Users Devices Apps Data Mobile Device Management √ Unify your environment Enable users Protect your data On-premises and cloud-based management of devices within a single console. Simplified, user-centric application management across devices Comprehensive.


Users
Devices
Apps
Data
Mobile Device Management
√
Unify your environment
• On-premises and cloud-based management of devices within a single console.
• Simplified, user-centric application management across devices
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Enable users
• Access to company resources consistently across devices
• Simplified registration and enrollment of devices
• Synchronized corporate data
Protect your data
• Protect corporate information by selectively wiping apps and data from retired/lost devices
• A common identity for accessing resources on-premises and in the cloud
• Identify which mobile devices have been compromised
• Full wipe of device
• Mobile Device Management
• Granular device policy controls
• Provision access to corp resources (Email, VPN etc)
• Selective wipe
MAM
• Device Policies tied to Mailbox
• PIN
• Encryption
• Device restrictions
MDM
Early Mobile security
PC Security
• Data protection through device lockdown (Group Policy, app mgmt., OSD, compliance)
• Hardening devices against attack (patch, anti-malware, etc.)
• Mobile application management:
• Corporate data containerization
• Per application policy restrictions
• Compliance based access control to corporate resources
On Premise
SharePoint
On Premise
File Server
Sign Up for a Trial
http://manage.microsoft.com
Intune
SCCM Connector
Network Device
Enrollment Service
(NDES)
SCCM
Certificate
Registration
Point
SCCM
plug-in
Device
CA
IW
Desktop
Admin
Windows Intune
MDM Gateway
IW Service
Enrollment
Service
Portal Content
Enroll /
Re-enroll /
Un-enroll
SSP Shared
Library
Enrollment
GCM Service
Policy (Syncml)
Policy Engine
Policy Providers
Refresh Policy
Intent
Boot Broadcast
Receiver
Alarm
Broadcast
Receiver
Compliance /
Enrollment
Changed
Intent
Android
SSP BL
SSP View Model
SSP View
GCM Notification
Company Portal
GCM Broadcast
Receiver
Write Certificates
Read/Write
State
OMADM
Client Service
Write Certificates
Read/Write State
Read Certificates
Read/Write State
Private Internal
Storage
Logging
Logging
Public Storage
Android Package
Require Password
Allow Diagnostic Data Submission (i.e. Google Crash Reports)
Allow Removable Storage
Minimum Password Length
Allow Google Backup
Allow Wi-Fi
Allow web browser
Allow Geolocation
Allow Autofill
Allow NFC
Password Expiration in days
Allow pop up blocker
Allow voice roaming
Remember Password History
Allow active scripting (i.e. Javascript)
Allow Data Roaming
No. of repeated sign-in failures allowed before device is wiped
Minutes of inactivity before screen turns off
Prevent reuse of previous passwords (only if remember password history is on)
Allow Fraud Warning
Allow voice assistant
Password Quality
Allow Cookies
Allow voice dialing
Require Encryption
Allow Application Store
Allow copy/paste
Allow Camera
Allow video conferencing
Allow Bluetooth
Allow Screen Capture
Require encryption on storage cards
Allow Clipboard Share between applications
Screen Capture
File encryption on mobile device
Allow simple password
Alphanumeric Password required
Disable Internet Explorer
Disable USB sync
Disable WiFi
Near field communication (NFC)
Prevent user initiated un-enrollment/ disable PC settings
Idle time before mobile device is locked (minutes)
Minimum complex characters
Removable storage (Any external storage device)
Minimum password length (characters)
Disable Application Store
Number of failed logon attempts before device is wiped
Disable Internet Sharing over WiFi (Tethering)
Number of passwords remembered
Disable Wi-Fi Offloading
Password complexity
Wi-Fi Hotspot reporting
Password expiration in days
Disable Custom Email Account (all or nothing)
Blue Tooth
Allow Microsoft Account
Platform | Remote Lock
iOS | Supported
Android | Supported
Windows Phone 8 | Not Supported
Windows RT 8.1 and Windows RT | Supported
Windows 8.1 | Supported

Platform | Passcode Reset
iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode.
Android | Supported and a temporary passcode is created.
Windows Phone/Windows | Not Supported
• iOS, Android, WP: Complete wipe and reset to factory defaults
• Android: EAS mailbox removal only
• Windows RT and Windows 8: Only EAS mailbox removal if managed through EAS
• User or Admin initiated
• Removes the record of the device from the system
• Disables further MDM app installation and settings management on the device
• Selectively wipes corporate app data
• Uninstalls MDM-installed apps and removes data
• Removes enterprise EFS certs and email
• NEW - iOS and WinPhone 8.1 email selective wipe
Intune
GCM
1. Intune sends Sender ID to device
2. Device passes Sender ID to GCM
3. GCM returns a Registration ID to device
4. Device returns Registration ID to Intune
5. Intune sends notifications using Sender ID, Registration ID
Windows 8.1 (x86/RT
OMA-DM managed)
Windows 8 RT
Windows Phone 8
Full Wipe
✓
iOS
Android
✓
✓
KNOX
✓
Selective Wipe
Email
Company apps and data
VPN and Wi-Fi profiles
✓ (Mail App)
✓ (Mail App)
Apps uninstalled.
Sideloading keys removed.
Data removed.
Sideloading keys
removed but apps
remain installed.
✓
Uninstalled and data
removed.
Uninstalled
and data
removed.
Apps and data
Uninstalled and
remain
data removed
installed.
VPN: Not
VPN: Not
applicable.
applicable.
Wi-Fi: Removed
WiFi: Removed
Removed.
Not applicable.
Not applicable.
Removed.
Certificates
Removed and revoked.
Not applicable.
Not applicable.
Removed and
revoked.
Revoked.
Revoked.
Settings
Requirements removed.
Requirements
removed.
Requirements
removed.
Requirements
Removed.
Management
profile is
removed.
Device
Administrator
privilege is
revoked.
Device
Administrator
privilege is
revoked.
Management
Client
Not applicable. Management
agent is built-in.
Requirements removed. Requirements removed.
Not applicable.
Management agent is
built-in.
Not applicable.
Management agent is
built-in.
Protected Corporate Email and Collaboration
Secure access to email and corp resources
• Access email and documents only if device is managed
• Deny access if device falls out of compliance
• Deploy certificates to Wi-Fi, VPN & Email profiles
• Provide access to internal resources via per-app VPN
Mobile App & Data Protection
• Contain corporate data to corporate apps and services
• Push, publish and uninstall apps centrally
• Provision iOS managed apps and accounts
• Wrapper for protected internal LoB apps
• Protected web browser, PDF, audio, video
• Selective wipe for managed apps and documents
Solution architecture – Secure email in O365
Azure AD
Who does what?
2
Office 365 EAS
Service
3
Intune: Evaluate policy compliance for device
Azure AD: Auth user, provide device compliance status
Exchange Online: Enforces access to email based on device state.
4
Attempt email
connection
1
6
If not compliant,
Push device into
quarantine
Intune
Quarantine
7
If compliant, email
access is granted
EAS Client
Quarantine email
with remediation
steps
Link to enroll
device/Compliance
Remediation steps
5
Enrollment /
Compliance
Remediation
Set device
management/
compliance
status
Solution architecture – Secure email in On Prem Exchange Server
Allow managed
device
On Prem
Exchange
Server
5
1
Who does what?
Intune: Evaluate and manage device state
Exchange Server: Provides API and infrastructure for quarantine
3
Attempt email
connection
2
Block non
Managed devices
If not managed,
Push device into
quarantine
Quarantine
4
6
If managed, email
access is granted
EAS Client
Intune
Quarantine email
with remediation
steps
Link to enroll device
Device
Enrollment
LoB
app
Secure
Browser
Native
E-mail
LoB
app
Windows
Intune
Azure
RMS
Azure
AD
Mobile Device Management Review
√
Unify your environment
• On-premises and cloud-based management of devices within a single console.
• Simplified, user-centric application management across devices
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Enable users
• Access to company resources consistently across devices
• Simplified registration and enrollment of devices
• Synchronized corporate data
Protect your data
• Protect corporate information by selectively wiping apps and data from retired/lost devices
• A common identity for accessing resources on-premises and in the cloud
• Identify which mobile devices have been compromised
Enterprise Mobility Suite
EMS will enable customers with:
Hybrid Identity Management
• Group management & Self Service Password Reset
• Security audit reports & MultiFactor Authentication
• Connection between AD / Azure AD
Mobile Device Management
• Mobile device settings management
• Mobile app management
• Selective wipe
Data Protection
• Information protection
• Connection to on-premises assets
Enterprise Agreement Prices starting at $4 per user per month*
* Limited time EA Level A promo pricing. Requires 250 seat minimum purchase and underlying CAL Suite license (CoreCAL/ECAL/BridgeCAL)
Session | Title | Timeslot
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Monday, May 12 11:00 AM - 12:00 PM
PCIT-B212 | Design Considerations for BYOD | Tuesday, May 13 10:15 AM - 11:30 AM
PCIT-B213 | Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B310 | Empowering Your Users and Protecting Your Corporate Data | Monday, May 12 1:15 PM - 2:30 PM
PCIT-B313 | Hybrid Identity: Extending Active Directory to the Cloud | Monday, May 12 4:45 PM - 6:00 PM
PCIT-B314 | Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2 | Tuesday, May 13 8:30 AM - 9:45 AM
PCIT-B321 | Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers | Tuesday, May 13 5:00 PM - 6:15 PM
PCIT-B322 | Deploying and Managing Work Folders | Wednesday, May 14 10:15 AM - 11:30 AM
PCIT-B324 | How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's and the Don'ts | Wednesday, May 14 8:30 AM - 9:45 AM
PCIT-B326 | Providing SaaS Single Sign-on with Microsoft Azure Active Directory | Thursday, May 15 10:15 AM - 11:30 AM
PCIT-B327 | Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from Anywhere | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B328 | Microsoft Identity Manager vNext Overview | Wednesday, May 14 5:00 PM - 6:15 PM
PCIT-B330 | Active Directory + BYOD = Peace of Mind | Thursday, May 15 8:30 AM - 9:45 AM
Code | Title | Time
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Mon, May 12 11:00 AM
PCIT-B311 | What's New in Enterprise Management with Microsoft System Center Configuration Manager and Windows Intune | Mon, May 12 1:15 PM
PCIT-B215 | What's New in Microsoft System Center 2012 R2 Configuration Manager Infrastructure | Mon, May 12 3:00 PM
PCIT-B410 | Microsoft System Center 2012 Configuration Manager: MVP Experts Panel | Mon, May 12 4:45 PM
PCIT-B216 | Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 8:30 AM
PCIT-B317 | Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 1:30 PM
PCIT-B320 | Microsoft System Center Configuration Manager Community Jewels | Tue, May 13 5:00 PM
PCIT-B323 | Application Management with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 8:30 AM
PCIT-B325 | Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 10:15 AM
PCIT-B340 | What’s New with OS Deployment in Configuration Manager and the Microsoft Deployment Toolkit | Wed, May 14 5:00 PM
PCIT-B336 | Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager | Thu, May 15 8:30 AM
PCIT-B339 | How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch | Thu, May 15 10:15 AM
PCIT-B333 | How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune | Thu, May 15 1:00 PM
Code | Title | Time
PCIT-IL200 | Introduction to Microsoft System Center 2012 R2 Configuration Manager | Mon, May 12 3:00 PM; Wed, May 14 5:00 PM
PCIT-IL201 | Upgrading from Configuration Manager 2012 SP1 to Microsoft System Center 2012 R2 Configuration Manager | Thu, May 15 10:15 AM
PCIT-IL300 | Deploying Windows 8.1 to Bare Metal Clients | Wed, May 14 1:30 PM; Thu, May 15 1:00 PM
PCIT-IL305 | Basic Software Distribution with Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 5:00 PM; Wed, May 14 3:15 PM
PCIT-IL306 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 10:15 AM; Thu, May 15 8:30 AM
PCIT-IL307 | Managing Microsoft Software Updates in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 1:30 PM; Wed, May 14 8:30 AM
PCIT-IL308 | Migrating from Configuration Manager 2007 to Microsoft System Center 2012 R2 Configuration Manager | Wed, May 14 10:15 AM
Code | Title
PCIT-H302 | Deploying a Microsoft System Center 2012 R2 Configuration Manager Hierarchy
PCIT-H303 | Deploying Microsoft System Center 2012 R2 Configuration Manager
PCIT-H304 | Deploying Windows 8.1 to Bare Metal Clients
PCIT-H309 | Implementing App-V 5.0 in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H310 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H311 | Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H312 | Implementing Role-Based Administration in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H314 | Managing Clients with Microsoft System Center 2012 R2 Configuration Manager
PCIT-H315 | Managing Content in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H316 | Managing Software Updates in Microsoft System Center 2012 R2 Configuration Manager
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn