This blog post will break down EMS (Enterprise Mobility Suite) by first giving you an overview including some YouTube videos.
You will then get a detailed look at the three different services that Enterprise Mobility Suite is built upon.
You might think that many of these features are included in licenses or services that you already own.
The second part of the blog post describes the differences in detail, and you will see that this is not really the case: Enterprise Mobility Suite includes much more and has a lot of great features that you can't get anywhere else.
These particular features make Enterprise Mobility Suite a must-have, and it gets our strong recommendation to buy with any Office 365 plan.
Remember that you can always contact us if you have any questions regarding Office 365 or Enterprise Mobility Suite, by phone: +468239600 or email: cs@altitude365.com
Now let us start with the basics of Enterprise Mobility Suite.
The Enterprise Mobility Suite is a comprehensive suite of cloud services to address your consumerization of IT, BYOD (Bring Your Own Device), and SaaS (Software as a Service) challenges.
The suite is the most cost-effective way to acquire all of the included Microsoft cloud services:
Please take a few minutes to watch the videos to get a better understanding of what Enterprise Mobility Suite can do for your organization.
Hybrid identity and access management
Azure AD Premium delivers robust identity and access management from the cloud, in sync with your existing on-premises deployments:
- Cloud-based self-service password reset for your employees
- Group management, including user self-service management of groups
- Group-based provisioning and access management for hundreds of Software as a Service applications
- Machine learning-driven security reports to show log-in anomalies and other threats
- Rich and robust synchronization of user identities from on-premises directories, including write back of changes
- Reduce risk and support compliance requirements with comprehensive Multi-Factor Authentication (MFA) options
Mobile device management
Windows Intune enables you to manage PCs and mobile devices from the cloud. People can use the devices they love for work while protecting corporate data and adhering to security policies:
- Deliver and manage apps across a broad range of devices.
- Manage a variety of device types, from Windows, Windows RT, and Windows Phone 8 to Apple iOS and Google Android.
- Configure and deploy policies, and inventory hardware and software.
Data protection
Azure AD Premium and Azure Rights Management can help protect your corporate assets:
- Deliver information protection in the cloud or in a hybrid model with your existing on-premises infrastructure.
- Integrate information protection into your native applications with an easy-to-use software development kit (SDK).
Now that you have a basic understanding of Enterprise Mobility Suite, let's break it down even more and look at the details: what is it that you really get for your bucks?
Comparing Azure Active Directory and Azure Active Directory Premium
Azure AD Premium has more advanced capabilities to help streamline enterprise-level administrative tasks and make an admin's life easier.
The following table describes common admin benefits and how signing up for Azure AD Premium helps to simplify them.
Remember that Azure AD Free is what you already have if you signed up for Office 365.
Admin Benefits / Features | Azure AD Free | Azure AD Premium |
Manage your cloud directory and how your accounts are synchronized | | |
Directory as a service | Yes, up to 500K objects (1) | Yes, no object limit |
Directory synchronization tool – For syncing between on-premises Active Directory and Azure AD | Yes | Yes |
Forefront Identity Manager (FIM) server licenses – For syncing between on-premises databases and/or directories and Azure AD | No | Yes |
High availability SLA uptime (99.9%) | No | Yes |
Centrally administer accounts and control access to your applications | | |
User and group management using UI or Windows PowerShell cmdlets | Yes | Yes |
User-based application access management and provisioning | Yes | Yes |
Access Panel portal for SSO-based user access to SaaS and custom applications | Yes, up to 10 apps per user (2) | Yes, no app limit |
Group-based application access management and provisioning | No | Yes |
Customization of company logo and colors to the Sign In and Access Panel pages | No | Yes |
Empower your users & reduce support costs | | |
Self-service change password for cloud users | Yes | Yes |
Self-service group management for cloud users | No | Yes |
Self-service reset password for cloud users | No | Yes |
Monitor security and enforce additional verification methods to mitigate risks | | |
Standard security reports | Yes | Yes |
Advanced anomaly security reports (machine learning-based) | No | Yes |
Advanced application usage reporting | No | Yes |
Multi-Factor Authentication service for cloud users | No | Yes |
Multi-Factor Authentication server for on-premises users | No | Yes |
1. The 500K object limit does not apply for Office 365, Windows Intune or any other Microsoft online service that relies on Azure AD for directory services.
2. With Azure AD Free, end users who have been assigned access to each SaaS app can see up to 10 apps in their Access Panel and get SSO access to them (assuming they have first been configured with SSO by the admin). Admins can configure SSO and assign user access to as many SaaS apps as they want with Free; however, end users will only see 10 apps in their Access Panel at a time.
Windows Intune features
Now let's look at Windows Intune. For that comparison I have included a sheet that compares it with its on-premises stepbrother and shows what you get if you mix them both.
Scenario | System Center 2012 R2 Configuration Manager | Windows Intune | System Center 2012 R2 Configuration Manager and Windows Intune |
Platform Support | | | |
Microsoft Windows | Yes | Yes | Yes |
Microsoft Windows Server | Yes | No | Yes |
Windows Phone | No | Yes | Yes |
Windows RT | No | Yes | Yes |
iOS | No | Yes | Yes |
Android | No | Yes | Yes |
Mac OS X | Yes | No | Yes |
Unix/Linux Servers | Yes | No | Yes |
Compliance Settings | | | |
Extensible Windows PC Device Configuration Settings (e.g., WMI, Registry) | Yes | No | Yes |
Extensible Mac OS X Configuration Settings | Yes | No | Yes |
Mobile Device Configuration Settings | No | Yes | Yes |
Deployment | | | |
Application Deployment | Yes | Yes | Yes |
Windows Operating System Deployment | Yes | No | Yes |
Security and Privacy | | | |
Software Updates | Yes | Yes | Yes |
Endpoint Protection | Yes | Yes | Yes |
Administration and Reporting | | | |
Software Metering | Yes | No | Yes |
Hardware and Software Inventory | Yes | Yes | Yes |
Custom hardware and software inventory | Yes | No | Yes |
Role-based Administration and Reporting | Yes | No | Yes |
Unified Reporting for Cloud- and Corporate-connected Devices | No | No | Yes |
Cloud-based Reporting | No | Yes | No |
Data Protection for mobile devices | | | |
Security Settings | Yes | Yes | Yes |
Remote Wipe | Yes | Yes | Yes |
Remote Lock | No | Yes | No |
Passcode Reset | No | Yes | No |
For a list of settings that you can configure on mobile devices, see:
- Mobile Device Management Capabilities in Windows Intune
- Compliance Settings for Mobile Devices in Configuration Manager
For information about new features in Windows Intune, see Windows Intune Service Updates.
Azure Rights Management
Azure Rights Management lets you encrypt and assign usage restrictions to content when your organization subscribes to Microsoft online services. Rights Management helps protect content that is created and exchanged by using Microsoft Office as well as other applications or services that have been updated to integrate with the Rights Management service. By implementing a cloud-based rights management service, Rights Management provides an alternative for organizations seeking information protection capabilities within Microsoft Office 365.
Information Rights Management (IRM)
- Help protect data across different workloads such as SharePoint, Exchange, and Office documents by easily applying Information Rights Management to set up policy-based permissions rules.
- Help protect emails against unauthorized access by applying different IRM options to your email messages.
- Enhance security of your SharePoint libraries by using IRM to set up appropriate permissions.
- Help keep your information safe, online or offline, because your files are protected whether they’re viewed using Office Online or downloaded to a local machine.
- Seamless integration with all Office documents helps guard your organization’s intellectual property.
- Apply custom templates based on your business needs in addition to using default Rights Management Services templates.
- Safeguards sensitive information. Applications and services such as Microsoft Office 2010 and Microsoft Office Professional Plus 2013, SharePoint Online and Microsoft Exchange Online are enabled to help safeguard sensitive information. Users and administrators can define who can open, modify, print, forward, or take other actions with the information. Organizations are provided usage policy templates such as “Company Confidential – Read Only” that can be applied directly to the information.
- Provides persistent protection. Rights Management persists protection of file data when at rest and in motion. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information.
- Supports closer management of usage rights and conditions. Organizations and individuals can assign usage rights and conditions using rights management that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire.
- Integrates rights management with Office 365. Rights Management is integrated with SharePoint Online, Exchange Online, and other Office 2010 and Office Professional Plus 2013 applications to provide rights management functionality across the Microsoft Office suite.
Office 365 Message Encryption
Deliver confidential business communications with enhanced security, allowing users to send and receive encrypted email as easily as regular email directly from their desktops.
- Send encrypted emails to anyone, independent of which mail service the recipient uses.
- Grow your organization’s brand by enhancing the contents of the mail and your users’ experience with your custom logo or disclaimer.
- Strong integration with Exchange transport rules allows you to set up encryption/decryption using a single action.
- The clean Office 365 user interface makes it easier to read, review and respond to encrypted mail.
- Help protect the entire conversation by encrypting an entire email thread without requiring any service subscription for recipients.
And finally, to compare it with what you might already have on-premises:
Azure Rights Management | Active Directory Rights Management Services (AD RMS) |
Supports information rights management (IRM) capabilities in Microsoft Online services such as Exchange Online and SharePoint Online, as well as Office 365. Also supports on-premises Microsoft server products, such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI). | Supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI). |
Enables implicit trust between organizations and users in any organization. This means that protected content can be shared between users within the same organization or across organizations when users have Microsoft Office 365, or Azure Rights Management, or users sign up for RMS for individuals. | Trusts must be explicitly defined in a direct point-to-point relationship between two organizations by using either trusted user domains (TUDs) or federated trusts that you create by using Active Directory Federation Services (AD FS). |
Provides two default rights policy templates that restrict access of the content to your own organization; one that provides read-only viewing of protected content and another template that provides write or modify permissions for the protected content. You can also create your own custom templates. For more information, see Configuring Custom Templates for Azure Rights Management. In addition, users can define their own set of permissions if the templates are not sufficient. | Provides two default rights policy templates that restrict access of the content to your own organization; one that provides read-only viewing of protected content and another template that provides write or modify permissions for the protected content. You can also create your own custom templates. For more information, see AD RMS Policy Template Considerations. In addition, users can define their own set of permissions if the templates are not sufficient. |
Minimum supported version of Microsoft Office is Office 2010, which requires the RMS sharing application. Microsoft Office for Mac 2011 is not supported. | Minimum supported version of Microsoft Office is Office 2007. Microsoft Office for Mac 2011 is supported. |
Supports the RMS sharing application for Windows and mobile devices. | Supports the RMS sharing application for Windows. |
Minimum supported version of the Windows client is Windows 7. | Minimum supported version of the Windows client is Windows Vista Service Pack 2. |
Mobile device support includes Windows Phone, Android, iOS, and Windows RT. Email support by using Exchange ActiveSync IRM is also supported on all mobile device platforms that support this protocol. | Mobile device support is restricted to Windows Phone. Email support by using Exchange ActiveSync IRM is supported on all mobile device platforms that support this protocol. |
Supports Cryptographic Mode 2 without additional configuration, which provides stronger security for key lengths and encryption algorithms. For more information, see the Cryptographic controls for signing and encryption section in this topic, and AD RMS Cryptographic Modes. | Supports Cryptographic Mode 1 by default and requires additional configuration to support Cryptographic Mode 2 for stronger security. For more information, see the Cryptographic controls for signing and encryption section in this topic, and AD RMS Cryptographic Modes. |
Supports outbound migration from Azure Rights Management to Active Directory Rights Management Services (AD RMS). Does not currently support migration from AD RMS. | Supports migration from Azure Rights Management and migration from Windows Server 2003 AD RMS. |