People-centric IT is predicated on being able to identify who the user is and what their permissions are for accessing data and resources. Active Directory is a critical tool to enable this, with common user accounts and security groups, a repository for inventory and device data, and central policy control. It also gives you a way to manage users consistently across the datacenter and the cloud, with federation to synchronize identity and the ability to access user accounts for third-party applications. Our management solutions – Configuration Manager and Windows Intune – leverage this consistent identity to manage and secure user activity appropriately.
Apart from Windows Intune integration, SP1 for Configuration Manager brings a range of other improvements. These improvements include the following:
• You can install the Configuration Manager client on Windows 8 computers and deploy Windows 8 to new computers or to upgrade previous client operating system versions. Configuration Manager SP1 also supports Windows To Go.
• Configuration Manager supports Windows 8 features, such as metered Internet connections and Always On Always Connected.
• You can configure user data and profiles configuration items for folder redirection, offline files, and roaming profiles.
• You can configure new deployment types for Windows 8 applications, which support standalone applications (.appx files) and links to the Windows Store.
Other significant changes include the following enhancements:
• Support for Windows Server 2012 on site systems and clients, and support for SQL Server 2012 for the Configuration Manager database. Clients are now supported on Mac computers, and on Linux and UNIX servers.
• Windows PowerShell cmdlets are available to automate Configuration Manager operations by using Windows PowerShell scripts.
• More flexible hierarchy management, with support to expand a stand-alone primary site into a hierarchy that includes a new central administration site, and the migration of a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.
• Support for multiple software update points for a site to provide automatic redundancy for clients, in the same way as you can configure multiple management points.
• Client notification to initiate some client operations from the Configuration Manager console, which include downloading computer policy and initiating a malware scan to be performed as soon as possible, instead of during the normal client policy polling interval.
• Support for virtual environments that allow multiple virtual applications to share file system and registry information instead of running in an isolated space.
• Email alert subscriptions are now supported for all features, not just Endpoint Protection.
The latest release of Windows Intune includes a number of changes that enhance the management of people, PCs, and devices. With a unified configuration, the following added features are of interest:
• Unified management solution with System Center 2012 Configuration Manager with Service Pack 1 (SP1). With this update, you can now manage devices either from the existing cloud-based Windows Intune management solution or through a new connector, by using Microsoft System Center 2012 Configuration Manager with SP1.
• User-based licensing. This release of Windows Intune updates the licensing conditions and adds two new licensing options to help organizations with managed users who employ multiple devices, rather than focusing on one device at a time. The licensing changes are explained later in this course.
• Direct Mobile Device Management. This release of Windows Intune provides a new direct management capability that implements Mobile Device Management (MDM) features for Windows RT, Windows Phone 8, and iOS devices. Hence, modern devices no longer require an Exchange ActiveSync (EAS) connection in place to support the MDM solution.
• Company Portal Application. In the previous release of Windows Intune, administrators accessed company applications, device management and IT support features through an online web portal. In this new release, Windows Phone 8 and Windows RT devices can access these features through a new secure Self-service Portal (SSP) application.
• Windows RT and Windows Phone 8 Application Distribution. Microsoft has extended the software distribution feature of Windows Intune to support both Windows RT and Windows Phone 8 applications. In a unified environment, you can now publish line-of-business applications to Windows RT devices and Windows Phone 8 devices by using the same wizard.
Further, Windows Intune offers a cloud-based self-service portal that gives users one central place to request applications and have them securely provisioned on any device. This one central place makes it easy for them to request the applications they need to stay productive – and they’ll only see the software they have permission to use.
Each portal has differing management capabilities, depending on the platform. The table summarizes these management capabilities.
With this update, you can now manage devices either from the existing cloud-based Windows Intune management solution or through a new connector, by using Microsoft System Center 2012 Configuration Manager with SP1. This slide provides an overview of how these two configurations can manage devices either directly through the cloud or through Configuration Manager on-premises.
This first figure shows the classic cloud-based configuration, and existing users of Windows Intune will be familiar with this approach. With this arrangement, IT administrators use the Windows Intune web-based Administrator console to access the management features on the client computers and mobile devices. This configuration is covered in the other course in this series.
[Click] The second figure shows the new unified on-premises configuration, where the administrator uses the Configuration Manager 2012 SP1 management console to access the management features for the supported clients. Using this configuration, an administrator can manage all the organization’s devices through a single console and get an unprecedented insight into the ways employees use their mobile devices to access company data.
Another benefit of this solution is that the Configuration Manager infrastructure enables support for very large installations. This release supports installations of up to approximately 100,000 users, computers, and mobile devices in a single management infrastructure.
So now let’s walk through exactly how both these products can work together in the Enterprise. Integration between Configuration Manager with SP1 and this release of Windows Intune enables you to manage many different device types, all from the Configuration Manager management console:
[Click] For your PCs – Mac, Linux, Windows 8 x86 – these can be managed through the existing on-premises infrastructure.
[Click] For your mobile devices – RT, WP8, iOS, Android – we see an enhanced management experience through the cloud.
[Click] User management happens by using Active Directory Federation Services (optional) for single sign-on and DirSync to synchronize user accounts.
[Click] Exchange Server managed devices can still interoperate in this hybrid environment.
But now with SP1 the admin will be able to manage all these devices from the CM console in a single pane. They will be able to keep their on-premises deployment and quickly realize the benefits of the cloud in terms of managing highly mobile devices.
Note: It is possible to integrate Configuration Manager with Office 365 to help manage Office 365-based environments.
System Center 2012 Configuration Manager offers an enhanced range of management features that result from the greater capabilities of this on-premises solution. Windows Intune extends a subset of these management capabilities to mobile devices, as shown in this table.
You may already be using Exchange ActiveSync to manage your mobile devices, so it is useful to compare the two management types to highlight the benefits of using the Windows Intune connector.
Using Configuration Manager and Windows Intune, you can manage user settings, hardware inventory, and device lifecycle on Windows RT, Windows Phone 8, and iOS. For Android, you can manage user settings through Exchange ActiveSync by using the Exchange connector in Configuration Manager. Note that you can still manage devices through EAS and Windows Intune. However, when a device is receiving security settings from both Exchange ActiveSync and Windows Intune, the most restrictive settings apply.
When you have signed up for a Windows Intune account, you will have access to a number of portals. With Configuration Manager unified management, you do not often need to use these portals; however, it is useful to know about them and the functionality that they provide.
The first is the account portal. In a cloud-based environment, account administrators use this portal to manage users, other account administrators, security groups, and subscriptions. Partner organizations can also access Microsoft cloud services offerings for customers from the Partner tab of the account portal. With a unified configuration, you use the Account portal only for user verification and adding domains.
[Click] The second site is the Windows Intune administrator console. This is the console that Windows Intune administrators use in cloud-based configurations to manage users and devices, monitor the health of devices, manage policies and updates, and define the apps that users can download from the company portal. In a unified configuration, you don't use this console.
[Click] The third site is the company portal. Company portals let users have control over their devices, and they are tailored to devices. For example, the company portals are where users are able to view and download sideloaded apps. For Windows RT and Windows Phone 8, there are company portal apps that let users manage line-of-business apps on their devices. For iOS and Android devices, the company portal is a web portal that allows users to manage line-of-business apps on their devices.
This diagram shows one possible road map for integrating Configuration Manager with Windows Intune. The steps you carry out are as follows:
1. Sign up for a Windows Intune account. Note that you may not need to sign up for this account through the web portal, depending on your licensing arrangements.
2. Add your internal domain to Windows Intune by demonstrating that you own the domain name. This process also helps ensure that your Active Directory UPNs match your planned Windows Intune logon names.
3. Deploy ADFS 2.0 if you want to implement single sign-on (SSO).
4. Federate your internal Active Directory implementation with Windows Azure Active Directory (WAAD), which provides the directory service for Office 365.
5. Set up DirSync and synchronize your user accounts into Windows Intune.
6. Verify that SSO works correctly and that users can authenticate to Windows Intune with their corporate credentials.
7. Configure the Windows Intune subscription to set Configuration Manager as the management authority for Windows Intune and specify the mobile platforms that Windows Intune will manage.
8. Specify which server and site in the hierarchy will host the Windows Intune connector site system role.
9. Finally, users can enroll their mobile devices into Windows Intune and you can manage them through the Configuration Manager console.
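A pre-synchronization check for the UPN point in the domain-verification step above, as an added example that is not part of the original deck: it lists accounts whose UPN suffix is not among the domains verified in Windows Intune, because those accounts would not get the logon name you planned. The function name `Find-UpnMismatch`, the `contoso.com` domain and the sample accounts are constructed for illustration.

```powershell
# Added example, not from the original deck. Run before the first DirSync pass.
# In production, feed -User from the ActiveDirectory module, for example:
#   Get-ADUser -Filter * -Properties UserPrincipalName
# Here the input is a constructed sample so the script runs offline.

function Find-UpnMismatch {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName and UserPrincipalName properties.
        [Parameter(Mandatory)] [object[]] $User,
        # Domains already verified in the Windows Intune account portal.
        [Parameter(Mandatory)] [string[]] $VerifiedDomain
    )

    foreach ($u in $User) {
        $upn    = ([string]$u.UserPrincipalName).Trim()
        $parts  = $upn.Split('@')
        $reason = $null

        if ($upn.Length -eq 0) {
            $reason = 'No UPN set'
        }
        elseif ($parts.Count -ne 2 -or $parts[0].Length -eq 0 -or $parts[1].Length -eq 0) {
            $reason = 'Malformed UPN'
        }
        elseif ($VerifiedDomain -notcontains $parts[1]) {
            # -notcontains compares strings case-insensitively.
            $reason = "Suffix '$($parts[1])' is not a verified domain"
        }

        if ($reason) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $upn
                Reason            = $reason
            }
        }
    }
}

# Constructed sample: one matching account, one internal-only suffix,
# one account without a UPN, and one malformed UPN.
$verified = @('contoso.com')
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      UserPrincipalName = 'alice@Contoso.com' }
    [pscustomobject]@{ SamAccountName = 'bob';        UserPrincipalName = 'bob@corp.contoso.local' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = $null }
    [pscustomobject]@{ SamAccountName = 'carol';      UserPrincipalName = 'carol@' }
)

Find-UpnMismatch -User $sample -VerifiedDomain $verified | Format-Table -AutoSize
```

Accounts reported here are the ones to fix, or to exclude from the enrolling user collection, before users are asked to authenticate with their corporate credentials.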
When you have set up ADFS and Directory Synchronization, your next stage is to set up the Windows Intune subscription. You do this in the Configuration Manager console by clicking Administration, then clicking Hierarchy Configuration, and then clicking Windows Intune Subscriptions. You then click the Create Windows Intune Subscription button.
Along with the general settings, there are four management options that you can enable or disable as required. However, enabling each management option requires varied levels of preparation before you can complete the process. In summary, the requirements are as follows:
• Android: There are no configuration requirements for Android devices.
• iOS: To enable management of iOS devices, you need to carry out a three-phase process. The actions in this process are:
  1. Click the Request APNs Certificate Service Request button in Configuration Manager to download a Certificate Service Request file (a .CSR file). You will have to log on to the Windows Intune service with your administrator credentials.
  2. Click the link for the Apple Push Certificate Portal and log on to the Apple portal with your Apple ID. You then submit the .CSR file and can then download the APNs certificate. Note that you need to close Internet Explorer before downloading the APNs certificate, otherwise you get a file with a .json extension, instead of a .pem file.
  3. Select the .pem file to upload it to Windows Intune.
• Windows RT: With Windows RT, there are no specific management requirements, but you need to obtain a valid code signing certificate and create sideloading keys in Configuration Manager to deploy applications.
• Windows Phone 8: With Windows Phone 8, you must both add a code-signed .pfx or .p12 certificate and upload a correctly signed company portal app. This process is covered in detail later in the course.
The bottom row shows the actions you need to carry out before you set up that platform in the Windows Intune subscription.
When you click the button to create a Windows Intune Subscription, you see a seven-step wizard that takes you through the process of setting up the subscription. The process is as follows:
• Sign into Windows Intune with your administrative account and select the option to allow Configuration Manager to manage this subscription.
• Specify general settings, such as the Configuration Manager collection of users who will be enrolling their mobile devices for management through Windows Intune, the company name, portal color, documentation URL and Configuration Manager site code where devices will be assigned.
• You can then select the platforms to enable for management. Each platform has additional requirements as set out in the previous slide. Note: to add a subscription with minimum configuration, enable the Android platform.
• The final pages summarize the settings and show the progress completing.
Note that the option to Allow the Configuration Manager Console to manage the subscription is a one-way setting and cannot be undone.
As mentioned previously, the Android setting requires minimal configuration.
With iOS, you need to download the CSR, upload it back to Apple, download the APNs certificate and then upload the APNs certificate back to Windows Intune.
Windows RT does not require any prior settings, but if you want to deploy applications, you need to specify the code signing certificate. You configure sideloading keys in the Configuration Manager console by clicking Software Library, clicking Application Management, and then clicking Windows RT Sideloading Keys.
Moving from Device Centric to a User Centric Management
Agenda
• What is User Centric Management and Why do I care?
• Device Centric Management
• User Centric Management with Configuration Manager 2012
• User Centric Management with InTune
• Hybrid InTune/Configuration Manager

Management
• The past – Device Centric Management
• Today – Mixed Management
• Tomorrow – User Centric Management

The times, they are a changing…
Your computer IS your tool for work
Your computer CONTAINS your tool for work

Circle of influence is shrinking…
From this… to this…
Well, it's really a square…

Why implement UCM
• Device Choice
  • Manage all devices through single interface
• Application Self-service
  • Deliver applications to the user, not the device
• Personalized Application Experience
  • Integrated security and compliance
• Non-intrusive management
  • Reduced infrastructure complexity
[Figure labels: Single admin console; Access to corp resources across devices & platforms]

Evolution of Microsoft Management
[Timeline figure; labels: Client Management Infancy · Laptops, Servers, Groups Model (NT Domain) · Comprehensive Enterprise Scale Management · Consumerization of IT · Management from the Cloud · 2012 · 2012+]

Bring Your Own Device
• Many companies are embracing this (whether they know it or not)
  • Generally, more users are doing it than administrators know about
• The first vast BYOD solution was VDI (VMware View or XenDesktop)
  • Offered broad device support to get to a Windows Desktop
  • Issue is that the Windows Desktop (<8) does not work well with touch
  • The “desktop” was the “app”
• Today, apps are cross platform, and multi-platform.
  • You can deliver just the app, without the desktop
  • You need a way to manage all of this

The process
1. Understand your existing Device Centric models
2. Configuration Manager – Move to User Collections
3. Configuration Manager – Implement Application Catalog
4. InTune – Extend to non-managed devices
5. Federation – Single management infrastructure

Device Centric Management
• You (IT) owned the device (PC).
• The PC was the “tool” for work.
• In many cases restricted, locked down, and highly controlled.
• Encouraged the “Work Computer” and “Home Computer” model
• Simplified Access to Work Tools
  • DA
  • VPN
  • VDI

Why it does not work today
• Devices are prolific, cheap, and available.
  • There is more than one choice in Operating System
• Users are more savvy, and have more devices.
• There is a trend towards “apps” as tools instead of “hardware” as tools.
  • Blame Apple, “there’s an app for that”.
• The boundaries of “work” are gone
  • Both physical and chronological

Modern Device Management
[Figure labels: Devices & Platforms; Single admin console]

Windows Embedded Support
Thin Clients
• Windows XP Embedded
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
POS/Kiosk
• Same as Thin Clients, plus
• POS Ready 2009
• POS Ready 8
Digital Signage
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
Repurposed PC
• Windows Thin PC
Supported Write Filters
• File Based Write Filters (FBWF) (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Ability to force persistence of changes for
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly in SP1.

Linux & UNIX Servers
Red Hat Enterprise Linux
• Version 4 (x86/x64)
• Version 5 (x86/x64)
• Version 6 (x86/x64)
Solaris
• Version 9 (SPARC)
• Version 10 (SPARC/x86)
SUSE Linux Enterprise Server
• Version 9 (x86)
• Version 10 SP1 (x86/x64)
• Version 11 (x86/x64)
Supported OS’s across both:
• Configuration Manager
• Operations Manager
Old versions supported as long as vendor provides support
Broader Linux distro support being evaluated for future releases
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
Consolidated reports

Mac OS X
• 10.6 (Snow Leopard)
• 10.7 (Lion)
• Push Software Distribution
• Settings Management
• Hardware and Software Inventory

CM 2012 SP1 - Updates
Wider client operating system and application support
• Windows 8 and Windows To Go
• Windows Server 2012 site systems and clients
• Mac OS clients, Linux and Unix servers
• SQL Server 2012 Configuration Manager database
Better feature support
• Metered connections and always on, always connected in Windows 8
• New deployment types for Windows 8 applications
• Configurable user data and profiles for folder redirection, offline files, and roaming profiles
Greater manageability
• Virtual environment support
• PowerShell cmdlets
• Client notification
• Email alerts for all features

Designing a User Centric Delivery
• Deliver best user experience on each device
• Define application once
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop

User-centric Application Delivery: New Application Model
[Diagram labels: Application (“Package”) · General Information · Administrator Properties · End User Metadata · Deployment Type · Detection Method · Install Command · Requirement Rules · Dependencies · Supersedence · App-V · Windows Script · Windows Installer · CAB]

User-centric Application Delivery: End User Self-service
Administrators publish software titles to catalog, complete with metadata to enable search
Users can browse, select and install directly from Catalog
• Deliver best user experience on each device
• Application model determines format and policies for delivery
[Figure labels: IT; User]

Components
• User Collections
• User Deployments
• Mixed deployment types
• Application Catalog
• Primary Device settings and rules
• User policies

What’s New in Windows Intune
• Unified Management Solution
• Company Portal Application
• Windows RT and Windows Phone 8 Application Distribution
• User-Based Licensing
• Direct Mobile Device Management

Cloud-based Self-service Portal
• Securely provision applications from anywhere
• Single point for application requests
• Users only see the software they have permission to request

Company Portal Capabilities
Columns: Windows RT; Windows Phone 8; iOS; Android
Actions a user can take through the company portal:
• Enroll local device
• Rename devices
• Retire local device
• Wipe other devices remotely
• Install line-of-business apps
• Install apps from the consumer store*
* Stores can be either Windows Store, Windows Phone Store, App Store, or Google Play, depending on the device

Comparing Windows Intune Cloud and Unified Configurations
[Figure panels: Cloud-Only Configuration; Unified Configuration]
Up to 100,000 users, computers, and mobile devices in a single management infrastructure

Windows Intune Unified Architecture
[Architecture diagram; labels: Windows RT · Windows Phone 8 · iOS · Android · App Distribution · Direct Management & App Distribution]

Unified Management Capabilities
Managed through: System Center 2012 Configuration Manager; Windows Intune
Platform columns: Windows 8; Windows 7, Windows Vista, Windows XP; Windows To Go; Mac OS; Windows RT; Windows Phone 8; iOS; Android
Capability rows, with the cell markers that survive:
• Application management
• Endpoint Protection: O O O O
• Hardware Inventory: 1
• Software Inventory: 2 2 2 2
• Remote control: O O O O O
• Reporting
• Software updates: O 4 O
• Compliance settings: 3 3 3 3
• OS deployment: O N/A N/A N/A N/A
• Out-of-band management: O N/A N/A N/A N/A
• Power management: O O O O O
• Software metering: O O O O O
1 = Basic information only through Exchange ActiveSync
2 = Managed applications only
3 = Compliance reporting but no remediation automation
4 = Device User has to accept the update

Comparing the Windows Intune and Exchange Server Connectors
Columns: Management Functionality; Windows Intune connector; Exchange Server connector
Rows, with the cell markers that survive:
• App management/deployment: O
• Public key infrastructure (PKI) security between the mobile device and Configuration Manager: O
• Discovery
• Hardware inventory: 1
• Software inventory: 2 O
• Settings, configuration items and baseline: 3 3
1. For Windows RT, Windows Phone 8, and iOS
2. Through reporting
3. Both Exchange ActiveSync and Windows Intune use the same security template for their settings.

Windows Intune Sites and Portals
• Account Portal
  – https://account.manage.microsoft.com
  – Manage users, account administrators, security groups, subscriptions, partners
• Administrator Console
  – https://admin.manage.microsoft.com
  – Configure cloud-based management
• Company Portal
  – Download apps, associate users with devices, contact IT support
  – Versions for different mobile device types
[Figure labels: System Center 2012 Configuration Manager with SP1; Windows RT Portal; Windows Phone 8 Portal; Company Portal Web Site]

Unified User Centric Management
• Managed Devices
  • No real change
  • Can use “external” portal
• Big benefit is for “unmanaged” devices/BYOD
  • You get some management and reporting (varies by device)
  • You have an easy way to present an application across devices
• This really only works if you have “cross platform” applications
  • Often the cost of building applications far exceeds the cost of enabling devices

Examining a functional deployment
• InTune Connector
• User Collections
• Deployment types for devices
• Company Portals
  • Windows
  • Android
  • iOS? Anyone?

Planning ADFS
• What does ADFS do?
  • Enables SSO
  • Big deal
• Is it needed?
  • No, but highly recommended
  • Affects mobile devices (simpler logon)
• What if you don’t use ADFS?
  • Authenticate to Company Portal using InTune Creds (separate set)
  • Administration must manage through account portal, not AD

Roadmap for Integrating Configuration Manager 2012 with Windows Intune
1. Sign up for Windows Intune account
2. Add domains to Windows Intune
3. Deploy ADFS 2.0
4. Federate with WAAD
5. Set up Active Directory Synchronization
6. Verify single sign-on
7. Configure Windows Intune Subscription
8. Place the Windows Intune connector site system role
9. Enroll and manage mobile devices

Intune App Requirements
Android
• There are no configuration requirements for Android devices
• Before setup: No action required prior to setup
iOS
1. Download a Certificate Service Request using the Request APNs Certificate Service Request dialog box in Configuration Manager
2. Submit the CSR to the Apple Push Certificate Portal and download the APNs certificate (.pem file)
3. Upload the APNs certificate to Windows Intune
• Before setup: No prior action required as process can be completed later in user interface
Windows RT
• There are no initial configuration requirements for enabling management of Windows RT devices
• To enable installation of apps for Windows 8, you need to add a valid code signing certificate and also add sideloading keys to Configuration Manager
• Before setup: No action required - a code signing cert and sideloading keys set up in the UI for app publication
Windows Phone 8
• Add code-signing certificate .pfx or .p12 file
• Upload signed company portal app
• Before setup: Require code signing certificate and signed company portal app

Summary
• People centric is the future, driven by user behavior, not IT governance.
• Start implementing self service as step 1
• Understand the deployment options for each LOB application
• Use InTune to support mobile/BYOD scenarios
• Federate for central management