Wally Mead
Managing Mobile Devices with System Center 2012 R2 Configuration Manager and Windows Intune
Agenda
• Continue our discussion of how to enable, configure, and use Configuration Manager 2012 R2 to manage mobile devices with our integration with Windows Intune
• Will concentrate on the enrollment and management of devices in part 2
• Demonstrations where appropriate
Today’s challenges
• Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
• Apps: Deploying and managing applications across platforms is difficult.
• Data: Users need to be productive while maintaining compliance and reducing risk.
• Users: Users expect to be able to work in any location and have access to all their work resources.
Empowering People-centric IT (Management. Access. Protection.)
• Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
• Unify your environment: Deliver unified application and device management on-premises and in the cloud.
• Protect your data: Help protect corporate information and manage risk.
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting)
• Deep policy control requirements
• Scale to 200,000 mobile devices
• Extensible administration tools (RBA, Windows PowerShell, SQL Reporting Services)
Cloud-based Management – Standalone Windows Intune
• No existing Configuration Manager deployment
• Simplified policy control
• Fewer than 7,000 devices and 4,000 users
• Simple web-based administration console
Unified Device Management
• Single admin console for IT across: Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Embedded, Windows RT, Windows Phone 8, iOS, Android, Mac OS X
Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog or Windows Company Portal app
Windows PC (Windows 8 down to Windows XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | N/A
Linux/Unix | ConfigMgr Agent | N/A
Registering and Enrolling Devices
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
• Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
• Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and cloud-managed devices.
Components shown: Web Application Proxy, ADFS
Configuration Manager 2012 SP1 MDM Features
• Over the air device enrollment
• Self service portal for end users
• User-targeted available application deployment
• User and device settings management
• Device inventory
• Remote device retirement
• Remote device wipe
Configuration Manager 2012 R2 UDM Updates
• Required application deployment
• Application uninstall
• Company versus Personal device designation
• New Company Apps portal
• VPN, Wi-Fi, and Certificate Profiles
• Application triggered VPN
• Network traffic triggered VPN
Enrolling Mobile Devices
• Windows 8.1: Use the built-in OMA-DM agent to “Enroll for Management”
• Windows RT: Use the built-in OMA-DM agent and the built-in Company Apps application
• Windows Phone 8: Use the built-in OMA-DM agent and add an account in Settings - company apps
Enrolling Mobile Devices (2)
• iOS: Use the App Store to download our Company Apps portal; running the app will walk you through the enrollment process
• Android: Use Google Play to download our Company Apps portal; running the app will install the agent and enroll the device
Unified Device Management Console
Mobile device management integrated directly into the console experience
Common tools for policy and application management
Unified reporting across device platforms
User collections enable user-centric setting and application deployment across device types
What’s New in Mobile Device Inventory?
App inventory
• Personal devices – Inventory only apps installed by ConfigMgr/Intune
• Corporate devices – Complete inventory of all applications on the device*
Personal vs Corporate Owned Devices
• By default, user-enrolled devices are “Personal”; admin can specify corporate-owned devices
• “Compromised” device detection
App Management
• New global condition to differentiate app installs on corporate versus personal devices
* Inventory capability varies by device platform
User-centric Application Delivery / End User Self-Service
• IT: Administrators publish software titles to the catalog, complete with metadata to enable search
• User: Users can browse, select and install directly from the Catalog
• Deliver best user experience on each device
• Application model determines format and policies for delivery
Deploying Applications
• Create target collection
• Create app
• App types for: Windows, Windows Phone, iOS, Android
• Deploy app to target collection
Deploying Applications (2)
• App would appear in Company Apps portal
• Most deployments are targeted to users as available
• Can now perform required app deployment
• Likely would want to use the new Device Ownership global condition as a requirement to control which devices get the required deployment
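The deployment steps above, carried out with the Configuration Manager 2012 R2 PowerShell cmdlets instead of the console. This is an added example, not code from the deck or from Microsoft; the site code, collection and application names, AD group, content path and publisher are placeholder assumptions, and the cmdlet parameter forms follow the 2012 R2 cmdlet reference as the author of this example remembers them, so verify them against Get-Help in your own site.

```powershell
# Added example (not from the slide deck). Walks the "Deploying Applications" steps with
# the ConfigMgr 2012 R2 cmdlets. Assumed/placeholder values: site code PS1, the collection
# and application names, the AD group CONTOSO\Sales, the UNC content path, the publisher.

# The module ships with the admin console; SMS_ADMIN_UI_PATH points at its bin folder.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH "..\ConfigurationManager.psd1")
Set-Location "PS1:"   # assumed site code

# Step 1: target collection. Mobile deployments are user-centric, so use a user collection
# with a query rule on an AD group rather than direct membership for each user.
$collectionName = "Mobile Sales Users"
$null = New-CMUserCollection -Name $collectionName -LimitingCollectionName "All Users"
Add-CMUserCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName "Sales group members" `
    -QueryExpression "select * from SMS_R_User where SMS_R_User.UserGroupName = 'CONTOSO\\Sales'"

# Step 2: create the app and a Windows Phone 8 deployment type (one deployment type per
# platform can sit under the same application; the app type selects the platform).
$appName = "Contoso Expenses"
$null = New-CMApplication -Name $appName -Publisher "Contoso IT"
Add-CMWindowsPhoneDeploymentType -ApplicationName $appName `
    -DeploymentTypeName "Windows Phone 8 (XAP)" `
    -ContentLocation "\\cmsource\apps\ContosoExpenses\ContosoExpenses.xap"
# The Device Ownership global condition goes on the deployment type as a requirement
# (Requirements tab, Device Ownership = Company) in the console; no cmdlet for
# requirement rules is assumed here.

# Step 3: deploy to the collection. Available = the user picks it in the Company Portal;
# Required = pushed to every targeted user's devices that meet the requirements.
Start-CMApplicationDeployment -CollectionName $collectionName -Name $appName `
    -DeployPurpose Required -DeployAction Install

# Confirm what is now targeted at the collection.
Get-CMDeployment -CollectionName $collectionName |
    Select-Object SoftwareName, DeploymentIntent, NumberTargeted
```

Run this from an account that holds a ConfigMgr role with rights to create collections, applications and deployments; with role-based administration in place a Required deployment to a broad collection is worth limiting to a security scope, because, unlike Available, it installs without the user opting in.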
Mobile Device Settings in ConfigMgr 2012 R2
Platforms covered: Windows 8.1 PC & RT | Windows Phone 8 | iOS | Android
Setting categories:
VPN
Wi-Fi
Certificates
Password (*) (*) (*)
Device restrictions (*) (*)
Store access
Browsers (*) (*)
Content Rating
Cloud Sync (*)
Encryption (*) (*) (*)
Security (*) (*) (*)
Roaming (*) (*)
Windows Server Work Folders
* Subset of settings. Note: Table applicable to direct MDM and not EAS
Resource Access Configuration
Supported platforms: Windows 8.1, Windows 8.1 RT, iOS, Android
Benefits: End users get access to company resources with no manual steps for them
New Features*
• Configure networking profiles
• VPN profiles, with support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Management and distribution of certificates
• Configure remote connection to work PCs
* Varies based on device platform
VPN Profile Management
• Support for VPN standards like PPTP, L2TP, IKEv2
• Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5; a subset of vendors have a Windows/Windows RT VPN plug-in
• Automatic VPN connection: DNS name-based initiation support for Windows 8.1 and iOS; application ID based initiation support for Windows 8.1
Wi-Fi and Certificate Profiles
Wi-Fi settings
• Manage Wi-Fi protocol and authentication settings
• Provision Wi-Fi networks that the device can auto-connect to
• Specify certificate to be used for the Wi-Fi connection
Manage and distribute certificates
• Deploy trusted root certificates
• Support for Simple Certificate Enrollment Protocol (SCEP)
Work Folders
• Sync files and data across devices
• New feature in Windows 8.1 client and Windows Server 2012 R2
• Configuration Manager and Windows Intune support: new settings to help provision the Work Folders discovery settings; self-service portals have links to Work Folders
Protect your data: Help protect corporate information and manage risk
[Diagram: device lifecycle stages Enrollment, Policies, Lost or Stolen, Retired, showing which of Personal Apps and Data, Company Apps and Data, Remote App, and Centralized Data remain on the device at each stage]
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
Corporate Data Protection
• Selective wipe removes corporate applications, data, certificates/profiles, and policies as supported by each platform
• Full wipe if supported by each platform
• Can be executed by IT or by user via Company Portal
• Sensitive data or applications can be kept off device and accessed via Remote Desktop Services
Full wipe effects depend on the platform and management type (EAS or native):
• iOS and WP: Complete wipe and reset to factory defaults
• Android: EAS mailbox removal only
• Windows RT and Windows 8: Only EAS mailbox removal if managed through EAS
Selective Wipe
Retire
• User or Admin initiated
• Removes the record of the device from the system
• Disables further MDM app installation and settings management on the device & selectively wipes corporate app data
• Uninstalls MDM-installed apps and removes data
• Removes enterprise EFS certs and email
What gets removed or access revoked depends on platform:
• Email
• Apps installed through our MDM channel
• Profiles (WiFi/VPN)
• Certificates
• MDM Policies (Settings)
• Management Agent
• Corp App Data
Supported Platforms: Windows 8.1, Windows 8.1 RT; iOS; Android
Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish work folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | – | Yes | Yes | Yes
Unified Device Management | – | – | Yes | Yes
Unified Application Management | – | – | Yes | Yes
Selective data wipe | – | – | Yes | Yes
Compliance reporting | – | – | Yes | Yes
Group Policy and login scripts | – | – | – | Yes
OS deployment and imaging | – | – | – | Yes
Configuration management | – | – | – | Yes
Patch management | – | – | – | Yes
Anti malware management | – | – | – | Yes
Full application management | – | – | – | Yes
BitLocker management | – | – | – | Yes
Summary
[Slide: Enabled / Unify / Simplify feature matrix across Configuration Manager 2012, 2012 SP1 and 2012 R2, with cells marked New, Improved, Unified, Integrated or a feature note. Feature areas: Role-based Administration; Content Management; Software Update Management; Reduced Infrastructure Requirements; User-centric Application Delivery; Modern Device Management; Compliance and Settings Management; Endpoint Protection; Operating System Deployment; Asset Intelligence, Inventory and Software Metering; Modern Management Console; Client Health; Distribution Point for Windows Azure. Cell notes that appear on the slide: EAS, User-centric, Updated engine, RBA in Reporting, Windows 8.1 support, Web App deployment, Auto remediation, Win 8 Apps, Flexible hierarchies, Real-time actions, User profile and data, Additional cmdlets, New Windows PowerShell.]
Modern Management Console | Additional cmdlets | New Windows PowerShell
Client Health | Improved | Improved
Distribution Point for Windows Azure | New
For More Information
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management
More Resources:
System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server
Please evaluate the session before you leave