What is our primary use case?
Microsoft Enterprise Mobility + Security (EMS) includes Intune, which provides mobile device management and mobile application management. With mobile device management, you can control the entire device in an organization. For example, if you have a thousand devices, you can manage them using the various available methods. These devices will appear in your portal, and you can manage them effectively.
Otherwise, Intune also supports mobile application management, which means we only protect the data that is on third-party devices. For instance, if a user has a company-controlled device, we have full control over it. However, if a user in the organization has a personal laptop and smartphone, we can control how data is regulated on those devices. They won't be able to save data to mobile storage, copy and paste into applications like WhatsApp or Notepad, or copy it to personal email accounts. The user can only copy data between corporate email accounts or copy it to OneDrive for Business. This level of control is provided by Intune.
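As an added example (not code from the review, and not Microsoft's), the following Python script audits Intune app protection (MAM) policies against the controls described above: no save to local storage, no copy/paste into unmanaged apps, no data transfer to personal accounts, only corporate apps and OneDrive for Business. The property names are those this example assumes for the Microsoft Graph managedAppProtection resource (iosManagedAppProtections / androidManagedAppProtections); the two policies it checks are constructed samples embedded inline so the script runs offline.

```python
"""Audit Intune app protection (MAM) policies against a data-leakage baseline.

Added example, not part of the original review and not Microsoft code.
Property names follow the Microsoft Graph managedAppProtection resource as
assumed by this example; in practice the policy dicts would come from
GET /deviceAppManagement/iosManagedAppProtections (or the Android variant).
"""
from __future__ import annotations

from typing import Any

# For each property, the set of values that satisfy the baseline.
BASELINE: dict[str, set[Any]] = {
    # Data may leave the app only to other policy-managed apps (or nowhere).
    "allowedOutboundDataTransferDestinations": {"managedApps", "none"},
    # Clipboard: paste only into managed apps, or block sharing entirely.
    "allowedOutboundClipboardSharingLevel": {
        "managedApps", "managedAppsWithPasteIn", "blocked"},
    # No "Save As" to local storage or personal cloud accounts.
    "saveAsBlocked": {True},
    # Keep corporate data out of iCloud / Google device backups.
    "dataBackupBlocked": {True},
    # Links must open in a policy-managed browser, not a personal one.
    "managedBrowserToOpenLinksRequired": {True},
}

# Storage targets that are acceptable when Save As is permitted at all.
ALLOWED_STORAGE = {"oneDriveForBusiness", "sharePoint"}


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for one policy; an empty list means it meets the baseline."""
    findings: list[str] = []
    for prop, acceptable in BASELINE.items():
        if prop not in policy:
            # An absent property is treated as unset, i.e. not enforced.
            findings.append(f"{prop}: not set (treated as permissive)")
        elif policy[prop] not in acceptable:
            findings.append(
                f"{prop}: {policy[prop]!r} not in {sorted(map(str, acceptable))}")
    # Any storage location outside the sanctioned set lets data leave the tenant.
    leaky = set(policy.get("allowedDataStorageLocations", [])) - ALLOWED_STORAGE
    if leaky:
        findings.append(f"allowedDataStorageLocations: permits {sorted(leaky)}")
    return findings


def is_compliant(policy: dict[str, Any]) -> bool:
    return not audit_policy(policy)


def audit_all(policies: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each policy's displayName to its findings."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


# Constructed sample: the permissive values a freshly created policy tends to carry.
WEAK_POLICY: dict[str, Any] = {
    "displayName": "Default MAM (constructed sample)",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
    "managedBrowserToOpenLinksRequired": False,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
}

# Constructed sample: the policy shape that matches the controls in the text.
HARDENED_POLICY: dict[str, Any] = {
    "displayName": "Corporate data only (constructed sample)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "managedBrowserToOpenLinksRequired": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness"],
}

if __name__ == "__main__":
    for name, findings in audit_all([WEAK_POLICY, HARDENED_POLICY]).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The weak sample produces six findings (five baseline mismatches plus the localStorage entry); the hardened sample produces none. Running the same check over every policy in a tenant, rather than inspecting them one by one in the portal, is the quickest way to catch a policy that was cloned from the defaults and never tightened.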
In terms of security, EMS has Azure AD Premium P1, EMS E3, and EMS E5 as its individual components. EMS E5 offers most of the features, and it includes Azure AD Premium P2. You can also have Conditional Access policies, which are part of P1. It also has Azure Information Protection for labeling. You can create labels and labeling policies, including auto-labeling policies. There are Plan 1 and Plan 2 options. With Plan 2, you can automatically scan on-premises repositories for labeling; if you have Plan 2, it will label them. In EMS, we have CASB, which stands for cloud access security broker. It was called Cloud App Security; we now refer to it as Defender for Cloud Apps.
It deals with shadow IT. For example, if you have one thousand users in your organization and you don't know what they are using on their laptops, then as long as Defender for Endpoint is installed on their devices or you are importing logs from the firewall, it will show you all the devices, websites, and applications that the users are accessing.
You can restrict their access, so they won't be able to work on any other devices. You can also identify any uncategorized websites or services being accessed. You can view this information from CASB and set session policies. If you have web applications on-premises, you can integrate with them. You can also integrate with anything that supports SAML authentication.
Furthermore, you can prevent users from copying text from browsers or your application. You can create file policies, activity policies, and session policies based on your requirements.
Additionally, you have Azure AD Identity Protection, which is also part of Azure AD Premium P2. It includes features like banned passwords and more. A banned password list is something that is not available on-premises. There is also a small agent that you can use to enforce it on-premises. Moreover, there is Azure ATP, which is focused on identity.
It's crucial to have it on the domain controller. It inspects every authentication, even if you're authenticating through LDAP or web services. It tracks and verifies against a number of attacks and techniques listed by MITRE, a nonprofit organization that investigates these attack techniques and maintains a catalog or database of them. Azure ATP will check whether any of these attempts appear and flag them. So that is Azure ATP for identity.
Identity management is also included, and Privileged Identity Management is part of it. Along with that, you have access reviews and entitlement management. So this is what the EMS offering includes.
What needs improvement?
Microsoft licensing has always been tricky. There have been several changes in the last quarter, such as the addition of a new SKU on top of the existing ones. The licensing can be messy at times. Apart from that, it's fine. One area where Microsoft lacks is network-level protection. Currently, it focuses on endpoint protection. However, with the shift to remote work, network-level protection has become less relevant since users take their devices home, and there is no physical boundary after COVID. So, investing in network equipment might not be as useful as protecting endpoints with features like EDR (Endpoint Detection and Response) and behavioral monitoring. That would probably be helpful.
For how long have I used the solution?
I have been using this product for five years. We have been implementing enterprise-level rollouts for over 15,000 users.
What do I think about the stability of the solution?
It's Microsoft we're talking about. The platform is generally stable. Occasionally, out of the many components involved, there may be a minor outage or some issues for a few hours. It happens, just like with other vendors. However, it's not to the extent that an entire region goes down. I haven't witnessed such a scenario.
What do I think about the scalability of the solution?
Licensing and overall horizontal scaling are possible. Once you place an order for a specific number of licenses, it will be processed and made available within a few days.
How are customer service and support?
Some of their support representatives are good, but some are very bad. If I don't get the right person, it can be frustrating. It depends on who you get assigned to. If you're fortunate enough to get an experienced person, they can resolve the issue in one call. Otherwise, it can be a drawn-out process. So, in my experience, I've created multiple tickets until I got the right support.
How would you rate customer service and support?
How was the initial setup?
It used to be complex, but now it's pretty easy. There are numerous videos and articles available that can guide you through the setup process. Microsoft provides resources that make it accessible for anyone to set up. That's the advantage of using Microsoft products.
The deployment model is mostly on the cloud, about 90%. We work with on-premises as well; it's just a matter of reconfiguring. It's a mixed approach, but the majority of things are on the cloud.
What about the implementation team?
EMS is extensive, comprising multiple components. It would take hours to describe the entire deployment process. You only need one or two people for the deployment process. Typically, we assign a single engineer to handle the deployment of all these components for a month.
Let's consider EMS as a licensing model. It's like setting up a home for users. Think of it as a house. You have licenses—let's say you have five licenses. With one license, you set up the plumbing, and with another license, you set up the electricity.
It's entirely different. So assigning an EMS license means you are licensed to use electricity and water, which means you need to handle the plumbing. There are different components and deployment methods. It's not like setting up a server in the traditional sense.
The deployment is done on the cloud. For some components, you need to deploy agents, while others are readily available. Some require enabling analytics, and for others, you need to enable sync. Threat protection requires environment and device hardening, including patching, for example.
The deployment process itself is quick. However, rolling out to all users can be time-consuming. Typically, we complete the initial deployment within a month for a certain number of users or devices. It then becomes the customer's responsibility to roll it out to the remaining users.
Moreover, the maintenance aspect is quite straightforward. It doesn't require much maintenance unless we're talking about specific products like Sentinel or Defender for Endpoint. Once it's configured, it will work smoothly. There might be occasional changes, but they are infrequent, happening maybe once a month. Overall, it is a low-maintenance area compared to other services.
Which other solutions did I evaluate?
There are a couple of other solutions, like Samsung Knox and Citrix. Although I personally haven't worked with them, we have a team here that implements Citrix. However, I haven't had personal experience with it for the past three years.
In terms of features, Microsoft has a very good strategy because most people are using Windows and Office 365 applications like Excel and PowerPoint. So it seamlessly integrates with devices and services. However, when it comes to pricing, Microsoft has its challenges, and I'm not sure if there are people who appreciate it.
What other advice do I have?
For most organizations, since they are already using Windows and other Microsoft services, implementing EMS from Microsoft is easy, and it seamlessly integrates with application troubleshooting and other functionalities. You already have everything you need, so you don't have to install an agent; it just pushes an extension automatically. Additionally, Autopilot is a service that is not available from any other vendor. So, yeah, Microsoft is a good choice.
Overall, I would rate it an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner