Wally Mead
Deploying a System Center 2012 R2 Configuration Manager Environment to Manage Mobile Devices
Agenda
• Discussion of how to enable, configure, and use Configuration Manager 2012 R2 to manage mobile devices with our integration with Windows Intune
• Demonstrations where appropriate
Today’s challenges
• Users: Users expect to be able to work in any location and have access to all their work resources.
• Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
• Apps: Deploying and managing applications across platforms is difficult.
• Data: Users need to be productive while maintaining compliance and reducing risk.
Empowering People-centric IT
Management. Access. Protection.
• Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
• Protect your data: Help protect corporate information and manage risk.
• Unify your environment: Deliver unified application and device management on-premises and in the cloud.
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting)
• Deep policy control requirements
• Scale to 200,000 mobile devices
• Extensible administration tools (RBA, Windows PowerShell, SQL Reporting Services)
Cloud-based Management – Standalone Windows Intune
• No existing Configuration Manager deployment
• Simplified policy control
• Fewer than 7,000 devices and 4,000 users
• Simple web-based administration console
System Center 2012 R2 Configuration Manager
Enable Users
Allow people to be more productive from almost anywhere on almost any device.
Simplify Administration
Improve IT effectiveness and efficiency.
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
Unified Device Management
Single Admin Console (IT)
• Windows PCs (x86/64, Intel SoC), Windows to Go
• Windows Embedded
• Mac OS X
• Windows RT, Windows Phone 8
• iOS, Android
Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog; Windows Company Portal app
Windows PC (Windows 8 down to Windows XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | N/A
Linux/Unix | ConfigMgr Agent | N/A
Registering and Enrolling Devices
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
• Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
• Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
Web Application Proxy
ADFS
Preparing the Infrastructure for Integration
• Requires a Windows Intune tenant account
  • Can get a 30-day trial account at http://windowsintune.com
• Need a public domain and record in DNS
  • Configure from the Windows Intune admin portal
• Verify users have UPN in Configuration Manager
  • Configure, then perform AD User Discovery
Preparing the Infrastructure for Integration (2)
• Recommended to have an Active Directory Federation Services implementation
  • If not, should use DirSync with password sync or you will need to maintain two separate passwords for users
  • Configure from the Windows Intune admin portal
• Implement Active Directory Synchronization
  • Syncs user accounts from on-premises AD into Windows Azure AD
  • Installed and configured from the Windows Intune admin portal
Preparing the Infrastructure for Integration (3)
• Create the Configuration Manager subscription for Windows Intune
  • Enable appropriate device platforms
• Enable the Windows Intune Connector site system role
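The "verify users have UPN" preparation step, as an added PowerShell example (not from the presentation): it flags accounts whose UPN is missing, malformed, or uses a suffix other than the public domain verified for the Intune tenant, on the assumption that synced users must sign in with that public suffix. The function name Test-UpnReadiness, the domain contoso.example and the sample accounts are constructed for illustration.

```powershell
# Added example: report accounts that are not ready for Windows Intune sync.
# -PublicSuffixes is the (assumed) list of domains verified in the Intune admin portal.
function Test-UpnReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [Parameter(Mandatory)]
        [string[]]$PublicSuffixes
    )
    process {
        $upn = [string]$User.UserPrincipalName
        $reason = $null
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $reason = 'UPN missing'
        }
        elseif ($upn -notmatch '^[^@\s]+@([^@\s]+)$') {
            $reason = 'UPN malformed'
        }
        elseif ($PublicSuffixes -notcontains $Matches[1]) {
            # e.g. an internal-only suffix such as corp.local
            $reason = "Suffix '$($Matches[1])' is not a verified public domain"
        }
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $upn
            Ready             = ($null -eq $reason)
            Reason            = $reason
        }
    }
}

# Constructed sample accounts (not real data). Against a live directory, pipe in
# Get-ADUser -Filter * -Properties UserPrincipalName (ActiveDirectory module) instead.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.example' }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@corp.local' }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = $null }
)

# Show only the accounts that need fixing before directory synchronization.
$sample | Test-UpnReadiness -PublicSuffixes 'contoso.example' |
    Where-Object { -not $_.Ready } |
    Format-Table SamAccountName, UserPrincipalName, Reason -AutoSize
```

With the sample data, bob (internal suffix) and carol (no UPN) are reported; alice passes.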
Unified Device Management Configuration
Device management integrated directly into console
Simple Windows Intune Subscription set-up
Centralized branding and customization of Company Portal experience
Windows Intune Connector deployed as a Site System Role
Configuration Manager 2012 SP1 MDM Features
• Over the air device enrollment
• Self service portal for end users
• User-targeted available application deployment
• User and device settings management
• Device inventory
• Remote device retirement
• Remote device wipe
Configuration Manager 2012 R2 UDM Updates
New Features
• Required application deployment
• Application uninstall
• Company versus Personal device designation
• New Company Apps portal
• VPN, Wifi, and Certificate Profiles
• Application triggered VPN
• Network traffic triggered VPN
Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish work folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | - | Yes | Yes | Yes
Unified Device Management | - | - | Yes | Yes
Unified Application Management | - | - | Yes | Yes
Selective data wipe | - | - | Yes | Yes
Compliance reporting | - | - | Yes | Yes
Group Policy and login scripts | - | - | - | Yes
OS deployment and imaging | - | - | - | Yes
Configuration management | - | - | - | Yes
Patch management | - | - | - | Yes
Anti malware management | - | - | - | Yes
Full application management | - | - | - | Yes
BitLocker management | - | - | - | Yes
Summary
[Summary table: Configuration Manager feature areas by release (2012, 2012 SP1, 2012 R2), grouped as Enabled / Unify / Simplify. Feature areas: Role-based Administration; Content Management; Software Update Management; Reduced Infrastructure Requirements; User-centric Application Delivery; Modern Device Management; Compliance and Settings Management; Endpoint Protection; Operating System Deployment; Asset Intelligence, Inventory and Software Metering; Modern Management Console; Windows PowerShell; Client Health; Distribution Point for Windows Azure. Cell entries mark each area per release as New, Improved, Unified or Integrated, or name a specific change: EAS, User-centric, Updated engine, RBA in Reporting, Windows 8.1 support, Web App deployment, Auto remediation, Win 8 Apps, Flexible hierarchies, Real-time actions, User profile and data, Additional cmdlets.]
For More Information
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management
More Resources:
• System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
• Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
• Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server