost all our reporting solutions
from the Intune perspective over to Graph.
So, if you remember Graph came up
what about a year ago in February, I think so.
And once it did that we actually moved most
of our reporting solutions to a Graph API.
And so, now it's just ingrained into what we do.
So if we need any new data
we pull it into our data lake.
We use Graph API we pull it in
and then we evaluate on that data.
And we've even used some of the different analytics.
So depending on the license you're at,
so for the Office telemetry,
and the Windows telemetry, depending on what
settings you're using right?
We've actually been using that telemetry
for example, in our Office product.
We actually used it
and we said we have a ton of versions of Office
in our environment like ridiculous amounts of versions.
And so we said look let's look at the AI capabilities
and build out the story.
And we didn't just look at versioning
we're actually looking at the behavior
and we're actually using the AI
to say what's the behavior on specific builds?
And then we can actually make a determination
what we should do on those builds using that AI
to make a determination for the best experience
for our internal users.
>> And I brought back up the EMS slide
that we love to use from you guys.
Because I think to Mike's point
with the telemetry when you have it things
like Advanced Threat Analytics
and then applying sort of that telemetry ingestion.
So I can apply some machine learning
to that to make a determination.
I remember talking to a customer one time, they were like
hey, we turned on ATA,
and all of a sudden we had a whole bunch of alerts.
Because our users were globally traveling,
it's, you know, the Superman scenario, right?
And it wasn't necessarily because their user
was actually doing that it's because resources
were globally dispersed.
So applying some of that learning
to your model to say okay
if my database is in Singapore
and my user's in, you know, India.
Ensuring that that doesn't seem
like a login event happens here,
but the login event on O365
is happening over here, it's the same event.
So I'm getting that correlation
of using that machine learning.
And I want to make sure we have that distinction
between AI and machine learning, right?
Because AI could do some additional things
but there's that layer of machine learning itself
that needs to be applied through
those telemetry gathering sources too, right?
Because there is a bit of a distinction
between what is AI and what is machine learning.
And then the one of the most important ones
sort of again, from the security perspective,
would be that Advanced Threat Analytics
or the Advanced Threat Protection.
Right, so that malware and that EDR
sort of detection on most devices,
when we go back to the health of the device.
Is ensuring that we have that machine learning,
that artificial intelligence,
that's looking at all the events that
are occurring from sort of,
that layer of security protection,
and making that determination on health of the device so.
I think there's definitely places
that plays not just within their own
ecosystems but in the ecosystems we support for them
to apply that logic so.
>> Yeah, and in case somebody doesn't know,
all of this stuff is available
to all users, or to all customers I mean.
So things like Graph API.
It really exposes everything that we do
the entire Intune product is available through
the Graph API.
So you as an IT administrator or as an IT organization
can build the same tools
or whatever you want using all of those graphic designers.
So it's not a secret sauce
that we have here; everything that we do
you can replicate yourself.
And there are blogs and articles that talk about that.
So I think that was a pretty important question
so thank you for asking and thank you
for answering that one.
Switching gears a little bit towards
a more of a management question.
So this is asked by someone who says
currently there is not a way for Intune
to change machine association
without resetting the device.
Is there a plan to make this easier
when devices move around?
(all laughing)
>> Well, so there's also a flip side of that scenario too
which is the multi-user scenario, right?
So if I have a device that has multiple users
that have to log into it.
And I think there are experiences that
we're working on, because even within our own environment
we have to support that, and Windows Hello
for Business with Azure Active Directory
are really trying to figure out what that works for, right?
I don't know if that's necessarily Intune
that's managing it.
Right, because that identity
piece is AAD, and that's a great distinguishing
thing we have to do here.
Is there's multi layers and we don't necessarily talk
about the AAD layer of it.
But AAD is really what's doing the conditional access, right.
So identifying the user making sure that
they have access to that device
and access to the data.
So I think there are, like I said,
there are workflows that we are working out
to try to get sort of that multi-user device
tenancy on that so I don't know
if you have more information on that Mike or not.
>> No, I mean I think you covered most of that.
>> And I think that's a good kind of roadmap type
of discussion; it's something
that we've heard a few times. There
are definitely security reasons
why we do it that way.
But then there are management reasons
why we could make it a little bit better,
and that's something definitely that..
>> There are things like device groups that are coming.
That have already been worked on and announced
in both Azure and in Intune
that's actually gonna enable
some of that separation.
So we are actually looking at that
in terms of how do we put device policies
on specific device groups based upon specific attributes?
So if a device changes well, the device group would change
ergo the policy would change.
And so we are starting to build out
those workflows internally
and that's a work in progress for us
over the next six to eight months.
>> I think some of the programs
like the Apple DEP program
and the Device Enrollment Program
and the Android for Work that's coming,
as well as even our own Autopilot scenarios
where we're embedding the sort of that
device identity into the system.
And then being able to manage the device, is sort of that
distinguishing factor, aside from just the user.
I think that's one of the things that
we sort of lose sight of is the, I'm done
with this device, now I want to hand to somebody else
kind of things.
When they log into it what does that experience
look like?
>> Right, right.
Yes and I believe we also have
this user-less device concept now.
So if you're really talking about just a device
that is used to be on a retail shop floor,
where there is nothing personal
about that experience.
You know, you're not checking email,
there's not calendars.
So then you do have a way to enroll it
as a device and there is no user associated
with that at all.
>> We've talked about the Hub experience.
>> Right, exactly.
>> And the Kiosk devices that we have today.
>> The Kiosk devices.
>> We have 500 of those across the globe today.
>> Wow. >> That we're managing.
>> Which we are actually managing?
>> Yeah.
>> Wow.
Okay.
>> When you come to a Microsoft Building, when you log in
those are all Intune managed.
>> I did not know that awesome.
>> When you want to request a shuttle between buildings.
>> All right.
>> That's Intune.
>> And that is amazing again, a very..
>> I think it's a good distinction though,
because I think we focus again, and I'm happy
that Mike came over and joined me on the security side.
So I think we maybe have taken a bit of a security
approach to this topic today.
But understanding device management
does definitely play a role in that
and then what is that sort of TCO
at the end of the day that when we apply that logic
to its perimeter of controls that we need to establish.
You know we talked about the scenarios of
being able to sort of dismantle infrastructure
in global offices,
because we're making their experience better
by putting them on to the internet directly.
But giving the right level of security controls.
So they don't have to backhaul through
you know another location to come back to the US
to get access to data.
So I think, you know, some of the things we talked about
in the closing of our session were those recommendations
of understanding what you have and what you have licensed,
'cause that's another piece of that management puzzle,
of whether you get that TCO.
If you have this list of things
and maybe you're not in the right
or maybe you're not in the highest level tier of EMS
and you know the fact is sort of the marketing.
But you have access to a lot of these things
just at the base level of EMS.
I'd talk to people about Azure Information Protection
a lot and the capabilities you get there.
Even if you just had the default out-of-the-box
AIP experience, which you get as that baseline
at the base level of EMS.
Just applying that logic and getting that
learning value out of that, right?
And you talked about just teaching people
or that culture change of getting people
to understand what it means to start tagging
your documents and what not, right?
So maybe you aren't able to auto-tag them,
but just teaching them and getting that culture shift
in mindset of what it means to be
at the different classification levels.
And I think that's a great way to start
and just sort of get the mindset shift
that culture change that you need
in your environment is to start at that baseline
of just experience.
And I think that's when we talk about device management
it's almost experience management.
We really have to talk about because
it's understanding how they're accessing the data
and we talked about that a lot.
Which is you know maybe they just need to come in
from OWA but we don't need to give them
a full experience through Office Web Apps.
We just need to give them the email
'cause that's really what they're there for
is to check their email 'cause somebody said
I sent you an email I need you to check it kind of thing.
>> Or look at their calendar.
>> Or calendar. >> More often.
>> That's what I was telling somebody the other day,
like the first thing I do before
I go to bed is I look at my calendar
to make sure what clothes I'm wearing for the next day.
So I don't show up with the wrong shirt
for this session.
(all laughing)
>> And again I've mentioned this earlier
but I'm, as an end-user, I always find it
to be one of the least intrusive IT experiences
at Microsoft.
So even though I know that a lot of things are controlled
and you're providing me that secure shell
to work in on a day-to-day basis I almost forget
that there is technology that I am dealing with.
Or I have to remember that this is what I am allowed to do
and this is what I'm not because
I know the system will take care of it.
If I'm sharing something that
I'm not supposed to, it will block me,
I don't have to think about it as much.
>> I chuckle a little bit because when I started
about three years ago the enrollment experience
was much different for enrolling a device.
(all talking and laughing)
>> I'm thinking of our friend Clay Taylor
who's now on the product side
and the floor-to-ceiling maps they created of
the workflow for enrollment.
Just to describe what that process was
instead of you know having a PowerPoint on there
you literally would walk into the conference rooms
with these sheets of paper and unrolled
it would roll down on the floor it was pretty funny.
>> That's what gives him street cred today.
And now he starts every EBC with that story
so that's how he gets his street cred
so that wasn't a waste.
(all laughing)
Talking about stories in fact the next question
is about is from a person who says "I'm one of the people
"who likes to read and study before I do."
So they're saying the Microsoft environment is so huge
I would like to see the big picture
and how the different services fit together
so I have a two-fold question.
The person has a two-fold question.
"Where can I go to get that detail overview
"to understand how things interact.
"And then where to get the detailed knowledge
"on a service and how to implement it."
>> So this is a great question
'cause you know we've sort of been reevaluating
Zero Trust networking and what we're doing with it
in the last few months.
So like this person that asked this question,
I was doing a bunch of research
to see what that really meant
through the product, marketing stuff.
So we have an internal resource that we can go
to look at a lot of the Roadmaps
and just the way you guys describe things
on the product side.
And there's a cybersecurity reference architecture.
I would suggest looking at that
I think one of the things that I like about that
is that it gives the entire ecosystem
from a security perspective and again
it's my area of focus.
So it actually shows you not just the device
and the user but the application tiers,
the Azure, your back end, your data center.
It shows that whole architecture
of what you really need to be thinking about
when you're applying this.
'Cause it's again it's not just Intune and a device
it's this whole architecture you have to apply around it.
One of the things I also found was the
I think you guys shared this publicly, is there's
a sort of Zero Trust with conditional access,
PDF that sort of shows that
at more of a contextual layer
for a customer to understand.
What the conditional access workflow
is for that Zero Trust.
And you know I would be remiss without
mentioning our IT Showcase friends and the work that
we do there and a lot of documentation out there.
>> And I believe we can show the links
to that you have that a couple of slides down
I don't know if you want to put that up.
>> And, sorry, but I know even so,
Carmichael Patton on LinkedIn,
I've got a few documents that we published through
the IT Showcase there.
There's a document called Cloud Connected Client.
Which is the summary name of that 'cause
it's actually a longer name.
That talks a lot about sort of the future state
of what we've been envisioning from the Zero Trust
that my team put together about a year ago
and we have some other documentation out there
on this topic specifically.
As well and it's on the resource side
and I think we just pulled up here for you to look at so.
>> And I think from a management point of view
we've also been very transparent in sharing some
of the challenges that we went through.
So I remember Brad Anderson, who's our CVP,
he did a series of blogs that spoke about,
how did we internally go from being
a very on-prem managed even product
and service, to being a globally-scalable Cloud seller?
>> And that's a good point because I think actually
Brad and Brett Arsenault, the CISO,
just did an in-zone YouTube.
>> Oh there's a platform, must watch.
>> That, yeah, I think Brett even mentioned that
we're the second-largest Mac shop in the world.
So back to sort of our device ecosystem.
>> And it's and it's true I mean I was personally surprised
to know but when you explain
why we are such a big Mac shop,
it's not at all surprising.
>> Yeah it's actually good points
so I don't know if we really talked about that
because when we go into that user experience
and being able to manage those devices.
We support applications being built on those devices
until the culture change.
What I've been impressed with just in the three years
I've been here and of course I came in after Satya
was already the CEO.
But we have gone from this point of everything as Windows,
everything is developed on Windows.
Everything has to be Windows to you know what
if you're building an Office experience on a Mac.
You should be on a Mac and understand
what that experience looks like.
>> Absolutely.
>> If you're building it for iOS, for Android
you need to understand what that experience is.
And I think that culture itself of
sort of getting the engineering teams to ramp up
and understand that if you're doing these things
you should be experiencing that.
But then we have to be able to enable the back end
of that to ensure that we have the right controls
on those devices from a security perspective.
But I think just that culture change
that we touched on earlier is a huge piece
that we need to be mindful of.
>> Excellent and with an excellent question
I think that really you know hit at the heart
of this conversation.
I think it's time to wrap up.
Thank you Mike and Carmichael again.
Thank you to our audience for these amazing questions
you know, keep them coming,
and I believe now we can wrap up.
I hope to see you again on the next webinar.
Thank you everyone, bye bye. >> Thank you.
(music)