Microsoft Enterprise Mobility + Security Reviews

Microsoft Mobility and EMS include Intune for Mobility, which provides mobile device management and mobile application management. With mobile device management, you can control the entire device in an organization. For example, if you have a thousand devices, you can manage them using various available methods. These devices will appear on your portal, and you can effectively manage them.

If not, Intune also supports mobile application management, which means we only protect data that is on third-party devices. For instance, if a user has a company-controlled device, we have full control over it. However, if a user in the organization has a personal laptop and smartphone, we can control how data is regulated on those devices. They won't be able to save data on mobile storage, copy-paste to applications like WhatsApp or Notepad, or copy it to personal email accounts. The user can only copy data between corporate email addresses or copy it to OneDrive for Business. This level of control is provided by Intune.

In terms of security, EMS has Azure Ready Premium One, EMC Three, and EMC Five as its individual components. EMC five offers most of the features and it includes Azure Ready Premium 2. You can also have conditional access policies, which are part of Plan 1. It also has Azure Information Protection for labeling. You can create labels and labeling policies, including auto-labeling policies. There are Plan 1 and Plan 2 options. With Plan 2, you can automatically scan on-premises repositories for labeling. If you have Plan 2, it will label them. In the EMS, we have CASB, which stands for Cloud App Security. It's a Cloud App Security Broker. We refer to it as Defender for Cloud App.

It deals with all the shadow IT subdomains. For example, if you have one thousand users in your organization and you don't know what they are using on their laptops, even if Defender for Endpoint is already installed on their devices or if you are importing logs from the firewall, it will show you all the devices, websites, and applications that the user is accessing.

You can restrict their access, so they won't be able to work on any other devices. You can also identify any uncategorized websites or services being accessed. You can view this information from CASB and set session policies. If you have web applications on-premises, you can integrate with them. You can also integrate with anything that supports SAML authentication.

Furthermore, you can prevent users from copying text from browsers or your application. You can create file policies, activity policies, and session policies based on your requirements.

Additionally, you have Azure Identity Protection, which is also part of Azure Ready Premium 2. It includes features like bank passwords and more. A bank password is something that is not available on-premises. There is also a small agent that you can use to enforce it on-premises. Moreover, there is Azure ATP, which depends on identity.

It's crucial to have it on the domain controller. It investigates every authentication, even if you're authenticating through LDAP or web services. It tracks and verifies against a number of attacks and techniques listed by my tier, which is a nonprofit organization that investigates these attack techniques. They have a catalog or database of these techniques. Azure ATP will verify if any of these attempts are shown and reflect them. So that is Azure ATP for identity.

The identity management team is also included, and Privileged Identity Management is part of it. Along with that, you have access to reviews and event title management. So this is what the EMS offering includes.

Microsoft licensing has always been tricky. There have been several changes in the last quarter, such as the addition of a new SKU on top of the existing ones. The licensing can be messy at times. Apart from that, it's fine. One area where Microsoft lacks is network-level protection. Currently, it focuses on endpoint protection. However, with the shift to remote work, network-level protection has become less relevant since users take their devices home, and there is no physical boundary after COVID. So, investing in network equipment might not be as useful as protecting endpoints with features like EDR (Endpoint Detection and Response) and behavioral monitoring. That would probably be helpful. 

I have been using this product for five years. We have been implementing enterprise-level rollouts for over 15,000 users.

It's Microsoft we're talking about. The platform is generally stable. Occasionally, out of the many components involved, there may be a minor outage or some issues for a few hours. It happens, just like with other vendors. However, it's not to the extent that an entire region goes down. I haven't witnessed such a scenario.

Licenses and overall scaling horizontally are possible. Once you place an order for a specific number of licenses, it will be processed and made available within a few days.

Some of their support representatives are good, but some are very bad. If I don't get the right person, it can be frustrating. It depends on who you get assigned to. If you're fortunate enough to get an experienced person, they can resolve the issue in one call. Otherwise, it can be a drawn-out process. So, in my experience, I've created multiple tickets until I got the right support.

Neutral

It used to be complex, but now it's pretty easy. There are numerous videos and articles available that can guide you through the setup process. Microsoft provides resources that make it accessible for anyone to set up. That's the advantage of using Microsoft products.

The deployment model is mostly on the cloud, about 90%. We work with both on-premises. It's just a matter of reconfiguring. It's a mixed approach, but the majority of things are on the cloud.

EMS is extensive, comprising multiple components. It would take hours to describe the entire deployment process. You only need one or two people for the deployment process. Typically, we assign a single engineer to handle the deployment of all these components for a month.

Let's consider EMS as a licensing model. It's like setting up a home for users. Think of it as a house. You have licenses—let's say you have five licenses. With one license, you set up the plumbing, and with another license, you set up the electricity.

It's entirely different. So assigning an EMS license means you are licensed to use electricity and water, which means you need to handle the plumbing. There are different components and deployment methods. It's not like setting up a server in the traditional sense.

The deployment is done on the cloud. For some components, you need to deploy agents, while others are readily available. Some require enabling analytics, and for others, you need to enable sync. Threat protection requires environment and device hardening, including patching, for example.

The deployment process itself is quick. However, rolling out to all users can be time-consuming. Typically, we complete the initial deployment within a month for a certain number of users or devices. It then becomes the customer's responsibility to roll it out to the remaining users.

Moreover, the maintenance aspect is quite straightforward. It doesn't require much maintenance unless we're talking about specific products like Sentinel or Defender for Endpoint. Once it's configured, it will work smoothly. There might be occasional changes, but they are infrequent, happening maybe once a month. Overall, it is a low-maintenance area compared to other services.

There are a couple of other solutions, like Samsung Knox and Citrix. Although I personally haven't worked with them, we have a team here that implements Citrix. However, I haven't had personal experience with it for the past three years.

In terms of features, Microsoft has a very good strategy because most people are using Windows and Office 365 applications like Excel and PowerPoint. So it seamlessly integrates with devices and services. However, when it comes to pricing, Microsoft has its challenges, and I'm not sure if there are people who appreciate it.

For most organizations, since they are already using Windows and other Microsoft services, implementing EMS from Microsoft is easy, and it seamlessly integrates with application troubleshooting and other functionalities. You already have everything you need, so you don't have to install an agent. It just pushes an extension automatically. Additionally, auto-pilot is a service that is not available with any other vendors. So, yeah, Microsoft is a good choice.

Overall, I would rate it an eight out of ten. 

We use the product for centralized communications. We use chat, SCCM, Azure, Visio Pro, and quite a few other Microsoft applications.

As a business manager, I use it for all the basic stuff. I use Microsoft for, of course, the Office Suite, however, in regard to the Enterprise packaging, I use it for our communications tool. I use it as Teams. I really use Teams for communicating with the department. Other than that, the core licensing and things of that nature, the server items that we have, SCCM, that's more from our server-side. They use it more for server licensing whereas I just use it for the basics of communicating, chatting, and things of that nature. That's the regular Microsoft Office Suite.

The most valuable feature is it's a collaboration tool that we can dump all things in at the same time, and we don't have to go to different locations to search for documents that we want to share among 40 people.

It's great and it is something that is very user-friendly as a whole.  

Microsoft is a very strong product here the brand recognition and trust are high.

You can scale the solution up or down by department.

The stability is good.

My suggestion would be just for IT, for us, to continue pushing it out and making it more knowledgeable and easy to use for those that are not as savvy with technology. We don't want them to overthink just using the basic tools within Microsoft.

The licensing is quite expensive.

We've been using the solution since 2013.

I purchased this in 2013 and it's been pretty stable since then. It's been actually a really great tool. We're becoming more knowledgeable about different things that it can do day by day. We haven't had any issues with it. It's pretty stable.

Microsoft Enterprise is a tool that you can build on, or just scale back for departments that only utilize a very small portion. I only use a very small portion of the Enterprise agreement, however, others within IT use the platform for something much larger or something much more detailed. It can expand or contract to meet different departmental needs. It's a platform you can easily build on.

We have about 1,400 people within our organization using the solution.

I haven't used Microsoft tech support. That said, I am very aware that our server team has, and it's 24/7 support that they can't live without. It seems they have met our needs and overall, the company is very happy with them.

We handled the installation and never had a problem with it. We have 12 system admins that are capable of maintaining the solution.

We installed it ourselves.

The licensing period is three or four years and it's a pretty penny. We get it off a cooperative, meaning we share the cost with separate entities. I don't remember the exact amount.

We are considered a Microsoft partner as we are amongst a group that uses Microsoft Enterprise. It may not be a true partnership per se, however, we've been a customer for over 10 years.

We are level E3.

I'd advise potential new users to just become knowledgeable about all of the products within the platform, so that you do not purchase other items that you already have within Microsoft.

If you take the training before you roll out a large application like Microsoft, it's easier for your customers to understand how to use it.

I'd rate the solution at a nine out of ten.

A good feature that is present is MAM or Mobile Application Management. We can deploy this feature on the device, which is not managed by the organization. If I apply some security configuration on a personal device, the user would be really disappointed. What we do instead is that we give all access to the applications related to corporate and ask the users to use the application. We secure the application by putting the security features on the applications and not on the users' devices. This way, the users are happy, and we also meet our company's compliance standards. Then, everyone is happy.

The auditing and reporting could be updated and upgraded.

I would like to see light applications because they consume a lot of the device's memory at present.

I've been working with this solution for around four years.

Microsoft Enterprise Mobility Security is a stable solution.

We can force sync so that every device is scalable in configuration.

The configuration is very simple and straightforward. The only thing required is the authenticator app, and Microsoft has released step-by-step guides that are user-friendly.

I would rate pricing at eight out of ten. It is a bit higher because of the security features that Microsoft provides.

In general, I would give Microsoft Enterprise Mobility Security a nine out of ten.