Module 3: Managing Devices Enterprise Device Infrastructure Camp Dan Stolts Chief Technology Strategist Microsoft [email protected] Twitter: @ITProGuru.
Agenda
• OMA-DM Management Agent
• Microsoft Intune
• System Center Configuration Manager 2012 R2
• Unified Device Management

Governance: lightweight control to full control
• Lightweight control – Exchange ActiveSync: allow e-mail access
• OMA-DM Mobile Device Management (Windows Phone 8.1, Windows RT 8.1, Windows 8.1): BYOD-style management
• Full control: fully-managed corporate device

Core Mobile Device Management Requirements (direct management)
• Windows 8.1 inventory: CPU information, memory information, operating system, computer system, networking adapters, physical disks, logical disks, encrypted volumes, display devices, infrared devices, battery, system BIOS, shared resources (disk, printer, screen), services, date and time information, modern apps deployed via MDM, enterprise apps installed, web links deployed via MDM, RemoteApps deployed via MDM, firewall enabled, Windows Update (auto update) enabled, anti-virus enabled, anti-virus signature, encryption enabled, Bluetooth enabled, Wi-Fi enabled, PC Settings synchronization enabled, credentials synchronization enabled, metered network synchronization enabled, intranet zone security level, internet zone security level, restricted sites zone security level, trusted sites zone security level
• Windows Phone 8.1 inventory: device ID, OS platform type, firmware version, OS version, device local time, processor type, device model, device manufacturer, device processor architecture, device language, Wi-Fi MAC address, phone number, roaming status, IMEI & IMSI, Wi-Fi IP address, Wi-Fi DNS suffix and subnet mask

Supported Policies and Settings
• Enable Windows Error Reporting (Diagnostics Submission)
• Permit Data Roaming (Mobile)
• Allow Work Folders
• Configure Work Folders
• Enable User Account Control
• Enable SmartScreen
• Minimum Password Length
• Auto-lock Timeout
• Maximum Password History
• Password Expiration
• Failed Password Attempts before Wipe
• Minimum Required Complex Characters
• Disallow Convenience Login
• Enterprise Mode IE enable and configure
• URL filtering
• Enable SmartScreen (Force Fraud Warning)
• Enable Auto-Fill
• Allow Internet Scripting (JavaScript)
• Allow Internet Plugins
• Enable Popup Blocking
• Enable Do Not Track
• Intranet Security Zone Enabled
• Internet Zone Configuration
• Define Wi-Fi Profiles
• Define VPN Profiles
• Enroll Certificates
• Define Application Launch VPN Triggers
• Reset local account password
• App whitelisting and blacklisting

Supported Policies and Settings
• Simple password
• Alphanumeric password
• Minimum password length
• Minimum password complex characters
• Password expiration
• Password history
• Device wipe threshold
• Auto-lock Timeout
• Inactivity timeout
• Device encryption
• Disable removable storage card
• Disable Camera
• Disable Bluetooth
• Disable Wi-Fi
• Disable telemetry data submission
• App whitelisting and blacklisting
• Disable Location
• Disable NFC
• Disable Microsoft Account
• Disable roaming between Windows devices
• Disable custom email accounts
• Disable screen capture
• Disable copy & paste functionality
• Disable sharing and saving of Office Documents
• Disable MDM un-enrollment
• Define Wi-Fi profiles and settings
• Define VPN Profiles
• Certificate management
• Storage management
• Assigned Access management
• E-mail account management
• S/MIME configuration

Mobile device wipe and retire
Platforms: Windows 8.1 (x86/RT, OMA-DM managed) | Windows 8 RT | Windows Phone 8.1 | iOS | Android (EAS)
• Full wipe: per-platform detail not recoverable from the slide
• Retire (selective wipe):
  - Email: email through EAS
  - Company apps and associated data installed by Microsoft Intune:
    Windows 8.1 (OMA-DM managed): apps originally installed through the company portal are uninstalled and sideloading keys are removed; apps using Windows Selective Wipe have their encryption key revoked and the data is no longer accessible
    Windows 8 RT: sideloading keys are removed but apps remain installed
    Windows Phone 8.1: apps originally installed through the company portal are uninstalled; company app data is removed
    iOS: apps are uninstalled; company app data is removed
    Android (EAS): apps and data remain installed
  - Settings: requirements removed (all five platforms)
  - Management client: not applicable on Windows 8.1, Windows 8 RT and Windows Phone 8.1 (management agent is built in); iOS: management profile is removed; Android: Device Administrator privilege is revoked

Management lifecycle

Mobile Device Management (MDM) Services: Microsoft Approach
• Connects existing infrastructure (manage PCs, mobile devices and "things" from one place)
• Leverages investment (technology and skills)
• Single identity: Active Directory + Azure Active Directory
• Integrated suite: Intune, Configuration Manager, Active Directory + Azure Active Directory, Rights Management

Selecting the Management Platform
• Unified Device Management – System Center 2012 R2 Configuration Manager with Microsoft Intune
• Cloud-based Management – standalone Microsoft Intune: no existing Configuration Manager deployment; simplified policy control; simple web-based administration console
• For a full comparison of features see: http://technet.microsoft.com/en-us/library/dn600286.aspx

Mobile device inventory
• Hardware properties for mobile devices are collected through the Device Management Authority as well as Exchange ActiveSync
• No software inventory for mobile devices, to respect the information worker's privacy on their own device
• IT pros can track storage on mobile devices, which helps them anticipate and troubleshoot issues
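The built-in OMA-DM agent on Windows 8.1, Windows RT 8.1 and Windows Phone 8.1 receives the policies listed above as SyncML commands from the management server and answers each command with a Status code; a server that does not reconcile those codes cannot tell an applied policy from a silently rejected one. The following Python example is added here and is not code from the deck, from Intune or from Configuration Manager: it builds one server message carrying three DeviceLock policy nodes and maps the device's reply back to the nodes. The server address, device ID, CSP node URIs and the device's reply are assumed or constructed for illustration.

```python
"""OMA-DM round trip: build the server's SyncML Replace commands for a
password policy and reconcile the device's Status replies against them.
Added example; the CSP node URIs below are assumed for illustration."""
import xml.etree.ElementTree as ET

NS = "SYNCML:SYNCML1.2"
SERVER_URI = "https://mdm.example.test/OMADM"                 # assumed server address
DEVICE_URI = "urn:uuid:4f2c7e10-0000-4000-8000-000000000001"  # assumed device ID

# (LocURI, OMA-DM format, value). Node names assumed, not taken from the deck.
POLICY_ITEMS = [
    ("./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength", "int", 8),
    ("./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts", "int", 10),
    ("./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration", "int", 90),
]


def q(tag):
    """Qualify a tag with the SyncML default namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def build_replace(items, session_id="1", msg_id="1"):
    """Serialise one server->device message: one <Replace> per policy node.
    CmdIDs are assigned 1..n in list order so Status/CmdRef can be mapped back."""
    root = ET.Element("SyncML", xmlns=NS)
    hdr = ET.SubElement(root, "SyncHdr")
    ET.SubElement(hdr, "VerDTD").text = "1.2"
    ET.SubElement(hdr, "VerProto").text = "DM/1.2"
    ET.SubElement(hdr, "SessionID").text = session_id
    ET.SubElement(hdr, "MsgID").text = msg_id
    ET.SubElement(ET.SubElement(hdr, "Target"), "LocURI").text = DEVICE_URI
    ET.SubElement(ET.SubElement(hdr, "Source"), "LocURI").text = SERVER_URI
    body = ET.SubElement(root, "SyncBody")
    for cmd_id, (uri, fmt, value) in enumerate(items, start=1):
        rep = ET.SubElement(body, "Replace")
        ET.SubElement(rep, "CmdID").text = str(cmd_id)
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
        ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf").text = fmt
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


# Constructed device->server reply to message 1: header accepted, the first
# two nodes applied (200), the third rejected with 405 (command not allowed).
DEVICE_RESPONSE = f"""<SyncML xmlns="{NS}">
<SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>1</SessionID><MsgID>2</MsgID>
<Target><LocURI>{SERVER_URI}</LocURI></Target><Source><LocURI>{DEVICE_URI}</LocURI></Source></SyncHdr>
<SyncBody>
<Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
<Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
<Status><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>3</CmdRef><Cmd>Replace</Cmd><Data>405</Data></Status>
<Final/>
</SyncBody>
</SyncML>"""


def reconcile(items, response_xml, msg_id="1"):
    """Map each pushed LocURI to the status code the device returned for it.
    Raises if the device did not accept the message header (for example a
    401/407 credential challenge): per-command statuses are meaningless then."""
    root = ET.fromstring(response_xml)
    statuses = [s for s in root.iter(q("Status")) if s.findtext(q("MsgRef")) == msg_id]
    hdr = [s for s in statuses if s.findtext(q("CmdRef")) == "0"]
    if not hdr or hdr[0].findtext(q("Data")) not in ("200", "212"):
        raise RuntimeError("device rejected SyncHdr: " + (hdr[0].findtext(q("Data")) if hdr else "no status"))
    result = {uri: None for uri, _, _ in items}   # None = device sent no status for the node
    for s in statuses:
        if s.findtext(q("Cmd")) != "Replace":
            continue
        idx = int(s.findtext(q("CmdRef"))) - 1      # CmdIDs were assigned 1..n above
        if 0 <= idx < len(items):
            result[items[idx][0]] = int(s.findtext(q("Data")))
    return result


def noncompliant(result):
    """LocURIs the device did not confirm with a 2xx status (a missing status counts too)."""
    return [uri for uri, code in result.items() if code is None or not 200 <= code < 300]


if __name__ == "__main__":
    print(build_replace(POLICY_ITEMS))
    status = reconcile(POLICY_ITEMS, DEVICE_RESPONSE)
    for uri, code in status.items():
        print(code, uri)
    print("needs attention:", noncompliant(status))
```

The point of `reconcile` is the two checks an MDM server has to make before it reports a device as conformant: the SyncHdr status must be 200 or 212 (anything else means the whole message was not accepted), and every node pushed must come back with its own 2xx; a node with no Status at all is treated as not applied rather than assumed successful.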
Settings management
• Security policy on devices (iOS, Windows RT, and Windows Phone 8) through direct management and Exchange ActiveSync
• Reporting available on each setting: whether it is applicable, conformant, or has an error
• The same security policy template is used for both direct management and Exchange ActiveSync to help admins
• Android and Windows Phone 8 devices can be managed through Exchange ActiveSync

[Screenshots: Windows 8.1 PC Settings > Network > Workplace, before and after joining]
• Before joining: "Enter your user ID to get workplace access or turn on device management." "Join your workplace network so that you can use network resources like internal websites and business apps." (Join) "Apps and services from IT" (Turn on)
• After joining: "This device has joined your workplace network" (Leave) "Get apps and services from IT: your organization's device management system lets your IT admin set up apps and network connections for you."
• Device management consent text: "Some workplaces have policies, certificates, and apps that help you connect your device to business info. If you connect your PC, your workplace can apply settings, collect basic information, and install or remove apps they manage. Talk with your IT admin to learn more about your specific workplace." Checkbox "I agree to the Terms of Use"; buttons Turn on / Cancel

End User Experience
• Consistent self-service experience for the end user across mobile platforms
• Windows: Company Portal available in the Windows Store
• Windows Phone: side-loaded during enrollment
• Android: available in the Google Play Store
• iOS: available in the Apple App Store

Microsoft Intune: stand-alone service
• Windows PCs (x86/x64, Intel SoC)
• Windows RT, Windows Phone 8
• Apple iOS, Google Android

Mobile Device Settings in Microsoft Intune
Platforms: Win 8.1 PC & RT | WP8.1 | iOS | Android
Categories: Password, Encryption, Malware, System Settings, Cloud, Windows Server Work Folders, Browser, Applications & Gaming, Device restrictions, Store access, Roaming, Remote Lock, Passcode Reset (clears passcode / temp code / set passcode)
For more details see: http://technet.microsoft.com/en-us/library/jj676628.aspx and http://technet.microsoft.com/en-us/library/dn600287.aspx
* Subset of settings. Note: table applies to direct MDM and not EAS. Per-platform support marks not recoverable from the slide.

Manage and secure PCs and devices anywhere
• Simple web-based administration console and a richer experience for information workers
• Help protect PCs from malware
• Manage updates
• Distribute software
• Proactive monitoring and alerts
• Provide remote assistance
• Inventory hardware and software
• Monitor and track licenses
• Increase insight with reporting
• Set security policies
• Richer mobile device management (MDM)

Managing Windows 8.1 with Microsoft Intune
• Management tasks can work with the Windows 8.1 maintenance window
• Management tasks do not interrupt users if they are immersed in a modern app

Registering and enrolling devices
• Users can enroll devices, which configures the device for management with Microsoft Intune. The user can then use the Company Portal for easy access to corporate apps.
• Users can register a Bring Your Own Device for SSO and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity.
• Multi-Factor Authentication can be used through Microsoft Azure Active Authentication.
• Data from Microsoft Intune is synced with Configuration Manager, which provides unified management both on premises and in the cloud.
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and the device.

Extensions for Microsoft Intune
• Admin is notified that an extension is available when the console is launched
• Admin goes to Extensions for Intune in the console and enables the extension
• Extension is activated in ConfigMgr (the extension is enabled on all site systems, then the console updates are available)
• Admin restarts the console, and the console is updated with the extension
• Admin uses the feature delivered by the extension
• Admin may wish to disable the extension

Mobile Device Settings in ConfigMgr 2012 R2
Platforms: Windows 8.1 PC & RT | Windows Phone 8.1 | iOS | Android
Categories: VPN, Wi-Fi, Certificates, Email Profiles, Password (*), Device restrictions (*), Store access, Browsers (*), Content Rating, Cloud Sync (*), Encryption (*), Security (*), Roaming (*), Windows Server Work Folders
(*) Device platform supports a subset of the settings. Per-platform support marks not recoverable from the slide.

Mobile Device Inventory
• Personal vs. corporate-owned devices: by default, user-enrolled devices are "personal"; the admin can specify corporate-owned devices; "compromised" device detection
• App inventory: personal devices – inventory only apps installed by Configuration Manager or Microsoft Intune; corporate devices – complete inventory of all apps on the device*
• App management: new global condition to differentiate app installations on corporate vs. personal devices
* Inventory capability varies by device platform

VPN profile management
• Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5; a subset of vendors have a Windows RT VPN plug-in
• Support for VPN standards like PPTP, L2TP, IKEv2 (PPTP is listed for compatibility only; its MS-CHAPv2 authentication is cryptographically broken, so prefer IKEv2 or an SSL VPN profile)
• Automatic VPN connection: DNS name-based initiation support for Windows 8.1 and iOS; application ID-based initiation support for Windows 8.1

Wi-Fi and certificate profiles
• Wi-Fi settings: manage Wi-Fi protocol and authentication settings; provision Wi-Fi networks that the device can auto-connect to; specify the certificate to be used for the Wi-Fi connection
• Manage and distribute certificates: deploy trusted root certificates; support for the Simple Certificate Enrollment Protocol (SCEP)

Email profile management
• Manage Exchange ActiveSync accounts: configure account settings and security restrictions; enable certificate authentication
• Support for iOS and Windows Phone 8
• Enables selective wipe of the managed email profile (if the platform supports it)
• New in the January 2014 release, delivered as a Configuration Manager Extension for Microsoft Intune

Security and Compliance Settings Management
• The ConfigMgr management point delivers the baseline to the ConfigMgr agent; baselines are assigned to collections
• The agent evaluates the baseline and reports drift; on baseline drift:
• Auto remediate, or create an alert (to Service Manager)

Baseline configuration items
• Active Directory, Script, WMI, XML, SQL, File, Software Updates, Registry, MSI, IIS

Improved functionality
• Copy settings
• Trigger console alerts
• Richer reporting
• Enhanced versioning and audit tracking: ability to specify versions to be used in baselines; audit tracking includes who changed what
• Pre-built industry-standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator

Work Folders
• Sync files and data across devices
• New feature in Windows 8.1 and Windows Server 2012 R2
• Configuration Manager and Microsoft Intune support: new settings to help provision the Work Folders discovery settings; self-service portals have links to Work Folders

Client Activity and Health
• In-console view of client health
• Threshold-based console alerts
• Heartbeat DDRs
• HW/SW inventory and status
• Remediation

Summary
• OMA-DM Management Agent
• Microsoft Intune
• System Center Configuration Manager 2012 R2
• Unified Device Management

More information
http://www.microsoft.com/en-us/download/details.aspx?id=42508
http://www.microsoft.com/en-us/download/details.aspx?id=42509
http://go.microsoft.com/fwlink/?LinkID=279003

Next steps
• Download evaluation software: download free Microsoft software trials today at the TechNet Evaluation Center. http://aka.ms/CampEval
• Learn more: boost your technical skills with free expert-led technical training on Windows 8 from Microsoft Virtual Academy. http://aka.ms/CampMVAWin
• Get certified: get hired, get recognized, and get ahead with the MCSA Windows 8 certifications from Microsoft. http://aka.ms/CampCertWin
• Evaluate online: test Microsoft's newest products and technologies in a virtual environment for free at the Microsoft Virtual Labs. http://aka.ms/CampVlabs
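The "Security and Compliance Settings Management" slide above ends with the two responses to baseline drift: auto-remediate, or create an alert. The following Python example is added here and is not Configuration Manager's own code: it evaluates a small baseline of registry, service and file configuration items against a device state, fixes the items that carry a remediation, records who changed what, and raises an alert for the one item (a hash-only file check) that cannot be remediated automatically. The configuration items, the device state and the audit-entry shape are constructed for illustration.

```python
"""Compliance baseline evaluation with the two drift responses on the slide:
auto-remediate, or create an alert. Added example; the configuration items,
the constructed device state and the audit-trail shape are illustrative,
not ConfigMgr's own data model."""
import copy
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

UAC = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SMB1 = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed device state standing in for what the ConfigMgr agent would read.
# It drifts from the baseline on purpose: UAC off, SMB1 on, Windows Update
# stopped, and an extra entry appended to the hosts file.
DEVICE_STATE = {
    "registry": {UAC: 0, SMB1: 1},
    "files": {HOSTS: b"127.0.0.1 localhost\r\n10.0.0.5 update.example.test\r\n"},
    "services": {"MpsSvc": "Running", "wuauserv": "Stopped"},
}


def fresh_state():
    """Independent copy of the constructed state, so each run starts from the same drift."""
    return copy.deepcopy(DEVICE_STATE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ConfigItem:
    name: str
    kind: str                 # "registry" | "file" | "service" (three of the CI types on the slide)
    key: str
    expected: object          # registry value, file SHA-256, or service state
    remediate: Optional[Callable[[dict], None]] = None   # None => drift can only raise an alert


def set_registry(key, value):
    return lambda state: state["registry"].__setitem__(key, value)


def set_service(name, status):
    return lambda state: state["services"].__setitem__(name, status)


# A hash-only file CI has no remediation: the baseline knows what the file
# should hash to, not what it should contain, so its drift goes to an alert.
BASELINE = [
    ConfigItem("UAC enabled", "registry", UAC, 1, set_registry(UAC, 1)),
    ConfigItem("SMB1 disabled", "registry", SMB1, 0, set_registry(SMB1, 0)),
    ConfigItem("Firewall service running", "service", "MpsSvc", "Running", set_service("MpsSvc", "Running")),
    ConfigItem("Windows Update service running", "service", "wuauserv", "Running", set_service("wuauserv", "Running")),
    ConfigItem("hosts file unmodified", "file", HOSTS, sha256(b"127.0.0.1 localhost\r\n")),
]


def current_value(ci, state):
    """Read the value the CI compares against from the constructed state."""
    if ci.kind == "registry":
        return state["registry"].get(ci.key)
    if ci.kind == "service":
        return state["services"].get(ci.key)
    if ci.kind == "file":
        blob = state["files"].get(ci.key)
        return None if blob is None else sha256(blob)
    raise ValueError(f"unsupported configuration item kind: {ci.kind}")


def evaluate(baseline, state, actor="baseline-deployment"):
    """One evaluation pass. Returns ([(ci name, outcome)], audit entries).
    Outcome is 'compliant', 'remediated' (drift fixed in place and recorded
    as who changed what) or 'alert' (drift with no remediation available)."""
    results, audit = [], []
    for ci in baseline:
        actual = current_value(ci, state)
        if actual == ci.expected:
            results.append((ci.name, "compliant"))
        elif ci.remediate is not None:
            ci.remediate(state)
            audit.append({"who": actor, "what": ci.name, "from": actual, "to": ci.expected})
            results.append((ci.name, "remediated"))
        else:
            results.append((ci.name, "alert"))
    return results, audit


if __name__ == "__main__":
    state = fresh_state()
    for run in (1, 2):
        results, audit = evaluate(BASELINE, state)
        print(f"run {run}:", results)
        for entry in audit:
            print("  audit:", entry)
```

Running it twice against the same state shows the lifecycle the slide describes: the first pass remediates three items and records them in the audit trail, the second pass finds those items compliant and only the unremediable hosts-file drift is still raised as an alert.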
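The "Client Activity and Health" slide above lists the inputs a site uses to judge client health (heartbeat DDRs, hardware and software inventory status) and the two outputs (threshold-based console alerts, remediation). As an added example, not the deck's or Configuration Manager's own code, the following classifies constructed client records from those timestamps and raises a per-collection alert when the active share drops below a threshold; the window lengths, the threshold, the evaluation time and the client records are assumed.

```python
"""Client activity and health from heartbeat DDR and inventory timestamps,
with threshold-based alerts per collection. Added example; the client
records, windows and threshold are constructed for illustration."""
from datetime import datetime, timedelta

NOW = datetime(2014, 3, 10, 8, 0)   # fixed evaluation time, so results are reproducible
HEARTBEAT_DAYS = 7                  # no heartbeat DDR within this window => inactive
INVENTORY_DAYS = 14                 # hardware/software inventory older than this => stale
ACTIVE_THRESHOLD = 0.90             # console alert when a collection's active share is below 90 %


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed records: (client, collection, last heartbeat DDR, last HW inventory, last SW inventory).
# None means the site has never received that cycle from the client.
CLIENTS = [
    ("WS-001", "All Workstations", days_ago(1), days_ago(2), days_ago(2)),
    ("WS-002", "All Workstations", days_ago(12), days_ago(12), days_ago(12)),
    ("WS-003", "All Workstations", days_ago(1), days_ago(20), days_ago(20)),
    ("WS-004", "All Workstations", days_ago(3), days_ago(3), days_ago(3)),
    ("WS-005", "All Workstations", days_ago(9), None, None),
    ("SRV-001", "All Servers", days_ago(2), days_ago(2), days_ago(2)),
    ("SRV-002", "All Servers", days_ago(2), days_ago(2), days_ago(2)),
    ("SRV-003", "All Servers", days_ago(1), days_ago(1), None),
]


def classify(heartbeat, hw_inv, sw_inv):
    """'inactive': no recent heartbeat (device off the network or agent dead);
    'inventory stale': the agent is checking in but inventory cycles are not
    arriving, which is the remediation case; otherwise 'active'."""
    if heartbeat is None or NOW - heartbeat > timedelta(days=HEARTBEAT_DAYS):
        return "inactive"
    for stamp in (hw_inv, sw_inv):
        if stamp is None or NOW - stamp > timedelta(days=INVENTORY_DAYS):
            return "inventory stale"
    return "active"


def summarize(clients):
    """Per-collection counts, active share and alert flag. Clients with stale
    inventory still count as active for the threshold (their heartbeat is fine)
    but are listed for remediation."""
    summary = {}
    for name, collection, hb, hw, sw in clients:
        entry = summary.setdefault(collection, {"active": 0, "inactive": 0,
                                                "inventory stale": 0, "remediate": []})
        status = classify(hb, hw, sw)
        entry[status] += 1
        if status == "inventory stale":
            entry["remediate"].append(name)
    for entry in summary.values():
        total = entry["active"] + entry["inactive"] + entry["inventory stale"]
        entry["active_share"] = (total - entry["inactive"]) / total
        entry["alert"] = entry["active_share"] < ACTIVE_THRESHOLD
    return summary


if __name__ == "__main__":
    for collection, entry in summarize(CLIENTS).items():
        flag = "ALERT" if entry["alert"] else "ok"
        print(f"{collection}: {flag} active_share={entry['active_share']:.2f} remediate={entry['remediate']}")
```

Separating "no heartbeat" from "heartbeat but no inventory" matters for the remediation column: the first group is usually devices that are off or gone and feeds the alert, while the second group is the one where a client repair actually helps, so it is reported by name rather than folded into the percentage.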