Desktop and Device Management
Andy Taylor – [email protected] Smith – [email protected]
Agenda
• Introduction
• System Center 2012 Configuration Manager
• Windows Intune
• Close
System Center 2012 Configuration Manager
SYSTEM CENTER 2012 CONFIGURATION MANAGER
Empower Users
Empower people to be more productive from almost anywhere on almost any device.
Simplify Administration
Improve IT effectiveness and efficiency.
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
NEED FOR NEW APPLICATION MODEL
Your end-users are changing – and apps are what they use to do work
– Ultra mobility
– Lots of devices
– New generation with new expectations
Your apps are changing
– AppV
– SaaS
– Datacenter hosted (VDI, remote/seamless apps)
– Mobile apps/catalogs
Management Server
Traditional Model User Centric Model
APPLICATION MODEL
• Manage applications; not scripts
• Application Management:
– Detection method – re-evaluated for presence:
  • Required application – reinstall if missing
  • Prohibited application – uninstall if detected
– Requirement rules – evaluated at install time to ensure the app only installs in places it can, and should
– Dependencies – relationships with other apps that are all evaluated prior to installing anything
– Supersedence – relationships with other apps that should be uninstalled prior to installing anything
– Update an app – Automatic revision management
• Secure over-the-air enrollment
• Monitor and remediate out-of-compliance devices
• Deploy and remove applications
• Inventory
• Remote wipe
(WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x)
7NOKIA
• EAS-based policy delivery
• Discovery and inventory
• Settings policy
• Remote Wipe
Light Management
Depth Management
Mobile Device Management
DEMO: APPLICATION MANAGEMENT
WHAT IS USER DEVICE AFFINITY (UDA)?
• Key feature to help move to User Centric Application Deployment
– Provides the ability to define a relationship between a user and a device, then leverage this in app deployment
  • Ensure the application is not installed everywhere the user logs on
  • Change the “deployment type” based on UDA
  • Predeploy to systems when the user is not logged in for workgroup and after-hours deployments
• Configuration Manager 2012 supports:
– Single primary user to primary device
– Multiple primary devices per user
– Multiple primary users per device
Windows Embedded
APPLICATION CATALOG
IT
– Administrators publish software titles to catalog, complete with meta data to enable search
– Deliver best user experience on each device
User
– Users can browse, select and install directly from Catalog
– Application model determines format and policies for delivery
DEMO: INSTALLING SOFTWARE FROM APPLICATION CATALOG
SIMULATE APPLICATION
Goal – build trust in moving to state based dynamic applications
– Did I do detection method right?
– Did I get rules/relationships right?
– What will my deployment type mix be?
What it does - runs application as required in “rules only” mode
– No content download, no execution of deployment type
Results – what would the system have done?
– Processes detection method, requirement rules, dependencies and supersedence
– Does NOT simulate the install!
Guidance
– Run for an app, then delete – these rules are processed ongoing and will impact scale/perf
– It’s a REAL piece of policy – so may collide with other inflight policies
– Preflight deploy a superseding application – may have impact on user experience and compliance reporting
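The "rules only" evaluation described above, as an added example: a simplified Python model, not code from the presentation or from Configuration Manager. The class, function and sample names are hypothetical, the requirement rule is reduced to a minimum OS build, and the order of actions in the plan is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    min_os: int = 0            # requirement rule (assumed form): lowest OS build allowed
    dependencies: tuple = ()   # apps that must be present before this one installs
    supersedes: tuple = ()     # older apps to uninstall before this one installs

def detected(app, device):
    """Detection method: is the app present on the device right now?"""
    return app.name in device["installed"]

def simulate(app, device, intent="required"):
    """Return what a deployment would do. Nothing is downloaded, run or changed."""
    if intent == "prohibited":
        return [f"uninstall {app.name}"] if detected(app, device) else []
    plan, blocked = _plan(app, device, set())
    return [f"not applicable: {blocked}"] if blocked else plan

def _plan(app, device, seen):
    # Already present (or already planned): nothing to do for this app.
    if detected(app, device) or app.name in seen:
        return [], None
    seen.add(app.name)
    if device["os_build"] < app.min_os:
        return [], f"{app.name} requires OS build {app.min_os}"
    plan = []
    for dep in app.dependencies:          # every dependency is evaluated first
        dep_plan, blocked = _plan(dep, device, seen)
        if blocked:                       # assumption: one failed rule blocks the whole app
            return [], blocked
        plan += dep_plan
    plan += [f"uninstall {old.name}" for old in app.supersedes if detected(old, device)]
    return plan + [f"install {app.name}"], None

# Constructed sample data
RUNTIME = App("Runtime 4")
VIEWER_9 = App("Viewer 9")
VIEWER_10 = App("Viewer 10", min_os=7600, dependencies=(RUNTIME,), supersedes=(VIEWER_9,))
PC = {"os_build": 7601, "installed": {"Viewer 9"}}
OLD_PC = {"os_build": 2600, "installed": set()}

if __name__ == "__main__":
    for step in simulate(VIEWER_10, PC):
        print(step)
```
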
DEMO: SIMULATE APPLICATION DEPLOYMENT
SIMULATE DEPLOYMENT GRAPH
| Functionality | ConfigMgr 2007 | ConfigMgr 2012 |
| What types of objects can I see and what can I do to them? | Class rights | Security roles |
| Which instances can I see and interact with? | Object instance permissions | Security scopes |
| Which resources can I interact with? | Site specific resource permissions | Collection limiting |
ROLE-BASED ADMINISTRATION
• Central management for security
• Role-Based Administration lets you map the organizational roles of your administrators to defined security roles:
• Removes clutter from the console
– Supports “Show me what’s relevant to me” based on my Security Role and Scope
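The three questions in the ConfigMgr 2012 column (security roles, security scopes, collection limiting), as an added example: a simplified Python model of the layered check, not code from the presentation or from Configuration Manager. All role, scope, collection, object and operation names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:                  # security role: what can be done to which object type
    name: str
    permissions: frozenset   # {(object_class, operation)}

@dataclass(frozen=True)
class Obj:                   # a securable object instance, tagged with security scopes
    name: str
    object_class: str
    scopes: frozenset

@dataclass(frozen=True)
class Admin:
    name: str
    roles: tuple
    scopes: frozenset        # security scopes: which instances
    collections: frozenset   # collection limiting: which resources

# Constructed sample data (all names hypothetical)
MEMBERS = {"London Desktops": {"PC-LON-01"}, "All Desktops": {"PC-LON-01", "PC-NYC-07"}}
DEPLOYER = Role("Sample App Deployer",
                frozenset({("Application", "Read"), ("Application", "Deploy")}))
HELPDESK = Admin("lon-helpdesk", (DEPLOYER,), frozenset({"London"}),
                 frozenset({"London Desktops"}))
OFFICE = Obj("Office Suite", "Application", frozenset({"London"}))
NYC_APP = Obj("Trading Client", "Application", frozenset({"NewYork"}))
BASELINE = Obj("Desktop Baseline", "ConfigurationBaseline", frozenset({"London"}))

def role_allows(admin, object_class, operation):
    return any((object_class, operation) in r.permissions for r in admin.roles)

def authorize(admin, operation, obj, device=None):
    """Return (allowed, layer), where layer names the check that decided."""
    if not role_allows(admin, obj.object_class, operation):
        return False, "security role"
    if not admin.scopes & obj.scopes:
        return False, "security scope"
    if device is not None and not any(device in MEMBERS.get(c, ())
                                      for c in admin.collections):
        return False, "collection limiting"
    return True, "allowed"

def console_view(admin, objects):
    """'Show me what's relevant to me': objects the admin can at least read."""
    return [o.name for o in objects if authorize(admin, "Read", o)[0]]
```

Returning the deciding layer alongside the verdict makes it easy to audit why an administrator was denied, and which of the three assignments would have to change to grant access.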
CLIENT STATUS
Goal -> Enable administrators to monitor the activity and status of ConfigMgr client computers in their hierarchy.
The following two methods are used to evaluate the overall status of the client computers being managed:
• Client Activity: Monitored from the Server:
Configure thresholds to determine if a client is active
• Client Check: Monitored from the Client:
A client evaluation engine is installed with the ConfigMgr client, which periodically evaluates its health and the state of its dependencies. This engine can also remediate some problems with the client.
SOFTWARE UPDATES
• Auto Deployment Rules
– Use filter to identify class of updates to automatically deploy: category, products, language, date revised, article id, bulletin id, etc.
– Schedule content download
• State-based Update Groups
– Deploy updates individually or in groups
– Updates added to an update group automatically deploy to collections targeted with the group
Unified Infrastructure
Reduce the cost of maintaining secure endpoints with unified management and security infrastructure
SYSTEM CENTER 2012 ENDPOINT PROTECTION
Easy to setup and operate the management infrastructure
Easy client install and migration
Automated deployment of updates using ConfigMgr infrastructure
Simplified deployment of antimalware policies
SETTINGS AND COMPLIANCE MANAGEMENT
[Diagram labels: ConfigMgr MP, Baseline, ConfigMgr Agent; setting sources: WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory; Baseline Configuration Items; Deploy baselines to collections; Baseline drift; Auto Remediate OR Create Alert]
Improved functionality
• Copy settings
• Trigger console alerts
• Richer reporting
Enhanced versioning and audit tracking
• Ability to specify versions to be used in baselines
• Audit tracking includes who changed what
Pre-built industry standard baseline templates through IT GRC Solution Accelerator
REPORTING EXPERIENCES
Report Viewer (in-console)
Report Manager (Web)
REMOTE CONTROL
• What's New in Remote Control
– Ability to send Ctrl-Alt-Del keystroke to host device
– Able to traverse all the Windows Secure Desktop modes
  • Winlogon, SAS, UAC, Locked screen
– Granular client settings per collection
– Lock keyboard and mouse
– Ability to create Firewall exception rule
– Ccmeval monitors and remediates Remote Control Service
Unified Management; On-Premise and from the Cloud
Active Directory
Windows Intune
WINDOWS INTUNE
Help protect PCs from malware
Manage updates
Proactive monitoring and alerts
Provide remote assistance
Inventory hardware and software
Monitor & track licenses
Increase insight with reporting
Set security policies
Distribute and consume software
MANAGE, SECURE PCS AND DEVICES ANYWHERE
Simple Web-Based Administration Console and a friendly IW experience
MOBILE CAPABILITIES
• Unified experience across all devices
– Automatic discovery of mobile devices that access Exchange
– Single console to manage computers and mobile devices
– User centric views for device inventory
• Protect corporate data on mobile device
– Deploy Active Sync policies to user groups (password, encryption…)
– Define mobile device access rules by device family/model
– Remove mobile devices that access Exchange (with option to wipe)
• IW empowerment through mobile LOB apps
– Host & target in-house mobile apps to user groups (e.g. corp app store)
– Provide mobile self-service to download mobile apps or contact IT
LOGICAL ARCHITECTURE
[Diagram labels: ON-PREMISE INFRASTRUCTURE: Active Directory, Exchange, Exchange Connector; MICROSOFT CLOUD: Windows Intune, Identity Cloud Infrastructure (MSODS); flows: Sync AD user data into the cloud; Sync managed users to Windows Intune; ActiveSync; Policy/Config; Sync mobile devices for managed users; Apply EAS policies or remediation tasks]
POLICY TRACKING
• Track compliance against policies
– Unified Policy status across PCs and mobile devices
– Consistent look and feel for device settings report
• Policy status for User groups and individual users
– Display # of users who have devices with policy issues
– Drill down into users and their devices with issues
• Noncompliance action for mobile device
– Reports if email access has been allowed or denied to non-compliant devices
APP MANAGEMENT
• Publish
– The IT administrator uploads in-house apps to Windows Intune
– The IT administrator deploys each app, specifying which targeted user groups have access to each app
• Consume
– Information workers sign in to the Windows Intune company portal using their corporate credentials
– In the mobile portal, information workers can do the following:
  • View a detailed list of available apps
  • Download an app
  • Contact IT (in case of a problem)
• Track
– The IT administrator tracks app adoption, using the aggregated and detailed statistics provided by Windows Intune
DEMO: WINDOWS INTUNE
Device Management Key Points
• User Centric Management
• Applications the user needs, on the multiple devices they use
• User empowerment
• Public and Private cloud Management
• Windows Intune
• System Center 2012 Configuration Manager
• Manage all your devices
Next Steps
Microsoft System Center 2012: http://www.microsoft.com/en-us/server-cloud/system-center/default.aspx
Windows Intune:
Current version - http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx
Try the next version - https://account.manage-beta.microsoft.com/Signup/MainSignUp.aspx?OfferId=1A981431-C1CF-1C28-4936-3F8229EC1411&ali=1
System Center Marketplace: http://systemcenter.pinpoint.microsoft.com
Blogs: http://blogs.technet.com/systemcenter
http://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide-en-us.aspx
Download and Evaluate More Resources
Some information relates to pre-released product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.