Mastering the Move to Modern Management using...
Transcript of Mastering the Move to Modern Management using...
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Josué Negrón, Sr. Solutions Architect, VMware
Brooks Peppin, EUS Systems Engineer, VMware
Mastering the Move to Modern Management using ConfigMgr
Agenda
• Challenges with PCLM Solutions
• What are your Options?
• Co-Management with ConfigMgr using Intune
• Scripting Options to Move Workloads
• Co-Management with Workspace ONE
• On-boarding
• Collection Mapping
• App Migration
• Tracking and Dashboard
[Timeline figure: Evolution of Microsoft Client Management. Management milestones: SMS 1.0 (1994), SMS 2.0 (1999), further releases in 2003, 2007, 2011 and 2012, Enterprise Mobility Suite (2014), and 2016 and 2017 milestones labelled SCCM as a Service and Co-Management. Eras shown: Client Management Infancy (NT Domain); Groups Model, Comprehensive Management; Laptops, Servers, Enterprise Scale; Management from the Cloud; Consumerization of IT. Windows releases on the same axis: Windows 3 (1992), Windows 95 (1995), Windows XP (2001), Windows Vista (2006), Windows 7 (2009), Windows 8 (2012), Windows 10 (2015).]
Transitioning to Modern Management
With Windows 10, Microsoft Enables “Modern Management” of PCs
Integrated MDM Framework
Simplified Device Onboarding
Cloud-based Management
Microsoft’s own IT is moving away from traditional PC management to modern management for Windows 10.*
* Source: Microsoft IT Showcase; Aug 21, 2017; https://www.microsoft.com/itshowcase/Article/Video/708/Windows-10-deployment-tips-and-tricks-from-Microsoft-IT
Journey to Modern Management
• Not a flip of a switch to get to Windows 10 / Modern Management
  • Will take time, potentially years
• May have servers and legacy Windows OS under SCCM management
• Need to change 25 years of management practices
  • Domain Centric to Device/User Centric
• Many plug-ins for SCCM
  • Asset management, Auditing
• Similar to move from Exchange, Active Directory
  • Hybrid Mode Exchange with O365 / AD Federation with Azure
• Customers may not be able to move all devices to modern management
  • Will happen with device replacement (3-5 years)
Legacy PC Management vs. Unified Endpoint Management

Deploy
  Legacy: High IT touch – build and constantly maintain images specific to OEMs, OS version, use cases, roles
  UEM: Simpler out-of-the-box and IT runtime provisioning without the need for imaging; upgrade to new version from cloud
Patch
  Legacy: Poor patch compliance – patch management of domain joined PCs on company network
  UEM: Updates PCs on or off the domain from the cloud in minutes; not months
Configure
  Legacy: On-network and domain joined PCs only, leveraging group policy objects (GPOs)
  UEM: Configures PCs over-the-air and across any network; supports modern MDM + GPOs
Apps
  Legacy: Resource intensive packaging and deployment (heavy distribution infrastructure); supports Win32 apps only
  UEM: Scalable and reliable app distribution with cloud CDN + P2P; supports any app - Win32, store/UWP, SaaS
Secure
  Legacy: Perimeter defense and no visibility across off-network endpoints; manual remediation for compromised PCs
  UEM: Smarter conditional access policies and real-time visibility, compliance, and auto remediation across all endpoints
Self-service
  Legacy: Lacks self-service capabilities or requires third party add-ons (e.g. store front, recovery keys, etc.)
  UEM: Self-service features for app access, domain password reset, BitLocker recovery, remote wipe and lock and others
Use Cases
  Legacy: Limited to corporate owned desktop management use cases with locked down machines
  UEM: Easily scales to modern use cases (e.g. BYOD) and other Windows, mobile, rugged and IoT endpoints (UEM)
Retire
  Legacy: Manual process: wipe and replace image for new user
  UEM: Wipe and reset remotely; ready for the new user
Bridging to Modern Management
Modernizing with a co-management bridge
[Roadmap figure, starting from Today. Adopt & Connect: AD/AAD Connect, Adopt Windows 10, Adopt Office 365/ProPlus. Transition to Modern: Imaging to Signature Image, End of Support for Windows 7, GPO to MDM Policy, Kerberos to Modern Auth, Win32 to Modern Apps, ConfigMgr Content Delivery to Cloud Content Delivery, WSUS to WUfB.]
Why Co-Manage with SCCM
• SCCM is a religion
  • People have built their careers on SCCM
• As they move to Modern Management, SCCM becomes irrelevant
• Unless a customer is already 100% at Windows 10
  • WinXP, Win7, Win8 and Server OS’s
• Most companies have had SCCM in place for over 20 years
  • Not easy to just “rip off the Band-Aid”
• We may need SCCM to get to Windows 10
  • Upgrade Win7 to Win 10
• Typical hardware refresh cycle is 3-5 years
Co-Management with Intune
You must have the following prerequisites in place before you can enable co-management with Intune or EMS:
• Requires Windows 10 version 1709 or later
• Requires Configuration Manager version 1710 or later
• Must be Intune Standalone
• Cannot be Hybrid MDM (Intune joined to SCCM)
• EMS or Intune license for all users
• Devices must be Hybrid Azure AD-joined (SCCM Managed)
• Azure AD Joined (Intune Managed)
• Azure AD automatic enrollment enabled
Supported Workloads
• Device Compliance Policies
• Resource Access Policies
  • Configure VPN, Wi-Fi, email, and certificate settings on devices.
• Windows Update Policies
• Endpoint Protection (starting in Configuration Manager version 1802)
• Device Configuration (starting in Configuration Manager version 1806)
• Office 365 Click-to-Run apps (starting in Configuration Manager version 1806)
• Mobile apps (starting in Configuration Manager version 1806 as a pre-release feature)
• Ability to Execute Remote Commands
Co-Management Dashboard
Major Limitations Today
• Many Prerequisites: SCCM 1710+, Windows 10 1709+, AD+AAD Joined, CMG for Intune-Only Managed Devices, etc.
• No clear path to fully migrate apps to a modern approach
• Does not migrate workloads from SCCM to Intune; co-management only chooses which of the two should be the primary source of management
• Only supports some use-cases, thus might not work for all of your devices in your organization
• No clear path for customers who want to rip-and-replace quickly; but great for a longer term migration plan
Open-Source SCCM Migration Tools
• Available on GitHub & VMware {code}:
  • SCCM to AirWatch App Migration: Migrate existing Win32 applications from SCCM to AirWatch
  • SCCM to AirWatch Tag Creation: Automatically create tags in AirWatch for SCCM collections and tag devices to maintain a link between SCCM and AirWatch
  • SCCM to AirWatch Auto Registration: Automatically pre-register SCCM devices into AirWatch using serial number and primary user. Allows silent AirWatch enrollment via staging account.
AirLift to get to Modern Management
• SCCM App Migration
• Device Collection Migration
• Auto Onboarding
SCCM Terms | Workspace ONE Translations | Intune Translations
WMI/MOF | Closest would be CSPs/APIs | CSPs/APIs
Apps & Packages | Software Distribution (Win32 Apps) | Client Apps (Windows MSI Line-of-Business)
Distribution Points (DPs) + BranchCache | CDN + P2P | Cloud DPs
MDT/OSD | Next Evolution is OOBE/AutoPilot/Dell Factory Provisioning | OOBE + AutoPilot
Software Center/App Catalog | Workspace ONE Catalog | Company Portal
MBAM for Encryption | BitLocker Lifecycle Management | BitLocker Configuration via CSP
Collections | Smart Groups / Tags | Assignments/Groups
Software Updates/ADRs/WSUS | Windows Update Profile (WUfB or WSUS) | Software Updates (WUfB)
Task Sequences | No Mapping – similar to Product Provisioning | No Mapping – PowerShell Scripts
Site Code (3 Characters) & Assigned Site | Group ID & Enrollment Group | Tenant
Enrollment Point | Device Services (Mobile and Mac Devices Only) | --
Management Point | Device Services (Windows Devices) | Cloud Management Gateway
Primary Site/Secondary Site | Parent/Child Organization Group | --
Did you know…
VMware has supported co-existence (“co-management”) with SCCM since late 2015! So where are we today with speeding your transition to Windows 10 modern management? Let’s take a look!
Workspace ONE AirLift
• Server-side Connector
• Web-based Admin Experience
• Passive Orientation to Simplify Co-Management
• Fully Productized and Supported
• Available with ALL Workspace ONE Editions
[Diagram: AirLift sits between ConfigMgr and Workspace ONE UEM, with Windows 10 clients managed by both.]
Communication Protocols
[Diagram: Configuration Manager (traditional) and Workspace ONE (modern) are bridged by AirLift. The AirLift Service talks to Configuration Manager over Windows Remote Management (WinRM) and the Configuration Manager cmdlets, and to Workspace ONE UEM over its RESTful APIs; administrators drive the service through the AirLift Web UI.]
AirLift Prerequisites
✓ Workspace ONE UEM 9.5+
✓ Admin with API Access & REST API Key
✓ Device Services, Console, API URLs
✓ SCCM 2012 R2+
✓ SCCM Account with at Least Read-Only Permissions
  ✓ Additional access needed to create Enrollment App from AirLift (Optional)
✓ SCCM Account must be a member of the Remote Management group (WinRM)
✓ SCCM Site Code
✓ SCCM Device Collections with Active Windows 10 Devices
✓ AirLift VM (Recommend Small Dedicated VM with Good SCCM Connectivity)
✓ AirLift Installer will Download & Install SQL Express and MongoDB
  ✓ Installer will Securely Configure for Use Only by AirLift
✓ AirLift will Create Two Services that Run under ‘Network Service’
Live Demo: Getting Started with AirLift
Mapping Device Collections
SCCM Device Collection Mapping
Empower the admin to accelerate their adoption and visibility of our Co-Management capabilities
• Leverage existing ConfigMgr Device Collections
  • Complex Query Based Rules
  • Based on Device Type (e.g. Dell XPS)
  • One to Many Mapping between Collections and Workspace ONE
• Map ConfigMgr Collections to Workspace ONE Smart Groups
  • Backend Task keeps Workspace ONE Synced with ConfigMgr
• Multiple Purposes for Collection Mapping
  • Windows 10 Devices
  • Systems that can be Upgraded to Windows 10
  • Dell Laptops, etc.
• One to One, Many to One or Specific Mapping
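As an added illustration of the mapping and sync behaviour described above (not AirLift's own code), the Python below models a mapping table between ConfigMgr collections and Workspace ONE smart groups and the incremental delta a backend sync task would compute; every collection, group and device name is constructed.

```python
"""Model of collection-to-smart-group mapping with incremental sync.
Added illustration, not AirLift code; all names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    """Delta to push to Workspace ONE: devices to tag / untag per smart group."""
    add: dict = field(default_factory=dict)
    remove: dict = field(default_factory=dict)


def desired_membership(collections, mapping):
    """Expand the mapping table into the device set each smart group should hold.
    mapping is a list of (collection, smart_group) pairs: repeating a collection
    gives one-to-many, repeating a smart group gives many-to-one (a union)."""
    desired = {}
    for collection, group in mapping:
        desired.setdefault(group, set()).update(collections.get(collection, set()))
    return desired


def plan_sync(collections, mapping, current):
    """Diff desired membership against what is already tagged in Workspace ONE
    (current) so that only the delta is sent, i.e. an incremental sync."""
    desired = desired_membership(collections, mapping)
    plan = SyncPlan()
    for group in set(desired) | set(current):
        want, have = desired.get(group, set()), current.get(group, set())
        if want - have:
            plan.add[group] = want - have
        if have - want:
            plan.remove[group] = have - want
    return plan


# Constructed sample state: two SCCM collections, a many-to-one plus a
# one-to-many mapping, and the membership currently tagged in Workspace ONE.
SAMPLE_COLLECTIONS = {
    "All Windows 10 Workstations": {"PC01", "PC02", "PC03"},
    "Dell XPS Laptops": {"PC02", "PC04"},
}
SAMPLE_MAPPING = [
    ("All Windows 10 Workstations", "Win10 Co-Managed"),
    ("Dell XPS Laptops", "Win10 Co-Managed"),  # many-to-one
    ("Dell XPS Laptops", "Dell XPS"),          # one-to-many
]
SAMPLE_CURRENT = {"Win10 Co-Managed": {"PC01", "PC05"}}  # PC05 has since left SCCM


def example_plan():
    return plan_sync(SAMPLE_COLLECTIONS, SAMPLE_MAPPING, SAMPLE_CURRENT)
```

`example_plan()` returns the tag/untag delta only; devices already in the right smart group (PC01 here) generate no traffic.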
Live Demo: Taking Flight with AirLift; Onboarding Devices
Enrollment
Live Demo: Migrating Apps
Application Migration
Transition SCCM Applications to Workspace ONE UEM
• Enumerate SCCM Applications
  • Supports MSI’s
  • Supports Scripted Installs (MSI, EXE, ZIP)
  • Supports Multiple Deployment Types
• Validations to Increase Predictability
  • Rules Introspect SCCM App Metadata BEFORE Export
  • Validate Info (e.g. Install Translated from ‘System’ to ‘Device’)
  • Validation Error (e.g. Uninstall Command Line Missing)
• Application Export is NOT
  • App Rationalization Offering
  • Automated Packaging
  • Does Not Work Against SCCM Packages
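The validation rules listed above (installer types, translated install context, missing uninstall line, no support for SCCM Packages) as an added Python model; this is not AirLift's code, and the metadata field names are assumptions rather than SCCM's real application schema.

```python
"""Model of the pre-export validation rules described on the slide.
Added illustration, not AirLift code; the metadata field names are assumptions
rather than SCCM's real schema (SCCM keeps this data in SDMPackageXML)."""
SUPPORTED_INSTALLERS = {"MSI", "EXE", "ZIP"}        # MSI plus scripted installs
CONTEXT_MAP = {"System": "Device", "User": "User"}  # SCCM install context -> UEM term


def validate_app(app):
    """Return (export_record, messages). messages is a list of (level, text) with
    level 'info' or 'error'; any error blocks the export, so export_record is None."""
    messages = []
    if app.get("object_type") != "Application":     # SCCM Packages are out of scope
        messages.append(("error", f"{app['name']}: SCCM Packages are not supported"))
        return None, messages
    exported = []
    for dt in app.get("deployment_types", []):
        installer = str(dt.get("installer_type", "")).upper()
        if installer not in SUPPORTED_INSTALLERS:
            messages.append(("error", f"{dt['name']}: unsupported installer type '{installer}'"))
            continue
        if not dt.get("install_cmd"):
            messages.append(("error", f"{dt['name']}: install command line missing"))
        if not dt.get("uninstall_cmd"):
            messages.append(("error", f"{dt['name']}: uninstall command line missing"))
        context = dt.get("context", "System")
        if context not in CONTEXT_MAP:
            messages.append(("error", f"{dt['name']}: unknown install context '{context}'"))
            continue
        if CONTEXT_MAP[context] != context:             # informational translation
            messages.append(("info", f"{dt['name']}: install context translated from "
                                     f"'{context}' to '{CONTEXT_MAP[context]}'"))
        exported.append({"name": dt["name"], "installer_type": installer,
                         "install_cmd": dt.get("install_cmd"),
                         "uninstall_cmd": dt.get("uninstall_cmd"),
                         "context": CONTEXT_MAP[context]})
    if not exported:
        messages.append(("error", f"{app['name']}: no exportable deployment types"))
    if any(level == "error" for level, _ in messages):
        return None, messages
    return {"name": app["name"], "deployment_types": exported}, messages


# Constructed sample: a clean MSI deployment type plus an EXE missing its uninstall line.
SAMPLE_APP = {"name": "ExampleApp", "object_type": "Application", "deployment_types": [
    {"name": "ExampleApp MSI", "installer_type": "MSI", "context": "System",
     "install_cmd": 'msiexec /i "setup.msi" /qn', "uninstall_cmd": "msiexec /x {PLACEHOLDER-PRODUCT-CODE} /qn"},
    {"name": "ExampleApp EXE", "installer_type": "EXE", "context": "User",
     "install_cmd": "setup.exe /S", "uninstall_cmd": ""},
]}
```

Running `validate_app(SAMPLE_APP)` yields the 'System' to 'Device' info message for the MSI type and a blocking error for the EXE type, so nothing is exported until the uninstall command line is filled in.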
Troubleshooting
• AirLift Install Directory: %ProgramFiles%\VMware\VMware AirLift
  • Workspace ONE Enrollment Application – Contains the AirWatch Agent, SCCM Integration Client, and icons.
  • AppSettings.JSON – Change logging level and contains the connection strings to SQL Express and MongoDB
• %ProgramData%\VMware\VMware AirLift
  • MongoData
    • Log – Contains logs for Mongo DB
  • Logs – Contains AirLift logs, more detailed than the Activity Log
• Note: before installing AirLift, ensure your user account has the minimum required access to SCCM. You also need admin rights to install all of the dependencies.
Dashboard
FAQs
1. Does this install require access to the SCCM DB? No
2. How does this communicate with SCCM? WinRM and SCCM Cmdlets
3. What SCCM information does it query? Device Collections, Devices, Users, SCCM Apps
4. What SCCM RBAC access is needed? Read-only Analyst
5. What SCCM RBAC access is optional? Privilege to create SCCM App and Deploy
6. How long will AirLift take to do the initial synchronization? 1-20 mins depending on the size and number of both Workspace ONE and SCCM entities. Subsequent synchronization is incremental.
7. Does AirLift support Direct and Rule-based Device Collections? Yes
8. Does AirLift support anything other than SCCM Device Collections? No
Learn Workspace ONE modern management for Windows 10
Demos
• https://youtu.be/3OOap0qQOMY
• https://vmwarelearningzone.vmware.com/oltpublish/site/cms.do?view=openlearning
Hands-on-Labs
• http://labs.hol.vmware.com/HOL/catalogs/catalog/878
• Beginners: HOL-1857-01-UEM - Getting Started
• Advanced: HOL-1857-02-UEM - Unified Endpoint Management for Windows 10
Test Drive Workspace ONE on your Windows 10 devices
Sign up to VMware TestDrive:
• https://portal.vmtestdrive.com/
TestDrive Getting Started Guide:
• https://kb.vmtestdrive.com/hc/en-us/articles/360001372254-Getting-Started-with-TestDrive
Workspace ONE for Windows 10 Walkthrough Guide:
• https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-Experience-Workspace-ONE-on-Windows-10
Get Started on Your POC or Deployment
POC: Workspace ONE Windows 10 Reviewers Guide:
• https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-management-airwatch
Deployment: Professional Services Use Case Add-on for Windows 10:
• https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/datasheet/vmware-workspace-one-airwatch-service-add-on-use-case-datasheet.pdf
You’ve got questions, we’ve got answers… hopefully