BYOD – Strategy, Objectives and Tools, Aptera, Jan 2014

What's your BYOD Strategy? Objectives and tips from Microsoft & Aptera


Devices: The explosion of devices is eroding the standards-based approach to corporate IT.

Apps: Deploying and managing applications across platforms is difficult.

How Microsoft addresses today’s challenges

Data: Users need to be productive while maintaining compliance and reducing risk.

Users: Users expect to be able to work in any location and have access to all their work resources.

Empowering People-centric IT

Enable users

Allow users to work on the devices of their choice and provide consistent access to corporate resources.

Protect your data

Help protect corporate information and manage risk.

Management. Access. Protection.

Unify your environment

Deliver a unified application and device management on-premises and in the cloud.

Selecting the Management Platform

Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune

Cloud-based Management – Standalone Windows Intune

No existing Configuration Manager deployment

Simplified policy control

Fewer than 7,000 devices and 4,000 users

Simple web-based administration console

Windows Intune – Standalone service

Windows PCs (x86/64, Intel SoC)

Windows RT, Windows Phone 8

iOS, Android

Manage up to 7,000 devices and 4,000 users

Mobile Device Management with Windows Intune

EAS based management

Direct management (Windows RT, Windows Phone 8, iOS)

Information Worker Self-service Experience

Connect every user’s device to the service

Enable them to discover applications

Let users manage their own devices and data

Provide a premium end user experience

End User Experience

Consistent self-service experience for end users across mobile platforms

Windows RT Company Portal: native Windows application, available in the Windows Store

Windows Phone 8 Company Portal: native Windows Phone 8 app (.xap), side-loaded during enrollment

iOS Company Portal: native iOS application, available in the Apple App Store

End User Capabilities for each Platform

| Capability | Windows 8 & Windows 8.1 | Windows RT & Windows 8.1 RT | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|---|
| Enroll (local device) | Yes | Yes | Yes | Yes | EAS |
| Rename devices | Yes | Yes | Yes | Yes | No |
| Retire (un-enroll local device) | Yes | Yes | Yes | Yes | No |
| Remotely wipe other devices | Yes | Yes | No | No | No |
| Install enterprise LOB applications | Yes | Yes | Yes | Yes | Yes |
| Install publicly available applications | Yes | Yes | Yes | Yes | Yes |
| Browse to web links | Yes | Yes | Yes | Yes | Yes |
| Contact IT | Yes | Yes | Yes | Yes | Yes |

Mobile Device Inventory

Hardware properties for mobile devices are collected through the Device Management Authority as well as Exchange ActiveSync.

No software inventory is collected for mobile devices, to respect the Information Worker’s privacy on their own device.

IT Pros can track storage on mobile devices, which helps them anticipate/troubleshoot issues.

Settings Management

Security policy on devices (iOS, Windows RT and WP8): Direct management and Exchange ActiveSync.

Reporting is available on each setting: whether it is applicable, conformant or has an error.

The same security policy template is used for both Direct Management and EAS to help Admins

Android and Windows Phone 7 devices can be managed through EAS

Application Management on Mobile Devices

| Platforms | Windows 8/Windows RT | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|
| Sideload to install | *.appx | *.xap | *.ipa | *.apk |

Deep links to store apps – install from store

Software Distribution Summary

Columns: Platform, Desktop Apps (.msi, .exe), Modern App Types, Side loading (.appx, .xap, .ipa, .apk), Deep Links, web apps

Windows 8 Pro/Ent √ √ √ √

Windows RT ** √ √ √

iOS √ √ √

Android √ √ √

WP8 √ √ √

Windows 7 and below √ √

** Windows 8 SSP on WinRT will show MSI/EXE apps that can be remotely installed to other PCs linked to the user, but that are not installable on the local Windows RT device

Protect your data

Help protect corporate information and manage risk

[Diagram labels: Enrollment, Retired, Lost or Stolen; Personal Apps and Data, Company Apps and Data, Remote App, Policies, Centralized Data]

IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.

Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.

• Selective wipe removes corporate applications, data, and policies as supported by each platform

• Full wipe if supported by each platform

• Can be executed by IT or by the user via Company Portal

• Sensitive data or applications can be kept off the device and accessed via Remote Desktop Services

Recap: MDM Features per Platform

Management Feature | Windows RT | Windows Phone 8 | iOS | Android

Over-the-air Enrollment Y Y Y

Inventory Y Y Y Y

Settings Management Y Y Y Y

Software Distribution Y Y Y Y

Remote Wipe Y Y Y


Thank You!

Mark [email protected]

Appendix

Windows Intune integrated with System Center 2012 R2 Configuration Manager

Mac OS X

Windows PCs (x86/64, Intel SoC), Windows to Go

Windows Embedded

Windows RT, Windows Phone 8

iOS, Android

Manage and Secure PCs and Devices Anywhere

Help protect PCs from malware

Manage updates

Proactive monitoring and alerts

Provide remote assistance

Inventory hardware and software

Monitor & track licenses

Increase insight with reporting

Set security policies

Distribute software

Richer Mobile Device Management

Simple web-based Administration Console and a richer experience for Information Workers

Non-intrusive Management

Management tasks can work with the Windows 8 maintenance window

Management tasks do not interrupt if the end user is immersed in a modern application

Mobile device wipe and retire

Category | Windows 8.1 (MDM managed) | Windows 8 RT | Windows Phone | iOS | Android (EAS)

Full Wipe Not applicable Not applicable

Retire (Selective wipe)

Email (Email through EAS) (Email through EAS) (Email through EAS)

| Category | Windows 8.1 (MDM managed) | Windows 8 RT | Windows Phone | iOS | Android (EAS) |
|---|---|---|---|---|---|
| Company apps and associated data installed by using Configuration Manager and Windows Intune | Uninstalled and sideloading keys are removed. In addition any apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible | Sideloading keys removed but remain installed | Uninstalled and data removed | Uninstalled and data removed | Apps and data remain installed |
| Settings | Requirements removed | Requirements removed | Requirements removed | Requirements removed | Requirements removed |
| Management Client | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Management profile is removed | Not applicable. Management agent is built-in |

Setting name | EAS (ActiveSync) | WinRT/WinPh8 | iOS

Require a password to unlock mobile devices √ √ √

Required password type √ √ √

Minimum password length √ √ √

Allow simple passwords √ √ √

Number of repeated sign-in failures before device is wiped √ √ √

Minutes of inactivity before device screen is locked √ √ √

Password expiration (days) √ √ √

Remember password history √ √ √

Allow convenience logon (WindowsRT only) √

Allow camera √ √

Allow web browser √ √

Allow backup to iCloud (iOS only) √

Allow documents sync to iCloud (iOS only) √

Allow photostream sync to iCloud (iOS only) √

Maximum size of e-mail attachments √

E-mail synchronization for last (days) √

Allow mobile devices that don’t fully support these settings to synchronize with Exchange √

Require encryption on mobile device √

Require encryption on storage cards √

Password

Device restrictions

Email

Encryption

Mobile Device Settings

Mobile Device Inventory

Property Win RT WP8 iOS Android (EAS)

Device name Y Y Y Y

Unique device ID Y Y Y

Serial number Y

Email address Y Y Y Y

OS type Y Y Y

OS version Y Y Y Y

OS language Y Y

Total storage space (GB) Y Y

Free Storage space (GB) Y Y

System enclosure Chassis Y

System enclosure IMEI Y

Manufacturer Y Y

Model Y Y Y Y

Phone number (masked except last 4 digits) Y Y

Subscriber carrier Y

Cellular technology (none, GSM, CDMA) Y

WiFi MAC Y Y

Enrolled date (local time) Y Y Y

Last contact (local time) Y Y Y Y

Last Exchange status Y

Last Policy update status Y

Access State Y

Access state reason Y

Management state Y

ActiveSync ID Y

Flexible Licensing that Fits Your Needs

Already have Configuration Manager

Windows Intune (Add-On) ($4 per user per month)

Don’t Have Configuration Manager

Windows Intune (includes Configuration Manager license) ($6 per user per month)

Windows Intune & Windows Enterprise (includes Configuration Manager license) ($11 per user per month)

• Single License: Windows Intune and Configuration Manager

• Per User Licensing

• Up to 5 devices/user

http://www.microsoft.com/workstyle

http://www.microsoft.com/server-cloud/user-device-management

More Resources:

System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33

Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy

Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server

For More Information