Goals
• Management support for Windows 8.x and heterogeneous devices
• Improve user productivity on user-owned devices
• Safeguard BYOD assets
• Provide access to LOB apps
• Reduce infrastructure cost
• Central management for all enterprise and BYOD devices

Solution: Unified Device Management
• System Center 2012 R2 Configuration Manager
• Windows Intune
• System Center 2012 Orchestrator

Benefits of Adopting a Unified Solution (Better with Both)
• Ability to provide users access to LOB apps
• Enforce security policies on devices
• Allows end users to connect from anywhere
• Access corporate resources
• No additional infrastructure required

Challenges for Heterogeneous Devices at Microsoft IT
• Limited LOB applications for various platforms
• Shift in the technical support model
• User expectations for non-domain-joined PCs

Device management by platform (Windows Phone 8.x, Windows RT/8.x, iOS): devices enrolled, LOB apps published, deep-linked apps (chart values not captured in the transcript).

Infrastructure
• 6 Primary Sites
• 13 Secondary Sites
• 250 Distribution Points
PCs & Devices
• ~300,000 clients
• ~125k mobile devices
Users
• ~98k FTEs
• ~82k Vendors

Device Mgmt. Sites
• Redmond Site 1: 75k clients
• Redmond Site 2: 75k clients
• North & South America: 35k clients
• Europe, Middle East, Africa: 40k clients
• Australia & Asia: 75k clients
Identity and cloud components: Active Directory Federation Server 3.0, MS Online Directory Sync (DirSync), MS Online Directory Services (MSODS), AD User Discovery against the corp domains, the Intune Subscription, and the Windows Intune Connector site role on the primary site (with its SQL Server).

Setup Steps
1. Built a ConfigMgr R2 standalone environment: a virtual primary site in the corp domain (12 GB, 4 proc primary site; 24 GB, 4 proc SQL Server) against Microsoft Corp AD.
2. Performed User Discovery for the entire corp forest.
3. MSODS team provisioned Intune services for the Microsoft IT tenant and set up the services admin.
4. Set up DNS redirection for enterpriseenrollment.Microsoft.com to the Intune Beta environment.
5. Applied device-specific certificates: Windows Phone 8 code signing cert; Windows RT code signing cert and sideloading key; iOS Apple push notification cert.

Reference architecture: Microsoft Cloud Services (MSODS, Intune Subscription) connected through Active Directory Federation Server 3.0 and MS Online Directory Sync (DirSync) to the primary site with SQL Server and the Windows Intune Connector site role; User Discovery runs against the corp domains.

What You Need to Do
• Directory Sync to synchronize AD data, and ADFS setup for single sign-on: http://technet.microsoft.com/enus/library/hh967642.aspx
• Obtain a VeriSign certificate.
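An added example, not from the deck, of a PowerShell check for the DNS redirection, ADFS single sign-on and device-certificate prerequisites described above. The company domain, expected CNAME target and ADFS host are placeholders to substitute for your tenant; the expiry window is there because the deck's later learnings report the WP signing, Apple APN and enrollment certificates expiring yearly.

```powershell
# Added example (not Microsoft IT's code): validate UDM enrollment prerequisites.
# Assumed inputs: company DNS suffix, the CNAME target your Intune environment expects
# (the deck redirected enterpriseenrollment.Microsoft.com to the Intune Beta environment),
# and the ADFS 3.0 host used for single sign-on.
function Test-UdmPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $CompanyDomain,             # placeholder, e.g. contoso.com
        [Parameter(Mandatory)] [string] $ExpectedEnrollmentTarget,  # CNAME target for your tenant
        [Parameter(Mandatory)] [string] $AdfsHost,                  # placeholder, e.g. sts.contoso.com
        [int] $CertWarningDays = 60                                 # signing/APN/enrollment certs expire yearly
    )
    $results = @()

    # 1. DNS redirection: enterpriseenrollment.<company> must be a CNAME to the Intune endpoint.
    $fqdn = "enterpriseenrollment.$CompanyDomain"
    try {
        $cname = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        $ok = $cname -and ($cname.NameHost -ieq $ExpectedEnrollmentTarget)
        $results += [pscustomobject]@{ Check = "DNS $fqdn"; Pass = [bool]$ok; Detail = $cname.NameHost }
    } catch {
        $results += [pscustomobject]@{ Check = "DNS $fqdn"; Pass = $false; Detail = $_.Exception.Message }
    }

    # 2. ADFS federation metadata must be reachable over HTTPS, or enrollment sign-on fails.
    $metadata = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $metadata -UseBasicParsing -ErrorAction Stop
        $results += [pscustomobject]@{ Check = 'ADFS metadata'; Pass = ($resp.StatusCode -eq 200); Detail = $metadata }
    } catch {
        $results += [pscustomobject]@{ Check = 'ADFS metadata'; Pass = $false; Detail = $_.Exception.Message }
    }

    # 3. Device-specific certificates (WP8/WinRT code signing, Apple APN) live in the machine store;
    #    flag anything that expires inside the warning window so re-signing can be scheduled.
    $limit = (Get-Date).AddDays($CertWarningDays)
    foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt $limit })) {
        $results += [pscustomobject]@{
            Check  = "Cert expiry $($cert.Subject)"
            Pass   = $false
            Detail = "Expires $($cert.NotAfter.ToString('yyyy-MM-dd')), thumbprint $($cert.Thumbprint)"
        }
    }
    return $results
}

# Usage with placeholder values; the CNAME target below is the one Intune documents for production tenants.
Test-UdmPrerequisites -CompanyDomain 'contoso.com' -AdfsHost 'sts.contoso.com' `
    -ExpectedEnrollmentTarget 'enterpriseenrollment.manage.microsoft.com' | Format-Table -AutoSize
```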
What You Need to Do (continued)
• Work with your app/security team.
• Perform User Discovery for the users you will provide BYOD enrollment for in your environment.
• Generate the request from the Configuration Manager console and the certificate from Apple's portal.
• DNS redirection for enterpriseenrollment.<yourcompany>.com will be needed.
• Purchase a sideloading key from the volume license center.
Teams involved: AD Team – DirSync and ADFS 3.0; App Team – app certification; Security Team – policy definition; Remote Resource Access Team – VPN/WiFi/certificates.

Managing Company Portal Across All Devices (Marc Hurley)
Windows Phone 8
• Obtained the WP8 Company Portal through the internal process
• Worked with the App Certification team to sign the Company Portal before publishing
• Deployed Company Portal as "Available" to a user collection
• Associated the published WP8 Company Portal in the Intune Subscription
• Published all LOB applications to All Users and/or security groups
• Deployed Company Portal as "Required" to a user collection during upgrade scenarios to maintain Company Portal reach
Windows RT/8.x
• Obtained the Company Portal appx through the internal process
• Configured the Intune Connector with the Microsoft internal root certificate
• Deployed Company Portal as "Required" to a user collection
• Published all LOB applications to All Users and/or security groups
• Deployed Company Portal as "Required" to a user collection during upgrade scenarios to maintain Company Portal reach
iOS
• Obtained the Company Portal ipa file through the internal process
• Created an internal website to host the Company Portal install file
• Configured the Intune Connector with the APN certificate
• Published deep-linked applications to All Users and/or security groups
• Deployed Company Portal as "Required" to a user collection during upgrade scenarios to maintain Company Portal reach

Company Portal Apps (Name | Platform | Installation Method)
• Windows Intune Company Portal | Windows 8.x (RT, x86/x64) | IT deployment (pushed to non-domain-joined (NDJ) devices/users at Microsoft; MSIT users should not install the Company Portal from the Store). Note: the public will download it from the Microsoft Store.
• Windows Intune Company Portal for Windows Phone 8 | Windows Phone 8 | IT deployment (auto-install post enrollment). Note: the public will download it from Microsoft.com.
• Windows Intune Company Portal for iOS | iOS | Direct user installation (we get it from the intranet site http://issp at Microsoft because we are in CTiP; moving to an extranet site). Note: the public will get it from the App Store.
• Windows Intune Company Portal for Android | Android | Direct user installation (evaluation in progress). Note: the public will get it from Google Play.

Advanced Modern Device Management: Simplified Administration Experience
Administration
• Available LOB apps in the Portal
• Required LOB apps
• Deep-linked apps
• In-console deployment monitoring
Requirements
• Self-service publishing of modern applications
• Rapid turnaround from request time to deployment
• Reduction of Configuration Manager administrative overhead
• Remove manual provisioning and deployment errors
Technology
• IT DevCenter – the application developers' request portal, with a publishing process that mimics the Windows Store process
• Visual Studio 2012 Team Foundation Server, with scripts and templates to enforce standardization
• System Center 2012 Orchestrator
• System Center 2012 R2 Configuration Manager cmdlets, custom PowerShell modules, Active Directory cmdlets
Benefits
• Reduced publishing time from 3 days to 6 hours
• Admins can focus on deployment errors rather than publishing
• 95% of app publishing work completed zero-touch

Publishing Workflow
Pre-process
1. App owner submits the application to Dev Center.
2. Dev Center assigns the task to Orchestrator.
3. Runbooks wake on schedule and check TFS for tasks waiting for automation.
4. Task status is updated to "In Process".
Process
5. Create XML files from the TFS task.
6. Identify the "Activity Type": Create, Deploy, Create & Deploy, Delete, Pause, Supersede.
7. Call the PowerShell modules.
8. Update the task status and assign the task back to Dev Center.

Security Policies: Settings Management at Microsoft IT
Setting Up Device Policies
• UDM policies consistent with MSIT EAS policies
• Created password and encryption policies using pre-defined settings in CM
• Set the baseline for remediation to enforce
• Deployed the baseline to users
• Provided reports to the Security Team for compliance status

Corp Policies by platform (WinRT and Windows values are reported per the slide; "local" means enforced locally on the device)

Setting                         | WP             | WinRT           | Windows        | iOS
Device Encryption               | True           | Not Supported   | Not Supported  | Not Supported
Device Password Enabled         | Not Supported  | True            | Not Supported  | Enabled
Allow Simple Password           | Not Supported  |                 | Not Supported  | False
Min Password Length             | 4              | 6 (local only)  | 8              | 4
Max inactive time to lock       | 15 mins        | 15 mins         | 15             | 15 mins
Max failed attempts before wipe | 5              | 5 (local)       | 10             | 5
Password Expiration             | Not configured | 70 days (local) | 70             | Not Configured
Password History                | 0              | 0               | 24             | 0
Min Complex Characters          | 1              | 1 (local only)  | 1              | 0
Allow Camera                    | Not configured | Not configured  | Not configured | Yes
Maximum grace Period            | Not configured | Not configured  | Not configured | 3
Allow Browser                   | Not configured | Not configured  | Not configured | Yes

NDES URL shown on the slide: http://NDESFQDN/certsrv/mscep/mscep.dll

UDM Reports (Marc Hurley): Unified Device Management reports.

Learnings and Actions
• Learning: new experience for users enrolling devices. Action: educated users with enrollment steps.
• Learning: helpdesk awareness of modern device support. Action: created support documentation and trained the helpdesk.
• Learning: restrict access to the Remote Wipe and Retire commands. Action: use RBAC to control Remote Wipe and Retire access.
• Learning: monitoring of external components such as NDES and VPN servers. Action: work with the VPN team to enable monitoring/reports.
• Learning: call out important apps to users. Action: use the Featured App function when publishing.

Certificate and Policy Learnings
• WP app signing cert expired after 1 year: had to replace the AET with a new token; had to re-sign and republish applications; no need to re-sign apps for WP8.1.
• Replaced the Apple APN certificate: the account used to obtain the APN was a user-specific iTunes account; had to have all iOS devices un-enroll and re-enroll.
• Enrollment certificate expiration happens every year on WP8: WP8 users need to respond and renew the cert before expiration to keep enrollment intact; WP8.1 will update the certificate automatically in the background.
• Policies were targeted to devices instead of users: delay in getting security policies, as devices had to register first.
• Windows 8.x core OS does not support app sideloading: users had to upgrade the OS license to Windows 8.x Pro or Enterprise.

Resources
• http://technet.microsoft.com/en-us/library/dn482435.aspx
• http://technet.microsoft.com/en-us/library/hh925141.aspx
• http://channel9.msdn.com/Events/TechEd
• www.microsoft.com/learning
• http://microsoft.com/technet
• http://microsoft.com/msdn
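An added example, not the Microsoft IT runbook code, of the "Process" step in the publishing workflow above: a PowerShell module function an Orchestrator runbook could call with the XML it built from a TFS task, covering the Create, Deploy, Create & Deploy and Delete activity types (Pause and Supersede are not shown). The XML layout, application names and site code are invented for this example; the ConfigMgr 2012 R2 cmdlets are used with their documented parameters.

```powershell
# Added example (not Microsoft IT's module): dispatch one TFS-derived task to ConfigMgr.
# Assumed XML layout: <Task><ActivityType/><Application Name Publisher Version/><Deployment Collection Purpose/></Task>
function Invoke-AppPublishTask {
    param(
        [Parameter(Mandatory)] [xml]    $Task,
        [Parameter(Mandatory)] [string] $SiteCode
    )
    # Load the console cmdlets and switch to the site drive (standard ConfigMgr pattern).
    Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
    Push-Location "$($SiteCode):"
    try {
        $app    = $Task.Task.Application     # Name / Publisher / Version attributes
        $action = $Task.Task.ActivityType    # Create | Deploy | CreateAndDeploy | Delete
        $deploy = $Task.Task.Deployment      # Collection / Purpose (Available | Required)

        # Allowlist what the runbook may do; a task with any other type is malformed and stops here,
        # which keeps a bad or tampered task from becoming an unreviewed deployment.
        if ($action -notin @('Create', 'Deploy', 'CreateAndDeploy', 'Delete')) {
            throw "Unknown ActivityType '$action'"
        }
        if ($deploy -and $deploy.Purpose -notin @('Available', 'Required')) {
            throw "Unknown deployment purpose '$($deploy.Purpose)'"
        }

        if ($action -in @('Create', 'CreateAndDeploy') -and -not (Get-CMApplication -Name $app.Name)) {
            # Creates the application object; the platform deployment type (appx, xap, deep link)
            # is added in a separate platform-specific step.
            New-CMApplication -Name $app.Name -Publisher $app.Publisher -SoftwareVersion $app.Version | Out-Null
        }
        if ($action -in @('Deploy', 'CreateAndDeploy')) {
            Start-CMApplicationDeployment -Name $app.Name -CollectionName $deploy.Collection `
                -DeployAction Install -DeployPurpose $deploy.Purpose | Out-Null
        }
        if ($action -eq 'Delete') {
            Remove-CMApplication -Name $app.Name -Force
        }
        # The runbook writes this status back to the TFS task before handing it to Dev Center.
        return [pscustomobject]@{ Application = $app.Name; Action = $action; Status = 'Completed' }
    }
    finally { Pop-Location }
}

# Constructed sample task (placeholder values), as a runbook would emit it from TFS:
[xml]$sample = @"
<Task>
  <ActivityType>CreateAndDeploy</ActivityType>
  <Application Name="Contoso Expense" Publisher="Contoso IT" Version="1.0" />
  <Deployment Collection="All Users" Purpose="Available" />
</Task>
"@
Invoke-AppPublishTask -Task $sample -SiteCode 'P01'
```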