Desktop and Device Management

Andy Taylor – Andy.Taylor@microsoft.com

Susan Smith – Susan.Smith@microsoft.com

Agenda

• Introduction
• System Center 2012 Configuration Manager
• Windows Intune
• Close

System Center 2012 Configuration Manager

SYSTEM CENTER 2012 CONFIGURATION MANAGER

Empower Users

Empower people to be more productive from almost anywhere on almost any device.

Simplify Administration

Improve IT effectiveness and efficiency.

Unify Infrastructure

Reduce costs by unifying IT management infrastructure.

NEED FOR NEW APPLICATION MODEL

Your end-users are changing – and apps are what they use to do work
– Ultra mobility
– Lots of devices
– New generation with new expectations

Your apps are changing
– AppV
– SaaS
– Datacenter hosted (VDI, remote/seamless apps)
– Mobile apps/catalogs

[Figure: Management Server; panels: Traditional Model, User Centric Model]

APPLICATION MODEL

• Manage applications; not scripts
• Application Management:
  – Detection method – re-evaluated for presence:
    • Required application – reinstall if missing
    • Prohibited application – uninstall if detected
  – Requirement rules – evaluated at install time to ensure the app only installs in places it can, and should
  – Dependencies – relationships with other apps that are all evaluated prior to installing anything
  – Supersedence – relationships with other apps that should be uninstalled prior to installing anything
  – Update an app – Automatic revision management

MOBILE DEVICE MANAGEMENT

Depth Management
• Secure over-the-air enrollment
• Monitor and remediate out-of-compliance devices
• Deploy and remove applications
• Inventory
• Remote wipe

(WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x)

NOKIA

Light Management
• EAS-based policy delivery
• Discovery and inventory
• Settings policy
• Remote wipe

DEMO: APPLICATION MANAGEMENT

WHAT IS USER DEVICE AFFINITY (UDA)?

• Key feature to help move to User Centric Application Deployment
  – Provides the ability to define a relationship between a user and a device, then leverage this in app deployment
    • Ensure the application is not installed everywhere the user logs on
    • Change the “deployment type” based on UDA
    • Predeploy to systems when the user is not logged in for workgroup and after-hours deployments

• Configuration Manager 2012 supports:
  – Single primary user to primary device
  – Multiple primary devices per user
  – Multiple primary users per device

Windows Embedded

APPLICATION CATALOG

IT: Administrators publish software titles to catalog, complete with metadata to enable search

User: Users can browse, select and install directly from Catalog

• Deliver best user experience on each device
• Application model determines format and policies for delivery

DEMO: INSTALLING SOFTWARE FROM APPLICATION CATALOG

SIMULATE APPLICATION

Goal – build trust in moving to state based dynamic applications
• Did I do detection method right?
• Did I get rules/relationships right?
• What will my deployment type mix be?

What it does – runs application as required in “rules only” mode
• No content download, no execution of deployment type
• Results – what would the system have done?
• Processes detection method, requirement rules, dependencies and supersedence
• Does NOT simulate the install!

Guidance
• Run for an app, then delete – these rules are processed ongoing and will impact scale/perf
• It’s a REAL piece of policy – so may collide with other inflight policies
• Preflight deploy a superseding application – may have impact on user experience and compliance reporting
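The "rules only" evaluation described on the Application Model and Simulate Application slides can be sketched as follows. This is an added example, not ConfigMgr code: the `App` class, the `simulate` function, the app names and the device states are hypothetical, and the model is a simplification that only reports what would be done.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class App:
    name: str
    detect: Callable[[dict], bool]                      # detection method
    requirements: list = field(default_factory=list)    # (label, predicate) requirement rules
    depends_on: list = field(default_factory=list)      # other App objects
    supersedes: list = field(default_factory=list)      # other App objects

def simulate(app, device, purpose="required", seen=frozenset()):
    """Rules-only evaluation: returns the actions that would be taken, performs none."""
    if app.name in seen:
        return [f"error: dependency cycle at {app.name}"]
    present = app.detect(device)
    if purpose == "prohibited":
        return [f"uninstall {app.name}"] if present else []
    if present:
        return []                                       # already compliant
    failed = [label for label, rule in app.requirements if not rule(device)]
    if failed:
        return [f"not applicable: {app.name} ({', '.join(failed)})"]
    dep_steps = []
    for dep in app.depends_on:                          # evaluated before anything installs
        steps = simulate(dep, device, "required", seen | {app.name})
        if any(s.startswith(("not applicable", "error", "blocked")) for s in steps):
            return steps + [f"blocked: {app.name} (dependency {dep.name})"]
        dep_steps += steps
    removals = [f"uninstall {old.name}" for old in app.supersedes if old.detect(device)]
    return removals + dep_steps + [f"install {app.name}"]

def installed(name):
    return lambda device: name in device["installed"]

# Constructed catalog and device states (hypothetical names).
RUNTIME = App("Runtime 4", installed("Runtime 4"))
VIEWER_V1 = App("Viewer 1.0", installed("Viewer 1.0"))
VIEWER_V2 = App("Viewer 2.0", installed("Viewer 2.0"),
                requirements=[("64-bit OS", lambda d: d["arch"] == "x64")],
                depends_on=[RUNTIME], supersedes=[VIEWER_V1])
LAPTOP = {"arch": "x64", "installed": {"Viewer 1.0"}}
KIOSK = {"arch": "x86", "installed": set()}

if __name__ == "__main__":
    for label, device in (("laptop", LAPTOP), ("kiosk", KIOSK)):
        print(label, simulate(VIEWER_V2, device))
    print("prohibited", simulate(VIEWER_V1, LAPTOP, "prohibited"))
```

The device dictionaries are never modified, which mirrors the slide's point that a simulation processes the rules without downloading content or running the install.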

DEMO: SIMULATE APPLICATION DEPLOYMENT

SIMULATE DEPLOYMENT GRAPH

ROLE-BASED ADMINISTRATION

• Central management for security
• Role-Based Administration lets you map the organizational roles of your administrators to defined security roles:

| Functionality | ConfigMgr 2007 | ConfigMgr 2012 |
|---|---|---|
| What types of objects can I see and what can I do to them? | Class rights | Security roles |
| Which instances can I see and interact with? | Object instance permissions | Security scopes |
| Which resources can I interact with? | Site specific resource permissions | Collection limiting |

• Removes clutter from the console
  – Supports “Show me what’s relevant to me” based on my Security Role and Scope
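The three questions in the role-based administration table combine into one authorization decision: the role must grant the operation on the object type, the object instance must be in one of the administrator's scopes, and the target resources must be in a collection the administrator is limited to. The following is an added example, not ConfigMgr code; the role names, permissions, objects and collections are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminUser:
    name: str
    roles: frozenset        # security roles: what object types, which operations
    scopes: frozenset       # security scopes: which object instances
    collections: frozenset  # collection limiting: which resources

# Constructed role definitions: role -> {object type: allowed operations}.
ROLES = {
    "App Deployer": {"Application": {"read", "modify", "deploy"}},
    "Auditor": {"Application": {"read"}, "Collection": {"read"}},
}

def authorize(admin, operation, obj, target_collection=None):
    """Return (allowed, reason); the role, scope and collection checks must all pass."""
    granted = any(operation in ROLES[r].get(obj["type"], ()) for r in admin.roles)
    if not granted:
        return False, "no security role grants this operation on this object type"
    if obj["scope"] not in admin.scopes:
        return False, "object instance is outside the admin's security scopes"
    if target_collection is not None and target_collection not in admin.collections:
        return False, "target collection is outside the admin's collection limit"
    return True, "allowed"

def visible_objects(admin, objects):
    """'Show me what's relevant to me': filter the console view by role and scope."""
    return [o["name"] for o in objects if authorize(admin, "read", o)[0]]

# Constructed objects and administrators (hypothetical names).
PAYROLL = {"name": "Payroll Client", "type": "Application", "scope": "Finance"}
CAD = {"name": "CAD Suite", "type": "Application", "scope": "Engineering"}
OBJECTS = [PAYROLL, CAD]
FIN_ADMIN = AdminUser("finance-desk", frozenset({"App Deployer"}),
                      frozenset({"Finance"}), frozenset({"Finance Laptops"}))
AUDITOR = AdminUser("audit", frozenset({"Auditor"}),
                    frozenset({"Finance", "Engineering"}), frozenset())

if __name__ == "__main__":
    print(authorize(FIN_ADMIN, "deploy", PAYROLL, "Finance Laptops"))
    print(authorize(FIN_ADMIN, "deploy", PAYROLL, "All Servers"))
    print(authorize(FIN_ADMIN, "deploy", CAD, "Finance Laptops"))
    print(visible_objects(AUDITOR, OBJECTS))
```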

CLIENT STATUS

Goal: enable administrators to monitor the activity and status of ConfigMgr client computers in their hierarchy.

The following two methods are used to evaluate the overall status of the client computers being managed:

• Client Activity (monitored from the server): configure thresholds to determine if a client is active

• Client Check (monitored from the client): a client evaluation engine is installed with the ConfigMgr client, which periodically evaluates its health and the state of its dependencies. This engine can also remediate some problems with the client.

SOFTWARE UPDATES

• Auto Deployment Rules
  – Use filter to identify class of updates to automatically deploy: category, products, language, date revised, article id, bulletin id, etc.
  – Schedule content download
• State-based Update Groups
  – Deploy updates individually or in groups
  – Updates added to an update group automatically deploy to collections targeted with the group

SYSTEM CENTER 2012 ENDPOINT PROTECTION

Unified Infrastructure

Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

• Easy to set up and operate the management infrastructure
• Easy client install and migration
• Automated deployment of updates using ConfigMgr infrastructure
• Simplified deployment of antimalware policies

SETTINGS AND COMPLIANCE MANAGEMENT

[Diagram labels: ConfigMgr MP, Baseline, ConfigMgr Agent. Baseline configuration items: WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory. Deploy baselines to collections. Baseline drift: Auto Remediate OR Create Alert.]

Improved functionality
• Copy settings
• Trigger console alerts
• Richer reporting

Enhanced versioning and audit tracking
• Ability to specify versions to be used in baselines
• Audit tracking includes who changed what

Pre-built industry standard baseline templates through IT GRC Solution Accelerator

REPORTING EXPERIENCES

• Report Viewer (in-console)
• Report Manager (Web)

REMOTE CONTROL

• What's New in Remote Control
  – Ability to send Ctrl-Alt-Del keystroke to host device
  – Able to traverse all Windows Secure Desktop modes
    • Winlogon, SAS, UAC, Locked screen
  – Granular client settings per collection
  – Lock keyboard and mouse
  – Ability to create Firewall exception rule
  – Ccmeval monitors and remediates Remote Control Service

Unified Management; On-Premise and from the Cloud

Active Directory

Windows Intune

WINDOWS INTUNE

MANAGE, SECURE PCS AND DEVICES ANYWHERE

Simple Web-Based Administration Console and a friendly IW experience

• Help protect PCs from malware
• Manage updates
• Proactive monitoring and alerts
• Provide remote assistance
• Inventory hardware and software
• Monitor & track licenses
• Increase insight with reporting
• Set security policies
• Distribute and consume software

MOBILE CAPABILITIES

• Unified experience across all devices
  – Automatic discovery of mobile devices that access Exchange
  – Single console to manage computers and mobile devices
  – User centric views for device inventory

• Protect corporate data on mobile devices
  – Deploy ActiveSync policies to user groups (password, encryption…)
  – Define mobile device access rules by device family/model
  – Remove mobile devices that access Exchange (with option to wipe)

• IW empowerment through mobile LOB apps
  – Host & target in-house mobile apps to user groups (e.g. corp app store)
  – Provide mobile self-service to download mobile apps or contact IT

LOGICAL ARCHITECTURE

[Diagram: logical architecture]

Components: Exchange, Windows Intune, Active Directory, Exchange Connector, Identity Cloud Infrastructure (MSODS)

Zones: On-Premise Infrastructure, Microsoft Cloud

Labelled flows:
• Sync AD user data into the cloud
• Sync managed users to Windows Intune
• ActiveSync Policy/Config
• Sync mobile devices for managed users
• Apply EAS policies or remediation tasks

POLICY TRACKING

• Track compliance against policies
  – Unified Policy status across PCs and mobile devices
  – Consistent look and feel for device settings report

• Policy status for User groups and individual users
  – Display # of users who have devices with policy issues
  – Drill down into users and their devices with issues

• Noncompliance action for mobile device
  – Reports if email access has been allowed or denied to non-compliant devices

APP MANAGEMENT

• Publish
  – The IT administrator uploads in-house apps to Windows Intune
  – The IT administrator deploys each app, specifying which targeted user groups have access to each app

• Consume
  – Information workers sign in to the Windows Intune company portal using their corporate credentials
  – In the mobile portal, information workers can do the following:
    • View a detailed list of available apps
    • Download an app
    • Contact IT (in case of a problem)

• Track
  – The IT administrator tracks app adoption, using the aggregated and detailed statistics provided by Windows Intune

DEMO: WINDOWS INTUNE

Device Management Key Points

• User Centric Management
  – Applications that users need, on the multiple devices they use
  – User empowerment

• Public and Private cloud Management
  – Windows Intune
  – System Center 2012 Configuration Manager

• Manage all your devices

Next Steps

Microsoft System Center 2012: http://www.microsoft.com/en-us/server-cloud/system-center/default.aspx

Windows Intune:

Current version - http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx

Try the next version - https://account.manage-beta.microsoft.com/Signup/MainSignUp.aspx?OfferId=1A981431-C1CF-1C28-4936-3F8229EC1411&ali=1

System Center Marketplace: http://systemcenter.pinpoint.microsoft.com

Blogs: http://blogs.technet.com/systemcenter

http://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide-en-us.aspx

Download and Evaluate More Resources

Some information relates to pre-released product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.