Windows RT in the Enterprise Nico Sienaert Lead Infrastructure Consultant | Getronics V-Technology Solutions Professional | Microsoft

Managing Windows RT devices in the Enterprise


DESCRIPTION

More info on http://techdays.be.


Page 1: Managing Windows RT devices in the Enterprise

Windows RT in the Enterprise

Nico Sienaert
Lead Infrastructure Consultant | Getronics
V-Technology Solutions Professional | Microsoft

Page 2: Managing Windows RT devices in the Enterprise

Session Objectives and Takeaways

Positioning of Windows RT devices

Where does Windows RT in the Enterprise make sense

What are the challenges

How do you manage and keep control

Page 3: Managing Windows RT devices in the Enterprise

Flavors of Windows 8 tablets

Windows 8 tablets with Intel Core 64-bit processors

Windows 8 tablets with Intel Atom 32-bit processors

Windows RT tablets with ARM processors

Page 4: Managing Windows RT devices in the Enterprise

Windows tablets in Business Environments

Ready for Business to Embrace

Devices & Experiences People Love

High Quality Work and Life

Hardware and Software Innovation

Applications

Mobility

Workload

Manageability

Connectivity

Data & App Access

Page 5: Managing Windows RT devices in the Enterprise

What capabilities are needed?

Mobility Windows 8 tablets with Atom or Windows RT tablets

Workload

Data & Apps

Manageability

Connectivity

Windows 8 tablets with Intel Core

Desktop Apps: W8 tablets with Intel CPU
W8 LOB Apps: Intel Core, Atom or ARM

Best Connectivity: W8 tablets with Intel CPU
Always on Capability: Atom or Windows RT

(Full) Management: Intune\ConfigMgr

Page 6: Managing Windows RT devices in the Enterprise

Modern Device Management

Devices & Platforms

IT

Single admin console

Mac OS X

Windows PCs (x86/64, Intel SoC), Windows to Go

Windows Embedded

Windows RT, Windows Phone 8

iOS, Android

Service Pack 1

Page 7: Managing Windows RT devices in the Enterprise

Configuration Steps

1. Purchase\Try Windows Intune Subscription
2. Add Public Company Domain and CNAME for enrollment redirection
3. Verify Users have Public Domain UPNs and perform AD User Discovery
4. Deploy and Configure AD Federated Services (ADFS 2.0)
5. Deploy and Configure AD Directory Synchronization
6. Configure Configuration Manager for Mobile Device Management
   • Create a Windows Intune Subscription in the Configuration Manager Admin Console
   • Create the Windows Intune Connector Site System role
7. Verify that Configuration Manager is successfully connecting to the Windows Intune Service
   • CloudUserSync
   • DMPDownloader
   • DMPUploader

Page 8: Managing Windows RT devices in the Enterprise

Management Infrastructure Cloud

Windows 8 App Delivery

Self-Service Portal (SSP)

Side Load from Your Infrastructure

Windows 8

Download from Windows Store

Public Apps

Custom LOB Apps

App Delivery

Windows RT

Page 9: Managing Windows RT devices in the Enterprise

Enroll a Windows RT device

Get a certificate (for instance internal PKI) to sign your Apps

Sign your Apps with the certificate

Upload the certificate into ConfigMgr\Intune

Upload Sideloading key into ConfigMgr\Intune

Go on the Windows RT device to “Company Applications”

Connect to the Windows Intune Service

Install Company Portal

You are ready to manage and to deploy Apps

Page 10: Managing Windows RT devices in the Enterprise

Troubleshooting of Software Distribution

HKCU\Software\Microsoft\Windows\CurrentVersion\MDM\JobDB

• BITSId
• DeployRetryCount
• LastError
• Status

Status values:

Initialized / Created = 10
Download In Progress  = 20
Download Failed       = 30
Download Complete     = 40
Install In Progress   = 50
Install Failed        = 60
Install Complete      = 70

Page 11: Managing Windows RT devices in the Enterprise

Problem Scenarios (1)

Symptom: Application is not installing and Reg status of the App is 10

Problem Cause: Most likely sideloading is not enabled

Mitigation: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowTrustedApps=1

Symptom: Application is not installing and Reg status of the App is 30

Problem Cause: Internet Connection down \ DP where content is hosted was down \ Cert to issue the device is expired

Mitigation: Solve above

Page 12: Managing Windows RT devices in the Enterprise

Problem Scenarios (2)

Symptom: Application is not installing and Reg status of the App is 60

Problem Cause: Application Package corrupt \ Certificate expired \ ...

Mitigation: Install App locally with Add-AppxPackage

Symptom: No Job entry is created in the Registry corresponding to the application requested

Problem Cause: Internet Connection lost during install \ notification channel with the device is not created

Mitigation: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MDM\WNSChannelURi value in this case would be empty.
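
The registry checks from the troubleshooting slides combined into one read-only diagnostic, as an added PowerShell example that is not part of the original deck. It assumes each deployment job appears as a subkey of JobDB carrying the values listed on the slide; the function name Get-MdmJobReport is hypothetical.

```powershell
# Added example. Assumption: each deployment job is a subkey of JobDB holding
# the Status, LastError, DeployRetryCount and BITSId values listed on the slide.
$MdmKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MDM'
$AppxPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# Status codes and the causes the slides associate with them.
$StatusText = @{
    10 = 'Initialized / Created'; 20 = 'Download In Progress'
    30 = 'Download Failed';       40 = 'Download Complete'
    50 = 'Install In Progress';   60 = 'Install Failed'
    70 = 'Install Complete'
}
$Hint = @{
    10 = 'Sideloading most likely not enabled (check AllowTrustedApps)'
    30 = 'Internet connection, DP hosting the content, or expired certificate'
    60 = 'Package corrupt or certificate expired; test with Add-AppxPackage'
}

function Get-MdmJobReport {
    param([string]$Path = "$MdmKey\JobDB")
    if (-not (Test-Path $Path)) { return }          # no JobDB key: nothing to report
    foreach ($key in Get-ChildItem -Path $Path) {
        $p = Get-ItemProperty -Path $key.PSPath
        $code = [int]$p.Status                      # a missing Status becomes 0 -> 'Unknown'
        $meaning = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { 'Unknown' }
        [pscustomobject]@{
            Job         = $key.PSChildName
            Status      = $code
            Meaning     = $meaning
            LastError   = $p.LastError
            Retries     = $p.DeployRetryCount
            BITSId      = $p.BITSId
            LikelyCause = $Hint[$code]              # empty for states that are not failures
        }
    }
}

$allow = (Get-ItemProperty $AppxPol -Name AllowTrustedApps -ErrorAction SilentlyContinue).AllowTrustedApps
$wns   = (Get-ItemProperty $MdmKey -Name WNSChannelURi -ErrorAction SilentlyContinue).WNSChannelURi
$jobs  = @(Get-MdmJobReport)

if ($allow -ne 1) { 'AllowTrustedApps is not set to 1: sideloading is not enabled.' }
if ($jobs.Count -eq 0 -and [string]::IsNullOrEmpty($wns)) {
    'No job entries and WNSChannelURi is empty: no notification channel to the device.'
}
$jobs | Format-Table Job, Status, Meaning, LastError, Retries, LikelyCause -AutoSize
```

Run it in the session of the affected user, since JobDB and WNSChannelURi live under HKEY_CURRENT_USER.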

Page 13: Managing Windows RT devices in the Enterprise

ConfigMgr\Intune interoperability

Page 14: Managing Windows RT devices in the Enterprise

User Experience on Windows RT

• Thin, light, and sleek
• Long battery life
• Includes class drivers for most peripherals
• Secure by default (UEFI, TPM)
• Integrated engineering with ecosystem
• Predictable and reliable over time
• Pre-configured environment on certified hardware

• New UI, including desktop
• Office Home and Student 2013 RT is included
• Inbox Mail client
• Touch, mouse, keyboard
• Multiple user accounts

• Run on both Windows RT and x86
• Leverage existing developer language and tools
• Sideloading (for line-of-business WinRT apps) and Windows Store

High Quality Work and Life

Hardware and Software Innovation

Applications

Page 15: Managing Windows RT devices in the Enterprise

Driver Compatibility

www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home

Page 16: Managing Windows RT devices in the Enterprise

Office Home and Student 2013 RT

• Preinstalled on ARM-based Windows RT devices
• Includes new Office applications: Word, Excel, PowerPoint, OneNote
• Office Home & Student 2013 RT commercial use rights are included in:
  • Office 365, or
  • Office Standard/Professional Plus 2013 (as secondary use right), or
  • Commercial use license via Volume Licensing

Page 17: Managing Windows RT devices in the Enterprise

Connectivity (1)

VPN connection
• Inbox VPN client for Microsoft server is included
• Inbox VPN client can interoperate with 3rd party VPN servers via PPTP, L2TP, SSTP and IKEv2.
• Encryption: 3DES, AES_128, AES_192, AES_256, CBC_3DES, CBC_DES
• Integrity: SHA1, SHA_256, SHA_384
• Password: PAP / CHAP / MS-CHAPv2 / EAP
• Certificates: User & Machine
• Support for split-tunnel
• Web Proxy and intranet settings

Page 18: Managing Windows RT devices in the Enterprise

Connectivity (2)

VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell

Page 19: Managing Windows RT devices in the Enterprise

Provisioning VPN via Intune\ConfigMgr

Diagram components: Intune MDM, SCCM, RRAS Server (Enterprise Premises)

1 – VPN Profile XML configured for WinRT clients

2 – WinRT clients enroll for LOB apps via “CompanyApps”

3 – Intune pushes the VPN profile XML to enrolled clients

4 – VPN Connection establishment

Page 20: Managing Windows RT devices in the Enterprise

Connectivity (2)

Multi-factor authentication
• Smartcard (PIV, GIDS) or Virtual Smartcards
• RSA Token

VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell

Page 21: Managing Windows RT devices in the Enterprise

OTP using RSA SecurID

Diagram components: Windows RT device, Internet, VPN Tunnel, VPN Server, RSA Authentication Manager (Enterprise Premises)

TTLS-PAP authentication protocol

Only one OTP vendor supported: Odyssey

Page 22: Managing Windows RT devices in the Enterprise

Connectivity (2)

Multi-factor authentication
• Smartcard (PIV, GIDS) or Virtual Smartcards
• RSA Token
  • Limitations:
    • PIN Changes
    • Token Challenge-Response
  • Workaround:
    • Web-login page protected by the RSA Web Agent

VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell

Page 23: Managing Windows RT devices in the Enterprise

Data and App Access

RemoteApp
• Grant access to line-of-business applications and data
• Seamlessly launch apps from Windows RT
• Secure corporate data: avoid storing enterprise data on consumer devices
• Ensure compliance requirements

VDI
• Full VDI experience (RemoteFX, USB redirection, Multi-touch remoting)

3rd Party
• Citrix Receiver

Remote Assistance

Page 24: Managing Windows RT devices in the Enterprise

VPN, VDI and Remote Apps

Page 25: Managing Windows RT devices in the Enterprise
Page 26: Managing Windows RT devices in the Enterprise

Security and Manageability (1)

Security capabilities on Windows RT devices
• Secured Boot, Trusted Boot
• Device Encryption
• Picture password
• Windows Firewall, Windows Defender
• NAP (Network Access Protection) supported

Governance through Exchange ActiveSync (EAS)*
• Password requirements (e.g., password complexity, picture password, device lock, password expiration etc.)
• No support of external encryption
• Remote Content Wipe & lockout behavior
• Mail App limitations (Alternative OWA with Exchange 2013 or O365)

* Enabled through Mail app

Page 27: Managing Windows RT devices in the Enterprise

Security and Manageability (2)

Cloud-based management with Windows Intune
Single pane-of-glass administration through ConfigMgr 2012 SP1
• Distribute and manage new Windows apps (via sideloading)
• Push configurations (e.g., VPN config)
• Enforce more governance settings
• Ensure compliance (e.g., monitor security settings)
• Collect inventory information (e.g., which LOB apps are installed)

Diagnostics and troubleshooting
• Windows PowerShell supported
• The traditional Windows tools (Eventvwr, TaskMgr, Troubleshooting,…)

Page 28: Managing Windows RT devices in the Enterprise

Windows RT Management Details

Setting | Windows RT Direct Management via Windows Intune | Exchange ActiveSync
Allow convenience logon policy | ✓ | ✓
Alphanumeric password required policy | ✓ | ✓
Attachments enabled | ✓ | ✓
Hardware inventory | ✓ | ✓
Maximum inactivity time lock | ✓ | ✓
Password management | ✓ | ✓
Require device encryption | ✓ | ✓

Capability | Windows RT Direct Management via Windows Intune | Exchange ActiveSync
Application publishing | ✓ | ✗
Deep-link into public application stores | ✓ | ✗
User self-service portal | ✓ | ✗
VPN Client configuration | ✓! | ✗

Page 29: Managing Windows RT devices in the Enterprise

Capabilities at a glance

Capability | Windows RT
Application management | ✓
Endpoint Protection | O
Hardware Inventory | ✓
Software Inventory | ✓!
Remote control | O
Reporting | ✓
Software updates | O
Compliance settings | ✓!
Power management | O
Software metering | O

Portal Capability | Windows RT
Enroll Device | Yes
Rename Device | Yes
Retire (un-enroll local device) | Yes
Wipe (remotely other devices) | Yes
Install LOB Applications | Yes
Install publicly available applications | Yes
Contact IT | Yes

Retire Device | Windows RT
Removal of Side-loading key | Yes
Continue usage of side-loaded Apps | No
Install new side-loaded Apps | No
Policies retained on device | Yes

Page 30: Managing Windows RT devices in the Enterprise

Settings Management

Page 31: Managing Windows RT devices in the Enterprise

Miscellaneous

Page 32: Managing Windows RT devices in the Enterprise

RECAP

Windows RT devices are primarily designed as consumer devices, but can be used in corporate environments as well, either using employee-owned devices or company-owned devices depending on the situation. To properly support Windows RT devices in the workplace, enterprises should understand the capabilities provided in and restrictions imposed by Windows RT, as well as the specific infrastructure requirements for supporting Windows RT devices within their organization.

Page 33: Managing Windows RT devices in the Enterprise

Interesting Links

Windows RT VPN user guide http://technet.microsoft.com/en-us/library/jj900206.aspx

Windows 8 VPN – PowerShell support http://technet.microsoft.com/en-us/library/jj613766.aspx

Compatibility and Interoperability http://technet.microsoft.com/en-us/library/jj613768.aspx

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager http://technet.microsoft.com/en-us/library/jj884158.aspx

Page 34: Managing Windows RT devices in the Enterprise

Windows RT in the Enterprise

Thank you!