This presentation covers these subjects:
1. Case study: using SCCM to secure desktops at one of our clients.
2. The Bring Your Own Device (BYOD) concept.
3. Windows Intune: PC management and security in the cloud.
Key Messages:
Proliferation of consumer devices and a digital generation entering the workforce lead to higher user expectations of technology at work.
Ubiquitous connectivity and the fast-paced nature of modern business erode the line between people's personal and professional lives. As a result, people's individual workstyles are an increasingly important part of how things get done.
Users increasingly have the final say in what technology they use to get the job done; this is the trend called Consumerization.
We (Microsoft) believe consumerization is great, as it unleashes people's productivity and passion and has the opportunity to drive innovation and competitive advantage. We believe there is power in saying "Yes" to users and their technology requests, and in embracing consumerization in a responsible way.

Talk Track:
Device proliferation, with users having broad access to consumer devices at home, leads to higher user expectations of technology at work. Indeed, according to a recent IDC study, the affluent user around the world ($98K annual income) owns on average 4.8 devices, while in the US the affluent user owns 6.6 devices. Overall, there were an estimated 700M personal computing devices worldwide in 2010, and this is expected to double by 2014 to 1.47B personal computing devices.
The digital generation entering the workplace raises these expectations to a whole new level. A generation that has grown up completely fluent in the language of digital technology, from texting, instant messaging, and blogs to Facebook, YouTube, and Twitter, has dramatically different expectations about the tools they should be able to use at work. These tech-savvy users are also increasingly mobile, and operate in a fast-paced environment. The dynamic environment, along with ubiquitous connectivity, erodes the line between people's life and work.
As the line between people's life and work gets blurred, people's personalities and individual workstyles have an increasing impact on how they get their work done and what technology they prefer to use. As a result, users increasingly want a say in what technology they use to get the job done; this is the trend called Consumerization of IT.
Examples of Consumerization: BYOD (users bringing and using their own PC, slate or phone at work); using social networking at work and for work.
A recent Forrester Research study showed that 35 percent of workers in the United States either buy their own smartphone for work, use unsanctioned Web sites, or download unapproved applications on a work computer. Why? 24% of do-it-yourselfers say the technology is better than what their job provides. 36% say they need it, and their employer won't provide an alternative. And nearly 40 percent say they use it at home and, well, they want it at work, too.
Consumerization is great as it unleashes people's productivity and passion, innovation and competitive advantage. We (Microsoft) believe there is power in saying "Yes" to users and their technology requests in a responsible way, and our goal at Microsoft is to partner with you in IT to enable you to embrace these trends while also ensuring the environment remains secure and well managed.
But embracing Consumerization is not easy for companies, and it presents some key challenges (segue to the next slide).
This is driven by the rise of a "Bring Your Own Device" (BYOD) culture at work, fuelled by a tech-savvy workforce that expects to be able to connect its own devices to the corporate network.

BYOD Possible Benefits
Employee Empowerment
o Allowing users to select and use devices as if their own instills a sense of ownership. This aids in usability, support, and overall happiness.
Reduced Costs
o By giving users their own systems, the users are more likely to understand and support their equipment.
o With OEM-provided service and warranties, it also effectively outsources desktop support.
o This allows the organization to focus on items such as infrastructure and security, less on daily break/fix and maintenance.
Flexibility
o Users now have maximum flexibility for both professional and personal computing, since they are one and the same.
o Being able to support BYOD also means being able to support a mobile workforce, so if someone is sick, they may be able to work effectively from home, thus maintaining company productivity.
Mobile Workforce
o Due to the nature of a global economy and the periodic economic slowdowns, companies have benefited from a mobile workforce.
o This can reduce travel, relocation, and office expenses. It can also provide flexibility for the road warriors who are in the field or on client sites.
Re-purpose old equipment
o A common cost-savings point for VDI in general is the ability to re-use or re-purpose aging and obsolete hardware. Maybe that old P3 with 1 GB RAM won't run Windows 7 effectively. However, as long as it can run the necessary client-side tools, you can connect to a virtual image and upgrade without changing the client hardware.
Thin Client computing
o Other environments are ideal for thin client systems. Education, health care and manufacturing, to name a few industries, have already adopted thin clients as a way to reduce costs and standardize computing. These are commonly used for task workstations.
Gen Y Workers
o More and more IT departments are witnessing and having to deal with the "Consumerization of IT", where employees want the same look and feel at work that they have at home.
o "The biggest thing that most young workers want today is access to social networks like Facebook and Twitter – even in the workplace," says Trent Dilkie, Vice President and CSO of Gibraltar Solutions, Inc.

BYOD Possible Challenges
Supporting Home Systems
o Instead of one manufacturer/model/OS to support, companies can now be faced with hundreds if employees are not successful in supporting themselves.
Cost of Infrastructure
o A solid BYOC program requires that you can support and enforce whatever standards (such as anti-virus) have been put in place, as well as maintain the delivery architecture (secure remote access, application delivery, etc.).
o In many instances it will be harder for companies to "strike a deal" with a single hardware vendor, since employees can choose themselves from several.
o Thought needs to go into whether the company will also purchase other peripherals to go along with the device (i.e. larger monitors, mice, keyboards, laptop bags, etc.).
Security
o Not only anti-virus, but information security.
Need for Revised IT policy
o Since IT would in essence be losing some control, the security model for BYOD would need to be carefully considered and tested; then a corresponding security policy should be written, communicated to the business, and signed by the BYOD participants.
Licensing and Legal Considerations
o In a BYOD configuration, corporate software and personal software may reside on the same hardware. The general argument is that the business will only pay for the applications necessary to perform the employee's duties.
o What are the legal ramifications if inappropriate or illegal material is found on the device, or if it is stolen?
Greater Risk
o "Enterprises that adopt "bring your own PC to work" (aka BYOD) programs will be exposed to higher rates of botnet-compromised PCs" (Gartner).
o "Gartner estimates that approximately 4% to 8% of enterprises PCs have an active botnet client installed."
o "Data from Microsoft implies that 20% to 30% of consumer PCs have been compromised by botnet and other targeted threats" (Gartner).
Scenarios: 1) Home user, 2) contract workers, 3) highly mobile sales workforce, 4) mergers and acquisitions
Consumerisation: Support users anytime, anywhere.
Complement to SCCM: Don't think of it as either/or with SCCM and Intune, but rather how Intune can complement your existing on-premise client management deployment. On the next slide I'll talk about how Intune can help with some of those challenges.
And of course, since the Windows Intune service includes Windows Enterprise upgrade rights, you get the latest and greatest modern OS experience.
Because Intune is a cloud service, we have the ability to release valuable new functionality and get it into our customers' hands more quickly.

Key Messages:
Keeping a corporate network safe and secure can be costly for organizations. IT pros like David face the challenge of keeping non-network PCs secure without incurring huge costs to the business.
David decides to use Windows Intune, an online solution, to manage all the PCs he's responsible for keeping secure and up to date. By choosing Windows Intune, David is able to manage security and updates from one console without the costs of an on-premise infrastructure. He is able to remotely monitor all these PCs and track inventory of software assets.

Talk Track:
David decides to use Windows Intune, an online solution, to manage all the PCs he's charged with keeping secure. David can remotely log into a management console and centrally:
Manage the deployment of Microsoft updates and service packs to all these non-domain-joined PCs.
Manage and update endpoint protection policies on these devices, even when they are outside the corporate firewall.
Push and deploy the Microsoft Malware Protection Engine to ensure these devices have the latest anti-malware software in place.
David can provide remote assistance to resolve PC issues as long as the PC has an internet connection. David can track hardware and software inventory to efficiently manage corporate licenses used. These PCs have access to enterprise features available in the Windows 7 Enterprise SKU, such as BitLocker encryption, to ensure data is safe even when the device is lost.
By choosing Windows Intune, David selects a Flexible Workstyle solution that allows him to manage security and updates from one console without the costs of an on-premise infrastructure.

Key Message: Outline the complete picture of how the Windows Intune agents, service, and console work together.
Note: This is an animated slide (the bricks icon in the top right is a visual reminder in the slide).
There are three main technology components to the Windows Intune solution.
The first component is the Windows Intune service itself, which has been designed from the ground up as a highly scalable and reliable cloud-based service. The design of the Windows Intune service was based on the work that was done for the Microsoft Update Service (the world's largest cloud-based service). The geographically dispersed data centers that support this service are enterprise-class, redundant systems that support millions of customers every day.
The next component is the Windows Intune client agents, which handle the communications from the PC to the Windows Intune service. All of these communications are secured and encrypted by using Secure Sockets Layer (SSL). These communications are initiated from the client over Port 80 or Port 443, both of which tend to work with most organizations' firewalls without additional configuration; no inbound connection to the PC is needed.
The final component is the Windows Intune administrator console, which accesses this data from the managed computers. This console is also secured and encrypted by using SSL. Only a Windows Live ID that has specifically been granted administrative rights to the account may access the Windows Intune administrator console.
But for those businesses limited in manpower and looking for greater flexibility, Windows Intune can help. Windows Intune leverages the management expertise that went into building our on-premises product and has made significant strides in evolving the service with its latest October 2011 release to become increasingly enterprise-ready.
The cloud service component in Windows Intune is delivered through a single, easy-to-use Web-based console. Through this console, IT professionals can complete a broad range of PC management and security tasks for all Windows Intune-managed PCs. All that's needed is an Internet connection and the Windows Intune client installed on each PC they wish to manage. With Windows Intune, IT can:
Help protect PCs from malware with centralized protection built on the Microsoft Malware Protection Engine. This leverages the same trusted technologies as Forefront Endpoint Protection and Microsoft Security Essentials.
Centrally manage the deployment of updates to Microsoft and now most third-party software, keeping the applications your workers need current.
Distribute software: One of the top feature requests for Intune since we've been in market has been software distribution. With this release, we are pleased to share that we've now added this capability. Deploy most software, like Microsoft Office 2010 or third-party applications, to PCs located nearly anywhere. You don't need a server infrastructure or to physically touch each PC to install the software or update.
Proactively monitor PCs: Receive alerts on updates, threats, offline PCs and more, so that you can proactively identify and resolve problems with your PCs from virtually anywhere. With this latest release, you can configure alert types to be reported according to a specified threshold, frequency, or number or percent of computers affected. This helps IT pros be as proactive as they would like about potential issues and provides early insight into the magnitude of an issue.
With remote assistance included, IT can deliver remote management and protection to keep both IT and end users productive from virtually anywhere. With this October release, we've further enhanced the remote support that can be delivered: IT can now remotely perform the following tasks on Windows Intune-managed PCs from the administration console: Full scan, Quick scan, Restart, Update Malware Definitions.
Track hardware and software inventory to help customers with IT planning and asset management.
Manage your licenses: Manage Microsoft Volume License Agreements and other license agreements, such as Microsoft retail and OEM licenses as well as third-party software, to track how many licenses you've purchased against what you've installed.
Increase insight with reporting: Generate and save reports on updates, software, hardware, and licenses. Export data as a comma-separated value file and import it directly into Microsoft Excel for further analysis. With the new hardware filters, you can create detailed hardware reports. Across all report types, you can now save report parameters, making it easy to run a specific report again in the future when your environment has changed. For example, you can now create reports identifying PCs with low disk space or PCs with less than 2GB RAM and be more proactive about potential hardware issues, recommending next steps or needed upgrades before a user runs out of hard disk space and experiences performance issues.
Set security policies: Centrally manage update, firewall, and malware protection settings across all PCs, even on remote machines outside the corporate network.
A couple of the major benefits of being cloud-based are that there are no infrastructure requirements and that we can release updates to the service more quickly than for our on-premises products.
In just under one year, we've already had two commercial releases of Windows Intune, delivering richer features and functionality to continue to simplify PC management and security. These updates further help IT professionals and partners deliver proactive PC management and security in new ways, with lower costs and higher IT and end-user productivity. It's important to note that with each update the core architecture remains unchanged; each new update builds upon the prior version, so regardless of when Windows Intune customers purchase the service, they automatically get the latest and greatest features available.

Our goal with this release is to help IT pros "enable users to be productive from anywhere, anytime, on any device", but offer that flexibility within the security boundaries defined by IT. So let us look at the three new areas we have invested in for this release to help IT achieve that goal.
IT pro experience: Our initial two releases in 2011 offered IT pros a device-centric management tool. But now each user has multiple devices, so it becomes much simpler to manage those devices based on the user's profile/role than to manage the devices directly.
Self-service portal for end users: We have developed a Company Portal that enables end users to self-service basic IT tasks. This is a win-win situation: it helps IT reduce some help desk costs, and end users feel they have more control, especially around getting access to the applications they want from any of their devices.
Modern device management: Help IT deal with a heterogeneous device environment by supporting iOS and Android devices in addition to Windows phones. We will help you secure them and make users productive on them.
Optional: All of this has been built on a strong underlying theme of user centricity. The SCCM 2012 release has already pioneered this space, and we have adopted key concepts to make them available through a cloud-based service so you can manage remote users and their devices.
Let us now look into the features offered in each of these areas in detail.
3rd party update support: push 3rd party updates, like Adobe. Builds on the WSUS and Microsoft Update framework and leverages the proven WSUS platform.
Design your update management workflows:
Approval rules: security updates install on "All Computers".
Update agent policy lets you manage update detection frequency, the update installation schedule and the end-user experience of updating the machine.
Manually approve "needed" non-SP updates to "Test", then to "All Computers" a week later.
Manually approve a needed service pack to Test, then gradually roll it out via existing target groups (typically in a region/role structure).
Makes Patch Tuesday easy: alerts for new updates to be approved; approve and/or decline updates; monitor status (needed, pending, failed, etc.) at the system, group, computer and update levels.
Configuration options to choose the updates to manage and customize the updates agent:
Products and classifications for the updates you want to manage (what updates do you want to manage?)
Auto-approval rules (do you want to automate initial approvals?)
WUA policies (e.g., daily or weekly scheduled install)
Can customize WUA "scanning, downloading, and installing": sample VB script for advanced scenarios such as patch on first boot, non-standard install schedule, etc.

Built on the same Microsoft Malware Protection Engine used by Forefront Endpoint Protection 2010 and Microsoft Security Essentials:
Real-time protection
Highly accurate and efficient threat detection
Network Inspection Service
Behavior monitoring
Dynamic signature service
System-wide, per-group and per-computer status:
Malware infections needing follow-up
Recently cleaned computers
Computers that are not protected
Computers with protection warnings (scan overdue, definitions out of date, RTP disabled, etc.)
Most common malware system-wide
Computers running 3rd party malware protection software

Built on the same policy engine:
Set endpoint protection based on Microsoft recommended settings
Policy compliance status

Publish and deploy from anywhere to PCs anywhere: all you need is access to a browser and the application installer binary.
Highly reliable, available, secure hosting and distribution of applications:
Customer content is opaque to everyone but the customer
Multi-tenant, persistent, fault-tolerant and geo-distributed store
Easy deployment, monitoring and servicing:
Apps can be easily deployed to managed PCs for scheduled or immediate installs
Easy monitoring of installs through the admin console
Updates to applications can be easily rolled out
Failure investigation, uninstall
Talking point for slide and demo: in wave 2 we push apps to PCs; there isn't a concept of the user, nor the ability to grant access to "Available" software. It is focused on "mandatory" software. In a few minutes we'll talk about how we've enhanced this in the coming release.
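The WUA "scanning, downloading, and installing" customization mentioned for advanced scenarios (patch on first boot, non-standard install schedule) can be scripted against the Windows Update Agent COM API. The script below is an added example, not the sample VB script from the slides: it scans for needed updates, keeps only those whose MSRC severity matches a policy modelled on the "security updates to All Computers" approval rule, and installs them only when -Install is passed. The update source (Intune/WSUS or Microsoft Update) is assumed to be configured by policy already.

```powershell
# Added example (not Windows Intune's own sample script). Run elevated on the client.
# Assumptions: the PC's update source is already set by policy; this script only
# controls scan, selection, download and install. Default mode is report-only.
param(
    [ValidateSet('Critical','Important','Moderate','Low','Unspecified')]
    [string[]]$Severity = @('Critical','Important'),  # mirrors an "approve security updates" rule
    [switch]$Install                                   # without it: scan and report only
)

$session = New-Object -ComObject 'Microsoft.Update.Session'
$session.ClientApplicationID = 'Scheduled patch job (example)'
$searcher = $session.CreateUpdateSearcher()

# Scan: what is "needed" on this machine (not installed, not hidden, software updates only)
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Selection: keep only updates whose MSRC severity matches the policy above.
# Service packs carry no MSRC severity, so they fall into 'Unspecified' and are
# left to the manual Test-group rollout described in the notes.
$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unspecified' }
    if ($Severity -contains $sev) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
    }
    # Report line matching what the console shows as "needed"
    '{0,-11} {1}' -f $sev, $u.Title
}

if (-not $Install -or $toInstall.Count -eq 0) {
    "Scan complete: $($result.Updates.Count) needed, $($toInstall.Count) selected by policy."
    return
}

# Download, then install; WUA reports OperationResultCode 2 for "succeeded"
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) { throw "Download failed with ResultCode $($dl.ResultCode)" }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
"Install ResultCode=$($inst.ResultCode) RebootRequired=$($inst.RebootRequired)"
```

Schedule it with Task Scheduler (for example, a trigger "At startup" for the patch-on-first-boot case) and keep the default report-only mode on the Test group until the output matches the console's needed/pending status.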
The new features allow admins to think users first. We do this through three new features.
The lifecycle of user management starts with user identity. Most of our enterprise customers rely on AD for this. We are able to offer an integrated single sign-on experience for both admins and end users into Windows Intune by integrating with your on-premise directory. We do this by integrating Intune with Microsoft Azure Active Directory, Microsoft's cloud-based directory service. Prior to this release we used Live ID for admin logins to Intune. While it is secure, Live services are more suited to consumer scenarios like SkyDrive/Hotmail. With our move to integrate with Azure AD, you now have an enterprise-class, scalable identity system that is used by other Microsoft services like Office 365.
UDA: We help you define and manage the relationship between a user and his/her devices. This gives you a much better perspective of the devices connecting to your network. End users claim ownership when they enroll a PC or connect to Exchange with a mobile device. When a user leaves or transfers, you can reassign. Impact analysis is also more powerful, as you know which user has an issue rather than just knowing about the device.
Dynamic grouping: Wave 2 group membership was a static list. We now provide details about users and their relationship to security groups and their manager, so you have the relationship of user to device plus user to security groups/manager, and admins can define targeting groups based on these relationships.

Now let us look at the features enabled for your end users.
One of the biggest issues for IT today is how to get management agents installed on the devices of remote users. Even if you have an excellent software distribution product, it is still difficult to reach these devices. With our new Windows Intune Company Portal, all you need to do is ensure users have a Windows Intune account and send them an email with the URL of the Company Portal. They can easily self-enroll, and those devices start showing up immediately in your IT console. During this process users are also automatically providing user device affinity.
Second, you can create a customized corporate software catalog for your end users. Mandatory apps can still be "pushed" to devices, but all optional apps can now be published based on the user's role, and users can self-service them from any of their devices.
The portal can be completely custom-branded to suit your organization's needs.

Web-based software catalog:
Easily search and install software
Users decide what software/apps to install from the catalog made available to them
Install software locally/remotely
Administrator privileges are not needed
Contact IT for support
Get Your Desktops Secure with System Center Configuration Manager 2012
Asaf Nakash, IT Project Manager, Dario IT Solutions
Asaf.firstname.lastname@example.org, +97254970078
Case Study – Desktop Lock Down
Financial organization, about 300 desktops. The organization is subject to regulation rules. Using Microsoft Windows XP.

Case Study – Challenges
Using Microsoft Windows XP SP2 and can't update to newer versions.
Users have administrative rights on the local computer.
Users install a lot of applications locally.
Application lockdown approach: blacklist. The blacklist must be updatable immediately.

Case Study – Solution
Use SCCM with two titles:
* Lockdown Package
* Lockdown Advertisement
* Up-to-date lockdown
Monitoring job: a blacklist, using Software Inventory to get SCCM + SQL reports on unauthorized applications.
Active protection: lock the computer. We created a program (Lockdown Script.exe) that locks down the Windows XP client. The blacklist is stored in SCCM and can be updated.

Case Study – Future Solution: AppLocker
Users can install and run unapproved applications; even standard users can install some. Unauthorized applications may:
Introduce malware
Increase helpdesk calls
Reduce user productivity
Undermine compliance efforts
AppLocker:
Eliminate unwanted/unknown types of software applications in your network
Enforce application standardization within your organization
Easily create and manage flexible rules using Group Policy
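Two added examples for the case study above; neither is the client's own Lockdown Script.exe or reporting job, and the server, database, file names and paths in them are placeholders or constructed samples. The first reports blacklisted executables found by SCCM software inventory by querying the site database views (v_GS_SoftwareFile, v_R_System), which is the "SCCM + SQL" monitoring job described in the solution slide.

```powershell
# Added example (not the case study's reporting job): list computers on which SCCM
# software inventory has seen a blacklisted executable. Assumptions: v_GS_SoftwareFile
# is populated because software inventory collects *.exe; server/database/blacklist
# values below are placeholders and constructed samples.
param(
    [string]$SqlServer = 'SCCM-SQL\INSTANCE',   # placeholder
    [string]$Database  = 'SMS_XYZ',             # placeholder site database
    [string[]]$Blacklist = @('utorrent.exe','teamviewer.exe','putty.exe'),  # constructed sample
    [string]$OutCsv = '.\blacklist-report.csv'
)

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$cmd = $conn.CreateCommand()

# Parameterised IN list: blacklist names are never concatenated into the SQL text,
# so an entry such as "x');--" in the blacklist file cannot change the query.
$paramNames = @()
for ($i = 0; $i -lt $Blacklist.Count; $i++) {
    $p = "@f$i"
    [void]$cmd.Parameters.AddWithValue($p, $Blacklist[$i])
    $paramNames += $p
}
$cmd.CommandText = @"
SELECT s.Name0 AS Computer, s.User_Name0 AS LastUser,
       f.FileName, f.FileVersion, f.FilePath, f.FileModifiedDate
FROM   v_GS_SoftwareFile f
JOIN   v_R_System s ON s.ResourceID = f.ResourceID
WHERE  f.FileName IN ($($paramNames -join ','))
ORDER  BY s.Name0, f.FileName
"@

$hits = @()
$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $hits += [pscustomobject]@{
            Computer = $reader['Computer']; LastUser = $reader['LastUser']
            FileName = $reader['FileName']; FileVersion = $reader['FileVersion']
            FilePath = $reader['FilePath']; Modified = $reader['FileModifiedDate']
        }
    }
} finally { $conn.Close() }

# Per-computer summary for the follow-up lockdown job, plus a CSV for the audit trail
$hits | Group-Object Computer | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group.FileName | Sort-Object -Unique) -join ', ')
}
$hits | Export-Csv -Path $OutCsv -NoTypeInformation
"$($hits.Count) blacklisted file(s) on $(($hits | Group-Object Computer).Count) computer(s)"
```

The second example builds the AppLocker whitelist the "future solution" slide points to from a clean reference build, writes it in audit-only mode, and tests it against sample binaries, so the blacklist findings can be compared with what a whitelist would have blocked before any rule is enforced. AppLocker requires Windows 7 Enterprise or later, not the XP clients in the case study.

```powershell
# Added example (not part of the case study): AppLocker whitelist from a reference
# build, applied in audit mode first. Assumptions: run elevated on a clean reference
# machine; $Candidates must exist locally (e.g. copies of files flagged by the SCCM
# report); the GPO LDAP path in the final comment is a placeholder.
param(
    [string[]]$ReferenceDirs = @("$env:ProgramFiles", "$env:windir\System32"),
    [string[]]$Candidates = @('C:\Quarantine\utorrent.exe'),   # constructed test path
    [string]$OutFile = "$env:TEMP\applocker-audit.xml"
)

# Collect publisher and hash information for executables present on the reference build
$fileInfo = foreach ($d in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# Prefer publisher rules (they survive vendor updates); fall back to hash rules for
# unsigned files. -Optimize merges rules that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml

# Set the Exe collection to AuditOnly: events 8003 are logged, nothing is blocked yet
[xml]$doc = $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$doc.Save($OutFile)

# Show what the policy would decide for the candidate (blacklisted) binaries
Test-AppLockerPolicy -XmlPolicy $OutFile -Path $Candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Deploy through Group Policy once the audit events look right (placeholder DN):
# Set-AppLockerPolicy -XmlPolicy $OutFile -Ldap 'LDAP://DC=example,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
```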
Mobile Device Management
Light Management
• EAS-based policy delivery
• Discovery and inventory
• Settings policy
• Remote wipe
Depth Management
• Secure over-the-air enrollment
• Monitor and remediate out-of-compliance devices
• Deploy and remove applications (WinCE 5.0, 6.0, 7.0; Windows Mobile 6.0, 6.1, 6.5.x)
• Inventory
• Remote wipe

"Depth" Mobile Device Management
Establishes mutual trust between the device and the management server.
Extend and align mobile device management: integration of Mobile Device Manager and SCCM features.
Enable secure, compliant mobile devices: secure over-the-air enrollment; monitor and remediate out-of-compliance devices; deploy and remove applications; inventory.
Devices are enrolled and provisioned securely over the air.

"Light" management via Exchange
Provides basic management for all Exchange ActiveSync (EAS) connected devices.
Features supported: discovery/inventory, settings policy, remote wipe.
Supports on-premise Exchange 2010 and hosted Exchange.

Bring Your Own Device
Using a combination of SCCM and Windows Intune in order to give full support.
How We Work and Live is Changing... Fast!
No longer about "work-life balance," but work-life integration, using many devices to collaborate and participate.
IMPACT: Employees expect to use THEIR devices of CHOICE.

BYOD – Benefits & Challenges
Bring Your Own Device (BYOD): the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources.
Benefits:
• Employee empowerment
• Reduced cost
• Flexibility
• Mobile workforce
• Attract Gen Y workers
Challenges:
• Mobile workforce
• Cost of infrastructure
• Security
• Need for revised IT policy
• Legal & HR considerations
• Greater risk

Bring Your Own Device Strategy (axes: Trust vs. Freedom)
Here is Your Own (Managed): predefined devices, strict policies.
Choose Your Own (Semi-Managed): whitelisted devices, loose policies.
Bring Your Own (Semi-Managed): freedom of devices, loose policies.
On Your Own (Unmanaged): freedom of devices, no policies.

CHALLENGING BYOD SCENARIOS
• Workers in many locations
• Non-domain-joined devices
• Workers "offline" for extended periods
• Compromised security on remote devices
• Multiple configurations, versions
• Lack of insight into devices & inventory
• Infrastructure investments required

Windows Intune Pillars
Empower Your Users Without Excess Cost and Increased Risk: enable mobile devices without increasing business risk; empower users to get the applications they need for the device they are using.
Help Promptly Manage and Secure PCs Anywhere: fast online device security & management; distribute software; help keep devices secure & working at their best.
Drive Efficiency and Reduce Complexity: drive efficiency with the cloud infrastructure; gain better insight into your IT estate to control spend and stay compliant.
Vision
Deliver the best user experience; embrace consumerisation trends with enterprise-class management.

Cloud management for Windows devices
Use online services to manage, secure and keep your Windows, iOS and Android devices updated.
(Diagram: IT administers Windows Intune, which manages security & updates on the devices; intelligent infrastructure underneath.)
Benefits
• No on-premise infrastructure required
• You always have the latest features
• Easy monitoring and reporting
• IT can manage security and updates from anywhere

MANAGE & SECURE PCS AND DEVICES ANYWHERE
Simple Web-based administration console and a friendly IW experience.
Enabling Flexible Workstyles: devices can be managed from the office, a branch office, or on the road; IT and partners can work from virtually anywhere.

WHAT'S NEW in Windows Intune: User Centric Management
IT Pro experience: enable IT pros to think users first.
User centric: empower end users to self-service their management needs.
Device Management: manage corporate and personally owned mobile (phone & tablet) devices.
Desktop Monitoring and Alerts
System Center Operations Manager 2007 R2 agent for desktop monitoring.
Windows, Office and desktop application monitoring provided in-box.
Configurable alert categories and alert thresholds to reduce noise.
Configurable email notifications.

UPDATE MANAGEMENT
Builds on the WSUS and Microsoft Update framework.
3rd party update support.
Design your update management workflows.
Easy ongoing management (Patch Tuesdays are easy).
Configuration options to choose the updates to manage and customize the updates agent.

ENDPOINT PROTECTION
Built on the same protection engine used by FEP 2010.
System-wide, per-group and per-computer status.
Follow-up actions provided by remote tasks.

POLICY
Built on the same policy engine as SCCM 2012.
Set Endpoint Protection, Update and Firewall policies.
Policy compliance status reporting.

USER CENTRICITY FOR END USERS
Enable IT self-service for end users with the Company Portal.
Self-enroll devices, view all my devices, manage device affinity.
Web-based software catalog:
– Easily search and install software
– Users decide what software/apps to install from the catalog made available to them
– Install software locally/remotely
– Administrator privileges are not needed