2011 11-28 sccm-2012_technical_overview

Configuration Manager 2012: Technical Overview

Martin WeberTechnology Solution Professional (TSP)Microsoft Switzerland

classic .msi

App-V Applications

IT AssetIntelligence Software Update

Management Software Metering

Support forthe Mobile Workforce

What is in SCCM 2012?

Settings Management(aka DCM)

Network Access Protection

Power Management

OS Deployment

Antivirus

Selfservice

Portal

Remote Control

Configuration Manager 2012

Unify InfrastructureEmpower Users Simplify Administration

Empower people to be productive from anywhere on whatever device they choose

Reduce costs by unifying IT management infrastructure

Improve IT effectiveness and efficiency

Device freedomOptimized, personalized application experienceApplication self-service

Mobile, physical, and virtual managementSecurity and complianceService management integration

Comprehensive client management capabilitiesImproved administrator effectivenessReduced infrastructure complexity

New Features for Software Distribution in Configuration Manger 2012

Application ModelIncorporates all supported software types (MSI, Script, App-V, Mobile CAB)Greatly improved dependency handlingInstallation requirement rules Installation detection methodsApplication supersedenceApplication uninstall

User Device Affinity

Unified monitoring experienceRich End user experience

Application CatalogSoftware Center

Content managementDistribution Point groupsContent libraryImproved content monitoring experienceContent validation

System and User-Centric Configuration Manager 2007 Configuration Manager 2012Optimized for Systems Management scenarios • Still committed and focused on System

Management scenarios

• Challenging to manage users• Forced to translate a user to a device• Explicit: run a specific program on a specific

device

• Embrace User Centric Scenarios• Moving to a state based design, for apps,

deployments, content on DPs.• Full application lifecycle model. Install,

Revision Mgt, Supersedence and Uninstall

• Software Distribution is a glorified script execution • Understand and intelligently target the relationships between user systems

• Management solution tailored for applications

Embracing User Centric: Administrator Promises

Let the administrator think user firstDeploy applications to usersManage users beyond the desktop

SCCM maintains relationships Between Users, Systems and Apps to solve core user targetingSet conditions to control installations Schedule ‘Pre-deploy’ to users’ primary devices for WoL, off-hrs, workgroup, etc.

Application model captures ‘administrative intent’

Application Model

Manage applications; not scriptsApplication Management:

Detection method – re-evaluated for presence:Required application – reinstall if missingProhibited application – uninstall if detected

Requirement rules – evaluated at install time to ensure the app only installs in places it can, and shouldDependencies – relationships with other apps that are all evaluated prior to installing anythingSupersedence – relationships with other apps that should be uninstalled prior to installing anythingUpdate an app – Automatic revision management

Requirement Rules in 2012State-based Application Management

Properties of users and/or devices that makes delivering software appropriateRules are per deployment typeEvaluated in real time on the clientEvaluated before content is downloaded to the client

Dependencies

Other deployment types that must be present in order for the current application deployment type to be installed1 to n DependenciesThis AND this AND this OR this

.NET Framework either 3.5 or 4.0 andBrowser either IE7 or IE8, install IE8 if none present

Dependencies are modeled as applications and can also be deployed independentlyTwo dependency uses:

Dependency not present, don’t install applicationsDependency not present, auto install dependent application

User Centric – Operating System Deployment

Support for new software distribution features during operating system deployment

Evaluate application requirement rules, dependencies and supersedenceUser Device Affinity support – install applications deployed to the primary user

What is User Device Affinity?

Is the key to helping our customers move to User Centric Software Distribution

Provides the ability to define a relationship between a user and a device Allows the admin to think “user first”, while also ensuring the application not installed everywhere the user logs on

Configuration Manager 2012 supports:Single primary user to primary deviceMultiple primary devices per userMultiple primary users per device

The system allows both the administrator and user to define this relationship

Benefits of User Device Affinity

Allows the deployment of software based on the nature of the relationship between the user and device

For example:Only install the MSI version of Microsoft Visio if the device is a primary device of the targeted user, otherwise don’t installInstall the MSI or App-V version of Microsoft Office when the device is a primary device of the user targeted; install the Citrix XenApp version if the device is not a primary device

Enables Pre-Deployment of Software: Allows software to be pre-deployed on a user’s primary devices whether or not the user is logged in

Application Model Diagram

Deployment Type

Requirement Rules

Dependencies

Detection Method

End User Metadata

Content

Install Command

The “friendly” information for your users

Keep your apps organized and managed

Workhorse for application

Can/cannot install app

Source files for the app

Is app installed?

Command line and options

Apps that must be present

App-V

Windows Script

Windows Installer (MSI)

Mobile (CAB)

Administrator Properties

General information about the software application

ConfigMgr 2007 to 2012 Comparison – App Model

Feature Configuration Manager 2007 Configuration Manager 2012

Create/Model Software PackageProgram

Application and Deployment Types

Deploy Software Advertisement (Install Status)

Deployment (state based) via detection method

Targeting Collection rules (Server) Requirement rules (Client)

User-targeting None or limited User Device Affinity

Client User Experience Run Advertised Programs Software Center

Software Install from Web site

None Software Catalog

Content Management None or limited Content library

Enhanced Detection Methods

Provides more granular control over detecting the presence of an applicationIncludes File, Windows Installer, and Registry providers

File – File and folder properties including exists, version, date/time, size and moreWindows Installer – Product code and versionRegistry – Key exists, value exists, comparisons of registry values

Complex expressions containing multiple rules can be built and grouping logic applied

Application Lifecycle

New Application

Update Application

Replace ApplicationRetire Application

Remove Application

Application Installation

Application Revision

Application Retirement Application Supersedence

Application Uninstall

What is Application Supersedence

Definition: The ability for the admin to create a relationship and declare one application newer than another previous application. Ultimately resulting in the newer application replacing the older application for a user on a deviceWhy is this feature important to our customers?

Provides the ability to ensure users have the latest version of softwareProvides the ability in one process to migrate users from one application version to another version/application

Overall goals Utilize supersedence conceptual models from Software Updates and WUAllow admins to test/pilot newer application, prior to production release. While permitting the older application to continue to exist for the majority of usersAllow the admin to eventually halt installations of the older application and move users to the newer applicationProvide the ability to uninstall OR upgrade previous versionAbility to offer users only the latest release of an app in the software catalog or software center. Ability to create new application or version and make sure we do not get in a “race condition” between conflicting detection methods

Supersedence and the End User Experience

User only sees latest application version in Software

Catalog (by default)Required applications are always the enterprise’s latest versionAvailable Applications installed by user can be automatically updated

Simple Example

Scenario and Assumptions2 applications:

Adobe Reader 9 supersedes Adobe Reader 8

Both applications deployed to same device

If client has Adobe Reader 8 already installedassuming requirements are met for Reader 9, Reader 8 will be replaced with Reader 9 (either uninstalled or updated)

If client has Adobe Reader 9 already installedevaluates both 8 and 9 detection methods, 9 is present, 8 is not – but since 9 supersedes, it doesn’t try to install 8

If neither are installed, only Adobe Reader 9 will be installed

Create an ApplicationApp-V Client or Adobe Flash Player ActiveX

Martin WeberTechnology Solution ProMicrosoft Switzerland

demo

Content Monitoring

Compliance of content distributed in multiple views

Application, package, etc. levelDistribution point group levelDistribution point level

Ability to validate content on a distribution point

Available as a set schedule or on demandUpdates package compliance in the monitoring node

Managing users means managing beyond desktops with “Single pane of glass” administration Reaching beyond Windows platforms

User Centric – Device Management

“Depth”

Broad feature setCommon administration model for mobile devices, desktops, and servers

“Light”

Provides basic management for all Exchange ActiveSync (EAS) connected devices

• Secure over-the-air enrollment

• Monitor and remediate out-of-compliance devices

• Deploy and remove applications

• Inventory

• Remote wipe

(WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x)

7NOKIA

• EAS-based policy delivery

• Discovery and inventory

• Settings policy

• Remote Wipe

Light Management

Depth Management

Mobile Device Management

“Depth” Mobile Device Management

Establishes mutual trust between the device and the management serverExtend and align mobile device management

Integration Mobile Device Manager and SCCM featuresEnable secure, compliant mobile devices

Secure over-the-air enrollmentMonitor and remediate out-of-compliance devicesDeploy and remove applications // Inventory

Devices enrolled and provisioned securely over-the-air

“Light” management via Exchange

Provide basic management for all Exchange ActiveSync (EAS) connected devicesFeatures Supported:

Discovery/InventorySettings policyRemote Wipe

Supports on-premise Exchange 2010 and hosted Exchange

http://www.google.com/imgres?imgurl=http://www.dirjournal.com/entertainment-journal/wp-content/uploads/2010/01/iphone-apps.jpg&imgrefurl=http://www.dirjournal.com/entertainment-journal/9-weirdest-iphone-apps/&usg=__Nn7Wk9EiWu9lTLLyUhaAeTpvEGc=&h=480&w=478&sz=43&hl=en&start=1&um=1&itbs=1&tbnid=yUi6_48MUNytZM:&tbnh=129&tbnw=128&prev=/images?q=iphone+apps&um=1&hl=en&sa=N&tbs=isch:1

Embracing User Centric: End-User Promises

“A Fitting End-User Experience”Web based ‘Software catalog’Easily search, install or request softwareChoose software intelligently:

Clear, consistent information about applications and their impact, supported by App model

User preferences to control ConfigMgr behaviors:

“My business hours” – used to control when to install softwarePresentation mode – don’t notify when presentingRemote control settings – when allowed, end user can control their experience

Software Catalog:User Targeted Available Software

Browse and search for softwareFully localized for site and applicationsSearch via category or name

Install SoftwareDirect self-installation from software catalogLeverages full infrastructure for content and statusAutomatic installation upon approval

Request ApplicationsRequest approval for softwareView request history

On Demand Installation

1• User clicks “install” on Catalog item

2• Web site checks user’s permissions to

install

3

• Web site requests Client ID from ConfigMgr client agent and passes it to Site server

4• Server creates policy for the specified

client and app and passes it to client

5• Client agent evaluates requirements

from the policy and initiates installation

6• Client agent completes installation

process and reports status Agent

Web Site

Melissa

Site ServerProcess Flow

SCCM 2012: Software Catalog in Kiosk (Client)

Administrator Experience

• Intuitive ribbon interface• Common look and feel

across System Center products

• Improved discoverability• Role-Based

Administration: Only show what is relevant to the administrative role

• Complete scenarios within the console

• Simplified navigation

Role-Based Administration

Central management for securityRole-Based Administration lets you map the organizational roles of your administrators to defined security roles:

Removes clutter from the consoleSupports “Show me what’s relevant to me” based on my Security Role and Scope

Functionality ConfigMgr 2007 ConfigMgr 2012

What types of objects can I see and what can I do to them?

Class rights Security roles

Which instances can I see and interact with?

Object instance permissions Security scopes

Which resources can I interact with? Site specific resource permissions

Collection limiting

Simplified Hierarchical Infrastructure

Central Administration Site

Primary Sites Secondary Sites

Central primary site administration

Client management & settings

Content routing

Reporting 100K clients per site

Distributions points

Delegated Administration

Requires SQL server

Language Packs Lack of local administrator

Support distributed organizational boundaries

Collection Enhancements

Resources security based on collection, not site• Collection

scopes

Reduce complex query logic• New

membership rules: Exclude and include other collections

Easier to organize collections• Organizationa

l folders for collectionsImproved

UI validation for user centric scenarios• Device and

User Collections

SCCM 2012 Collections

Collections

demo

Application Evaluation Flow

Requirements met?

New Policy App Install Schedule

Dependencies installed?

Yes

Install dependenciesNo

No

Yes

Install Application

Is installed?

No

Yes

Dependencies installed

Benefits of Multiple Deployment Types

Flexible way to deliver different installation formats based on conditionsNo restrictions on the number and types of deployment types

Many of the same type of deployment types could be added to an application each representing a different flavor or transformApp-V or Remote Desktop Services app might go to a guest logged into a kiosk, full MSI to a users primary desktop machine

Built-in deployment typesMSI ScriptApp-VWindows Mobile 6.x

Infrastructure Promises

Modernizing ArchitectureMinimizing infrastructure for remote officesConsolidating infrastructure for primary sitesScalability and Data Latency Improvements

Central Administration Site is just for administration and reporting – Other work distributed to the primaries as much as possibleFile processing occurs once at the Primary Site and uses replication to reach other sites (no more reprocessing at each site in the hierarchy)System-generated data (HW Inventory and Status) can be configured to flow to CAS directly

Be TrustworthyInteractions with SQL DBA are consistent with ConfigMgr 2007ConfigMgr admin can monitoring and troubleshoot new replication approach independently

When Do I Need a Primary Site?

To manage any clients

Add more primary sites for: Scale (more than 100,000

clients)

Reduce impact of primary site failure

Local point of connectivity for administration

Political reasons

Content regulation

Decentralized administration

Logical data segmentation

Client settings

Language

Content routing for deep hierarchies

Reducing Primary Sites

Unique ConfigMgr 2007 Primary Site for:

ConfigMgr 2012 solutions (no unique primary sites):

Decentralized administration Role Based Administration

Logical data segmentation Role Based Administration

Client settings Client settings for the hierarchy and unique collections

Language Language packs

Content routing for deep hierarchies Secondary Sites or Distribution Points

Infrastructure Changes: Content

ONE Distribution PointPXE Service Point – Increased scalability beyond the ConfigMgr 2007 limit of 75 PXE service points per siteMulticast optionThrottling and scheduling of content to that locationPre-stage of content and specify specific drives for storage

Improved Distribution Point GroupsManage content distribution to individual Distribution Points or GroupsContent automatically added or removed from Distribution Points based on Group membershipAssociate Distribution Point Groups with a collections to automate content staging for software targeted to the collection

No Branch DPs - DPs can be installed on clients and servers now

Boundaries

Boundaries represent network topology –used to optimized network utilization Clients use boundaries to:

Automatically determine site assignmentLocate the best management point (MP)Locate the best distribution point (DP) or state migration point (SMP)

Define separate boundaries for client activities versus content

Boundary Management

Automatically created with the Forest Discovery method

Discovers AD Sites, IP Subnets, IPv6 Prefix type boundariesCan automatically add as boundaries immediately or add later

Boundaries are members of one or more groups:Groups support: site assignment, site system look-ups or bothCreate group with boundaries in one stepAdd boundaries to an existing groupMulti-select and reflective views supported

Hierarchy View and Site Status

Hierarchy View and Site Status

demo

Forefront Endpoint Protection 2010One infrastructure for desktop management and protection

• Built on top of Microsoft® System Center Configuration Manager

• Supports all System Center Configuration Manager topologies and scale

• Facilitates easy migration

• Deploy across various operating systems Windows® client and Server

• Protection against all type of malware

• Proactive security against zero day threats

• Productivity-oriented default configuration

• Integrated management of host firewall

• Backed by Microsoft Malware Protection Center

• Unified management interface for desktop administrators

• Effective alerts

• Simple, operation-oriented policy administration

• Historical reporting for security administrators

Ease of Deployment Enhanced Protection Simplified Desktop Management

FEP Architecture

SQLReportingServices

(or File Share)

ConfigMgrSoftwareDistribution

ConfigMgrDesiredConfigurationManagement

ConfigMgr SiteServer & DB

DATA

Config. /Dashboard

Reports

EVENTS

Desktops, Laptops, and Servers running ConfigMgr Client & FEP 2010

TELEMETRY

SpyNet

Forefront Endpoint Protection 2010

Client Activity and Health

Product integrated health and remediation solutionServer side metrics for evaluating client activity:

Policy RequestsHardwate and software InventoryHeartbeat DDRsStatus Messages

Client side monitoring/remediation for: Dependent Windows components and servicesConfigMgr client prerequisitesWMI Repository and namespace evaluationIn console and Web reporting

‘In-console’ alerts when healthy/unhealthy ratio drops below configurable threshold


demo

Content MonitoringCompliance of content distributed in multiple views

Application, package, etc.. levelDistribution point group levelDistribution point level

Ability to validate content on a distribution point Available as a set schedule or on demand Updates package compliance in the

monitoring node

Software Updates

Auto Deployment RulesUse search criteria to identify class of updates to automatically deploy: category, products, language, date revised, article id, bulletin id, etc.Schedule content download and deployment based on sync schedule or define a separate schedule per rule

State-based Update GroupsDeploy updates individually or in groupsUpdates added to an update group automatically deploy to collections targeted with the group

Operating System Deployment (OSD)

Offline Servicing of ImagesSupport for Component Based Servicing compatible updatesUses updates already approved

Boot Media UpdatesHierarchy wide boot media – no longer need one per siteUnattended boot media mode – no longer need to press “next”Use pre-execution hooks to automatically select a task sequence – no longer see many optional task sequences

USMT 4.0 - UI integration and support for hard-link, offline and shadow copy features

SCCM Task Sequences «The Cook Book»

Phase 1: Monitor•Enable client management agent•Begin monitoring usage and activity

Phase 2: Plan•Continue monitoring on usage and activity•Begin to develop Power Plan

Mid-Month:•Power Plan has been confirmed

Phase 3: Apply Power policy•Begin applying Power Plan

Phase 4: Compliance & Analyze•Review before and after usage and activity•Determine savings in Kwh and Co2 saved

Non-Peak & Peak

Power Management

Settings Management

Unified settings management across servers, desktops and mobile devicesConfigMgr 2007 reports configuration drift – ConfigMgr 2012 can “set” for Registry, WMI and Script-Based Improved functionality:

Copy settingsDefine compliance SLAs for Baselines to trigger console alertsRicher reporting to include troubleshooting, conflict, remediation information

Enhanced versioning and audit trackingAbility to specify specific versions to be used in baselinesAudit tracking includes who changed what

Settings Management

Settings Management

demo

Remote Control

Send Ctrl-Alt-Del to host device to regain previous feature parity

IS BACK!

Migration from ConfigMgr 2007 to 2012

Assist with Migration of Objects

Assist with Migration of Clients

Minimize WAN impact

Maximize Re-usability of x64 Server Hardware

Assist with Flattening of Hierarchy

Built-in Migration Features

Migration Job Types:Object Migration (Collections, software distribution packages, boundaries, metering rules etc.)Collection based Migration (Select a collection and migrate associated objects)

Content functionality:Re-use of existing ConfigMgr 2007 content (Distribution Point sharing)Distribution Point upgrade

Import of ConfigMgr 2007 inventory MOF files

Prepare for Configuration Manager 2012

Flatten hierarchy where possiblePlan for Windows Server 2008, SQL 2008, and 64-bitStart implementing BranchCache with SCCM 2007 SP2Move from web reporting to SQL Reporting ServicesAvoid mixing user and devices in collection definitionsUse UNC (\\server\myapp\myapp.msi) in package source path instead of local path (d:\myapp)

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Related Sessions – Breakout

BA01 Configuration Manager: State of the UnionBA02 Configuration Manager 2007 R3: Technical UpdateBA03 Configuration Manager 2012: Technical OverviewBA04 Configuration Manager 2012: Application Management (Part 1 of 2)BA05 Configuration Manager 2012: Application Management (Part 2 of 2)BA06 Configuration Manager 2012: Migrating from 2007 to 2012BA07 Configuration Manager 2012: Deployment and Infrastructure Technical Overview (Part 1 of 2)BA08 Configuration Manager 2012: Deployment and Infrastructure Technical Overview (Part 2 of 2)BA09 Configuration Manager 2012: Software Update ManagementBA11 Configuration Manager 2012: Settings management (aka DCM)BA17 Virtualizing Configuration Manager – What you need to know and how to get thereBA18 Introduction to System Center Updates Publisher 2011BA19 Configuration Manager 2012: Software Delivery Advanced Topics and TroubleshootingBA24 Configuration Manager 2012: How to Get There and How Your Day Will ChangeBA38 Deploying Configuration Manager 2012 in the Enterprise – Real WorldBG02 Client Health in Configuration Manager 2012 – How Microsoft IT is Using ItBG03 Converting Your Existing Software Packages into the Configuration Manager 2012 Application ModelEA01 Configuration Manager 2012 – Ask the Panel of ExpertsBI02 - Forefront Endpoint Protection Overview: Managing desktop security and antimalware solution with System Center Configuration Manager

2011 11-28 sccm-2012_technical_overview

Documents

Transcript of 2011 11-28 sccm-2012_technical_overview