How Microsoft IT Solves BYOD Using Microsoft System Center Configuration Manager R2 and Windows Intune
Karthik Jayavel, Marc Hurley
PCIT-B333
Session Objective: Share Microsoft IT's experiences with implementing a Bring Your Own Device (BYOD) culture with the help of System Center 2012 R2 Configuration Manager and Windows Intune
Key Takeaways
• Learn from our experience implementing BYOD scenarios in Microsoft IT
• Understand the intricacies of managing a user's personal device
• How to win over users with Line of Business (LOB) applications on their devices while protecting corporate data from being compromised
• How to make users more productive by providing access to company resources on their personal devices
Session Objectives And Takeaways
Who is This Session Designed For
• People with a basic understanding of System Center 2012 Configuration Manager and a familiarity with Windows Intune
• People interested in walking through:
  • How to embrace the BYOD culture in their enterprise environment
  • Distributing applications and policies to modern devices like Windows Phone 8 and Windows RT
  • Reporting on devices accessing corporate applications
Solution Overview at Microsoft IT
Benefits of Adopting a Unified Solution
Goals
• Management support for Windows 8.x and heterogeneous devices
• Improve user productivity on user owned devices
• Safeguard BYOD assets
• Provide access to LOB apps
• Reduce infrastructure cost
• Central management for all enterprise & BYOD devices
Unified Device Management
• System Center 2012 R2 Configuration Manager
• Windows Intune
• System Center 2012 Orchestrator
Better with Both
• Ability to provide users access to LOB apps
• Enforce security policies on devices
• Allows end users to connect from anywhere
• Access corporate resources
• No additional infrastructure required
Device Scope @ Microsoft IT
In scope (heterogeneous devices):
• Windows 8.x: Windows 8.x RT and Windows 8.1 Non Domain Joined (NDJ) PCs
• Windows Phone 8.x
Out of scope:
• Android
Challenges for Heterogeneous Devices @ Microsoft IT
• Limited LOB applications for various platforms
• Shift in the technical support model
• User expectations for non domain joined PCs
Current UDM Metrics
                      Windows Phone 8.x   Windows RT/8.x   iOS
Devices Enrolled      25,033              1,643            41
LOB apps published    121                 247              3
Deep linked apps      34                  0                16
MSIT UDM setup
Karthik Jayavel
Unified Management Infrastructure @ Microsoft IT
Diagram (ConfigMgr hierarchy): Redmond Site 1 (75k clients), Redmond Site 2 (75k clients), North & South America (35k clients), Europe, Middle East & Africa (40k clients), Australia & Asia (75k clients), plus a dedicated Device Management site that hosts the Windows Intune Connector site role and runs AD User Discovery against the corp domains.
Diagram (identity path to the Intune subscription): corp Active Directory is synchronized to MS Online Directory Services (MSODS) by MS Online Directory Sync (DirSync), with Active Directory Federation Server 3.0 providing federated sign-in.
Infrastructure
• 6 Primary Sites
• 13 Secondary Sites
• 250 Distribution Points
PCs & Devices
• ~300,000 clients
• ~125k mobile devices
Users
• ~98k FTEs
• ~82k Vendors
MSIT UDM setup steps:
1. Built a ConfigMgr R2 standalone environment: a virtual primary site in the corp domain (12 GB RAM, 4 proc primary site server; 24 GB RAM, 4 proc SQL Server)
2. Performed User Discovery for the entire corp forest
3. The MSODS team provisioned Intune services for the Microsoft IT tenant and set up the services admin
4. Set up DNS redirection for enterpriseenrollment.Microsoft.com to the Intune beta environment
5. Applied the device-specific certificates: Windows Phone 8 code signing cert; Windows RT code signing cert and sideloading key; iOS Apple Push Notification (APN) cert
Diagram: the numbered setup steps (1 to 5) laid over the components: Microsoft Corp Active Directory, Active Directory Federation Server 3.0, MS Online Directory Sync (DirSync), MSODS AD User Discovery on the corp domains, Primary Site with SQL Server, Intune Subscription Connector site role, Windows Intune, Microsoft Cloud Services.
How MSIT Configured the Intune Subscription
Intune Subscription Setup Overview
What you need to do:
• Directory Sync to synchronize AD data, and ADFS setup for single sign-on: http://technet.microsoft.com/en-us/library/hh967642.aspx
• Perform User Discovery for the users you will offer BYOD enrollment in your environment
• DNS redirection for enterpriseenrollment.<yourcompany>.com is needed (the enrollment client looks this name up)
• Windows Phone: obtain a VeriSign code-signing certificate; work with your app/security team
• Windows RT: purchase a sideloading key from the Volume Licensing Service Center
• iOS: generate the certificate request from the Configuration Manager console and obtain the APN certificate from Apple's portal
Teams involved:
• AD Team – DirSync and ADFS 3.0
• App Team – App certification
• Security Team – Policy definition
• Remote Resource Access Team – VPN/Wi-Fi/Certificates
Intune Subscription in Configuration Manager
Demo: Cloud Sync Monitoring (Karthik Jayavel)
Managing Company Portal Across All Devices
Marc Hurley
Windows Phone 8.x Company Portal
• Obtained the WP8 Company Portal through the internal process
• Worked with the App Certification team to sign the Company Portal before publishing
• Associated the published WP8 Company Portal with the Intune Subscription
• Deployed the Company Portal as "Available" to a User Collection
• Published all LOB applications to All Users and/or Security Groups
• Deployed the Company Portal as "Required" to a User Collection during upgrade scenarios and to maintain Company Portal reach
Windows 8.x Company Portal
• Obtained the Company Portal appx through the internal process
• Configured the Intune Connector with the Microsoft internal root certificate
• Deployed the Company Portal as "Required" to a User Collection
• Published all LOB applications to All Users and/or Security Groups
• Deployed the Company Portal as "Required" to a User Collection during upgrade scenarios and to maintain Company Portal reach
iOS Company Portal
• Obtained the Company Portal ipa file through the internal process
• Configured the Intune Connector with the APN certificate
• Created an internal website to host the Company Portal install file
• Published deep linked applications to All Users and/or Security Groups
• Deployed the Company Portal as "Required" to a User Collection during upgrade scenarios and to maintain Company Portal reach
Company Portal Recap
Windows Intune Company Portal
  Platform: Windows 8.x (RT, x86/x64)
  Installation: IT deployment (pushed to NDJ devices/users at Microsoft; MSIT users should not install the Company Portal from the Store)
  Note: the public downloads it from the Microsoft Store
Windows Intune Company Portal for Windows Phone 8
  Platform: Windows Phone 8
  Installation: IT deployment (auto-installed after enrollment)
  Note: the public downloads it from Microsoft.com
Windows Intune Company Portal for iOS
  Platform: iOS
  Installation: direct user installation (at Microsoft from the intranet site http://issp because we are in CTiP; moving to an extranet site)
  Note: the public gets it from the App Store
Windows Intune Company Portal for Android
  Platform: Android
  Installation: direct user installation (evaluation in progress)
  Note: the public gets it from Google Play
Demo: WP8.1 Enrollment and Company Portal (Marc Hurley)
Windows Phone 8.1 Enrollment
Modern Application Delivery
Marc Hurley
Native management of Windows RT, Windows Phone 8.x and iOS through Windows Intune Unified Management
Administration matrix (Windows RT, Windows Phone 8, Windows Phone 8.1, iOS): available LOB apps in the Portal; required LOB apps; deep linked apps; in-console deployment monitoring
Single pane of glass: manage app deployments to modern devices through integration with the ConfigMgr R2 admin console
Simplified Administration Experience
Advanced Modern Device Management
How We Automated App Publishing in MSIT
Requirements
• Self-service publishing of modern applications
• Rapid turnaround from request time to deployment
• Reduction of Configuration Manager administrative overhead
• Removal of manual provisioning and deployment errors
Technology
• IT DevCenter: the application developer's request portal
• Visual Studio 2012 Team Foundation Server
• System Center 2012 Orchestrator
• System Center 2012 R2 Configuration Manager cmdlets
• Custom PowerShell modules
• Active Directory cmdlets
Benefits
• Publishing process that mimics the Windows Store process
• Scripts and templates enforce standardization
• Publishing time reduced from 3 days to 6 hours
• Admins can focus on deployment errors rather than publishing
• 95% of app publishing work completed zero touch
End to End Workflow
Pre-process:
1. App owner submits the application to Dev Center
2. Dev Center assigns a task
3. Orchestrator runbooks wake on schedule and check TFS for tasks waiting for automation
4. Task status updated to "In Process"
Process:
5. XML files created from the TFS task
6. "Activity Type" identified: Create, Deploy, Create & Deploy, Delete, Pause, Supersede
7. PowerShell modules called
8. Task status updated and the task assigned back to Dev Center
Demo: Modern App Automation (Marc Hurley)
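The "Call PowerShell modules" step of the workflow above, as an added example that is not Microsoft IT's runbook code. It consumes the XML task that Orchestrator builds from a TFS work item and dispatches on the activity type. The security-relevant part is the validation up front: the task is data that originated in a developer-facing portal, so the activity name, the target collection and the application name are checked against allow-lists and the naming template before any ConfigMgr cmdlet runs, and a bad task fails closed. It assumes the ConfigMgr 2012 R2 cmdlets (New-CMApplication, Start-CMApplicationDeployment, Suspend-CMApplication, Remove-CMApplication) are loaded with the site drive as the current location; the XML schema, sample task and collection names are hypothetical.

```powershell
#Requires -Version 3.0
# Added example, not Microsoft IT's runbook code. Assumes the ConfigMgr 2012 R2
# cmdlets are loaded and the site drive (e.g. PS1:) is the current location.
# The task schema, the sample task and the collection names are hypothetical.

# Constructed sample task, standing in for a file exported from a TFS work item
$SampleTaskXml = @'
<PublishTask>
  <TaskId>4711</TaskId>
  <ActivityType>CreateAndDeploy</ActivityType>
  <AppName>Contoso.Expense</AppName>
  <Version>1.2.0</Version>
  <Publisher>Contoso Finance</Publisher>
  <Collection>UDM - All BYOD Users</Collection>
  <Purpose>Available</Purpose>
</PublishTask>
'@

$AllowedActivities  = 'Create', 'Deploy', 'CreateAndDeploy', 'Delete', 'Pause', 'Supersede'
$AllowedCollections = 'UDM - All BYOD Users', 'UDM - Finance Users'   # hypothetical user collections

function Test-PublishTask {
    # Returns the list of validation problems; an empty list means the task may run.
    param([xml]$Task)
    $t = $Task.PublishTask
    $problems = @()
    if ($t.ActivityType -notin $AllowedActivities) {
        $problems += "unknown ActivityType '$($t.ActivityType)'"
    }
    # Naming template: Publisher.AppName, alphanumeric only, so a task cannot
    # smuggle wildcards or path characters into the application name
    if ($t.AppName -notmatch '^[A-Za-z0-9]+\.[A-Za-z0-9]+$') {
        $problems += "AppName '$($t.AppName)' violates the naming template"
    }
    if ($t.Version -notmatch '^\d+\.\d+\.\d+$') {
        $problems += "Version '$($t.Version)' is not major.minor.build"
    }
    if ($t.ActivityType -in 'Deploy', 'CreateAndDeploy') {
        if ($t.Collection -notin $AllowedCollections) {
            $problems += "Collection '$($t.Collection)' is not an approved UDM collection"
        }
        if ($t.Purpose -notin 'Available', 'Required') {
            $problems += "Purpose must be Available or Required"
        }
    }
    return $problems
}

function Invoke-PublishTask {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$TaskXml)

    $task     = [xml]$TaskXml
    $t        = $task.PublishTask
    $problems = Test-PublishTask -Task $task
    if ($problems.Count -gt 0) {
        # Fail closed: the task goes back to Dev Center instead of being guessed at
        throw ("Task {0} rejected: {1}" -f $t.TaskId, ($problems -join '; '))
    }
    $name = "$($t.AppName) $($t.Version)"   # ConfigMgr application name from the template

    $create = {
        if ($PSCmdlet.ShouldProcess($name, 'New-CMApplication')) {
            New-CMApplication -Name $name -Publisher $t.Publisher -SoftwareVersion $t.Version | Out-Null
            # The platform deployment type (xap/appx/ipa) is added by the per-platform
            # module in the real pipeline; it is not shown here
        }
    }
    $deploy = {
        if ($PSCmdlet.ShouldProcess($name, "Start-CMApplicationDeployment to '$($t.Collection)' as $($t.Purpose)")) {
            Start-CMApplicationDeployment -Name $name -CollectionName $t.Collection `
                -DeployPurpose $t.Purpose -DeployAction Install | Out-Null
        }
    }

    switch ($t.ActivityType) {
        'Create'          { & $create }
        'Deploy'          { & $deploy }
        'CreateAndDeploy' { & $create; & $deploy }
        'Delete'          { if ($PSCmdlet.ShouldProcess($name, 'Remove-CMApplication')) { Remove-CMApplication -Name $name -Force } }
        'Pause'           { if ($PSCmdlet.ShouldProcess($name, 'Suspend-CMApplication')) { Suspend-CMApplication -Name $name } }
        'Supersede'       { throw "Task $($t.TaskId): Supersede is handled by the supersedence module, not this dispatcher" }
    }
    return "Task $($t.TaskId): $($t.ActivityType) processed for '$name'"
}

# -WhatIf prints the cmdlets that would run without touching the site
Invoke-PublishTask -TaskXml $SampleTaskXml -WhatIf
```

Run it with `-WhatIf` first; the ShouldProcess calls print each cmdlet that would execute against the site, which is the cheapest way to review a new task template before the runbook is allowed to run it unattended.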
Security Policies - Settings Management
Karthik Jayavel
Settings Management at Microsoft IT
• UDM policies kept consistent with MSIT Exchange ActiveSync (EAS) policies
• Created password and encryption policies using the pre-defined settings in Configuration Manager
• Set the baseline to remediate (enforce) rather than only monitor
• Deployed the baseline to users
• Provided compliance-status reports to the Security Team
Setting Up Device Policies (Corp Policies)
Setting                          WP              WinRT            Windows         iOS
Device Encryption                True            Not Supported    Not Supported   Not Supported
Device Password                  Enabled         Not Supported    Not Supported   Enabled
Allow Simple Password            True            Not Supported    Not Supported   False
Min Password Length              4               6 (local only)   8               4
Max inactive time to lock        15 mins         15 mins          15 mins         15 mins
Max failed attempts before wipe  5               5 (local)        10              5
Password Expiration              Not configured  70 days (local)  70 days         Not configured
Password History                 0               0                24              0
Min Complex Characters           1               1 (local only)   1               0
Allow Camera                     Not configured  Not configured   Not configured  Yes
Maximum grace period             Not configured  Not configured   Not configured  3
Allow Browser                    Not configured  Not configured   Not configured  Yes
Company Resource Access
Karthik Jayavel
Simple Certificate Enrollment Protocol (SCEP) Certificates
• Certificate Registration Point (CRP) role installed in the on-prem ConfigMgr environment
• CRP configured to communicate with the Network Device Enrollment Service (NDES)
• NDES is Internet facing (http://NDESFQDN/certsrv/mscep/mscep.dll); the ConfigMgr policy module plugin is installed on the NDES server; PKI certs configured on NDES and CRP for cross communication
• Key storage: a KSP stores certs on the TPM or in the software cert store depending on device type: Windows Phone 8.1 = TPM cert only; Windows 8.1 = both TPM and non-TPM certs; iOS = non-TPM cert
• Cert renewal threshold: 92% of the 14-day validity period
• Deployed the root certificate first, then the individual SCEP certs
• Troubleshooting tips: runtime log CRP.log; setup logs CRPMSI.log and CRPSetup.log; SQL table MDMCRPrequests
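A health and hardening check for the NDES/SCEP path described above, added here as an example and not part of the session. It confirms that the Internet-facing NDES endpoint answers the unauthenticated SCEP operations GetCACaps and GetCACert, verifies that the NDES admin page (which hands out enrollment challenge passwords) is not reachable anonymously, and, on a Windows 8.1 client, lists the user's certificates together with the key storage provider that holds the private key, so TPM-backed certs can be told apart from software ones, flagging any past the session's 92% renewal threshold. The NDES name is hypothetical; it assumes a Windows 8.1 client with PowerShell 4.0 (Invoke-WebRequest and certutil).

```powershell
# Added example, not from the session. Assumes Windows 8.1 / PowerShell 4.0 and
# an Internet-connected client. The NDES name below is hypothetical.
param(
    [string]$NdesFqdn = 'ndes.example.com',   # hypothetical
    [double]$RenewalThreshold = 0.92          # renewal threshold from the session
)

function Test-NdesScepEndpoint {
    param([string]$Fqdn, [ValidateSet('http', 'https')][string]$Scheme = 'https')
    $base   = "${Scheme}://${Fqdn}/certsrv/mscep/mscep.dll"
    $result = [ordered]@{ Endpoint = $base; Scheme = $Scheme }
    try {
        # GetCACaps and GetCACert need no challenge; a healthy NDES answers both
        $caps = Invoke-WebRequest -Uri "${base}?operation=GetCACaps&message=probe" -UseBasicParsing -TimeoutSec 15
        $result.GetCACaps = (($caps.Content -split '\s+') | Where-Object { $_ }) -join ','
        $ca = Invoke-WebRequest -Uri "${base}?operation=GetCACert&message=probe" -UseBasicParsing -TimeoutSec 15
        $result.GetCACertType = $ca.Headers['Content-Type']   # expect application/x-x509-ca-ra-cert
    } catch {
        $result.Error = $_.Exception.Message
    }
    # The admin page must require authentication; a 200 to an anonymous GET is a finding
    try {
        $admin = Invoke-WebRequest -Uri "${Scheme}://${Fqdn}/certsrv/mscep_admin/" -UseBasicParsing -TimeoutSec 15
        $result.AdminPageAnonymous = ($admin.StatusCode -eq 200)
        $result.AdminPageStatus    = $admin.StatusCode
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        $result.AdminPageAnonymous = $false
        $result.AdminPageStatus    = $status   # 401/403 expected; $null means unreachable
    }
    [pscustomobject]$result
}

function Get-ScepCertStatus {
    param([double]$Threshold)
    # certutil prints "Provider = <KSP>" for each cert that has a private key;
    # "Microsoft Platform Crypto Provider" means the key lives in the TPM.
    $providers = @{}
    $current = $null
    foreach ($line in (certutil -user -store My 2>$null)) {
        if ($line -match '^Serial Number:\s*([0-9a-fA-F]+)') { $current = $matches[1].ToUpper() }
        elseif ($current -and $line -match '^\s*Provider\s*=\s*(.+)$') { $providers[$current] = $matches[1].Trim() }
    }
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $serial   = $_.SerialNumber.ToUpper()
        $fraction = ((Get-Date) - $_.NotBefore).TotalSeconds / ($_.NotAfter - $_.NotBefore).TotalSeconds
        [pscustomobject]@{
            Subject   = $_.Subject
            Serial    = $serial
            Provider  = $providers[$serial]
            TpmBacked = ($providers[$serial] -eq 'Microsoft Platform Crypto Provider')
            NotAfter  = $_.NotAfter
            LifeUsed  = [math]::Round($fraction, 2)   # fraction of validity already elapsed
            RenewDue  = ($fraction -ge $Threshold)
        }
    }
}

Test-NdesScepEndpoint -Fqdn $NdesFqdn -Scheme https | Format-List
# The session's URL is plain http; probe that too so you know which scheme is actually exposed
Test-NdesScepEndpoint -Fqdn $NdesFqdn -Scheme http  | Format-List
Get-ScepCertStatus -Threshold $RenewalThreshold | Sort-Object RenewDue -Descending | Format-Table -AutoSize
```

Pair the client-side output with CRP.log and the MDMCRPrequests table mentioned above: a cert that shows RenewDue on the device but has no fresh request on the CRP side points at the device, not at NDES.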
VPN Profiles
• VPN RADIUS servers managed by the VPN team
• Split tunnel profiles authorized by the MSIT VPN team
• IKEv2 with EAP-TLS for WPB (Windows Phone 8.1); Automatic tunnel type with PEAP for Windows devices (3rd party connection types such as Juniper are also supported)
• Each VPN profile is associated with the relevant SCEP cert by EKU; note that the SCEP certs and the VPN profile are installed asynchronously, so the profile may arrive before the cert it depends on
• Custom IE settings delivered through DCM for single sign-on
• Used the import-profile feature for Windows profiles
• VPN connect for Windows and Windows Phone; smart card and phone auth for Windows devices; phone-auth profiles for Windows use different VPN servers
• Custom reports provided to the MSIT VPN team
Wi-Fi Profiles
• Worked with the Network team for SSIDs
• WPA2 Enterprise, specifying the root cert and the SCEP certs deployed
• MSIT users get secured Wi-Fi and VPN profiles only through Intune
• VPN, certificate and Wi-Fi profiles are user-targeted to cover the various platforms
Remote Connection
• Users can RDP to CM-managed PCs from the Company Portal
• Managed PCs are those with the CM agent installed; user device affinity data is used to display the user's PCs in the Portal
• Identified the Remote Desktop Gateway (RDG) server URL
• Deployed a Remote Connection profile: enables RDP on CM agent installed machines, grants RDP access to the primary user and enables the firewall rules
• Piloted with PhoneFactor authentication
• Not scoped for Windows Phone 8.1
Demo: Company Resource Access, VPN and Remote Connection (Karthik Jayavel)
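A client-side check of what the Remote Connection profile is expected to leave on a CM-managed PC, added as an example and not part of the session: RDP enabled, the Remote Desktop firewall rules on, and the primary user in Remote Desktop Users. It adds two hardening checks a practitioner wants before RDP is reachable through an RD Gateway from the Internet: Network Level Authentication must be required, and the inbound rules should not be open to any remote address. The primary user name is hypothetical; it assumes an elevated PowerShell 4.0 session on the managed Windows 8.1 PC.

```powershell
# Added example, not from the session. Run elevated on the managed Windows 8.1 PC.
function Get-RemoteConnectionState {
    param([string]$PrimaryUser = 'CONTOSO\alice')   # hypothetical primary user
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication

    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
             Where-Object { [string]$_.Enabled -eq 'True' }
    # Remote address scope of each enabled rule; 'Any' means the whole Internet can knock
    $scopes = foreach ($r in $rules) {
        $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $r.DisplayName; RemoteAddress = $addr }
    }
    # Local group membership; drop net.exe's banner, separator and trailer lines
    $members = (net localgroup 'Remote Desktop Users') |
               Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }

    [pscustomobject]@{
        RdpEnabled           = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        EnabledInboundRules  = @($scopes)
        RdpGroupMembers      = @($members)
        PrimaryUserHasAccess = (@($members) -contains $PrimaryUser)
    }
}

function Get-RemoteConnectionFindings {
    # Turns the state object into a list of actionable findings (empty = compliant)
    param([pscustomobject]$State)
    $findings = @()
    if (-not $State.RdpEnabled) {
        $findings += 'RDP is disabled: the Remote Connection profile has not applied'
    }
    if (-not $State.NlaRequired) {
        $findings += 'NLA not required: set UserAuthentication=1 so unauthenticated sessions never reach the logon screen'
    }
    if ($State.EnabledInboundRules | Where-Object { $_.RemoteAddress -eq 'Any' }) {
        $findings += 'Remote Desktop rule open to Any remote address: scope it to the RD Gateway and corporate ranges'
    }
    if (-not $State.PrimaryUserHasAccess) {
        $findings += 'Primary user is not a member of Remote Desktop Users'
    }
    return $findings
}

$state = Get-RemoteConnectionState
$state | Format-List
Get-RemoteConnectionFindings -State $state
```

The NLA check is the one worth automating across the fleet: the profile turns RDP on, and a gateway only authenticates the tunnel, so a host that still allows pre-authentication sessions exposes its logon screen to anyone who can reach the gateway.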
UDM Reports
Marc Hurley
Unified Device Management Reports
Best Practices Identified at Microsoft IT
• Learning: new experience for users enrolling devices. Action: educated users with the enrollment steps
• Learning: helpdesk awareness of modern device support. Action: created support documentation and trained the helpdesk
• Learning: restrict access to the Remote Wipe and Retire commands. Action: use RBAC to control Remote Wipe and Retire access
• Learning: monitoring of external components like NDES and VPN servers. Action: work with the VPN team to enable monitoring/reports
• Learning: call out important apps to users. Action: use the Featured App function when publishing
Lessons Learned
• The WP app signing cert expired after 1 year: had to replace the AET (Application Enrollment Token) with a new token and re-sign and republish the applications; no need to re-sign apps for WP8.1
• Replaced the Apple APN certificate: the account used to obtain the APN cert was a user-specific iTunes account, and all iOS devices had to un-enroll and re-enroll
• The enrollment certificate expires every year on WP8: WP8 users need to respond and renew the cert before expiration to keep the enrollment intact; WP8.1 updates the certificate automatically in the background
• Policies were targeted to devices instead of users: security policies arrived late because devices had to register first
• Windows 8.x core OS does not support app sideloading: users had to upgrade the OS license to Windows 8.x Pro or Enterprise
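A pre-flight and monitoring script tying the subscription setup prerequisites (the enterpriseenrollment DNS name and the three device certificates) to the lessons learned above, where the Windows Phone signing certificate and the Apple APN certificate expired and forced a re-sign or a full re-enrollment. It is an added example, not from the session: it resolves the enrollment CNAME and reports the days left on each certificate, so renewal can be scheduled before users notice. The company domain and certificate paths are hypothetical; it assumes the certificates were exported as public .cer files (no PFX password needed) and that the DnsClient module (Windows 8 / Server 2012 or later) is present.

```powershell
# Added example, not from the session. Domain and file paths are hypothetical;
# the .cer files are the exported public certificates.
param(
    [string]$CompanyDomain = 'contoso.com',   # hypothetical
    [hashtable]$CertFiles = @{                # hypothetical paths
        'Windows Phone 8 code-signing (VeriSign)' = 'C:\Certs\wp8-signing.cer'
        'Windows RT code-signing'                 = 'C:\Certs\winrt-signing.cer'
        'Apple Push Notification (APN)'           = 'C:\Certs\apns.cer'
    },
    [int]$WarnDays = 60
)

function Test-EnrollmentDns {
    # MDM enrollment on Windows Phone / Windows 8.1 looks up enterpriseenrollment.<domain>
    param([string]$Domain)
    $name = "enterpriseenrollment.$Domain"
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        [pscustomobject]@{ Name = $name; Resolves = $true;  Target = $cname.NameHost; Error = $null }
    } catch {
        [pscustomobject]@{ Name = $name; Resolves = $false; Target = $null; Error = $_.Exception.Message }
    }
}

function Get-CertExpiryReport {
    param([hashtable]$Files, [int]$Days)
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    foreach ($role in ($Files.Keys | Sort-Object)) {
        $path = $Files[$role]
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Role = $role; Subject = $null; NotAfter = $null; DaysLeft = $null; CodeSigning = $null; Status = 'MISSING' }
            continue
        }
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        $left   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Role        = $role
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            DaysLeft    = $left
            CodeSigning = ($ekus -contains $codeSigningOid)   # expected True for the two signing certs, False for APN
            Status      = if ($left -lt 0) { 'EXPIRED' } elseif ($left -le $Days) { 'RENEW SOON' } else { 'OK' }
        }
    }
}

Test-EnrollmentDns -Domain $CompanyDomain | Format-List
Get-CertExpiryReport -Files $CertFiles -Days $WarnDays | Format-Table -AutoSize
```

Schedule it with a warning window longer than the time it takes to obtain a replacement certificate and, for the APN cert, to plan the device re-enrollment the session describes; the lead time, not the check, is what avoids the outage.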
In Review: Session Objectives And Takeaways
Session Objectives:
• Showed how Configuration Manager and Intune helped MSIT users access corporate LOB applications over the Internet
• Shared how you can enforce corporate security policies on devices
• Showed how to improve user productivity by providing access to corporate resources on personal devices
Key Takeaways:
• The process to maximize value from implementing Unified Device Management is straightforward
• Providing access to corporate resources and enforcing corporate security is simple using the Settings and Company Resource Access features
• The Configuration Manager database contains managed-device information that can be used for building custom reports
Related Sessions
• PCIT-B339 How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch
For More Information
• Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune: http://technet.microsoft.com/en-us/library/dn482435.aspx
• Technical Case Study: User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT: http://technet.microsoft.com/en-us/library/hh925141.aspx
• System Center in Action site: http://blogs.technet.com/b/system_center_in_action/
Resources
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for Developers (MSDN): http://microsoft.com/msdn
• Resources for IT Professionals (TechNet): http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.