Managing your hybrid Mobile cloud Workforce Demystified with System Center Configuration Manager 2012 R2

Microsoft NDA Confidential

Your first host of today

@KennyBuntinx

http://be.linkedin.com/KennyBuntinx

http://scug.be/blogs/sccm

Kenny BuntinxEnterprise Client Management MVP from 2009 Principal Consultant Kenny.Buntinx@inovativ.be

Microsoft NDA Confidential

Your second host of today

@Tim_DK

http://be.linkedin.com/in/timdekeukelaere/

http://scug.be/tim/

Tim De Keukelaere

Freelance Consultant

Tim.De.Keukelaere@IT-Essence.be

Microsoft NDA Confidential

Before we begin …

Take home a signed copy !

Microsoft NDA Confidential

Key Takeaways

Understanding

• These concepts:• UDM Integration with CM12• ConfigMgr Extensions for Windows

Intune• Settings Management (aka DCM)• Company Resource Access

Knowing • How to implement them

Microsoft NDA Confidential

Assumptions

About our audience

• Practical experience with System Center Configuration Manager 2012 SP1/R2

• Knowledge of Windows Intune and Device Enrollment

About us

• Not aiming to explain in detail• “How to enroll all possible devices”• “All possible UDM capabilities”

Introduction

Empowering people-centric IT

Mobile Device Management

Access and information protection

Desktop Virtualization

Hybrid Identity

AppsUsers

DataDevices

What we wantReality

Mobile Device Management Vision

Unify your environmentOn-premises and cloud-based management of devices within a single console.

Simplified, user-centric application management across devices

Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles

Enable usersAccess to company resources consistently across devices

Simplified registration and enrollment of devices

Synchronized corporate data

Protect your dataProtect corporate information by selectively wiping apps and data from retired/lost devices

A common identity for accessing resources on-premises and in the cloud

Identify which mobile devices have been compromised

√

UDM Management Capabilities• Over the air enrollment• Retire and wipe devices• Configure compliance settings on devices

• Settings for passwords, security, roaming, encryption, and wireless communication.

• Deploy certain Resource Profiles• VPN Profiles, WIFI and Email Profiles.

• Deploy line of business apps to device• Deploy apps from the store that the device connects

to• Collect inventory

• Hardware• Software

Device Enrollment

Enrolling Devices

13

Users can enroll devices that configure the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications

Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and in the cloud

Dirsync

w Pwd Sync

Connector

Inte

rnal

Connect

or

Mobile Device – Personal vs Corporate

App Management

• By default, user-enrolled devices are “Personal”

• Admin can specify corporate-owned devices !

Personal vs. Corporate Owned Devices

Unenrolling devices• Local (user) vs Remote (IT Admin)

• Outcome:• Enterprise application and associated business apps are removed• Certificates configured by MDM server are removed• Setting policies no longer enforced

• Reporting• IT Admin initiated: always• User initiated: best effort as of WP8.1

Demo - Enrollment

Kenny Buntinx

Settings Management

Configuration Manager Extensions for Windows Intune• Rapid delivery of Configuration Manager features to support

new Mobile Device Management features through Windows Intune

• Updates are automatically downloaded and optionally enabled through admin console.

Admin is notified that

an extension is

available when

console is launched

Admin goes to

Extensions for Intune in console,

and enables the

extension

Extension is activated in ConfigMgr• (Extension

enables on all site system, then console updates are avail)

Admin restarts console,

and console is updated with the

extension

Admin uses feature

delivered by the

extension

Admin may wish to

disable the extension

Baselin

eGroup of CIs with

presence rules.

Configuration Item Configuration model defined

for OS , Application (settings,

rules, applicability )

WMI

XML

Registry

IIS

MSI

Script

SQL

SoftwareUpdates

File

ActiveDirectory

Agent discovers CIs,

validates data

against rules,

remediates and

reports compliance

ConfigMgr Agent

DeploymentMonitor/remediate

Collection

Key Concepts

OMA-DM• Specification designed for management of mobile

devices• Mobile Phones• PDA’s• Tablets

• Supporting following use case scenarios• Provisioning – Configuration of the device (including first time use), enabling and

disabling features• Device Configuration – Allow changes to settings and parameters of the device• Software Upgrades – Provide for new software and/or bug fixes to be loaded on the

device, including applications and system software• Fault Management – Report errors from the device, query about status of device

• OMA-DM for WP8.1:• http://technet.microsoft.com/en-us/library/dn499787.aspx

Mobile Device Settings in ConfigMgr 2012 R2Category Win 8.1 PC & RT WP8.1

(New!)iOS Android

VPN

Wi-Fi

Certificates

Email

Password

Device restrictions

Store access

Browsers

Content Rating

Cloud Synch

Encryption

Security

Roaming

Windows Server Work Folders

Demo – Extending Settings Management

Kenny Buntinx

ScenarioLast week at a customer during a Windows Intune UDM Proof of concept :

• Customer was ordering 1000 corporate owned (COPE) Nokia Lumia 630 Windows Phones

• He wanted us to provide the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t unenroll a “corporate” device.

• Unless you are the ConfigMgr 2012 MDM admin , you can’t.

Read the full story below :

http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

Demo – Black list applications through Settings Management and Intune extensionsKenny Buntinx

Scenario

http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/

Company Resource Access

Resource Access Configuration

29

* Varies based on device platform

Platforms

Windows 8.1Windows 8.1 RTiOSAndroidWindows Phone 8.1 (New!)

Benefits

End users get access to company resources with no manual steps for them

Features*Configure VPN profilesSupport for Windows 8.1 Automatic VPNWi-Fi protocol and authentication settingsEmail account profilesManagement and distribution of certificates

VPN Profile Management

Support for major

SSL VPN vendors DNS name-based initiation

support for Windows 8.1 and iOSApplication ID based initiation support for Windows 8.1

Automatic VPN connection

Support for VPN standards

SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 Subset of vendors have Windows VPN plug-in

PPTP ,L2TP, IKEv2

Wi-Fi and Certificate Profiles

Wi-Fi settings

Manage and distribute certificatesDeploy trusted root certificates

Support for Simple Certificate Enrollment Protocol (SCEP)

Manage Wi-Fi protocol and authentication settings Provision Wi-Fi networks that device can auto connectSpecify certificate to be used for Wi-Fi connection

Certificate enrollment via NDES

1. Certificate profile deployed to device

2. Device sends SCEP request

3. Challenge is validated

4. Certificate is issued

Network Device Enrollment Serv ice (NDES)

CA

SCCM

SCCM Connector

Desktop Admin

Device

IW

Intune

Certificate Registration

Point

SCCM plug-in

Email Profile Management

Overview• Delivered as Configuration

Manager Extension for Windows Intune

• Configure account settings and security restrictions

• Enable certificate authentication

• Support for iOS and Windows Phone 8.1

Demo – Email Profiles Management

Kenny Buntinx

Notes from the field

• Email profile not provisioned?• Check Mail Attribute in AD -> cannot be empty !• See:

http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

Q & A

Microsoft NDA Confidential

Book raffle finale!

Andthe winners are …