Device Management
Workshop
Enterprise Mobility
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
Cloud-based Management - Standalone Windows Intune
No existing Configuration Manager deployment
Simplified policy control
Simple web-based administration console
System Center 2012 R2 Configuration Manager
Enable Users
Allow people to be more productive from almost anywhere on almost any device.
Simplify Administration
Improve IT effectiveness and efficiency.
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
Enable Users
Unified Device Management
User-centric Application Delivery
Unified Device Management
Platform Support
Mac OS X
Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded
Windows RT, Windows Phone 8.x
iOS, Android
OS Platform: Management Agent; End User Experience
Windows 8.1 PC: ConfigMgr Agent or Management Agent (OMA-DM); Software Center/Application Catalog or Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP): ConfigMgr Agent; Software Center/Application Catalog
Windows RT: Management agent (OMA-DM); Windows Company Portal app
Windows Phone 8 and Windows Phone 8.1: Management agent (OMA-DM); Windows Phone 8 Company Portal app
iOS: Apple MDM Protocol; iOS Company Portal app
Android: Android MDM agent (OMA-DM); Android Company Portal app
Mac: ConfigMgr Agent; Limited self service experience
Linux/Unix: ConfigMgr Agent; N/A
Registering and Enrolling Devices
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and cloud devices.
What’s New in Mobile Device Inventory?
App inventory
Personal devices – Inventory only apps installed by ConfigMgr/Intune
Corporate devices – Complete inventory of all applications on the device*
* Inventory capability varies by device platform
App Management
Global condition to differentiate app installs on corporate versus personal
Personal vs Corporate Owned Devices
By default, user-enrolled devices are “Personal”
Admin can specify corporate-owned devices
“Compromised” device detection
Extensions for Windows Intune
• Admin is notified that an extension is available when the console is launched
• Admin goes to Extensions for Intune in the console, and enables the extension
• Extension is activated in ConfigMgr (extension enables on all site systems, then console updates are available)
• Admin restarts the console, and the console is updated with the extension
• Admin uses the feature delivered by the extension
• Admin may wish to disable the extension
Mobile Device Settings in ConfigMgr 2012 R2
Category: Windows 8.1 PC & RT, Windows Phone 8.1, iOS, Android
VPN
Wi-Fi
Certificates
Email Profiles
Password (*) (*) (*)
Device restrictions (*) (*) (*)
Store access
Browsers (*) (*) (*)
Content Rating
Cloud Sync (*)
Encryption (*) (*) (*)
Security (*) (*) (*) (*)
Roaming (*) (*)
Windows Server Work Folders
* Device platform supports a subset of the settings
Resource Access Configuration
Support platforms
Windows 8.1
Windows 8.1 RT
Windows Phone 8.1
iOS
Android
Benefits
End users get access to company resources with no manual steps for them
Features*
Management and distribution of certificates
Corporate email profile provisioning
Configure networking profiles (VPN profiles)
Support for Windows 8.1 Automatic VPN
Wi-Fi protocol and authentication settings
Configure remote connection to work PCs
VPN Profile Management
• Support for major SSL VPN vendors
• DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS
• Application ID based initiation support for Windows 8.1
• Automatic VPN connection
• Support for VPN standards like PPTP, L2TP, IKEv2
• SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
• Subset of vendors have a Windows/Windows RT VPN plug-in
Wi-Fi and Certificate Profiles
Wi-Fi settings
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that the device can auto connect to
Specify certificate to be used for Wi-Fi connection
Certificate Infrastructure
Manage and distribute certificates
Deploy trusted root certificates
Support for Simple Certificate Enrollment Protocol (SCEP)
Email profile management
Manage Exchange ActiveSync accounts
New in January 2014 release!
Configure account settings and security restrictions
Enable certificate authentication
Support for iOS and Windows Phone 8
Enables selective wipe of managed email profile (if platform supports it)
Delivered as Configuration Manager Extension for Windows Intune
Work Folders
Sync files and data across devices
Configuration Manager and Windows Intune support
New settings to help provision the Work Folder discovery settings
Company Portals have links to work folders
New feature in Windows 8.1 client and Windows Server 2012 R2
Full and Selective Wipe
Platforms: Windows 8.1 (x86/RT, OMA-DM managed); Windows 8 RT; Windows Phone 8.1; iOS; Android
Full Wipe
Selective Wipe
Items affected, by platform:
Email: (Mail App) (Mail App)
Company apps and data: Windows 8.1: apps uninstalled, sideloading keys removed, data removed. Windows 8 RT: sideloading keys removed but apps remain installed. Windows Phone 8.1: uninstalled and data removed. iOS: uninstalled and data removed. Android: apps and data remain installed.
VPN and Wi-Fi profiles: Windows 8.1: removed. Windows 8 RT: not applicable. Windows Phone 8.1: removed. iOS: removed. Android: VPN not applicable, Wi-Fi not removed.
Certificates: Windows 8.1: removed and revoked. Windows 8 RT: not applicable. Windows Phone 8.1: removed. iOS: removed and revoked. Android: revoked.
Settings: requirements removed on all five platforms.
Management client: Windows 8.1, Windows 8 RT and Windows Phone 8.1: not applicable, management agent is built-in. iOS: management profile is removed. Android: Device Administrator privilege is revoked.
Unified Device Management Recap
Device states: Unregistered, Registered, MDM Enrolled, Fully Managed
Publish email to users (EAS): Unregistered, Registered, MDM Enrolled, Fully Managed
Publish work folders to users: Unregistered, Registered, MDM Enrolled, Fully Managed
Conditional access based on user, device, location: Unregistered (block device only), Registered, MDM Enrolled, Fully Managed
Audit logging and monitoring: Registered, MDM Enrolled, Fully Managed
Unified Device Management: MDM Enrolled, Fully Managed
Unified Application Management: MDM Enrolled, Fully Managed
Selective data wipe: MDM Enrolled, Fully Managed
Compliance reporting: MDM Enrolled, Fully Managed
Group Policy and login scripts: Fully Managed
OS deployment and imaging: Fully Managed
Configuration management: Fully Managed
Patch management: Fully Managed
Anti malware management: Fully Managed
Full application management: Fully Managed
BitLocker management: Fully Managed
User-centric Application Delivery
Windows 8 Apps
Benefits
Software distribution updated
End user installation same as today
End users have one location for all enterprise apps
(Diagram: Windows RT and Windows 8 devices, Windows Store, firewall, corporate applications)
User-centric Application Delivery
Administration
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop
User-centric Application Delivery
End User Self-Service
IT: Administrators publish software titles to catalog, complete with meta data to enable search
• Deliver best user experience on each device
User: Users can browse, select and install directly from Catalog
• Application model determines format and policies for delivery
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
Reduced Infrastructure Requirements
Endpoint Protection
Compliance and Settings Management
Distribution Point for Windows Azure
Software Update Management
Content Management
Reduced Infrastructure Requirements
Central Administration Site
• Scale
• Support multiple primary sites
• Future proofing your hierarchy (SP1)
Primary Sites
• Client assignment (up to 100k)
• Reduce impact of a primary site failing
• Political reasons
• Delegated administration
• Different client agent settings
• Language packs
• DMZ/Internet Facing
• Untrusted forests (new in R2)
Secondary Sites
• Content fan-out
• Manage upward flow of WAN traffic
• Content routing
• Throttling (now in Distribution Points)
Reasons
Why Obsolete
Reasons
Distribution Points
• Distribute Content
• Branch Distribution Points
“We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our
organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the
maintenance costs.” – Systems management administrator at a US based manufacturing company
Cross-platform Integration
Manage non-Windows desktops including Mac OS X
Manage non-Windows servers including Linux and UNIX
Access business apps on non-Windows machines via Citrix XenApp integration
* Cross-platform integration enhancements are available with Configuration Manager Service Pack 1 (beta released in September 2012)
Consolidation and Cross-platform Integration
Consolidation
Co-locating site system roles onto a single server.
Eliminating servers required for client security.
Simplifying system architecture by reducing the number of sites.
600 hours or U.S. $30,000 saved each year due to reduced administration overhead
Business Value of Microsoft® System Center 2012 Configuration Manager
Unified Device Management Configuration
Device management integrated directly into console
Simple Windows Intune Subscription set-up
Centralized branding and customization of Company Portal experience
Windows Intune Connector deployed as a Site System Role
Security and Compliance
Endpoint Protection
Unified Infrastructure
Simplified server and client deployment.
Streamlined updates.
Consolidated reporting.
Comprehensive Protection Stack
Behavior monitoring.
Antimalware.
Dynamic Translation.
Windows Firewall Management.
Security and Compliance
Settings Management
(Diagram: the ConfigMgr management point delivers the baseline to the ConfigMgr agent; configuration item setting types: WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory)
Baseline Configuration Items
Auto Remediate OR Create Alert (to Service Manager)!
Improved functionality
Copy settings
Trigger console alerts
Richer reporting
Enhanced versioning and audit tracking
Ability to specify versions to be used in baselines
Audit tracking includes who changed what
Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator
Assignment to collections
Baseline drift
Security and Compliance
Software Update
(Diagram: CAS; Primary Site MP role; Primary Site DP role; Primary Site SUP role/WSUS; Microsoft Update. Labels: assigns policy to scan for update status or to deploy update; distributes updates; reports compliance; identifies who needs updates and reports on compliance; downloads updates)
Auto Deployment
Faster deployment through search.
Schedule content download and deployment to avoid reboot during work hours.
State-based Updates
Allows individual or group deployment.
Updates added to groups auto deploy to targeted collections.
Optimized for New Content Model
Reduce replication and storage.
Expired updates and content deleted.
Distribution Point for Windows Azure
Rich feature set
(Diagram: primary site PR1 with MP and DP roles; Windows Azure Distribution Point; Microsoft Update; policy and content crossing the firewall to the corporate network)
Integrated monitoring
In-console content monitoring
Ability to monitor storage and traffic out usage
Content is fully encrypted
Content Management in R2
Pull DP improvements
The sources for a pull DP can be randomized to achieve load balancing and flexibility.
Pull DP in-console monitoring on par with standard DP.
Enable pull distribution point to send state messages via MP.
Infrastructure improvements
Reduced the amount of interaction between remote DPs and the Distribution Manager.
Optimized content distribution by adding distribution point priority and keeping send requests in SQL.
New report: Distribution Point Usage – shows how much a particular DP gets used.
Simplify Administration
Improve IT effectiveness and efficiency.
Modern Management Console
Role-based Administration
Operating System Deployment
Asset Intelligence
Client Health
Simplify Administration
Intuitive ribbon interface
In-console alerts
Global search capability
New collection membership rules allow better filtering of members
Windows PowerShell enablement
Modern Management Console
Unified Device Management Console
Mobile device management integrated directly in to console experience
Common tools for policy and application management
Unified reporting across device platforms
User collections enable user-centric setting and application deployment across device types
Role-based Administration
Functionality: ConfigMgr 2007; ConfigMgr 2012
What types of objects can I see and what can I do to them? ConfigMgr 2007: Class rights; ConfigMgr 2012: Security roles
Which instances can I see and interact with? ConfigMgr 2007: Object instance permissions; ConfigMgr 2012: Security scopes
Which resources can I interact with? ConfigMgr 2007: Site specific resource permissions; ConfigMgr 2012: Collection limiting
Meg - WW Central System Administrator
Louis - Software Update Manager for France
• Can see & update “France” desktops
• Cannot modify security settings on “France” desktops
• Cannot see “All Systems” or “U.S.” desktops
Bob - US and France Security Admin
• Can see and modify security settings on “France” and “U.S.” desktops
• Cannot update “France” or “U.S.” desktops
• Cannot see “All Systems”
Map the organizational roles of your administrators to defined security roles
• Security organization role
• Geography
Reduces error, defines span of control for the organization
RBA enhancements in R2 include SQL Reporting
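As an added illustration (not Configuration Manager's own code), the following Python model combines the three dimensions above, security role, security scope and collection limiting, and reproduces the Meg, Louis and Bob permissions listed; the role, scope and collection names are constructed for the example.

```python
# Added example, not Configuration Manager code: a small model of how the three
# RBA dimensions combine. An admin may act on a collection only if their
# security role grants the operation, the collection's security scope is one the
# admin holds, and the collection lies within the admin's limiting collections.
# Role, scope and collection names below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    name: str
    role: frozenset         # operations granted on the "Collection" object class
    scopes: frozenset       # security scopes assigned to the admin
    collections: frozenset  # limiting collections: the resources the admin may see


# Hypothetical security roles, each a set of permitted operations.
ROLES = {
    "Full Administrator": frozenset({"Read", "Modify", "Deploy Updates", "Modify Security"}),
    "Software Update Manager": frozenset({"Read", "Deploy Updates"}),
    "Security Administrator": frozenset({"Read", "Modify Security"}),
}

# Constructed collections and the security scope each one is tagged with.
COLLECTION_SCOPE = {
    "All Systems": "Default",
    "France Desktops": "France",
    "U.S. Desktops": "US",
}


def can(admin: Admin, operation: str, collection: str) -> bool:
    """Effective right = role permission AND scope match AND collection limiting."""
    if collection not in COLLECTION_SCOPE:
        return False                        # unknown object: deny by default
    if operation not in admin.role:
        return False                        # role does not grant the operation
    if COLLECTION_SCOPE[collection] not in admin.scopes:
        return False                        # instance is outside the admin's scopes
    return collection in admin.collections  # resource must be within limiting collections


def visible(admin: Admin) -> set:
    """Collections the admin can see at all (Read after scope and limiting checks)."""
    return {c for c in COLLECTION_SCOPE if can(admin, "Read", c)}


# The three administrators from the slide, modelled with the constructed roles.
ALL_SCOPES = frozenset(COLLECTION_SCOPE.values())
ALL_COLLECTIONS = frozenset(COLLECTION_SCOPE)
MEG = Admin("Meg", ROLES["Full Administrator"], ALL_SCOPES, ALL_COLLECTIONS)
LOUIS = Admin("Louis", ROLES["Software Update Manager"],
              frozenset({"France"}), frozenset({"France Desktops"}))
BOB = Admin("Bob", ROLES["Security Administrator"],
            frozenset({"France", "US"}), frozenset({"France Desktops", "U.S. Desktops"}))

if __name__ == "__main__":
    for admin in (MEG, LOUIS, BOB):
        print(admin.name, "sees", sorted(visible(admin)))
        for op in ("Deploy Updates", "Modify Security"):
            for c in sorted(COLLECTION_SCOPE):
                print(f"  {op:15} {c:16} {'allowed' if can(admin, op, c) else 'denied'}")
```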
Operating System Deployment
Multiple Deployment Method Support
PXE initiated deployment allows client computers to request deployment over the network
Multi-cast deployment to conserve network bandwidth
Stand-alone media deployment for no network connectivity or low bandwidth
Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
(Diagram: CAS; Primary Site MP role; Primary Site DP role; Image; Task Sequence; Report; WDS PXE Server)
Core Operating System Deployment Scenarios
Scenario: Key Functionality
New computer
• Fresh install of a new operating system on client or server system
• New or repurposed hardware
PXE boot
• Integrate with Windows Deployment Services (WDS) PXE server
• Self-provisioning via F12
Wipe-and-load
• Install new version of operating system
• Reinstall applications and user state under new operating system
Side-by-side
• Similar to wipe-and-load, except between two different devices
Offline with removable media
• With low bandwidth or no connectivity
• Large software packages are on the media
Prestaged Media
• Optimized for network bandwidth
• Speeds up end to end deployment
Client Activity and Health
In-console view of client health
Threshold-based console alerts
Heartbeat DDRs
HW/SW inventory and status
Remediation
Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to
Understand software installation profiles
Plan for hardware upgrades
Identify over or under licensing issues
Track custom apps or groups of titles
Software Metering and License Reports
Asset Intelligence Service
Asset Intelligence Catalog
Real-Time Application and Hardware Intelligence
ConfigMgr Inventory
Summary
Enabled
Unify
Simplify
Role-based Administration
Content Management
Software Update Management
Reduced Infrastructure Requirements
User-centric Application Delivery
Modern Device Management
Compliance and Settings Management
Endpoint Protection
Operating System Deployment
Asset Intelligence, Inventory and Software
Metering
2012
EAS
User-centric
Updated engine
Improved
RBA in Reporting
Windows 8.1 support
2012 R2
Improved
Web App deployment
New
Integrated
Auto remediation
Improved
New
Improved
Improved
2012 SP1
Unified
Win 8 Apps
Flexible hierarchies
Real-time actions
User profile and data
Improved
Improved
Improved
Modern Management Console Additional cmdletsNew Windows PowerShell
Client Health Improved Improved
Distribution Point for Windows Azure New
For More Information
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management
More Resources:
System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server
Windows Embedded Support
Repurposed PC
• Windows Thin PC
Thin Clients
• Windows XP Embedded
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
POS/Kiosk
Same as Thin Clients, plus
• POS Ready 2009
• POS Ready 8
Digital Signage
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
Supported Write Filters
• File Based Write Filters (FBWF) (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Ability to force persistence of changes for
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly.
Linux and UNIX Servers
Red Hat Enterprise Linux
• Version 4 (x86/x64)
• Version 5 (x86/x64)
• Version 6 (x86/x64)
Solaris
• Version 9 (SPARC)
• Version 10 (SPARC/x86)
• Version 11 (SPARC/x86)
SUSE Linux Enterprise Server
• Version 9 (x86)
• Version 10 SP1 (x86/x64)
• Version 11 SP1 (x86/x64)
Supported Operating Systems across both:
• Configuration Manager
• Operations Manager
Earlier versions supported as long as vendor provides support
Broader Linux distro support being evaluated for future releases
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
Consolidated reports
Recently Added
• CentOS 5, 6
• Debian 5, 6, 7
• Ubuntu 10.4 LTS, 12.4 LTS
• Oracle Linux 5, 6
• HP-UX 11iv2, 11iv3
• AIX 5.3, 6.1, 7.1
Mac OS X
Configuration Manager native client
Key management capabilities
Improved enrollment in R2
Scenarios Hybrid Standalone
Default browser Yes Yes
Disable Copy and paste functionality Yes Yes
Disable Telemetry/Diagnostic data Submission (SQM/Watson) - Granular Yes Yes
Screen Capture Yes Yes
File encryption on mobile device Yes Yes
Allow simple password Yes Yes
Alphanumeric Password required Yes Yes
Idle time before mobile device is locked (minutes) Yes Yes
Minimum complex characters Yes Yes
Minimum password length (characters) Yes Yes
Number of failed logon attempts before device is wiped Yes Yes
Number of passwords remembered Yes Yes
Password complexity Yes Yes
Password expiration in days Yes Yes
Scenarios Hybrid Standalone
Bluetooth Yes Yes
Camera Yes Yes
Disable Internet Explorer Yes Yes
Disable USB sync No No
Disable WiFi Yes Yes
Near field communication (NFC) Yes Yes
Prevent user initiated un-enrollment/ disable PC settings No No
Removable storage (Any external storage device) Yes Yes
Disable Application Store Yes Yes
Disable Internet Sharing over WiFi (Tethering) Yes Yes
Disable Wi-Fi Offloading Yes Yes
Wi-Fi Hotspot reporting Yes Yes
Disable Custom Email Account (all or nothing) Yes Yes
Allow Microsoft Account Yes Yes – Roadmap
Turn on/off location awareness (cellular or GPS) Yes Yes