Month: June 2019

Microsoft Intune Review: Putting It Up Against MobileIron

The world we live in is changing at an amazing pace.

The innovation enabled by the rapid growth and worldwide adoption of the internet has been absolutely incredible. Surely that’s no surprise to anyone connected today, but let’s take a moment to put into perspective the jaw-dropping number of connected devices.

One of the trendiest buzzwords to hit the market today is the IoT (Internet of Things). The IoT is exactly what it sounds like: a collection of devices that connect to the internet.


This could be anything from your Nest thermostat, that Tesla roadster parked in your garage, or the far more common smartphone sitting in your back pocket. Sounds like that could be a lot of connected ‘things’, right? Well, as of 2018, the IoT was a $151B market with 7B connected devices and is expected to reach 10B by 2020.

What exactly does this have to do with MobileIron or Intune? Well, as the number of connected devices skyrockets, organizations are scrambling to protect their data, which could invariably find its way to those devices.

Traditionally, a business would view its datacenter as the security boundary. But as we move into a more cloud-first, mobile-first world, that simply is no longer true. We need to ensure that data is protected, regardless of which ‘thing’ it ends up on. In order to accomplish that, businesses are transitioning to unified endpoint management (UEM) solutions like Intune and MobileIron.

Let’s dive into this Microsoft Intune review.

Application Management

In the past, companies would use device management solutions to enforce strict control over devices before granting them access. Sounds good, right? Well, what about situations where end-users bring their own devices or try to access your data from a device not owned by your company?

Sure, you could choose to block those devices but that means you’ll need to provide those users with devices to work with remotely. Even in that scenario, most individuals would prefer not to carry a personal device and a work device.

Modern management solutions take that struggle into account and allow application-level control of your data, regardless of what devices it ends up on. This is where solutions like Intune or MobileIron shine. They allow you to ensure that data you’re putting on a specific device stays on that device.

Mobile Device Management allows you to separate and secure corporate data from personal data.

You’re able to enforce data encryption. You’re able to ensure the data can’t be moved to an unmanaged location. As an administrator, you are able to effectively remove your data from that device when necessary.

Comparing Intune versus MobileIron in Managing Your Data

Now let’s take a minute to compare both Intune and MobileIron when it comes to managing your data on end-user owned devices (BYOD). Both solutions offer great functionality here; they grant you the ability to ensure that your data doesn’t leave the application that it started in. No copy/paste, no save to the device, no save to unsupported cloud locations, enforce encryption, etc.

The problem is that both solutions require you to use their client (Outlook, OneDrive, Apps, Docs, or Mail+). Things like the default applications in iOS and Android are out of the question due to a lack of SDK (Software Development Kit) support.

MobileIron struggles here because typically, in order for you to actually get the required app, you need to enroll the device and enforce a wider area of control. More control than some individuals are comfortable granting to their employer over their personal devices.

Intune’s MAM

Microsoft’s Intune allows for application management (MAM) without enrollment. Simply use the Outlook app (or OneDrive, SharePoint, Box, Dropbox, etc.) and sign in from any device as you normally would to access your data. At that point, policies created by the administrator are enforced on the application itself and not on the device. Again, the goal here is to prevent someone from taking sensitive information, copying it directly to their iOS mail app, and forwarding it outside of your scope of influence.

Intune MAM separates and protects your personal from corporate data.

Consider that the Enterprise Mobility and Security license required for Intune also includes Azure AD Premium for auditing and reporting in Azure, as well as Conditional Access to restrict access or require multifactor authentication, and it’s a pretty compelling argument for Intune.


Device Management

Management of the device as a whole is a little easier to accomplish and has been an industry mainstay for a decade. Both Intune and MobileIron are excellent options if you’re going to require all devices to be enrolled and managed centrally.

In fact, MobileIron was selected as the industry leader by Gartner in 2017. The problem of needing specific applications on the device to access the data is easily overcome by simply pushing the required application to the device in question.

Of course there’s more to working remotely than just using applications; you’re also able to push configuration, like WiFi profiles that let devices connect automatically to the office WiFi, or deploy certificates to the device to allow a more secure, seamless sign-in experience when users open up their work apps.

Requiring enrollment is the big gotcha here. It’s difficult to require an end-user to enroll their device; after all, it is theirs. And what happens when one of those 10B other connected devices is able to be integrated in the near future (here’s looking at you Alexa, Cortana, and Ford)?

Trending Forward


While MobileIron may be a great option for mobile device management today, there are some glaring limitations that they need to address. Today, MobileIron is truly only an MDM/MAM solution with Android and iOS in mind. It struggles with cloud integration for the directory, which means that the future is a little murky when there may no longer be an on-premises ‘identity’ for your users.

It also doesn’t have a way to integrate Windows devices (or platforms that may operate as ‘dumb’ devices, like Alexa), which will be a key differentiator in the future as more and more of those IoT devices make their way into the business landscape.

Intune is already built with Azure Active Directory as its backbone to provide conditional access, multifactor authentication, and all the analytics and telemetry you need to find out who signed in, how many times, and from where.

Microsoft has positioned Intune as the clear replacement of System Center Configuration Manager (SCCM) for modern endpoint management, all while allowing for device co-management with SCCM still in the picture to handle legacy endpoints.

Intune Takes the Lead

Not only has Microsoft built a solution in Intune that disrupted the enterprise mobility market, they immediately doubled down by partnering with other major players to ensure that as the industry evolves, they’ll not be left out.

Now all this isn’t to say that MobileIron (or any of the other current solutions) isn’t an excellent answer to the problem of securing your data on mobile devices. MobileIron scales incredibly well with numerous deployments exceeding 100,000k devices and there’s an on-premises offering for organizations that are entirely cloud averse.

But the question really is: why would I choose MobileIron over Intune? Considering the way that Microsoft has positioned itself to take advantage of connected devices in the future with Azure, MobileIron has a tough time standing up.

Cloud Storage Reviews: Which One is Right for You?

The information technology industry is bursting at the seams.

Most businesses experience data sprawl. It is something IT managers and Managed Service Providers constantly have to prepare for.

We’ve come a long way since CompuServe, back in 1983, first offered a small amount of disk space to its customers.

Considering the amount of data organizations are required to host for their users, it’s not surprising to see the cost of maintaining that storage become astronomical. It’s a constant balancing act between costs and availability of resources.

Whether your business works primarily with documents or large multimedia files, ensuring data continuity through a solid business continuity, or disaster recovery, plan is more challenging than ever.

Businesses are not investing in expensive, high-performance, tiered storage services. They just want general file storage. Leveraging storage-as-a-service providers for personal files is an excellent option to offload a significant portion of that financial burden. The advantages of cloud storage as a service include dramatically improved reliability and increased organizational resilience.

Cloud Storage as a Service

The 4 Main Cloud Storage Providers

Most people are already familiar with Box, Dropbox, and Google Drive due to the storage service they’ve been providing to retail consumers, but what else is out there? All 3 evolved into enterprise class competitors. Now they’ve been joined by Microsoft’s OneDrive.

All 4 offer a solution to the problem

All 4 provide a cost effective, highly available centralized service to improve storage and collaboration for your employees. Let’s explore how cloud storage works.

Specific Key Points to Consider

It is critical to maintain business continuity. File and storage service availability is necessary to ensure users are able to accomplish the work that makes a business successful. Check the capacity per user and overall ease of use.

Following a foundation of security and compliance best practices will protect users from those accidents where they share sensitive information with the wrong party. Overcoming oversharing and incidents like ransomware or data destruction is important.

Finally, cost is a consideration. What’s the point of having such an amazing solution if you can’t justify the cost of ownership?

Which Business Continuity Management Framework to Use

Continuity of business enterprise relies on how much data can be stored in the service per person, and how easy it is to access. Although the first half is transparent, there are licensing implications in each of the services that impact the amount of space accessible.

* There are more granular enterprise class licenses available for Microsoft, Dropbox, and Box but the space provided is similar to what’s outlined above.

Storage Space

Each provider has 3 business class offerings comparable with each other. Both Google and Box offer entry level offerings providing 30GB and 100GB per user respectively. Most users will need much less on premises.

Based purely on storage space provided per user, Dropbox is the clear winner with Google and Box following close behind. Both types of Storage as a Service (SaaS) offer unlimited capacity to their mid-tier licenses.

Microsoft’s licensing model grants each user a terabyte of storage, which is impressive in itself, but unlimited is unlimited.


Availability

Now that we’ve talked about space, let’s consider accessibility. Users need to access their files without incident, share with internal teams for collaboration, and share with external parties when necessary.

In order for users to access their files on the same account, they need to synchronize those accounts to the cloud through each of these prospective services. Administrators will need to maintain an identity infrastructure like ADFS, OKTA, Ping, or Centrify to handle those sign-in claims. If those servers go down, users can’t access their files in the cloud.


The Microsoft Advantage

Microsoft allows seamless single sign-on without that infrastructure. This is done either by deploying an agent on an existing on-premises server for pass-through authentication, or by securely synchronizing a password hash with the accounts.

Enabling individuals to access their data, whether they’re online or not, is becoming increasingly important. Each of these solutions has a sync client that will ensure their files are stored and accessed locally on both Mac and Windows PCs (as well as Android and MacOS mobile). Changes to those files are synced back up to the cloud to ensure the individual is always accessing the most recent version of their file.

This is a distinct advantage offered by the Microsoft file and storage service. Microsoft’s OneDrive sync is built into Windows 10 and can be controlled via Group Policy. Each of the other clients needs to be distributed by an admin and maintained individually.

Nothing is Perfect

No cloud infrastructure is perfect. Downtime is always a possibility. Each of the cloud storage services, with the exception of Dropbox, offers financially backed service level agreements of 3 or 4 “nines” of availability (99.9% or 99.99%). These numbers are measured throughout the year with 99.9% availability representing just eight hours per year of service interruption. Considering the minimal difference between 99.9% and 99.99% uptime, we can view this as a wash.

DropBox

Obviously DropBox is out of contention because they don’t financially guarantee uptime with a service level agreement. That’s not to say that DropBox doesn’t meet those lofty standards, but it means that, in a worst case scenario, they offer no reimbursement for poor quality of service. Depending on your business, this may not be a concern; however, if the organization maintains a high business continuity policy standard, this may be a deal breaker.

Security

When evaluating migration of your IT infrastructure to the cloud, security should be among the top priorities.

Summation

These cloud storage services allow single sign-on for users with the business’s on-premises accounts. The same controls placed on users’ accounts are inherently enforced by these solutions as well! Should anyone attempt to discover a password by repeatedly trying to sign in (brute force), having good on-premises lockout and password policies will maintain security.

Additionally, using a federation provider for single sign-on will prevent access from outside of your building, or enforce multi-factor authentication for specific services. Federation services often have intelligent features built into them. For example, ADFS’s extranet smart lockout uses machine learning to assess good or bad requests by determining regular sign-in locations.

These protections are not typically part of the cloud services presented in this article. These are options that ensure business continuity management policies are in place regardless of the file and storage provider selected. All of these cloud storage services invest heavily to comply with global security and compliance standards, but it’s the responsibility of the organization’s leadership to develop and ensure sound business continuity practices and see that they’re maintained.

Sharing

Microsoft has the advantage of having the share feature designed into the Windows interface. The interface also allows for close integration with other Microsoft Office products. While it is simple to share files or folders both internally and externally with other services, Microsoft Office products have the ‘Share’ button built conveniently into the workspace.

Each of the services has a great web-based interface allowing for data storage, accessibility, and file sharing, but the benefits of Microsoft’s complete collaboration provide a real, distinct advantage over its competitors.

Cost

Business level licenses offered by each of the platforms are listed above. The table below compares exactly the space costs per person. Note: there are additional, more granular, enterprise level licenses available, but not shown, for each of the services listed.

Those cloud storage providers offering unlimited storage have the advantage. Is the advantage worth the extra expense? Google has a strong stake with their Business license, offering unlimited storage (as well as several other G Suite offerings) at just $12. Box and DropBox struggle with a higher starting price point, but offer little else outside of their storage and sharing collaboration services (even though they do include data loss prevention services).

Microsoft is the clear winner even though they offer “just” 1TB per user. For $8.25 per person/month, Microsoft offers storage included with their entire Office Suite. Most organizations, if not all, would be already paying for Microsoft’s suite of programs. Why not save the cost of an additional storage service provider?

If an organization were to opt for the business premium license at $12.50 per user, they would also be getting Exchange Online with 50GB of mailbox quota per person, Microsoft Teams for collaboration services (personal chat, team based persistent chat, external sharing, etc), and SharePoint for an array of collaboration options (Intranet sites, Team sites, external file sharing, and content management services).

And The Winner Is?

While Box, Dropbox, and Google all offer great cloud file sharing and storage services for a very reasonable price (seriously, *unlimited* storage for $12 user/month?!), it’s difficult to compete with Microsoft in the business collaboration space. Users are likely to be using Microsoft Office already and logging into Windows PCs, using accounts provided by Microsoft’s Active Directory.

Integration and Security Compliance is Everything

The integration between OneDrive, Office, and Windows is fantastic and the familiarity offered to your users and admin staff is a clear enabler.

Add in the security and compliance features offered through some of the similarly priced Enterprise licensing, and users not only have the ability to seamlessly collaborate with peers, they do so while the admin protects them with encryption, data loss prevention, and advanced features built into Azure AD. These features leverage machine learning to protect end users’ credentials and provide MFA.

Because Microsoft’s licensing options can be so specific, it’s possible to select the preferred features. Maybe you have a subset of individuals who share the same computer, or maybe don’t need all the same bells and whistles as your information workers, no problem; just give them a license that doesn’t include the things they don’t need (the $5.00 Business Essentials license comes to mind here).