System Center 2012 R2 Configuration Manager with Windows Intune: Product Overview (June 2013)
Today's challenges (Users, Devices, Apps, Data)
- Users: users expect to be able to work in any location and have access to all their work resources.
- Devices: the explosion of devices is eroding the standards-based approach to corporate IT.
- Apps: deploying and managing applications across platforms is difficult.
- Data: users need to be productive while the organization maintains compliance and reduces risk.

People-centric IT (Management. Access. Protection.)
- Enable your end users: allow users to work on the devices of their choice and provide consistent access to corporate resources.
- Unify your environment: deliver unified application and device management on-premises and in the cloud.
- Protect your data: help protect corporate information and manage risk.
Selecting the Management Platform
- Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune.
- Cloud-based Management: standalone Windows Intune, for organizations with no existing Configuration Manager deployment, that want simplified policy control, have fewer than 7,000 devices and 4,000 users, and prefer a simple web-based administration console.

Intune: Manage and Secure PCs and Devices Anywhere
Simple web-based administration console and a richer experience for information workers. The latest release provides:
- Help protect PCs from malware
- Manage updates
- Distribute software
- Proactive monitoring and alerts
- Remote assistance
- Hardware and software inventory
- License monitoring and tracking
- Increased insight with reporting
- Security policies
- Richer mobile device management

System Center 2012 R2 Configuration Manager
- Empower users: empower people to be more productive from almost anywhere on almost any device.
- Unify infrastructure: reduce costs by unifying IT management infrastructure.
- Simplify administration: improve IT effectiveness and efficiency.
Empower Users Unified Device Management User-centric Application Delivery
Unified Device Management
- Windows PCs (x86/x64, Intel SoC), Windows To Go
- Windows Embedded
- Mac OS X
- Windows RT, Windows Phone 8
- iOS, Android

Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr agent, or management agent (OMA-DM) | Software Center / Application Catalog; Windows Company Portal app
Windows PC (Windows 8, Windows 7, Vista, XP) | ConfigMgr agent | Software Center / Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM protocol (native) | iOS Company Portal app
Android | Android MDM agent (OMA-DM, native) | Android Company Portal app
Mac | ConfigMgr agent | Limited self-service experience
Linux/UNIX | ConfigMgr agent | N/A
Registering and Enrolling Devices
- Users can enroll devices, which configures the device for management by Windows Intune; the user can then use the Company Portal for easy access to corporate applications.
- Data from Windows Intune is kept in sync with Configuration Manager, which provides unified management across on-premises and cloud-managed devices.
- Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device; that certificate is the device's credential, so its presence and validity is what later device-aware access decisions depend on.
- As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
- IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity; multi-factor authentication can be added through Windows Azure Active Authentication (formerly PhoneFactor).
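The slide names two artifacts that Workplace Join leaves behind: a certificate on the device and a device object in Active Directory. The script below is an added example (it is not from the deck or from Microsoft) that checks both from a Windows 8.1 client. It assumes, and labels as assumptions, that the Workplace Join certificate is the user certificate in CurrentUser\My issued by "MS-Organization-Access", and that the directory object is an msDS-Device under CN=RegisteredDevices in the domain partition whose CN is the device GUID from the certificate subject and whose msDS-RegisteredOwner holds the owner's SID.

```powershell
# Added example, not part of the original deck: verify the two Workplace Join artifacts
# the slide describes (device certificate + AD device object) from a Windows 8.1 client.
# Assumptions (not stated on the slide):
#  - the Workplace Join certificate is in CurrentUser\My and is issued by "MS-Organization-Access"
#  - the AD object is an msDS-Device under CN=RegisteredDevices,<domain DN>, its CN is the
#    device GUID found in the certificate subject, and msDS-RegisteredOwner holds the owner SID

function Get-WorkplaceJoinCertificate {
    # Client side: the device credential issued to this user by AD FS Device Registration.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

function Get-RegisteredDeviceObject {
    # Directory side: the msDS-Device object created at registration time.
    param([Parameter(Mandatory = $true)][string]$DeviceId)   # GUID taken from the cert subject (CN=<guid>)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $base     = "LDAP://CN=RegisteredDevices,$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
    $searcher.Filter = "(&(objectClass=msDS-Device)(cn=$DeviceId))"
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'msDS-RegisteredOwner', 'msDS-IsEnabled', 'whenCreated'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    # msDS-RegisteredOwner is stored as a binary SID (assumption); translate it for the report.
    $ownerSid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$result.Properties['msds-registeredowner'][0], 0)
    try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $ownerSid.Value }   # SID stays readable even if it cannot be resolved

    [pscustomobject]@{
        DeviceId = $result.Properties['cn'][0]
        Owner    = $owner
        Enabled  = [bool]$result.Properties['msds-isenabled'][0]
        Created  = $result.Properties['whencreated'][0]
    }
}

function Test-WorkplaceJoin {
    # Ties the two together. An expired certificate, or a missing/disabled device object,
    # means device-aware access through the Web Application Proxy will not treat this
    # device as registered, even though the user can still sign in with a password.
    $cert = Get-WorkplaceJoinCertificate | Select-Object -First 1
    if (-not $cert) { return 'Not registered: no Workplace Join certificate in CurrentUser\My' }
    if ($cert.NotAfter -lt (Get-Date)) { return "Registered but certificate expired on $($cert.NotAfter)" }

    $deviceId = $cert.Subject -replace '^CN=', ''
    $obj = Get-RegisteredDeviceObject -DeviceId $deviceId
    if (-not $obj)        { return "Certificate present but no msDS-Device object for $deviceId (orphaned registration)" }
    if (-not $obj.Enabled) { return "Device $deviceId is registered but disabled in AD" }
    return "Registered: device $deviceId owned by $($obj.Owner), created $($obj.Created)"
}

Test-WorkplaceJoin
```

Run it as the user who performed the Workplace Join, from a machine that can reach a domain controller; the certificate check alone (Get-WorkplaceJoinCertificate) works offline and is the quickest way to confirm that "a certificate is installed on the device" actually happened for a given user.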
Solution | Feature | Products
Simplify BYOD registration and enrollment | Web Application Proxy; Active Directory Federation Services (AD FS); device management | Windows Server 2012 R2; System Center 2012 R2 Configuration Manager and Windows Intune
Enable consistent access to corporate resources | Work Folders; Web Application Proxy; Company Portal | Windows Server 2012 R2; System Center 2012 R2 Configuration Manager and Windows Intune
Enable modern work styles with Microsoft Virtual Desktop Infrastructure (VDI) | Session shadowing; deduplication storage; storage tiering; RemoteApp; quick reconnect; codec and display improvements | Windows Server 2012 R2 (Hyper-V, Remote Desktop Services); System Center 2012 R2 Configuration Manager
Automate how users connect to internal resources | Web Application Proxy; support for VPN and Wi-Fi profiles | Windows Server 2012 R2; System Center 2012 R2 Configuration Manager and Windows Intune

Solution | Feature | Products
Selectively wipe devices | Selective wipe | System Center 2012 R2 Configuration Manager and Windows Intune
Centralize corporate information for compliance and data protection with policy-based access control | Web Application Proxy; Work Folders; Dynamic Access Control | Windows Server 2012 R2 (Web Application Proxy, Work Folders); Windows Server 2012 (Dynamic Access Control); System Center 2012 R2 Configuration Manager and Windows Intune
Enable multi-factor authentication and rights management services | Multi-factor authentication; Web Application Proxy; Active Directory Federation Services | Windows Azure Active Authentication (multi-factor authentication); Windows Server 2012 R2 (Web Application Proxy, AD FS)

Solution | Feature | Products
Extend your existing System Center Configuration Manager infrastructure and manage mobile devices through the cloud | Unified management infrastructure | System Center 2012 R2 Configuration Manager and Windows Intune
Simplify user-centric management across devices | Unified device management | System Center 2012 R2 Configuration Manager and Windows Intune
Enable comprehensive settings management across platforms | Device management policies; software distribution; distribution point usage reports and management | System Center 2012 R2 Configuration Manager and Windows Intune (policies, software distribution); System Center 2012 R2 Configuration Manager (distribution point reports)
Define a common identity for accessing resources on-premises and in the cloud | Windows Server Active Directory Domain Services; Windows Azure Active Directory | Windows Server 2012 R2; Windows Azure Active Directory
What's New in Mobile Device Inventory?
Personal vs. corporate-owned devices
- By default, user-enrolled devices are Personal; the admin can mark devices as corporate-owned.
App inventory
- Personal devices: inventory of applications installed by ConfigMgr/Intune only.
- Corporate devices: complete inventory of all applications on the device.*
App management
- New global condition to differentiate app installs on corporate versus personal devices.
* iOS: Apple MDM allows inventory of MDM-provisioned apps only.

Mobile Device Settings in ConfigMgr 2012 R2
Platforms: Windows 8.1 PC & RT | Windows Phone 8 | iOS | Android
Setting categories: VPN; Wi-Fi; Certificates; Password (*); Device restrictions (*); Email (*); Store access; Browsers (*); Content rating; Cloud sync; Encryption (*); Security (*)
(*) Only a subset of settings is available on some platforms.
Note: table applies to direct MDM, not to EAS-managed devices.

Mobile device inventory properties (columns: Windows RT | Windows Phone 8 | iOS | Android (EAS); the Y marks after each property are the platform support flags in column order as extracted)
- Device name: Y Y Y Y
- Unique device ID: Y Y Y
- Serial number: Y
- Email address: Y Y Y Y
- OS type: Y Y Y
- OS version: Y Y Y Y
- OS language: Y Y
- Total storage space (GB): Y Y
- Free storage space (GB): Y Y
- System enclosure / chassis
- IMEI: Y Y
- Manufacturer: Y Y
- Model: Y Y Y Y
- Phone number (masked except last 4 digits): Y Y
- Subscriber carrier
- Cellular technology (none, GSM, CDMA): Y Y
- Wi-Fi MAC: Y Y
- Enrolled date (local time): Y Y Y
- Last contact (local time): Y Y Y Y
- Last Exchange status; last policy update status; access state; access state reason; management state; ActiveSync ID (EAS-sourced properties)
Resource Access Configuration
New features*
- Configure networking profiles: VPN profiles, support for Windows 8.1 Automatic VPN, Wi-Fi protocol and authentication settings
- Management and distribution of certificates
Benefit: end users get access to company resources with no manual steps.
Platforms: Windows 8.1, Windows 8.1 RT, iOS, Android

VPN Profile Management
- Support for major SSL VPN vendors: Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 (a subset of vendors have a Windows / Windows RT VPN plug-in)
- Support for VPN standards: PPTP, L2TP, IKEv2. Practitioner note: PPTP's MS-CHAPv2 authentication is known to be weak, so where a profile can use IKEv2 or a vendor SSL VPN, prefer it.
- Automatic VPN connection: DNS name-based initiation for Windows 8.1 and iOS; application ID-based initiation for Windows 8.1

Wi-Fi and Certificate Profiles
Wi-Fi settings
- Manage Wi-Fi protocol and authentication settings
- Provision Wi-Fi networks the device can auto-connect to
- Specify the certificate to be used for the Wi-Fi connection
Manage and distribute certificates
- Deploy trusted root certificates
- Support for the Simple Certificate Enrollment Protocol (SCEP); in Configuration Manager this is delivered through the Network Device Enrollment Service (NDES) with the Configuration Manager policy module, so the NDES server and its challenge handling become part of the trust boundary for every certificate issued to a device

Work Folders
- Sync files and data across devices
- New feature in the Windows 8.1 client and Windows Server 2012 R2
- Configuration Manager and Windows Intune support: new settings to provision the Work Folders discovery settings; Company Portals have links to Work Folders
Protect your Data
Help protect corporate information and manage risk.
(Lifecycle diagram: enrollment; device lost or stolen; device retired. Personal apps and data stay on the device; company apps and data, RemoteApp, centralized data and policies are what IT controls and removes.)

Full and Selective Wipe
Platforms: Windows 8.1 (x86/RT, OMA-DM managed) | Windows 8 RT | Windows Phone | iOS | Android
Full wipe
- Windows 8.1 (OMA-DM) and Windows 8 RT: email only (through EAS); Windows Phone, iOS, Android: full device wipe
Selective wipe
- Corporate apps (from ConfigMgr / Intune): Windows 8.1: uninstalled and sideloading key removed; Windows 8 RT: sideloading key removed
- VPN and Wi-Fi profiles: removed
- Certificates: revoked on server (Windows 8.1, Windows Phone, iOS, Android); N/A on Windows 8 RT
- Settings: policy enforcement is removed (all platforms)
- Management agent: N/A, built into OS (Windows 8.1, Windows 8 RT, Windows Phone); management profile removed (iOS); device administrator privilege is revoked (Android)
- Corporate app data: data remains encrypted if the app is EFS-aware (Windows 8.1 / RT); app container removed during uninstall (Windows Phone, iOS)

Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish Work Folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | - | Yes | Yes | Yes
Unified device management | - | - | Yes | Yes
Unified application management | - | - | Yes | Yes
Selective data wipe | - | - | Yes | Yes
Compliance reporting | - | - | Yes | Yes
Group Policy and logon scripts | - | - | - | Yes
OS deployment and imaging | - | - | - | Yes
Configuration management | - | - | - | Yes
Patch management | - | - | - | Yes
Anti-malware management | - | - | - | Yes
Full application management | - | - | - | Yes
BitLocker management | - | - | - | Yes
User-centric Application Delivery: Windows 8 Modern Apps
Benefits of Modern Apps for corporate applications:
- Software distribution updated for Windows 8 and Windows RT; apps from the Windows Store can be deployed through the firewall
- End-user installation is the same as today
- End users have one location for all enterprise apps

User-centric Application Delivery: Administration and Delivery
Evaluation criteria: user; device type; network connection; user/device relationships.
- Primary devices: MSI, App-V, Windows 8 apps, Windows 8 apps in the Windows Store
- Non-primary devices: VDI, Remote Desktop

User-centric Application Delivery: New Application Model
Application package: general information, administrator properties, end-user metadata.
Deployment types: App-V, Windows script, Windows Installer, .XAP, .APK, .IPA.
Each deployment type carries: detection method, install command, requirement rules, dependencies, supersedence.

User-centric Application Delivery: End User Self-Service
- IT: administrators publish software titles to the catalog, complete with metadata to enable search, and deliver the best user experience on each device.
- User: users can browse, select and install directly from the catalog; the application model determines the format and policies for delivery.

Unify Infrastructure
Reduce costs by unifying IT management infrastructure: compliance and settings management; software update management; endpoint protection; distribution point for Windows Azure; reduced infrastructure requirements; content management.
Hierarchy design: reasons that still apply versus reasons that are now obsolete
Site role | Reasons why | Obsolete reasons
Central Administration Site | Scale; support multiple primary sites | Political reasons; future-proofing your hierarchy (SP1 allows a stand-alone primary to join a CAS later)
Primary Sites | Client assignment (up to 100k); reduce impact of a primary site failing | Delegated administration; different client agent settings; language packs; DMZ/Internet-facing; untrusted forests (new in R2)
Secondary Sites | Content fan-out; manage upward flow of WAN traffic; content routing | Throttling (now in distribution points)
Distribution Points | Distribute content | Branch distribution points
Unified Device Management Configuration
Consolidation and Cross-platform Integration
Consolidation
- Co-locating site system roles onto a single server
- Eliminating servers required for client security
- Simplifying system architecture by reducing the number of sites
Cross-platform integration*
- Manage non-Windows desktops including Mac OS X
- Manage non-Windows servers including Linux and UNIX
- Access business apps on non-Windows machines via Citrix XenApp integration
* Cross-platform integration enhancements are available with Configuration Manager Service Pack 1 (beta released in September 2012).
"We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the maintenance costs." (Systems management administrator at a US-based manufacturing company)
600 hours or U.S. $30,000 saved each year due to reduced administration overhead (Business Value of Microsoft System Center 2012 Configuration Manager)

Microsoft and Interoperability
- Interoperability agreements with Novell, Citrix (Xen) and Red Hat to support Linux (Red Hat, SUSE, CentOS) on Hyper-V
- SVVP (Server Virtualization Validation Program) to certify non-Microsoft hypervisors for Microsoft support
- "DHMC runs both Windows Server as guest operating systems under Hyper-V, as well as Linux. To date, DHMC has virtualized Web servers, sites on Microsoft Office SharePoint Server, reporting servers, medical applications, domain controllers, file and print servers, Citrix servers, and more." (Dartmouth Hitchcock Medical Center case study)
- System Center Configuration Manager 2012 SP1 supports administering non-Windows platforms: Linux, UNIX (monitored by SCOM) and Mac OS X systems
- System Center Operations Manager 2012 SP1 supports monitoring of non-Windows systems, including Linux (Red Hat, SUSE, CentOS) and UNIX (HP-UX, Sun Solaris and IBM AIX); from January 2013 new Linux distributions are supported: Debian Linux, Oracle Linux, Ubuntu Linux Server
- System Center Virtual Machine Manager 2012 manages VMware ESX servers and Citrix XenServers

Linux and UNIX Servers
Supported operating systems across both Configuration Manager and Operations Manager:
- Red Hat Enterprise Linux: version 4 (x86/x64), version 5 (x86/x64), version 6 (x86/x64)
- Solaris: version 9 (SPARC), version 10 (SPARC/x86)
- SUSE Linux Enterprise Server: version 9 (x86), version 10 SP1 (x86/x64), version 11 (x86/x64)
Earlier versions are supported as long as the vendor provides support; broader Linux distro support is being evaluated for future releases.
Capabilities: hardware and software inventory; software deployment using the package and program model (deploy/patch software, deploy OS patches and run maintenance scripts that target a collection); consolidated reports.
Mac OS X
Security and Compliance: Endpoint Protection
- Unified infrastructure: simplified server and client deployment; streamlined updates; consolidated reporting.
- Comprehensive protection stack: behavior monitoring; antimalware; dynamic translation; Windows Firewall management.

Security and Compliance: Settings Management
Flow: a baseline is authored on the site (ConfigMgr MP) and assigned to collections; the ConfigMgr agent evaluates it on each client; on baseline drift the agent can auto-remediate or create an alert (to Service Manager).
Configuration item types: Active Directory, File, Script, Software Updates, WMI, Registry, XML, MSI, SQL, IIS.
Improved functionality:
- Copy settings
- Trigger console alerts
- Richer reporting
- Pre-built industry-standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator
- Enhanced versioning and audit tracking: ability to specify the versions used in baselines; audit tracking includes who changed what
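The "Script" configuration item type is how a baseline checks something no built-in CI type covers, and "auto remediate" on drift means the remediation script runs as LocalSystem on every client in the collection, so it deserves the same review as any deployed code. The block below is an added example (not from the deck, not Microsoft's) of the discovery/remediation pair for a registry-backed setting. The setting chosen, LmCompatibilityLevel = 5 (NTLMv2 only), is a sample hardening value picked for illustration, and the CI rule it assumes is "the value returned by the script equals Compliant".

```powershell
# Added example, not part of the original deck: a script-based configuration item for a
# ConfigMgr 2012 R2 baseline. Assumptions: the CI compliance rule is "script output
# equals 'Compliant'"; the sample setting (LmCompatibilityLevel = 5) is an illustration.
# The client runs both scripts as LocalSystem; the client setting "PowerShell execution
# policy" (Bypass / Restricted / All Signed) decides whether unsigned scripts run at all.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name     = 'LmCompatibilityLevel'
$Expected = 5   # 5 = send NTLMv2 only, refuse LM and NTLM

function Get-SettingState {
    # Returns the current DWORD, or $null when the value is absent. Absence is treated as
    # drift, not as "nothing to check", because the OS default is weaker than $Expected.
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Discovery {
    # Discovery script body: ConfigMgr captures stdout and compares it with the rule value.
    # Only one line may be written, so nothing else in this path may emit output.
    $current = Get-SettingState
    if ($current -eq $Expected) { 'Compliant' } else { 'NonCompliant' }
}

function Invoke-Remediation {
    # Remediation script body: runs only when the CI evaluated non-compliant and the
    # deployment has "Remediate noncompliant rules when supported" enabled.
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $Name -Value $Expected -Type DWord
    # Re-evaluate so the result the client reports (CIAgent.log / DcmWmiProvider.log)
    # reflects the state after the fix rather than before it.
    Test-Discovery
}

# Stand-alone use: ".\ci.ps1" prints the discovery verdict, ".\ci.ps1 remediate" fixes
# the value and prints the post-fix verdict. In the console, paste the body of
# Test-Discovery into the CI's discovery script and Invoke-Remediation into its
# remediation script, together with the three variables and Get-SettingState.
if ($args.Count -gt 0 -and $args[0] -eq 'remediate') { Invoke-Remediation } else { Test-Discovery }
```

Two checks worth making before deploying the baseline with remediation enabled: run the remediation script by hand on one client and confirm the discovery script then returns Compliant (a remediation that does not satisfy its own discovery causes the client to remediate on every evaluation cycle), and confirm the remediation does nothing beyond the one setting the CI claims to enforce, since it runs with SYSTEM rights on every targeted machine.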
Security and Compliance: Software Update
Flow (diagram): Microsoft Update → CAS (downloads updates; identifies who needs updates and reports on compliance) → primary site SUP role / WSUS (distributes updates) → primary site DP role (delivers content); the primary site MP role assigns policy to scan for update status or to deploy an update, and reports compliance.
- Auto deployment: faster deployment through search; schedule content download and deployment to avoid reboots during work hours.
- State-based updates: allows individual or group deployment; updates added to groups auto-deploy to targeted collections.
- Optimized for the new content model: reduced replication and storage; expired updates and content are deleted.

Distribution Point for Windows Azure
Diagram: primary site PR1 on the corporate network (MP and DP, fed by Microsoft Update) behind the firewall; clients get policy from the MP and content from the Windows Azure distribution point.
- Rich feature set
- Integrated monitoring: in-console content monitoring; ability to monitor storage and traffic-out usage
- Content is fully encrypted

Simplify Administration
Improve IT effectiveness and efficiency: operating system deployment; role-based administration; client health; modern management console; asset intelligence.
Modern Management Console
Unified Device Management Console
Role-based Administration
Map the organizational roles of your administrators to defined security roles. This reduces error and defines the span of control for the organization. RBA enhanced in R2 includes SQL Reporting functionality.
ConfigMgr 2007 → ConfigMgr 2012
- What types of objects can I see and what can I do to them? Class rights → security roles
- Which instances can I see and interact with? Object instance permissions → security scopes
- Which resources can I interact with? Site-specific resource permissions → collection limiting
Example (security organization role by geography):
- Meg, WW Central System Administrator
- Louis, Software Update Manager for France: can see and update France desktops; cannot modify security settings on France desktops; cannot see All Systems or U.S. desktops
- Bob, US and France Security Admin: can see and modify security settings on France and U.S. desktops; cannot update France or U.S. desktops; cannot see All Systems
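The Louis/Bob example on the slide maps onto three things in the product: a security role (what), a security scope (which instances) and a collection (which resources). The script below is an added example, not from the deck and not Microsoft's, that builds that example with the Configuration Manager PowerShell module shipped with the 2012 R2 console. The site code, the user names and the collection names "France Desktops" / "US Desktops" are assumptions; the property names read back at the end are those of the SMS_Admin class as the cmdlet exposes them.

```powershell
# Added example, not part of the original deck: implement the slide's Louis/Bob RBA example
# with the ConfigMgr 2012 R2 PowerShell module. Assumptions: site code PR1, domain CONTOSO,
# and that device collections "France Desktops" and "US Desktops" already exist.
param(
    [string]$SiteCode = 'PR1'
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

function New-GeoSecurityScope {
    # One scope per geography. The collection is tagged with the scope, and the catch-all
    # Default scope is removed from it, otherwise any admin whose role covers collections
    # can still see the collection through Default even without the France/US scope.
    param([string]$Name, [string]$CollectionName)
    if (-not (Get-CMSecurityScope -Name $Name)) {
        New-CMSecurityScope -Name $Name -Description "Objects managed by the $Name team" | Out-Null
    }
    $collection = Get-CMDeviceCollection -Name $CollectionName
    if (-not $collection) { throw "Collection '$CollectionName' not found" }
    Add-CMObjectSecurityScope    -InputObject $collection -Name $Name
    Remove-CMObjectSecurityScope -InputObject $collection -Name 'Default' -Force
}

New-GeoSecurityScope -Name 'France' -CollectionName 'France Desktops'
New-GeoSecurityScope -Name 'US'     -CollectionName 'US Desktops'

# Louis: role = Software Update Manager (what he can do), scope = France (which instances),
# collection = France Desktops (which resources). Nothing grants All Systems or the US scope.
New-CMAdministrativeUser -Name 'CONTOSO\louis' `
    -RoleName 'Software Update Manager' `
    -SecurityScopeName 'France' `
    -CollectionName 'France Desktops'

# Bob: Security Administrator over both geographies. The built-in role carries no software
# update rights, so he can change security settings on both collections but cannot deploy
# updates to either, which is exactly the split the slide describes.
New-CMAdministrativeUser -Name 'CONTOSO\bob' `
    -RoleName 'Security Administrator' `
    -SecurityScopeName 'France', 'US' `
    -CollectionName 'France Desktops', 'US Desktops'

# Check: any 'Default' scope or 'All Systems' collection appearing here is a broader grant
# than intended and should be removed before the accounts are handed out.
Get-CMAdministrativeUser |
    Where-Object { $_.LogonName -in @('CONTOSO\louis', 'CONTOSO\bob') } |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Run it from a console account that holds Full Administrator; the module refuses to load outside the site drive (hence Set-Location), and -SecurityScopeName and -CollectionName accept arrays, which is how Bob gets both geographies in one grant.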
Operating System Deployment
Diagram: CAS → primary site (DP role holds the image; MP role delivers the task sequence and reports) → WDS PXE server → client.
- PXE-initiated deployment allows client computers to request deployment over the network
- Multicast deployment to conserve network bandwidth
- Stand-alone media deployment for no network connectivity or low bandwidth
- Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
- User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another

Core Operating System Deployment Scenarios
Scenario | Key functionality
New computer (PXE boot) | Fresh install of a new operating system on a client or server system; new or repurposed hardware; integrates with the Windows Deployment Services (WDS) PXE server; self-provisioning via F12
Wipe-and-load | Install a new version of the operating system; reinstall applications and user state under the new operating system
Side-by-side | Similar to wipe-and-load, except between two different devices
Offline with removable media | For low bandwidth or no connectivity; large software packages are on the media
Prestaged media | Optimized for network bandwidth; speeds up end-to-end deployment
Client Activity and Health
Asset Intelligence, Inventory, and Software Metering
- Understand software installation profiles
- Plan for hardware upgrades
- Identify over- or under-licensing issues
- Track custom apps or groups of titles
Real-time application and hardware intelligence: ConfigMgr inventory and software metering feed the Asset Intelligence service and catalog, which produce the license reports.

Windows Embedded Support
Device type | Supported operating systems
Thin clients | Windows XP Embedded; Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
POS/Kiosk | Same as thin clients, plus POSReady 2009 and POSReady 8
Digital signage | Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
Repurposed PC | Windows Thin PC
Supported write filters: File-Based Write Filter (FBWF), preferred for scalability; Enhanced Write Filter (EWF) RAM.
Ability to force persistence of changes for: applications; packages and programs; software updates; task sequences; Endpoint Protection client installation.
Eventual persistence of changes for: client agent settings; settings management remediation; power management.
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly.

Summary: Simplify, Unify, Empower
Area | 2012 | 2012 SP1 | 2012 R2
Modern device management | EAS | Unified | Improved
User-centric application delivery | User-centric | Windows 8 apps | Web app deployment
Reduced infrastructure requirements | New | Flexible hierarchies | -
Endpoint Protection | Integrated | Real-time actions | Updated engine
Compliance and settings management | Auto remediation | User profile and data | -
Software update management | Improved | Improved | -
Distribution point for Windows Azure | - | New | -
Content management | - | - | Improved
Modern management console | New | Windows PowerShell | Additional cmdlets
Role-based administration | New | - | RBA in Reporting
Operating system deployment | Improved | Improved | Windows 8.1 support
Client health | Improved | Improved | -
Asset Intelligence, inventory and software metering | Improved | Improved | -

For More Information
- System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=teC_105_1_33
- Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
- Windows Server 2012 RDS/VDI: http://technet.microsoft.com/en-us/windowsserver/ee236407.aspx and http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx
- More resources: microsoft.com/workstyle; microsoft.com/server-cloud/user-device-management