
Empowering people-centric IT Mobile Device Management Access and information protection Desktop Virtualization Hybrid Identity


Page 1

Page 2

Enrollment and Management of Mobile Devices

Joey Glocke and Chris Green

PCIT-B317

Page 3

Empowering people-centric IT

Mobile Device Management

Access and information protection

Desktop Virtualization

Hybrid Identity

Page 4

Facing the challenges in keeping users productive while protecting company information

Page 5

Apps, Users, Data, Devices

What we want

Reality

Page 6

Unify, Enable, Protect

Page 7

Mobile Device Management

Unify your environment

On-premises and cloud-based management of devices within a single console.

Simplified, user-centric application management across devices

Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles

Enable users

Access to company resources consistently across devices

Simplified registration and enrollment of devices

Synchronized corporate data

Protect your data

Protect corporate information by selectively wiping apps and data from retired/lost devices

A common identity for accessing resources on-premises and in the cloud

Identify which mobile devices have been compromised

Page 8

Configuration Manager MDM Features

Features
• Over the air device enrollment
• Self service portal for end users
• User-targeted available app deployment
• User and device settings management
• Device inventory

Page 9

Registering and Enrolling Devices


IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity; multi-factor authentication can be used through Windows Azure Active Authentication (formerly PhoneFactor)

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device

Users can enroll devices that configure the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications

As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device

Data from Windows Intune is synchronized with Configuration Manager, which provides unified management of both on-premises and cloud-managed devices

Page 10

End User Self Service Portal

Native apps: Windows, Windows Phone, iOS, Android

Features
• Corporate branding
• Ability to feature apps
• App specific privacy statement
• Wipe corporate data and settings

Page 11

Demo - Enrollment

Joey Glocke

Page 12

Enrollment best practices

How to ensure successful enrollment:

• Admin must configure mobile device management in the ConfigMgr console
• Admin must enable enrollment for specific device types
• Admin must allocate an Intune license to the user and must enable Active Directory user discovery
• User must enroll one device at a time and have fewer than 20 mobile devices in the system
• Windows Phone 8 only: WP8 code signing certificate must be configured properly
• iOS only: Apple Push Notification Service certificate must be configured and not expired
• iOS 5.0+ is required

Page 13

Bulk enrollment

• Enroll a large number of corporate-purchased devices at once
• Uses service accounts
• Offers fully managed and secure devices without end user configuration required

Coming soon…

Page 14

Mobile Device Inventory

Personal vs. Corporate Owned Devices

By default, user-enrolled devices are “Personal”; admin can specify corporate-owned devices

App inventory

Personal devices – Inventory of applications installed by ConfigMgr/Intune only

Corporate devices – Complete inventory of all applications on the device*

* Windows and Windows Phone allow inventory of MDM provisioned apps only

App Management

Global condition to differentiate app installs on corporate versus personal

Page 15

Demo - Inventory

Chris Green

Page 16

Settings management

Settings can be applied to devices managed via Windows Intune and devices managed through the Exchange Server Connector

Single security policy template can be used to manage settings on all managed mobile devices. System figures out applicability to each platform.

Reporting available on each setting (compliant or error)

Settings conflict resolution is platform-specific. For example, if Windows receives password policies from both Exchange ActiveSync and Intune, the most restrictive one wins.
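As an added illustration of the “most restrictive wins” rule for Windows (this is example code, not code from the deck or from Configuration Manager): the settings list, the two sample policies and the direction that counts as “more restrictive” for each setting are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """A password policy as one management source (EAS or Intune) pushes it.
    None means the source does not set that setting. Field set is constructed."""
    source: str
    required: Optional[bool] = None               # a password must be set at all
    min_length: Optional[int] = None              # minimum number of characters
    alphanumeric: Optional[bool] = None           # letters and digits required
    max_inactivity_minutes: Optional[int] = None  # lock after this idle time
    max_failed_attempts: Optional[int] = None     # lock/wipe after N bad entries
    expiration_days: Optional[int] = None         # force a change after N days
    history_count: Optional[int] = None           # old passwords that are refused


# Which direction is "more restrictive" per setting (assumption of this example):
# larger wins for lengths/history and for boolean requirements (True > False),
# smaller wins for idle timeouts, failure thresholds and expiry periods.
_MORE_RESTRICTIVE = {
    "required": max, "min_length": max, "alphanumeric": max, "history_count": max,
    "max_inactivity_minutes": min, "max_failed_attempts": min, "expiration_days": min,
}


def merge_most_restrictive(policies: list[PasswordPolicy]) -> tuple[PasswordPolicy, dict[str, str]]:
    """Per setting, take the strictest value among the sources that set it.
    Returns the effective policy and, for auditing, which source supplied each value."""
    if not policies:
        raise ValueError("need at least one policy")
    effective: dict[str, object] = {}
    provenance: dict[str, str] = {}
    for setting, pick in _MORE_RESTRICTIVE.items():
        candidates = [(getattr(p, setting), p.source) for p in policies
                      if getattr(p, setting) is not None]
        if candidates:
            value, source = pick(candidates, key=lambda c: c[0])
            effective[setting] = value
            provenance[setting] = source
    return PasswordPolicy(source="effective", **effective), provenance


def demo() -> tuple[PasswordPolicy, dict[str, str]]:
    """Constructed sample: a Windows device receiving policy from both EAS and Intune."""
    eas = PasswordPolicy("Exchange ActiveSync", required=True, min_length=6, alphanumeric=False,
                         max_inactivity_minutes=15, max_failed_attempts=10)
    intune = PasswordPolicy("Intune", required=True, min_length=8, alphanumeric=True,
                            max_inactivity_minutes=30, expiration_days=90, history_count=5)
    return merge_most_restrictive([eas, intune])


if __name__ == "__main__":
    policy, who = demo()
    for setting, source in who.items():
        print(f"{setting} = {getattr(policy, setting)} (from {source})")
```

The provenance map is the part worth keeping in a real deployment: when a user asks why their lock screen timeout is 15 minutes, it tells you which source to look at.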

Page 17

Mobile Device Settings in ConfigMgr 2012 R2

Columns: Category | Win 8.1 PC & RT | WP8.1 (New!) | iOS | Android

Categories: VPN, Wi-Fi, Certificates, Email, Password, Device restrictions, Store access, Browsers, Content Rating, Cloud Synch, Encryption, Security, Roaming, Windows Server Work Folders

* Note: Table applicable to direct MDM and not EAS

Page 18

Resource Access Configuration

Platforms: Windows 8.1, Windows 8.1 RT, iOS, Android, Windows Phone 8.1 (New!)

Benefits: End users get access to company resources with no manual steps for them

Features*
• Configure VPN profiles
• Support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates

* Varies based on device platform

Page 19

VPN Profile Management

Support for major SSL VPN vendors
• SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
• Subset of vendors have a Windows VPN plug-in

Automatic VPN connection
• DNS name-based initiation support for Windows 8.1 and iOS
• Application ID-based initiation support for Windows 8.1

Support for VPN standards
• PPTP, L2TP, IKEv2

Page 20

Wi-Fi and Certificate Profiles

Wi-Fi settings
• Manage Wi-Fi protocol and authentication settings
• Provision Wi-Fi networks that the device can auto connect to
• Specify certificate to be used for Wi-Fi connection

Manage and distribute certificates
• Deploy trusted root certificates
• Support for Simple Certificate Enrollment Protocol (SCEP)

Page 21

Certificate enrollment via NDES

1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued

Diagram components: Network Device Enrollment Service (NDES), CA, SCCM, SCCM Connector, Desktop Admin, Device, IW, Intune, Certificate Registration Point, SCCM plug-in

Page 22

Deployment steps for NDES Policy Module

Diagram components: Network Device Enrollment Service (NDES), CA, SCCM, SCCM Connector, Desktop Admin, Device, IW, Intune, Certificate Registration Point, SCCM plug-in

1. Install NDES role
   a) Install PKI client auth certificate
2. Add Certificate Registration Point site system role
   a) Specify root CA cert for client auth cert from 1a.
   b) Self-signed server auth cert is created
3. Install Policy Module on NDES
   a) Specify client auth cert from 1a.
   b) Specify server auth cert from 2b.
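A simplified model of the four-step SCEP flow from the previous slide, with the Policy Module installed in step 3 here acting as the gate in front of the CA. This is an added example, not Microsoft's implementation: the challenge format, its lifetime, single-use enforcement and binding to the profile's subject are assumptions made for the model, and all sample identities are constructed.

```python
from __future__ import annotations
import secrets

# Constructed model: the Certificate Registration Point (CRP) hands out a challenge
# when the profile is deployed (step 1), the device carries it in its SCEP request
# (step 2), the NDES Policy Module asks the CRP to validate it (step 3), and only
# then does the CA issue (step 4). Lifetime, single use and subject binding are
# assumptions of this model, not documented product behaviour.


class CertificateRegistrationPoint:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        # challenge -> (device id, expected subject, expiry); the entry is removed
        # on the first validation attempt, so a captured challenge cannot be replayed.
        self._outstanding: dict[str, tuple[str, str, float]] = {}

    def issue_challenge(self, device_id: str, subject: str, now: float) -> str:
        """Step 1: profile deployment. The challenge is an unguessable random token."""
        challenge = secrets.token_urlsafe(32)
        self._outstanding[challenge] = (device_id, subject, now + self._ttl)
        return challenge

    def validate(self, challenge: str, device_id: str, subject: str, now: float) -> tuple[bool, str]:
        """Step 3: called by the policy module before the CA sees the request."""
        record = self._outstanding.pop(challenge, None)
        if record is None:
            return False, "unknown or already used challenge"
        issued_device, issued_subject, expires = record
        if now > expires:
            return False, "challenge expired"
        if (issued_device, issued_subject) != (device_id, subject):
            # A device only gets the subject the admin's profile assigned to it.
            return False, "request does not match the profile the challenge was issued for"
        return True, "ok"


def issue_certificate(crp: CertificateRegistrationPoint, scep_request: dict, now: float):
    """Steps 3 and 4: the policy module gates the CA; a rejected challenge means no cert."""
    ok, reason = crp.validate(scep_request["challenge"], scep_request["device_id"],
                              scep_request["subject"], now)
    if not ok:
        return None, reason
    cert = {"subject": scep_request["subject"], "serial": secrets.token_hex(8),
            "not_after": now + 365 * 86400}
    return cert, "issued"


def demo() -> dict:
    """Happy path plus three failure modes on constructed sample data."""
    crp = CertificateRegistrationPoint(ttl_seconds=3600)
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    ch1 = crp.issue_challenge("DEV-001", "CN=user1@contoso.example", t0)
    req1 = {"device_id": "DEV-001", "subject": "CN=user1@contoso.example", "challenge": ch1}
    results = {"first": issue_certificate(crp, req1, t0 + 60),
               "replay": issue_certificate(crp, req1, t0 + 120)}
    ch2 = crp.issue_challenge("DEV-002", "CN=user2@contoso.example", t0)
    req2 = {"device_id": "DEV-002", "subject": "CN=admin@contoso.example", "challenge": ch2}
    results["wrong_subject"] = issue_certificate(crp, req2, t0 + 60)
    ch3 = crp.issue_challenge("DEV-003", "CN=user3@contoso.example", t0)
    req3 = {"device_id": "DEV-003", "subject": "CN=user3@contoso.example", "challenge": ch3}
    results["expired"] = issue_certificate(crp, req3, t0 + 7200)
    return results


if __name__ == "__main__":
    for name, (cert, reason) in demo().items():
        print(f"{name}: {reason}")
```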

Page 23

Network topologies – perimeter forest

Reference: Using a Policy Module with the Network Device Enrollment Service

Page 24

Network topologies – NDES in DMZ

Reference: Using a Policy Module with the Network Device Enrollment Service

Page 25

Email profile management

Manage Exchange ActiveSync accounts

NEW in January ‘14 release!

• Configure account settings and security restrictions
• Enable certificate authentication
• Support for iOS and Windows Phone 8.1

Delivered as Configuration Manager Extension for Windows Intune

Page 26

Configuration Manager Extensions for Windows Intune

Rapid delivery of Configuration Manager features to support new Mobile Device Management features through Windows Intune. Updates are automatically downloaded to the Central Administration Site (CAS) and optionally enabled through the admin console.

1. Admin is notified that an extension is available when the console is launched
2. Admin goes to Extensions for Intune in the console and enables the extension
3. Extension is activated in ConfigMgr (the extension is enabled on all site systems, then console updates are available)
4. Admin restarts the console, and the console is updated with the extension
5. Admin uses the feature delivered by the extension
6. Admin may wish to disable the extension

Page 27

Demo – Email Profiles

Chris Green

Page 28

FAQs: Configuration Manager Extensions for Windows Intune

Q: Who sees the notification that extensions are available?
A: All admins, but only admins with sufficient permissions can enable them

Q: What admin permissions are required?
A: SiteModify on all sites in the hierarchy

Q: How often is the notification shown?
A: Once per console to each admin, or until the extension has been enabled

Q: Can I configure which admins get the notification?
A: Not at this time

Q: Where can I find logging info to troubleshoot?
A: AdminUI.ExtensionInstaller.log; FeatureExtensionInstaller.log; admin console log

Q: What happens with new console installations?
A: Console will see that the extension is available, and will download and install it.

Page 29

Mobile Device Management Review

Unify your environment

On-premises and cloud-based management of devices within a single console.

Simplified, user-centric application management across devices

Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles

Enable users

Access to company resources consistently across devices

Simplified registration and enrollment of devices

Synchronized corporate data

Protect your data

Protect corporate information by selectively wiping apps and data from retired/lost devices

A common identity for accessing resources on-premises and in the cloud

Identify which mobile devices have been compromised

Page 30

Enterprise Mobility Suite

EMS will enable customers with:

Hybrid Identity Management (enabled via Azure Active Directory Premium):
• Group management & Self Service Password Reset
• Security audit reports & Multi-Factor Authentication
• Connection between AD / Azure AD

Mobile Device Management (enabled via Windows Intune):
• Mobile device settings management
• Mobile app management
• Selective wipe

Data Protection (enabled via Azure Rights Management Service):
• Information protection
• Connection to on-premises assets

Enterprise Agreement prices starting at $4 per user per month*

* Limited time EA Level A promo pricing. Requires 250 seat minimum purchase and underlying CAL Suite license (CoreCAL/ECAL/BridgeCAL)

Page 31

Related content

Session | Title | Timeslot
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Monday, May 12 11:00 AM - 12:00 PM
PCIT-B212 | Design Considerations for BYOD | Tuesday, May 13 10:15 AM - 11:30 AM
PCIT-B213 | Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B310 | Empowering Your Users and Protecting Your Corporate Data | Monday, May 12 1:15 PM - 2:30 PM
PCIT-B313 | Hybrid Identity: Extending Active Directory to the Cloud | Monday, May 12 4:45 PM - 6:00 PM
PCIT-B314 | Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2 | Tuesday, May 13 8:30 AM - 9:45 AM
PCIT-B321 | Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers | Tuesday, May 13 5:00 PM - 6:15 PM
PCIT-B322 | Deploying and Managing Work Folders | Wednesday, May 14 10:15 AM - 11:30 AM
PCIT-B324 | How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's and the Don'ts | Wednesday, May 14 8:30 AM - 9:45 AM
PCIT-B326 | Providing SaaS Single Sign-on with Microsoft Azure Active Directory | Thursday, May 15 10:15 AM - 11:30 AM
PCIT-B327 | Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from Anywhere | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B328 | Microsoft Identity Manager vNext Overview | Wednesday, May 14 5:00 PM - 6:15 PM
PCIT-B330 | Active Directory + BYOD = Peace of Mind | Thursday, May 15 8:30 AM - 9:45 AM

Page 32

Related content: Breakout Sessions

Code | Title | Time
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Mon, May 12 11:00 AM
PCIT-B311 | What's New in Enterprise Management with Microsoft System Center Configuration Manager and Windows Intune | Mon, May 12 1:15 PM
PCIT-B215 | What's New in Microsoft System Center 2012 R2 Configuration Manager Infrastructure | Mon, May 12 3:00 PM
PCIT-B410 | Microsoft System Center 2012 Configuration Manager: MVP Experts Panel | Mon, May 12 4:45 PM
PCIT-B216 | Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 8:30 AM
PCIT-B317 | Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 1:30 PM
PCIT-B320 | Microsoft System Center Configuration Manager Community Jewels | Tue, May 13 5:00 PM
PCIT-B323 | Application Management with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 8:30 AM
PCIT-B325 | Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 10:15 AM
PCIT-B340 | What’s New with OS Deployment in Configuration Manager and the Microsoft Deployment Toolkit | Wed, May 14 5:00 PM
PCIT-B336 | Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager | Thu, May 15 8:30 AM
PCIT-B339 | How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch | Thu, May 15 10:15 AM
PCIT-B333 | How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune | Thu, May 15 1:00 PM

Page 33

Related content: Instructor Led Labs

Code | Title | Time
PCIT-IL200 | Introduction to Microsoft System Center 2012 R2 Configuration Manager | Mon, May 12 3:00 PM; Wed, May 14 5:00 PM
PCIT-IL201 | Upgrading from Configuration Manager 2012 SP1 to Microsoft System Center 2012 R2 Configuration Manager | Thu, May 15 10:15 AM
PCIT-IL300 | Deploying Windows 8.1 to Bare Metal Clients | Wed, May 14 1:30 PM; Thu, May 15 1:00 PM
PCIT-IL305 | Basic Software Distribution with Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 5:00 PM; Wed, May 14 3:15 PM
PCIT-IL306 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 10:15 AM; Thu, May 15 8:30 AM
PCIT-IL307 | Managing Microsoft Software Updates in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 1:30 PM; Wed, May 14 8:30 AM
PCIT-IL308 | Migrating from Configuration Manager 2007 to Microsoft System Center 2012 R2 Configuration Manager | Wed, May 14 10:15 AM

Page 34

Related content: Hands On Labs

Code | Title
PCIT-H302 | Deploying a Microsoft System Center 2012 R2 Configuration Manager Hierarchy
PCIT-H303 | Deploying Microsoft System Center 2012 R2 Configuration Manager
PCIT-H304 | Deploying Windows 8.1 to Bare Metal Clients
PCIT-H309 | Implementing App-V 5.0 in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H310 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H311 | Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H312 | Implementing Role-Based Administration in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H314 | Managing Clients with Microsoft System Center 2012 R2 Configuration Manager
PCIT-H315 | Managing Content in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H316 | Managing Software Updates in Microsoft System Center 2012 R2 Configuration Manager

Page 35

Resources

Learning: Microsoft Certification & Training Resources
www.microsoft.com/learning

MSDN: Resources for Developers
http://microsoft.com/msdn

TechNet: Resources for IT Professionals
http://microsoft.com/technet

Sessions on Demand
http://channel9.msdn.com/Events/TechEd

Page 36

Complete an evaluation and enter to win!

Page 37

Evaluate this session

Scan this QR code to evaluate this session.

Page 38

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.