More info on http://techdays.be.

2. Agenda
• What is User Centric Management and Why do I care?
• Device Centric Management
• User Centric Management with Configuration Manager 2012
• User Centric Management with InTune
• Hybrid InTune/Configuration Manager

3. Introduction to User Centric
Management

4. Management
• The past – Device Centric Management
• Today – Mixed Management
• Tomorrow – User Centric Management

5. The times, they are a changing…..
Your computer IS your tool for work
Your computer CONTAINS your tool for work

6. Circle of influence is shrinking….
…. To this
From this….
Well its really a
square…..

7. Why implement UCM
• Device Choice • Manage all devices through single interface
• Application Self-service • Deliver applications to the user, not the device
• Personalized Application Experience • Integrated security and compliance
• Non-intrusive management • Reduced infrastructure complexity
Single admin
console
Access to corp resources
across devices & platforms

8. Managing devices in the enterprise

9. Evolution of Microsoft Management
2012 2012
+
Client Management Infancy Laptops, Servers, Comprehensive Management Consumerization
Groups Model
(NT Domain) Enterprise Scale Management from the Cloud of IT

10. The User is the Focus
•
•
•
•

11. Bring Your Own Device
• Many companies embracing this (if they know it or not)
• More users are than administrators know about generally
• The first vast BYOD solution was VDI (VMWare View or XenDesktop)
• Offered broad device support to get to a Windows Desktop
• Issue is that the Windows Desktop (<8) does not work well with touch
• The “desktop” was the “app”
• Today, apps are cross platform, and multi-platform.
• You can deliver just the app, without the desktop
• You need a way to manage all of this

12. Moving towards User Centric
Management

13. The process
1. Understand your existing Device Centric models
2. Configuration Manager – Move to User Collections
3. Configuration Manager – Implement Application Catalog
4. InTune – Extend to non-managed devices
5. Federation – Single management infrastructure

14. Device Centric Management
• You (IT) owned the device (PC).
• The PC was the “tool” for work.
• In manage cases restricted, locked down, and highly controlled.
• Encouraged the “Work Computer” and “Home Computer” model
• Simplified Access to Work Tools
• DA
• VPN
• VDI

15. Why it does not work today
• Devices are prolific, cheap, and available.
• There is more than one choice in Operating System
• Users are more savvy, and have more devices.
• There is a trend towards “apps” as tools instead of “hardware” as
tools.
• Blame Apple, “there’s and app for that”.
• The boundaries of “work” are gone
• Both physical and chronological

16. Modern Device Management
Devices & Platforms
Single admin
console

17. Windows Embedded Support
• Windows XP Embedded Supported Write Filters
Thin Clients • Windows Embedded Standard 2009 • File Based Write Filters (FBFW)
• Windows Embedded Standard 7 (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Same as Thin Clients, plus Ability to force persistence of changes for
POS/Kiosk • POS Ready 2009 • Applications
• POS Ready 8 • Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
• Windows Embedded Standard 2009 Eventual persistence of changes for
Digital Signage • Windows Embedded Standard 7 • Client agent settings
• Settings management remediation
• Power management
Repurposed PC • Windows Thin PC Without write filters enabled, embedded devices can be managed like
any other Windows client. When write filters
are enabled, they require special handling, now provided seamlessly in
SP1

18. Linux & UNIX Servers
• Version 4 (x86/x64) Supported OS’s across both:
Red Hat Enterprise
Linux • Version 5 (x86/x64) • Configuration Manager
• Version 6 (x86/x64) • Operations Manager
Old versions supported as long as vendor provides support
• Version 9 (SPARC)
Solaris • Version 10 (SPARC/x86)
Broader Linux distro support being evaluated
for future releases
• Version 9 (x86)
SUSE Linux
• Version 10 SP1 (x86/x64)
Enterprise Server • Version 11 (x86/x64)
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run
maintenance scripts that target a collection
Consolidated reports

19. Mac OS X
10.6 (Snow Leopard)
10.7 (Lion)
Push Software Distribution
Settings Management
Hardware and Software Inventory

20. CM 2012 SP1 - Updates
Wider client operating system and application support
• Windows 8 and Windows To Go
• Windows Server 2012 site systems and clients
• Mac OS clients, Linux and Unix servers
• SQL Server 2012 Configuration Manager database
Better feature support
• Metered connections and always on, always connected in Windows 8
• New deployment types for Windows 8 applications
• Configurable user data and profiles for folder redirection, offline files, and roaming profiles
Greater manageability
• Virtual environment support
• PowerShell cmdlets
• Client notification
• Email alerts for all features

21. UCM with Configuration Manager

22. Designing a User Centric Delivery
• Deliver best user experience on each device Delivery Evaluation Criteria
• Define application once
• User
• Device type
< >
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop

23. User-centric Application Delivery
New Application Model
General Information
Application Administrator Properties
“Package”
End User Metadata
< >
Deployment Type
App-V Detection Method
Windows Script Install Command
Windows Installer Requirement Rules
CAB Dependencies
Supersedence

24. User-centric Application Delivery
End User Self-service
Administrators publish software titles
to catalog, complete with meta data to
enable search
• Deliver best user experience
on each device
IT
Users can browse, select and install
directly from Catalog
• Application model determines
format and policies for delivery
User

25. Components
• User Collections
• User Deployments
• Mixed deployment types
• Application Catalog
• Primary Device settings and rules
• User policies

26. UCM with InTune

27. What’s New in Windows Intune
Unified Management Solution Company Portal Application
Windows RT and Windows 8 Phone
User-Based Licensing
Application Distribution
Direct Mobile Device Management

28. Cloud-based Self-service Portal
Securely provision application
from anywhere
Single point for application
requests
Users only see the software
they have permission to
request

29. Company Portal Capabilities
Action user can take through the Windows RT Windows iOS Android
company portal Phone 8
Enroll local device   
Rename devices 
Retire local device  
* Stores can be either
Wipe other devices remotely 
Windows Store, Windows
Phone Store, App Store, or Install line-of-business apps    
Google Play, depending on Install apps from the consumer store*    
the device

30. Comparing Windows Intune Cloud and
Unified Configurations Cloud-Only Configuration
Unified Configuration
Up to 100,000 users, computers, and mobile
devices in a single management infrastructure

31. Windows Intune Unified Architecture
Windows RT
Windows Phone 8
iOS
Android
Android App
Distribution Direct Management & App
Distribution
Android

32. Unified Management Capabilities
Managed Through System Center 2012 Configuration Manager Windows Intune
Windows 7
Platform > Windows Vista Windows Windows
Capability Windows 8 Windows XP To Go Mac OS Windows RT Phone 8 iOS Android
Application management        
Endpoint Protection     O O O O
Hardware Inventory        1
Software Inventory     2 2 2 2
Remote control    O O O O O
Reporting        
Software updates    O   4 O
1 = Basic information
only through Exchange Compliance settings     3 3 3 3
ActiveSync
2 = Managed OS deployment    O N/A N/A N/A N/A
applications only
3 = Compliance Out-of-band management    O N/A N/A N/A N/A
reporting but no
remediation automation Power management    O O O O O
4 = Device User has to
accept the update Software metering    O O O O O

33. Comparing the Windows Intune and
Exchange Server Connectors
Management Functionality Windows Exchange
Intune Server
connector connector
App management/deployment  O
Public key infrastructure (PKI) security between the  O
mobile device and Configuration Manager
1. For Windows RT, Windows
Phone 8, and iOS
Discovery  
2. Through reporting
3. Both Exchange ActiveSync and
Hardware inventory 1 
Windows Intune use the same Software inventory 2 O
security template for their
settings. Settings, configuration items and baseline 3 3

34. Windows Intune Sites and Portals
• Account Portal
• https://account.manage.microsoft.com
• Manage users, account administrators,
security groups, subscriptions, partners
System Center 2012 • Administrator Console
Configuration Manager with SP1
– https://admin.manage.microsoft.com
– Configure cloud-based management
Windows RT
Portal
• Company Portal
Windows – Download apps, associate users with
Phone 8
Portal devices, contact IT support
– Versions for different mobile device
Company
Portal Web
types
Site

35. Unified User Centric Management
• Managed Devices
• No real change
• Can use “external” porgal
• Big benefit is for “unmanaged” devices/BYOD
• You get some management and reporting (varies by device)
• You have an easy way to present an application across devices
• This really only works if you have “cross platform” applications
• Often the cost of building applications far exceeds the cost of enabling
devices

36. Examining a functional deployment
• InTune Connector
• User Collections
• Deployment types for devices
• Company Portals
• Windows
• Andriod
• IOS? Anyone?

37. Federating with InTune

38. Planning ADFS
• What does ADFS do?
• Enables SSO
• Big deal
• Is it needed?
• No, but highly recommended
• Affects mobile devices (simpler logon)
• What if you don’t use ADFS?
• Authenticate to Company Portal using InTune Creds (separate set)
• Administration must manage through account portal, not AD

39. Roadmap for Integrating Configuration
Manager 2012 with Windows Intune
Sign up for Set up Active
Add domains to Federate with
Windows Intune Deploy ADFS 2.0 Directory
Windows Intune WAAD
account Synchronization
Place the Windows Configure
Enroll and manage Verify single sign-
Intune connector Windows Intune
mobile devices on
site system role Subscription

40. Intune App Requirements
Android iOS Windows RT Windows Phone 8
There are no 1. Download a Certificate Service There are no initial configuration Add code-signing certificate
configuration Request using the Request APNs requirements for enabling management of .pfx or .p12 file
requirements for Certificate Service Request dialog Windows RT devices
Android devices box in Configuration Manager
2. Submit the CSR to the Apple Push To enable installation of apps for Windows Upload signed company
Certificate Portal and download the 8, you need to add a valid code signing portal app
APNs certificate (.pem file) certificate and also add sideloading keys to
Configuration Manager
3. Upload the APNs certificate to
Windows Intune
No action required No prior action required as process No action required - a code signing cert Require code signing
prior to setup can be completed later in user and sideloading keys set up in the UI for certificate and signed
interface app publication company portal app

41. Managing InTune via CM
One way process!

42. Android Properties

43. iOS Properties

44. Windows RT Properties

45. Summary
• People centric is the future, driven by user behavior, not IT
governance.
• Start implementing self service as step 1
• Understand the deployment options for each LOB application
• Use InTune to support mobile/BYOD scenarios
• Federate for central management