Getting Started with the Enterprise Mobility Suite (EMS)
TRANSCRIPT
MVP Roadshow 2015
Enterprise Mobility Suite
Key Takeaways
Why is mobile management important?
What is EMS and why do you need it in your Enterprise?
How do we configure and get started with EMS?
© EG A/S 2
Ronni Pedersen
Microsoft MVP: Enterprise Client Management
Senior Infrastructure Architect
Founder: System Center User Group Denmark
Microsoft Certified Trainer
Microsoft TechNet Moderator
Twitter: https://twitter.com/ronnipedersen
Blog: http://www.ronnipedersen.com/
Mail: [email protected]
Kenny Buntinx
Managing Consultant
https://twitter.com/KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
Demo Environment
Powered by Hyper-V in the Cloud
DC01: Domain Controller, DNS Server, DHCP Server
CLIENT02: Windows 10 TP
CM01: SQL 2012, ConfigMgr 2012 R2
CLIENT01: Windows 8.1
MDT01
Enterprise Mobility Suite
2015 Enterprise Mobility Predictions
Say goodbye to BYOD
Say hello to Data Protection
Organizations will generally have three types of devices:
• Employee Owned, Company Managed (EOCM)
• Company Owned, Company Managed (COCM)
• Company Owned, Company Dictated (COOD)
Source: http://simon-may.com/yet-another-predictions-post-mobility-2015/
• SCCM is the undisputed winner of PC Mgmt w/ >70% share
• You need to look into an MDM solution today
• We believe Microsoft is the long-term winner
Chart: Growth is all in Mobile Devices. Device Shipments (MM), three series over six periods. Source: IDC
Licensing
Microsoft Intune (Standalone)
Enterprise Mobility Suite: Microsoft Intune, Azure Active Directory Premium, Azure Rights Management
Enterprise Cloud Suite: Enterprise Mobility Suite, Office 365 Enterprise E3, Windows Software Assurance (Per
http://www.microsoft.com/licensing/about-licensing/briefs/enterprise-cloud-suite.aspx
Enterprise Mobility Suite
Microsoft Intune: Mobile and Device Management
Azure Active Directory Premium: Hybrid Identity Management
Azure Rights Management: Information Protection
Microsoft Intune
Mobile Device Management
Windows, Windows Phone, iOS and Android
Policy and Application Management
Compliance reporting
Conditional Access to resources
Selective Wipe Devices
Hybrid / Cloud solution
Azure Active Directory Premium
Active Directory in the cloud
Federation and identity provisioning
Centrally managed identities: Synchronization, Single User Identity (SSO)
Monitoring and protecting access to cloud apps: Authentication and Security reports, Multi-Factor Authentication (MFA)
Empower end users: Self-Service password reset
Microsoft Rights Management
Encrypt and control documents and mails
Prevent unwanted viewing/printing of or access to Corporate data
Getting Started with Intune
Setting up the environment
Subscription requirements
Process Overview
Prepare
• Create Accounts for cloud services
• Create Subscriptions
Deploy
• Add Public DNS
• Configure AD Users with Public Domain UPNs
• Deploy and Configure Azure AD Sync
Configure
• Configure Configuration Manager for Mobile Device Management
• Configure Device Enrolment
Create accounts for the cloud
Start by creating dedicated admin accounts:
Microsoft account: https://signup.live.com/
Apple ID: https://appleid.apple.com/account
Google account: https://accounts.google.com/Signup
Create the trial subscriptions
Microsoft Office 365: http://aka.ms/ITcampO365Trial
Microsoft Intune: http://aka.ms/tryintune
Microsoft Azure Active Directory (AD) Premium: http://azure.microsoft.com/en-us/pricing/free-trial
Azure Rights Management: https://manage.windowsazure.com
DEMO: Create accounts and subscriptions
Azure AD Sync and ADFS
Connect your Active Directory to the Cloud
Domain, DNS, and UPN management
Diagram (Domain, DNS and UPN management, example user Tony Allen): a recommended option and an alternative approach for aligning the on-premises Active Directory default UPN suffix with the Windows Azure AD default domain. Steps shown: add the external domain contoso.com, add a UPN suffix to Active Directory, change UPNs, then synchronise with directory synchronization. The user name and UPN must match. Depending on the domain name used, accounts are created as @contoso.com or @contoso.onmicrosoft.com.
Planning for Azure AD Sync (DirSync) / ADFS
Azure AD Sync with hash: the password hash is stored in Azure
Azure AD Sync without the hash: separate passwords are stored in Azure (multiple user IDs and passwords)
Azure AD Sync without the hash + ADFS: requires a wildcard certificate; passwords are only stored in AD
Azure AD Sync Accounts
Create dedicated accounts for Azure AD Sync:
Azure AD: [email protected]
On-Prem AD: DOMAIN\SA-AzureADSync
Disable password expiry on the Sync Account
# Prompt once; the same credential is used for both sessions below
$MsolCredential = Get-Credential
# Exchange Online remoting session (the MSOnline cmdlets further down do not depend on it)
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $MsolCredential -Authentication Basic -AllowRedirection
Import-PSSession $ExchangeSession
# Azure AD session (MSOnline module)
Connect-MsolService -Credential $MsolCredential
# Stop the sync service account's password from expiring, which would silently break synchronization
Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true
DEMO: Setting up Azure AD Sync
Single management console for IT admins
Is your ConfigMgr Environment ready for UDM?
Cumulative Update 4: http://support.microsoft.com/kb/3026739
Why CUs Matter: http://blogs.technet.com/b/configmgrteam/archive/2015/02/26/updates-for-managing-mobile-devices-with-configuration-manager-and-microsoft-intune.aspx
http://scug.be/sccm/2014/12/29/hybrid-scenarios-with-system-center-configuration-manager-2012-r2-windows-intune-adfs-wap-ndes-workplace-join-hotfixes-you-really-need-in-your-environment/
DEMO: Configuring Microsoft Intune
Single management console for IT admins
Company Portal(s)
Company portal self-service experience
Consistent experience across: Windows, Windows Phone, Android, iOS
Discover and install corporate apps
Manage devices and data
Customizable terms and conditions
Ability to contact IT
Force the Policy refresh
Mobile Device – Portals
All portals offer the same experience (except for Windows Phone)
Device Enrollment
Enrolling Devices
Users can enroll devices that configure the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications
Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and in the cloud
Diagram components: Dirsync w/ Pwd Sync, Connector, Internal Connector
Expanding device support with Workplace Join
Diagram: Not Joined to AD (limited access, no IT control), Workplace Joined, Domain Joined (Active Directory)
Lost Device Protection
Devices registered via Workplace Join are registered within Active Directory in the container:
CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com
Lost devices can be denied access by disabling or deleting the appropriate object within AD. Access through AD FS is immediately revoked for the workplace joined client.
From testing thus far, devices joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.
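The two actions above (denying a lost device by disabling its object, and cleaning up the stale objects that re-registration leaves behind) as an added PowerShell example; it is not from the presentation or the Hitman tool. It assumes the ActiveDirectory module, the placeholder domain DC=mydomain,DC=com from the slide, that an object's CN is its device ID as the slide shows, and the msDS-Device attribute names used by the Device Registration Service.

```powershell
# Added example, not from the presentation: list, revoke and audit Workplace Joined
# devices under CN=RegisteredDevices. Assumes the ActiveDirectory module and the
# placeholder domain DC=mydomain,DC=com from the slide.
Import-Module ActiveDirectory

$RegisteredDevicesDN = 'CN=RegisteredDevices,DC=mydomain,DC=com'
# Attributes of the msDS-Device schema class (Device Registration Service)
$DeviceProps = 'msDS-DeviceID', 'msDS-IsEnabled', 'msDS-RegisteredOwner',
               'msDS-DeviceOSType', 'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'

function Get-WorkplaceJoinedDevice {
    # Every device object directly under the container, with owner, OS and last-logon data
    Get-ADObject -SearchBase $RegisteredDevicesDN -SearchScope OneLevel -Filter * -Properties $DeviceProps
}

function Disable-WorkplaceJoinedDevice {
    # Lost or stolen device: set msDS-IsEnabled to FALSE rather than delete, so the object
    # stays for audit while AD FS immediately stops accepting the device.
    # Assumes the object's CN is the device ID, as on the slide.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][Guid]$DeviceId)
    $dn = "CN=$DeviceId,$RegisteredDevicesDN"
    $device = Get-ADObject -Identity $dn -Properties 'msDS-IsEnabled'
    if ($PSCmdlet.ShouldProcess($dn, 'Disable registered device')) {
        Set-ADObject -Identity $device -Replace @{ 'msDS-IsEnabled' = $false }
    }
}

function Get-StaleWorkplaceJoinedDevice {
    # Cleanup candidates left behind by leave/re-join cycles: no sign-in for $Days.
    # msDS-ApproximateLastLogonTimeStamp is a FILETIME large integer; whenCreated is the
    # fallback when it was never stamped. Report only; removal is a separate, explicit step.
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-WorkplaceJoinedDevice | Where-Object {
        $ts = $_.'msDS-ApproximateLastLogonTimeStamp'
        $last = if ($ts) { [DateTime]::FromFileTime([long]$ts) } else { $_.whenCreated }
        $last -lt $cutoff
    }
}

function Remove-StaleWorkplaceJoinedDevice {
    # Deletes what Get-StaleWorkplaceJoinedDevice reports; run with -WhatIf first
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = 90)
    foreach ($device in Get-StaleWorkplaceJoinedDevice -Days $Days) {
        if ($PSCmdlet.ShouldProcess($device.DistinguishedName, 'Remove stale registered device')) {
            Remove-ADObject -Identity $device -Confirm:$false
        }
    }
}
```

Disable-WorkplaceJoinedDevice and Remove-StaleWorkplaceJoinedDevice both honour -WhatIf, so the effect on the container can be previewed before anything is changed.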
As a side note… ADFS with Workplace Join?
Windows Phone 8.1 requires GDR 2 (v 8.10.14192.280)
Mobile Device – Personal vs Corporate
App Management
By default, user-enrolled devices are “Personal”
Complete inventory of all Apps on the device only when set to Corporate
Only the admin can specify corporate-owned devices!
Personal vs. Corporate Owned Devices
Collecting IMEI from devices
Retrieve the International Mobile Equipment Identity (IMEI) through a custom MOF (Windows Phone 8.1)
Full Details: http://blogs.technet.com/b/configmgrteam/archive/2014/07/30/collecting-imei-from-devices-enrolled-in-windows-intune-with-sc-2012-r2-configmgr.aspx
DEMO: Enrollment Walkthrough / Workplace Join / Lost Devices
Workplace Join Hitman tool
Beta available via TechNet Galleries:
http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238#content
Settings Management
Key Concepts
Mobile device setting categories
Columns: Category | Win 8.1 PC & RT | Windows Phone 8.1 | iOS | Android/KNOX | Exchange ActiveSync
Password ● ● ● ●
Encryption ● ● ●
Malware ●
System Settings ● ● ● ●
Cloud ● ●
Window Server Work Folders ●
Accounts and Sync ● ●
Email ● ● ●
Browser ● ● ● ●
Store Applications & Gaming ● ● ●
Device Hardware ● ● ●
Device Cellular/Roaming ● ● ●
Device Features ● ● ●
DEMO: Settings Management
Intune Extensions
Configuration Manager Extensions for Intune
Rapid delivery of Configuration Manager features to support new Mobile Device Management features through Microsoft Intune
Updates are automatically downloaded and optionally enabled through the admin console.
Extension lifecycle:
1. Admin is notified that an extension is available when the console is launched
2. Admin goes to Extensions for Intune in the console and enables the extension
3. Extension is activated in ConfigMgr (the extension enables on all site systems, then console updates are available)
4. Admin restarts the console, and the console is updated with the extension
5. Admin uses the feature delivered by the extension
6. Admin may wish to disable the extension
As a side note … Permissions!
Local Admin Required
Security Scope: All Instances
See: http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/
Extending Settings Management Through OMA-DM
OMA-DM: Specification designed for management of mobile devices
• Mobile Phones
• PDAs
• Tablets
Supporting the following use case scenarios:
• Provisioning – Configuration of the device (including first time use), enabling and disabling features
• Device Configuration – Allow changes to settings and parameters of the device
• Software Upgrades – Provide for new software and/or bug fixes to be loaded on the device, including applications and system software
• Fault Management – Report errors from the device, query about status of device
OMA-DM for WP8.1: http://technet.microsoft.com/en-us/library/dn499787.aspx
DEMO: Extending Settings Management
Business Scenario
At a customer during a Windows Intune UDM Proof of Concept:
Customer was ordering 1000 corporate owned (COPE) Nokia Lumia 630 Windows Phones
He wanted us to provide the option that when a ‘device owner’ in CM12 R2 is set to “corporate”, a user can’t unenroll a “corporate” device.
Unless you are the ConfigMgr 2012 MDM admin, you can’t.
Read the full story here:
http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/
Solution Outline
• Create configuration item “Deny WP8.1 MDM UnEnrollment”
• Select the checkbox ‘Configure additional settings that are not in the default settings groups’
• Hit the “Create Setting” tab
  1. Give it a Name
  2. Settings Type: OMA-URI
  3. Data Type: Integer
  4. OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
• Highlight your recently created ‘Deny MDM Unenrollment’ and hit the ‘Select’ button
  1. Rule Type: Value
  2. Data Type: 0 (0 = un-enroll not allowed / 1 = enroll allowed)
  3. Set ‘Remediate noncompliant rules when supported’
  4. Set Noncompliance severity for reports to ‘Warning’
• Create the baseline
• Create the collection
• Deploy the baseline
• Wait 5 minutes
Resource Access Configuration
Benefits
• End users get access to company resources with no manual steps for them
Features*
• Configure VPN profiles
• Support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates
• Conditional Access
VPN Profile Management
Automatic VPN connection: DNS name-based initiation support for Windows 8.1 and iOS; Application ID based initiation support for Windows 8.1
Support for VPN standards: PPTP, L2TP, IKEv2
Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5; a subset of vendors have a Windows VPN plug-in
Wi-Fi and Certificate Profiles
Certificate profiles: manage and distribute certificates; deploy trusted root certificates; support for Simple Certificate Enrollment Protocol (SCEP)
Wi-Fi settings: manage Wi-Fi protocol and authentication settings; provision Wi-Fi networks that devices can auto connect to; specify the certificate to be used for the Wi-Fi connection
DEMO: Resource Access Configurations
N-What? NDES? SCEP??? WTH …
Certificate Profiles
Manage and distribute certificates
Deploy trusted root certificates
Support for Simple Certificate Enrollment Protocol (SCEP)
This is not a next, next, finish configuration
Certificate enrollment via NDES
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
Why CUs Matter (again)
CU4 improvements for NDES
Target to user instead of devices
> Ensures fastest delivery
Pre-CU3 templates need to be recreated
> Re-targeting from device to user is not sufficient
As a side note …
Certificate deployment to iOS 8
Required modification to template: Remove Signature in proof of origin
See: http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/
As a side note … (2)
User based Certificate deployment to iOS 8
Required modification to “subject name format” for user deployments: Only “Common name” supported
DEMO: Certificate deployment
End result:
Custom iOS policy
Application Management
Mobile Application Management
Personal apps
Mobile Application Management
Conditional access for Office 365
DEMO: Mobile Application Management
Allow or block apps
Prevent unauthorized apps from being used on devices
Business Scenario
http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/
Solution Outline
• Create configuration item “Deny Windows Phone Apps”
• Select the checkbox ‘Configure additional settings that are not in the default settings groups’
• Hit the “Create Setting” tab
  - Give it a Name
  - Settings Type: OMA-URI
  - Data Type: String
  - OMA-URI: ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
  - Value (use straight quotes; the typographic quotes in the original slide will not parse as XML): <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{2e59d843-22e4-4df1-869e-22adadb8005b}"/></Deny></AppPolicy>
• Highlight your recently created ‘Deny Windows Phone Apps’ and hit the ‘Select’ button
  - Rule Type: Value
  - Data Type: 0 (0 = application not allowed / 1 = application allowed)
  - Set ‘Remediate noncompliant rules when supported’
  - Set Noncompliance severity for reports to ‘Warning’
• Create the baseline
• Create the collection
• Deploy the baseline
• Wait 5 minutes
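An added PowerShell example (not from the blog post or the presentation) that builds the AppPolicy value for the ApplicationRestrictions OMA-URI from a list of Product IDs, validates and normalises each ID, parses a policy back, and checks a device's app inventory against the deny list. The Product ID is the one from the slide; the second inventory entry is a constructed sample value, and the function names are this example's own.

```powershell
# Added example, not from the presentation: build, validate and apply the WP8.1 AppPolicy
# deny list that goes into the ApplicationRestrictions OMA-URI setting.
$AppPolicyNamespace = 'http://schemas.microsoft.com/phone/2013/policy'

function New-WP81AppDenyPolicy {
    # Returns the single-line XML string for the configuration item's value. Every ID is
    # validated as a GUID and written in the braced form the slide uses, so a mistyped
    # ID fails here instead of silently producing a policy that blocks nothing.
    param([Parameter(Mandatory)][string[]]$ProductId)
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.OmitXmlDeclaration = $true
    $sb = New-Object System.Text.StringBuilder
    $writer = [System.Xml.XmlWriter]::Create($sb, $settings)
    $writer.WriteStartElement('AppPolicy', $AppPolicyNamespace)
    $writer.WriteAttributeString('Version', '1')
    $writer.WriteStartElement('Deny', $AppPolicyNamespace)
    foreach ($id in $ProductId) {
        $guid = [Guid]::Empty
        if (-not [Guid]::TryParse($id, [ref]$guid)) { throw "Not a valid ProductId: $id" }
        $writer.WriteStartElement('App', $AppPolicyNamespace)
        $writer.WriteAttributeString('ProductId', $guid.ToString('B'))
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement(); $writer.WriteEndElement(); $writer.Flush(); $writer.Close()
    $sb.ToString()
}

function Get-DeniedProductId {
    # Parses a policy (e.g. one exported from an existing configuration item) and returns
    # the denied IDs; rejects XML that is not in the phone policy namespace.
    param([Parameter(Mandatory)][string]$PolicyXml)
    $xml = [xml]$PolicyXml
    if ($xml.DocumentElement.NamespaceURI -ne $AppPolicyNamespace) { throw 'Unexpected AppPolicy namespace' }
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('p', $AppPolicyNamespace)
    $xml.SelectNodes('/p:AppPolicy/p:Deny/p:App/@ProductId', $ns) | ForEach-Object { $_.Value }
}

function Compare-DeviceAppInventory {
    # Corporate-owned devices report a full app inventory; returns the installed IDs that
    # the deny policy should have blocked, comparing in normalised braced form.
    param([string[]]$InstalledProductId, [Parameter(Mandatory)][string]$PolicyXml)
    $denied = Get-DeniedProductId -PolicyXml $PolicyXml | ForEach-Object { ([Guid]$_).ToString('B') }
    $InstalledProductId | ForEach-Object { ([Guid]$_).ToString('B') } | Where-Object { $denied -contains $_ }
}

$policy = New-WP81AppDenyPolicy -ProductId '{2e59d843-22e4-4df1-869e-22adadb8005b}'
$policy
# Constructed sample inventory: the denied app (unbraced form) plus one unrelated app
Compare-DeviceAppInventory -PolicyXml $policy -InstalledProductId '2e59d843-22e4-4df1-869e-22adadb8005b', '{00000000-0000-0000-0000-000000000001}'
```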
Work Folders
Simple access to corporate data
• Enable offline access to files and folders stored on a Windows Server 2012 R2 file server
• Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems as well
• Leverages web protocols (HTTP) for easy synchronization through firewalls
• A complement to OneDrive and OneDrive for Business
Make corporate data available to users with Work Folders
https://support.microsoft.com/kb/2891638
Windows 7 support
1. Must be joined to the domain
2. Install the Work Folders client
iPad support: https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
DEMO: Work Folders
Corporate Data Removal
Full Wipe vs. Selective Wipe
Options for corporate data removal
Selective wipe for business data
DEMO: Selective/Full Wipe
Questions