Basel: Device Mgmt (BYOD) TechNet Event, November 25th, 2013
Martin Weber, Technology Solution Professional, Microsoft Switzerland Ltd.
Supporting Bring Your Own Device (BYOD) Scenarios
Prioritize objectives, create a
plan, establish identity
profiles, and monitor access
Access, inventory, and manage
devices and applications;
remove corporate data in the
event the device is lost, stolen,
or retired
Fulfill specific usage scenarios
that enable a consistent
experience for users/groups
across devices and platforms
management
Unified management of
mobile devices—IT can
publish corporate apps and
services across device types,
regardless of whether they are
corporate-connected or
cloud-based
User profile, User needs, Companion devices, Primary devices
Potential device platforms
How many users and
which profiles and needs
are you targeting?
Understand Your Users’ Business Needs (Personas)
Scope, types of users, services required
Questions that lay the
foundation for defining your
objectives
Who are the
primary users?
What services will
users actually need
to access?
How many users
do you want to
support?
How many devices
will each user have?
How many and what
types of devices will be
most prevalent?
Manage access to
corporate resources, with
conditional access based
on the user’s identity,
device being used, and
location
Develop common identity
profiles for accessing
resources on-premises and
in the cloud
Provide users with single
sign-on when accessing
all resources, meaning that
users do not have to
remember multiple sets of
credentials
Through federation, users
and IT can take advantage
of their common identity
for access to external
resources
User Identity and Access Management
Access & Information Protection (AIP)
• Device choice
• Application self-service
• Personalized app experience
• Nonintrusive management
• Manage all devices through a single interface
• Deliver apps to the user, not the device
• Integrated security and compliance
• Reduced infrastructure complexity
Access to corporate
resources across devices
and platforms
Single admin
console
2012 R2 Configuration Manager
Users expect to be able to work in any location and have access to all their work resources.
The explosion of devices has eradicated the standards-based approach to corporate IT.
Deploying and managing apps across personal and organization-owned devices is difficult.
Users Devices Apps Data
Enabling users to be productive while maintaining compliance and reducing risk.
Devices Apps Users
Empowering people-centric IT
Enable users
Allow users to work on the devices of their choice, and provide consistent access to corporate resources.
Protect your data
Help protect corporate information and manage risk.
Management. Access. Protection.
Data
Unify your environment
Deliver a unified application and device management on premises and in the cloud.
Empower Bring Your Own Device (BYOD)
Flexible solutions for your business
Joining workplace with
personal devices
Windows To Go
Virtual
Desktop
Infrastructure
(VDI)
Device
Management
Microsoft Exchange
ActiveSync
Mobile device management (MDM)
via Open Mobile Alliance Device
Management (OMA-DM)
Enterprise
management
Governance Full control
Windows 8.1 provides choices.
Choose by device based on scenario or capabilities needed.
Consider employee versus organization-owned, BYOD, connectivity.
Organizations can choose the options that work best for them.
Based on Open Standards
Uses OMA-DM protocols
Secure communication with cloud-based management
Built into Windows 8.1 and Windows RT 8.1
Implemented by multiple independent software vendors
Microsoft (Windows Intune)
AirWatch
MobileIron
Open protocol enables implementation by additional vendors
Mobile Device Management
Implements key device management functionality
Hardware and software inventory
Configuration of key settings
Line-of-business modern app installation and updating
Certificate provisioning and deployment
Data protection, including remote business data removal (wipe)
Mobile Device Management
Lightweight registration process for personal devices
Enables access to data when using a registered, trusted device; leverages the user and device identities together
Used with Dynamic Access Control in Windows Server 2012 R2
Primarily a security capability, potentially combined with MDM for manageability
Workplace Join
Simple access to corporate data
Enable offline access to files and folders stored on a Windows Server 2012 R2 file server
Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems, as well
Leverages Web protocols (HTTP) for easy synchronization through firewalls
A complement to SkyDrive and SkyDrive Pro
Work Folders
Selecting the Management Platform for Your Enterprise
Unified Device Management: System Center 2012 R2 Configuration Manager
with Windows Intune
Cloud-based Management:
Stand-alone Windows Intune
No existing Configuration Manager deployment
Simplified policy control
Fewer than 7,000 devices and 4,000 users
Simple web-based administration console
Windows Intune: Stand-Alone Public Cloud Service
Windows PCs
(x86/x64, Intel SoC)
Windows RT,
Windows Phone 8
Apple iOS, Google Android
Manage up to 7,000 devices and 4,000 users
Manage and secure PCs and devices anywhere
Help protect PCs from malware
Manage updates
Proactive monitoring and alerts
Provide remote assistance
Inventory hardware and software
Monitor and track licenses
Increase insight with reporting
Set security policies
Distribute software
Richer mobile device management (MDM)
Simple web-based administration console and a
richer experience for information workers
Mobile Device Management (MDM) using Windows Intune
Microsoft Exchange ActiveSync–based management
Direct management (Windows RT,
Windows Phone 8, iOS)
End-User Experience
Consistent self-service experience for users across mobile platforms
Native Windows app
Available in the Windows Store
Windows Phone 8
Company Portal
iOS
Company Portal
Native Windows Phone 8 app (.xap)
Sideloaded during enrollment
Native iOS application
Available in the Apple App store
Windows RT
Company Portal
End-User Capabilities for each Platform
| Capability | Windows 8 / Windows 8.1 | Windows RT / Windows RT 8.1 | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|---|
| Enroll (local device) | Yes | Yes | Yes | Yes | Exchange ActiveSync |
| Rename devices | Yes | Yes | Yes | Yes | No |
| Retire (un-enroll local device) | Yes | Yes | Yes | Yes | No |
| Remotely wipe other devices | Yes | Yes | No | No | No |
| Install enterprise LOB apps | Yes | Yes | Yes | Yes | Yes |
| Install publicly available apps | Yes | Yes | Yes | Yes | Yes |
| Browse to web links | Yes | Yes | Yes | Yes | Yes |
| Contact IT | Yes | Yes | Yes | Yes | Yes |
Mobile Device Inventory
Hardware properties for mobile devices are collected through the Device Management Authority as well as Exchange ActiveSync (EAS).
No software inventory for mobile devices to respect the information worker’s privacy on their own device.
IT pros can track storage on
mobile devices, which helps
them anticipate and
troubleshoot issues.
Mobile Device Settings Management
Security policy on devices (iOS, Windows RT, and Windows Phone 8) through direct management and Exchange ActiveSync (EAS)
Reporting available on
each setting whether it is
applicable, conformant,
or has an error
The same security policy template is used for both direct management and Exchange ActiveSync to help admins
Android and Windows Phone 8 devices can be managed through Exchange ActiveSync
Application Management on Mobile Devices
| Platforms | Windows 8.1 / Windows RT | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|
| Sideload to install | *.appx | *.xap | *.ipa | *.apk |

Deeplinks to store apps: Install from store
Software Distribution Summary
Columns: Platform; Desktop apps (.msi, .exe); Modern app types: Sideloading (.appx, .xap, .ipa, .apk) and Deep links; Web apps
Windows 8.1 Pro and Enterprise √ √ √ √
Windows RT - √ √ √
iOS √ √ √
Android √ √ √
Windows Phone 8 √ √ √
Windows 7 and earlier √ √
Windows Intune Sites and Portals
• Administrator console
• https://admin.manage.microsoft.com
• Configure cloud-based management
• Company Portal
• http://portal.manage.microsoft.com
• Download apps, associate users with
devices, contact IT support
• Versions for different mobile device types
Windows
Phone 8
Portal
Company
Portal
Windows
RT Portal
System Center 2012 R2 Configuration Manager
Enable users
Allow people to be more productive
from almost anywhere on almost
any device.
Simplify administration
Improve IT effectiveness
and efficiency.
Unify infrastructure
Reduce costs by unifying IT
management infrastructure.
SCCM 2012 R2: User- and Full Device Mgmt Capabilities
Unified Device Management
User- & Machine centric App Delivery
Full Operating System Deployment (OSD)
Full Application Lifecycle Management
Rich Reporting & Inventory
Target applications based
on user role the best way for
each device
• Windows/Windows RT
• Windows Phone
• iOS
• Android
• OS X
Evaluate device capabilities
for optimal application
delivery
• Local installation
• Microsoft Application
Virtualization
• Desktop Virtualization (VDI)
• Web applications
People-Centric Application Delivery
Accessing apps the right way, on the right device
MSI, RDS, App-V (MDOP), Remote App, Native App/App Store
Unified Device Management
Mac OS X
Windows PCs
(x86/64, Intel SoC),
Windows to Go
Windows Embedded
Windows RT,
Windows Phone 8
iOS, Android
What’s new in Mobile Device Inventory?
New global condition to
differentiate app installations on
corporate vs. personal devices
App management
Personal devices. Inventory only apps
installed by Configuration Manager or
Windows Intune
Corporate devices. Complete inventory of
all apps on the device
App inventory
By default, user-enrolled devices
are “personal”
Admin can specify corporate-
owned devices
“Compromised” device detection.
Personal vs. corporate-
owned devices
VPN Profile Management
Support for major SSL VPN vendors
DNS name-based initiation
support for Windows 8.1 and iOS
Application ID–based initiation
support for Windows 8.1
Automatic VPN connection
Support for VPN standards like PPTP, L2TP, IKEv2
SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
Subset of vendors have Windows
RT VPN plug-in
Wi-Fi and Certificate Profiles
Wi-Fi settings
Manage and distribute certificates
Deploy trusted root certificates
Support for the Security Center Endpoint Protection
(SCEP) protocol
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that device can auto-
connect
Specify certificate to be used for Wi-Fi connection
Work Folders
Sync files and data across devices
Configuration Manager and Windows Intune support
New settings to provision Work Folders discovery settings
Self-service portals have links to Work Folders
New feature in Windows 8.1 and Windows Server 2012 R2