UEM1745BE: An Insiders View Into Windows 10 Management Technical with VMware AirWatch

Gareth Kitson, Dr. Alexander Bruns

#VMworld #UEM1745BE

VMworld 2017 Content: Not for publication or distribution

Speaker Introduction

Gareth Kitson, Senior Systems Engineer, VMware

Dr. Alexander Bruns, Digital Workplace Services & Solutions - Workplace Architecture & Consulting, DB Systel GmbH

Understanding the Windows 10 modern IT architecture for today’s workforce


Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Session Agenda

1 Introduction

2 Simplifying Windows Deployments

3 Delivering Software at Scale

4 Windows Updates and the Cloud

5 Zero Trust and the New Security Paradigm


Modern Workforce Requirements have Changed; PC Lifecycle Management (PCLM) Has Not

Remote users and devices

Mobile-cloud OS and apps

New device type and ownership

Legacy, on-premises PCLM tools fall short of new OS and remote workforce demands!

Traditional PC Management

Falls short for your modern OS & workforce demands

Compromised Security: Slow to identify non-compliance

Unreliable Software Distribution: Resource intensive packaging and deployment

Poor User Experience: Locked down experience and no self-service

Limited Visibility: Policies and updates pending

Traditional Systems Management: OS Update Servers (WSUS), Software Distribution Servers, GPO Policy Servers (AD)

Unified Endpoint Management

Enables a modern approach to PC management

Security Across Networks: Backed by a powerful compliance engine

Scalable Software Distribution: From the cloud, eliminate physical infrastructure

Better User Experience: Self-service and peak user experience

Real-time Visibility: Policy and updates in seconds, not months

Unified Endpoint Management: Configuration, Apps, Updates, Security

But PC Management Presents Certain Unique Challenges…

Thousands of settings in Windows

Group Policy Object (GPO)

Network constraints prevent using an MDM tool for software distribution

Limited Win32 software distribution capabilities

Can’t provide inventory data for traditional Win32 apps

Situations where we cannot use an in-place OS upgrade

Using built-in image means incompatibility risk

Application packaging of legacy apps will be a barrier


Extending EMM with Critical PC Management Needs

Comprehensive unified endpoint management (UEM) features transforming the way IT manages Windows 10

1. MDM for Windows

2. Configuration Management

3. OS Patch Management

4. Software Distribution

5. Client Health & Security

Device and OS Lifecycle Management, App Management and Delivery, End-to-end Security Management

• Self-Service Access & SSO

• Co-exist with Systems Management

• Deploy Updates Off the Network

• Device Health Attestation

• Win32 App Lifecycle Management

• Instant Push Configuration for Policies

• GPOs On or Off the Domain

• Windows Information Protection

• Patch Auditing

• Granular Updates Management

• Asset Tracking

• App Inventory

• BitLocker Encryption

• Enterprise App Store

• Imageless Provisioning

• In-place or custom image migration

• Modern Management

• Intelligent Insights and Rules Engine

• BIOS Management

• Delivery Optimization

• Automated Compliance

Simplifying Windows Deployments


OLD IMAGE

Customized OS, Company Required Apps, User/Role Specific Apps, Company Required Policies

High Touch – Expensive – Not Scalable

MODERN TRUSTED IMAGE

Base OEM OS (Preloaded), with Apps, Policies and OS Updates delivered by AirWatch and Microsoft Updates

Secured, real-time and over-the-air

Configure Devices Over-the-Air

Modern MDM Settings: Wi-Fi, VPN, Certificates, Email, Passcodes, Restrictions, Encryption, Firewall, Antivirus, OS Licenses…

Legacy PC Configuration: Group Policy Objects (GPOs), Security Baselines and ADMX Templates, BIOS / Firmware configuration…

Advanced Task Automation: Task sequence PowerShell commands, custom scripts, files, applications, runtime conditions and actions…

AirWatch Extends Cloud-Management to the Hardware Level

Dell Command and AirWatch integration enables cloud-management of Dell commercial system BIOS

OS and App Level: End-to-End Security Management; Device and OS Lifecycle Management; App Management and Delivery

System Level (Dell Command | Monitor): Battery lifecycle and power; Hardware error reporting; BIOS health and password; Asset management; Security and virtualization

Windows Updates and the Cloud


Windows Update Servicing Has Changed

Challenges:

• Updates delivered more frequently

• Management infrastructure upgrade with each new version

• Application compatibility testing with each new version

• Bandwidth utilization with Cumulative Updates

• Reporting of Device Status

• Reaching Remote Workers

Source: Microsoft

WUaaS Requires a New Architecture

Update as a Service:

• Query available updates

• List of KBs/Updates

• Report update metadata

• Approve updates based on smart group assignments

• Authorize approved KBs

• Fetch authorized updates

• Peer to peer delivery across Windows 10 Devices

Windows Update Analytics & Automation

Contextual Intelligence for your Windows 10 updates

Business: Live dashboards enable immediate compliance actions and remediation

IT: Make informed deployment decisions and rules for hands free remediation

Decide: optimize rollouts - target when to install, which group

View: install status by patch, patch type, distribution rings

Predict: average time to patch; rollout completion

Remediate: create rules to deploy missing critical updates

Delivering Software at Scale


How IT Deploys Apps Today…

Special Request: Manual provisioning on user request

Role Based: User group or role specific images

Company Wide: OEM and device specific images

Simplified Application Deployment Strategy With AirWatch

Special Request: Allow access through self-service; Enable request work flows through integration; Push to single users

Role Based: User group mapping makes role assignment easy; Create subgroups through AirWatch; Easy to manage updates

Company Wide: Can push over-the-air or manage on image; Can use WIP to add additional security to files associated with company wide apps

Deliver a Unified End User Experience Across All App Types


Internally developed mobile apps

Native public mobile apps

SaaS apps

Internal web apps

Modern Windows apps

Legacy Windows apps

Virtualized management desktops


Simplify Management Across All App Types

1. Desktop Apps: Full lifecycle management of Win32 or desktop applications

2. Cloud Apps: Bring cloud apps and access management to AirWatch

3. Store Apps: Integrate with Microsoft Store and Business Store Portal

Win32 Application Management Capabilities

1. Native Application Support

• EXE, MSI, ZIP, APPX

• Framework + Libraries

• Dependency Mapping

2. Simplified Configuration

• Device + User assignment

• Define Install Criteria

• MST Support

• Managed app settings

3. Advanced Lifecycle Mgmt.

• Custom Packaging

• Cumulative and Additive Patching (MSP)

• Self Service Versioning Controls

4. Inventory and Reporting

• List of apps per device

• App adoption status

• Installation status

• Pre-defined reports

CDN + P2P Distribution Technology

Drive down costs by using peer-to-peer technology to eliminate the need for costly on-premises servers

Protect your network by downloading content only once at each site

Manage all endpoints from one unified solution, across any device, from anywhere – cloud and on-premises

Replace servers with Adaptiva’s breakthrough peer-to-peer software deployment technology

Components: Adaptiva OneSite, VMware AirWatch UEM, Microsoft Windows, CDN

Client Health and Security


The Old World


The New World

Securing Interactions is Getting Increasingly Complex

Infrastructure: Private Clouds, Hybrid Clouds, Public Clouds

Devices

Apps: Traditional Apps, Cloud-Native Apps, SaaS Apps

Typical App Connects to 7 Cloud Services

VMware’s Approach to Security

TRANSFORM SECURITY

New apps and delivery models can’t be easily protected with perimeter-centric network security.

Proliferating and diverse endpoints access a range of apps and IT services.

Increasingly complex threat ecosystem and slow to identify non-compliance.

Secure Applications and Data

Protect Identity and Endpoints

Streamline Compliance

Intrinsic Security from Device to Data Center

Protect Identity and Endpoints

Safeguard user identities and endpoints

Across any user, application and device

Ensure desired OS state with over the air configuration of hardware and OS

Harden OS with real-time device and OS health data; block access for compromised endpoints

Establish user trust with new identity features; multifactor authentication based on context

Minimize Risk, Ensure Compliance

Manage governance, risk and compliance

Real-time remediation and compliance

Develop the rules, policies, and management around security requirements

Maintain and evolve compliance; automate remediation for hands free IT

Cloud patching of devices across any network, on or off domain

On-demand visibility, reporting and compliance auditing of all endpoints

Secure Access Based on Device Posture and Health Attestation

Health attestation checks: Secure Boot; BitLocker Encryption; Antivirus and Firewall; Code Integrity; Windows Version; TPM 2.0 or Higher

Managed and Compliant, with user identity validated: COMPLIANT, access granted to Cloud or On-Premises Resources

Not Managed or Compliant: ACCESS DENIED
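The access decision on this slide, as an added example that is not part of the deck or of VMware's products: a local PowerShell audit that reads the same posture signals the slide lists (Secure Boot, BitLocker, antivirus and firewall, code integrity, Windows build, TPM specification version) through built-in cmdlets and WMI classes, then returns COMPLIANT or ACCESS DENIED together with every failed check. The function names, the minimum build of 15063 (Windows 10 1703) and the requirement that a code integrity policy be enforced are assumptions of the example; in a UEM deployment the agent reports these values and the compliance engine in the console, not the device, makes the decision.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the VMworld deck or VMware's products): a local
# posture audit mirroring the health-attestation checks on the slide.
# Every query fails closed: a check that cannot be read counts as failed.

function Get-DevicePosture {
    $posture = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try   { $posture.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $posture.SecureBoot = $false }

    # BitLocker: OS volume fully encrypted with protection switched on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $posture.BitLocker = [bool]($os -and $os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')

    # Antivirus (Windows Defender status) and firewall (every profile enabled).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $posture.Antivirus = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $disabled = $profiles | Where-Object { $_.Enabled.ToString() -ne 'True' }
    $posture.Firewall = [bool]($profiles -and -not $disabled)

    # Code integrity: Win32_DeviceGuard reports 2 when a CI policy is enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $posture.CodeIntegrity = [bool]($dg -and $dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Windows build and TPM spec version (SpecVersion reads like "2.0, 0, 1.16").
    $posture.WindowsBuild = [System.Environment]::OSVersion.Version.Build
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = [version]'0.0'
    if ($tpm -and $tpm.SpecVersion) { $spec = [version](($tpm.SpecVersion -split ',')[0].Trim()) }
    $posture.TpmSpec = $spec

    [pscustomobject]$posture
}

function Test-DevicePosture {
    param(
        [Parameter(Mandatory)] $Posture,
        [int]$MinimumBuild = 15063,            # constructed policy value: Windows 10 1703
        [version]$MinimumTpm = [version]'2.0'  # "TPM 2.0 or Higher" from the slide
    )
    # Collect every failure instead of stopping at the first so the user and the
    # helpdesk can see the full list of what must be fixed before access is restored.
    $reasons = @()
    if (-not $Posture.SecureBoot)    { $reasons += 'Secure Boot is off' }
    if (-not $Posture.BitLocker)     { $reasons += 'OS volume is not BitLocker protected' }
    if (-not $Posture.Antivirus)     { $reasons += 'antivirus or real-time protection is off' }
    if (-not $Posture.Firewall)      { $reasons += 'a firewall profile is disabled' }
    if (-not $Posture.CodeIntegrity) { $reasons += 'code integrity policy is not enforced' }
    if ($Posture.WindowsBuild -lt $MinimumBuild) { $reasons += "Windows build $($Posture.WindowsBuild) is below $MinimumBuild" }
    if ($Posture.TpmSpec -lt $MinimumTpm)        { $reasons += "TPM $($Posture.TpmSpec) is below $MinimumTpm" }

    $verdict = if ($reasons.Count -eq 0) { 'COMPLIANT' } else { 'ACCESS DENIED' }
    [pscustomobject]@{ Verdict = $verdict; Reasons = $reasons }
}

# Usage: collect the posture, evaluate it, and print the verdict with every failed check.
$posture = Get-DevicePosture
$posture | Format-List
Test-DevicePosture -Posture $posture | Format-List
```

Run it in an elevated session. A check whose source cannot be queried (no BitLocker module, no Defender, no Device Guard class) reads as failed rather than silently passing, which is the fail-closed behaviour a conditional-access policy needs; the deck's "user identity validated" step is the identity provider's job and is deliberately outside this device-side script.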

Secure Apps and Data

Gain transformative insights into application infrastructure

Across any app, app type, and location

Secure access to any app with context of identity, endpoint and app interactions

Lock down access to un-approved and un-trusted apps and malware

Protect data with encryption, native DLP, per-app tunneling, and traffic filtering

Remote wipe company data from admin console or self-service portal

Unlock the Power of BitLocker

• Use built-in TPM for secure authentication at lower cost (no need for additional startup flash drives) and also ensure pre-startup OS integrity

• Enforce login PIN in conjunction with TPM for multifactor authentication and lock out the OS from auto-resume

• Set recovery password rotation meeting compliance requirements and protecting against the key falling into the wrong hands

• Display recovery password URL and escrow in self-service portal to reduce helpdesk tickets

• Suspend BitLocker temporarily for scheduled maintenance tasks so the user isn’t constantly prompted for password / PIN
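The BitLocker controls listed above, as an added example that is not part of the deck or of AirWatch: the built-in BitLocker PowerShell module applied to the OS volume to add a TPM+PIN protector, keep an escrowed recovery password, rotate that password so a copy that leaked through a ticket or portal stops working, and suspend protection for exactly one reboot around maintenance. The function names are the example's own; escrow goes to AD DS with Backup-BitLockerKeyProtector because that is the built-in target, whereas a UEM agent would post the password to its console. It assumes the Group Policy "Require additional authentication at startup" permits TPM+PIN, without which adding the protector fails.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the VMworld deck or AirWatch): the BitLocker settings
# on the slide applied with the built-in BitLocker module on the OS volume.

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin   # pre-boot PIN, second factor alongside the TPM
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)

    # TPM + PIN: the TPM seals the volume key, the PIN stops an unattended auto-resume.
    if ($types -notcontains 'TpmPin') {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest
        } else {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
        }
    }
    # The recovery password is the escrowed fallback shown to the user by a portal.
    if ($types -notcontains 'RecoveryPassword') {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($p in $rp) { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Update-RecoveryPassword {
    # Rotation: add a fresh recovery password, escrow it, then remove the old ones,
    # so a password that was read from a ticket or the portal no longer unlocks the drive.
    param([string]$MountPoint = $env:SystemDrive)
    $old = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $old.KeyProtectorId -notcontains $_.KeyProtectorId
    }
    # Escrow the new password before the old ones are dropped; never leave a window with no escrowed copy.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    $new.KeyProtectorId
}

function Suspend-ForMaintenance {
    # Suspend for exactly one reboot so a firmware or TPM maintenance task does not
    # trigger the recovery prompt; protection resumes automatically after that reboot.
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

# Usage (interactive, constructed):
#   Enable-OsVolumeBitLocker -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
#   Update-RecoveryPassword
#   Suspend-ForMaintenance
```

The ordering inside Update-RecoveryPassword matters: the new password is escrowed before any old one is removed, so there is never a moment where the only recovery path is a password nobody has stored. Suspend-BitLocker with -RebootCount 1 is preferable to an open-ended suspend because protection comes back without anyone having to remember to resume it.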

New Level of Data Security with Windows Information Protection

Setting Policy Levels: Configure how enterprise data is handled (encrypt, block, audit)

Configuring Per-App VPN: Define which apps can access internal network through VPN

Tagging Data: Define data sources to classify as enterprise (IP, domain, SharePoint, and more)

Defining Privileged Apps: Configure privileged apps that can handle enterprise data

App Level VPN

Granular App Tunneling with AirWatch Tunnel

Restrict access to defined servers instead of the entire network

For external presentations, always use a title slide with the department colour.

Photo: Volker Emersleben


Ways to Learn More

Sessions

• UEM1359BE - Best Practices in Migrating Windows 7 to Windows 10 - 9/13 5:00pm

• UEM3155SE - The Evolution of Endpoint Management Within a Digital Workspace - 9/13 3:30pm

Meet the Expert

• Stop by our booth

• MTE4825U - Taking a Cloud First, Modern IT Approach to Windows 10 Management with Morgan Abaziou - 9/13 11:15am

Content

• www.workspaceone.com

• www.airwatch.com/solutions/windows

Hands-on Labs

• Stop by our hands-on labs at VMworld

• https://www.vmware.com/try-vmware/try-hands-on-labs.html

ASK THE EXPERTS
