Running Windows Intune as a Hosted Service for Multi-Tenant Environments

Harris Schneiderman, Account Manager, Kloud Solutions

WCL 331B


Post on 18-May-2018



Overview of Windows Intune

Selecting the Management Platform

Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune

• Build on existing Configuration Manager deployment
• Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting)
• Deep policy control requirements
• Scale to 100,000 devices
• Extensible administration tools (RBA, PowerShell, SQL Reporting Services)

Cloud-based Management: Standalone Windows Intune

• No existing Configuration Manager deployment
• Simplified policy control
• Less than 7,000 devices and 4,000 users
• Simple web-based administration console

Windows Intune – Standalone service

IT

Windows PCs (x86/64, Intel SoC)

Windows RT, Windows Phone 8

iOS, Android

Web-based AdminConsole

Manage up to 4,000 users and 7,000 devices

Manage and Secure PCs and Devices Anywhere

• Help protect PCs from malware
• Manage updates
• Proactive monitoring and alerts
• Provide remote assistance
• Inventory hardware and software
• Monitor & track licenses
• Increase insight with reporting
• Set security policies
• Distribute software

Latest Release

Richer Mobile Device Management

Simple web-based Administration Console and a richer experience for Information Workers

Mobile Device Management with Windows Intune

EAS based management

• Integration with Exchange Server
• Either on-premises or Office365 hosted

Corporate data protection

Over-the-air enrollment of devices for management

Mobile application management

Settings Management

Mobile device inventory

Direct management (Windows RT, Windows Phone 8, iOS)

Information Worker Self-service Experience

Connect every user's device to the service
• Each platform is supported with an end user experience

Enable them to discover applications
• Access applications or web links recommended by the IT pro
• Install Line Of Business (LOB) applications supplied by the IT pro

Let users manage their own devices and data
• End users can enroll, rename and un-enroll devices
• End users can wipe data or email

Provide a premium end user experience
• Minimal interruptions from management tasks
• End user privacy is respected

End User Experience

Consistent Company Portal experiences across mobile platforms

Windows RT Company Portal
• Native Windows app package (.appx)
• Available in the Windows Store

Windows Phone 8 Company Portal
• Native Windows Phone 8 app (.xap)
• Needs to be sideloaded

iOS/Android Company Portal
• Web based portal
• Hosted in Windows Intune

Settings Management

Security policy on devices (iOS, Windows RT and WP8) Direct management and Exchange ActiveSync.

Recommendation: Manage policy through only one management authority

Reporting available on each setting whether it is applicable, conformant or has an error.

The same security policy template is used for both Direct Management and EAS to help Admins

Android and Windows Phone 7 devices can be managed through EAS

Application Management on Mobile Devices

Platforms: Windows 8/Windows RT, Windows Phone 8, iOS, Android

Sideload to install: *.appx (Windows 8/Windows RT), *.xap (Windows Phone 8), *.ipa (iOS), *.apk (Android)

Deep links to store apps – install from store

Recent Enhancements
• Office 365 exchange connector
• Windows Phone 8 trial support

Next Release – October 18th
• Windows 8.1 client management
• Alerts & monitoring for Windows 8
• Endpoint protection
• Agent upgrade control

Demo: Windows Intune

Running Windows Intune in Multi-Tenant Environments

Single vs. Multi-Tenant Environments

• Single Tenant
  • One customer hosted per tenant
  • The most common deployment method
  • Ideal for customers who manage their own tenants
  • Option to use the multi-account console to view multiple tenants from a single console
• Multi-Tenant
  • Multiple customers hosted in one tenant
  • Ideal for managed service providers looking to deliver a low cost, high scale service offering
  • Works well for smaller customers with similar requirements

When To Use One Tenant per Customer

• Granular delegated administration required
• Self-service admin of Windows Intune tenant
• Provide SSO with an existing Azure AD domain
• Customer runs other Microsoft cloud services (i.e. Office365 and Microsoft CRM)
• Extensive configuration needed to meet customer requirements
• Number of managed users exceeds 4,000 or the number of devices exceeds 7,000

When To Use One Tenant for Multiple Customers

• Customer wants a managed service offering
• No requirement to federate with on-prem infrastructure
• Minimal variation between customer requirements
• Similar software packages deployed for each client

Custom Domains

• Intune provides a default xxx.onmicrosoft.com domain
• Customers can use their existing domain in place of the default domain
• Custom domains provide a better end user experience
• Domain verification required to use a custom domain
• Domain verification process is identical to Office365
• Custom domains can be used in one tenant ONLY

Demo: Importing Multiple Domains into a Single Tenant

Group Structure

• Company Structure
• Policy
• Automatic Updates
• Software Deployment

Demo: Creating a Group Structure

Configuring Delegated Administration

• Windows Intune Tenant Administrator
  • Full admin rights to the Windows Intune admin console
  • Can perform all operations in the console, including adding or deleting Windows Intune service administrators. In addition, they can assign other tenant administrators
  • Note that Tenant Administrators must be assigned in the Windows Intune account portal
• Windows Intune Service Administrator
  • Full access: These Service Administrators have full administrative rights to the Windows Intune administrator console and can perform all operations in the console, including adding or deleting other Service Administrators.
  • Read-only access: These Service Administrators have read-only rights and cannot modify data in the console; they can only view data in the console and run reports.
  • Admin must be a member of the Windows Intune user group
• Note: There is no mechanism in the current version of Windows Intune to provide delegated admin to a group. This requires System Center Configuration Manager 2012 SP1 with UDM

Demo: Delegated Administration

Office365 Integration

• Intune and Office365 use the same identity store (Azure AD) which enables SSO
• Simple to configure a single tenant for Intune and Office365
• Limitations of multi-tenant Office365
  • No ability to segment the GAL by customer (potential privacy concern)
  • Only one public website per tenant
  • Custom domain can only be imported into one tenant
• Running Intune multi-tenant and Office365 single tenant breaks SSO

Case Study: H Tech Solutions

Who is H Tech Solutions?

• Provides low-cost PC management and security to consumers and SMBs
• Microsoft certified small business partner
• A global business with customers in the U.S., E.U., and Australia
• Standard offering utilizes Windows Intune as a multi-tenant service

Target Customers for a Managed Service?

• Consumers who have recently purchased a new PC
• Consumers who are heavily dependent on their computers, but are not very tech savvy
• Consumers who have multiple devices that need to be secured
• Seniors who are not as familiar with computers
• Small businesses with no dedicated IT staff

Case Study: Kloud

Kloud Services Portfolio

Social Enterprise/Communication
• Office 365
• SharePoint Online & Hybrid
• Lync with Enterprise Voice
• Information Management
• Yammer

Identity & Access Management
• Forefront Identity Manager
• Active Directory Federation Security

Development & Integration
• Cloud Applications
• Enterprise Search
• Application Integration
• Mobility

Cloud Infrastructure Services
• Hybrid Cloud
• Azure Infrastructure Services
• StorSimple
• BYOD Management
• Cloud Backup/DR

Managed Services
• Proactive Support
• Reactive Support
• Enhancements

Managed Services

Everything we do in Managed Services is focussed on providing real business benefit to our clients by proactively improving reliability, performance and recommending enhancements.

Why Intune in an Enterprise?

• Kloud philosophy is to use Cloud technologies to improve business outcomes, user experience and reliability
• Intune does this by…
  • Low overhead to implement
  • Rapid implementation
  • Evergreen service – immediately benefit from all technology upgrades
  • Can integrate with on-prem infrastructure
    • AD, ADFS, SCCM, etc

Intune as a tool to deliver Managed Services

• PC Management
• Mobile Device Management
  • Win8
  • iOS
  • RT
  • Android
• Keep mobile apps updated
• Device health & policy compliance monitoring

Onboarding process

• Current state assessment
• Customer management goals
• Develop implementation plan
• Phased implementation
• Operational Process Development
  • Patch approval process
  • Virus management
  • Policy enforcement
  • Software asset management
  • Software deployment
  • Remote support

Why Managed Service?

• Focus on core business
• Take advantage of collective learned experience
• Economies of scale
• Supplementary resources
• Additional skills
• Align to best practice

Project to Operations Lifecycle

(Diagram labels: Project, transition, stabilization, Support and On-going Operations)

Related content

• All You Ever Wanted to Know About Windows Modern Apps and Sideloading Options
• Deploying Windows 8.1: What's New
• The Future of Desktop App Packaging on Windows
• Implementing an Enterprise App Store for Windows 8 and Windows 8.1

Find Me Later At The Kloud Coffee Cart

Track resources

• Windows Intune Getting Started Guide: http://download.microsoft.com/download/1/1/C/11CE10B7-E155-49E8-8FCE-1F6203A534D2/Dec-2012_Windows_Intune_Getting_Started_Guide.pdf
• Windows Intune Administrators: http://technet.microsoft.com/en-us/library/hh441722.aspx
• Verify a Domain: http://technet.microsoft.com/en-us/library/jj151788.aspx
• Multi Account Console: http://blogs.technet.com/b/windowsintune/archive/2010/08/05/the-windows-intune-multi-account-console.aspx
• Multi Account Dashboard: http://blogs.technet.com/b/windowsintune/archive/2011/09/02/multi-account-dashboard-enhancements.aspx
• Windows Intune Technical FAQ: http://technet.microsoft.com/en-us/library/jj676583.aspx
• Release Notes for Windows Intune: http://technet.microsoft.com/en-us/library/jj662694.aspx
• Configuring the Windows Intune Exchange Connector: http://technet.microsoft.com/en-US/library/jj662678.aspx
• Windows Intune: http://blogs.technet.com/b/windowsintune/archive/2013/06/04/exciting-updates-to-people-centric-it.aspx
• Windows Intune Trial Management of Win Phone 8: http://www.microsoft.com/en-us/download/details.aspx?id=39079 and http://blogs.technet.com/b/windowsintune/archive/2013/07/03/support-tool-for-windows-intune-trial-management-of-windows-phone-8.aspx


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.