Moving from Device Centric to a User Centric Management
Post on 19-Oct-2014
Moving from Device Centric to People Centric Management
Corey Hynes
Agenda
• What is User Centric Management and Why do I care?
• Device Centric Management
• User Centric Management with Configuration Manager 2012
• User Centric Management with InTune
• Hybrid InTune/Configuration Manager
Introduction to User Centric Management
Management
• The past – Device Centric Management
• Today – Mixed Management
• Tomorrow – User Centric Management
The times, they are a changing…..
Your computer IS your tool for work
Your computer CONTAINS your tool for work
Circle of influence is shrinking….
From this….
…. To this
Well, it’s really a square…..
Why implement UCM
Empowering User Productivity
• Device Choice
• Application Self-service
• Personalized Application Experience
• Non-intrusive management
Unifying Management Infrastructure
• Manage all devices through single interface
• Deliver applications to the user, not the device
• Integrated security and compliance
• Reduced infrastructure complexity
Users IT
Access to corp resources across devices & platforms
Single admin console
Managing devices in the enterprise
Today
• More devices and platforms
• User-owned
• Less depth of support experience
• Governance
Way Back Then
• Homogenous Environment
• Organization-owned devices
• IT Knowledge
• Control
Evolution of Microsoft Management
[Timeline figure: 1994 SMS 1.0; 1999 SMS 2.0; 2003; 2007; 2011; 2012; 2013. Labels: Client Management Infancy (NT Domain); Groups Model; Comprehensive Management; Laptops, Servers, Enterprise Scale; Consumerization of IT; Management from the Cloud]
The User is the Focus
User-centric management
Common user accounts and security groups
Repository for inventory and device data
• Central policy control
• Consistent experience across on-premises or cloud-based services
• Windows Azure AD federates and synchronizes with on-premises AD
• User accounts in Windows Azure AD can access Azure and 3rd party applications
Bring Your Own Device
• Many companies are embracing this (whether they know it or not)
• More users are doing this than administrators generally know about
• The first vast BYOD solution was VDI (VMware View or XenDesktop)
• Offered broad device support to get to a Windows Desktop
• Issue is that the Windows Desktop (<8) does not work well with touch
• The “desktop” was the “app”
• Today, apps are cross platform, and multi-platform.
• You can deliver just the app, without the desktop
• You need a way to manage all of this
Moving towards User Centric Management
The process
1. Understand your existing Device Centric models
2. Configuration Manager – Move to User Collections
3. Configuration Manager – Implement Application Catalog
4. InTune – Extend to non-managed devices
5. Federation – Single management infrastructure
Device Centric Management
• You (IT) owned the device (PC).
• The PC was the “tool” for work.
• In many cases restricted, locked down, and highly controlled.
• Encouraged the “Work Computer” and “Home Computer” model
• Simplified Access to Work Tools
– DA
– VPN
– VDI
Why it does not work today
• Devices are prolific, cheap, and available.
• There is more than one choice in Operating System
• Users are more savvy, and have more devices.
• There is a trend towards “apps” as tools instead of “hardware” as tools.
• Blame Apple, “there’s an app for that”.
• The boundaries of “work” are gone
• Both physical and chronological
Modern Device Management
Devices & Platforms
IT
Single admin console
Mac OS X
Windows PCs (x86/64, Intel SoC), Windows To Go
Windows Embedded
Windows RT, Windows Phone 8
iOS, Android
Windows Embedded Support
Thin Clients
• Windows XP Embedded
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
POS/Kiosk
Same as Thin Clients, plus
• POS Ready 2009
• POS Ready 8
Digital Signage
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
Repurposed PC
• Windows Thin PC
Supported Write Filters
• File Based Write Filters (FBWF) (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Ability to force persistence of changes for
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly in SP1.
Linux & UNIX Servers
Red Hat Enterprise Linux
• Version 4 (x86/x64)
• Version 5 (x86/x64)
• Version 6 (x86/x64)
Solaris
• Version 9 (SPARC)
• Version 10 (SPARC/x86)
SUSE Linux Enterprise Server
• Version 9 (x86)
• Version 10 SP1 (x86/x64)
• Version 11 (x86/x64)
Supported OS’s across both:
• Configuration Manager
• Operations Manager
Old versions supported as long as vendor provides support
Broader Linux distro support being evaluated for future releases
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
Consolidated reports
Mac OS X
Configuration Manager native client
• 10.6 (Snow Leopard)
• 10.7 (Lion)
Key management capabilities
• Push Software Distribution
• Settings Management
• Hardware and Software Inventory
CM 2012 SP1 - Updates
Wider client operating system and application support
• Windows 8 and Windows To Go
• Windows Server 2012 site systems and clients
• Mac OS clients, Linux and Unix servers
• SQL Server 2012 Configuration Manager database
Better feature support
• Metered connections and always on, always connected in Windows 8
• New deployment types for Windows 8 applications
• Configurable user data and profiles for folder redirection, offline files, and roaming profiles
Greater manageability
• Virtual environment support
• PowerShell cmdlets
• Client notification
• Email alerts for all features
UCM with Configuration Manager
• Deliver best user experience on each device
• Define application once
Designing a User Centric Delivery
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop
User-centric Application Delivery
New Application Model
Application “Package”
General Information
Deployment Type
App-V, Windows Script, CAB, Windows Installer
• Administrator Properties: Keep your apps organized and managed
• End User Metadata: The “friendly” information for your users (appears in Catalog)
• Detection Method: Is app installed?
• Install Command: Command line and options
• Requirement Rules: Can/cannot install app
• Dependencies: Apps that must be present
• Supersedence: Application version control
User-centric Application Delivery
End User Self-service
IT
Administrators publish software titles to catalog, complete with metadata to enable search
• Deliver best user experience on each device
User
Users can browse, select and install directly from Catalog
• Application model determines format and policies for delivery
Components
• User Collections
• User Deployments
• Mixed deployment types
• Application Catalog
• Primary Device settings and rules
• User policies
UCM with InTune
Company Portal Application
Windows RT and Windows 8 Phone Application Distribution
What’s New in Windows Intune
User-Based Licensing
Unified Management Solution
Direct Mobile Device Management
Cloud-based Self-service Portal
Securely provision application from anywhere
Single point for application requests
Users only see the software they have permission to request
Company Portal Capabilities
Action user can take through the company portal (columns: Windows RT, Windows Phone 8, iOS, Android)
• Enroll local device
• Rename devices
• Retire local device
• Wipe other devices remotely
• Install line-of-business apps
• Install apps from the consumer store*
* Stores can be either Windows Store, Windows Phone Store, App Store, or Google Play, depending on the device
Comparing Windows Intune Cloud and Unified Configurations
Cloud-Only Configuration
Unified Configuration
Up to 100,000 users, computers, and mobile devices in a single management infrastructure
Windows Intune Unified Architecture
[Architecture diagram labels: EAS; Android; Android App Distribution; Service Pack 1; x86 / x64; Windows 8; Windows To Go; Windows 7; Windows Embedded; Windows Vista; Windows XP; Mac; CorpNet; Internet; DirSync; Active Directory; ADFS; ADFS Proxy; Windows Phone 8; Windows RT; Direct Management & App Distribution; iOS; Android]
Unified Management Capabilities
Managed Through System Center 2012 Configuration Manager | Windows Intune
Platform > Capability: Windows 8, Windows 7, Windows Vista, Windows XP, Windows To Go, Mac OS, Windows RT, Windows Phone 8, iOS, Android
Application management: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Endpoint Protection: ✓ ✓ ✓ ✓ O O O O
Hardware Inventory: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓(1)
Software Inventory: ✓ ✓ ✓ ✓ ✓(2) ✓(2) ✓(2) ✓(2)
Remote control: ✓ ✓ ✓ O O O O O
Reporting: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Software updates: ✓ ✓ ✓ O ✓ ✓ ✓(4) O
Compliance settings: ✓ ✓ ✓ ✓ ✓(3) ✓(3) ✓(3) ✓(3)
OS deployment: ✓ ✓ ✓ O N/A N/A N/A N/A
Out-of-band management: ✓ ✓ ✓ O N/A N/A N/A N/A
Power management: ✓ ✓ ✓ O O O O O
Software metering: ✓ ✓ ✓ O O O O O
1 = Basic information only through Exchange ActiveSync
2 = Managed applications only
3 = Compliance reporting but no remediation automation
4 = Device User has to accept the update
Comparing the Windows Intune and Exchange Server Connectors
Management Functionality | Windows Intune connector | Exchange Server connector
App management/deployment | ✓ | O
Public key infrastructure (PKI) security between the mobile device and Configuration Manager | ✓ | O
Discovery | ✓ | ✓
Hardware inventory | ✓(1) | ✓
Software inventory | ✓(2) | O
Settings, configuration items and baseline | ✓(3) | ✓(3)
1. For Windows RT, Windows Phone 8, and iOS
2. Through reporting
3. Both Exchange ActiveSync and Windows Intune use the same security template for their settings.
Windows Intune Sites and Portals
• Account Portal
– https://account.manage.microsoft.com
– Manage users, account administrators, security groups, subscriptions, partners
• Administrator Console
– https://admin.manage.microsoft.com
– Configure cloud-based management
• Company Portal
– Download apps, associate users with devices, contact IT support
– Versions for different mobile device types
Windows Phone 8 Portal
Company Portal Web Site
Windows RT Portal
System Center 2012 Configuration Manager with SP1
Unified User Centric Management
• Managed Devices
– No real change
– Can use “external” portal
• Big benefit is for “unmanaged” devices/BYOD
– You get some management and reporting (varies by device)
– You have an easy way to present an application across devices
• This really only works if you have “cross platform” applications
– Often the cost of building applications far exceeds the cost of enabling devices
Examining a functional deployment
• InTune Connector
• User Collections
• Deployment types for devices
• Company Portals
– Windows
– Android
– iOS? Anyone?
Federating with InTune
Planning ADFS
• What does ADFS do?
– Enables SSO
– Big deal
• Is it needed?
– No, but highly recommended
– Affects mobile devices (simpler logon)
• What if you don’t use ADFS?
– Authenticate to Company Portal using InTune Creds (separate set)
– Administration must manage through account portal, not AD
Roadmap for Integrating Configuration Manager 2012 with Windows Intune
Sign up for Windows Intune account
Add domains to Windows Intune
Deploy ADFS 2.0
Federate with WAAD
Set up Active Directory Synchronization
Intune App Requirements
Android
• There are no configuration requirements for Android devices
• No action required prior to setup
iOS
1. Download a Certificate Service Request using the Request APNs Certificate Service Request dialog box in Configuration Manager
2. Submit the CSR to the Apple Push Certificate Portal and download the APNs certificate (.pem file)
3. Upload the APNs certificate to Windows Intune
• No prior action required as process can be completed later in user interface
Windows RT
• There are no initial configuration requirements for enabling management of Windows RT devices
• To enable installation of apps for Windows 8, you need to add a valid code signing certificate and also add sideloading keys to Configuration Manager
• No action required - a code signing cert and sideloading keys set up in the UI for app publication
Windows Phone 8
• Add code-signing certificate .pfx or .p12 file
• Upload signed company portal app
• Require code signing certificate and signed company portal app
One way process!
Managing InTune via CM
Android Properties
iOS Properties
Windows RT Properties
Summary
• People centric is the future, driven by user behavior, not IT governance.
• Start implementing self service as step 1
• Understand the deployment options for each LOB application
• Use InTune to support mobile/BYOD scenarios
• Federate for central management