Moving from Device Centric to People Centric Management

Corey Hynes

Agenda

• What is User Centric Management and Why do I care?• Device Centric Management• User Centric Management with Configuration Manager 2012• User Centric Management with InTune• Hybrid InTune/Configuration Manager

Introduction to User Centric Management

Management

• The past – Device Centric Management• Today – Mixed Management• Tomorrow – User Centric Management

The times, they are a changing…..

Your computer IS your tool for work

Your computer CONTAINS your tool for work

Circle of influence is shrinking….

From this….

…. To this

Well its really a square…..

Why implement UCMEmpowering User Productivity Unifying Management Infrastructure

• Device Choice• Application Self-service• Personalized Application Experience• Non-intrusive management

• Manage all devices through single interface• Deliver applications to the user, not the device• Integrated security and compliance• Reduced infrastructure complexity

Users IT

Access to corp resources across devices & platforms

Single adminconsole

Managing devices in the enterprise

• More devices and platforms• User-owned• Less depth of support experience• Governance

Today

• Homogenous Environment• Organization-owned devices• IT Knowledge• Control

Way Back Then

Evolution of Microsoft Management

2003

20122012

2011

2007

1999SMS 2.0

1994SMS 1.0

Client Management Infancy (NT Domain) Groups Model Comprehensive

ManagementLaptops, Servers, Enterprise Scale

Consumerization of IT

Management from the Cloud

20122013

+

The User is the FocusUser-centric management

Common user accounts and security groups

Repository for inventory and device data

• Central policy control

• Consistent experience across on-premises or cloud-based services

• Windows Azure AD federates and synchronizes with on-premises AD

• User accounts in Windows Azure AD can access Azure and 3rd party applications

Bring Your Own Device

• Many companies embracing this (if they know it or not)• More users are than administrators know about generally

• The first vast BYOD solution was VDI (VMWare View or XenDesktop)• Offered broad device support to get to a Windows Desktop• Issue is that the Windows Desktop (<8) does not work well with touch• The “desktop” was the “app”

• Today, apps are cross platform, and multi-platform.• You can deliver just the app, without the desktop• You need a way to manage all of this

Moving towards User Centric Management

The process

1. Understand your existing Device Centric models2. Configuration Manager – Move to User Collections3. Configuration Manager – Implement Application Catalog4. InTune – Extend to non-managed devices5. Federation – Single management infrastructure

Device Centric Management

• You (IT) owned the device (PC).• The PC was the “tool” for work.• In manage cases restricted, locked down, and highly controlled.• Encouraged the “Work Computer” and “Home Computer” model• Simplified Access to Work Tools• DA• VPN• VDI

Why it does not work today

• Devices are prolific, cheap, and available.• There is more than one choice in Operating System

• Users are more savvy, and have more devices.• There is a trend towards “apps” as tools instead of “hardware” as

tools.• Blame Apple, “there’s and app for that”.

• The boundaries of “work” are gone• Both physical and chronological

Modern Device Management

Devices & Platforms

IT

Single adminconsole

Mac OS X

Windows PCs(x86/64, Intel SoC),

Windows to GoWindows Embedded

Windows RT, Windows Phone 8

iOS, Android

Windows Embedded Support

• Windows XP Embedded• Windows Embedded Standard 2009• Windows Embedded Standard 7

Thin Clients

Same as Thin Clients, plus • POS Ready 2009• POS Ready 8

POS/Kiosk

• Windows Embedded Standard 2009• Windows Embedded Standard 7Digital Signage

• Windows Thin PCRepurposed PC

Supported Write Filters• File Based Write Filters (FBFW)

(preferred for scalability)• Enhanced Write Filters (EWF) RAM

Ability to force persistence of changes for• Applications• Packages and programs• Software updates• Task sequences• Endpoint Protection client installationEventual persistence of changes for• Client agent settings• Settings management remediation• Power management

Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly in SP1

Linux & UNIX Servers• Version 4 (x86/x64)• Version 5 (x86/x64)• Version 6 (x86/x64)

Red Hat Enterprise Linux

• Version 9 (SPARC)• Version 10 (SPARC/x86)

Solaris

• Version 9 (x86)• Version 10 SP1 (x86/x64)• Version 11 (x86/x64)

SUSE Linux Enterprise Server

Supported OS’s across both: • Configuration Manager• Operations Manager

Old versions supported as long as vendor provides support

Broader Linux distro support being evaluated for future releases

Hardware and Software Inventory

Software Deployment• Using the Package and Program model• Deploy/patch software, deploy OS patches and run

maintenance scripts that target a collection

Consolidated reports

Mac OS XConfiguration Manager native client10.6 (Snow Leopard)10.7 (Lion)

Key management capabilitiesPush Software DistributionSettings ManagementHardware and Software Inventory

Wider client operating system and application support

• Windows 8 and Windows To Go• Windows Server 2012 site systems and clients• Mac OS clients, Linux and Unix servers• SQL Server 2012 Configuration Manager database

Better feature support

• Metered connections and always on, always connected in Windows 8• New deployment types for Windows 8 applications• Configurable user data and profiles for folder redirection, offline files, and roaming profiles

Greater manageability

• Virtual environment support• PowerShell cmdlets• Client notification• Email alerts for all features

CM 2012 SP1 - Updates

UCM with Configuration Manager

• Deliver best user experience on each device• Define application once

Designing a User Centric Delivery

Delivery Evaluation Criteria

• User• Device type• Network connection

User/Device Relationships

Primary Devices• MSI• App-V• Windows 8 Apps• Windows 8 Apps in the Windows

StoreNon-primary Devices• VDI• Remote Desktop

< >

Detection Method

Install Command

Requirement Rules

Dependencies

Supersedence

Administrator Properties

End User Metadata

User-centric Application DeliveryNew Application Model

Application “Package”

Keep your apps organized and managed

App-V

Windows Script

CAB

Windows Installer

General Information

The “friendly” information for your users (appears in Catalog)

Is app installed?

Deployment Type

Command line and options

Can/cannot install app

Apps that must be present

Application version control

< >

User-centric Application DeliveryEnd User Self-service

IT

Administrators publish software titles to catalog, complete with meta data to enable search• Deliver best user experience

on each device

Users can browse, select and install directly from Catalog• Application model determines

format and policies for delivery

User

Components

• User Collections• User Deployments• Mixed deployment types• Application Catalog• Primary Device settings and rules• User policies

UCM with InTune

Company Portal Application

Windows RT and Windows 8 Phone Application Distribution

What’s New in Windows Intune

User-Based Licensing

Unified Management Solution

Direct Mobile Device Management

Cloud-based Self-service Portal

Securely provision application from anywhere

Single point for application requests

Users only see the software they have permission to request

Company Portal Capabilities

Action user can take through the company portal

Windows RT Windows Phone 8

iOS Android

Enroll local device Rename devices Retire local device Wipe other devices remotely Install line-of-business apps Install apps from the consumer store*

* Stores can be either Windows Store, Windows Phone Store, App Store, or Google Play, depending on the device

Comparing Windows Intune Cloud and Unified ConfigurationsCloud-Only Configuration

Unified Configuration

Up to 100,000 users, computers, and mobile devices in a single management infrastructure

Windows Intune Unified Architecture

EASAndroid

Android App Distribution

Service Pack 1

x86 / x64

Windows 8Windows To Go

Windows 7Windows Embedded

Windows VistaWindows XP

Mac

CorpNet Internet

DirSync

Active Directory

ADFS ADFSProxy

Windows Phone 8

Windows RT

Direct Management & App Distribution

iOS

Android

Unified Management CapabilitiesManaged Through System Center 2012 Configuration Manager Windows Intune

Platform >Capability Windows 8

Windows 7 Windows Vista

Windows XPWindows

To Go Mac OS Windows RTWindows Phone 8 iOS Android

Application management ü ü ü ü ü ü ü ü

Endpoint Protection ü ü ü ü O O O OHardware Inventory ü ü ü ü ü ü ü ü1

Software Inventory ü ü ü ü ü2 ü2 ü2 ü2

Remote control ü ü ü O O O O OReporting ü ü ü ü ü ü ü üSoftware updates ü ü ü O ü ü ü4 OCompliance settings ü ü ü ü ü3 ü3 ü3 ü3

OS deployment ü ü ü O N/A N/A N/A N/A

Out-of-band management ü ü ü O N/A N/A N/A N/A

Power management ü ü ü O O O O OSoftware metering ü ü ü O O O O O

1 = Basic information only through Exchange ActiveSync2 = Managed applications only3 = Compliance reporting but no remediation automation4 = Device User has to accept the update

Comparing the Windows Intune and Exchange Server Connectors

Management Functionality Windows Intune connector

Exchange Server connector

App management/deployment ü OPublic key infrastructure (PKI) security between the mobile device and Configuration Manager ü O

Discovery ü üHardware inventory ü1 üSoftware inventory ü2 OSettings, configuration items and baseline ü3 ü3

1. For Windows RT, Windows Phone 8, and iOS

2. Through reporting3. Both Exchange ActiveSync and

Windows Intune use the same security template for their settings.

Windows Intune Sites and Portals• Account Portal

• https://account.manage.microsoft.com• Manage users, account administrators,

security groups, subscriptions, partners

• Administrator Console– https://

admin.manage.microsoft.com– Configure cloud-based

management

• Company Portal– Download apps, associate users

with devices, contact IT support– Versions for different mobile

device types

Windows Phone 8

Portal

Company Portal Web

Site

Windows RT Portal

System Center 2012 Configuration Manager with

SP1

Unified User Centric Management

• Managed Devices• No real change• Can use “external” porgal

• Big benefit is for “unmanaged” devices/BYOD• You get some management and reporting (varies by device)• You have an easy way to present an application across devices

• This really only works if you have “cross platform” applications• Often the cost of building applications far exceeds the cost of enabling

devices

Examining a functional deployment

• InTune Connector• User Collections• Deployment types for devices• Company Portals• Windows• Andriod• IOS? Anyone?

Federating with InTune

Planning ADFS

• What does ADFS do?• Enables SSO

• Big deal

• Is it needed?• No, but highly recommended• Affects mobile devices (simpler logon)

• What if you don’t use ADFS?• Authenticate to Company Portal using InTune Creds (separate set)• Administration must manage through account portal, not AD

Roadmap for Integrating Configuration Manager 2012 with Windows Intune

Sign up for Windows Intune

account

Add domains to Windows Intune

Deploy ADFS 2.0

Federate with WAAD

Set up Active Directory

Synchronization

Intune App RequirementsAndroid iOS Windows RT Windows Phone 8

There are no configuration requirements for Android devices

1. Download a Certificate Service Request using the Request APNs Certificate Service Request dialog box in Configuration Manager

There are no initial configuration requirements for enabling management of Windows RT devices

Add code-signing certificate .pfx or .p12 file

2. Submit the CSR to the Apple Push Certificate Portal and download the APNs certificate (.pem file)

To enable installation of apps for Windows 8, you need to add a valid code signing certificate and also add sideloading keys to Configuration Manager

Upload signed company portal app

3. Upload the APNs certificate to Windows Intune

No action required prior to setup

No prior action required as process can be completed later in user interface

No action required - a code signing cert and sideloading keys set up in the UI for app publication

Require code signing certificate and signed company portal app

One way process!

Managing InTune via CM

Android Properties

iOS Properties

Windows RT Properties

Summary

• People centric is the future, driven by user behavior, not IT governance.• Start implementing self service as step 1• Understand the deployment options for each LOB application• Use InTune to support mobile/BYOD scenarios• Federate for central management