October 18, 2015

Windows 10 - Identity - Part 2

"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke, "Profiles of The Future", 1961

In my previous blog post, I introduced a few identity concepts and how they fit in with Windows 10. In this session, I’ll cover some of the how/what/why. This will also serve as a type of “tying it all together” from some of the other blog entries I’ve done regarding mobility and security.

To begin, let’s say you recently rolled out Windows 10 to several thousand pilots who fly for a major US airline. The pilots and copilots visited their local electronics superstore and picked up a Surface Pro 3 with Windows 10 on it. They opened it up and logged in with their personal identity – perhaps a Microsoft Account they use for Outlook.com, the Windows Store, etc. If they had another device at home already running Windows 10, they are pleasantly surprised that their desktop background, applications, recent documents, etc. all appear magically on the new device. That magic is the Microsoft Account identity behind the scenes. The pilot then opens Edge and navigates to Office 365 and logs in with a company username and password. Detecting that this is an untrusted, unmanaged device, Office 365 sends the pilot a text message with a code. The pilot enters the code into Edge and is then presented with company mail. Once there, the pilot clicks on an email message that contains instructions for making this personal device a company device, along with a magical file called a provisioning package. The pilot clicks through a prompt or two acknowledging that the device is about to become a corporate-managed device. Once that finishes, a few things in our scenario are now true:

  1. The pilot’s personal computer is still his personal computer – it has all of his personal identity things working – games, music, pics, background, etc.
  2. This computer now has an additional identity, a corporate one. As a result, the airline has set him up with a PIN code instead of a password, encrypted the device, enrolled it in mobile device management and installed a few applications he may need.
  3. There are OTHER identities that may also be present on the computer – like Facebook or Twitter. These continue to work just like before.

Once personal and work experiences are combined on one device, the obvious question is: how do we prevent data loss and contamination? How do we keep the personal things separate from the business things? The identity management tools to the rescue! The magic bullet comes in the form of the common save dialog box, which includes options for personal or company containers and arrives with Threshold 2.

That is the common file save dialog – it exists in every application that saves files. This is where the pilot makes the first choice when saving something – is this personal or corporate? If personal, send it to OneDrive. If corporate, send it to an “Enterprise Folder” that is protected, encrypted, and audited. Next, we move over to Windows Explorer, where a column in the standard Explorer grid shows which encryption or device policy applies to each file.

This is where we see identities really coming into action. I can quickly see which files are personal and which ones are corporate. The two identities are able to exist together in the same user profile! It’s magic! Even more, when logging in to the computer, I also get single sign-on to all the company apps, like Office 365, the company’s flight management system, and any other system hooked up for single sign-on.

Now, let’s say the device gets lost or stolen, or the pilot moves to another airline. With the flick of a switch back in IT, every piece of content that was managed under the corporate identity is wiped securely and permanently, without the pilot having to come into the office. The corporate identity is now gone, leaving only the personal identity (or identities) and the context, apps, files, etc. that belong to it.
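To make the separation-and-wipe idea concrete, here is an added Python model of what the post describes: each save is tagged with the identity chosen in the save dialog, corporate content is encrypted under a key that only the corporate identity holds, the Explorer-style policy column is derived from that tag, and a remote wipe simply destroys the corporate key so the corporate files become unreadable while personal files keep working. This is example code written for this page, not Windows code or the Microsoft implementation; the `Device` class, the two container names and the HMAC-based keystream are constructed stand-ins so the model runs offline.

```python
"""Toy model of per-identity data separation and selective (crypto-erase) wipe.

Added illustration, not the Windows 10 implementation: Windows uses EFS keys
and MDM policy for this; the containers and cipher below are stand-ins.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PERSONAL = "personal"    # constructed container name (e.g. OneDrive)
CORPORATE = "corporate"  # constructed container name (the "Enterprise Folder")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode keystream; a toy, not a production cipher.
    XORing twice with the same key and nonce returns the original bytes."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


@dataclass
class StoredFile:
    name: str
    identity: str      # which identity the save dialog chose
    nonce: bytes
    ciphertext: bytes


@dataclass
class Device:
    # One key per provisioned identity; the corporate key is what IT controls.
    keys: dict = field(default_factory=lambda: {PERSONAL: os.urandom(32),
                                                CORPORATE: os.urandom(32)})
    files: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # corporate saves and wipes are logged

    def save(self, name: str, identity: str, content: bytes) -> None:
        """The save dialog choice: route the file to a container and encrypt under its key."""
        if identity not in self.keys:
            raise PermissionError(f"identity {identity!r} is not provisioned on this device")
        nonce = os.urandom(12)
        self.files.append(StoredFile(name, identity, nonce,
                                     _keystream_xor(self.keys[identity], nonce, content)))
        if identity == CORPORATE:
            self.audit.append(("save", name))

    def open(self, name: str) -> bytes:
        """Decrypt a file; fails if its identity's key has been revoked."""
        f = next(x for x in self.files if x.name == name)
        key = self.keys.get(f.identity)
        if key is None:
            raise PermissionError(f"{name}: the {f.identity} identity was removed from this device")
        return _keystream_xor(key, f.nonce, f.ciphertext)

    def policy_column(self) -> list:
        """The Explorer column: which protection policy applies to each file."""
        return [(f.name, "Enterprise" if f.identity == CORPORATE else "Personal")
                for f in self.files]

    def selective_wipe(self, identity: str = CORPORATE) -> None:
        """Remote wipe of one identity: destroying its key is the wipe.
        Ciphertext may remain on disk but is now unreadable; other identities are untouched."""
        self.keys.pop(identity, None)
        self.audit.append(("wipe", identity))


if __name__ == "__main__":
    d = Device()
    d.save("roster.xlsx", CORPORATE, b"flight roster")   # constructed sample content
    d.save("vacation.jpg", PERSONAL, b"beach")
    print(d.policy_column())
    d.selective_wipe()
    print(d.open("vacation.jpg"))                        # personal data survives
    try:
        d.open("roster.xlsx")
    except PermissionError as e:
        print("corporate data gone:", e)
```

The point the model makes is that a selective wipe does not need the device in hand: once the corporate key is gone, every corporate file is unrecoverable wherever the bytes live, and nothing saved under the personal identity is affected.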