Enterprise Mobility (Admin)
Upload: microsoft
Category: Technology
Transcript of Enterprise Mobility (Admin)
System Center 2012 R2 Configuration Manager with Windows Intune
Who am I
• Microsoft TechNet Forums
• System Center Alliance Team
Devices Apps Users
Empowering People-centric IT
Enable users
Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Protect your data
Help protect corporate information and manage risk.
Management. Access. Protection.
Data
Unify your environment
Deliver a unified application and device management on-premises and in the cloud.
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
Cloud-based Management - Standalone Windows Intune
No existing Configuration Manager deployment
Simplified policy control
Fewer than 7,000 devices and 4,000 users
Simple web-based administration console
Helping IT to enable users
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
IT can provide seamless corporate access.
Users can work from anywhere on their devices with access to their corporate resources.
Users can register devices for single sign-on and access to corporate data with Workplace Join.
Users can enroll devices for access to the company portal for easy access to corporate applications.
IT can publish desktop virtualization resources for access to centralized resources.
Firewall
Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog; Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | Limited self service experience
Linux/Unix | ConfigMgr Agent | N/A
Unified Device Management Configuration
Device management integrated directly into console
Simple Windows Intune Subscription set-up
Centralized branding and customization of Company Portal experience
Windows Intune Connector deployed as a Site System Role
Registering and Enrolling Devices
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
How to get started
Mobile Device Inventory?
* Inventory capability varies by device platform
New global condition to differentiate app installs on corporate versus personal
App Management
Personal devices – Inventory only apps installed by ConfigMgr/Intune
Corporate devices – Complete inventory of all applications on the device*
App inventory
By default, user-enrolled devices are “Personal”
Admin can specify corporate-owned devices
“Compromised” device detection
Personal vs Corporate Owned Devices
Mobile Device Settings in ConfigMgr 2012 R2
Category | Windows 8.1 PC & RT | Windows Phone 8 | iOS | Android
VPN
Wi-Fi
Certificates
Password (*) (*) (*)
Device restrictions (*) (*)
Store access
Browsers (*) (*)
Content Rating
Cloud Sync (*)
Encryption (*) (*) (*)
Security (*) (*) (*)
Roaming (*) (*)
Windows Server Work Folders
* Subset of settings
Note: Table applicable to direct MDM and not EAS
Resource Access Configuration
Support platforms
Windows 8.1
Windows 8.1 RT
iOS
Android
Benefits
End users get access to company resources with no manual steps for them
New Features*
Configure networking profiles
VPN profiles
Support for Windows 8.1 Automatic VPN
Wi-Fi protocol and authentication settings
Management and distribution of certificates
Configure remote connection to work PCs
VPN Profile Management
Support for major SSL VPN vendors
DNS name-based initiation support for Windows 8.1 and iOS
Application ID based initiation support for Windows 8.1
Automatic VPN connection
Support for VPN standards like PPTP, L2TP, IKEv2
SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
Subset of vendors have Windows
Windows RT VPN plug-in
Wi-Fi and Certificate Profiles
Wi-Fi settings
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that device can auto connect
Specify certificate to be used for Wi-Fi connection
Manage and distribute certificates
Deploy trusted root certificates
Support for Simple Certificate Enrollment Protocol (SCEP)
Inventory & Settings
Target applications based on user role the best way for each device
• Windows/Windows RT
• Windows Phone
• iOS
• Android
• OS X
Evaluate device capabilities for optimal application delivery
• Local installation
• Microsoft Application Virtualization
• Desktop Virtualization (VDI)
• Web applications
People-centric Application Delivery
Accessing apps the right way, on the right device
MSI
App-V (MDOP)
RDS Remote App
Native App/App Store
User-centric Application Delivery
End User Self-Service
IT
Administrators publish software titles to catalog, complete with metadata to enable search
• Deliver best user experience on each device
Users can browse, select and install directly from Catalog
• Application model determines format and policies for delivery
User
Inventory & Settings
Work Folders
Sync files and data across devices
Configuration Manager and Windows Intune support
New settings to help provision the work folder discovery settings
Self-service portals have links to work folders
New feature in Windows 8.1 client and Windows Server 2012 R2
Protect your data
Help protect corporate information and manage risk
[Diagram labels: Enrollment, Lost or Stolen, Retired; Personal Apps and Data, Company Apps and Data, Remote App, Policies, Centralized Data]
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
• Selective wipe removes corporate applications, data, certificates/profiles, and policies, as supported by each platform
• Full wipe if supported by each platform
• Can be executed by IT or by user via Company Portal
• Sensitive data or applications can be kept off device and accessed via Remote Desktop Services
Full and Selective Wipe
Category | Windows 8.1 (x86/RT OMA-DM managed) | Windows 8 RT | Windows Phone | iOS | Android
Full Wipe Not applicable Not applicable
Selective Wipe
Email (Email through EAS) (Email through EAS)
Company apps and associated data installed by using Configuration Manager and Windows Intune | Uninstalled and sideloading keys are removed. In addition any apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible | Sideloading keys removed but remain installed | Uninstalled and data removed | Uninstalled and data removed | Apps and data remain installed
VPN and Wi-Fi profiles | Removed | Not applicable | Not applicable | Removed | VPN: Not applicable; Wi-Fi: Not removed
Certificates | Removed and revoked | Not applicable | Not applicable | Removed and revoked | Revoked
Settings | Requirements removed | Requirements removed | Requirements removed | Requirements removed | Requirements removed
Management Client | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Management profile is removed | Device Administrator privilege is revoked
Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish work folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | | Yes | Yes | Yes
Unified Device Management | | | Yes | Yes
Unified Application Management | | | Yes | Yes
Selective data wipe | | | Yes | Yes
Compliance reporting | | | Yes | Yes
Group Policy and login scripts | | | | Yes
OS deployment and imaging | | | | Yes
Configuration management | | | | Yes
Patch management | | | | Yes
Anti malware management | | | | Yes
Full application management | | | | Yes
BitLocker management | | | | Yes
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management
More Resources:
System Center 2012 Configuration Manager http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012 http://www.microsoft.com/en-us/server-cloud/windows-server
For More Information