mdm with config mgr nico
TRANSCRIPT
Mobile Device Management with ConfigMgr\Intune: a complete overview
Nico Sienaert
Lead Infrastructure Consultant, Getronics
V-Technology Solutions Professional, Microsoft
Microsoft NDA Confidential
Key Takeaways
1. Configuration Overview
2. Management Capabilities
3. Device Experience
Simplifying Management Across Platforms
Devices & Platforms / IT
Single admin console
Platforms supported with Service Pack 1:
• Mac OS X
• Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Embedded
• Windows RT, Windows Phone 8
• iOS, Android
High-level overview of Process
1. Create Windows Intune Subscription
2. Verify users have public-domain UPNs and perform AD User Discovery
3. Deploy and configure AD Directory Synchronization
4. Verify public domain
5. Deploy and configure AD Federation Services (ADFS 2.0)
6. Activate user in Intune (reset user password, if not using ADFS)
7. Configure Configuration Manager for Mobile Device Management
8. Verify that Configuration Manager successfully connects to the Windows Intune Service
1. Windows Intune Configuration
Sign in to the Microsoft Online Services Console with the username & password provided.

Without ADFS (tenant BestOfMMS.onmicrosoft.com, on-prem domain BestOfMMS.COM):
• Modify the user's UPN to [email protected]
• User Discovery
• Sync users into Intune
• Reset Intune password

With ADFS (tenant BestOfMMS.onmicrosoft.com, on-prem domain BestOfMMS.COM):
• Register public domain BestOfMMS.COM
• User Discovery
• Sync users into Intune
• Single Sign-on
Deploy and Configure AD Federation Services
• Prepare Single Sign-on
• Deploy ADFS 2.0 or 2.1
Not required but strongly recommended!
Create Verifiable Public Domain
In order to ensure users are synchronized correctly you must create a verified public domain within the Windows Intune Account Portal.
• This is a public domain for the company
• This domain must be verifiable as a registered domain by an external source
Deploy and Configure AD Directory Synchronization
• Activate “AD Synchronization” in the Intune Console
• Download, install and run the DirSync Tool
Verify User Details and Perform AD User Discovery
Intune Portal
DEMO
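Steps 2 and 3 of the process above (public-domain UPNs, then DirSync) depend on every synchronized user having a UPN in the verified domain; DirSync will otherwise sync the user with the non-routable suffix or, for duplicate UPNs, fail the object. The following script is an added example and is not part of the session material. It assumes the ActiveDirectory RSAT module is available, uses the slides' BestOfMMS.COM as the verified domain, and the function name `Repair-UpnSuffix` is the example's own.

```powershell
# Added example (not from the session slides): before running DirSync, make sure every
# enabled AD user carries a UPN in the domain verified in the Intune account portal.
# Assumes the ActiveDirectory RSAT module; 'bestofmms.com' is the verified domain from the slides.
Import-Module ActiveDirectory

function Repair-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $VerifiedDomain,   # e.g. bestofmms.com
        [string] $SearchBase                                # optional OU to limit the scope
    )
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @params) {
        $current = $user.UserPrincipalName
        # Already routable: nothing to do.
        if ($current -and $current.EndsWith("@$VerifiedDomain", [StringComparison]::OrdinalIgnoreCase)) { continue }

        # Keep the existing user part if there is one, otherwise fall back to the logon name.
        $userPart = if ($current) { $current.Split('@')[0] } else { $user.SamAccountName }
        $newUpn   = '{0}@{1}' -f $userPart, $VerifiedDomain

        # AD does not enforce UPN uniqueness for us; a duplicate would break the sync for both users.
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            Write-Warning "Skipping $($user.SamAccountName): $newUpn is already in use"
            continue
        }

        # With -WhatIf the change is printed instead of applied.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Change UPN '$current' to '$newUpn'")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; OldUpn = $current; NewUpn = $newUpn }
    }
}

# Preview first, then apply and keep a record of what changed:
Repair-UpnSuffix -VerifiedDomain 'bestofmms.com' -WhatIf | Format-Table -AutoSize
# Repair-UpnSuffix -VerifiedDomain 'bestofmms.com' | Export-Csv .\upn-changes.csv -NoTypeInformation
```

Run the preview before DirSync is installed, and again after any bulk user provisioning; a UPN change also changes what the user types at the Intune or ADFS sign-in page, so announce it.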
2. Let’s configure ConfigMgr
Functions of ConfigMgr Windows Intune Objects
Windows Intune Subscription, used by the admin to:
1. Retrieve the certificate needed by the connector to connect to the Windows Intune Service (background process)
2. Define the User Collection whose members may enroll mobile devices
3. Define and configure the mobile platforms the organization wants to support
Windows Intune Connector: connects to the Windows Intune cloud service
• Sends policy for Settings Management and Software Distribution
• Receives state/status messages back from clients
Windows Intune Service (not visible to the admin): contains Device Management Point-like functionality
• MP with local DB for storage of policies
• Gateway/proxy to communicate with mobile devices
Platforms and Certificates/Keys
Certificates or keys required per platform:
• Windows Phone 8: code-signing certificate. All sideloaded apps must be code-signed.
• Windows RT: sideloading keys. Windows RT devices have to be provisioned with sideloading keys to enable installation of sideloaded apps. All sideloaded apps must be code-signed.
• iOS: Apple Push Notification service (APNs) certificate
• Android: none
Creating Windows Intune Subscription & Connector in Configuration Manager
DEMO
RECAP: High-level overview of Process
1. Create Windows Intune Subscription
2. Verify users have public-domain UPNs and perform AD User Discovery
3. Deploy and configure AD Directory Synchronization
4. Verify public domain
5. Deploy and configure AD Federation Services (ADFS 2.0)
6. Activate user in Intune (reset user password, if not using ADFS)
7. Configure Configuration Manager for Mobile Device Management
8. Verify that Configuration Manager successfully connects to the Windows Intune Service
3. Management Capabilities
Application Model Changes
Installable package types per platform:
• Windows 8/Windows RT: *.APPX
• Windows Phone 8: *.XAP
• iOS: *.IPA
• Android: *.APK
• Mac OS X: *.DMG, *.MPKG, *.PKG, *.APP
• Deep links to the store
Improvements in R2
Settings Management
• Settings can be applied to devices managed in Windows Intune and to devices managed through the Exchange Server Connector
• If a device receives policy from more than one authority, the most secure value for a setting is applied.
• Reporting available on each setting
• Applicable settings strongly depend on the platform
• Lists per platform are coming to TechNet
• Fastest way is to use the “Platform Applicability” wizard in ConfigMgr
Improvements in R2
Hardware & Software Inventory
• Hardware properties for mobile devices are collected through Device Management as well as Exchange ActiveSync
• Software inventory covers apps installed via MDM. For privacy reasons, we do not collect app inventory for apps installed through other means on the device
• Inventory is not extensible for mobile devices
Retire & Wipe Options
Retire
• User or admin initiated
• Disables further MDM app installation and settings management on the device
Wipe: effects depend on the platform and management type (EAS or native)
• iOS and WP8: complete wipe and reset to factory defaults
• Android: EAS mailbox removal only
• Windows RT: only EAS mailbox removal if managed through EAS
Improvements in R2
Single-Pane-Of-Glass Management
DEMO
4. Device enrollment experience
Enroll Windows Phone 8 Device
1. Windows Phone Dev Center account to get a Publisher ID
2. Request an Enterprise Code Signing Certificate with that Publisher ID
3. Download the Windows Phone 8 Company Portal app and sign it
4. Upload the signed Company Portal app & Symantec certificate in Intune\ConfigMgr and deploy to all users
5. Browse on the device to Company Apps
6. Install Company Portal
Windows Intune Trial Mgmt for WP8
Sign with PowerShell
1. Install the certificate from Symantec
2. Export it with the private key (password-protected PFX)
3. Sign the app with PowerShell

Run PowerShell as Administrator:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted   # add -Scope Process to limit the change to this session
cd 'C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile\'
.\BuildMDILXap.ps1 -xapfilename 'c:\path\filename.xap' -pfxfilename 'c:\pathtocertificate\certificatefilename.pfx' -password mypassword
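The three signing steps above as one script, added here as an example and not part of the session material. It assumes the Symantec enterprise code-signing certificate is already installed (with an exportable private key) in the current user's personal store, that the Windows Phone 8.0 SDK sits at its default path, and that the unsigned Company Portal XAP is at `C:\WP8\SSP.xap`; the paths and the `*Symantec*` issuer filter are placeholders for the example.

```powershell
# Added example (not from the session slides): locate the enterprise code-signing certificate,
# export it as a password-protected PFX, and sign the Company Portal XAP with the SDK script.
# Assumptions: SDK at default path, unsigned XAP and output PFX paths below are placeholders.
$SdkTools = 'C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile'
$XapPath  = 'C:\WP8\SSP.xap'
$PfxPath  = 'C:\WP8\EnterpriseCodeSigning.pfx'

# Steps 1/2: pick the installed certificate. It must have a private key, the Code Signing EKU,
# and still be valid; when several match, take the one that expires last.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like '*Symantec*' -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Code Signing' -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate with a private key found in Cert:\CurrentUser\My' }
"Using $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Export-PfxCertificate only succeeds if the key was installed as exportable.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Step 3: sign the XAP. BuildMDILXap.ps1 takes the password as plain text, so the SecureString is
# decoded only for the duration of the call. The execution-policy change is scoped to this process
# instead of the machine-wide Unrestricted setting shown on the slide.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Push-Location $SdkTools
    .\BuildMDILXap.ps1 -xapfilename $XapPath -pfxfilename $PfxPath -password $plain
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Pop-Location
}

# The PFX now holds the enterprise signing key: upload it to Intune\ConfigMgr as the slides describe,
# store it like any other signing secret, and remove the copy from this workstation afterwards.
```

Whoever holds that PFX can sign any XAP the enrolled phones will trust, so treat the export step as handling a signing key, not a configuration file.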
Experience on Windows Phone
Enroll iOS Device
1. Download an APNs certificate signing request
2. Get an APNs certificate from Apple (via Apple ID)
3. Upload the APNs certificate into Intune\ConfigMgr
4. Browse on the Apple device to the Windows Intune Portal
Experience on iOS
Enroll Windows RT Device
1. Get a certificate (for instance from an internal PKI) to sign your apps
2. Sign your apps with the certificate
3. Upload the certificate into ConfigMgr\Intune
4. Upload the sideloading key into ConfigMgr\Intune
5. Go on the Windows RT device to “Company Applications”
6. Install Company Portal
Experience on Windows RT
5. Troubleshooting
Troubleshooting
Common enrollment failures:
• Admin has not configured mobile device management
• Admin has not enabled enrollment for specific device types
• User is trying to enroll several devices at the same time or has more than 20 mobile devices in the system
• User is not provisioned by their IT admin
• Interesting log files: DMPUploader.log, DMPDownloader.log, CloudUserSync.log
Cloud User Sync – under the hood
• User not licensed to enroll device
• User previously licensed but no longer a member of the device management collection
• A non-zero GUID indicates the user is licensed to enroll a device
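Reading CloudUserSync.log by hand means scanning CMTrace-formatted lines for the zero GUID the slide mentions. The parser below is an added example, not tooling from the session; it relies on the CMTrace line layout that all ConfigMgr site logs use (`<![LOG[message]LOG]!><time="…" date="…" component="…" context="…" type="…" thread="…" file="…">`, where type 1 is information, 2 warning and 3 error). The sample lines are constructed for the example; the real message wording in CloudUserSync.log differs, and the function name `ConvertFrom-CMTraceLog` is the example's own.

```powershell
# Added example (not from the session slides): parse CMTrace-format log lines and flag
# users the connector did not license for enrollment (all-zero GUID, per the slide).
$severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        $m = [regex]::Match($Line,
            '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"')
        if (-not $m.Success) { return }   # continuation lines / noise
        [pscustomobject]@{
            # time carries milliseconds and a UTC offset (e.g. 10:15:02.110+000); keep HH:mm:ss
            Timestamp = '{0} {1}' -f $m.Groups['date'].Value, ($m.Groups['time'].Value -replace '\.\d+[+-]\d+$')
            Component = $m.Groups['comp'].Value
            Severity  = $severityNames[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample entries in CMTrace layout (not copied from a real log).
$sample = @(
    '<![LOG[Processing user alice@bestofmms.com, CloudUserId = {4c3e0b7e-9a15-4ea7-b6ad-2a1a2d0e3b11}]LOG]!><time="10:15:02.110+000" date="04-22-2013" component="CloudUserSync" context="" type="1" thread="1234" file="cloudusersync.cpp:210">',
    '<![LOG[Processing user bob@bestofmms.com, CloudUserId = {00000000-0000-0000-0000-000000000000}]LOG]!><time="10:15:02.250+000" date="04-22-2013" component="CloudUserSync" context="" type="2" thread="1234" file="cloudusersync.cpp:210">',
    '<![LOG[Failed to sync users to the Windows Intune service. HTTP status 401]LOG]!><time="10:15:03.004+000" date="04-22-2013" component="CloudUserSync" context="" type="3" thread="1234" file="cloudusersync.cpp:340">'
)
$entries = $sample | ConvertFrom-CMTraceLog

# On a site server, read the real file instead (default install path; adjust to yours):
# $entries = Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\CloudUserSync.log' | ConvertFrom-CMTraceLog

# Warnings and errors first; a 401 here points at the subscription certificate, not at a user.
$entries | Where-Object Severity -ne 'Info' | Format-Table Timestamp, Severity, Message -AutoSize

# An all-zero GUID means the user is not licensed: check collection membership, not the device.
$entries | Where-Object Message -match '\{0{8}-(0{4}-){3}0{12}\}' |
    ForEach-Object { "Not licensed to enroll: $($_.Message)" }
```

The same function reads DMPUploader.log and DMPDownloader.log unchanged, since they share the CMTrace format; filtering on `Severity` first is usually faster than reading the whole file in CMTrace.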
MISC
• Force policy:
  WinRT: Task Scheduler\Microsoft\Windows\Enterprise Mgmt
  WP8: Sync button under Company Apps
  iOS: no option to check immediately; falls back to the next time the device contacts the MP
• Wipe: immediate wipe on a Windows Phone device is not made available to management systems. If you enabled the Exchange Connector in ConfigMgr, this will trigger an immediate wipe. ConfigMgr\Intune will attempt the wipe every 8 hours.
RECAP
• Nice integration with ConfigMgr (single pane of glass for MDM); room for improvement regarding UDM
• There are competitors with more features; for most companies the available features are more than enough
• Intune is a cloud service, so features will be added fast
Thank You to our SPONSORS
Q and A
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.