• Share Microsoft IT's experiences with implementing Bring Your Own Device (BYOD) culture with the help of System Center 2012 SP1 and Windows Intune.

Transcript

Share Microsoft IT's experiences with implementing Bring Your Own Device (BYOD) culture with the help of System Center 2012 SP1 and Windows Intune
Managing Devices at Microsoft

Goals
• Avoid additional hardware investment and network design complexity
• Means to safeguard BYOD assets and access LOB apps
• Management support for Windows 8 and heterogeneous devices
• Single pane of glass for administration, deployment and reporting

Solution: Unified Device Management
• System Center 2012 SP1 Configuration Manager
• Windows Intune

Benefits of Adopting the Unified Solution (Better with Both)
• Native management of modern devices
• Ability to provide users access to apps and data while maintaining security
• Allows end users to connect from anywhere
• No additional infrastructure required

Challenges for Heterogeneous Devices @ Microsoft IT
• Surge in Windows RT and Windows Phone 8 population
• Limited LOB apps for iOS
• Lack of LOB apps for Android
Pre-requisites (with what you need to know)
• Worked with Microsoft Online Directory Services to provision Intune services for the Microsoft IT tenant
  – What you need to know: Directory Sync to synchronize AD data and ADFS setup for single sign-on (http://technet.microsoft.com/enus/library/hh967642.aspx)
• Performed user discovery for the entire Microsoft corporate forest
  – What you need to know: this depends on how wide you want to eventually open up BYOD in your environment
• Set up DNS redirection for enterpriseenrollment.microsoft.com to the Intune environment
  – What you need to know: DNS redirection for enterpriseenrollment.<yourcompany>.com will be needed
Pre-requisites (with what you need to know)
• Windows Phone 8 code signing certificate
  – Has to be a Verisign certificate. Work with your app/security team
• Windows RT code signing certificate and side loading key
  – Purchase the side loading key from the Volume Licensing Service Center
• iOS Apple push notification certificate
  – Generate the request from the Configuration Manager console and obtain the certificate from Apple's portal
• Collaboration with other teams for dependencies
  – AD Team – DirSync and ADFS 2.0
  – App Team – Verisign certificate
  – Security Team – Policy definition
Implementation
• Built ConfigMgr SP1 standalone environment
  – Virtual primary site in the corp domain
  – 12 GB, 4-proc primary site server and 24 GB, 4-proc SQL Server
• Performed user discovery for the entire corp forest
• MSODS team provisioned Intune services for the Microsoft IT tenant and set up the service admin
• Set up DNS redirection for enterpriseenrollment.microsoft.com to the Intune beta environment
• Applied device-specific certificates:
  – Windows Phone 8 code signing cert
  – Windows RT code signing cert & sideloading key
  – iOS Apple push notification cert
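The two external prerequisites the steps above depend on, the enterpriseenrollment.<yourcompany>.com DNS redirection and the ADFS 2.0 endpoint used for single sign-on, can be verified before enrollment is opened up. The following PowerShell script is an added example and is not part of the Microsoft IT deck; it assumes the DnsClient module (Windows 8 / Server 2012 or later), and the domain 'contoso.com', the ADFS host 'sts.contoso.com' and 'manage.microsoft.com' as the expected CNAME target are placeholders to substitute.

```powershell
# Added example (not from the Microsoft IT deck): verify the DNS redirection and
# ADFS prerequisites for Intune enrollment from an internet-facing client.
# Assumed placeholders, not stated on the page: 'contoso.com', 'sts.contoso.com',
# and 'manage.microsoft.com' as the host the enrollment CNAME should land on.
param(
    [string]$CompanyDomain  = 'contoso.com',           # assumed placeholder
    [string]$AdfsHost       = "sts.$CompanyDomain",    # assumed placeholder
    [string]$ExpectedTarget = 'manage.microsoft.com'   # assumed; confirm against your tenant's enrollment guidance
)

$checks = @()

# 1. Enrollment discovery: devices resolve enterpriseenrollment.<domain> and
#    expect a CNAME that points at the Intune service.
$enrollName = "enterpriseenrollment.$CompanyDomain"
try {
    $rec = Resolve-DnsName -Name $enrollName -Type CNAME -ErrorAction Stop |
           Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $target = if ($rec) { $rec.NameHost } else { '' }
    $checks += [pscustomobject]@{
        Check  = "CNAME $enrollName"
        Result = $target
        Pass   = ($target -like "*$ExpectedTarget")
    }
} catch {
    $checks += [pscustomobject]@{ Check = "CNAME $enrollName"; Result = $_.Exception.Message; Pass = $false }
}

# 2. Single sign-on: the ADFS 2.0 federation metadata must be reachable over
#    HTTPS from outside the corporate network, since enrolling devices are not
#    on it. The entityID is what the Microsoft Online tenant is federated with.
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    [xml]$md  = $resp.Content
    $entityId = $md.EntityDescriptor.entityID
    $checks += [pscustomobject]@{
        Check  = "ADFS metadata $AdfsHost"
        Result = $entityId
        Pass   = -not [string]::IsNullOrEmpty($entityId)
    }
} catch {
    $checks += [pscustomobject]@{ Check = "ADFS metadata $AdfsHost"; Result = $_.Exception.Message; Pass = $false }
}

# 3. The TLS certificate on the ADFS endpoint must chain to a root the devices
#    trust and must not be close to expiry; an untrusted chain already fails
#    step 2, so here we surface subject and remaining validity explicitly.
try {
    $req = [System.Net.HttpWebRequest]::Create($metadataUrl)
    $req.Method = 'GET'
    $req.GetResponse().Close()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    $checks += [pscustomobject]@{
        Check  = 'ADFS TLS certificate'
        Result = "$($cert.Subject) expires in $daysLeft days"
        Pass   = ($daysLeft -gt 30)    # 30-day warning threshold is an arbitrary choice
    }
} catch {
    $checks += [pscustomobject]@{ Check = 'ADFS TLS certificate'; Result = $_.Exception.Message; Pass = $false }
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it from a machine outside the corporate network (for example a home connection or a mobile hotspot), because that is where enrolling BYOD devices resolve and connect from; a result that passes on the corpnet but fails externally is the usual cause of "enrollment server not found" reports from users.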
Architecture (diagram): Active Directory Federation Server 2.0, MS Online Directory Sync (DirSync), MS Online Directory Services (MSODS), user discovery of the corp domains, and a device management site hosting the Intune Subscription Connector site role.

Infrastructure
• 6 primary sites
• 13 secondary sites
• 250 distribution points

PCs & devices
• ~300,000 clients
• ~125k mobile devices

Users
• ~98k FTEs
• ~82k vendors

Primary sites (diagram): Redmond Site 1 (75k clients), Redmond Site 2 (75k clients), North & South America (35k clients), Europe, Middle East, Africa (40k clients), Australia & Asia (75k clients), plus the Device Management Site with the Intune Subscription Connector site role.
• User license status, read from the GUID on the user record:
  – User not licensed to enroll a device
  – User previously licensed but no longer a member of the device management collection
  – Non-zero GUID indicates the user is licensed to enroll a device
• Additional components to monitor:
  – DMP Uploader – policy changes flow from ConfigMgr to Intune
  – DMP Downloader – policy and data flow from Intune to ConfigMgr
  – Cloud User Sync – user collection in ConfigMgr to be licensed in Intune
• Delta user discovery and fast collection evaluation; sync frequency default of 5 minutes
• Developed a custom report for user license status
Device Enrollment and
Company portal
Karthik Jayavel
Windows Phone 8 and Windows RT: objectives, implementation, results
• Devices enrolled
• LOB apps published
• Deep linked apps
• Rollout plan
• Device enrollment process took less than a minute
Windows Phone 8 Company Portal
• Worked with the app provisioning team for apps and the signing process
• Signed apps and Company Portal before publishing
• Categorized apps as per MSIT App team standards
• Apps deployed to the "Cloud sync" user collection as "Available"
• Security groups used for targeted deployment to a set of users
What was learned, and how we learned it
• Duplicate UPNs in different domains caused cloud user sync failure: removed duplicate UPNs by an exclusion collection
• Log gathering for enrollment failures escalated by users: backend logs are available on the Intune side
• Repeated set of questions from users after device enrollment: created FAQ docs and smart guides for users
• Portal login issues investigation: troubleshooting logs can be collected from the Company Portal itself
• Uninstallation of the portal by some users raised the concern of diverse portal reinstall methods: on-demand portal install or user-initiated portal uninstall needs re-enrollment
Windows RT Enrollment
• No need to license users separately for Windows RT
• Side loading keys, once provisioned, are automatically dispensed with enrollment
• User experience for enrollment is the same as Windows Phone 8
• Company Portal installed as a required app
Company Portal App Publishing
• Utilized Microsoft Root CA as part of the subscription
• Published Windows 8 modern apps compatible with Windows RT
• Deep linked apps from the MS Store

• Every re-enrollment of RT devices uses one side loading key
• Company Portal user experience in WinRT differs from WP8 and can result in user support calls
• User-initiated un-enrollment does not remove the Company Portal
• Backend Intune logs for enrollment and Company Portal troubleshooting
• Expected delay in Win RT policy refresh due to the once-a-day maintenance window
Karthik Jayavel
Setting Up Device Policies
• UDM policies consistent with MSIT EAS policies
• Added enrolled devices to the target collection using the Agent Edition property in System_DISC
• Created password and encryption policies using pre-defined settings in CM
• Set the baseline for remediation to enforce

Corp Policies                      WP8          WinRT             iOS
Device Encryption                  True         Not Supported     Not Supported
Device Password                    Enabled      Not Supported     Enabled
Allow Simple Password              True         Not Supported     True
Min Password Length                4            5 (local only)    4
Max inactive time to lock          15 mins      15 mins           15 mins
Max failed attempts before wipe    5            5 (local)         5
Password Expiration                Unlimited    70 days (local)   Unlimited
Password History                   0            0                 0
Min Complex Characters             1            1 (local only)    0
• Retired all devices from the console after dogfooding in MSIT
• Device record automatically deleted from CM after retirement
• Defining an RBAC role to limit access to Wipe and Retire

Windows Phone 8
  – Wipe: factory default
  – Retire: un-enrolls from the service; removes Company Portal; removes apps and settings
Windows RT
  – Mail connection removed; un-enrolls from the service; side-loaded LOB apps do not run
Karthik Jayavel
• App installation reports are the same as the app model reports, and in ICM
• Settings management reports provide policy enforcement status, and in ICM
• Created custom reports for device inventory and user licensing status
Learnings and Actions
• New experience for users enrolling devices
  – Educated users with enrollment steps
• Helpdesk awareness on modern device support
  – Created support documentation and trained the helpdesk
• Common escalations from users through email
  – Generated and shared an FAQ document
• Providing status on unified device management for our stakeholders
  – Creating a custom dashboard from ConfigMgr for better visibility