Deploying Solutions for Windows Phone 8.1 in the Enterprise
Roel Schellens - Mobility Architect, WW Modern Devices CoE, Microsoft Services
WIN-B321
Agenda
• Windows Phone 8.1 Enterprise Management Overview
• Typical Infrastructure for Windows Phone
• Addressing Typical Enterprise Concerns: Windows Phone Updates, Applications (Data Protection), Certificates, Remote Access Solution, Selective Wipe, (Identity)
Objectives
• Learn what to expect when deploying Windows Phone 8.1
• Learn how to overcome the most common concerns and challenges when deploying Windows Phone 8.1
• Accelerate your Windows Phone deployments through shared lessons learned
Prerequisites for this Session
Familiarity with the new capabilities of Windows Phone 8.1:
• Enterprise Mobile Device Management: enrollment, configuration management, certificate management, application management, monitoring
• Secure Access: enterprise Wi-Fi, virtual private networks
• Exchange Server support: EAS, S/MIME
Windows Phone 8.1 Enterprise Management Overview
Management lifecycle summary
• Mobile Device Management with Windows Intune or 3rd-party tools; simplified and flexible device enrollment using the Web Authentication Broker
• Control over the collection of enterprise apps, data and settings with MDM push: configuration policies, email accounts, certificate management, enterprise Wi-Fi, VPN profiles, company portal
• Converged app platform for business apps: private and secure distribution to managed phones; remote installation, update and removal of business apps
• Remote lock, remote ring, password or PIN reset, enhanced inventory
• Server-initiated device wipe; manual or server-initiated unenrollment; enterprise wipe: removal of LOB apps, email, policies, profiles, certificates and Office documents
Windows Phone 8.1 GDR1 and GDR2
General Distribution Release (GDR) 1 enterprise features:
• S/MIME: non-compliant with "existing" enterprise templates; modified auto-select logic; certificate picker
• Certificate authentication for LOB apps
• 3rd-party VPN support enabled (Cisco and MobileIron; please note: no plug-in)
• Support for DFS channels on 5 GHz Wi-Fi
• Several minor updates, such as password-protected Word documents
• Fixes
GDR2: in development
Typical Infrastructure for Windows Phone

Typical Windows Phone Infrastructure (diagram, based on Microsoft technology)
• Intranet: DC, ConfigMgr 2012 R2, AADSync, ADFS, CA, NDES, SharePoint, VPN
• DMZ: Reverse Proxy, ADFS Proxy (WAP)
• Cloud: Intune (Azure AD and O365)
• DNS (CNAME)
Blog, Pieter Wigleven: Part 3 - Protecting NDES with Web Application Proxy (WAP) in the DMZ

Demo Windows Phone Infrastructure (diagram)
• Intranet: DC, CA, ADFS, AADSync, ConfigMgr 2012 R2
• DMZ: ADFS Proxy
• Cloud: Intune (Azure AD, O365)
• DNS (CNAME)
Demo
Demo: Enrollment; Policies, Profiles, Certificates (through the GUI and through OMA-URIs)
Configuring Settings in CM/Intune: through the GUI or through OMA-URI
Windows Phone 8.1 MDM protocol documentation: http://technet.microsoft.com/en-us/library/dn499787.aspx
Addressing Typical Enterprise Concerns
• Windows Phone Updates
• Applications (Data Protection)
• Certificates
• Remote Access Solution
• Selective Wipe
• (Identity)
Windows Phone Updates
Windows Phone Update Overview
'Maintenance releases': AK (OS) updates and OEM firmware
What's in them: fixes for customer issues / call drivers; enabling new features / services
Process: requires testing and technical acceptance; processes vary by operator, region and market
Update Types
Update Type | Owner | Contributors | Contents
OS Update (AK) | MSFT | MSFT | Major OS functionality (Apollo, Blue, Cyan, Denim)
Firmware Update (RFU) | OEM | OEM, QCOM, MSFT, MO | Drivers, custom settings, MO apps, MS optional packages (Apollo, Blue, Cyan, Denim)
Downloadable User Content | MSFT | MSFT | Downloadable keyboard languages (user initiated)
Update Opportunities and Timing
• Major OS updates occur typically every 12-18 months
• General Distribution Releases (GDR) occur typically every 4-6 months
• Firmware updates (drivers, settings, OEM customizations) can occur on a more frequent schedule if needed
• Quick Fix Engineering (QFE) fixes are reserved for issues that may block a device or otherwise need an urgent fix
Major OS Release Lifecycle (diagram): Final AK, followed by GDR1, GDR2 and GDR3, each serviced by its own QFE1, QFE2 and QFE3
Note: Nokia MO update release information: http://www.nokia.com/global/support/software-update/wp8-software-update/
Windows Phone Updates: releases and build numbers
WP8.0 "Apollo" RTM
• GDR1: 8.0.10211
• GDR2: 8.0.10327 or 8.0.10328
• GDR3: 8.0.10501 or 8.0.10512
WP8.1 "Blue" RTM: 8.10.12+
• QFE1: 8.10.12359
• QFE2: 8.10.12382
• QFE3: 8.10.12393
• QFE4: 8.10.12397
• QFE5: 8.10.12400
WP8.1 GDR1: 8.10.14+
• QFE1: 8.10.14141
• QFE2: 8.10.14147
• QFE3: 8.10.14157
• QFE4: 8.10.14176
WP8.1 GDR2: in development
Update Process
1. Microsoft provides the AK or update to the OEM
2. The OEM builds its update (like Cyan) and tests the update package (usually with its flashing tools)
   a. If it is an MO-specific build, the OEM works with the MO to include the MO's requirements
3. The OEM provides the full update package to Microsoft to test the over-the-air (OTA) update (by OEM)
4. The OEM approves the update for delivery and Microsoft makes the update package available
Note 1: All updates (OS and OEM/firmware) to any Windows device are delivered via Microsoft Update.
Note 2: A device that is unlocked from an MO does not necessarily run an open-market build; for that it would have to use the designated open-market original install from the OEM.
Update check flow (diagram): Device and Microsoft Update Server
• The device looks for an update
• The Microsoft Update Server runs an applicability check on: OS version, OEM, MO, OEM device name, firmware revision
• The server returns applicability (targeting) details
• The device downloads the update payload
Applications
• Containerization and App Wrapping
• Application Management

Containerization and App Wrapping
What is it? Segregating corporate apps and data from personal apps and data, typically in an encrypted and password-protected "container".
Why is it important? It addresses leaking of corporate data.
Why don't users like it? User switching; no Office, but native apps (mail, internet browser).
What is Microsoft doing?
• Each app and its data are protected by its own container.
• Documents outside the app container (e.g. Word, PDF) will use DPM.
• No sharing of data is allowed except with defined/allowed apps.
Capabilities: protection of the data without "user switching".
Application Management
• Company Portal
• MSA/Store access
• Store app submission requirements
• Store apps and data sharing: capabilities claimed in the manifest
App Allow vs. Deny Lists
Based on app GUID (ProductId) and/or publisher name; the allow/deny rule is delivered as the value of an OMA-URI setting.
Example: allow apps from Microsoft and Adobe except Facebook

<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Allow>
    <Publisher PublisherName="Adobe Systems Incorporated" />
    <Publisher PublisherName="Microsoft" />
    <Publisher PublisherName="Microsoft Corporation">
      <DenyApp ProductId="{82a23635-5bd9-df11-a844-00237de2db9e}" />
    </Publisher>
  </Allow>
</AppPolicy>
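As an added example (editor's code, not from the slide deck or from Microsoft), the following Python evaluates the policy above against app metadata, showing how a publisher-level allow and a nested DenyApp combine into a per-app decision. It assumes the allow-list semantics the slide describes (publisher on the list and app not explicitly denied = allowed; anything else denied); apart from the Facebook ProductId, the sample product IDs and the "Contoso Ltd" publisher are constructed.

```python
"""Evaluate a Windows Phone 8.1 AppPolicy allow list against app metadata.

Added example, not Microsoft's code. Assumed semantics: with an <Allow>
section, an app is permitted only if its publisher is listed, unless a
<DenyApp> under that publisher names the app's ProductId; every other app
is denied. Product IDs are compared case-insensitively, braces stripped.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/phone/2013/policy"

# The policy from the slide: allow Microsoft and Adobe apps except Facebook.
POLICY_XML = """<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Allow>
    <Publisher PublisherName="Adobe Systems Incorporated" />
    <Publisher PublisherName="Microsoft" />
    <Publisher PublisherName="Microsoft Corporation">
      <DenyApp ProductId="{82a23635-5bd9-df11-a844-00237de2db9e}" />
    </Publisher>
  </Allow>
</AppPolicy>"""


def _tag(name: str) -> str:
    return "{%s}%s" % (NS, name)


def _norm_id(product_id: str) -> str:
    # ProductIds are GUIDs; tolerate {braces} and case differences.
    return product_id.strip().strip("{}").lower()


def parse_app_policy(xml_text: str) -> dict:
    """Return {publisher_name: set(denied_product_ids)} for the <Allow> section.

    Raises ValueError if the document is not a version 1 AppPolicy with an
    <Allow> section, so a broken OMA-URI value fails loudly instead of being
    applied as a missing or deny-everything policy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _tag("AppPolicy") or root.get("Version") != "1":
        raise ValueError("not a version 1 AppPolicy document")
    allow = root.find(_tag("Allow"))
    if allow is None:
        raise ValueError("AppPolicy has no <Allow> section")
    policy: dict = {}
    for pub in allow.findall(_tag("Publisher")):
        name = pub.get("PublisherName")
        if not name:
            raise ValueError("<Publisher> without PublisherName")
        denied = policy.setdefault(name, set())
        for deny in pub.findall(_tag("DenyApp")):
            pid = deny.get("ProductId")
            if not pid:
                raise ValueError("<DenyApp> without ProductId")
            denied.add(_norm_id(pid))
    return policy


def is_app_allowed(policy: dict, publisher: str, product_id: str) -> bool:
    """Allow-list decision: publisher must be listed and the app not denied."""
    denied = policy.get(publisher)
    if denied is None:
        return False  # publisher not on the allow list at all
    return _norm_id(product_id) not in denied


def evaluate(policy_xml: str, apps) -> dict:
    """Map each (publisher, product_id) pair in `apps` to its decision."""
    policy = parse_app_policy(policy_xml)
    return {(pub, pid): is_app_allowed(policy, pub, pid) for pub, pid in apps}


if __name__ == "__main__":
    # Constructed inventory; only the Facebook ProductId comes from the slide.
    sample_apps = [
        ("Microsoft Corporation", "{82A23635-5BD9-DF11-A844-00237DE2DB9E}"),
        ("Microsoft Corporation", "{11111111-2222-3333-4444-555555555555}"),
        ("Adobe Systems Incorporated", "{66666666-7777-8888-9999-000000000000}"),
        ("Contoso Ltd", "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    ]
    for (pub, pid), ok in evaluate(POLICY_XML, sample_apps).items():
        print("%-5s %-28s %s" % ("ALLOW" if ok else "DENY", pub, pid))
```

Note the exact-string publisher match: "Microsoft" and "Microsoft Corporation" are different publishers, which is why the slide's policy lists both. A malformed or wrong-version document raises in parse_app_policy rather than quietly producing a policy that allows nothing or everything.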
Demo
• App Management
• Allow and Deny List
Certificates

Certificates Overview for Windows Phone
Where are certificates stored?
• Shared User Certificate Store: for applications that declare the SharedUserCertificates capability
• App container: for applications that do not declare the SharedUserCertificates capability
Which code can access the Shared User Certificate Store?
• 1st-party apps (browser, e-mail client, Wi-Fi, VPN, etc.)
• Line-of-business apps (sideloaded apps)
• Store apps with an exception from Microsoft (currently only one app has such an exception)
How are certificates protected?
• Soft certificates: the private key is protected in software
• TPM certificates: the private key is stored by the TPM
• VSC (virtual smart card) certificates: the private key is stored by the TPM and protected by a user PIN
What is SCEP? Introduction to the Simple Certificate Enrollment Protocol
• SCEP is a very simple certificate enrollment protocol developed about 10 years ago for routers and switches.
• SCEP enables network devices that do not run with domain credentials to enroll for X.509 version 3 certificates from a Certification Authority (CA).
• As the end result, the network device has a private key and an associated certificate issued by the CA.
• It has increasingly been used for management of mobile device certificates via Mobile Device Management (MDM).
Certificate Deployment: Understanding the flow (diagram)
Components: Intranet: DC, ConfigMgr 2012 R2, CA, NDES, ADFS, DirSync; DMZ: Reverse Proxy, ADFS Proxy; Cloud: Intune (and Azure AD)
1. Deploy the root CA certificate to the device
2. Deploy the SCEP profile (with challenge)
3. The device gets the SCEP profile
4. The device contacts NDES and presents the challenge
5. NDES contacts the CRP (Certificate Registration Point) and validates the challenge
6. If valid, NDES requests the certificate "on behalf" of the device
7. The certificate is delivered to the device
8. The private key is generated as non-exportable
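To make steps 2, 4 and 5 concrete, here is an added example (editor's code, not Microsoft's, ConfigMgr's or NDES's) that simulates the challenge lifecycle: a Certificate Registration Point that issues a challenge bound to a device, a template and the subject the SCEP profile demands, and an NDES policy module that checks the challenge's integrity, expiry and single use, and that the CSR matches what was authorised. The real policy module asks the CRP over HTTPS; here both sides share a key so the example runs offline, and the challenge encoding (JSON plus HMAC-SHA256, base64url) is this example's own. The subject and template names are constructed.

```python
"""Simulated SCEP challenge for the ConfigMgr/Intune + NDES flow above.

Added example, not Microsoft's code. The CRP issues a challenge bound to a
device, a template and a subject; the NDES policy module checks the HMAC,
expiry and single use, and that the CSR matches what was authorised. The
shared key and the JSON + HMAC-SHA256 encoding are this example's choices.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC tag appended to the body


class ChallengeError(Exception):
    """Raised when the policy module must refuse the SCEP request."""


class CertificateRegistrationPoint:
    """Step 2: produces the challenge the MDM embeds in the device's SCEP profile."""
    def __init__(self, key: bytes, ttl_seconds: int = 3600, clock=time.time):
        self._key, self._ttl, self._clock = key, ttl_seconds, clock

    def issue_challenge(self, device_id: str, template: str, subject: str) -> str:
        body = {
            "nonce": secrets.token_hex(16),         # unique per challenge
            "device": device_id,
            "template": template,                   # CA template the CSR may use
            "subject": subject,                     # subject the CSR must carry
            "exp": int(self._clock()) + self._ttl,  # absolute expiry
        }
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, raw, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(raw + tag).decode()


class NdesPolicyModule:
    """Step 5: validates the challenge a device presented to NDES in step 4."""
    def __init__(self, key: bytes, clock=time.time):
        self._key, self._clock = key, clock
        self._used = set()                          # redeemed nonces (single use)

    def validate(self, challenge: str, csr_subject: str, csr_template: str) -> dict:
        try:
            blob = base64.urlsafe_b64decode(challenge)
        except ValueError as exc:
            raise ChallengeError("malformed challenge") from exc
        if len(blob) <= TAG_LEN:
            raise ChallengeError("malformed challenge")
        raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        # Authenticate before parsing: forged or edited challenges stop here.
        if not hmac.compare_digest(tag, hmac.new(self._key, raw, hashlib.sha256).digest()):
            raise ChallengeError("challenge signature invalid")
        body = json.loads(raw)
        if body["exp"] < self._clock():
            raise ChallengeError("challenge expired")
        if body["nonce"] in self._used:
            raise ChallengeError("challenge already used (replay)")
        # Bind the CSR to what the CRP authorised, or a device holding a valid
        # challenge could enroll a certificate for somebody else's identity.
        if body["subject"] != csr_subject:
            raise ChallengeError("CSR subject %r not authorised" % csr_subject)
        if body["template"] != csr_template:
            raise ChallengeError("template %r not authorised" % csr_template)
        self._used.add(body["nonce"])
        return body


def demo() -> dict:
    """Happy path, then replay, wrong subject, tampering and expiry refusals."""
    key = secrets.token_bytes(32)
    now = [1_400_000_000]                           # controllable clock
    crp = CertificateRegistrationPoint(key, ttl_seconds=600, clock=lambda: now[0])
    ndes = NdesPolicyModule(key, clock=lambda: now[0])
    subj, tmpl = "CN=alice@contoso.example", "WP81-UserAuth"   # constructed names

    def refused(challenge: str, s: str = subj) -> bool:
        try:
            ndes.validate(challenge, s, tmpl)
            return False
        except ChallengeError:
            return True

    ch = crp.issue_challenge("device-001", tmpl, subj)
    accepted = ndes.validate(ch, subj, tmpl)["device"] == "device-001"
    replayed = refused(ch)
    wrong = refused(crp.issue_challenge("device-002", tmpl, subj), s="CN=mallory")
    blob = base64.urlsafe_b64decode(crp.issue_challenge("device-003", tmpl, subj))
    tampered = refused(base64.urlsafe_b64encode(
        blob[:-TAG_LEN].replace(b"device-003", b"device-004") + blob[-TAG_LEN:]).decode())
    late = crp.issue_challenge("device-005", tmpl, subj)
    now[0] += 601                                   # past the 600 s TTL
    return {"valid_accepted": accepted, "replay_refused": replayed,
            "wrong_subject_refused": wrong, "tampered_refused": tampered,
            "expired_refused": refused(late)}
```

The ordering inside validate matters: the HMAC is checked before the body is parsed or any field trusted, expiry and replay are rejected before the nonce is recorded, and the subject and template of the CSR are compared with what the CRP authorised. Without that last binding, a challenge leaked from one device's SCEP profile would let its holder enroll a certificate in any name the NDES template permits.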
Challenges with Certificates and SCEP
Certificate management/troubleshooting:
• S/MIME encryption (the SCEP-enrolled private key is non-exportable, which is a problem for an encryption key that must be available on every device that reads the mail)
• Non-Microsoft PKI (MDM and ISV SCEP proxy)
• NDES role placement (DMZ vs. internal)
• NDES requires Windows Server 2012 R2
Remote Access

Remote Access (diagram)
• Intranet: DC, ConfigMgr 2012 R2, DirSync, ADFS, CA, NDES, SharePoint/EAS, VPN
• DMZ: Reverse Proxy, ADFS Proxy
• Cloud: Intune (Azure AD and O365)
• DNS (CNAME)
Two types of remote access:
1. App-triggered VPN (VPN plug-in; VSC support)
2. WAP conditional access (Kerberos; domain-joined)
Selective Wipe

Selective Wipe
Documentation (security audit): what is wiped?
Everything deployed and managed by MDM:
• Email accounts
• Enterprise-issued certificates
• Network profiles
• Enterprise-deployed apps
• Any data associated with the enterprise-deployed apps
• Enterprise-issued device policies
Demo
• Un-enrollment
• Selective Wipe
Key Takeaways
• Windows (Phone) is a different mobile platform and uses a different security model.
• Mobile solutions require new infrastructure to light up all the capabilities of Windows Phone.
• The supporting infrastructure is often new to organizations and is therefore perceived as complex.
• The investment made today for mobile solutions prepares you for the future.
Related content
Breakout Sessions
• Tuesday, October 28, 1:30 PM - 2:45 PM: WIN-B351 Enterprise App Deployment for Windows and Windows Phone
• Tuesday, October 28, 3:15 PM - 4:30 PM: EM-B216 Enterprise Client Management with System Center Configuration Manager and Intune
• Wednesday, October 29, 8:30 AM - 9:45 AM: EM-B321 Infrastructure Deployment for Mobile Device Management with System Center Configuration Manager and Intune
• Wednesday, October 29, 5:00 PM - 6:15 PM: Securing Mobile Device Access to Corporate Resources with Intune
• Thursday, October 30, 3:15 PM - 4:30 PM: WIN-B354 Windows Phone and Windows 8.1 App Model
• Thursday, October 28th, 3:15 PM - 4:30 PM: EM-B312 Mobile Application Management with Intune
• Friday, October 31, 8:30 AM - 9:45 AM: EM-B317 Configuring Corporate-Owned Mobile Devices with Intune
Resources
Windows 10: http://aka.ms/trywin10
Stop by the Windows Booth to sign up for the Windows Insider Program to get a FREE Windows 10 T-shirt, while supplies last!
Windows Springboard: windows.com/itpro
Windows Enterprise: windows.com/enterprise
Windows Resources: Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Desktop Virtualization (DV): microsoft.com/dv
Windows To Go: microsoft.com/windows/wtg
Internet Explorer TechNet: http://technet.microsoft.com/ie
Learning: Microsoft Certification & Training Resources: www.microsoft.com/learning
Developer Network: http://developer.microsoft.com
TechNet, Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.