User and Device Management
Tomáš „Kanty“ Kantůrek, [email protected]
Today's challenges
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
Users: Users expect to be able to work in any location and have access to all their work resources.
Empowering People-centric IT
Management. Access. Protection.
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: Deliver unified application and device management on-premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
User and Device Management
Enable users
Access to company resources consistently across devices
Simplified registration and enrollment of devices
Synchronized corporate data
Unify your environment
On-premises and cloud-based management of devices within a single console.
Simplified, user-centric application management across devices
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Protect your data
Protect corporate information by selectively wiping apps and data from retired/lost devices
A common identity for accessing resources on-premises and in the cloud
Identify which mobile devices have been compromised
Enable users
Challenges
• Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
• Users want an easy way to be able to access their corporate applications from anywhere.
• IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Solutions
• Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
• Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
• IT can publish access to corporate resources with conditional access based on the user's identity, the device they are using, and their location.
Helping IT to enable users
• IT can publish access to resources with the web application proxy based on device awareness and the user's identity.
• IT can provide seamless corporate access.
• Users can work from anywhere on their devices with access to their corporate resources.
• Users can register devices for single sign-on and access to corporate data with Workplace Join.
• Users can enroll devices for access to the company portal for easy access to corporate applications.
• IT can publish desktop virtualization resources for access to centralized resources.
(Diagram: Firewall; Files, LOB Apps, Web Apps; RD Gateway, VDI session host.)
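The conditional access decision the slides describe combines three factors: who the user is, what IT knows about the device (unknown, registered through Workplace Join, or MDM enrolled), and where the request comes from. The following is an added example, not code from the presentation or from AD FS / Web Application Proxy; the policy shape, group names and resource names are constructed for illustration.

```python
"""Conditional access decision modelled after the 'Enable users' slides.

Added example, not code from the presentation or from any Microsoft product.
The policy shape, group names and resource names are constructed for
illustration; a real deployment expresses these in AD FS / Web Application
Proxy configuration, not in Python.
"""
from dataclasses import dataclass
from enum import IntEnum


class DeviceState(IntEnum):
    """How much IT knows about the device, ordered from least to most trusted."""
    UNKNOWN = 0      # never registered: no device authentication possible
    REGISTERED = 1   # Workplace Join: device known, device certificate issued
    ENROLLED = 2     # MDM enrolled: company portal available, policies applied


@dataclass(frozen=True)
class AccessPolicy:
    resource: str
    allowed_groups: frozenset           # user identity factor
    required_inside: DeviceState        # device factor when on the corporate network
    required_outside: DeviceState       # device factor when coming from the internet


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_state: DeviceState
    location: str                       # "internal" or "external"


def evaluate(policy: AccessPolicy, req: AccessRequest):
    """Return (granted, reason). Identity, device and location are all checked."""
    if not (req.groups & policy.allowed_groups):
        return False, f"{req.user} is not in an allowed group for {policy.resource}"
    if req.location == "internal":
        required = policy.required_inside
    elif req.location == "external":
        required = policy.required_outside
    else:
        return False, f"unrecognised location {req.location!r}"
    if req.device_state < required:
        return False, (f"{policy.resource} requires a {required.name} device "
                       f"from {req.location}; device is {req.device_state.name}")
    return True, f"{req.user} granted {policy.resource} from {req.location}"


# Constructed policies for the example.
POLICIES = {
    # Intranet web app published through the proxy: any device inside,
    # a registered (Workplace Joined) device from outside.
    "intranet-web": AccessPolicy("intranet-web", frozenset({"employees"}),
                                 DeviceState.UNKNOWN, DeviceState.REGISTERED),
    # Sensitive file share: only enrolled, policy-managed devices anywhere.
    "finance-files": AccessPolicy("finance-files", frozenset({"finance"}),
                                  DeviceState.ENROLLED, DeviceState.ENROLLED),
}


def decide(resource: str, req: AccessRequest):
    """Look up the policy for a resource; unknown resources are denied by default."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, f"no policy published for {resource}; default deny"
    return evaluate(policy, req)


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"employees", "finance"}),
                          DeviceState.REGISTERED, "external")
    for res in ("intranet-web", "finance-files", "payroll"):
        print(decide(res, alice))
```

The point of the ordered `DeviceState` is that a registered device clears the bar for the intranet web app from outside but not for the file share that demands an enrolled, policy-managed device; a resource with no published policy is denied rather than silently allowed.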
People-centric Application Delivery: Accessing apps the right way, on the right device
Target applications based on user role the best way for each device
• Windows/Windows RT
• Windows Phone
• iOS
• Android
• OS X
Evaluate device capabilities for optimal application delivery
• Local installation
• Microsoft Application Virtualization
• Desktop Virtualization (VDI)
• Web applications
(Diagram: delivery technologies MSI, App-V (MDOP), RDS RemoteApp, native app / app store.)
Protect your data
Challenges
• As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
• A significant amount of corporate data can only be found locally on user devices.
• IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solutions
• Users can work on the device of their choice and be able to access all their resources, while IT can identify at-risk devices through jailbreak and root detection.
• IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
• IT can centrally audit and report on information access.
Help protect corporate information and manage risk
(Diagram: device lifecycle from Enrollment through Lost or Stolen and Retired; each device carries Personal Apps and Data, Company Apps and Data, Remote App and Policies; Centralized Data is reached through Remote App.)
• IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
• Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
• Identify at-risk devices through jailbreak and root detection
• Selective wipe removes corporate applications, data, certificates/profiles, and policies, as supported by each platform
• Full wipe as supported by each platform
• Can be executed by IT or by user via Company Portal
• Sensitive data or applications can be kept off device and accessed via Remote Desktop Services
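The difference between a selective wipe (company apps, data, certificates/profiles and policies go; personal content stays) and a full wipe, and the "as supported by each platform" caveat, is easier to reason about with a small model. The following is an added example, not code from the presentation or from Windows Intune / Configuration Manager; the per-platform support matrix and the device inventory are constructed assumptions for illustration only.

```python
"""Selective wipe versus full wipe, modelled after the 'Protect your data' slides.

Added example, not code from the presentation or from Windows Intune /
Configuration Manager. The per-platform support matrix below is an
assumption made for illustration; the slides only say that what a selective
or full wipe removes is 'as supported by each platform'.
"""
from dataclasses import dataclass
from enum import Enum


class Owner(Enum):
    COMPANY = "company"
    PERSONAL = "personal"


class Kind(Enum):
    APP = "app"
    DATA = "data"
    CERTIFICATE = "certificate"
    PROFILE = "profile"          # VPN / Wi-Fi / e-mail profile
    POLICY = "policy"


@dataclass(frozen=True)
class Item:
    name: str
    kind: Kind
    owner: Owner


# Constructed support matrix (assumption): which item kinds a selective wipe
# can remove on each platform, and whether a full wipe is available.
SELECTIVE_WIPE_KINDS = {
    "windows": {Kind.APP, Kind.DATA, Kind.CERTIFICATE, Kind.PROFILE, Kind.POLICY},
    "ios":     {Kind.APP, Kind.DATA, Kind.CERTIFICATE, Kind.PROFILE, Kind.POLICY},
    "android": {Kind.APP, Kind.DATA, Kind.POLICY},
}
FULL_WIPE_SUPPORTED = {"windows": False, "ios": True, "android": True}


def selective_wipe(items, platform):
    """Remove company-owned items the platform supports; personal items are untouched.

    Returns (remaining, removed, left_behind) so IT can see what the platform
    could not remove and follow up on it.
    """
    supported = SELECTIVE_WIPE_KINDS[platform]
    remaining, removed, left_behind = [], [], []
    for item in items:
        if item.owner is Owner.PERSONAL:
            remaining.append(item)
        elif item.kind in supported:
            removed.append(item)
        else:
            remaining.append(item)
            left_behind.append(item)
    return remaining, removed, left_behind


def full_wipe(items, platform):
    """Factory-reset semantics: everything goes, if the platform offers it."""
    if not FULL_WIPE_SUPPORTED[platform]:
        raise ValueError(f"full wipe is not supported on {platform}")
    return [], list(items), []


def wipe_for_event(items, platform, event, initiator):
    """Pick the wipe type from the lifecycle event on the slides.

    'retired'        -> selective wipe (user keeps their personal device intact)
    'lost_or_stolen' -> full wipe where supported, otherwise selective wipe
    initiator is 'it' or 'user' (the user acting through the Company Portal).
    """
    if initiator not in ("it", "user"):
        raise ValueError("initiator must be 'it' or 'user'")
    if event == "retired":
        return "selective", selective_wipe(items, platform)
    if event == "lost_or_stolen":
        if FULL_WIPE_SUPPORTED[platform]:
            return "full", full_wipe(items, platform)
        return "selective", selective_wipe(items, platform)
    raise ValueError(f"unknown lifecycle event {event!r}")


# Constructed inventory for one BYOD device.
SAMPLE_DEVICE = [
    Item("Photos", Kind.DATA, Owner.PERSONAL),
    Item("Personal e-mail", Kind.APP, Owner.PERSONAL),
    Item("Expense app", Kind.APP, Owner.COMPANY),
    Item("Sales forecast.xlsx", Kind.DATA, Owner.COMPANY),
    Item("Corp Wi-Fi profile", Kind.PROFILE, Owner.COMPANY),
    Item("User cert", Kind.CERTIFICATE, Owner.COMPANY),
    Item("PIN policy", Kind.POLICY, Owner.COMPANY),
]

if __name__ == "__main__":
    kind, (remaining, removed, left) = wipe_for_event(SAMPLE_DEVICE, "android", "retired", "user")
    print(kind, [i.name for i in removed], "left behind:", [i.name for i in left])
```

The `left_behind` list is the practical output: a selective wipe that cannot remove a certificate or profile on a given platform leaves a company credential on a device IT no longer controls, and that residue is what a follow-up (certificate revocation, profile expiry) has to address.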
Unify your environment
Challenges
• MDM products are typically delivered as point solutions, which do not integrate with the main PC management solution already in use.
• Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solutions
• IT has a single “pane of glass” to view and manage all managed devices, whether on-premises or cloud-based, PCs or mobile devices.
• Users and IT can leverage their common identity for access to external resources through federation.
Providing users with a common identity
• IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Windows Azure Active Directory.
• Users are more productive by having a single sign-on to all their resources.
• IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.
• Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365, and third-party applications.
• Developers can build applications that leverage the common identity model.
(Diagram: Active Directory providing access to Files, LOB Apps and Web Apps.)
Unify your environment: Deliver comprehensive application and device management
• IT can manage the device and application lifecycle
• Unified infrastructure enables IT to manage devices “where they live”
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
(Diagram: a single admin console serving both IT and users.)
Windows Intune – Standalone service
• Web-based admin console for IT
• Windows PCs (x86/64, Intel SoC); Windows RT, Windows Phone 8; iOS, Android
• Manage up to 7,000 devices and 4,000 users
Manage and Secure PCs and Devices Anywhere
Help protect PCs from malware
Manage updates
Proactive monitoring and alerts
Provide remote assistance
Inventory hardware and software
Monitor & track licenses
Increase insight with reporting
Set security policies
Distribute software
Richer Mobile Device Management
Simple web-based Administration Console and a richer experience for Information Workers
End User Experience: consistent self-service experience for end users across mobile platforms
Windows RT Company Portal: native Windows application, available in the Windows Store
Windows Phone 8 Company Portal: native Windows Phone 8 app (.xap), side-loaded during enrollment
iOS Company Portal: native iOS application, available in the Apple App Store
End User Capabilities for each Platform
Capability                              | Windows 8 & 8.1 | Windows RT & 8.1 RT | Windows Phone 8 | iOS | Android
Enroll (local device)                   | Yes | Yes | Yes | Yes | EAS
Rename devices                          | Yes | Yes | Yes | Yes | No
Retire (un-enroll local device)         | Yes | Yes | Yes | Yes | No
Remotely wipe other devices             | Yes | Yes | No  | No  | No
Install enterprise LOB applications     | Yes | Yes | Yes | Yes | Yes
Install publicly available applications | Yes | Yes | Yes | Yes | Yes
Browse to web links                     | Yes | Yes | Yes | Yes | Yes
Contact IT                              | Yes | Yes | Yes | Yes | Yes
Application Management on Mobile Devices
Platform             | Sideload to install | Deep links to store apps (install from store)
Windows 8/Windows RT | *.appx              | Yes
Windows Phone 8      | *.xap               | Yes
iOS                  | *.ipa               | Yes
Android              | *.apk               | Yes
Software Distribution Summary
Platform            | Desktop apps (.msi, .exe) | Modern app side loading | Deep links | Web apps
Windows 8 Pro/Ent   | √                         | √ (.appx)               | √          | √
Windows RT          | **                        | √ (.appx)               | √          | √
iOS                 |                           | √ (.ipa)                | √          | √
Android             |                           | √ (.apk)                | √          | √
WP8                 |                           | √ (.xap)                | √          | √
Windows 7 and below | √                         |                         |            | √
** Windows 8 SSP on WinRT will show MSI/EXE apps that can remotely install to other PCs linked to the user, but not installable on the local Windows RT device
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
• Build on existing Configuration Manager deployment
• Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting)
• Deep policy control requirements
• Scale to 200,000 mobile devices
• Extensible administration tools (RBA, Windows PowerShell, SQL Reporting Services)
Platform Support
OS Platform                        | Management Agent                             | End User Experience
Windows 8.1 PC                     | ConfigMgr Agent or Management Agent (OMA-DM) | Software Center/Application Catalog or Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent                              | Software Center/Application Catalog
Windows RT                         | Management agent (OMA-DM)                    | Windows Company Portal app
Windows Phone 8                    | Management agent (OMA-DM)                    | Windows Phone 8 Company Portal app
iOS                                | Apple MDM Protocol                           | iOS Company Portal app
Android                            | Android MDM agent (OMA-DM)                   | Android Company Portal app
Mac                                | ConfigMgr Agent                              | Limited self service experience
Linux/Unix                         | ConfigMgr Agent                              | N/A
Resource Access Configuration
Supported platforms: Windows 8.1, Windows 8.1 RT, iOS, Android
Benefits: End users get access to company resources with no manual steps for them
New Features*
• Configure networking profiles
• VPN profiles, with support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Management and distribution of certificates
• Configure remote connection to work PCs
* Varies based on device platform
User-centric Application Delivery: Administration
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
• Primary devices: MSI, App-V, Windows 8 apps, Windows 8 apps in the Windows Store
• Non-primary devices: VDI, Remote Desktop
User-centric Application Delivery: End User Self-Service
• IT administrators publish software titles to the catalog, complete with metadata to enable search
• Deliver best user experience on each device
• Users can browse, select and install directly from the Catalog
• Application model determines format and policies for delivery
Unified Device Management Configuration
Device management integrated directly into console
Simple Windows Intune Subscription set-up
Centralized branding and customization of Company Portal experience
Windows Intune Connector deployed as a Site System Role
Security and Compliance: Endpoint Protection
Unified Infrastructure: simplified server and client deployment; streamlined updates; consolidated reporting.
Comprehensive Protection Stack: behavior monitoring; antimalware; Dynamic Translation; Windows Firewall management.
Security and Compliance: Settings Management
(Diagram: the ConfigMgr management point delivers a baseline to the ConfigMgr agent, which evaluates configuration items drawn from WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File and Active Directory; on baseline drift the agent can auto remediate or create an alert to Service Manager.)
Baseline configuration items are assigned to collections and evaluated for baseline drift.
Improved functionality: copy settings; trigger console alerts; richer reporting.
Enhanced versioning and audit tracking: ability to specify versions to be used in baselines; audit tracking includes who changed what.
Pre-built industry standard baseline templates through the IT Governance, Risk & Compliance (GRC) Solution Accelerator.
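The settings management flow on this slide (a versioned baseline of configuration items, drift detection on the client, and the choice between auto-remediation and raising an alert, with audit tracking of who changed the baseline) can be shown end to end in a small model. The following is an added example, not Configuration Manager code; the configuration item sources are the slide's, while the device state dictionary, the baseline contents and the audit entry shape are constructed for illustration.

```python
"""Baseline evaluation with drift detection, auto-remediation and alerting,
modelled after the 'Settings Management' slide.

Added example, not code from Configuration Manager. The configuration item
sources (registry, file, WMI, ...) are the slide's; the device state is
represented here as a plain dict keyed by (source, path), which is a
simplification made for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConfigurationItem:
    name: str
    source: str           # "registry", "file", "wmi", "script", ...
    path: str
    expected: object
    auto_remediate: bool  # allowed to fix drift in place, or alert only


@dataclass
class Baseline:
    name: str
    version: int
    items: tuple
    audit: list = field(default_factory=list)   # who changed what, per version


@dataclass
class Report:
    baseline: str
    version: int
    compliant: bool
    remediated: list
    alerts: list


def evaluate_baseline(baseline, device_state, allow_remediation=True):
    """Compare each CI with the device; remediate or alert on drift.

    device_state maps (source, path) -> current value and is mutated when a
    CI is remediated, mirroring the agent applying the desired value.
    """
    remediated, alerts = [], []
    for ci in baseline.items:
        key = (ci.source, ci.path)
        actual = device_state.get(key)
        if actual == ci.expected:
            continue
        if allow_remediation and ci.auto_remediate:
            device_state[key] = ci.expected
            remediated.append(f"{ci.name}: {actual!r} -> {ci.expected!r}")
        else:
            # Alert-only CIs surface drift to the console / Service Manager.
            alerts.append(f"{ci.name}: expected {ci.expected!r}, found {actual!r}")
    return Report(baseline.name, baseline.version, not alerts, remediated, alerts)


def revise_baseline(baseline, changed_by, new_items):
    """Produce the next version and record who changed what (audit tracking)."""
    old = {ci.name: ci for ci in baseline.items}
    new = {ci.name: ci for ci in new_items}
    changes = [n for n in new if n not in old or new[n] != old[n]]
    changes += [n for n in old if n not in new]
    entry = {"version": baseline.version + 1, "by": changed_by, "changed": sorted(changes)}
    return Baseline(baseline.name, baseline.version + 1, tuple(new_items),
                    baseline.audit + [entry])


# Constructed baseline: a few hardening settings, two of them alert-only.
FW_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall"
LOCK_KEY = r"HKCU\Control Panel\Desktop\ScreenSaverIsSecure"
HARDENING_V1 = Baseline("Workstation hardening", 1, (
    ConfigurationItem("Firewall on", "registry", FW_KEY, 1, True),
    ConfigurationItem("Screen lock", "registry", LOCK_KEY, "1", True),
    ConfigurationItem("Local admin count", "script", "count-local-admins", 1, False),
    ConfigurationItem("BitLocker status", "wmi", "Win32_EncryptableVolume.ProtectionStatus", 1, False),
))


def sample_device():
    """Constructed device state with two drifted settings."""
    return {
        ("registry", FW_KEY): 0,                  # drift, fixable in place
        ("registry", LOCK_KEY): "1",
        ("script", "count-local-admins"): 3,     # drift, alert only
        ("wmi", "Win32_EncryptableVolume.ProtectionStatus"): 1,
    }


if __name__ == "__main__":
    state = sample_device()
    print(evaluate_baseline(HARDENING_V1, state))
    print(evaluate_baseline(HARDENING_V1, state))   # second pass: only the alert remains
```

The second evaluation pass shows why remediation and alerting are kept separate: the firewall setting has been put back and no longer appears, while the extra local administrators still raise an alert because that is a finding to investigate, not a value to overwrite blindly.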
Security and Compliance: Software Update
(Diagram: CAS; primary site MP role assigns policy to scan for update status or to deploy updates; primary site SUP role/WSUS downloads updates from Microsoft Update; primary site DP role distributes updates; the site identifies who needs updates and reports on compliance.)
Auto Deployment: faster deployment through search; schedule content download and deployment to avoid reboots during work hours.
State-based Updates: allows individual or group deployment; updates added to groups auto deploy to targeted collections.
Optimized for New Content Model: reduced replication and storage; expired updates and content deleted.
Role-based Administration
Question                                                   | ConfigMgr 2007                     | ConfigMgr 2012
What types of objects can I see and what can I do to them? | Class rights                       | Security roles
Which instances can I see and interact with?               | Object instance permissions        | Security scopes
Which resources can I interact with?                       | Site specific resource permissions | Collection limiting
Example administrators:
• Meg – WW Central System Administrator
• Louis – Software Update Manager for France
  • Can see & update “France” desktops
  • Cannot modify security settings on “France” desktops
  • Cannot see “All Systems” or “U.S.” desktops
• Bob – US and France Security Admin
  • Can see and modify security settings on “France” and “U.S.” desktops
  • Cannot update “France” or “U.S.” desktops
  • Cannot see “All Systems”
Map the organizational roles of your administrators to defined security roles (security organization role, geography); this reduces error and defines the span of control for the organization.
RBA enhancements in R2 include SQL Reporting.
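The three questions on this slide (security roles, security scopes, collection limiting) are independent checks that must all pass, and the Meg / Louis / Bob examples can be reproduced with them. The following is an added example, not Configuration Manager code: the role names match the slide's examples, but the operation sets inside each role, the scope names and the collection layout are constructed for illustration.

```python
"""Role-based administration checks modelled after the RBA slide: security
roles answer 'what can I do to which object types', security scopes answer
'which instances', collection limiting answers 'which resources'.

Added example, not Configuration Manager code. The role names match the
slide's examples; the operation sets inside each role, the scope names and
the collection layout are constructed for illustration.
"""
from dataclasses import dataclass

ANY = "*"

# Constructed role definitions: (object class, operation) pairs a role grants.
ROLES = {
    "Full Administrator": {(ANY, ANY)},
    "Software Update Manager": {
        ("Collection", "read"), ("Device", "read"),
        ("SoftwareUpdate", "read"), ("SoftwareUpdate", "deploy"),
    },
    "Security Administrator": {
        ("Collection", "read"), ("Device", "read"),
        ("Device", "modify_security"), ("SecurityRole", "read"),
    },
}

# Constructed collection layout; All Systems is the parent of everything.
COLLECTIONS = {
    "All Systems": {"parent": None},
    "France Desktops": {"parent": "All Systems"},
    "U.S. Desktops": {"parent": "All Systems"},
}


@dataclass(frozen=True)
class AdminUser:
    name: str
    roles: frozenset
    scopes: frozenset        # security scopes; "All" means unscoped
    collections: frozenset   # limiting collections; "All Systems" means unrestricted


def role_allows(admin, obj_class, operation):
    """Security role: is this operation on this object class granted at all?"""
    for role in admin.roles:
        grants = ROLES[role]
        if (ANY, ANY) in grants or (obj_class, operation) in grants:
            return True
    return False


def scope_allows(admin, scope):
    """Security scope: is this object instance in one of the admin's scopes?"""
    return scope is None or "All" in admin.scopes or scope in admin.scopes


def collection_allows(admin, collection):
    """Collection limiting: visible if it, or an ancestor, is a limiting collection."""
    if collection is None or "All Systems" in admin.collections:
        return True
    node = collection
    while node is not None:
        if node in admin.collections:
            return True
        node = COLLECTIONS[node]["parent"]
    return False


def check(admin, operation, obj_class, scope=None, collection=None):
    """All three questions must answer yes; any miss is a deny."""
    return (role_allows(admin, obj_class, operation)
            and scope_allows(admin, scope)
            and collection_allows(admin, collection))


# The three administrators from the slide.
MEG = AdminUser("Meg", frozenset({"Full Administrator"}), frozenset({"All"}),
                frozenset({"All Systems"}))
LOUIS = AdminUser("Louis", frozenset({"Software Update Manager"}),
                  frozenset({"France"}), frozenset({"France Desktops"}))
BOB = AdminUser("Bob", frozenset({"Security Administrator"}),
                frozenset({"France", "U.S."}),
                frozenset({"France Desktops", "U.S. Desktops"}))

if __name__ == "__main__":
    print("Louis deploys updates to France desktops:",
          check(LOUIS, "deploy", "SoftwareUpdate", scope="France", collection="France Desktops"))
    print("Louis sees U.S. desktops:", check(LOUIS, "read", "Device", collection="U.S. Desktops"))
    print("Bob deploys updates:", check(BOB, "deploy", "SoftwareUpdate", scope="France", collection="France Desktops"))
```

Because `All Systems` is the root of the collection tree, an administrator limited to `France Desktops` can never walk up to it; that is what keeps Louis and Bob from seeing "All Systems" while Meg, whose limiting collection is the root itself, sees everything.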
Operating System Deployment
Multiple Deployment Method Support
• PXE initiated deployment allows client computers to request deployment over the network
• Multicast deployment to conserve network bandwidth
• Stand-alone media deployment for no network connectivity or low bandwidth
• Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
• User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
(Diagram: CAS; primary site MP role; primary site DP role holding the image and task sequence; WDS PXE server; reporting.)
Core Operating System Deployment Scenarios
Scenario                     | Key Functionality
New computer                 | Fresh install of a new operating system on client or server system; new or repurposed hardware
PXE boot                     | Integrate with Windows Deployment Services (WDS) PXE server; self-provisioning via F12
Wipe-and-load                | Install new version of operating system; reinstall applications and user state under new operating system
Side-by-side                 | Similar to wipe-and-load, except between two different devices
Offline with removable media | With low bandwidth or no connectivity; large software packages are on the media
Prestaged media              | Optimized for network bandwidth; speeds up end-to-end deployment
Client Activity and Health
• In-console view of client health
• Threshold-based console alerts
• Heartbeat DDRs
• HW/SW inventory and status
• Remediation
Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to:
• Understand software installation profiles
• Plan for hardware upgrades
• Identify over or under licensing issues
• Track custom apps or groups of titles
(Diagram: ConfigMgr inventory feeds the Asset Intelligence Catalog and Asset Intelligence Service, providing real-time application and hardware intelligence together with software metering and license reports.)
Summary
(Feature matrix grouped under Enable, Unify and Simplify, with columns for System Center 2012 Configuration Manager, 2012 SP1 and 2012 R2; the per-version cell placement did not survive extraction.)
Feature areas: Role-based Administration; Content Management; Software Update Management; Reduced Infrastructure Requirements; User-centric Application Delivery; Modern Device Management; Compliance and Settings Management; Endpoint Protection; Operating System Deployment; Asset Intelligence, Inventory and Software Metering; Modern Management Console (new Windows PowerShell support, additional cmdlets); Client Health (improved); Distribution Point for Windows Azure (new).
Cell labels recovered from the matrix: EAS; User-centric; Updated engine; RBA in Reporting; Windows 8.1 support; Web App deployment; Integrated; Auto remediation; Unified; Win 8 Apps; Flexible hierarchies; Real-time actions; User profile and data; and several entries marked New or Improved.
Information sources
TechNet Blog: http://www.technetblog.cz/system-center, http://www.technetblog.cz/intune
Microsoft Virtual Academy: http://www.microsoftvirtualacademy.com
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.