Configuration Manager and InTuneGemeinsam oder einsam?

Introduction

It’s all about me!

• Who am I?• Andrew Craig

• Where am I from?• And now?• Living three years in Switzerland• Working for Syliance IT Services GmbH as System Center

Senior Consultant

• www.syliance.com• andrewdcraig.wordpress.com• Twitter: @mracraig @syliance

Agenda

• Was heisst einsam?• Was heisst gemeinsam?• Warum gemeinsam?• Windows Azure Active Directory (WAAD) integration• How quickly can I set up InTune?• What can I do to my mobile devices?• Apps, hints, tips, tricks

Spoiler

Alert

Was heisst einsam?

Cloud-Only Configuration

8.1

Cloud Management Capabilities

Capability / Platform Windows 8

Windows 7, Windows

Vista, Windows XP

Windows RT

Windows Phone 8 iOS Android

Application management ü ü ü ü ü ü

Endpoint Protection ü ü O O O O

Hardware Inventory ü ü ü ü ü ü

Software Inventory ü ü ü1 ü1 ü1 ü1

Remote control ü3 ü ü3 O O O

Reporting ü ü ü ü ü ü

Software updates ü ü O O O O

Compliance settings ü2 ü2 ü2 ü2 ü2 ü2

1 = Managed applications only 2 = Compliance reporting but no remediation automation3 = Via Remote Assistance

Windows Intune Cloud Architecture

Windows Phone 8

Windows RT

Direct Management & App Publishing

iOS

CorpNet Internet

x86 / x64

x86 / x64

Windows 8Windows 7

Windows VistaWindows XP

Windows 8Windows 7

Windows VistaWindows XP

EAS Policy & Inventory

DirSync

Android App Publishing

Android

Was heisst gemeinsam?

Unified Configuration

R2

8.1

Unified Management Capabilities

Capability / PlatformWindows

8

Windows 7, Windows

Vista, Windows

XPWindows

EmbeddedWindows To

GoMac OS

Windows RT

Windows Phone 8 iOS

Android

Application management ü ü ü ü ü ü ü ü ü

Endpoint Protection ü ü ü ü ü O O O OHardware Inventory ü ü ü ü ü ü ü ü ü1

Software Inventory ü ü ü ü ü ü2 ü2 ü2 ü2

Remote control ü ü ü ü O ü5 O O OReporting ü ü ü ü ü ü ü ü ü

Software updates ü ü ü ü O ü ü ü4 OCompliance settings ü ü ü ü ü ü3 ü3 ü3 ü3

OS deployment ü ü N/A ü O N/A N/A N/A N/A

Out of band management ü ü N/A N/A O N/A N/A N/A N/A

Power management ü ü ü ü O O O O OSoftware metering ü ü ü ü O O O O O

1 = Basic information only through Exchange ActiveSync2 = Managed applications only3 = Compliance reporting but no remediation automation4 = Device User has to accept the update5 = Via Remote Assistance

Windows Intune Unified Architecture

EAS Policy & Inventory Android

Android App Distribution

R2

Windows Phone 8

Windows RT

Direct Management & App Distribution

iOS

x86 / x64

Windows 8Windows To GoWindows 7Windows EmbeddedWindows VistaWindows XPMac

Corporate Net Internet

x86 / x64

Windows 8Windows 7

Windows VistaWindows XP

DirSync

ADFS ADFSProxy

Active Director

y

Warum gemeinsam?

A house with many windowsSingle pane of glass

Exchange Connector/ActiveSync

• EAS – Application layer• InTune MDM – OS Layer• ConfigMgr – Manage Exchange Policies

Unified Management Capabilities

Capability / PlatformWindows

8

Windows 7, Windows

Vista, Windows

XPWindows

EmbeddedWindows To

GoMac OS

Windows RT

Windows Phone 8 iOS

Android

Application management ü ü ü ü ü ü ü ü ü

Endpoint Protection ü ü ü ü ü O O O OHardware Inventory ü ü ü ü ü ü ü ü ü1

Software Inventory ü ü ü ü ü ü2 ü2 ü2 ü2

Remote control ü ü ü ü O ü5 O O OReporting ü ü ü ü ü ü ü ü ü

Software updates ü ü ü ü O ü ü ü4 OCompliance settings ü ü ü ü ü ü3 ü3 ü3 ü3

OS deployment ü ü N/A ü O N/A N/A N/A N/A

Out of band management ü ü N/A N/A O N/A N/A N/A N/A

Power management ü ü ü ü O O O O OSoftware metering ü ü ü ü O O O O O

1 = Basic information only through Exchange ActiveSync2 = Managed applications only3 = Compliance reporting but no remediation automation4 = Device User has to accept the update5 = Via Remote Assistance

Oder doch einsam?

Selection Criteria

Current Infrastructure• On-premise

ConfigMgr?• Something else?

Scale of Solution• Approx. Max of 5000

Users?• Approx. Max of 100,000

Users?

Required Feature Set• Capabilities• Supported Platforms

Windows Azure Active Directory (WAAD) integration

Provisioning UsersAutomatedScriptableManual

WindowsIntune

Contoso customer premises

Cloud-Only / No Integration

AD

Windows Azure Active Directory

Provisioningplatform

LyncOnline

SharePoint Online

Exchange Online

IdP

DirectoryStore

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. Cloud Only / No Integration2. Directory Synchronization3. Directory and Federated SSO

Joe@contoso.msonline.com

Joe@contoso.com

WindowsIntune

Contoso customer premises

Directory Synchronization

ADDirectory Sync

(DirSync)

Windows Azure Active Directory

Provisioningplatform

LyncOnline

SharePoint Online

Exchange Online

IdPDirectory

Store

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. No Integration2. Directory Synchronization3. Directory and Single sign-on

(SSO)

WindowsIntune

Contoso customer premises

Directory and Federated SSO

ADDirectory Sync

(DirSync)

Windows Azure Active Directory

Provisioningplatform

LyncOnline

SharePoint Online

Exchange Online

Active Directory Federation Server 2.0

Trust

IdPDirectory

Store

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. No Integration2. Directory Synchronization3. Directory and Federated SSO

Integration Comparison1. No Integration

Appropriate for• Smaller orgs without

AD on-premisePros• No servers required on-

premise• Same Domain name for

users possibleCons• No SSO• No 2FA• 2 sets of credentials to

manage with differing password policies

• IDs mastered in the cloud

2. Directory Only

Appropriate for• Medium/Large orgs with

AD on-premisePros• Users and groups

mastered on-premise• Enables co-existence

scenariosCons• No SSO• No 2FA• 2 sets of credentials to

manage with differing password policies or manual / 3rd Party password sync

• Single server deployment

3. Directory and SSO

Appropriate for• Larger enterprise orgs

with AD on-premisePros• SSO with corporate cred• IDs mastered on-

premise• Password policy

controlled on-premise• 2FA solutions possible• Enables hybrid scenarios• Location isolation

Cons• Additional Servers

required for ADFS

Activating Windows Intune UsersBuilt-in group associated with a customer’s Windows Intune account

• Membership required for:– Users to appear in administrator

console– Users to access company portal

• Users added to user group– When created– When edited

• Users removed from group– When edited

Online Services Directory Synchronization Tool

Configuring DirSync through the Account Portal

How quickly can I set up InTune?

Sign up for Windows Intune

account

Synchronize your AD with

Windows Azure AD

Configure Windows Intune

Connector

Place the Windows Intune connector site

system role

Setup MDM Properties

Do the paperwork

• Sign up at www.windowsintune.com• Logon at admin.manage.microsoft.com• Public domain and CNAME DNS • User Principal Names (UPNs)

• Active Directory Federated Services (ADFS)

Allow plenty of time for sync

Run Office 365 Deployment Readiness Tool

Synchronize your AD with Windows Azure AD

Demo

Configuring InTune with ConfigMgr

Demo

What can I do to my mobile devices?

Apps, hints, tips, tricks

Apps

• Microsoft Apps• Windows Phone Store• iTunes App Store• Google Play

• In-House• LOB• Visual Studio and Windows Phone SDKs• Xcode and iOS SDK• Eclipse, Android Studio and Android SDK

Available Examples

• Dynamics CRM• Lync• Sharepoint• Office*• Others…

Requirements

• Developer Licenses• Code Signing Certificates• Development Platforms

Hints, Tips, Tricks

• Planning• Domain considerations• Client-side• Troubleshooting. Where are the Logfiles?• Some things happen overnight• Naughty children

Summary

• ConfigMgr has a rich feature set for managing clients• InTune enhances this by adding MDM• Standalone InTune is enhanced by deploying ConfigMgr• Everyone benefits• Take time to plan your implementation properly• Be aware that mobile devices don’tbehave like desktops

and laptops

Danke!