Information Technology Professionals - IT Pros USA


Enterprise Mobility Suite

The Enterprise Mobility Suite comes in a couple of different options: EMS E3 and EMS E5 are a pair of commonly bundled SKUs that feature EMS. We say “bundled” because EMS is not a stand-alone Microsoft product; rather, it represents a bundle of other Microsoft cloud products. Both EMS SKUs include three core products: Microsoft Intune, Azure Active Directory Premium P1, and Azure Rights Management (aka Azure Information Protection).

In all variations of the EMS suite, you’ll have those three items bundled together. So, in this blog, we’ll take a look at just what each of those three products entails.

Microsoft Intune – Mobile Management Made Easy

Microsoft Intune isn’t a guitar tuning application from the tech giant. It is a mobile device management (MDM) service, and it is top of the line. Basically, an MDM is an application you install on devices (mobile phones, tablets, laptops, etc.) that provides a business access to that device’s data. Microsoft Intune is product agnostic, working on Android, Windows, or Apple devices. It is not a Microsoft-only product, because to have an impact, you must be able to support the major devices. That said, it is very integrated with Windows 10, particularly any of the Surface or Surface Laptop products, where it is preinstalled and ready to go.

Intune allows businesses to do a lot of awesome things. First and foremost, Intune provides inventory and location tracking for all of your business assets. Basically, any device that’s engaging with your network from a data standpoint should have Intune on it. This allows you to monitor your devices and control some basic policies regarding those devices. For instance, you could require additional passwords on the devices. If you want to go a step further, you could also enable different levels of encryption. In general, Intune provides a number of basic security features for businesses.

Intune on Mobile Devices

In advanced scenarios, Microsoft Intune can help you remotely manage specific devices. One such example is a remote wipe of company data. Say your business has to, unfortunately, part ways with a remote employee. This person had been using a personal computer for work purposes when on the road, and this device had been properly set up in the Intune network. Wiping the company data from this device is simple in this situation, as Intune offers that functionality.

As an organization, this allows you to create data protection policies that benefit both you and your employees. Such a policy could require users to enroll in Intune should they wish to use a personal device to access business information – even if that’s just email! As a business, you’re covering your own keister by putting such a policy in place, and you’re protecting your employee’s data from easier access by external threats. This will also prevent “user-error” breaches from spreading to the company’s network, as

Intune is the New Age “Clippy”

Remember the old paper clip in Microsoft Word? Well, Intune takes on a similar role in today’s world. The application can help your users install the other required apps (like Outlook, Teams, or a business VPN). Intune can also add corporate applications that help improve employee efficiency. Likewise, Intune can work on an employer-owned device and can provide complete control for the user. Intune has become our modern suggestion as a cloud management service that replaces the older, on-premises product called Microsoft System Center Configuration Manager (SCCM).

Microsoft SCCM has long been a de facto standard for managing a large Windows network. SCCM could help you enforce group and security policies, automatically push out Windows updates, and perform other similar actions. Now that we’re working in the cloud, Microsoft needed a more capable offering. Intune is that offering. Intune has the ability to mirror SCCM’s policy enforcement actions without any of the on-premises infrastructure. This is a stark contrast to SCCM, which requires a SQL server on the back end and an application server, all of which need to be updated and maintained over time.

With Intune, that labor-intensive process is eliminated, as it is a SaaS offering. You simply go to the Intune portal and enroll your business. From there, you can immediately start implementing policies for your staff. And what’s even better, there are currently a number of “canned” policies that you can implement immediately – and they come with easy-to-follow instructions, just like the days of Clippy in Microsoft Word. Ultimately, the tools provided by Intune will allow you to get your business moving in the right direction from day one.

Azure Active Directory Premium P1

Anytime you have a user in Office 365, you have an Active Directory (AD). In its simplest terms, AD is the log-in system for Windows devices. If you have a Windows system at your office, AD is what manages your username and password. The minute your company starts using Office 365 resources, you’re also extending that Active Directory into the cloud and using Azure AD to respond to your username and password. This is what allows you to use the same login information on a personal laptop as you do for Office 365 – your identity remains in sync using the Azure AD Connect tool. And this basic AD service is included should you purchase an Office 365 SKU.

However, the version of Azure AD that comes standard with the EMS suite is the AAD Premium P1 SKU. This takes the same functionality of the basic tool outlined above and amplifies the best aspects for your business to leverage. The first of which is a self-service password reset (SSPR). As expected in the name of the product, your enterprise organization has upwards of 750 employees in this example. All of these individuals have personal access to an Office 365 account with their own username and password.

What can Azure’s SSPR really do for me?

In the past, a big part of your IT department’s job was resending staff their passwords manually. With AAD Premium P1, you can remove that work from your team’s load by creating alternative password reset options. This could be as simple as answering a couple of personal questions, or a 2FA text message or robocall to a corporately managed device, to confirm the identity of a user and allow individuals to update and change passwords themselves. And, because this password will be in the Azure cloud, it will remain in sync with other devices on the network (even those that are on-premises devices).

So, in theory, a user can walk into the office, forget their password, and instead of contacting IT, use SSPR to reset their password and then log in to their machine. There’s no IT ticket. It’s all self-service, encourages problem-solving, and provides a better experience for end users. This is just one benefit of the Premium P1 upgrade over Azure AD Basic.

Reporting Mechanisms in Premium are Worth the Extra Budget

In addition, Azure AD P1 includes some additional reporting mechanisms. This will let you see something like “a user has tried to log in 50 times in 3 minutes,” and it will send you a notification. This is just one valuable security feature that is part of all EMS AAD packages.

You can set up a number of automatic logging criteria. These criteria help beef up security by helping you identify potential breaking points without manual data processing. You can avoid the tedious, laborious task of mining this data by using the cloud service as a part of Azure AD Premium P1.
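The threshold rule in the example above (50 sign-in attempts in 3 minutes) can be sketched as a sliding-window check over sign-in events. This is an added illustration, not Microsoft's code or Azure AD's implementation; the event layout, function names and sample accounts are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the article's example: 50 attempts in 3 minutes.
MAX_ATTEMPTS = 50
WINDOW = timedelta(minutes=3)


def find_signin_bursts(events, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return one (user, time_threshold_hit, failures_in_window) per burst.

    `events` holds (iso_timestamp, user, result) tuples; this layout is
    hypothetical, not the Azure AD sign-in log schema.
    """
    recent = defaultdict(deque)  # user -> failure times inside the window
    alerting = set()             # users currently over the threshold
    alerts = []
    parsed = sorted((datetime.fromisoformat(ts), user.lower(), result)
                    for ts, user, result in events)
    for when, user, result in parsed:
        if result != "failure":
            continue  # successes are ignored and do not reset the count
        q = recent[user]
        q.append(when)
        while when - q[0] >= window:  # expire failures older than the window
            q.popleft()
        if len(q) < max_attempts:
            alerting.discard(user)
        elif user not in alerting:    # alert once per burst, not per attempt
            alerting.add(user)
            alerts.append((user, when, len(q)))
    return alerts


def constructed_sample():
    """Constructed test data: one noisy account, one normal account."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    events = [((start + timedelta(seconds=30)).isoformat(), "bob@example.com", "success")]
    for i in range(60):
        # alice: 60 failures 2 s apart; bob: 60 failures 1 min apart.
        events.append(((start + timedelta(seconds=2 * i)).isoformat(), "Alice@example.com", "failure"))
        events.append(((start + timedelta(minutes=i)).isoformat(), "bob@example.com", "failure"))
    return events


if __name__ == "__main__":
    for user, when, count in find_signin_bursts(constructed_sample()):
        print(f"ALERT {user}: {count} failed sign-ins in {WINDOW} as of {when}")
```

Alerting once per burst rather than on every attempt past the threshold keeps a single noisy account from flooding the notification channel.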

Azure Rights Management (aka Azure Information Protection)

The final piece of the EMS puzzle that is worth your time is Azure Rights Management, or Azure Information Protection (AIP). AIP helps manage and secure your key company documents – price lists, customer lists, key data – that you really wouldn’t want your competitor to gain access to. You wouldn’t want this information out in the wild, and yet businesses give people computers that have access to this data and also have users accessing personal Gmail accounts right next to their work email – with the ability to share files between the two or, worse, simply save classified data on a thumb drive and walk out the door with it. If you’ve ever thought about these concerns, AIP is the service that was built to combat these actions.

Basically, using the Azure Rights Management services, you can create files and folders of “classified” content. In layman’s terms, for every Excel file created by anyone in your company, you can have the default rights set to “only company users can access.” This wouldn’t change anything in terms of end-user experience, but it adds an immensely valuable security feature. If one of your employees sends that Excel file out into the wild – even if it’s just to their own personal account – AIP will automatically fire several security precautions. First, AIP will send an alert to your business via email, notifying you of the potential threat. That alert will also feature a geotag, identifying where someone attempted to open the file. And finally, it will either deny access to the file or ask the user to log in to view it.

In short, AIP can help your business password protect any document created within your network. This tri-pronged security approach is tremendously valuable for businesses with lots of classified information – like law firms, healthcare providers, and other professional services that handle personal and private information.

Want to Know more about EMS?

Those are the big items to know about Microsoft’s Enterprise Mobility Suite, and if you’re still reading, you clearly want to know more.

First – the cost of the suite runs around $12.50 per user per month, though you’re getting over $20 per user in bundled products in this offering. Each of these bundled products will have an immediate and lasting impact on the security, efficiency, and productivity of your organization.

Contact ITP today to learn more about EMS or discuss an EMS upgrade:

