With the increased excitement around EMS within the industry, many organizations are trying to figure out how it fits into the overall business strategy for their company. As a whole, the offering sounds appealing, and Microsoft is driving for client adoption, but we have seen organizations struggle to match the capabilities of the suite (Microsoft Azure Active Directory Premium, Windows Intune, and Azure Rights Management) with their individual user base and business direction. Microsoft has released a great customer story outlining The Walsh Group’s adoption of EMS, and how it has been a differentiator for their business. Below is the customer story from Microsoft:
The Walsh Group, a construction firm, is busy building strategies to accommodate the proliferation of employee-owned devices used on job sites across the United States. For Walsh, the business case for enabling BYOD (bring your own device) is clear: the more employees can use their devices to access and share corporate resources from anywhere at any time, the better they can collaborate on efficient project management. The company turned to the Microsoft Enterprise Mobility Suite to enable this new workplace scenario.
Founded in 1898, the Walsh Group is a family-held business that specializes in large-scale construction projects, including airports, highways, and correctional facilities. In 2013, Walsh was recognized as the top bridge builder in the United States by Engineering News-Record. Walsh builds its business with as much care as it constructs large-scale installations for its clients, always managing its workload to minimize financial risk and never undertaking a contract without the proper resources to guarantee its success. To that end, the company has invested in a modern technology foundation to support every aspect of its business, using solutions that drive efficiency while minimizing costs.
Taking Steps to Promote Mobility
Most recently, Walsh turned its attention to new IT strategies that boost mobility and productivity for employees. “As a general rule of thumb, the more time our project managers and engineers spend in the field, the better we are as a company,” says Patrick Wirtz, Innovation Manager for the Walsh Group. “These managers are responsible for information flow and the cost of the project. Instead of sitting at their desks looking at blueprints, they’d prefer to be out walking the site, talking to supervisors and tradespeople. They need to access and share critical project information in the field so everyone stays informed about project developments. If an issue arises, everyone can work together to take action and avoid costly rework and delays.”
Walsh took one of its first steps toward promoting employee mobility in 2013, when it subscribed to Microsoft Office 365. Employees began bringing their own devices to work to access the cloud-based business email, collaboration, video conferencing, and file storage services, as well as Microsoft Office applications. They liked the convenience of anytime, anywhere access to their business productivity tools. “We saw a proliferation of unmanaged, noncorporate-owned devices, and we were getting requests to access more and more corporate data and resources from employees using their own devices on the work site,” says Wirtz.
Walsh owns approximately 1,500 iPhones. These, along with 300 iPads, are deployed to management staff. However, Wirtz estimates that there are approximately 2,400 employee-owned iPads carried onto job sites across the country every day. “We wanted to accommodate users’ requests to access data on their own devices because we know the business value in enabling mobility. But to do that, we needed a better handle on who was using what device to access what data,” says Wirtz. “In the construction industry, we deal with a lot of confidential data, especially with government contracts. It is vitally important that proprietary information, such as data that we use when bidding for new contracts, doesn’t fall into the wrong hands.”
A Blueprint for Enterprise Mobility
So instead of supporting a small, managed set of corporate-approved hardware, Walsh IT staffers needed to address the challenges of an emerging bring-your-own-device (BYOD) scenario. More employees wanting to use their own devices and a growing demand for ubiquitous—and secure—access to information had changed the IT landscape with as much impact as a bulldozer clearing a new job site. Instead of focusing its management objectives on corporate devices, Walsh needed to turn its attention to accommodating employees and how they wanted to access their applications—anywhere, anytime, on any device.
“We had to start with identity before we could manage users’ devices,” says Wirtz. “We wanted a centralized identity management solution that covered employees’ access to both cloud and on-premises applications and data. Next we needed a tool to manage and secure their devices, and finally we needed a way to protect the corporate data that was being accessed and shared. In other words, to enable mobility and productivity, we needed to know our users, know their devices, and know that our data was safe.”
Walsh didn’t want to buy and manage multiple third-party tools to enable this scenario. “We are committed to moving to cloud computing where we can,” says Wirtz. “It’s cost-effective and frees up time for IT staff to deliver more strategic value to the company. So we began looking for a single, cloud-based solution that would take us as far as we could go with our enterprise mobility strategies.”
The Walsh Group found the cloud-based mobility solution that it needed: the Microsoft Enterprise Mobility Suite. IT staffers are using the suite’s three cloud-based services—Microsoft Azure Active Directory Premium, Windows Intune, and Azure Rights Management—for user identity and access management, mobile device management, and file and data protection capabilities. “The Enterprise Mobility Suite offered everything we needed in one, cost-effective package,” says Wirtz. “We spent less on 2,700 licenses for the entire suite than it would have cost for one third-party mobile device management solution.”
Walsh deployed the Enterprise Mobility Suite in June 2014. IT teams were impressed with how easy it was to subscribe to the services and set up the components. “With a lot of the features, we could see immediate benefits with only a couple of hours’ worth of work,” says Wirtz. “We deployed the different components of the suite concurrently; for example, the network team worked on the application proxy capabilities and the help desk worked on the self-service and password reset features.”
Walsh also took advantage of usage rights for Microsoft Forefront Identity Manager server and client access licenses (CALs) that are included with the Enterprise Mobility Suite. Walsh gets an unlimited number of server licenses and a CAL for every Azure Active Directory Premium licensed user.
A Unified Environment
An added benefit for Walsh is that most of the components work with the on-premises technology that the company already has. Azure Active Directory Premium works with Active Directory, the directory service that comes with the Windows Server 2012 R2 operating system. The Walsh IT staff gains a directory in the cloud for identity and access management to software-as-a-service applications that syncs with its on-premises directory for single sign-on across cloud and on-premises applications.
Similarly, Windows Intune, the mobile device management element of the solution, connects with the Microsoft System Center Configuration Manager component of System Center 2012, thus providing a single console for both tools. IT staffers use this console to develop user-centric device and application management policies that cover both devices that are domain-joined and those that are not domain-joined.
Finally, Walsh IT staffers who are familiar with file and data protection features in Active Directory Rights Management Services, a server role within Windows Server 2012, now get those capabilities and more from Microsoft Azure Rights Management, the cloud-based service.
“The Enterprise Mobility Suite gave us the benefit of deployment flexibility,” says Wirtz. “We could enable features as we saw fit, without replacing our existing technology. Everything runs in tandem with our existing infrastructure, so we don’t have to worry about affecting the organization with a disruptive upgrade—and we maximize the benefits of both on-premises and cloud-based IT investments.”
Walsh is using Windows Intune to administer 2,400 nondomain-joined devices. When employees enroll their devices in the Windows Intune service, they can access the Windows Intune Company Portal to download company-endorsed applications and services, including Office 365 services such as Microsoft SharePoint Online collaboration sites and OneDrive for Business online storage space. “It is only because we use Windows Intune to manage and secure employees’ devices that we can enable mobile access to corporate resources,” says Wirtz.
By choosing the Enterprise Mobility Suite, the Walsh Group got the comprehensive cloud solution that it needed to support people-centric IT policies that embrace employee BYOD. By taking this step to accommodate a new workplace reality, IT staffers at Walsh are helping their organization increase productivity. “We use the Enterprise Mobility Suite to empower employees to use their own devices to securely access and share their data,” says Wirtz. “The upshot? We’re improving project management and reducing costs.”
Improved Security Boosts Competitive Advantage
When Walsh bids for government contracts, it has to be able to protect confidential blueprints, especially for maximum-security buildings such as correctional facilities. If blueprints are lost or stolen, it could cost a construction company many millions of dollars to redesign the building. Before subscribing to the Enterprise Mobility Suite, Walsh locked its blueprints inside a trailer at a construction site, and project managers wasted time walking back and forth every time they needed to refer to the documents. “By using the Enterprise Mobility Suite to manage employee access policies, we are now securely delivering blueprints to project managers’ devices, right in the field,” says Wirtz. “Such capabilities give us a competitive advantage when we are bidding for government contracts.”
Walsh uses the Enterprise Mobility Suite to enhance data security and reduce risk in other ways. According to Wirtz, there’s an uptick in “suspicious sniffer traffic from abroad” when the company is working on a US government contract. A sniffer is a piece of software that “listens” to the data flowing into and out of a computer attached to a network. Today, Walsh is mitigating the risk of network vulnerabilities by using the reporting capabilities in the Enterprise Mobility Suite to flag abnormal logons. “We can see anomalies, such as one person logging on to two different machines on the East Coast and the West Coast at the same time,” says Wirtz. “Now suspicious activities can be investigated before any damage is done.”
Walsh also uses the multifactor authentication capabilities within the Enterprise Mobility Suite to help mitigate the risk of spear phishing, which focuses on a single user or department within an organization. “We like the flexible multifactor authentication options because they help to minimize impact to our users,” says Wirtz. “We are using the option that requires multifactor authentication only in certain scenarios, such as when the employee isn’t in the office or is using a new device.”
Enhanced Collaboration Promotes Business Agility
As requests for proposals come on the market, Walsh could be competing with a company for one contract and very quickly be working with the same company in a joint venture on another project. The faster Walsh can move to grant access to the appropriate project information to federate with these new partners, the quicker both companies can get to work and stay in control of project deadlines. Walsh uses identity federation within the Enterprise Mobility Suite to help quickly and securely share data and collaborate with external businesses. “We quickly grant access to documents stored in our SharePoint Online environment to employees in a partner company using their own Active Directory user name and password,” says Wirtz. “Just as quickly, we can remove that access. And individuals who leave a partner’s employ are automatically blocked from access to Walsh data.”
Walsh is investigating using the Enterprise Mobility Suite to publish its applications on the Internet in a more secure manner than its current method of using a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). “We want to share elements of our enterprise resource planning solution with contractors for cost reporting, so we need that application to be as secure as if it was behind our own firewall,” says Wirtz. “We can achieve this using Application Proxy capabilities within the Azure Active Directory Premium service.”
Improved Information Flow Helps Win Contracts
At Walsh, bidding for contracts is a collaborative effort that requires sharing sensitive information. In order to estimate costs and profits, the company needs to calculate the “production rate,” which sums up historical data from past jobs, such as how much concrete can be poured at a time. If competitors get hold of this information, it means they can underbid for the contract. To protect its data, only senior estimators at Walsh were entrusted with distributing production rates to other estimators around the country so they could bid on different contracts.
“Our senior estimators challenged us to find a better way to securely distribute production rate data throughout the company, so we turned to the Enterprise Mobility Suite,” says Wirtz. “Now chief estimators use the Azure Rights Management service to assign policy-based access to the Microsoft Excel spreadsheets they send out. So only those employees who need to see production rate data will be able to.”
With this extra level of security at the file level, Walsh can distribute its content more directly throughout the company. “We are compiling our bids approximately 20 percent faster so we get our quotes in ahead of the competition,” says Wirtz. “Also, we are reducing the opportunity for manual errors while creating quotes, which could potentially save us millions of dollars due to inaccurate estimates.”
This capability also means that if a competitor gets access to the Excel sheet that contains Walsh production rate data, that person won’t be able to open or read the data because Azure Rights Management checks the identity of the user before the file can be opened.
Reduced IT Labor Enables Better Service to the Business
Since deploying the comprehensive enterprise mobility solution, Walsh IT staffers spend less time on administrative details. Wirtz estimates the IT department will save 15 hours a week by not having to manage the perimeter network. The help-desk staff is saving two hours a week from the 40 password reset requests that it usually gets every week, thanks to the self-service password reset capabilities that come with the Enterprise Mobility Suite.
“Because we now have a single source of truth regarding user identities and access to cloud and on-premises applications, we are offloading a lot of work in IT,” says Wirtz. “Beyond all the direct business benefits to the company that the Enterprise Mobility Suite delivers—a better competitive advantage, improved business agility, enhanced security, reduced costs—the big benefit for IT is that it enables us to be more of a strategic partner for the company. It’s been a great experience so far.”
To see the original article and other great literature on EMS, please visit https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=10780.