The Bring Your Own Device (BYOD) trend brings major challenges to IT departments, which now have to authorize unmanaged devices to connect to the internal network and thus to access sensitive data or line-of-business (LOB) applications. This series of BYOD Test Lab Guides describes technical solutions that leverage the Windows Server 2012 platform to address BYOD issues specifically.
The "Bring Your Own Device" (BYOD) phenomenon is a deep trend born of the advent of ever more powerful personal devices that have become essential to our relationship with the outside world. These new tools, originally designed for the consumer market, tend to cross into the professional sphere because the border between private life and work is porous.
Employees want to bring their own devices into the enterprise to be able to connect to the internal network, access their corporate email, the Internet, and Web-based resources or any line-of-business (LOB) applications required for their everyday work.
This trend puts major challenges on the table for IT departments, which now have to authorize this new type of device while maintaining compliance with enterprise security policies and with any applicable industry regulations.
In this context, the Microsoft vision for embracing BYOD is based on the capability to differentiate the level of confidence in both the identity and the device, in order to adjust the access level and the related user experience to the sensitivity of the data. The solutions proposed in a set of relevant scenarios demonstrate how existing or new capabilities of the Windows platform can be used to implement these principles.
The “Bring Your Own Device” series of documents comprises Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for relevant BYOD scenarios. Each of these guides also covers how to test and demo each capability.
When you use a TLG to create a BYOD test lab, instructions tell you what servers to create, how to configure the operating systems and platform services, and how to install and configure any additional products, technologies or devices. A TLG experience enables you to see all of the components and the configuration steps on both the front-end and back-end that go into a single- or multi-product or technology solution.
The BYOD Base Configuration TLG constitutes the beginning of the BYOD test lab experience. Other BYOD TLGs of the series focus on a specific scenario, and describe how to set up the components that are necessary to demonstrate the scenario in a logical progression. All the remaining TLGs of the series use the BYOD Base Configuration TLG as a starting point.
The TLGs as a whole demonstrate how current and forthcoming Microsoft technologies such as Windows Server 2012, Windows 8, Exchange Server 2013, Authentication Mechanism Assurance and Dynamic Access Control can enable relevant BYOD scenarios.
This series of TLGs complements previous guides focused on the Consumerization of IT (CoIT) topic:
- An initial series of TLGs, already available on the Microsoft Download Center under the title Consumerization of IT Test Lab Guides, that illustrates key CoIT scenarios with previous versions of Microsoft technologies such as Windows Server 2008 R2. This series includes, as an introduction, a white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered, which presents the CoIT phenomenon in which consumer technologies and consumer behavior drive innovation in IT products and practices;
- A Version 2.0 of the CoIT Test Lab Guides built with the final OS versions of Windows Server 2012 and Windows 8, including two new important scenarios based on the Windows 8 Windows To Go and Client Hyper-V features, in addition to a remote access implementation with Windows Server 2012 DirectAccess.
What's new in this series?
The following list sums up the scenarios illustrated in the BYOD Version 1.2 Test Lab Guides:
- Base Configuration – Covers the setup of the core infrastructure, including the network and services such as Active Directory and PKI, so as to later allow viable access to the internal network from a Windows 8 non-domain-joined computer, a Microsoft Surface, an iPad and an Android tablet, all through a Wi-Fi connection.
- File Access depending on device status and user authentication strength – Describes, for the aforementioned types of BYOD devices, a suitable implementation of selective access to shares on a file server depending on both the level of confidence in the device and the strength of authentication. The suggested implementation relies on the Authentication Mechanism Assurance, virtual smart card and Dynamic Access Control (DAC) technologies.
- Exchange Messaging with Data Protection – Focuses on how to access an Exchange 2013 messaging system with email protection on the internal corporate network from a Windows 8 non-domain-joined computer, a Microsoft Surface (Windows RT), an iPad and an Android tablet. Exchange ActiveSync (EAS) with Information Rights Management (IRM) is leveraged for that purpose.
- Data Classification and encryption – Details how to classify and protect sensitive data on a file server (wherever it goes) by leveraging DAC along with an Active Directory Rights Management Services (AD RMS) infrastructure for information protection and control (IPC), as well as the selective access for BYOD devices implemented in TLG 2: File Access.
- Windows Intune – Covers the management of both Windows-based and non-Windows-based devices with the Windows Intune Mobile Device Management (MDM) solution, and illustrates how to provide certificate enrollment in this context.
Although this series shares some common approaches with the Consumerization of IT Test Lab Guides, it includes important changes and introduces new key features:
- A new situation with a Windows 8 non-domain-joined computer, and a new device with the Microsoft Surface tablet running Windows RT;
- Selective access to file servers taking into account the level of confidence in the device and the strength of authentication, for Windows-based and non-Windows-based devices;
- New key features such as Authentication Mechanism Assurance and the conditional expressions in permission rules enabled by Dynamic Access Control;
- Simplified access to protected e-mails from iOS and Android devices, which capitalize on the latest version of the EAS protocol;
- Introduction of the virtual smart card technology available on both Windows 8 and Windows RT, to offer stronger authentication without the need for a physical smart card;
- Introduction of a Data Classification and encryption scenario based on the new Dynamic Access Control capabilities of Windows Server 2012;
- Introduction of a simple BYOD risk analysis that identifies the top threats and shows how the different remediation solutions described in this series can be used to address them;
- A basic Windows Intune implementation to understand how Windows-based and non-Windows-based devices can be enrolled in the MDM solution.
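As an added illustration of the selective file access described above (this is editorial example code, not taken from the TLG series), the combination of Authentication Mechanism Assurance and Dynamic Access Control boils down to one central access rule whose conditional expression tests the user's token and the device's token at the same time. The group names 'SmartCardLogon' and 'ManagedDevices', the use of the built-in Impact_MS resource property and the policy and rule names are assumptions made for this example.

```powershell
# Added example, not part of the BYOD TLG series: a Dynamic Access Control central
# access rule that grants Full Control on files classified Impact = High only when
# (a) the user logged on with a (virtual) smart card, and
# (b) the device is a trusted, domain-joined device.
# Everyone else authenticated gets Read only.
# Group names, the resource property value and all SIDs are assumptions for this example.
Import-Module ActiveDirectory

# Authentication Mechanism Assurance maps the certificate issuance policy OID of a
# smart card logon to a universal group (assumed here to be 'SmartCardLogon'), so
# a strongly authenticated user carries that group SID in their token.
$strongAuthSid = (Get-ADGroup -Identity 'SmartCardLogon').SID.Value
# Assumed group collecting managed, domain-joined devices.
$managedDevSid = (Get-ADGroup -Identity 'ManagedDevices').SID.Value

# Target the rule at files tagged with the built-in Impact_MS resource property.
Set-ADResourceProperty -Identity 'Impact_MS' -Enabled $true

# DACL in SDDL. 'A' ACEs are unconditional; 'XA' ACEs carry a conditional expression.
#  Member_of        tests the user's token (group added by AMA at logon)
#  Device_Member_of tests the device's token (only present with compound authentication)
$aces = @(
    '(A;;FA;;;SY)',   # SYSTEM: Full Control
    '(A;;FA;;;BA)',   # Administrators: Full Control
    '(A;;FR;;;AU)',   # Authenticated Users: Read, regardless of device or auth strength
    "(XA;;FA;;;AU;(Member_of {SID($strongAuthSid)} && Device_Member_of {SID($managedDevSid)}))"
)
$dacl = 'D:AR' + ($aces -join '')

$rule = New-ADCentralAccessRule -Name 'High impact - strong auth and trusted device' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl $dacl `
    -PassThru

$policy = New-ADCentralAccessPolicy -Name 'BYOD file access' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule
```

Two things decide whether the conditional ACE ever evaluates to true. Device_Member_of is only populated when the client sends a device identity through Kerberos compound authentication, which requires a domain-joined Windows 8 client and the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting on the domain controllers; a non-domain-joined tablet never presents a device identity, so it stays on the Read ACE even after a smart card logon, which is exactly the tiered behaviour the scenario aims for. The rule also has no effect until the files are classified with Impact_MS = High (for example through the File Classification Infrastructure) and the central access policy is published via Group Policy and applied to the share's folder.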
Supported Operating Systems:
Windows Server 2012
To build the BYOD test lab according to the provided guides, you need at least:
- A domestic router with an integrated Ethernet switch and an 802.1X-capable Wi-Fi access point, or an Ethernet switch, an 802.1X-capable Wi-Fi access point and a router for Internet access.
- One Windows Server 2012 server with a 64-bit quad-core 2 GHz CPU, 12 GB of RAM and 150 GB of available disk space, with the Hyper-V role installed.
- One Windows 8 compatible laptop (optional if you prefer to use a Windows 8 VM).
- One Windows RT tablet, for example a Microsoft Surface (optional).
- One iPad tablet (optional).
- One Android tablet (optional).
- The following Microsoft products:
  - Windows Server 2012
  - Windows 8 Pro (64-bit)
  - Microsoft Exchange 2013
  - Microsoft Office 2010/2013 Professional Plus or Standard
- The following non-Microsoft products:
  - The FileBrowser (Stratospherix) app for the iPad, for TLG 2 only
  - The File Manager HD (Rhythm Software) app for the Android tablet, for TLG 2 only
  - The TouchDown (NitroDesk) app for iPad and Android devices, for TLG 3 only