It was challenging enough to make sure everyone had access to the software and files they needed back in the days when we all worked on desktops in the office. But with your employees working on their own devices, both in and out of the office, it’s even harder to keep them fully equipped. Plus, you have the added challenge of making sure sensitive or proprietary information stays secure as people come and go with their own laptops, tablets, and smart phones. Fortunately, cloud technologies like Windows Intune are already available to help your business meet these challenges.
18. How Microsoft addresses today’s challenges
Users: Users expect to be able to work in any location and have access to all their work resources.
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
19. Empowering People-centric IT
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: Deliver a unified application and device management on-premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
Users, Devices, Apps, Data. Management. Access. Protection.
20. Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
Cloud-based Management – Standalone Windows Intune
• No existing Configuration Manager deployment
• Simplified policy control
• Fewer than 7,000 devices and 4,000 users
• Simple web-based administration console
21. Windows Intune – Standalone service
Windows PCs (x86/64, Intel SoC)
Windows RT, Windows Phone 8
iOS, Android
Manage up to 7,000 devices and 4,000 users
23. Mobile Device Management with Windows Intune
Direct management (Windows RT, Windows Phone 8, iOS)
EAS based management
24. Information Worker Self-service Experience
Connect every user's device to the service
Enable them to discover applications
Let users manage their own devices and data
Provide a premium end user experience
25. End User Experience
Consistent self-service experience for end user across mobile platforms
Windows RT: Company Portal. Native Windows application. Available in the Windows Store.
Windows Phone 8: Company Portal. Native Windows Phone 8 app (.xap). Side-loaded during enrollment.
iOS: Company Portal. Native iOS application. Available in the Apple App store.
26. End User Capabilities for each Platform
Capability | Windows 8 & Windows 8.1 | Windows RT & Windows 8.1 RT | Windows Phone 8 | iOS | Android
Enroll (local device) | Yes | Yes | Yes | Yes | EAS
Rename devices | Yes | Yes | Yes | Yes | No
Retire (un-enroll local device) | Yes | Yes | Yes | Yes | No
Remotely wipe other devices | Yes | Yes | No | No | No
Install enterprise LOB applications | Yes | Yes | Yes | Yes | Yes
Install publicly available applications | Yes | Yes | Yes | Yes | Yes
Browse to web links | Yes | Yes | Yes | Yes | Yes
Contact IT | Yes | Yes | Yes | Yes | Yes
27. Mobile Device Inventory
Hardware properties for mobile devices are collected through the Device Management Authority as well as Exchange ActiveSync.
No software inventory is collected for mobile devices, to respect the Information Worker's privacy on their own device.
IT Pros can track storage on mobile devices, which helps them anticipate and troubleshoot issues.
28. Settings Management
Security policy on devices (iOS, Windows RT and WP8)
Direct management and Exchange ActiveSync.
Reporting available on each setting whether it is applicable, conformant or has an error.
The same security policy template is used for both Direct Management and EAS to help Admins
Android and Windows Phone 7 devices can be managed through EAS
29. Application Management on Mobile Devices
Platforms | Windows 8/Windows RT | Windows Phone 8 | iOS | Android
Sideload to install | *.appx | *.xap | *.ipa | *.apk
Deep links to store apps – install from store
30. Software Distribution Summary
Desktop Apps
(.msi, .exe)
Platform
Modern App Types
Side loading
.appx
.xap
.ipa
.apk
Deep
Links
web
apps
Windows 8 Pro/Ent
√
√
√
√
Windows RT
**
√
√
√
√
√
√
√
√
√
√
iOS
√
Android
√
WP8
Windows 7 and below
**
√
Windows 8 SSP on WinRT will show MSI/EXE apps that can be remotely installed on other PCs linked to the user but cannot be installed on the local Windows RT device
√
31. Protect your data
Help protect corporate information and manage risk
• Selective wipe removes corporate applications, data, and policies, as supported by each platform
• Full wipe if supported by each platform
• Can be executed by IT or by user via Company Portal
• Sensitive data or applications can be kept off device and accessed via Remote Desktop Services
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Diagram labels: Enrollment, Lost or Stolen, Retired; Personal Apps and Data; Company Apps and Data; Policies; Remote App; Centralized Data.
32. Recap: MDM Features per Platform
Management
Feature
Windows RT
Windows
Phone 8
iOS
Y
Y
Y
Y
Y
Y
Y
Settings
Management
Y
Y
Y
Y
Software
Distribution
Y
Y
Y
Y
Y
Y
Y
Over-the-air
Enrollment
Inventory
Remote Wipe
Android
35. Windows Intune integrated with System Center 2012 R2
Configuration Manager
Windows PCs (x86/64, Intel SoC), Windows to Go
Windows Embedded
Mac OS X
Windows RT, Windows Phone 8
iOS, Android
36. Manage and Secure PCs and Devices Anywhere
Simple web-based Administration Console and a richer experience for Information Workers
Help protect PCs from malware
Manage updates
Distribute software
Proactive monitoring and alerts
Provide remote assistance
Inventory hardware and software
Monitor & track licenses
Increase insight with reporting
Set security policies
Richer Mobile Device Management
37. Non-intrusive Management
Management tasks can work with the Windows 8 maintenance window
Management tasks do not interrupt if the end user is immersed in a modern application
38. Mobile device wipe and retire
Category
Full Wipe
Windows 8.1
(MDM managed)
Not applicable
Windows 8 RT
Not applicable
Windows Phone
iOS
Android (EAS)
Retire (Selective wipe)
(Email through EAS)
(Email through EAS)
Company apps
and associated
data installed by
using
Configuration
Manager and
Windows Intune
Uninstalled and sideloading
keys are removed.
In addition any apps using
Windows Selective Wipe will
have the encryption key
revoked and data will no
longer be accessible
Sideloading keys
removed but remain
installed
Settings
Requirements removed
Management
Client
Not applicable. Management
agent is built-in
Email
(Email through EAS)
Uninstalled and data
removed
Uninstalled and data
removed
Apps and data remain
installed
Requirements removed Requirements removed Requirements removed Requirements removed
Not applicable.
Management agent is
built-in
Not applicable.
Management agent is
built-in
Management profile is
removed
Not applicable.
Management agent is
built-in
39. Mobile Device Settings
Setting name
EAS
WinRT/ WinPh8
iOS
(Activesync)
Require a password to unlock mobile devices
√
√
Required password type
√
√
√
Minimum password length
√
√
√
Allow simple passwords
√
√
√
Number of repeated sign-in failures before device is wiped
√
√
√
Minutes of inactivity before device screen is locked
√
√
√
Password expiration (days)
√
√
√
Remember password history
Password
√
√
√
√
√
Allow convenience logon (WindowsRT only)
Allow camera
√
Allow web browser
Device restrictions
√
√
√
Allow backup to iCloud (iOS only)
√
Allow documents sync to iCloud (iOS only)
√
Allow photostream sync to iCloud (iOS only)
√
Maximum size of e-mail attachments
Encryption
E-mail synchronization for last (days)
√
Allow mobile devices that don’t fully support these settings to synchronize with Exchange
Email
√
√
Require encryption on mobile device
√
Require encryption on storage cards
√
40. Mobile Device Inventory
Property
Win RT
WP8
iOS
Android (EAS)
Device name
Y
Y
Y
Y
Unique device ID
Y
Y
Y
Serial number
Y
Email address
Y
Y
OS type
Y
Y
OS version
Y
Y
OS language
Y
Y
Y
Y
Y
Y
Y
Total storage space (GB)
Y
Y
Free Storage space (GB)
Y
Y
System enclosure Chassis
Y
System enclosure IMEI
Y
Manufacturer
Y
Y
Model
Y
Y
Y
Y
Phone number (masked except last 4 digits)
Y
Y
Subscriber carrier
Y
Cellular technology (none, GSM, CDMA)
Y
Wi-Fi MAC
Y
Enrolled date (local time)
Y
Y
Y
Last contact (local time)
Y
Y
Y
Y
Y
Last Exchange status
Y
Last Policy update status
Y
Access State
Y
Access state reason
Y
Management state
Y
ActiveSync ID
Y
41. Flexible Licensing that Fits Your Needs
Don’t have Configuration Manager:
Windows Intune (includes Configuration Manager license): $6 per user per month
Windows Intune & Windows Enterprise (includes Configuration Manager license): $11 per user per month
Already have Configuration Manager:
Windows Intune (Add-On): $4 per user per month
• Single License: Windows Intune and Configuration Manager
• Per User Licensing
• Up to 5 devices/user
42. For More Information
System Center 2012 Configuration Manager
http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012
http://www.microsoft.com/en-us/server-cloud/windowsserver
More Resources:
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management