Moving from Device Centric to a User Centric Management
2. Agenda
• What is User Centric Management and Why do I care?
• Device Centric Management
• User Centric Management with Configuration Manager 2012
• User Centric Management with InTune
• Hybrid InTune/Configuration Manager
4. Management
• The past – Device Centric Management
• Today – Mixed Management
• Tomorrow – User Centric Management
5. The times, they are a-changing…
• Your computer IS your tool for work
• Your computer CONTAINS your tool for work
6. Circle of influence is shrinking…
• From this… to this (well, it's really a square)
7. Why implement UCM
• Device Choice
• Application Self-service
• Personalized Application Experience
• Non-intrusive management
• Manage all devices through a single interface
• Deliver applications to the user, not the device
• Integrated security and compliance
• Reduced infrastructure complexity
Single admin console; access to corp resources across devices & platforms
9. Evolution of Microsoft Management
• Client Management Infancy (Groups Model, NT Domain)
• Laptops, Servers, Enterprise Scale
• Comprehensive Management
• 2012: Management from the Cloud
• 2012+: Consumerization of IT
11. Bring Your Own Device
• Many companies are embracing this (whether they know it or not)
• Generally, more users are doing it than administrators know about
• The first widespread BYOD solution was VDI (VMware View or XenDesktop)
• Offered broad device support to get to a Windows Desktop
• Issue is that the Windows Desktop (pre-8) does not work well with touch
• The “desktop” was the “app”
• Today, apps are cross-platform and multi-platform
• You can deliver just the app, without the desktop
• You need a way to manage all of this
13. The process
1. Understand your existing Device Centric models
2. Configuration Manager – Move to User Collections
3. Configuration Manager – Implement Application Catalog
4. InTune – Extend to non-managed devices
5. Federation – Single management infrastructure
14. Device Centric Management
• You (IT) owned the device (PC)
• The PC was the “tool” for work
• In many cases restricted, locked down, and highly controlled
• Encouraged the “Work Computer” and “Home Computer” model
• Simplified access to work tools
• DA (DirectAccess)
• VPN
• VDI
15. Why it does not work today
• Devices are prolific, cheap, and available
• There is more than one choice of operating system
• Users are more savvy, and have more devices
• There is a trend towards “apps” as tools instead of “hardware” as tools
• Blame Apple: “there's an app for that”
• The boundaries of “work” are gone, both physical and chronological
17. Windows Embedded Support
Device types and embedded operating systems:
• Thin Clients: Windows XP Embedded, Windows Embedded Standard 2009, Windows Embedded Standard 7 (preferred for scalability)
• POS/Kiosk: same as Thin Clients, plus POS Ready 2009 and POS Ready 8
• Digital Signage: Windows Embedded Standard 2009, Windows Embedded Standard 7
• Repurposed PC: Windows Thin PC
Supported write filters:
• File Based Write Filter (FBWF)
• Enhanced Write Filter (EWF), RAM mode
Ability to force persistence of changes for:
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for:
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly in SP1.
18. Linux & UNIX Servers
Supported OSs across both Configuration Manager and Operations Manager:
• Red Hat Enterprise Linux: Version 4 (x86/x64), Version 5 (x86/x64), Version 6 (x86/x64)
• Solaris: Version 9 (SPARC), Version 10 (SPARC/x86)
• SUSE Linux Enterprise Server: Version 9 (x86), Version 10 SP1 (x86/x64), Version 11 (x86/x64)
Old versions are supported as long as the vendor provides support. Broader Linux distro support is being evaluated for future releases.
Capabilities:
• Hardware and Software Inventory
• Software Deployment, using the Package and Program model: deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
• Consolidated reports
19. Mac OS X
10.6 (Snow Leopard)
10.7 (Lion)
Push Software Distribution
Settings Management
Hardware and Software Inventory
20. CM 2012 SP1 - Updates
Wider client operating system and application support
• Windows 8 and Windows To Go
• Windows Server 2012 site systems and clients
• Mac OS clients, Linux and Unix servers
• SQL Server 2012 Configuration Manager database
Better feature support
• Metered connections and always on, always connected in Windows 8
• New deployment types for Windows 8 applications
• Configurable user data and profiles for folder redirection, offline files, and roaming profiles
Greater manageability
• Virtual environment support
• PowerShell cmdlets
• Client notification
• Email alerts for all features
22. Designing a User Centric Delivery
• Deliver best user experience on each device
• Define application once
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop
23. User-centric Application Delivery
New Application Model
Application (“Package”)
• General Information
• Administrator Properties
• End User Metadata
Deployment Type (App-V, Windows Script, Windows Installer, CAB)
• Detection Method
• Install Command
• Requirement Rules
• Dependencies
• Supersedence
24. User-centric Application Delivery
End User Self-service
IT: Administrators publish software titles to the catalog, complete with metadata to enable search
• Deliver best user experience on each device
User: Users can browse, select and install directly from the Catalog
• Application model determines format and policies for delivery
25. Components
• User Collections
• User Deployments
• Mixed deployment types
• Application Catalog
• Primary Device settings and rules
• User policies
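The process slide (move to user collections, implement the Application Catalog) and the components above map onto the Configuration Manager 2012 SP1 PowerShell cmdlets. The script below is an added example, not code from the deck: it builds a user collection from an AD group, creates an application with an MSI deployment type, deploys it as Available so it appears in the Application Catalog, and records a user/device affinity. The site code, collection, application, share and account names are assumptions. Add-CMDeploymentType is the SP1-era cmdlet; later releases split it into per-type cmdlets such as Add-CMMsiDeploymentType.

```powershell
# Added example: user-centric deployment with the Configuration Manager 2012 SP1 cmdlets.
# Run from a machine with the Configuration Manager console installed, as an account that
# holds the Application Administrator role. Site code, names and paths are assumptions.

# The console installer sets SMS_ADMIN_UI_PATH; the module sits next to the console binaries.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'PS1:'   # site drive named after the site code (assumed PS1)

$collectionName = 'Sales Users'
$appName        = 'Contoso Expense Tool'
$msiPath        = '\\cm01\Sources\ExpenseTool\ExpenseTool.msi'   # assumed content share

# 1. A user collection limited to All Users, populated from an AD group.
#    Targeting users rather than devices is what makes the deployment follow the person.
New-CMUserCollection -Name $collectionName -LimitingCollectionName 'All Users' | Out-Null
Add-CMUserCollectionQueryMembershipRule -CollectionName $collectionName -RuleName 'Sales group' `
    -QueryExpression "select * from SMS_R_User where SMS_R_User.UserGroupName = 'CONTOSO\\Sales'"

# 2. The application object carries the administrator properties and end-user metadata
#    that the catalog search runs over (localized name and keywords can be added here too).
New-CMApplication -Name $appName -Publisher 'Contoso' -SoftwareVersion '1.0' `
    -Description 'Expense reporting client' | Out-Null

# 3. An MSI deployment type; detection method and install/uninstall commands are read
#    from the MSI. -ForceForUnknownPublisher is only needed when the MSI is unsigned.
Add-CMDeploymentType -ApplicationName $appName -MsiInstaller -AutoIdentifyFromInstallationFile `
    -InstallationFileLocation $msiPath -ForceForUnknownPublisher $true

# 4. Deploy as Available to the user collection: the title shows up in the Application
#    Catalog for self-service instead of being pushed to whichever device the user touches.
Start-CMApplicationDeployment -CollectionName $collectionName -Name $appName `
    -DeployAction Install -DeployPurpose Available

# 5. Record a user/device affinity so a "primary device" requirement rule on the deployment
#    type can tell a user's own PC from a shared PC or VDI session. The rule itself is set
#    in the console; SP1 has no cmdlet for it. (Cmdlet usage assumed from the SP1 module.)
Add-CMDeviceAffinityToUser -UserName 'CONTOSO\jdoe' -DeviceName 'PC001'
```

The point of step 4 is the purpose: Available plus a user collection gives self-service from the catalog, whereas Required against a device collection is the old device-centric push.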
27. What's New in Windows Intune
• Unified Management Solution
• Company Portal Application
• Windows RT and Windows Phone 8 Application Distribution
• User-Based Licensing
• Direct Mobile Device Management
28. Cloud-based Self-service Portal
• Securely provision applications from anywhere
• Single point for application requests
• Users only see the software they have permission to request
29. Company Portal Capabilities
Actions a user can take through the company portal (availability varies across Windows RT, Windows Phone 8, iOS and Android):
• Enroll local device
• Rename devices
• Retire local device
• Wipe other devices remotely
• Install line-of-business apps
• Install apps from the consumer store*
* Stores can be either Windows Store, Windows Phone Store, App Store, or Google Play, depending on the device
30. Comparing Windows Intune Cloud-Only and Unified Configurations
• Cloud-Only Configuration
• Unified Configuration: up to 100,000 users, computers, and mobile devices in a single management infrastructure
31. Windows Intune Unified Architecture
• Windows RT, Windows Phone 8, iOS: direct management & app distribution
• Android: app distribution
32. Unified Management Capabilities
Platforms managed through System Center 2012 Configuration Manager: Windows 8, Windows 7, Windows Vista, Windows XP, Windows To Go, Mac OS
Platforms managed through Windows Intune: Windows RT, Windows Phone 8, iOS, Android
Capabilities (each platform supports a subset; numbered notes mark limited support):
• Application management
• Endpoint Protection (not on the mobile platforms)
• Hardware Inventory (1)
• Software Inventory (2)
• Remote control (Windows clients only)
• Reporting
• Software updates (4)
• Compliance settings (3)
• OS deployment (Windows clients only; not applicable to mobile platforms)
• Out-of-band management (Windows clients only; not applicable to mobile platforms)
• Power management (Windows clients only)
• Software metering (Windows clients only)
1 = Basic information only through Exchange ActiveSync
2 = Managed applications only
3 = Compliance reporting but no remediation automation
4 = Device user has to accept the update
33. Comparing the Windows Intune and Exchange Server Connectors
Management functionality: Windows Intune connector / Exchange Server connector
• App management/deployment: Windows Intune connector only
• Public key infrastructure (PKI) security between the mobile device and Configuration Manager: Windows Intune connector only
• Discovery: both
• Hardware inventory: both (1)
• Software inventory: Windows Intune connector only (2)
• Settings, configuration items and baselines: both (3)
1. For Windows RT, Windows Phone 8, and iOS
2. Through reporting
3. Both Exchange ActiveSync and Windows Intune use the same security template for their settings.
34. Windows Intune Sites and Portals
• Account Portal: https://account.manage.microsoft.com
– Manage users, account administrators, security groups, subscriptions, partners
• Administrator Console: https://admin.manage.microsoft.com
– Configure cloud-based management
• Company Portal (Windows RT portal, Windows Phone 8 portal, Company Portal web site)
– Download apps, associate users with devices, contact IT support
– Versions for different mobile device types
35. Unified User Centric Management
• Managed devices
• No real change
• Can use the “external” portal
• Big benefit is for “unmanaged” devices/BYOD
• You get some management and reporting (varies by device)
• You have an easy way to present an application across devices
• This really only works if you have “cross-platform” applications
• Often the cost of building applications far exceeds the cost of enabling devices
36. Examining a functional deployment
• Intune Connector
• User Collections
• Deployment types for devices
• Company Portals
• Windows
• Android
• iOS? Anyone?
38. Planning ADFS
• What does ADFS do?
• Enables SSO
• Big deal
• Is it needed?
• No, but highly recommended
• Affects mobile devices (simpler logon)
• What if you don’t use ADFS?
• Authenticate to Company Portal using InTune Creds (separate set)
• Administration must manage through account portal, not AD
39. Roadmap for Integrating Configuration Manager 2012 with Windows Intune
1. Sign up for a Windows Intune account
2. Add domains to Windows Intune
3. Deploy ADFS 2.0
4. Federate with WAAD
5. Set up Active Directory Synchronization
6. Verify single sign-on
7. Configure the Windows Intune Subscription
8. Place the Windows Intune connector site system role
9. Enroll and manage mobile devices
40. Intune App Requirements
Android
• There are no configuration requirements for Android devices
• No action required prior to setup
iOS
• 1. Download a Certificate Service Request using the Request APNs Certificate Service Request dialog box in Configuration Manager
• 2. Submit the CSR to the Apple Push Certificate Portal and download the APNs certificate (.pem file)
• 3. Upload the APNs certificate to Windows Intune
• No prior action required, as the process can be completed later in the user interface
Windows RT
• There are no initial configuration requirements for enabling management of Windows RT devices
• To enable installation of apps for Windows 8, you need to add a valid code signing certificate and also add sideloading keys to Configuration Manager
• No action required prior to setup: the code signing cert and sideloading keys are set up in the UI for app publication
Windows Phone 8
• Add code-signing certificate (.pfx or .p12 file)
• Upload signed company portal app
• Requires the code signing certificate and signed company portal app before setup
45. Summary
• People centric is the future, driven by user behavior, not IT
governance.
• Start implementing self service as step 1
• Understand the deployment options for each LOB application
• Use InTune to support mobile/BYOD scenarios
• Federate for central management
Editor's Notes
People-centric IT is predicated on being able to identify who the user is and what their permissions are for accessing data and resources. Active Directory is a critical tool to enable this, with common user accounts and security groups, a repository for inventory and device data, and central policy control. It also gives you a way to manage users consistently across the datacenter and the cloud, with federation to synchronize identity and the ability to access user accounts for third-party applications. Our management solutions – Configuration Manager and Windows Intune – leverage this consistent identity to manage and secure user activity appropriately.
Apart from Windows Intune integration, SP1 for Configuration Manager brings a range of other improvements. These improvements include the following:
• You can install the Configuration Manager client on Windows 8 computers and deploy Windows 8 to new computers or to upgrade previous client operating system versions. Configuration Manager SP1 also supports Windows To Go.
• Configuration Manager supports Windows 8 features, such as metered Internet connections and Always On Always Connected.
• You can configure user data and profiles configuration items for folder redirection, offline files, and roaming profiles.
• You can configure new deployment types for Windows 8 applications, which support standalone applications (.appx files) and links to the Windows Store.
Other significant changes include the following enhancements:
• Support for Windows Server 2012 on site systems and clients, and support for SQL Server 2012 for the Configuration Manager database.
• Clients are now supported on Mac computers, and on Linux and UNIX servers.
• Windows PowerShell cmdlets are available to automate Configuration Manager operations by using Windows PowerShell scripts.
• More flexible hierarchy management, with support to expand a stand-alone primary site into a hierarchy that includes a new central administration site, and the migration of a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.
• Support for multiple software update points for a site to provide automatic redundancy for clients, in the same way as you can configure multiple management points.
• Client notification to initiate some client operations from the Configuration Manager console, which include downloading computer policy and initiating a malware scan to be performed as soon as possible, instead of during the normal client policy polling interval.
• Support for virtual environments that allow multiple virtual applications to share file system and registry information instead of running in an isolated space.
• Email alert subscriptions are now supported for all features, not just Endpoint Protection.
The latest release of Windows Intune includes a number of changes that enhance the management of people, PCs, and devices. With a unified configuration, the following added features are of interest:
• Unified management solution with System Center 2012 Configuration Manager with Service Pack 1 (SP1). With this update, you can now manage devices either from the existing cloud-based Windows Intune management solution or through a new connector, by using Microsoft System Center 2012 Configuration Manager with SP1.
• User-based licensing. This release of Windows Intune updates the licensing conditions and adds two new licensing options to help organizations with managed users who employ multiple devices, rather than focusing on one device at a time. The licensing changes are explained later in this course.
• Direct Mobile Device Management. This release of Windows Intune provides a new direct management capability that implements Mobile Device Management (MDM) features for Windows RT, Windows Phone 8, and iOS devices. Hence, modern devices no longer require an Exchange ActiveSync (EAS) connection in place to support the MDM solution.
• Company Portal Application. In the previous release of Windows Intune, administrators accessed company applications, device management and IT support features through an online web portal. In this new release, Windows Phone 8 and Windows RT devices can access these features through a new secure Self-service Portal (SSP) application.
• Windows RT and Windows Phone 8 Application Distribution. Microsoft has extended the software distribution feature of Windows Intune to support both Windows RT and Windows Phone 8 applications. In a unified environment, you can now publish line-of-business applications to Windows RT devices and Windows Phone 8 devices by using the same wizard.
Further, Windows Intune offers a cloud-based self-service portal that gives users a central place to request the secure provisioning of applications on any device. This one central place makes it easy for them to request the applications they need to stay productive, and they will only see the software they have permission to use.
Each portal has differing management capabilities, depending on the platform. The table summarizes these management capabilities.
With this update, you can now manage devices either from the existing cloud-based Windows Intune management solution or through a new connector, by using Microsoft System Center 2012 Configuration Manager with SP1. This slide provides an overview of how these two configurations can manage devices either directly through the cloud or through Configuration Manager on-premises. The first figure shows the classic cloud-based configuration, and existing users of Windows Intune will be familiar with this approach. With this arrangement, IT administrators use the Windows Intune web-based Administrator console to access the management features on the client computers and mobile devices. This configuration is covered in the other course in this series. The second figure shows the new unified on-premises configuration, where the administrator uses the Configuration Manager 2012 SP1 management console to access the management features for the supported clients. Using this configuration, an administrator can manage all the organization's devices through a single console and get an unprecedented insight into the ways employees use their mobile devices to access company data. Another benefit of this solution is that the Configuration Manager infrastructure enables support for very large installations. This release supports installations of up to approximately 100,000 users, computers, and mobile devices in a single management infrastructure.
So now let's walk through exactly how both these products can work together in the enterprise. Integration between Configuration Manager with SP1 and this release of Windows Intune enables you to manage many different device types, all from the Configuration Manager management console:
• For your PCs (Mac, Linux, Windows 8 x86), these can be managed through the existing on-premises infrastructure.
• For your mobile devices (RT, WP8, iOS, Android), we see an enhanced management experience through the cloud.
• User management happens by using Active Directory Federation Services (optional) for single sign-on and DirSync to synchronize user accounts.
• Exchange Server managed devices can still interoperate in this hybrid environment.
But now with SP1 the admin will be able to manage all these devices in a single pane from the CM console. They will be able to keep their on-premises deployment and quickly realize the benefits of the cloud in terms of managing highly mobile devices. Note: it is possible to integrate Configuration Manager with Office 365 to help manage Office 365-based environments.
System Center 2012 Configuration Manager offers an enhanced range of management features that result from the greater capabilities of this on-premises solution. Windows Intune extends a subset of these management capabilities to mobile devices, as shown in this table.
You may already be using Exchange ActiveSync to manage your mobile devices, so it is useful to compare the two management types to highlight the benefits of using the Windows Intune connector. Using Configuration Manager and Windows Intune, you can manage user settings, hardware inventory, and device lifecycle on Windows RT, Windows Phone 8, and iOS. For Android, you manage user settings, hardware inventory, and device lifecycle through Exchange ActiveSync, by using the Exchange connector in Configuration Manager. Note that you can still manage devices through both EAS and Windows Intune. However, when a device receives security settings from both Exchange ActiveSync and Windows Intune, the most restrictive settings apply.
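"Most restrictive applies" cuts in a different direction for each setting: a larger minimum password length is stricter, a shorter inactivity timeout is stricter, a requirement wins when either side turns it on, and a capability is allowed only when both sides allow it. The function below is an added illustration of that resolution rule, not Intune's or Exchange's implementation; the setting names, the per-setting direction table and the two sample policies are constructed for the example. It refuses to merge a setting whose direction it does not know, which is the safe failure mode when you extend it.

```powershell
# Added illustration (not product code): resolve a conflict between an Exchange ActiveSync
# policy and a Windows Intune policy by keeping the more restrictive value per setting.
# Setting names and the direction table below are constructed for this example.

# Direction of "more restrictive" for each setting:
#   Max -> the larger number restricts more (minimum password length)
#   Min -> the smaller number restricts more (timeouts, failed attempts before wipe)
#   Or  -> a requirement is on if either policy turns it on
#   And -> a capability is allowed only if both policies allow it
$RestrictionRule = @{
    MinPasswordLength        = 'Max'
    InactivityTimeoutMinutes = 'Min'
    FailedAttemptsBeforeWipe = 'Min'
    RequirePassword          = 'Or'
    RequireDeviceEncryption  = 'Or'
    AllowCamera              = 'And'
    AllowSimplePassword      = 'And'
}

function Merge-MostRestrictive {
    param(
        [Parameter(Mandatory)][hashtable]$EasPolicy,
        [Parameter(Mandatory)][hashtable]$IntunePolicy
    )
    $result = @{}
    $names = @($EasPolicy.Keys) + @($IntunePolicy.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $a = $EasPolicy[$name]
        $b = $IntunePolicy[$name]
        # A setting configured by only one side has no conflict; take it as-is.
        if ($null -eq $a) { $result[$name] = $b; continue }
        if ($null -eq $b) { $result[$name] = $a; continue }
        switch ($RestrictionRule[$name]) {
            'Max' { $result[$name] = [Math]::Max([int]$a, [int]$b) }
            'Min' { $result[$name] = [Math]::Min([int]$a, [int]$b) }
            'Or'  { $result[$name] = ([bool]$a -or [bool]$b) }
            'And' { $result[$name] = ([bool]$a -and [bool]$b) }
            default { throw "No restriction rule for setting '$name'; refusing to guess which value is stricter." }
        }
    }
    return $result
}

# Constructed sample policies: EAS allows a 4-character PIN and the camera, Intune does not
# require a password but wants encryption and a longer PIN.
$eas    = @{ MinPasswordLength = 4; InactivityTimeoutMinutes = 15; RequirePassword = $true;  AllowCamera = $true;  FailedAttemptsBeforeWipe = 10 }
$intune = @{ MinPasswordLength = 6; InactivityTimeoutMinutes = 30; RequirePassword = $false; AllowCamera = $false; RequireDeviceEncryption = $true }

$effective = Merge-MostRestrictive -EasPolicy $eas -IntunePolicy $intune
$effective.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

The practical consequence for the rollout: a user whose device is still under an EAS policy can end up locked down harder than either team intended, so review both policies side by side before enabling the Intune connector rather than after the help-desk calls arrive.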
When you have signed up for a Windows Intune account, you will have access to a number of portals. With Configuration Manager unified management, you do not often need to use these portals; however, it is useful that you know about them and the functionality that they provide.
• The first is the account portal. In a cloud-based environment, account administrators use this portal to manage users, other account administrators, security groups, and subscriptions. Partner organizations can also access Microsoft cloud services offerings to customers from the Partner tab of the account portal. With a unified configuration, you use the account portal only for user verification and adding domains.
• The second site is the Windows Intune administrator console. This is the console that Windows Intune administrators use in cloud-based configurations to manage users and devices, monitor the health of devices, manage policies and updates, and define the apps that users can download from the company portal. In a unified configuration, you don't use this console.
• The third site is the company portal. Company portals let users have control over their devices and are tailored to the device. For example, the company portals are where users are able to view and download sideloaded apps. For Windows RT and Windows Phone 8, there are company portal apps that let users manage line-of-business apps on their devices. For iOS and Android devices the company portal is a web portal that allows users to manage line-of-business apps on their devices.
This diagram shows one possible road map for integrating Configuration Manager with Windows Intune. The steps you carry out are as follows:
1. Sign up for a Windows Intune account. Note that you may not need to sign up for this account through the web portal, depending on your licensing arrangements.
2. Add your internal domain to Windows Intune by demonstrating that you own the domain name. This process also helps ensure that your Active Directory UPNs match your planned Windows Intune logon names.
3. Deploy ADFS 2.0 if you want to implement single sign-on (SSO). Federate your internal Active Directory implementation with Windows Azure Active Directory (WAAD), which provides the directory service for Office 365.
4. Set up DirSync and synchronize your user accounts into Windows Intune.
5. Verify that SSO works correctly and that users can authenticate to Windows Intune with their corporate credentials.
6. Configure the Windows Intune subscription to set Configuration Manager as the management authority for Windows Intune and specify the mobile platforms that Windows Intune will manage.
7. Specify which server and site in the hierarchy will host the Windows Intune connector site system role.
8. Finally, users can enroll their mobile devices into Windows Intune and you can manage them through the Configuration Manager console.
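The domain-verification step above only pays off if every user's UPN suffix is one of the verified domains: a user whose UPN is still the internal `.local` suffix, or who has no UPN at all, gets no matching cloud logon name after DirSync and cannot sign in to the company portal with corporate credentials. The function below is an added check for that, not part of the deck or of any Microsoft tool. It uses the ActiveDirectory module (RSAT) for the live query; the `-User` parameter accepts constructed objects so it can be dry-run offline, which is what the sample at the bottom does. The domain names are placeholders.

```powershell
# Added example: find AD users whose UPN suffix is not a domain verified in Windows Intune.
# Live mode needs the ActiveDirectory module; the sample objects at the bottom let it run
# without a domain. Domain names are placeholders.

function Find-UnverifiedUpn {
    param(
        [Parameter(Mandatory)][string[]]$VerifiedDomain,
        [Parameter(ValueFromPipeline)][psobject[]]$User
    )
    begin {
        $verified = @($VerifiedDomain | ForEach-Object { $_.ToLowerInvariant() })
        $buffer = @()
    }
    process { if ($User) { $buffer += $User } }
    end {
        if (-not $buffer) {
            # Live query: disabled accounts will not enroll, so only enabled users are checked.
            $buffer = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
        }
        foreach ($u in $buffer) {
            $upn = [string]$u.UserPrincipalName
            if (-not $upn -or $upn -notmatch '^[^@]+@([^@]+)$') {
                [pscustomobject]@{
                    SamAccountName    = $u.SamAccountName
                    UserPrincipalName = $upn
                    Problem           = 'Missing or malformed UPN'
                }
                continue
            }
            $suffix = $Matches[1].ToLowerInvariant()
            if ($suffix -notin $verified) {
                [pscustomobject]@{
                    SamAccountName    = $u.SamAccountName
                    UserPrincipalName = $upn
                    Problem           = "Suffix '$suffix' is not a verified Windows Intune domain"
                }
            }
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@contoso.com' },
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@contoso.local' },
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null }
)
$sample | Find-UnverifiedUpn -VerifiedDomain 'contoso.com' | Format-Table -AutoSize

# Live run once RSAT is available and contoso.com has been verified in the account portal:
# Find-UnverifiedUpn -VerifiedDomain 'contoso.com', 'contoso.co.uk'
```

Run this before DirSync rather than after: fixing a UPN suffix after the account has synced means the cloud identity has to be re-matched, which is avoidable work.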
When you have set up ADFS and Directory Synchronization, your next stage is to set up the Windows Intune subscription. You do this in the Configuration Manager console by clicking Administration, then Hierarchy Configuration, then Windows Intune Subscriptions, and then clicking the Create Windows Intune Subscription button. Along with the general settings, there are four management options that you can enable or disable as required. However, enabling each management option requires varied levels of preparation before you can complete the process. In summary, the requirements are as follows:
• Android: There are no configuration requirements for Android devices.
• iOS: To enable management of iOS devices, you need to carry out a three-phase process. (1) Click the Request APNs Certificate Service Request button in Configuration Manager to download a Certificate Service Request file (a .CSR file). You will have to log on to the Windows Intune service with your administrator credentials. (2) Click the link for the Apple Push Certificate Portal and log on to the Apple portal with your Apple ID. You then submit the .CSR file and can then download the APNs certificate. Note that you need to close Internet Explorer before downloading the APNs certificate, otherwise you get a file with a .json extension instead of a .pem file. (3) Select the .pem file to upload it to Windows Intune.
• Windows RT: With Windows RT, there are no specific management requirements, but you need to obtain a valid code signing certificate and create sideloading keys in Configuration Manager to deploy applications.
• Windows Phone 8: With Windows Phone 8, you must both add a code-signing .pfx or .p12 certificate and upload a correctly signed company portal app. This process is covered in detail later in the course.
The bottom row of the table shows the actions you need to carry out before you set up that platform in the Windows Intune subscription.
When you click the button to create a Windows Intune Subscription, you see a seven-step wizard that takes you through the process of setting up the subscription. The process is as follows:
1. Sign in to Windows Intune with your administrative account and select the option to allow Configuration Manager to manage this subscription.
2. Specify general settings, such as the Configuration Manager collection of users who will be enrolling their mobile devices for management through Windows Intune, the company name, portal color, documentation URL and the Configuration Manager site code where devices will be assigned.
3. Select the platforms to enable for management. Each platform has additional requirements as set out in the previous slide. Note: to add a subscription with minimum configuration, enable the Android platform.
4. The final pages summarize the settings and show the progress completing.
Note that the option to allow the Configuration Manager console to manage the subscription is a one-way setting and cannot be undone.
As mentioned previously, the Android setting requires minimal configuration.
With iOS, you need to download the CSR, upload it back to Apple, download the APNs certificate and then upload the APNs certificate back to Windows Intune.
Windows RT does not require any prior settings, but if you want to deploy applications, you need to specify the code signing certificate. You configure sideloading keys in the Configuration Manager console by clicking Software Library, clicking Application Management, and then clicking Windows RT Sideloading Keys.
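Two of the platform prerequisites above are certificate files that the wizard accepts but does not sanity-check for you: the APNs certificate for iOS, which the note warns can come back from Apple as a .json error body instead of a .pem, and the .pfx/.p12 code-signing certificate for Windows Phone 8, which must actually carry a Code Signing extended key usage and a private key. The functions below are an added pre-flight check, not from the deck or from Microsoft; the file paths are assumptions and nothing here talks to Intune or Apple.

```powershell
# Added example: pre-flight checks for the iOS APNs .pem and the Windows Phone 8 code-signing
# .pfx before they go into the Windows Intune subscription wizard. Paths are assumptions.

function Test-ApnsCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $raw = Get-Content -Path $Path -Raw
    # A real .pem carries PEM armour; the .json that IE sometimes hands back does not.
    if ($raw -notmatch '-----BEGIN CERTIFICATE-----') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Subject = ''; NotAfter = $null
                                  Reason = 'Not a PEM certificate (did the portal return a .json file?)' }
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Path     = $Path
        Ok       = ($daysLeft -gt 0)
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        # Apple issues APNs certificates for one year; enrolment and policy push stop when it lapses.
        Reason   = $(if ($daysLeft -le 0) { 'Expired' } elseif ($daysLeft -lt 30) { "Expires in $daysLeft days; renew" } else { '' })
    }
}

function Test-CodeSigningPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $false
    if ($ekuExt) {
        $hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
    }
    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'No private key in the file; it cannot sign the company portal app' }
    if (-not $hasCodeSigning)           { $problems += 'Certificate lacks the Code Signing EKU' }
    if ($cert.NotAfter -lt (Get-Date))  { $problems += 'Certificate has expired' }
    [pscustomobject]@{
        Path    = $Path
        Ok      = ($problems.Count -eq 0)
        Subject = $cert.Subject
        Reason  = ($problems -join '; ')
    }
}

# Usage with assumed file locations:
Test-ApnsCertificate -Path 'C:\Intune\MDM_Microsoft_Certificate.pem'
Test-CodeSigningPfx -Path 'C:\Intune\CompanyPortalSigning.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

The expiry check matters more than it looks: the APNs certificate is the only credential that lets Intune reach enrolled iOS devices, so put its NotAfter date in the same renewal calendar as the ADFS token-signing certificate.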