What's new in Enterprise Client Management
PCIT-B311
Craig Morris and Dave Randall, Senior Program Managers, Enterprise Client
Empowering people-centric IT: Mobile Device and Application Management; Access and information protection; Desktop Virtualization; Hybrid Identity
Agenda
The core needs for today's enterprise
Microsoft's Enterprise Client Management solution
What's next for Enterprise Client Management
Enable people to use the devices they love while keeping the company protected
(Diagram: users, devices, apps and data; "what we want" versus "reality")
Mobile Device Management
Enable users
Access to company resources consistently across devices
Simplified registration and enrollment of devices
Synchronized corporate data
Unify your environment
On-premises and cloud-based management of devices within a single console.
Simplified, user-centric application management across devices
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Protect your data
Protect corporate information by selectively wiping apps and data from retired/lost devices
A common identity for accessing resources on-premises and in the cloud
Identify which mobile devices have been compromised
Empower users
Allow users to work on the device of their choice and provide consistent access to corporate resources.
Users can work from anywhere on their devices with access to their corporate resources.
Users can register devices for single sign-on, and access to corporate data, with Workplace Join.
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
IT can provide seamless corporate access.
Users can enroll devices for access to the Company Portal for easy access to corporate applications.
IT can publish desktop virtualization resources for access to centralized resources.
(Diagram: access from outside the corporate firewall)
Today's Enterprise Client Solution (Dave Randall)
Platform support; protecting the data; managing user productivity; incremental investments
Deep dive session available
Expanded Device Support
Windows 8.1: Workplace Join and native platform enrollment
Mac OS X: native clients for 10.6, 10.7, 10.8, 10.9; supports push software distribution, settings management, and inventory; simple enrollment
Linux and UNIX servers: CentOS 5 and 6, Debian 5 and 6, Ubuntu 10.4 LTS and 12.4 LTS, Oracle Linux 5 and 6
Mobile devices: Windows Phone 8, Android 4.0+, iOS 6.0+
Expanded Device Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent, or Management Agent (OMA-DM) | Software Center/Application Catalog, or Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Company Portal MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | Limited self-service experience
Linux/Unix | ConfigMgr Agent | N/A
Protecting the data
(Diagram: enrollment flow through the Web Application Proxy and ADFS. A device object is created upon enrollment; content syncs automatically between Configuration Manager and Intune.)
Supported MDM Settings, by category (columns in the original matrix: Windows 8.1 PC & RT, Windows Phone 8/8.1, iOS, Android; asterisks are carried over from the matrix)
VPN
Wi-Fi
Certificates
Password (*) (*) (*)
Device restrictions (*) (*)
Store access
Browsers (*) (*)
Content Rating
Cloud Sync (*)
Encryption (*) (*) (*)
Security (*) (*) (*)
Roaming (*) (*)
Windows Server Work Folders, Wi-Fi settings and VPN profiles
Wi-Fi + Certificates
Manage and distribute certificates: root certificates, SCEP certificates
Provision networks: set up certificate-based authentication
VPN Profiles
Support for major SSL VPN vendors: Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 (Windows RT support*)
DNS name-based initiation support for Windows 8.1 and iOS; application ID-based initiation support for Windows 8.1
Automatic VPN connection
Support for VPN standards like PPTP, L2TP, IKEv2
Sync files and data across devices
Windows 8.1 – Work Folders
Full support for ConfigMgr and Intune; new settings to help provision the Work Folders discovery settings; self-service portals have links to Work Folders
New feature in the Windows 8.1 client and Windows Server 2012 R2
(Diagram: device lifecycle across enrollment, lost or stolen, and retired states, showing personal apps and data, company apps and data, remote apps, centralized data, and policies at each stage)
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
Selective Wipe
Selective wipe removes corporate applications, data, certificates/profiles, and policies as supported by each platform
Full wipe if supported by each platform
Can be executed by IT or by the user via the Company Portal
Sensitive data or applications can be kept off the device and accessed via Remote Desktop Services
Managing Policies and Settings: Demo
Enabling user productivity
Deploying Apps – Windows
Runs across x86 and Windows RT; easier and faster deployment; sandboxed!
Familiar workflow: new object, same deployment process
(Diagram: Windows RT and Windows 8 devices, the Windows Store, IT behind the corporate firewall, and corporate applications)
Deploying Apps – Administration
Single app entity; deployed to user or device collections; apps can contain multiple deployment types
Deploying Apps – Company Portals
Intelligent deployment: the user picks the apps they want and the Company Portal picks the best deployment method
Consistent Company Portal
Deploying apps: Demo
Deploying Apps – Cloud Distribution
(Diagram: management point (MP) and distribution point (DP) on the corporate network, with a Windows Azure distribution point and Microsoft Update outside the firewall; policy and content flow to clients)
Continuous Improvement
Less Infrastructure
Central Administration Site
• Scale
• Support multiple primary sites
• Future proofing your hierarchy (SP1)
Primary Sites
• Client assignment (up to 100k)
• Reduce impact of a primary site failing
• Political reasons
• Delegated administration
• Different client agent settings
• Language packs
• DMZ/Internet facing
• Untrusted forests (new in R2)
Secondary Sites
• Content fan-out
• Manage upward flow of WAN traffic
• Content routing
• Throttling (now in Distribution Points)
Distribution Points
• Distribute Content
• Branch Distribution Points
Ability to reassign clients between ConfigMgr sites within a hierarchy
Support for restoring SQL to a different server during recovery
Enhanced Infrastructure
Wake-up Proxy
Software Updates
Task Sequences
Remote Control + Remote Desktop
Software Distribution
File Shares with net use
A reliable wake-on-LAN capability that works within a subnet; works across large networks; variety of uses and applications; saves the earth!
Maintenance Window Types: Generic (all deployments), Task Sequence, Software Update
Software Update Maintenance Window (SUM MW) behavior
A Software Update window overrides the Generic maintenance window; otherwise a Software Update window functions the same as a Generic maintenance window
Install only in a software update maintenance window
Reboot only in a software update maintenance window
Overlapping software update maintenance windows will be merged
Single-shot software update schedule is the same as generic
In the past = never install updates
Software Update Maintenance Windows (SUM Maintenance Windows)
ADR Preview – Ability to view results of ADR filter query (List of patches)
ADR package – Ability to reassign a new package to an existing ADR
Automatic Deployment Rules
Windows Embedded Optimizations
Endpoint Protection client installation can honor maintenance windows
Endpoint Protection client installation can install in the overlay, or disable write filters and commit the changes
Definition update deployments through SUM can commit changes or write in the overlay
App-V 5.0/ConfigMgr 2012 Integration
App-V 5.0 SP2 changes that impact ConfigMgr 2012 SP1 & R2: support for Windows 8.1; enhanced "in use" upgrade scenario
Performance improvements in ConfigMgr 2012 R2: skipping pre- and post-enforcement detection; conditional publishing server removal; improved by 10 to 15 seconds per app
Updates to the App-V 5.0 client app model in the SDK: auto-upgrade App-V 4.6 RTM and SP1 for co-existence; App-V 4.6 detection mechanism change; support for all App-V 5.0 releases
Resultant Client Settings
Server-side view of client settings impact; similar to Group Policy's resultant set of policy; available from the device object in the Assets and Compliance node
Content System Improvements
In-console monitoring: clarity and performance
Bandwidth and processing optimizations
Enable and configure BranchCache for a Distribution Point
New report: Distribution Point Usage
PowerShell: new Remove-CMContentDistribution; modified Add-CMDistributionPoint and Set-CMDistributionPoint
New fields for clarity on Distribution Point properties
New Distribution Point Job Queue Manager tool in the Toolkit
Windows 8.1
Windows Server 2012 R2
Windows ADK for Windows 8.1
Windows PE 3.1
Virtual Hard Disks
New Task Sequence Steps
Operating System Deployment
Role-Based Administration for Reporting
ConfigMgr 2012 introduced Role-Based Administration (RBA); reporting, built on SQL Reporting Services, was not RBA-aware
With R2, all reports are updated to use the RBA configuration
All views have been replaced by fn_rbac_<view name>; custom reports should reference the new functions if RBA is required
Consistent with the ConfigMgr console/"show me" behavior
Enabled by default in R2 via a registry/WMI setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SRSRP, value "EnableRbacReporting"
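The point above is easy to get wrong in a custom report: a query written against the raw views returns every row to every user who can run the report, regardless of the security scopes and collections assigned to that user's role. As an added example (not from the deck), here is such a report query beside its RBA-aware rewrite; it assumes the standard ConfigMgr 2012 R2 views v_R_System, v_FullCollectionMembership and v_Collection with their fn_rbac_ counterparts, and the hidden report parameter UserSIDs that the built-in reports declare.

```sql
-- Custom report: managed devices and the collections they belong to.

-- Before (not RBA-aware): queries the raw views. Any user who can run the
-- report sees every device and every collection in the site, whatever
-- security scopes their administrative role actually grants.
SELECT sys.ResourceID,
       sys.Name0 AS DeviceName,
       sys.Operating_System_Name_and_Version0 AS OperatingSystem,
       col.Name AS CollectionName
FROM v_R_System AS sys
JOIN v_FullCollectionMembership AS fcm ON fcm.ResourceID = sys.ResourceID
JOIN v_Collection AS col ON col.CollectionID = fcm.CollectionID
WHERE sys.Client0 = 1;

-- After (RBA-aware): each view is replaced by its fn_rbac_<view name>
-- function, and every function receives the report's hidden UserSIDs
-- parameter. Reporting Services fills UserSIDs with the SIDs of the user
-- running the report, so each function returns only the rows that user's
-- security scopes and collections allow; the join then cannot leak devices
-- or collections from outside that scope.
SELECT sys.ResourceID,
       sys.Name0 AS DeviceName,
       sys.Operating_System_Name_and_Version0 AS OperatingSystem,
       col.Name AS CollectionName
FROM fn_rbac_R_System(@UserSIDs) AS sys
JOIN fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
     ON fcm.ResourceID = sys.ResourceID
JOIN fn_rbac_Collection(@UserSIDs) AS col
     ON col.CollectionID = fcm.CollectionID
WHERE sys.Client0 = 1;
```

To try the second query ad hoc in SQL Server Management Studio, prefix it with `DECLARE @UserSIDs nvarchar(max) = N'<SID list of a test user>';` (placeholder) and compare the row count with the first query when run as a scoped administrator.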
Keeping up with the Cloud…
New features for Intune are integrated with ConfigMgr
With Intune Extensions: ability to update via the Intune connector; automatic for all admin consoles; may update the database if needed
How Intune Extensions work
Extensions shipping today: iOS 7 settings management; email profile; Windows Phone 8.1
Admin is notified that an extension is available when the console is launched
Admin goes to Extensions for Intune in the console and enables the extension
Extension is activated in ConfigMgr (the extension is downloaded to the CAS and then installed on the database)
Admin restarts the console, and the console is updated with the extension
Admin uses the feature delivered by the extension
Admin may wish to disable the extension
What's coming in the future…
Looking back…
October 2013
• Depth of settings
• Native Company Portal for iOS and Android
• App management
• Certificates, VPN/WiFi profiles
January 2014
• Standalone MDM
• Email profiles/wipe
• iOS 7 data protection settings
• Remote lock/PIN reset
May 2014
• Windows Phone 8.1 support
• Samsung KNOX Standard support
• Remote to My PC for iOS and Android
Q4 Roadmap
Managed corporate-owned devices
• Enable IT to bulk enroll devices
• Device management focused on task-worker scenarios
Conditional access policy
• Provide access to email and documents only if the device is managed
• Exchange and OneDrive for Business
Managed mobile productivity and data protection
• Managed Office mobile apps
• App wrapper for existing iOS, Android apps
• Protected web browser
• Managed PDF, audio, video viewers
Managed Corporate-owned Devices
Bulk Enrollment
• Support for Apple Device Enrollment Program and Apple Configurator
• Service account enrollment
Configuration Policies
• Device lockdown through supervisor mode
• Policies and apps targeted to devices
• Application install allow/deny list
• URL allow/deny
Managed Mobile Productivity
(Diagram labels: MOWA, Native E-mail, Browser, LoB, for Business)
Layer 1 – Mobile device lockdown via MDM
Protects corporate data by:
Restricting device behaviors: PIN, encryption, wipe, disable screen capture and cloud backup, track compliance, etc.
Provisioning credentials that enable corporate resource access control
Gaps it leaves open:
Apps may share corporate data with other apps outside IT control
Apps may save corporate data to consumer cloud services
Layer 2 – Application and data containers
Protects corporate data by:
Preventing apps from sharing data with other apps outside of IT control
Preventing apps from saving data to stores outside of IT control
Encrypting app data to supplement device encryption
Gaps it leaves open:
Only protects corporate data that resides on devices. Cannot protect data beyond a device.
Applies the same protection to all data that an app touches. Does not allow for specific protection per document.
Layer 3 – Data wrapping
Protects corporate data by:
Protecting data wherever it resides
Providing granular, content-specific protection, e.g. time-bomb vision docs
Gaps it leaves open:
Requires enlightened applications
Requires all data to be protected if not complemented by Layers 1 and 2
Protected Corporate Email and Collaboration
Conditional Access Policy
• Access email and documents only if the device is managed
• Deny access if the device falls out of compliance
• Deploy certificates and Wi-Fi, VPN profiles
• Configure email profiles across devices
Mobile App & Data Protection
• Contain corporate data to corporate apps and services
• Push, publish and uninstall apps centrally
• Provision iOS managed apps and accounts
• App wrapper for protected internal LoB apps
• Provide access to internal resources via per-app VPN
• Protected web browser, PDF, audio, video
• Selective wipe for managed apps and documents
Making it real
Getting to unified device management
From Configuration Manager 2007 (Microsoft System Center 2007 Configuration Manager)
Maintain your existing ConfigMgr 2007 deployment
Stand up new ConfigMgr 2012 R2 + Windows Intune
Add new devices for management
Migrate
From Configuration Manager 2012
Upgrade your existing ConfigMgr 2012 deployment to R2
Add new devices for management
Connect with Intune
From Windows Intune
Add new devices for management
Intune upgrades are available automatically
Enterprise Mobility Suite
EMS will enable customers with:
Hybrid Identity Management (enabled via Azure Active Directory Premium)
• Group management & self-service password reset
• Security audit reports & multi-factor authentication
• Connection between AD / Azure AD
Mobile Device Management (enabled via Windows Intune)
• Mobile device settings management
• Mobile app management
• Selective wipe
Data Protection (enabled via Azure Rights Management Service)
• Information protection
• Connection to on-premises assets
Enterprise Agreement prices starting at $4 per user per month*
* Limited time EA Level A promo pricing. Requires 250 seat minimum purchase and underlying CAL Suite license (CoreCAL/ECAL/BridgeCAL)
Related content – Enterprise Client
Code | Title | Time
PCIT-B215 | What's New in Microsoft System Center 2012 R2 Configuration Manager Infrastructure | Mon, May 12 3:00 PM
PCIT-B410 | Microsoft System Center 2012 Configuration Manager: MVP Experts Panel | Mon, May 12 4:45 PM
PCIT-B216 | Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 8:30 AM
PCIT-B317 | Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune | Tue, May 13 1:30 PM
PCIT-B320 | Microsoft System Center Configuration Manager Community Jewels | Tue, May 13 5:00 PM
PCIT-B323 | Application Management with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 8:30 AM
PCIT-B325 | Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune | Wed, May 14 10:15 AM
PCIT-B340 | What's New with OS Deployment in Configuration Manager and the Microsoft Deployment Toolkit | Wed, May 14 5:00 PM
PCIT-B336 | Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager | Thu, May 15 8:30 AM
PCIT-B339 | How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch | Thu, May 15 10:15 AM
PCIT-B333 | How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune | Thu, May 15 1:00 PM
Related content – PCIT
Session | Title | Timeslot
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Monday, May 12 11:00 AM - 12:00 PM
PCIT-B212 | Design Considerations for BYOD | Tuesday, May 13 10:15 AM - 11:30 AM
PCIT-B213 | Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B310 | Empowering Your Users and Protecting Your Corporate Data | Monday, May 12 1:15 PM - 2:30 PM
PCIT-B313 | Hybrid Identity: Extending Active Directory to the Cloud | Monday, May 12 4:45 PM - 6:00 PM
PCIT-B314 | Understanding Microsoft's BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2 | Tuesday, May 13 8:30 AM - 9:45 AM
PCIT-B321 | Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers | Tuesday, May 13 5:00 PM - 6:15 PM
PCIT-B322 | Deploying and Managing Work Folders | Wednesday, May 14 10:15 AM - 11:30 AM
PCIT-B324 | How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's and the Don'ts | Wednesday, May 14 8:30 AM - 9:45 AM
PCIT-B326 | Providing SaaS Single Sign-on with Microsoft Azure Active Directory | Thursday, May 15 10:15 AM - 11:30 AM
PCIT-B327 | Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from Anywhere | Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B328 | Microsoft Identity Manager vNext Overview | Wednesday, May 14 5:00 PM - 6:15 PM
PCIT-B330 | Active Directory + BYOD = Peace of Mind | Thursday, May 15 8:30 AM - 9:45 AM
Related content – Instructor Led Labs
Code | Title | Time
PCIT-IL200 | Introduction to Microsoft System Center 2012 R2 Configuration Manager | Mon, May 12 3:00 PM; Wed, May 14 5:00 PM
PCIT-IL201 | Upgrading from Configuration Manager 2012 SP1 to Microsoft System Center 2012 R2 Configuration Manager | Thu, May 15 10:15 AM
PCIT-IL300 | Deploying Windows 8.1 to Bare Metal Clients | Wed, May 14 1:30 PM; Thu, May 15 1:00 PM
PCIT-IL305 | Basic Software Distribution with Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 5:00 PM; Wed, May 14 3:15 PM
PCIT-IL306 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 10:15 AM; Thu, May 15 8:30 AM
PCIT-IL307 | Managing Microsoft Software Updates in Microsoft System Center 2012 R2 Configuration Manager | Tue, May 13 1:30 PM; Wed, May 14 8:30 AM
PCIT-IL308 | Migrating from Configuration Manager 2007 to Microsoft System Center 2012 R2 Configuration Manager | Wed, May 14 10:15 AM
Related content – Hands On Labs
Code | Title
PCIT-H302 | Deploying a Microsoft System Center 2012 R2 Configuration Manager Hierarchy
PCIT-H303 | Deploying Microsoft System Center 2012 R2 Configuration Manager
PCIT-H304 | Deploying Windows 8.1 to Bare Metal Clients
PCIT-H309 | Implementing App-V 5.0 in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H310 | Implementing Endpoint Protection in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H311 | Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H312 | Implementing Role-Based Administration in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H314 | Managing Clients with Microsoft System Center 2012 R2 Configuration Manager
PCIT-H315 | Managing Content in Microsoft System Center 2012 R2 Configuration Manager
PCIT-H316 | Managing Software Updates in Microsoft System Center 2012 R2 Configuration Manager
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.