Objective
• Share Microsoft IT's experiences with implementing Bring Your Own Device (BYOD) culture with the help of System Center 2012 SP1 and Windows Intune

Takeaway: Managing Devices at Microsoft

Goals
• Avoid additional hardware investment and network design complexity
• Means to safeguard BYOD assets & access LOB apps
• Management support for Windows 8 and heterogeneous devices
• Single pane of glass for administration, deployment & reporting

Solution: Unified Device Management
• System Center 2012 SP1 Configuration Manager
• Windows Intune

Benefits of Adopting a Unified Solution (Better with Both)
• Native management of modern devices
• Ability to provide users access to apps and data while maintaining security
• Allows end users to connect from anywhere
• No additional infrastructure required

Challenges for Heterogeneous Devices @ Microsoft IT
• Surge in Windows RT and Windows Phone 8 population
• Limited LOB apps for iOS
• Lack of LOB apps for Android

Pre-requisites
• Worked with Microsoft Online Directory Services (MSODS) to provision Intune services for the Microsoft IT tenant
  What you need to know: Directory Sync to synchronize AD data and an ADFS setup for single sign-on. http://technet.microsoft.com/en-us/library/hh967642.aspx
• Performed user discovery for the entire Microsoft corporate forest
  What you need to know: this depends on how wide you want to eventually open up BYOD in your environment
• Set up DNS redirection for enterpriseenrollment.microsoft.com to the Intune environment
  What you need to know: DNS redirection for enterpriseenrollment.<yourcompany>.com will be needed

Pre-requisites (continued)
• Windows Phone 8 code signing certificate
  What you need to know: has to be a VeriSign certificate.
  Work with your app/security team
• Windows RT code signing certificate and sideloading key
  What you need to know: purchase the sideloading key from the Volume Licensing Service Center
• iOS Apple Push Notification certificate
  What you need to know: generate the request from the Configuration Manager console and obtain the certificate from Apple's portal

Collaboration with other teams for dependencies
• AD Team: DirSync and ADFS 2.0
• App Team: VeriSign certificate
• Security Team: policy definition

Unified Management Architecture
1. Built a ConfigMgr SP1 standalone environment: virtual primary site in the corp domain (12 GB, 4-proc primary site server and 24 GB, 4-proc SQL Server) joined to Microsoft corp AD
2. Performed user discovery for the entire corp forest
3. MSODS team provisioned Intune services for the Microsoft IT tenant and set up the services admin
4. Set up DNS redirection for enterpriseenrollment.microsoft.com to the Intune beta environment
5. Applied device-specific certificates: Windows Phone 8 code signing cert; Windows RT code signing cert & sideloading key; iOS Apple Push Notification cert
[Architecture diagram: Microsoft corp AD with user discovery over the corp domains, Active Directory Federation Server 2.0, MS Online Directory Sync (DirSync), Microsoft Cloud Services (MSODS and the Intune subscription), and the ConfigMgr primary site with its SQL Server and the Windows Intune Connector site role]

Device Management at Microsoft IT
Infrastructure
• 6 primary sites
• 13 secondary sites
• 250 distribution points
PCs & Devices
• ~300,000 clients
• ~125k mobile devices
Users
• ~98k FTEs
• ~82k vendors

ConfigMgr site topology
• Device Mgmt. Site (the standalone UDM primary site)
• Redmond Site 1: 75k clients
• Redmond Site 2: 75k clients
• North & South America: 35k clients
• Europe, Middle East, Africa: 40k clients
• Australia & Asia: 75k clients
[Diagram: the Device Mgmt. Site reaches the Intune subscription and MS Online Directory Services (MSODS) through AD user discovery of the corp domains, Active Directory Federation Server 2.0, MS Online Directory Sync (DirSync) and the Windows Intune Connector site role]

User license status
• User not licensed to enroll a device
• User previously licensed but no longer a member of the device management collection
• Non-zero GUID indicates the user is licensed to enroll a device
Additional components to monitor
• DMP Uploader: policy changes flow from ConfigMgr to Intune
• DMP Downloader: policy and data flow from Intune to ConfigMgr
• Cloud user sync: user collection in ConfigMgr to be licensed in Intune
• Delta user discovery and fast collection sync frequency: default of 5 minutes
• Developed a custom report for user license status

Device Enrollment and Company Portal
[Chart: objectives vs. implementation results for Windows Phone 8 and Windows RT: devices enrolled, LOB apps published, deep-linked apps, final rollout goal]
• Device enrollment process took less than a minute

Windows Phone 8 Company Portal
• Worked with the app provisioning team for apps and the signing process
• Signed apps and the Company Portal before publishing
• Categorized apps as per MSIT App team standards
• Apps deployed to the "Cloud sync" user collection as "Available"
• Security groups used for targeted deployment to a set of users

What was learned / How we learned
• Removed duplicate UPNs by exclusion collection
  How we learned: duplicate UPNs in different domains caused cloud user sync failure
• Lack of client logs on the device for enrollment
  How we learned: log gathering for enrollment failures escalated by users was not possible
• Created FAQ docs and smart guides for users
  How we learned: repeated set of questions from users after device enrollment
• Troubleshooting logs can be collected from the Company Portal itself
  How we learned: long time in loading the portal was investigated using the portal log
• On-demand portal install or user-initiated portal uninstall needs re-enrollment
  How we learned: uninstallation of the portal by some users raised the concern for diverse portal reinstall methods

Windows RT Enrollment
• No need to license users separately for Windows RT
• Sideloading keys, once provisioned, are automatically dispensed with enrollment
• User experience for enrollment is the same as Windows Phone 8
• Company Portal installed as a required app

Company Portal App Publishing
• Utilized the Microsoft Root CA as part of the subscription
• Published Windows 8 modern apps compatible with Windows RT
• Deep-linked apps from the Microsoft Store

What was learned (Windows RT)
• Every re-enrollment of RT devices uses a sideloading key
• User-initiated un-enrollment does not remove the Company Portal
• No client logs for enrollment and Company Portal troubleshooting
• Company Portal user experience in Windows RT differs from WP8, which can result in user support calls
• Expected delay in Windows RT policy refresh due to the once-a-day maintenance window

Setting Management at Microsoft IT
Corp policies by platform
Setting                          | WP8       | WinRT           | iOS
Device Encryption                | True      | Not Supported   | Not Supported
Device Password                  | Enabled   | Not Supported   | Enabled
Allow Simple Password            | True      | Not Supported   | True
Min Password Length              | 4         | 5 (local only)  | 4
Max inactive time to lock        | 15 mins   | 15 mins         | 15 mins
Max failed attempts before wipe  | 5         | 5 (local)       | 5
Password Expiration              | Unlimited | 70 days (local) | Unlimited
Password History                 | 0         | 0               | 0
Min Complex Characters           | 1         | 1 (local only)  | 0
• Created password and encryption policies using the pre-defined settings in CM
• Set the baseline for remediation to enforce

Setting Up Device Policies
• UDM policies consistent with MSIT EAS policies
• Added enrolled devices to the target collection using the Agent Edition property from system discovery (System_DISC)

Wipe and Retire
• Retired all devices from the console after dogfooding in MSIT
• Device record automatically deleted from CM after retirement
• Defining an RBAC role to limit access to Wipe and Retire
Windows Phone 8
• Wipe: factory default
• Retire: un-enrolls from the service; SSP and LOB apps removed
Windows RT
• Wipe: not supported
• Retire: un-enrolls from the service; side-loaded LOB apps do not run
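The components listed under "Additional components to monitor" (DMP Uploader, DMP Downloader and cloud user sync, on a default 5-minute sync cycle) each write CMTrace-format entries on the site server. The Python below is an added example, not Microsoft IT's tooling: it parses CMTrace entries, collects error entries (type 3) per component and flags a component that has written nothing for longer than two sync cycles. The sample lines are constructed, and the log file names named in the comments, the component names and the ten-minute silence threshold are assumptions to verify against your own site server.

```python
"""Health check over Windows Intune connector logs (CMTrace format).
Added example, not Microsoft IT's tooling. Sample lines are constructed;
the log file names and the silence threshold are assumptions."""
import re
from datetime import datetime, timedelta

# CMTrace entry: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+bias" date="MM-DD-YYYY"
# component="..." context="" type="1|2|3" thread="..." file="...">
CMTRACE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"'
    r'[^>]*?component="(?P<component>[^"]*)"'
    r'[^>]*?type="(?P<type>\d)"[^>]*>',
    re.DOTALL,
)
ERROR = 3  # CMTrace severity: 1 = info, 2 = warning, 3 = error

# Constructed sample, as if concatenated from dmpuploader.log,
# dmpdownloader.log and cloudusersync.log (assumed file names).
SAMPLE_LOG = """\
<![LOG[Downloaded 12 policy documents from Intune.]LOG]!><time="09:40:00.000+420" date="05-20-2013" component="DmpDownloader" context="" type="1" thread="3012" file="dmpdownloader.cpp:210">
<![LOG[Cloud user sync started.]LOG]!><time="10:00:01.123+420" date="05-20-2013" component="CloudUserSync" context="" type="1" thread="4120" file="cloudusersync.cpp:100">
<![LOG[Synced 98000 users to the Intune subscription.]LOG]!><time="10:00:40.500+420" date="05-20-2013" component="CloudUserSync" context="" type="1" thread="4120" file="cloudusersync.cpp:200">
<![LOG[Uploaded 3 policy changes to Intune.]LOG]!><time="10:04:00.000+420" date="05-20-2013" component="DmpUploader" context="" type="1" thread="2200" file="dmpuploader.cpp:150">
<![LOG[Failed to sync user dave@corp.example.com: duplicate UserPrincipalName.]LOG]!><time="10:05:41.000+420" date="05-20-2013" component="CloudUserSync" context="" type="3" thread="4120" file="cloudusersync.cpp:240">
"""
NOW = datetime(2013, 5, 20, 10, 6, 0)   # reference "current time" for the constructed sample
SYNC_INTERVAL = timedelta(minutes=5)    # default cloud user sync frequency (from the deck)
MAX_SILENCE = 2 * SYNC_INTERVAL         # assumption: two missed cycles means the component is stale


def parse_cmtrace(text):
    """Return a list of {when, component, type, msg} dicts, oldest first."""
    entries = []
    for m in CMTRACE.finditer(text):
        clock = re.split(r"[+-]", m.group("time"), maxsplit=1)[0]  # drop the UTC bias suffix
        when = datetime.strptime(f"{m.group('date')} {clock}", "%m-%d-%Y %H:%M:%S.%f")
        entries.append({"when": when, "component": m.group("component"),
                        "type": int(m.group("type")), "msg": m.group("msg")})
    return sorted(entries, key=lambda e: e["when"])


def component_health(entries, now, max_silence=MAX_SILENCE):
    """Per component: time of the last entry, error messages, and whether the
    component has been silent for longer than max_silence."""
    health = {}
    for e in entries:
        h = health.setdefault(e["component"], {"last_seen": None, "errors": []})
        h["last_seen"] = e["when"]          # entries are sorted, so this ends up as the newest
        if e["type"] == ERROR:
            h["errors"].append(e["msg"])
    for h in health.values():
        h["stale"] = now - h["last_seen"] > max_silence
    return health


def sample_health():
    """Run the check over the constructed sample at the reference time."""
    return component_health(parse_cmtrace(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    for name, h in sample_health().items():
        flag = "STALE" if h["stale"] else "ok"
        print(f"{name:15} last={h['last_seen']:%H:%M:%S} {flag} errors={len(h['errors'])}")
        for msg in h["errors"]:
            print(f"    error: {msg}")
```

In the sample the downloader is reported stale (last entry 26 minutes old) while cloud user sync is current but carries an error; a real deployment would feed the actual log files in and raise the alert through whatever the operations team already monitors.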
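Two points above feed one pre-sync check: the custom report on user license status (not licensed, previously licensed, non-zero GUID means licensed) and the learning that duplicate UPNs across domains caused cloud user sync failure and were handled with an exclusion collection. As an added example, not Microsoft IT's report or collection query, the Python below classifies constructed user-discovery records and lists the accounts that belong in the exclusion collection. The record layout, the field name cloud_user_id and the encoding of the two non-licensed states (missing value versus all-zero GUID) are assumptions; only the non-zero-GUID rule comes from the deck.

```python
"""Check ConfigMgr user-discovery data before cloud user sync hands it to
Intune: classify each user's license state and find duplicate UPNs.
Added example, not Microsoft IT's code. The record layout and the encoding
of the non-licensed states are assumptions; only 'non-zero GUID = licensed'
is stated in the deck."""
from collections import Counter, defaultdict

ZERO_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of user-discovery records (not real data): one dict per
# account, with the cloud user id written back by cloud user sync and whether
# the account is in the "Cloud sync" user collection.
USERS = [
    {"domain": "redmond", "sam": "alice", "upn": "alice@corp.example.com",
     "cloud_user_id": "1f0c2a7e-8c1d-4d9a-9f0e-2b4b6f3c1a11", "in_sync_collection": True},
    {"domain": "redmond", "sam": "bob", "upn": "bob@corp.example.com",
     "cloud_user_id": ZERO_GUID, "in_sync_collection": False},
    {"domain": "europe", "sam": "carol", "upn": "carol@corp.example.com",
     "cloud_user_id": None, "in_sync_collection": False},
    # The same UPN provisioned in two domains: the case that broke cloud user sync.
    {"domain": "redmond", "sam": "dave", "upn": "Dave@corp.example.com",
     "cloud_user_id": None, "in_sync_collection": True},
    {"domain": "asia", "sam": "dave", "upn": "dave@corp.example.com",
     "cloud_user_id": None, "in_sync_collection": False},
]


def license_state(rec):
    """Assumed encoding: None = never licensed; all-zero GUID = previously
    licensed but no longer in the device-management collection; any other
    GUID = licensed (this last rule is the one the deck states)."""
    cid = rec["cloud_user_id"]
    if cid is None:
        return "not licensed"
    if cid.lower() == ZERO_GUID:
        return "previously licensed"
    return "licensed"


def duplicate_upns(records):
    """UPNs are case-insensitive: group on the lowercased value and keep the
    groups with more than one account, whatever domains they live in."""
    by_upn = defaultdict(list)
    for rec in records:
        by_upn[rec["upn"].lower()].append(rec)
    return {upn: recs for upn, recs in by_upn.items() if len(recs) > 1}


def exclusion_members(records):
    """Accounts for the exclusion collection (domain\\sAMAccountName): every
    account whose UPN is shared with another account."""
    return sorted(f"{r['domain']}\\{r['sam']}"
                  for recs in duplicate_upns(records).values() for r in recs)


def license_report(records):
    """Counts per license state, plus the sync-collection members whose sync
    will fail because their UPN is duplicated, and the exclusion list."""
    dupes = duplicate_upns(records)
    blocked = [r["upn"] for r in records
               if r["in_sync_collection"] and r["upn"].lower() in dupes]
    return {"counts": dict(Counter(license_state(r) for r in records)),
            "blocked": blocked,
            "exclude": exclusion_members(records)}


if __name__ == "__main__":
    rep = license_report(USERS)
    print("license states:", rep["counts"])
    print("will fail cloud user sync:", rep["blocked"])
    print("exclusion collection members:", rep["exclude"])
```

The same grouping works over an export of SMS_R_User or a multi-domain Get-ADUser dump; the point is to run it before widening the "Cloud sync" collection, since one duplicated UPN is enough to fail the sync for that user rather than just the duplicate.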
Unified Device Management Reports
• Created custom reports for device inventory
• App installation reports are the same as the App model reports and ICM
• Settings Management reports provide policy enforcement status

Learnings / Actions
• New experience for users enrolling devices
  Action: educated users with enrollment steps
• Helpdesk awareness of modern device support
  Action: created support documentation and trained the helpdesk
• Common escalations from users through email
  Action: generated and shared an FAQ document
• Providing status on unified device management for our stakeholders
  Action: creating a custom dashboard from ConfigMgr for better visibility

For More Information
Windows Enterprise: windows.com/enterprise
windows.com/ITpro
microsoft.com/mdop
microsoft.com/dv
microsoft.com/windows/wtg
tryoutlook.com
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server
Windows Server 2012 VDI and Remote Desktop Services: http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33 and http://www.microsoft.com/en-us/server-cloud/windows-server/virtual-desktop-infrastructure.aspx
More Resources: microsoft.com/workstyle, microsoft.com/server-cloud/user-device-management