In this article, we are primarily interested in what the new version, Windows 8.1, brings from the point of view of deployment in the corporate sector. The main innovations can be grouped into the following categories: further development of the popular concept of BYOD (Bring Your Own Device), and improvements in security, mobile access, printing, and the graphical interface. These changes are quite significant, so it is more accurate to call Windows 8.1 a new release rather than an update.
The phrase Bring Your Own Device refers to a company policy under which employees can use personal mobile devices (laptops, tablets and smartphones) in the workplace to access confidential information and corporate applications. This process is moving fastest in emerging markets (including Russia), where, according to Wikipedia, ~75% of employees are covered. When looking for a job, more and more candidates prefer organizations that have adopted a BYOD policy over those that take the opposite approach. Clearly, depending on the type of activity, in some cases it is simply impossible to do without selecting specific devices when working with confidential data or entering high-risk environments. In most situations, however, employers must adapt to the realities of the rapidly progressing world of personal devices. This raises certain technological problems. If an employee's role gives him access to sensitive information, then measures of a different order are needed to prevent its leakage. You can prevent an employee from removing any media from the enterprise, including paper, but in the end there remains a storage device called the human brain. We will talk about more mundane matters.
Upon termination of the employment contract, all work-related data and applications installed in the course of the employee's activity in the company must be removed from his personal device, if he used it at work. Prior to Windows 8.1, this was done with Exchange ActiveSync, built into Exchange Server and Office 365, which provides a basic level of mobile device management and enforcement of mobile policies on the devices. These include not only selective remote wiping of work-related information (selective wipe), but also IRM (information rights management), data encryption on the mobile device (data stored on an SD card cannot be encrypted, but you can prohibit its use), password policy (complexity, period of validity, password history) and much more.
In Windows 8.1, you can use the open (in the sense described) Open Mobile Alliance Device Management (OMA-DM) protocol. It is used in Windows Intune, a unified solution for managing PCs and various types of mobile devices. Intune integrates with System Center Configuration Manager and a directory service, providing centralized delivery and installation of corporate applications and patches, integrated security policy management, and Endpoint Protection (for PCs). Integration with third-party mobile device management products such as MobileIron and AirWatch is also possible.
Another interesting BYOD capability is registering a device running Windows 8.1 through Workplace Join. Devices running Windows 8 and previous versions can either be domain joined or not. With domain membership, the user gets access to corporate resources (at least to those for which the administrator has granted him rights), and his personal device is controlled by group policies. Otherwise there is no access, since the company's IT department has no control over the device. A Workplace Joined device is, in a sense, the golden mean. The user can work on the device of his choice (including iOS) and have access to corporate resources. His personal device becomes known in the domain, providing transparent two-factor authentication and SSO (Single Sign-On). Device attributes are registered in AD and can be used by IT administrators to provide granular access to resources. Thus, the device operates under IT control with controlled access to applications.
A closely related capability is Work Folders, which automatically synchronizes data on the device with user folders in the corporate data center, without the need for a domain account to access corporate shared folders. The synchronization process is embedded in the file system and is bidirectional, that is, files created locally are also copied to the corporate file server. The IT department can enforce Dynamic Access Control policies on the Work Folders sync share (including Rights Management) and require Workplace Join. Both of these features, in addition to Windows 8.1, require the deployment of an infrastructure based on Windows Server 2012 R2.