Device Management Workshop: Enterprise Mobility
Selecting the Management Platform
- Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune
- Cloud-based Management (Standalone Windows Intune): no existing Configuration Manager deployment; simplified policy control; simple web-based administration console
System Center 2012 R2 Configuration Manager
- Enable Users: allow people to be more productive from almost anywhere on almost any device.
- Unify Infrastructure: reduce costs by unifying IT management infrastructure.
- Simplify Administration: improve IT effectiveness and efficiency.
Enable Users
- Unified Device Management
- User-centric Application Delivery
Unified Device Management
- Windows PCs (x86/64, Intel SoC), Windows To Go
- Windows Embedded
- Mac OS X
- Windows RT, Windows Phone 8.x
- iOS, Android
Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog; Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 / Windows Phone 8.1 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | Limited self-service experience
Linux/Unix | ConfigMgr Agent | N/A
Registering and Enrolling Devices
- Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
- Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and cloud.
- Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
- IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
- As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
What's New in Mobile Device Inventory?
- Personal vs. corporate-owned devices: by default, user-enrolled devices are Personal; the admin can specify corporate-owned devices
- Compromised device detection
- App inventory: personal devices, only apps installed by ConfigMgr/Intune are inventoried; corporate devices, complete inventory of all applications on the device*
- App management: global condition to differentiate app installs on corporate versus personal devices
* Inventory capability varies by device platform
Extensions for Windows Intune
1. Admin is notified that an extension is available when the console is launched
2. Admin goes to Extensions for Intune in the console and enables the extension
3. Extension is activated in ConfigMgr (the extension is enabled on all site systems, then console updates are available)
4. Admin restarts the console, and the console is updated with the extension
5. Admin uses the feature delivered by the extension
6. Admin may later wish to disable the extension
Mobile Device Settings in ConfigMgr 2012 R2
Platforms: Windows 8.1 PC & RT | Windows Phone 8.1 | iOS | Android
Categories: VPN; Wi-Fi; Certificates; Email Profiles; Password (*) (*) (*); Device restrictions (*) (*) (*); Store access; Browsers (*) (*) (*); Content Rating; Cloud Sync (*); Encryption (*) (*) (*); Security (*) (*) (*) (*); Roaming (*) (*); Windows Server Work Folders
* Device platform supports a subset of the settings
Resource Access Configuration
Features*
- Management and distribution of certificates
- Corporate email profile provisioning
- Configure networking profiles: VPN profiles; support for Windows 8.1 Automatic VPN; Wi-Fi protocol and authentication settings
- Configure remote connection to work PCs
Benefits
- End users get access to company resources with no manual steps on their part
Supported platforms: Windows 8.1, Windows 8.1 RT, Windows Phone 8.1, iOS, Android
VPN Profile Management
- Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 (a subset of vendors have a Windows/Windows RT VPN plug-in)
- Support for VPN standards such as PPTP, L2TP, IKEv2
- Automatic VPN connection: DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS; application ID-based initiation support for Windows 8.1
Wi-Fi and Certificate Profiles
Wi-Fi settings
- Manage Wi-Fi protocol and authentication settings
- Provision Wi-Fi networks that the device can auto-connect to
- Specify the certificate to be used for the Wi-Fi connection
Manage and distribute certificates
- Deploy trusted root certificates
- Support for Simple Certificate Enrollment Protocol (SCEP)
Certificate Infrastructure
Email Profile Management
- Manage Exchange ActiveSync accounts
- Configure account settings and security restrictions
- Enable certificate authentication
- Support for iOS and Windows Phone 8
- Enables selective wipe of the managed email profile (if the platform supports it)
New in January 2014 release! Delivered as a Configuration Manager Extension for Windows Intune
Work Folders
- Sync files and data across devices
- New feature in Windows 8.1 client and Windows Server 2012 R2
- Configuration Manager and Windows Intune support: new settings to help provision the Work Folders discovery settings; Company Portals have links to Work Folders
Full and Selective Wipe
Platforms: Windows 8.1 (x86/RT, OMA-DM managed) | Windows 8 RT | Windows Phone 8.1 | iOS | Android
Full Wipe
Selective Wipe
- Email: (Mail App) (Mail App)
- Company apps and data: Windows 8.1: apps uninstalled, sideloading keys removed, data removed | Windows 8 RT: sideloading keys removed but apps remain installed | Windows Phone 8.1: uninstalled and data removed | iOS: uninstalled and data removed | Android: apps and data remain installed
- VPN and Wi-Fi profiles: Windows 8.1: removed | Windows 8 RT: not applicable | Windows Phone 8.1: removed | iOS: removed | Android: VPN not applicable; Wi-Fi not removed
- Certificates: Windows 8.1: removed and revoked | Windows 8 RT: not applicable | Windows Phone 8.1: removed | iOS: removed and revoked | Android: revoked
- Settings: requirements removed (all platforms)
- Management client: Windows 8.1, Windows 8 RT, Windows Phone 8.1: not applicable, management agent is built-in | iOS: management profile is removed | Android: Device Administrator privilege is revoked
Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish work folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | | Yes | Yes | Yes
Unified Device Management | | | Yes | Yes
Unified Application Management | | | Yes | Yes
Selective data wipe | | | Yes | Yes
Compliance reporting | | | Yes | Yes
Group Policy and login scripts | | | | Yes
OS deployment and imaging | | | | Yes
Configuration management | | | | Yes
Patch management | | | | Yes
Anti-malware management | | | | Yes
Full application management | | | | Yes
BitLocker management | | | | Yes
User-centric Application Delivery: Windows 8 Apps
Benefits
- Software distribution updated
- End user installation same as today
- End users have one location for all enterprise apps
(Diagram: Corporate Applications, Firewall, Windows Store, Windows 8, Windows RT)
User-centric Application Delivery: Administration and Delivery
Evaluation criteria: User; Device type; Network connection; User/Device Relationships
Delivery
- Primary devices: MSI; App-V; Windows 8 Apps; Windows 8 Apps in the Windows Store
- Non-primary devices: VDI; Remote Desktop
User-centric Application Delivery: End User Self-Service
- IT: administrators publish software titles to the catalog, complete with metadata to enable search; deliver the best user experience on each device
- User: users can browse, select and install directly from the Catalog; the application model determines format and policies for delivery
Unify Infrastructure: reduce costs by unifying IT management infrastructure.
- Compliance and Settings Management
- Software Update Management
- Endpoint Protection
- Distribution Point for Windows Azure
- Reduced Infrastructure Requirements
- Content Management
Reduced Infrastructure Requirements (obsolete reasons vs. reasons why, per site type)
Site types: Central Administration Site; Primary Sites; Secondary Sites; Distribution Points
Considerations: Scale; Support multiple primary sites; Client assignment (up to 100k); Reduce impact of a primary site failing; Political reasons; Content fan-out; Manage upward flow of WAN traffic; Content routing; Distribute content; Future-proofing your hierarchy (SP1); Delegated administration; Different client agent settings; Language packs; DMZ/Internet-facing; Untrusted forests (new in R2); Throttling (now in Distribution Points); Branch Distribution Points
Consolidation and Cross-platform Integration
Consolidation
- Co-locating site system roles onto a single server
- Eliminating servers required for client security
- Simplifying system architecture by reducing the number of sites
Cross-platform Integration
- Manage non-Windows desktops including Mac OS X
- Manage non-Windows servers including Linux and UNIX
- Access business apps on non-Windows machines via Citrix XenApp integration*
* Cross-platform integration enhancements are available with Configuration Manager Service Pack 1 (beta released in September 2012)
"We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the maintenance costs." Systems management administrator at a US-based manufacturing company
600 hours or U.S. $30,000 saved each year due to reduced administration overhead (Business Value of Microsoft System Center 2012 Configuration Manager)
Unified Device Management Configuration
- Device management integrated directly into the console
- Simple Windows Intune subscription set-up
- Centralized branding and customization of the Company Portal experience
- Windows Intune Connector deployed as a Site System Role
Security and Compliance: Endpoint Protection
Unified Infrastructure
- Simplified server and client deployment
- Streamlined updates
- Consolidated reporting
Comprehensive Protection Stack
- Behavior monitoring
- Antimalware
- Dynamic Translation
- Windows Firewall Management
Security and Compliance: Settings Management
(Diagram: ConfigMgr MP; Baseline; ConfigMgr Agent; Assignment to collections; Baseline drift! → Auto Remediate OR Create Alert (to Service Manager). Baseline Configuration Items: Active Directory, File, Script, Software Updates, WMI, Registry, XML, MSI, SQL, IIS)
Improved functionality
- Copy settings
- Trigger console alerts
- Richer reporting
- Pre-built industry-standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator
- Enhanced versioning and audit tracking: ability to specify versions to be used in baselines; audit tracking includes who changed what
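An added example (not from the deck) of the script-based Configuration Item flow above: the discovery script emits a value that the CI's compliance rule compares against "Compliant", and when the baseline deployment has "Remediate noncompliant rules when supported" enabled the client runs the remediation script on drift. The registry value checked (NoDriveTypeAutoRun = 0xFF, AutoRun disabled for all drive types) is a constructed baseline setting; the function names are this example's own.

```powershell
# Added example: discovery and remediation scripts for a ConfigMgr 2012 R2
# script-based Configuration Item setting (data type String). In the console
# each function body is pasted into its own field: discovery and remediation.
# Both run as LocalSystem on the client, so keep them short and idempotent.
# Constructed baseline value: AutoRun disabled for all drive types (0xFF).
$Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name  = 'NoDriveTypeAutoRun'
$Value = 255

# ---- Discovery script: output is compared by the rule "value equals Compliant"
function Get-AutoRunCompliance {
    try {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        # A missing key or value is drift, not a script error
        $actual = $null
    }
    if ($actual -eq $Value) {
        'Compliant'
    } else {
        # Anything other than "Compliant" fails the rule and triggers remediation
        "Non-Compliant (actual: $actual)"
    }
}

# ---- Remediation script: runs only when the rule above is non-compliant
function Set-AutoRunCompliance {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    # The next evaluation cycle re-runs discovery and reports the new state
    'Remediated'
}

# Stand-alone run for testing outside ConfigMgr: check, fix if needed, re-check
$state = Get-AutoRunCompliance
Write-Output "Before: $state"
if ($state -ne 'Compliant') {
    Set-AutoRunCompliance | Out-Null
    Write-Output "After: $(Get-AutoRunCompliance)"
}
```

The "Create Alert" branch in the diagram is the alternative to remediation: deploy the baseline without remediation enabled and let non-compliance surface as a console alert or Service Manager incident instead.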
Security and Compliance: Software Update
(Diagram: Microsoft Update; CAS: downloads updates; Primary Site SUP Role/WSUS: identifies who needs updates and reports on compliance; Primary Site DP Role: distributes updates; Primary Site MP Role: assigns policy to scan for update status or to deploy an update, reports compliance)
- Auto Deployment: faster deployment through search; schedule content download and deployment to avoid reboots during work hours
- State-based Updates: allows individual or group deployment; updates added to groups auto-deploy to targeted collections
- Optimized for New Content Model: reduce replication and storage; expired updates and content deleted
Distribution Point for Windows Azure
(Diagram: Windows Azure Distribution Point; PR1; Policy; Content; MP; Firewall; Microsoft Update; DP; Corporate Network)
- Rich feature set
- Integrated monitoring: in-console content monitoring; ability to monitor storage and traffic-out usage
- Content is fully encrypted
Content Management in R2
Pull DP improvements
- The sources for a pull DP can be randomized to achieve load balancing and flexibility
- Pull DP in-console monitoring on par with a standard DP
- Enable a pull distribution point to send state messages via the MP
Infrastructure improvements
- Reduced the amount of interaction between remote DPs and the Distribution Manager
- Optimized content distribution by adding distribution point priority and keeping send requests in SQL
- New report: Distribution Point Usage shows how much a particular DP gets used
Simplify Administration: improve IT effectiveness and efficiency.
- Operating System Deployment
- Role-based Administration
- Client Health
- Modern Management Console
- Asset Intelligence
Modern Management Console
- Intuitive ribbon interface
- In-console alerts
- Global search capability
- New collection membership rules allow better filtering of members
- Windows PowerShell enablement
Unified Device Management Console
- Mobile device management integrated directly into the console experience
- Common tools for policy and application management
- Unified reporting across device platforms
- User collections enable user-centric setting and application deployment across device types
Role-based Administration
Map the organizational roles of your administrators to defined security roles. This reduces error and defines span of control for the organization. RBA enhancements in R2 include SQL Reporting functionality.
Security organization role vs. geography: Meg, WW Central System Administrator; Louis, Software Update Manager for France; Bob, US and France Security Admin
ConfigMgr 2007 → ConfigMgr 2012
- What types of objects can I see and what can I do to them? Class rights → Security roles
- Which instances can I see and interact with? Object instance permissions → Security scopes
- Which resources can I interact with? Site-specific resource permissions → Collection limiting
Examples
- Louis (Software Update Manager for France): can see and update France desktops; cannot modify security settings on France desktops; cannot see All Systems or U.S. desktops
- Bob (US and France Security Admin): can see and modify security settings on France and U.S. desktops; cannot update France or U.S. desktops; cannot see All Systems
Operating System Deployment
Multiple deployment method support
- PXE-initiated deployment allows client computers to request deployment over the network
- Multicast deployment to conserve network bandwidth
- Stand-alone media deployment for no network connectivity or low bandwidth
- Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
(Diagram: CAS; WDS PXE Server; Image; Primary Site DP Role; Report; Task Sequence; Primary Site MP Role)
- User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
Core Operating System Deployment Scenarios
Scenario | Key Functionality
New computer | Fresh install of a new operating system on a client or server system; new or repurposed hardware
PXE boot | Integrate with Windows Deployment Services (WDS) PXE server; self-provisioning via F12
Wipe-and-load | Install new version of operating system; reinstall applications and user state under the new operating system
Side-by-side | Similar to wipe-and-load, except between two different devices
Offline with removable media | With low bandwidth or no connectivity; large software packages are on the media
Prestaged media | Optimized for network bandwidth; speeds up end-to-end deployment
Client Activity and Health
- In-console view of client health
- Threshold-based console alerts
- Heartbeat DDRs
- HW/SW inventory and status
- Remediation
Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to:
- Understand software installation profiles
- Plan for hardware upgrades
- Identify over- or under-licensing issues
- Track custom apps or groups of titles
(Diagram: Real-Time Application and Hardware Intelligence; Asset Intelligence Service; Software Metering and License Reports; ConfigMgr Inventory; Asset Intelligence Catalog)
Summary (Enable Users / Unify Infrastructure / Simplify Administration)
Feature | 2012 | 2012 SP1 | 2012 R2
Modern Device Management | EAS | Unified | Improved
User-centric Application Delivery | User-centric | Win 8 Apps | Web App deployment
Reduced Infrastructure Requirements | New | Flexible hierarchies |
Endpoint Protection | Integrated | Real-time actions | Updated engine
Compliance and Settings Management | Auto remediation | User profile and data |
Software Update Management | Improved | Improved |
Distribution Point for Windows Azure | | New |
Content Management | | | Improved
Modern Management Console | New | Windows PowerShell | Additional cmdlets
Role-based Administration | New | | RBA in Reporting
Operating System Deployment | Improved | Improved | Windows 8.1 support
Client Health | Improved | Improved |
Asset Intelligence, Inventory and Software Metering | Improved | Improved |
For More Information
- System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=tec_105_1_33
- Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
- Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windowsserver
More Resources:
- http://www.microsoft.com/workstyle
- http://www.microsoft.com/server-cloud/user-device-management
Windows Embedded Support
Device type | Operating systems
Thin Clients | Windows XP Embedded; Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
POS/Kiosk | Same as Thin Clients, plus POS Ready 2009 and POS Ready 8
Digital Signage | Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
Repurposed PC | Windows Thin PC
Supported write filters: File Based Write Filter (FBWF), preferred for scalability; Enhanced Write Filter (EWF) RAM
Ability to force persistence of changes for: applications; packages and programs; software updates; task sequences; Endpoint Protection client installation
Eventual persistence of changes for: client agent settings; settings management remediation; power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly.
Linux and UNIX Servers
Supported operating systems across both Configuration Manager and Operations Manager:
- Red Hat Enterprise Linux: Version 4 (x86/x64); Version 5 (x86/x64); Version 6 (x86/x64)
- Solaris: Version 9 (SPARC); Version 10 (SPARC/x86); Version 11 (SPARC/x86)
- SUSE Linux Enterprise Server: Version 9 (x86); Version 10 SP1 (x86/x64); Version 11 SP1 (x86/x64)
- Recently added: CentOS 5, 6; Debian 5, 6, 7; Ubuntu 10.4 LTS, 12.4 LTS; Oracle Linux 5, 6; HP-UX 11iv2, 11iv3; AIX 5.3, 6.1, 7.1
Earlier versions are supported as long as the vendor provides support. Broader Linux distro support is being evaluated for future releases.
Capabilities
- Hardware and software inventory
- Software deployment using the Package and Program model: deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
- Consolidated reports
Mac OS X
- Configuration Manager native client
- Key management capabilities
- Improved enrollment in R2
Scenarios
Setting | Hybrid | Standalone
Default browser | Yes | Yes
Disable copy and paste functionality | Yes | Yes
Disable telemetry/diagnostic data submission (SQM/Watson), granular | Yes | Yes
Screen capture | Yes | Yes
File encryption on mobile device | Yes | Yes
Allow simple password | Yes | Yes
Alphanumeric password required | Yes | Yes
Idle time before mobile device is locked (minutes) | Yes | Yes
Minimum complex characters | Yes | Yes
Minimum password length (characters) | Yes | Yes
Number of failed logon attempts before device is wiped | Yes | Yes
Number of passwords remembered | Yes | Yes
Password complexity | Yes | Yes
Password expiration in days | Yes | Yes
Bluetooth | Yes | Yes
Camera | Yes | Yes
Disable Internet Explorer | Yes | Yes
Disable USB sync | No | No
Disable Wi-Fi | Yes | Yes
Near field communication (NFC) | Yes | Yes
Prevent user-initiated un-enrollment / disable PC settings | No | No
Removable storage (any external storage device) | Yes | Yes
Disable application store | Yes | Yes
Disable Internet sharing over Wi-Fi (tethering) | Yes | Yes
Disable Wi-Fi offloading | Yes | Yes
Wi-Fi hotspot reporting | Yes | Yes
Disable custom email account (all or nothing) | Yes | Yes
Allow Microsoft Account | Yes | Yes
Roadmap: turn on/off location awareness (cellular or GPS) | Yes | Yes