
System Center 2012 R2 Configuration Manager (SCCM) with Windows Intune


Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that help IT departments handle the influx of consumer-oriented technology and the work-style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.

Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by:

1. Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.

2. Helping protect your data by protecting corporate information and managing risk.

3. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure.

Let’s discuss each of these areas in more detail.

Published in: Technology


  1. System Center 2012 R2 Configuration Manager with Windows Intune
     Amit Gatenyo, CEO, Dario; Microsoft Regional Director – Management & Windows Server; 054-2492499; Amit.g@dario.co.il
  2. Today’s challenges
     • Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
     • Apps: Deploying and managing applications across platforms is difficult.
     • Data: Users need to be productive while maintaining compliance and reducing risk.
     • Users: Users expect to be able to work in any location and have access to all their work resources.
  3. Empowering People-centric IT (Users, Devices, Apps, Data; Management, Access, Protection)
     • Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
     • Protect your data: Help protect corporate information and manage risk.
     • Unify your environment: Deliver unified application and device management on-premises and in the cloud.
  4. Selecting the Management Platform
     • Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune.
     • Cloud-based Management: Standalone Windows Intune
       • No existing Configuration Manager deployment
       • Simplified policy control
       • Simple web-based administration console
  5. System Center 2012 R2 Configuration Manager
     • Enable Users: Allow people to be more productive from almost anywhere on almost any device.
     • Simplify Administration: Improve IT effectiveness and efficiency.
     • Unify Infrastructure: Reduce costs by unifying IT management infrastructure.
  6. Enable Users
     • Unified Device Management
     • User-centric Application Delivery
  7. Unified Device Management
     • Mac OS X
     • Windows PCs (x86/64, Intel SoC), Windows to Go
     • Windows Embedded
     • Windows RT, Windows Phone 8.x
     • iOS, Android
  8. Platform Support
     OS Platform | Management Agent | End User Experience
     Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog; Windows Company Portal app
     Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
     Windows RT | Management agent (OMA-DM) | Windows Company Portal app
     Windows Phone 8 / Windows Phone 8.1 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
     iOS | Apple MDM Protocol | iOS Company Portal app
     Android | Android MDM agent (OMA-DM) | Android Company Portal app
     Mac | ConfigMgr Agent | Limited self-service experience
     Linux/Unix | ConfigMgr Agent | N/A
  9. Registering and Enrolling Devices
     • IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
     • Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
     • As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
     • Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
     • Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud.
  10. What’s New in Mobile Device Inventory?
     • Personal vs Corporate Owned Devices
       • By default, user-enrolled devices are “Personal”
       • Admin can specify corporate-owned devices
       • “Compromised” device detection
     • App inventory*
       • Personal devices – Inventory only apps installed by ConfigMgr/Intune
       • Corporate devices – Complete inventory of all applications on the device
     • App Management: Global condition to differentiate app installs on corporate versus personal devices
     * Inventory capability varies by device platform
  11. Extensions for Windows Intune
     • Admin is notified that an extension is available when the console is launched
     • Admin goes to Extensions for Intune in the console and enables the extension
     • Extension is activated in ConfigMgr (the extension is enabled on all site systems, then console updates are available)
     • Admin restarts the console, and the console is updated with the extension
     • Admin uses the feature delivered by the extension
     • Admin may wish to disable the extension
  12. Mobile Device Settings in ConfigMgr 2012 R2
     Support matrix by platform (columns: Windows 8.1 PC & RT, Windows Phone 8.1, iOS, Android) for the categories: VPN, Wi-Fi, Certificates, Email Profiles, Password, Device restrictions, Store access, Browsers, Content Rating, Cloud Sync, Encryption, Security, Roaming, Windows Server Work Folders.
     * Device platform supports a subset of the settings
  13. Resource Access Configuration
     • Supported platforms: Windows 8.1, Windows 8.1 RT, Windows Phone 8.1, iOS, Android
     • Benefits: End users get access to company resources with no manual steps for them
     • Features*
       • Management and distribution of certificates
       • Corporate email profile provisioning
       • Configure networking profiles: VPN profiles; support for Windows 8.1 Automatic VPN; Wi-Fi protocol and authentication settings
       • Configure remote connection to work PCs
  14. VPN Profile Management
     • Support for major SSL VPN vendors
     • DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS
     • Application ID based initiation support for Windows 8.1 (Automatic VPN connection)
     • Support for VPN standards like PPTP, L2TP, IKEv2
     • SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
     • A subset of vendors have a Windows / Windows RT VPN plug-in
  15. Wi-Fi and Certificate Profiles
     • Wi-Fi settings
       • Manage Wi-Fi protocol and authentication settings
       • Provision Wi-Fi networks that the device can auto-connect to
       • Specify the certificate to be used for the Wi-Fi connection
     • Manage and distribute certificates
       • Deploy trusted root certificates
       • Support for Simple Certificate Enrollment Protocol (SCEP)
  16. Email profile management (New in January 2014 release!)
     • Manage Exchange ActiveSync accounts
     • Configure account settings and security restrictions
     • Enable certificate authentication
     • Support for iOS and Windows Phone 8
     • Enables selective wipe of the managed email profile (if the platform supports it)
     • Delivered as a Configuration Manager Extension for Windows Intune
  17. Work Folders
     • New feature in the Windows 8.1 client and Windows Server 2012 R2
     • Sync files and data across devices
     • Configuration Manager and Windows Intune support
       • New settings to help provision the Work Folder discovery settings
       • Company Portals have links to Work Folders
  18. Full and Selective Wipe
     Columns: Windows 8.1 (x86/RT, OMA-DM managed) | Windows 8 RT | Windows Phone 8.1 | iOS | Android
     Full Wipe | (per-platform support marks were not preserved in this transcript)
     Selective Wipe – Email | Mail App | Mail App | (marks not preserved) | (marks not preserved) | (marks not preserved)
     Selective Wipe – Company apps and data | Apps uninstalled. Sideloading keys removed. Data removed. | Sideloading keys removed but apps remain installed. | Uninstalled and data removed. | Uninstalled and data removed. | Apps and data remain installed.
     Selective Wipe – VPN and Wi-Fi profiles | Removed. | Not applicable. | Removed. | Removed. | VPN: Not applicable. Wi-Fi: Not removed.
     Selective Wipe – Certificates | Removed and revoked. | Not applicable. | Removed. | Removed and revoked. | Revoked.
     Selective Wipe – Settings | Requirements removed. | Requirements removed. | Requirements removed. | Requirements removed. | Requirements removed.
     Selective Wipe – Management Client | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Management profile is removed. | Device Administrator privilege is revoked.
  19. Unified Device Management Recap
     Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
     Publish email to users (EAS) | Yes | Yes | Yes | Yes
     Publish work folders to users | Yes | Yes | Yes | Yes
     Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
     Audit logging and monitoring | – | Yes | Yes | Yes
     Unified Device Management | – | – | Yes | Yes
     Unified Application Management | – | – | Yes | Yes
     Selective data wipe | – | – | Yes | Yes
     Compliance reporting | – | – | Yes | Yes
     Group Policy and login scripts | – | – | – | Yes
     OS deployment and imaging | – | – | – | Yes
     Configuration management | – | – | – | Yes
     Patch management | – | – | – | Yes
     Anti-malware management | – | – | – | Yes
     Full application management | – | – | – | Yes
     BitLocker management | – | – | – | Yes
  20. User-centric Application Delivery: Windows 8 Apps
     • Benefits
       • Software distribution updated
       • End user installation same as today
       • End users have one location for all enterprise apps
     • Diagram: Windows RT / Windows 8 clients, Windows Store, Firewall, Corporate Applications
  21. User-centric Application Delivery: Administration
     • Delivery Evaluation Criteria: User; Device type; Network connection
     • User/Device Relationships
       • Primary Devices: MSI; App-V; Windows 8 Apps; Windows 8 Apps in the Windows Store
       • Non-primary Devices: VDI; Remote Desktop
  22. User-centric Application Delivery: End User Self-Service
     • IT Administrators publish software titles to the catalog, complete with metadata to enable search
     • Users can browse, select and install directly from the Catalog
     • Deliver the best user experience on each device
     • The application model determines the format and policies for delivery
  23. Unify Infrastructure: Reduce costs by unifying IT management infrastructure
     • Reduced Infrastructure Requirements
     • Endpoint Protection
     • Compliance and Settings Management
     • Distribution Point for Windows Azure
     • Software Update Management
     • Content Management
  24. Reduced Infrastructure Requirements (reasons why each site type is deployed; the slide marks some as obsolete reasons)
     • Central Administration Site: Scale; Support multiple primary sites; Future-proofing your hierarchy (SP1)
     • Primary Sites: Client assignment (up to 100k); Reduce impact of a primary site failing; Political reasons; Delegated administration; Different client agent settings; Language packs; DMZ/Internet facing; Untrusted forests (new in R2)
     • Secondary Sites: Content fan-out; Manage upward flow of WAN traffic; Content routing; Throttling (now in Distribution Points)
     • Distribution Points: Distribute content; Branch Distribution Points
  25. Consolidation and Cross-platform Integration
     “We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the maintenance costs.” – Systems management administrator at a US-based manufacturing company
     • Consolidation
       • Co-locating site system roles onto a single server
       • Eliminating servers required for client security
       • Simplifying system architecture by reducing the number of sites
     • Cross-platform Integration*
       • Manage non-Windows desktops including Mac OS X
       • Manage non-Windows servers including Linux and UNIX
       • Access business apps on non-Windows machines via Citrix XenApp integration
     * Cross-platform integration enhancements are available with Configuration Manager Service Pack 1 (beta released in September 2012)
     600 hours or U.S. $30,000 saved each year due to reduced administration overhead – Business Value of Microsoft® System Center 2012 Configuration Manager
  26. Unified Device Management Configuration
     • Device management integrated directly into the console
     • Simple Windows Intune Subscription set-up
     • Centralized branding and customization of the Company Portal experience
     • Windows Intune Connector deployed as a Site System Role
  27. Security and Compliance: Endpoint Protection
     • Unified Infrastructure: Simplified server and client deployment; Streamlined updates; Consolidated reporting
     • Comprehensive Protection Stack: Behavior monitoring; Antimalware; Dynamic Translation; Windows Firewall Management
  28. Security and Compliance: Settings Management
     • Diagram: ConfigMgr MP delivers a Baseline to the ConfigMgr Agent; a Baseline is a set of Configuration Items drawn from WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File and Active Directory; non-compliance triggers Auto Remediate OR Create Alert (to Service Manager)!
     • Improved functionality
       • Copy settings
       • Trigger console alerts
       • Richer reporting
       • Enhanced versioning and audit tracking: ability to specify versions to be used in baselines; audit tracking includes who changed what
       • Pre-built industry-standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator
       • Assignment to collections
       • Baseline drift
  29. Security and Compliance: Software Update
     • Diagram: CAS; Primary Site SUP Role/WSUS downloads updates from Microsoft Update and identifies who needs updates and reports on compliance; Primary Site MP Role assigns policy to scan for update status or to deploy updates; Primary Site DP Role distributes updates; clients report compliance
     • Auto Deployment: Faster deployment through search; Schedule content download and deployment to avoid reboots during work hours
     • State-based Updates: Allows individual or group deployment; Updates added to groups auto-deploy to targeted collections
     • Optimized for New Content Model: Reduce replication and storage; Expired updates and content deleted
  30. Distribution Point for Windows Azure
     • Diagram: Primary site PR1 (MP, DP) behind the corporate firewall; Windows Azure Distribution Point; Microsoft Update; Policy and Content flows
     • Rich feature set: Integrated monitoring; In-console content monitoring; Ability to monitor storage and traffic-out usage; Content is fully encrypted
  31. Content Management in R2
     • Pull DP improvements
       • The sources for a pull DP can be randomized to achieve load balancing and flexibility
       • Pull DP in-console monitoring on par with a standard DP
       • Enable a pull distribution point to send state messages via the MP
     • Infrastructure improvements
       • Reduced the amount of interaction between remote DPs and the Distribution Manager
       • Optimized content distribution by adding distribution point priority and keeping send requests in SQL
       • New report: Distribution Point Usage – shows how much a particular DP gets used
  32. Simplify Administration: Improve IT effectiveness and efficiency
     • Modern Management Console
     • Role-based Administration
     • Operating System Deployment
     • Asset Intelligence
     • Client Health
  33. Modern Management Console
     • Intuitive ribbon interface
     • In-console alerts
     • Global search capability
     • New collection membership rules allow better filtering of members
     • Windows PowerShell enablement
  34. Unified Device Management Console
     • Mobile device management integrated directly into the console experience
     • Common tools for policy and application management
     • Unified reporting across device platforms
     • User collections enable user-centric setting and application deployment across device types
  35. Role-based Administration
     Functionality | ConfigMgr 2007 | ConfigMgr 2012
     What types of objects can I see and what can I do to them? | Class rights | Security roles
     Which instances can I see and interact with? | Object instance permissions | Security scopes
     Which resources can I interact with? | Site-specific resource permissions | Collection limiting
     • Meg – WW Central System Administrator
     • Louis – Software Update Manager for France
       • Can see & update “France” desktops
       • Cannot modify security settings on “France” desktops
       • Cannot see “All Systems” or “U.S.” desktops
     • Bob – US and France Security Admin
       • Can see and modify security settings on “France” and “U.S.” desktops
       • Cannot update “France” or “U.S.” desktops
       • Cannot see “All Systems”
     • Map the organizational roles of your administrators to defined security roles: Security organization role; Geography
     • Reduces error, defines span of control for the organization
     • RBA enhancements in R2 include SQL Reporting
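The RBA slide above describes the three questions (which object types, which instances, which resources) without showing how the answers are wired together. The following is an added example, not code from the slides or from Microsoft: it expresses the “Louis – Software Update Manager for France” mapping with the Configuration Manager console PowerShell cmdlets. “Software Update Manager” and “All Systems” are built-in ConfigMgr names; the site code PS1, the domain account CONTOSO\louis, the security scope “France” and the collection “France Desktops” are assumed placeholders.

```powershell
# Added example (not from the slides): Louis gets the built-in "Software Update Manager"
# role, limited to the "France" security scope and the "France Desktops" collection,
# so he can deploy updates to France desktops but cannot see "All Systems" or U.S. desktops
# and cannot touch security settings (that role does not grant them).
# Assumed placeholders: site code PS1, account CONTOSO\louis, scope "France", collection "France Desktops".

# Load the console module and switch to the site drive (standard console pattern)
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "PS1:"

# Which instances can he interact with? A security scope that tags France-owned objects.
New-CMSecurityScope -Name "France" -Description "Objects owned by the France team" | Out-Null

# Tag the France desktops collection with that scope so scope members can see it.
$collection = Get-CMDeviceCollection -Name "France Desktops"
Add-CMObjectSecurityScope -InputObject $collection -Name "France"

# Which object types and actions? The role. Which resources? The limiting collection.
# Note the absence of "All Systems": the limiting collection is what keeps U.S. desktops out of view.
New-CMAdministrativeUser -Name "CONTOSO\louis" `
    -RoleName "Software Update Manager" `
    -SecurityScopeName "France" `
    -CollectionName "France Desktops" | Out-Null

# Verify the grant: role, scope (CategoryNames) and limiting collection for the account.
Get-CMAdministrativeUser -Name "CONTOSO\louis" |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Reading the verification output against the slide’s bullets is the check: the role answers “what can he do”, CategoryNames answers “which instances”, and CollectionNames answers “which resources”; any extra scope such as the default one or an “All Systems” entry in that list would widen Louis’s span of control beyond what the slide intends.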
  36. Operating System Deployment: Multiple Deployment Method Support
     • PXE-initiated deployment allows client computers to request deployment over the network
     • Multicast deployment to conserve network bandwidth
     • Stand-alone media deployment for no network connectivity or low bandwidth
     • Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
     • User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
     • Diagram: CAS; Primary Site MP Role; Primary Site DP Role; Image; Task Sequence; Report; WDS PXE Server
  37. Core Operating System Deployment Scenarios
     Scenario | Key Functionality
     New computer | Fresh install of a new operating system on a client or server system; New or repurposed hardware
     PXE boot | Integrate with Windows Deployment Services (WDS) PXE server; Self-provisioning via F12
     Wipe-and-load | Install new version of operating system; Reinstall applications and user state under the new operating system
     Side-by-side | Similar to wipe-and-load, except between two different devices
     Offline with removable media | With low bandwidth or no connectivity; Large software packages are on the media
     Prestaged Media | Optimized for network bandwidth; Speeds up end-to-end deployment
  38. Client Activity and Health
     • In-console view of client health
     • Threshold-based console alerts
     • Heartbeat DDRs
     • HW/SW inventory and status
     • Remediation
  39. Asset Intelligence, Inventory, and Software Metering
     • Consolidated/simplified reporting that allows you to
       • Understand software installation profiles
       • Plan for hardware upgrades
       • Identify over- or under-licensing issues
       • Track custom apps or groups of titles
     • Diagram: ConfigMgr Inventory; Asset Intelligence Catalog; Asset Intelligence Service; Software Metering and License Reports; Real-Time Application and Hardware Intelligence
  40. Summary (features grouped as Enable / Unify / Simplify, with status per release: 2012, 2012 SP1, 2012 R2)
     • Enable: User-centric Application Delivery; Modern Device Management
     • Unify: Reduced Infrastructure Requirements; Content Management; Software Update Management; Compliance and Settings Management; Endpoint Protection; Distribution Point for Windows Azure
     • Simplify: Role-based Administration; Operating System Deployment; Asset Intelligence, Inventory and Software Metering; Modern Management Console; Windows PowerShell; Client Health
     • Status labels used on the slide: New, Improved, Unified, EAS, User-centric, Updated engine, Improved RBA in Reporting, Windows 8.1 support, Improved Web App deployment, Integrated, Auto remediation, Win 8 Apps, Flexible hierarchies, Real-time actions, User profile and data, Additional cmdlets
  41. System Center 2012 R2 Configuration Manager with Windows Intune
     Amit Gatenyo, CEO, Dario; Microsoft Regional Director – Management & Windows Server; 054-2492499; Amit.g@dario.co.il
  42. Windows Embedded Support
     • Supported Write Filters
       • File Based Write Filters (FBWF) (preferred for scalability)
       • Enhanced Write Filters (EWF) RAM
     • Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly.
     • Ability to force persistence of changes for: Applications; Packages and programs; Software updates; Task sequences; Endpoint Protection client installation
     • Eventual persistence of changes for: Client agent settings; Settings management remediation; Power management
     • Repurposed PC: Windows Thin PC
     • Thin Clients: Windows XP Embedded; Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
     • POS/Kiosk: Same as Thin Clients, plus POS Ready 2009; POS Ready 8
     • Digital Signage: Windows Embedded Standard 2009; Windows Embedded Standard 7; Windows Embedded Standard 8
  43. Linux and UNIX Servers
     • Supported operating systems across both Configuration Manager and Operations Manager
       • Red Hat Enterprise Linux: Version 4 (x86/x64); Version 5 (x86/x64); Version 6 (x86/x64)
       • Solaris: Version 9 (SPARC); Version 10 (SPARC/x86); Version 11 (SPARC/x86)
       • SUSE Linux Enterprise Server: Version 9 (x86); Version 10 SP1 (x86/x64); Version 11 SP1 (x86/x64)
       • Recently added: CentOS 5, 6; Debian 5, 6, 7; Ubuntu 10.4 LTS, 12.4 LTS; Oracle Linux 5, 6; HP-UX 11iv2, 11iv3; AIX 5.3, 6.1, 7.1
       • Earlier versions supported as long as the vendor provides support
       • Broader Linux distro support being evaluated for future releases
     • Hardware and Software Inventory
     • Software Deployment: Using the Package and Program model; Deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
     • Consolidated reports
  44. Mac OS X
     • Configuration Manager native client
     • Key management capabilities
     • Improved enrollment in R2
  45. Scenarios (Hybrid vs Standalone)
     Setting | Hybrid | Standalone
     Default browser | Yes | Yes
     Disable copy and paste functionality | Yes | Yes
     Disable telemetry/diagnostic data submission (SQM/Watson) – granular | Yes | Yes
     Screen capture | Yes | Yes
     File encryption on mobile device | Yes | Yes
     Allow simple password | Yes | Yes
     Alphanumeric password required | Yes | Yes
     Idle time before mobile device is locked (minutes) | Yes | Yes
     Minimum complex characters | Yes | Yes
     Minimum password length (characters) | Yes | Yes
     Number of failed logon attempts before device is wiped | Yes | Yes
     Number of passwords remembered | Yes | Yes
     Password complexity | Yes | Yes
     Password expiration in days | Yes | Yes
  46. Scenarios (Hybrid vs Standalone), continued
     Setting | Hybrid | Standalone
     Bluetooth | Yes | Yes
     Camera | Yes | Yes
     Disable Internet Explorer | Yes | Yes
     Disable USB sync | No | No
     Disable Wi-Fi | Yes | Yes
     Near field communication (NFC) | Yes | Yes
     Prevent user-initiated un-enrollment / disable PC settings | No | No
     Removable storage (any external storage device) | Yes | Yes
     Disable Application Store | Yes | Yes
     Disable Internet sharing over Wi-Fi (tethering) | Yes | Yes
     Disable Wi-Fi offloading | Yes | Yes
     Wi-Fi hotspot reporting | Yes | Yes
     Disable custom email account (all or nothing) | Yes | Yes
     Allow Microsoft Account | Yes | Yes – Roadmap
     Turn on/off location awareness (cellular or GPS) | Yes | Yes
