UNIFIED MANAGEMENT OF

Olav Tvedt

Chief Consultant

MVP -

Twitter: @olavtwitt – Blog: http://olavtvedt.blogspot.com

CLIENTS

AGENDA:

Data Access

Remote System Access

Client Control

Data Access

Data Access

• SkyDrive

• SkyDrive Pro

• Folder Redirection

• Work Folders

5

Consumer /

personal data

Individual work

data

Team / group

work data

Personal

devicesAccess protocol Data location

SkyDrive X X HTTPS Public cloud

SkyDrive Pro X X X HTTPSSharePoint / Office

365

Work Folders X X HTTPS File server

Folder

Redirection /

Client-Side

Caching

X

SMB (only from on-

prem or using

VPN/DA)

File server

http://blogs.technet.com/b/filecab/archive/2013/07/10/introducing-work-folders-on-windows-server-2012-r2.aspx

7

Work Folders

8

Work Folders Requirements

• A server running Windows Server 2012 R2 for hosting sync shares and user files

• A volume formatted with the NTFS file system for storing user files

• Work Folders has the following software requirements for client PCs:

• Client side (More client OS support to come):- Windows 8.1- Windows RT 8.1- Enough free space on a local, NTFS-formatted drive to store all files in Work Folders. Work Folders uses the %USERPROFILE%\Work Folders location by default, although users can change the location during setup (microSD cards and USB drives are supported locations). The maximum size for individual files is 10 GB by default and there is no per-user storage limit, though administrators can use File Server Resource Manager to implement quotas.

9

Work Folders Offline Files SkyDrive Pro SkyDrive

Intended for providing

user access to work filesYes Yes Yes No

Summary

Syncs files stored on a file

server with PCs and

devices

Syncs files stored on a file

server with PCs that have

access to the corporate

network (can be replaced

by Work Files)

Syncs files stored in Office

365 or in SharePoint with

PCs and Windows

Phones inside or outside a

corporate network and

provides document

collaboration functionality

Syncs personal files

stored in SkyDrive with

PCs and popular devices

Cloud service None None Office 365 Microsoft SkyDrive

Internal network servers

File servers running

Windows Server 2012 R2

Preview

File serversSharePoint server

(optional)None

Supported clients

PCs inside or outside of a

corporate network,

popular devices*

PCs in a corporate

network (or connected via

DirectAcces, VPNs, or

other remote access

technologies)

PCs, Windows PhonePCs, Macs, Windows

Phone, iOS, Android

11

.

*Work Folders apps not yet announced.

Work Folders Requirements

• To enable users to sync across the Internet, there are additional requirements:- A server certificate from a certification authority (CA) that is trusted by your users – ideally a public CA- The ability to make a server accessible from the Internet by creating publishing rules in your organization’s reverse proxy or network gateway- A publicly registered domain name and the ability to create additional public DNS records for the domain

• (Optional) An Active Directory Domain Services forest with the Windows Server 2012 R2 schema extensions to support automatically referring client PCs and devices to the correct sync server when using multiple sync servers

• (Optional) Active Directory Federation Services (AD FS) infrastructure, when using AD FS authentication

12

13

Windows Server 2012 R2 - Web Application Proxy

http://technet.microsoft.com/en-us/library/dn280944.aspx

1

5

More Info: Work folder

• Introducing Work Folders On Windows Server 2012 R2:http://blogs.technet.com/b/filecab/archive/2013/07/10/introducing-work-folders-on-windows-server-2012-r2.aspx

• Technet:http://technet.microsoft.com/en-us/library/dn265974.aspx

• Work Folder Best Practices Analyser:http://technet.microsoft.com/en-us/library/dn292741.aspx

• Work Folders Test Lab Deployment:http://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx

• Work Folders Certificate Management:http://blogs.technet.com/b/filecab/archive/2013/08/09/work-folders-certificate-management.aspx

16

Remote System Access

WORKPLACE JOIN

18

IT can publish access to resources with the Web Application Proxybased on device awareness and the users identity

IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

Users can work from anywhere on their device with access to their corporate resources.

Users can register devices for single sign-on and access to corporate data with Workplace Join

Users can enroll devices for access to the Company Portal for easy access to corporate applications

IT can publish Desktop Virtualization (VDI) for access to centralized resources

IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the users identity. Multi-factor authentication can be used through Windows Azure Active Authentication.

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificateis installed on the device

Users can enroll devices which configure the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications

As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device

Data from Windows Intune is sync with Configuration Manager which provides unified management across both on-premises and in the cloud

Not Joined Workplace Joined Domain Joined

User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.

Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information

Domain joined computers are under the full control of IT and can be provided with complete access to corporate information

Browser session single

sign-on

Seamless 2-Factor Auth

for web apps

Enterprise apps single

sign-on

Desktop Single Sign-On

DIRECTACCESS

23

24

25

DirectAccess Limitations

Supported Clients

• Windows 8 Enterprise

• Windows 7 Enterprise

• Windows 7 Ultimate

• Domain-Joined

Non-Supported Clients

• Windows 8 Professional

• Windows Vista

• Windows XP

• Non Domain-Joined

DirectAccess Limitations

• Protocols with Embedded IPv4 Addresses

• Applications with Hard Coded IPv4 Addresses

• IP Protocol Communication

Client Compatibility Issues

DIRECTACCESS

28

29

30

31

32

33

34

35

DIRECTACCESS

36

Client Control

Controlling With Group Policy

Controlling The Group Policy

•

•

•

•

•

•

• Intune • System Center Config Manager w/Intune

43

Client Control

Windows Intune Alone

44

SCCM With Windows Intune

45

User Actions

Company portal actions available

to users From Windows 8.1 Preview From Windows Phone 8 From iOS From Android

Enroll device. Yes Yes Yes No

Retire local device. Yes Yes No No

Wipe mobile devices remotely. Yes No No No

Install line-of-business apps. Yes Yes Yes Yes

Install apps from the store that the

device connects to for Windows

Store, Windows Phone Store,

App Store, or Google Play.

Yes Yes Yes Yes

Administrator Management Options

Management tasks Windows RT Windows Phone 8 iOS Android

Device life cycle management

such as the ability to retire, wipe,

remote wipe, remove, and block

devices.

Yes Yes Yes No

Compliance settings that include

settings for password settings,

email management, security,

roaming, encryption, and

wireless communication.

Yes Yes Yes No

Line-of-business app

management.Yes Yes Yes Yes

App installation from the store

that the device connects to

(Windows Store, Windows Phone

Store, App Store, Google Play).

Yes Yes Yes Yes

Hardware inventory. Yes Yes Yes No

Why Use Intune

• Get Controll

• Office365 Exchange Integration (built-in connector)

• On Premies Active Directory Integration

• SCCM Integration

48

Why Use Configuration Manager?

• One Interface

o Servers

o Computers

o Tablet

o Phones

• Line-Of-Business Apps Sideloading

• Extended Features

o Multipe Client settings

o Wipe Company Content (Sideloaded App And Stuff Controlled By SCCM)

49

50

SCCM Mobile Management

51

SCCM Or Intune Mobile Management

Hardware Inventory Not Available With The Exchange Server Connector

52

Hardware Inventory Class Windows Phone 8 Windows RT iOS

Serial Number Not applicable Not applicable Device_ComputerSystem.SerialNumber

Build Version Not applicable Win32_OperatingSystem.BuildNumber Not applicable

Service Pack Major Version Not applicableWin32_OperatingSystem.ServicePackMajorVersi

onNot applicable

Operating System Language Device_OSInformation.Language Not applicable Not applicable

Total Storage Space Not applicable Win32_PhysicalMemory.Capacity Device_Memory.DeviceCapacity

Free Storage Space Not applicable Win32_OperatingSystem.FreePhysicalMemory Device_Memory.AvailableDeviceCapacity

Mobile Equipment Identifier (MEID) Not applicable Not applicable Device_ComputerSystem.MEID

Manufacturer Device_ComputerSystem.DeviceManufacturer Win32_ComputerSystem.Manufacturer Not applicable

Cellular Technology Not applicable Not applicable Device_ComputerSystem.CellularTechnology

Wi-Fi MAC Not applicable Win32_NetworkAdapter.MACAddress Device_WLAN.WiFiMAC

5

3