| Basel

Device Mgmt (BYOD)TechNet Event November 25th, 2013

Martin Weber

Technology Solution Professional

Microsoft Switzerland Ltd.

Supporting Bring Your Own Device (BYOD) Scenarios

Prioritize objectives, create a

plan, establish identity

profiles, and monitor access

Access, inventory, and manage

devices and applications;

remove corporate data in the

event the device is lost, stolen,

or retired

Fulfill specific usage scenarios

that enable a consistent

experience for users/groups

across devices and platforms

management

Unified management of

mobile devices—IT can

publish corporate apps and

services across device types,

regardless of whether they are

corporate-connected or

cloud-based

User profile User needsCompanion devices Primary devices

Potential device platforms

How many users and

which profiles and needs

are you targeting?

Understand Your Users’ Business Needs (Personas)Scope, types of users, services required

Questions that lay the

foundation for defining your

objectives

Who are the

primary users?

What services will

users actually need

to access?

How many users

do you want to

support?

How many devices

will each user have?

How many and what

types of devices will be

most prevalent?

Manage access to

corporate resources, with

conditional access based

on the user’s identity,

device being used, and

location

Develop common identity

profiles for accessing

resources on-premises and

in the cloud

Provide users with single

sign-on when accessing

all resources, meaning that

users do not have to

remember multiple sets of

credentials

Through federation, users

and IT can take advantage

of their common identity

for access to external

resources

User Identity and Access Management

The User is the Focus besides the Device

•

•

•

•

Access & Information Protection (AIP)

• Device choice

• Application self-service

• Personalized app experience

• Nonintrusive management

• Manage all devices through a single interface

• Deliver apps to the user, not the device

• Integrated security and compliance

• Reduced infrastructure complexity

Access to corporate

resources across devices

and platforms

Single admin

console

2012 R2 Configuration Manager

Users expect to be able to work in any location and have access to all their work resources.

The explosion of devices has eradicated the standards-based approach to corporate IT.

Deploying and managing apps across personal and organization-owned devices is difficult.

Users Devices Apps Data

Enabling users to be productive while maintaining compliance and reducing risk.

Devices AppsUsers

Empowering people-centric IT

Enable users

Allow users to work on the devices of their choice, and provide consistent access to corporate resources.

Protect your data

Help protect corporate information and manage risk.Management. Access. Protection.

Data

Unify your environment

Deliver a unified application and device management on premises and in the cloud.

Empower Bring your Own Device (BYOD)Flexible solutions for your business

Joining workplace with

personal devices

Windows To Go

Virtual

Desktop

Infrastructure

(VDI)

Device

Management

Microsoft Exchange

ActiveSync

Mobile device management (MDM)

via Open Mobile Alliance Device

Management (OMA-DM)

Enterprise

management

Governance Full control

Windows 8.1 provides choices.Choose by device based on scenario or capabilities needed.

Consider employee versus organization-owned, BYOD, connectivity.

Organizations can choose the options that work best for them.

Based on Open StandardsUses OMA-DM protocols Secure communication with cloud-based management Built into Windows 8.1 andWindows RT 8.1

Implemented by multiple independent software vendorsMicrosoft (Windows Intune)AirWatchMobileIron

Open protocol enables implementation by additional vendors

Mobile Device Management

Implements key device management functionality

Hardware and software inventory

Configuration of key settings

Line-of-business modern app installation and updating

Certificate provisioning and deployment

Data protection, including remote business data removal (wipe)

Mobile Device Management

Lightweight registration process for personal devices

Enables access to data when using a registered, trusted device; leverages the user and device identities together

Used with Dynamic Access Control in Windows Server 2012 R2

Primarily a security capability, potentially combined with MDM for manageability

Workplace Join

Simple access to corporate data

Enable offline access to files and folders stored on a Windows Server 2012 R2 file server

Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems, as well

Leverages Web protocols (HTTP) for easy synchronization through firewalls

A complement to SkyDrive and SkyDrive Pro

Work Folders

Selecting the Management Platform for Your Enterprise

Unified Device Management: System Center 2012 R2 Configuration Manager

with Windows Intune

Cloud-based Management:

Stand-alone Windows Intune

No existing Configuration Manager deployment

Simplified policy control

Fewer than 7,000 devices and 4,000 users

Simple web-based administration console

Windows Intune: Stand-Alone Public Cloud Service

Windows PCs

(x86/x64, Intel SoC)

Windows RT,

Windows Phone 8

Apple iOS, Google Android

Manage up to 7,000 devices and 4,000 users

Manage and secure PCs and devices anywhere

Help protect PCs from malware

Manage updates

Proactive monitoring and alerts

Provide remote assistance

Inventory hardware and software

Monitor and track licenses

Increase insight with reporting

Set security policies

Distribute software

Richer mobile device management (MDM)

Simple web-based administration console and a

richer experience for information workers

Mobile Device Management (MDM) using Windows Intune

Microsoft Exchange ActiveSync–based management

Direct management (Windows RT,

Windows Phone 8, iOS)

End-User ExperienceConsistent self-service experience for users across mobile platforms

Native Windows app

Available in the Windows Store

Windows Phone 8

Company Portal

iOS

Company Portal

Native Windows Phone 8 app (.xap)

Sideloaded during enrollment

Native iOS application

Available in the Apple App store

Windows RT

Company Portal

End-User Capabilities for each Platform

Windows 8

Windows 8.1

Windows RT

Windows RT

8.1

Windows

Phone 8

iOS Android

Enroll (local device) Yes Yes Yes YesExchange

ActiveSync

Rename devices Yes Yes Yes Yes No

Retire (un-enroll local device) Yes Yes Yes Yes No

Remotely wipe other devices Yes Yes No No No

Install enterprise LOB apps Yes Yes Yes Yes Yes

Install publicly available apps Yes Yes Yes Yes yes

Browse to web links Yes Yes Yes Yes Yes

Contact IT Yes Yes Yes Yes Yes

Mobile Device Inventory

Hardware properties for mobile devices are collected through the Device Management Authority as well as Exchange ActiveSync (EAS).

No software inventory for mobile devices to respect the information worker’s privacy on their own device.

IT pros can track storage on

mobile devices, which helps

them anticipate and

troubleshoot issues.

Mobile Device Settings Management

Security policy on devices (iOS, Windows RT, and Windows Phone 8) direct management and Exchange ActiveSync (EAS)

Reporting available on

each setting whether it is

applicable, conformant,

or has an error

The same security policy template is used for both direct management and Exchange ActiveSync to help admins

Android and Windows Phone 8 devices can be managed through Exchange ActiveSync

Application Management on Mobile Devices

Platforms Windows 8.1

Windows RT

Windows

Phone 8

iOS Android

Sideload to

install

*.appx *.xap *.ipa *.apk

Deeplinks to

store apps:

Install from

store

Software Distribution Summary

PlatformDesktop apps

(.msi, .exe)

Modern app types

Sideloading Deep-

links

Web

apps.appx .xap .ipa .apk

Windows 8.1 Pro and

Enterprise√ √ √ √

Windows RT - √ √ √

iOS √ √ √

Android √ √ √

Windows Phone 8 √ √ √

Windows 7 and earlier √ √

Windows Intune Sites and Portals

• Administrator console

• https://admin.manage.microsoft.com

• Configure cloud-based management

• Company Portal

• http://portal.manage.microsoft.com

• Download apps, associate users with

devices, contact IT support

• Versions for different mobile device types

Windows

Phone 8

Portal

Company

Portal

Windows

RT Portal

System Center 2012 R2

Configuration Manager

System Center 2012 R2 Configuration Manager

Enable users

Allow people to be more productive

from almost anywhere on almost

any device.

Simplify administration

Improve IT effectiveness

and efficiency.

Unify infrastructure

Reduce costs by unifying IT

management infrastructure.

SCCM 2012 R2: User- and Full Device Mgmt Capabilities

Unified Device Management

User- & Machine centric App Delivery

Full Operating System Deployment (OSD)

Full Application Lifecycle Management

Rich Reporting & Inventory

Target applications based

on user role the best way for

each device

• Windows/Windows RT

• Windows Phone

• iOS

• Android

• OS X

Evaluate device capabilities

for optimal application

delivery

• Local installation

• Microsoft Application

Virtualization

• Desktop Virtualization (VDI)

• Web applications

People-Centric Application DeliveryAccessing apps the right way, on the right device

MSI RDSApp-V

(MDOP)Remote

App

Native

App/

App Store

Unified Device Management

Mac OS X

Windows PCs

(x86/64, Intel SoC),

Windows to Go

Windows Embedded

Windows RT,

Windows Phone 8

iOS, Android

What’s new in Mobile Device Inventory?

New global condition to

differentiate app installations on

corporate vs. personal devices

App management

Personal devices. Inventory only apps

installed by Configuration Manager or

Windows Intune

Corporate devices. Complete inventory of

all apps on the device

App inventory

By default, user-enrolled devices

are “personal”

Admin can specify corporate-

owned devices

“Compromised” device detection.

Personal vs. corporate-

owned devices

VPN Profile Management

Support for major SSL VPN vendors

DNS name-based initiation

support for Windows 8.1 and iOS

Application ID–based initiation

support for Windows 8.1

Automatic VPN

connectionSupport for VPN

standards like PPTP, L2TP,

IKEv2SSL VPNs from Cisco, Juniper,

Check Point, Microsoft, Dell

SonicWALL, F5

Subset of vendors have Windows

RT VPN plug-in

Wi-Fi and Certificate Profiles

Wi-Fi settingsManage and distribute certificates

Deploy trusted root certificates

Support for the Security Center Endpoint Protection

(SCEP) protocol

Manage Wi-Fi protocol and authentication settings

Provision Wi-Fi networks that device can auto-

connect

Specify certificate to be used for Wi-Fi connection

Work Folders

Sync files and data across devicesConfiguration Manager and

Windows Intune support

New settings to provision Work Folders discovery settings

Self-service portals have links to Work FoldersNew feature in Windows 8.1 and Windows Server 2012 R2