Configuration Manager and InTune
Together or alone?
Introduction
It’s all about me!
• Who am I?
• Andrew Craig
• Where am I from?
• And now?
• Living three years in Switzerland
• Working for Syliance IT Services GmbH as System Center Senior Consultant
• www.syliance.com
• andrewdcraig.wordpress.com
• Twitter: @mracraig @syliance
Agenda
• What does alone mean?
• What does together mean?
• Why together?
• Windows Azure Active Directory (WAAD) integration
• How quickly can I set up InTune?
• What can I do to my mobile devices?
• Apps, hints, tips, tricks
Spoiler Alert
What does alone mean?
Cloud-Only Configuration
8.1
Cloud Management Capabilities
| Capability / Platform | Windows 8 | Windows 7, Windows Vista, Windows XP | Windows RT | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|---|---|
| Application management | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Endpoint Protection | ✓ | ✓ | O | O | O | O |
| Hardware Inventory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software Inventory | ✓ | ✓ | ✓ (1) | ✓ (1) | ✓ (1) | ✓ (1) |
| Remote control | ✓ (3) | ✓ | ✓ (3) | O | O | O |
| Reporting | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software updates | ✓ | ✓ | O | O | O | O |
| Compliance settings | ✓ (2) | ✓ (2) | ✓ (2) | ✓ (2) | ✓ (2) | ✓ (2) |
(1) = Managed applications only
(2) = Compliance reporting but no remediation automation
(3) = Via Remote Assistance
Windows Intune Cloud Architecture
[Architecture diagram. Labels: Windows Phone 8; Windows RT; iOS; Direct Management & App Publishing; Android; EAS Policy & Inventory; Android App Publishing; CorpNet; Internet; x86 / x64 clients (Windows 8, Windows 7, Windows Vista, Windows XP) shown twice; DirSync]
What does together mean?
Unified Configuration
R2
8.1
Unified Management Capabilities
| Capability / Platform | Windows 8 | Windows 7, Windows Vista, Windows XP | Windows Embedded | Windows To Go | Mac OS | Windows RT | Windows Phone 8 | iOS | Android |
|---|---|---|---|---|---|---|---|---|---|
| Application management | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Endpoint Protection | ✓ | ✓ | ✓ | ✓ | ✓ | O | O | O | O |
| Hardware Inventory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ (1) |
| Software Inventory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ (2) | ✓ (2) | ✓ (2) | ✓ (2) |
| Remote control | ✓ | ✓ | ✓ | ✓ | O | ✓ (5) | O | O | O |
| Reporting | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software updates | ✓ | ✓ | ✓ | ✓ | O | ✓ | ✓ | ✓ (4) | O |
| Compliance settings | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ (3) | ✓ (3) | ✓ (3) | ✓ (3) |
| OS deployment | ✓ | ✓ | N/A | ✓ | O | N/A | N/A | N/A | N/A |
| Out of band management | ✓ | ✓ | N/A | N/A | O | N/A | N/A | N/A | N/A |
| Power management | ✓ | ✓ | ✓ | ✓ | O | O | O | O | O |
| Software metering | ✓ | ✓ | ✓ | ✓ | O | O | O | O | O |
(1) = Basic information only through Exchange ActiveSync
(2) = Managed applications only
(3) = Compliance reporting but no remediation automation
(4) = Device User has to accept the update
(5) = Via Remote Assistance
Windows Intune Unified Architecture
[Architecture diagram. Labels: Android; EAS Policy & Inventory; Android App Distribution; R2; Windows Phone 8; Windows RT; iOS; Direct Management & App Distribution; x86 / x64 clients (Windows 8, Windows To Go, Windows 7, Windows Embedded, Windows Vista, Windows XP, Mac); Corporate Net; Internet; x86 / x64 clients (Windows 8, Windows 7, Windows Vista, Windows XP); DirSync; ADFS; ADFS Proxy; Active Directory]
Why together?
A house with many windows
Single pane of glass
Exchange Connector/ActiveSync
• EAS – Application layer
• InTune MDM – OS Layer
• ConfigMgr – Manage Exchange Policies
Or alone after all?
Selection Criteria
Current Infrastructure
• On-premise ConfigMgr?
• Something else?
Scale of Solution
• Approx. Max of 5000 Users?
• Approx. Max of 100,000 Users?
Required Feature Set
• Capabilities
• Supported Platforms
Windows Azure Active Directory (WAAD) integration
Provisioning Users
• Automated
• Scriptable
• Manual
Cloud-Only / No Integration
[Diagram. Labels: Contoso customer premises; AD; Windows Azure Active Directory; Provisioning platform; Directory Store; Authentication platform; IdP; Admin Portal / PowerShell / GRAPH; Windows Intune; Lync Online; SharePoint Online; Exchange Online]
1. Cloud Only / No Integration
2. Directory Synchronization
3. Directory and Federated SSO
Directory Synchronization
[Diagram. Labels: Contoso customer premises; AD; Directory Sync (DirSync); Windows Azure Active Directory; Provisioning platform; Directory Store; Authentication platform; IdP; Admin Portal / PowerShell / GRAPH; Windows Intune; Lync Online; SharePoint Online; Exchange Online]
1. No Integration
2. Directory Synchronization
3. Directory and Single sign-on (SSO)
Directory and Federated SSO
[Diagram. Labels: Contoso customer premises; AD; Directory Sync (DirSync); Active Directory Federation Server 2.0; Trust; Windows Azure Active Directory; Provisioning platform; Directory Store; Authentication platform; IdP; Admin Portal / PowerShell / GRAPH; Windows Intune; Lync Online; SharePoint Online; Exchange Online]
1. No Integration
2. Directory Synchronization
3. Directory and Federated SSO
Integration Comparison
1. No Integration
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
• Same Domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. Directory Only
Appropriate for
• Medium/Large orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies or manual / 3rd Party password sync
• Single server deployment
3. Directory and SSO
Appropriate for
• Larger enterprise orgs with AD on-premise
Pros
• SSO with corporate cred
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
Cons
• Additional Servers required for ADFS
Activating Windows Intune Users
Built-in group associated with a customer’s Windows Intune account
• Membership required for:
– Users to appear in administrator console
– Users to access company portal
• Users added to user group
– When created
– When edited
• Users removed from group
– When edited
Online Services Directory Synchronization Tool
Configuring DirSync through the Account Portal
How quickly can I set up InTune?
Sign up for Windows Intune account
Synchronize your AD with Windows Azure AD
Configure Windows Intune Connector
Place the Windows Intune connector site system role
Setup MDM Properties
Do the paperwork
• Sign up at www.windowsintune.com
• Logon at admin.manage.microsoft.com
• Public domain and CNAME DNS
• User Principal Names (UPNs)
• Active Directory Federated Services (ADFS)
Allow plenty of time for sync
Run Office 365 Deployment Readiness Tool
Synchronize your AD with Windows Azure AD
Demo
Configuring InTune with ConfigMgr
Demo
What can I do to my mobile devices?
Apps, hints, tips, tricks
Apps
• Microsoft Apps
• Windows Phone Store
• iTunes App Store
• Google Play
• In-House
• LOB
• Visual Studio and Windows Phone SDKs
• Xcode and iOS SDK
• Eclipse, Android Studio and Android SDK
Available Examples
• Dynamics CRM
• Lync
• SharePoint
• Office*
• Others…
Requirements
• Developer Licenses
• Code Signing Certificates
• Development Platforms
Hints, Tips, Tricks
• Planning
• Domain considerations
• Client-side
• Troubleshooting. Where are the log files?
• Some things happen overnight
• Naughty children
Summary
• ConfigMgr has a rich feature set for managing clients
• InTune enhances this by adding MDM
• Standalone InTune is enhanced by deploying ConfigMgr
• Everyone benefits
• Take time to plan your implementation properly
• Be aware that mobile devices don’t behave like desktops and laptops
Thank you!