Basel Modern Device Management with System Center Config Manager and Intune
Andras Khan, Solution Sales Professional, Microsoft Western Europe
Today’s challenges
• Users: users expect to be able to work in any location and have access to all their work resources.
• Devices: the explosion of devices has eradicated the standards-based approach to corporate IT.
• Apps: deploying and managing applications across platforms is difficult.
• Data: enabling users to be productive while maintaining compliance and reducing risk.
People-centric IT
• Empower users: allow people to work on the device of their choice and provide consistent access to corporate resources.
• Unify your environment: deliver unified application and device management on-premises and in the cloud.
• Protect your data: help protect corporate information and manage risk.
(Diagram: Users, Devices, Apps, Data; Management, Access, Protection)
User and Device Management: empower users, unify your environment, protect your data
• Access to company resources consistently across devices
• On-premises and cloud-based management of devices within a single console
• Protect corporate information by selectively wiping apps and data from retired/lost devices
• Simplified, user-centric application management across devices
• A common identity for accessing resources on-premises and in the cloud
• Simplified registration and enrollment of devices
• Synchronized corporate data
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Empower users
• Challenge: users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources. Solution: users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
• Challenge: users want an easy way to access their corporate applications from anywhere. Solution: users can enroll their devices, which provides them with the Company Portal for consistent access to applications and data, and to manage their devices.
• Challenge: IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies. Solution: IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.
Enabling IT to empower users
• Users can enroll devices for access to the Company Portal for easy access to corporate applications.
• Users can work from anywhere on their device with access to their corporate resources.
• Users can register devices for single sign-on and access to corporate data with Workplace Join.
• IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity.
• IT can publish Desktop Virtualization (VDI) resources for external access.
• IT can provide seamless corporate access with DirectAccess and automatic connections with app-triggered VPNs.
(Diagram components: RDS Gateway, Client VM, Session host, Published Apps, Web Application Proxy, LOB Apps, Remote Access, Active Directory, Files)
People-centric Application Delivery: accessing apps the right way, on the right device
• Target applications based on user role, the best way for each device: Windows/Windows RT, Windows Phone, iOS, Android, OS X
• Delivery mechanisms: MSI, App-V (MDOP), native app/app store, RemoteApp (RDS)
• Evaluate device capabilities for optimal application delivery: local installation, Microsoft Application Virtualization, Desktop Virtualization (VDI), web applications
Unify your environment
• Challenge: MDM products are typically delivered as point solutions, which do not integrate with the main PC management solution already in use. Solution: IT has a single “pane of glass” to view and manage all managed devices, whether on-premises or cloud-based, PCs or mobile devices.
• Challenge: managing multiple identities and keeping the information in sync across environments is a drain on IT resources. Solution: users and IT can leverage their common identity for access to external resources through federation.
Unify your environment: deliver comprehensive application and device management
• Single admin console: a unified infrastructure enables IT to manage devices “where they live”
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
• IT can manage the device and application lifecycle
Providing users with a common identity
• IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.
• IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Windows Azure Active Directory.
• Users are more productive by having a single sign-on to all their resources.
• Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365, and third-party applications.
• Developers can build applications that leverage the common identity model.
(Diagram components: third-party services, apps in Azure, Active Directory, Windows Azure Active Directory, web apps, LOB apps, files)
Protect your data
Challenges:
• As users bring their own devices in to use for work, they will also want to access sensitive information and have this information locally on the device.
• A significant amount of corporate data can only be found locally on user devices.
• IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solutions:
• Users can work on the device of their choice and access all their resources, regardless of location or device.
• IT can enforce a set of central access and audit policies, and protect sensitive information based on the content of the documents.
• IT can centrally audit and report on information access.
Protect your data: help protect corporate information and manage risk
• Lost, stolen or retired devices: selective wipe removes corporate applications, data, certificates/profiles, and policies, as supported by each platform; full wipe if supported by each platform; can be executed by IT or by the user via the Company Portal.
• Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
• IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
• Sensitive data or applications can be kept off the device and accessed via Remote Desktop Services.
(Diagram: Enrollment; Personal Apps and Data vs. Company Apps and Data; Policies; Centralized Data; RemoteApp)
Strategic Direction: one unified device management solution that combines on-premises and cloud capabilities into one solution, creating a no-compromise offering that lets customers choose the right delivery mechanism for them.
Windows Intune key customer scenarios: mobile devices, remote workers, application deployment to devices, quick deployment scenarios
Delivering People-centric IT: enable your end users, unify your environment, protect your data
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
• This iPad is already enrolled and the Company Portal app has been installed from the iTunes store • From the home screen, the user taps the Company Portal icon to log on
• The Company Portal app provides a rich experience to access corporate apps, device information, and support details
• Tapping the user name in the top right shows the option to sign out of the app or get more information on app privacy • Under “My Devices” users can see their devices listed across the middle of the screen
• Selecting the iPad brings up details of this device, plus the options to retire or wipe this device (Retire removes it from IT management and selectively wipes company LOB apps)
• Selecting the Surface brings up options for that device. The options listed here allow the user to set a friendly name for the device or carry out a remote selective wipe on this device by removing it from IT management
• For application installation, the experience has been redesigned enabling greater functionality and easier use and navigation
• Tapping on featured apps displays a list of applications that are being promoted by the company – a great way to get visibility of key applications in the catalog
• Users can also browse by category or just see a list of all the applications they have access to
• If the user views the details of Adobe Reader, they will see the option to install this app. As a deep-linked app, this would take them to the iTunes store for installation
• Aperture is an example of an application that the company is requiring approval before installing. • By selecting “Request” the user will enter business justification and wait for the approval process to complete on the backend.
• By tapping on the Dropbox app, the user can see that they already requested this app and it has been denied
• Tapping on “Request History” enables the user to see all requests and the responses from IT regarding why it was denied
• To complete a successful application installation, the user chooses the Dynamics CRM app and taps “Install” • This is a link to a web application, so the user will get a shortcut to that web application placed on the home screen
• While the installation is in progress there is an indicator in the top right corner showing installation status
• Now that it is installed, the user can go to the home screen and launch the web app directly from the icon
• As an example of Workplace Join for iOS, the user receives an email from IT offering the user the ability to join their device to AD
• On clicking the URL, the user will be asked to authenticate
• Multi-factor authentication is also supported such as using Azure Active Authentication Service
• Details are shown once the device is joined
• As a function of being Workplace Joined, a management profile and certificate will be placed on the device (This does not mean the device is enrolled in Windows Intune)
• Let’s show the ability to add a device ID to Active Directory (new for Windows 8.1, iOS, Android)
• Workplace Join (not Domain Join) allows IT to audit device access, understand who is using the device, and provide conditional access based on the user, location and device.
• The user will be prompted for domain credentials via ADFS
• This also allows corporations to use the new Azure Active Authentication Service (formerly PhoneFactor) or another multi-factor authentication service
• The device is now Workplace Joined and the user can also choose to enroll in management of the device via Windows Intune
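The conditional access that Workplace Join enables (access decided on user, device and location, with MFA demanded when needed) lives in AD FS claim rules on the Windows Server 2012 R2 federation server. The following is an added example written for this page, not code from the presentation or from Microsoft; the relying party name "Contoso Web App" is an assumption, standing in for whatever application IT publishes through the Web Application Proxy. The claim types themselves are the device and network-location claims AD FS 2012 R2 issues when device authentication is enabled.

```powershell
# Added example (not from the presentation): AD FS 2012 R2 claim rules that use
# the device claims presented by a Workplace Joined device and the
# network-location claim to decide access and whether to demand MFA.
# The relying party trust name is an assumption; substitute the application
# you publish through the Web Application Proxy.
$rpName = "Contoso Web App"

# Issuance authorization rules: access is denied unless some rule issues a permit claim.
# Rule 1: a user on a Workplace Joined (registered) device is permitted from anywhere.
# Rule 2: anyone connecting from inside the corporate network is permitted.
# An unregistered device coming in from the internet matches neither rule and is refused.
$authzRules = @'
@RuleName = "Permit users on Workplace Joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit access from the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Additional authentication rule: require multi-factor authentication (for example
# Azure Active Authentication registered as the farm's MFA provider) whenever the
# request originates outside the corporate network, even on a registered device.
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Device claims are only populated when device authentication is switched on for the farm.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Verify what is now in effect for the relying party.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules
$rp.AdditionalAuthenticationRules
```

The insidecorporatenetwork claim is true for requests that reach the internal AD FS endpoint and false for requests that arrive through the Web Application Proxy, which is what makes the location-based rule work without any extra configuration. The MFA rule only has an effect once a multi-factor provider has been registered with the farm and the Device Registration Service has been initialized; without those, the rules still apply but registered-device claims and the MFA prompt are never produced.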
• Enrolling in management allows for certificate management, VPN and Wi-Fi profile configuration, among other security settings and application distribution. To do this the user selects “Turn On”
• The user will be prompted to authenticate into the Windows Intune service to ensure they have rights to enroll devices
• The user will also be prompted to acknowledge that IT will be managing the device. Once accepted the device will enroll and install the Company Portal app (over the course of a few minutes)
• Some of the items that were distributed to this user’s device include a VPN profile, shown here
• Also installed is the Company Portal app, which users use to install applications
• In addition to installing applications, users can see the various devices they have enrolled and take action on them. In this example the user can remove this machine or connect remotely to it (via a Remote Connection profile) using the Remote Desktop feature
• Work Folders, a new feature in Windows 8.1, gives a user access to their documents on a file server
• After clicking the Work Folders button users can configure their access
• The user has a choice to change the sync location of their files on their device
• The user must accept the IT admin policy for Work Folders use. The folder will be encrypted, and a password on the device will be required if one is not already set. If the device is retired this folder is removed
• Once set up and synced, users can see the status in the Work Folders section for their device
• For access, users can see their Work Folders entry in the Favorites tab. As users create content it syncs to the corporate share (and vice versa)
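The policy the user is asked to accept in the demo (encrypt the folder, require a device password) is set on the file server when the sync share is created. The following is an added example for this page, not from the presentation; it uses the SyncShare cmdlets that ship with the Work Folders role in Windows Server 2012 R2. The share name, path, security group and user name are assumptions.

```powershell
# Added example (not from the presentation): server-side setup of a Work Folders
# sync share on Windows Server 2012 R2 whose policy matches what the demo client
# accepts. Share name, path, group and user name are assumptions.

# Install the Work Folders role service (part of File and Storage Services).
Install-WindowsFeature -Name FS-SyncShareService

# Create the sync share. -RequireEncryption makes the client encrypt the local
# copy with the enterprise ID, so a selective wipe/retire can remove it without
# touching personal data; -RequirePasswordAutoLock forces a device password and
# lock-screen policy before the client is allowed to sync.
New-SyncShare -Name "WorkFolders" `
    -Path "D:\WorkFolders" `
    -User "CONTOSO\WorkFoldersUsers" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Review the policy that devices will be asked to accept.
Get-SyncShare -Name "WorkFolders" | Format-List *

# After a client has connected, check that user's sync state on this share.
Get-SyncUserStatus -User "CONTOSO\alice" -SyncShare "WorkFolders"
```

The server also needs an HTTPS certificate bound to the Work Folders endpoint, and the client discovers the server either by the URL typed in the Control Panel applet or by the one delivered in an MDM policy; neither step is shown here. Tightening the policy later with Set-SyncShare applies to clients at their next sync, so a device that has not yet met the new requirement stops syncing until it does.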
• Leveraging Azure Rights Management Services or on-premises RMS, IT can require, via Dynamic Access Control in Windows Server 2012, that a policy be enforced on documents that contain specific content. The user is opening a file that was dynamically protected
• In System Center Configuration Manager 2012 R2 new capabilities for People-centric IT have been added such as: • Remote Connection Profiles • Company Resource Access for VPN, Wi-Fi, and Certificate management
• With this release the Windows Intune Subscription location has been moved under the Cloud Service folder in the Administration pane
• New features in the Intune subscription include: • Company Logo and Contacts tabs • Intune Service Status check • Additional options for Windows Phone certificate provisioning
• Company Logo
• Company Contact Info
• Configuration Manager 2012 provides the ability to see the primary devices in use by user
• New in Configuration Manager 2012 R2 is the ability to see primary device ownership via the Device Owner attribute
• Global Conditions can be set for device ownership to target application deployment to corporate owned devices • In addition deeper software inventory can be done for corporate owned devices
• New Company Resource Access pane has three components: • Certificate Profiles • VPN Profiles • Wi-Fi Profiles
• Creating a VPN Profile
• VPN Profiles support configurations from the major VPN vendors in the market • Profiles are deployed to the users. No need to create a VPN per mobile platform
• VPN can be created to automatically connect when accessing a specific DNS suffix or launching a program (Windows 8.1 only)
• VPN Profiles are currently supported on Windows 8.1 and iOS platforms
• By right-clicking on the VPN Profile and choosing Deploy, IT Admins can target User Collections to receive the VPN Profile
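What the "automatic VPN" options in a Configuration Manager VPN profile actually put on a Windows 8.1 client is a connection plus trigger entries in the built-in VPN client. The following is an added example for this page, not from the presentation or from Microsoft, that builds the same result by hand with the VpnClient cmdlets in Windows 8.1, which is useful for inspecting a deployed profile or reproducing it on a test machine. The VPN server name, DNS suffix, DNS server address and application path are assumptions.

```powershell
# Added example (not from the presentation): a Windows 8.1 VPN connection with
# DNS-suffix and application triggers, built with the VpnClient cmdlets.
# Server name, DNS suffix, DNS server address and application path are assumptions.
$conn = "Contoso VPN"

# The base connection: IKEv2 with machine-certificate authentication, so the
# certificate delivered by a Certificate Profile carries the identity, and
# split tunneling so only corporate destinations go through the tunnel.
Add-VpnConnection -Name $conn `
    -ServerAddress "vpn.contoso.com" `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling `
    -Force

# Trigger 1: bring the tunnel up whenever a name under the corporate DNS suffix
# is resolved, and send those queries to the internal DNS server.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $conn `
    -DnsSuffix "corp.contoso.com" `
    -DnsIPAddress "10.0.0.10" `
    -Force

# Trigger 2: bring the tunnel up when a specific LOB application is launched.
Add-VpnConnectionTriggerApplication -ConnectionName $conn `
    -ApplicationID "C:\Program Files\Contoso\LobClient.exe" `
    -Force

# Trusted network detection: do not auto-connect when the client is already on
# the corporate network, recognised by this connection-specific DNS suffix.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $conn `
    -DnsSuffix "corp.contoso.com" `
    -Force

# Inspect the triggers now attached to the connection.
Get-VpnConnectionTrigger -ConnectionName $conn
```

Triggers only apply to per-user connections (a connection created with -AllUserConnection cannot carry them), which matches the deck's note that VPN profiles are deployed to user collections rather than device collections. The trusted-network entry matters for security as much as convenience: without it an app launch on the LAN would still start a tunnel back into the same network.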
• Wi-Fi Profile creation
• Wi-Fi Profile creation allows for auto-connection when in range or just having the profile automatically configured on the device
• Wi-Fi Profiles support a wide range of security types
• Wi-Fi Profiles are supported on Windows 8.1, iOS, and Android devices
• Certificate Profiles
• Certificate Profiles can either deploy a trusted CA certificate or have the client request its own certificate dynamically via the SCEP protocol
• Certificates can be user- or computer-based
• Supported platforms include Windows 8.1, iOS, and Android
• Configuration Items and Configuration Baselines are used to deploy policy settings to mobile devices
• The Configuration Item type must be set to Mobile Device
• You can use the wizard to define settings based on category
• Or you can search on and filter specific settings to add
• Settings can be defined for all mobile platforms at the same time
• Not all platforms support all available settings, and Configuration Manager will alert the IT Admin to incompatible setting/platform combinations before the Configuration Item is created
Demo • Windows Intune cloud-only console • Windows Intune UDM: iOS user experience, Windows 8.1 experience • Configuration Manager 2012 R2
Enable your end users: allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: deliver unified application and device management on-premises and in the cloud.
Protect your data: help protect corporate information and manage risk.
(Diagram: Users, Devices, Apps, Data; Management, Access, Protection)
Flexible Licensing that Fits Your Needs
• Per-user licensing, up to 5 devices per user
• Don’t have Configuration Manager: Windows Intune (includes ConfigMgr license), $6 per user per month
• Already have Configuration Manager: Windows Intune (Add-On), $4 per user per month
For More Information
• Windows Intune information and trial: www.windowsintune.com
• Enabling People-Centric IT: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/FDN03
Contacts:
• Your Microsoft account team
• danderse@microsoft.com - please put WEBCAST in the subject line
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U. S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
DEMO Hybrid Environment
DEMO Intune Cloud Only