enterprise mobility (admin)

System Center 2012 R2 Configuration Manager with Windows Intune

Upload: microsoft

Post on 18-Nov-2014


Category:

Technology



DESCRIPTION

From few to many types of mobile devices. Learn how to manage your mobile devices via System Center Config Mgr and Windows Intune. Presentation by Kent Agerlund, CoreTech

TRANSCRIPT

Page 1: Enterprise Mobility (Admin)

System Center 2012 R2 Configuration Manager with Windows Intune

Page 2: Enterprise Mobility (Admin)

Who am I

• Microsoft TechNet Forums

• System Center Alliance Team

Page 3: Enterprise Mobility (Admin)

Devices, Apps, Users

Empowering People-centric IT

Enable users

Allow users to work on the devices of their choice and provide consistent access to corporate resources.

Protect your data

Help protect corporate information and manage risk.

Management. Access. Protection.

Data

Unify your environment

Deliver a unified application and device management on-premises and in the cloud.

Page 4: Enterprise Mobility (Admin)

Selecting the Management Platform

Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune

Cloud-based Management – Standalone Windows Intune

No existing Configuration Manager deployment

Simplified policy control

Fewer than 7,000 devices and 4,000 users

Simple web-based administration console

Page 5: Enterprise Mobility (Admin)

Helping IT to enable users

IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.

IT can provide seamless corporate access.

Users can work from anywhere on their devices with access to their corporate resources.

Users can register devices for single sign-on and access to corporate data with Workplace Join.

Users can enroll devices for access to the company portal for easy access to corporate applications.

IT can publish desktop virtualization resources for access to centralized resources.

Firewall

Page 6: Enterprise Mobility (Admin)

Platform Support

OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog; Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | Limited self service experience
Linux/Unix | ConfigMgr Agent | N/A

Page 7: Enterprise Mobility (Admin)

Unified Device Management Configuration

Device management integrated directly into console

Simple Windows Intune Subscription set-up

Centralized branding and customization of Company Portal experience

Windows Intune Connector deployed as a Site System Role

Page 8: Enterprise Mobility (Admin)

Registering and Enrolling Devices

IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.

Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.

As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.

Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.

Page 9: Enterprise Mobility (Admin)

How to get started

Page 10: Enterprise Mobility (Admin)

Mobile Device Inventory?

Personal vs Corporate Owned Devices

• By default, user-enrolled devices are “Personal”

• Admin can specify corporate-owned devices

• “Compromised” device detection

App inventory

• Personal devices – Inventory only apps installed by ConfigMgr/Intune

• Corporate devices – Complete inventory of all applications on the device*

App Management

• New global condition to differentiate app installs on corporate versus personal

* Inventory capability varies by device platform

Page 11: Enterprise Mobility (Admin)

Mobile Device Settings in ConfigMgr 2012 R2

Category | Windows 8.1 PC & RT | Windows Phone 8 | iOS | Android

VPN

Wi-Fi

Certificates

Password (*) (*) (*)

Device restrictions (*) (*)

Store access

Browsers (*) (*)

Content Rating

Cloud Sync (*)

Encryption (*) (*) (*)

Security (*) (*) (*)

Roaming (*) (*)

Windows Server Work Folders

* Subset of settings

Note: Table applicable to direct MDM and not EAS

Page 12: Enterprise Mobility (Admin)

Resource Access Configuration

Support platforms

Windows 8.1

Windows 8.1 RT

iOS

Android

Benefits

End users get access to company resources with no manual steps for them

New Features*

Configure networking profiles

VPN profiles

Support for Windows 8.1 Automatic VPN

Wi-Fi protocol and authentication settings

Management and distribution of certificates

Configure remote connection to work PCs

Page 13: Enterprise Mobility (Admin)

VPN Profile Management

Support for major SSL VPN vendors

DNS name-based initiation support for Windows 8.1 and iOS

Application ID based initiation support for Windows 8.1

Automatic VPN connection

Support for VPN standards like PPTP, L2TP, IKEv2

SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5

Subset of vendors have Windows

Windows RT VPN plug-in

Page 14: Enterprise Mobility (Admin)

Wi-Fi and Certificate Profiles

Wi-Fi settings

• Manage Wi-Fi protocol and authentication settings

• Provision Wi-Fi networks that device can auto connect

• Specify certificate to be used for Wi-Fi connection

Manage and distribute certificates

• Deploy trusted root certificates

• Support for Simple Certificate Enrollment Protocol (SCEP)

Page 15: Enterprise Mobility (Admin)
Page 16: Enterprise Mobility (Admin)

Inventory & Settings

Page 17: Enterprise Mobility (Admin)

People-centric Application Delivery

Accessing apps the right way, on the right device

Target applications based on user role the best way for each device

• Windows/Windows RT

• Windows Phone

• iOS

• Android

• OS X

Evaluate device capabilities for optimal application delivery

• Local installation

• Microsoft Application Virtualization

• Desktop Virtualization (VDI)

• Web applications

[Diagram labels: MSI, App-V (MDOP), RDS, Remote App, Native App/App Store]

Page 18: Enterprise Mobility (Admin)

User-centric Application Delivery

End User Self-Service

IT

Administrators publish software titles to catalog, complete with meta data to enable search

• Deliver best user experience on each device

Users can browse, select and install directly from Catalog

• Application model determines format and policies for delivery

User

Page 19: Enterprise Mobility (Admin)

Inventory & Settings

Page 20: Enterprise Mobility (Admin)

Work Folders

Sync files and data across devices

Configuration Manager and Windows Intune support

New settings to help provision the work folder discovery settings

Self-service portals have links to work folders

New feature in Windows 8.1 client and Windows Server 2012 R2

Page 21: Enterprise Mobility (Admin)

Protect your data

Help protect corporate information and manage risk

[Diagram: Enrollment, Lost or Stolen and Retired device states, with Personal Apps and Data, Company Apps and Data, Remote App, Policies and Centralized Data]

IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.

Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.

• Selective wipe removes corporate applications, data, certificates/profiles, and policies, as supported by each platform

• Full wipe if supported by each platform

• Can be executed by IT or by user via Company Portal

• Sensitive data or applications can be kept off device and accessed via Remote Desktop Services

Page 22: Enterprise Mobility (Admin)

Full and Selective Wipe

Category | Windows 8.1 (x86/RT OMA-DM managed) | Windows 8 RT | Windows Phone | iOS | Android
Full Wipe Not applicable Not applicable
Selective Wipe
Email (Email through EAS) (Email through EAS)
Company apps and associated data installed by using Configuration Manager and Windows Intune | Uninstalled and sideloading keys are removed. In addition any apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible | Sideloading keys removed but remain installed | Uninstalled and data removed | Uninstalled and data removed | Apps and data remain installed
VPN and Wi-Fi profiles | Removed | Not applicable | Not applicable | Removed | VPN: Not applicable; Wi-Fi: Not removed
Certificates | Removed and revoked | Not applicable | Not applicable | Removed and revoked | Revoked
Settings | Requirements removed | Requirements removed | Requirements removed | Requirements removed | Requirements removed
Management Client | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Management profile is removed | Device Administrator privilege is revoked

Page 23: Enterprise Mobility (Admin)

Unified Device Management Recap

Unregistered Registered MDM Enrolled Fully Managed

Publish email to users (EAS) Yes Yes Yes Yes

Publish work folders to users Yes Yes Yes Yes

Conditional access based on user, device, location Block device only Yes Yes Yes

Audit logging and monitoring Yes Yes Yes

Unified Device Management Yes Yes

Unified Application Management Yes Yes

Selective data wipe Yes Yes

Compliance reporting Yes Yes

Group Policy and login scripts Yes

OS deployment and imaging Yes

Configuration management Yes

Patch management Yes

Anti malware management Yes

Full application management Yes

BitLocker management Yes

Page 24: Enterprise Mobility (Admin)

For More Information

http://www.microsoft.com/workstyle

http://www.microsoft.com/server-cloud/user-device-management

More Resources:

System Center 2012 Configuration Manager http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33

Windows Intune http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy

Windows Server 2012 http://www.microsoft.com/en-us/server-cloud/windows-server

Page 25: Enterprise Mobility (Admin)