sysctr track: managing your hybrid mobile cloud workforce demystified with system center...
DESCRIPTION
by Kenny Buntinx, Tim De Keukelaere
Do you need to manage Windows 8.1/RT as well as other non-Microsoft mobile devices with Microsoft's UDM solution (CM12 R2 + Intune)? Do you need to provide functionality for deploying the new Intune Extensions such as email profiles, managing your MDM settings, configuring VPN and wireless profiles, and deploying certificates? Compliance Settings, Company Resource Access and Intune Extensions delivered in Configuration Manager are mostly unexplored territory for the ConfigMgr admin. During this session we will demystify these features for you.
TRANSCRIPT
Managing your hybrid Mobile cloud Workforce Demystified with System Center Configuration Manager 2012 R2
Microsoft NDA Confidential
Your first host of today
@KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
Kenny Buntinx, Enterprise Client Management MVP since 2009, Principal Consultant, [email protected]
Your second host of today
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://scug.be/tim/
Tim De Keukelaere
Freelance Consultant
Before we begin …
Take home a signed copy!
Key Takeaways
Understanding
• These concepts:
  • UDM integration with CM12
  • ConfigMgr Extensions for Windows Intune
  • Settings Management (aka DCM)
  • Company Resource Access
Knowing
• How to implement them
Assumptions
About our audience
• Practical experience with System Center Configuration Manager 2012 SP1/R2
• Knowledge of Windows Intune and Device Enrollment
About us
• Not aiming to explain in detail
  • “How to enroll all possible devices”
  • “All possible UDM capabilities”
Introduction
Empowering people-centric IT
Mobile Device Management
Access and information protection
Desktop Virtualization
Hybrid Identity
Apps, Users
Data, Devices
What we want vs. Reality
Mobile Device Management Vision
Unify your environment
On-premises and cloud-based management of devices within a single console.
Simplified, user-centric application management across devices
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Enable users
Access to company resources consistently across devices
Simplified registration and enrollment of devices
Synchronized corporate data
Protect your data
Protect corporate information by selectively wiping apps and data from retired/lost devices
A common identity for accessing resources on-premises and in the cloud
Identify which mobile devices have been compromised
UDM Management Capabilities
• Over the air enrollment
• Retire and wipe devices
• Configure compliance settings on devices
  • Settings for passwords, security, roaming, encryption, and wireless communication
• Deploy certain resource profiles
  • VPN, Wi-Fi and email profiles
• Deploy line of business apps to device
• Deploy apps from the store that the device connects to
• Collect inventory
  • Hardware
  • Software
Device Enrollment
Enrolling Devices
Users can enroll devices that configure the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications
Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and in the cloud
[Diagram labels: Dirsync with password sync; Connector; Internal Connector]
Mobile Device – Personal vs Corporate
App Management
• By default, user-enrolled devices are “Personal”
• Admin can specify corporate-owned devices!
Personal vs. Corporate Owned Devices
Unenrolling devices
• Local (user) vs. remote (IT admin)
• Outcome:
  • Enterprise application and associated business apps are removed
  • Certificates configured by the MDM server are removed
  • Settings policies are no longer enforced
• Reporting
  • IT admin initiated: always
  • User initiated: best effort as of WP8.1
Demo - Enrollment
Kenny Buntinx
Settings Management
Configuration Manager Extensions for Windows Intune
• Rapid delivery of Configuration Manager features to support new Mobile Device Management features through Windows Intune
• Updates are automatically downloaded and optionally enabled through the admin console.
1. Admin is notified that an extension is available when the console is launched
2. Admin goes to Extensions for Intune in the console, and enables the extension
3. Extension is activated in ConfigMgr (extension enables on all site systems, then console updates are available)
4. Admin restarts the console, and the console is updated with the extension
5. Admin uses the feature delivered by the extension
6. Admin may wish to disable the extension
Baseline: group of CIs with presence rules.
Configuration Item: configuration model defined for OS, application (settings, rules, applicability)
Setting types:
• WMI
• XML
• Registry
• IIS
• MSI
• Script
• SQL
• Software Updates
• File
• Active Directory
ConfigMgr Agent: agent discovers CIs, validates data against rules, remediates and reports compliance
Deployment: monitor/remediate
Collection
Key Concepts
OMA-DM
• Specification designed for management of mobile devices
  • Mobile phones
  • PDAs
  • Tablets
• Supporting the following use case scenarios
  • Provisioning – configuration of the device (including first time use), enabling and disabling features
  • Device Configuration – allow changes to settings and parameters of the device
  • Software Upgrades – provide for new software and/or bug fixes to be loaded on the device, including applications and system software
  • Fault Management – report errors from the device, query about status of the device
• OMA-DM for WP8.1: http://technet.microsoft.com/en-us/library/dn499787.aspx
Mobile Device Settings in ConfigMgr 2012 R2
Settings categories, supported per platform (Win 8.1 PC & RT, WP8.1 (New!), iOS, Android):
• VPN
• Wi-Fi
• Certificates
• Password
• Device restrictions
• Store access
• Browsers
• Content rating
• Cloud sync
• Encryption
• Security
• Roaming
• Windows Server Work Folders
Demo – Extending Settings Management
Kenny Buntinx
Scenario
Last week at a customer during a Windows Intune UDM proof of concept:
• Customer was ordering 1000 corporate owned (COPE) Nokia Lumia 630 Windows Phones
• He wanted us to provide the option that, when a ‘device owner’ in CM12 R2 is set to “corporate”, a user can’t unenroll a “corporate” device.
• Unless you are the ConfigMgr 2012 MDM admin, you can’t.
Read the full story here:
http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/
Demo – Blacklist applications through Settings Management and Intune extensions
Kenny Buntinx
Scenario
http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/
Company Resource Access
Resource Access Configuration
Platforms
• Windows 8.1
• Windows 8.1 RT
• iOS
• Android
• Windows Phone 8.1 (New!)
Benefits
• End users get access to company resources with no manual steps for them
Features*
• Configure VPN profiles
• Support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates
* Varies based on device platform
VPN Profile Management
• Support for major SSL VPN vendors
  • SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
  • A subset of vendors have a Windows VPN plug-in
• Automatic VPN connection
  • DNS name-based initiation support for Windows 8.1 and iOS
  • Application ID based initiation support for Windows 8.1
• Support for VPN standards
  • PPTP, L2TP, IKEv2
Wi-Fi and Certificate Profiles
• Wi-Fi settings
  • Manage Wi-Fi protocol and authentication settings
  • Provision Wi-Fi networks that the device can auto-connect to
  • Specify the certificate to be used for the Wi-Fi connection
• Manage and distribute certificates
  • Deploy trusted root certificates
  • Support for Simple Certificate Enrollment Protocol (SCEP)
Certificate enrollment via NDES
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
[Diagram components: Network Device Enrollment Service (NDES), CA, SCCM, SCCM Connector, Desktop Admin, Device, IW, Intune, Certificate Registration Point, SCCM plug-in]
Email Profile Management
Overview
• Delivered as a Configuration Manager Extension for Windows Intune
• Configure account settings and security restrictions
• Enable certificate authentication
• Support for iOS and Windows Phone 8.1
Demo – Email Profiles Management
Kenny Buntinx
Notes from the field
• Email profile not provisioned?
  • Check the mail attribute in AD: it cannot be empty!
  • See: http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/
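As an added example (not part of the original deck), the following PowerShell audit lists the users in a target AD group whose mail attribute is empty, so the provisioning problem described above can be caught before the email profile is deployed. It assumes the ActiveDirectory RSAT module is installed and that the targeted users are members of one AD group; the group name is a placeholder.

```powershell
# Added example, not from the original deck: audit users targeted by an
# Intune email profile for an empty AD 'mail' attribute before deployment.
# Assumes the ActiveDirectory RSAT module; the group name is a placeholder.
Import-Module ActiveDirectory

function Get-UsersMissingMailAttribute {
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )
    # Recurse group membership so users in nested groups are covered too
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail, UserPrincipalName |
        # An empty or whitespace-only mail attribute blocks email profile provisioning
        Where-Object { [string]::IsNullOrWhiteSpace($_.mail) } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

# Report the users whose email profile will not turn up until 'mail' is populated
$missing = Get-UsersMissingMailAttribute -GroupName 'Intune-EmailProfile-Users'
if ($missing) {
    $missing | Format-Table -AutoSize
    Write-Warning ("{0} user(s) have an empty mail attribute." -f @($missing).Count)
} else {
    Write-Host 'All targeted users have a mail attribute populated.'
}
```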
Q & A
Book raffle finale!
And the winners are …