MVP Roadshow 2015
Enterprise Mobility Suite
Key Takeaways
Why is mobile management important?
What is EMS and why do you need it in your Enterprise?
How do we configure and get started with EMS?
© EG A/S 2
Ronni Pedersen
Microsoft MVP: Enterprise Client Management
Senior Infrastructure Architect
Founder: System Center User Group Denmark
Microsoft Certified Trainer
Microsoft TechNet Moderator
Twitter: https://twitter.com/ronnipedersen
Blog: http://www.ronnipedersen.com/
Mail: Ronni.Pedersen@eg.dk
Kenny Buntinx
Managing Consultant
Kenny.Buntinx@kbsolutions.be
https://twitter.com/KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
Demo Environment
Powered by Hyper-V in the Cloud
DC01
Domain Controller
DNS Server
DHCP Server
CLIENT02
Windows 10 TP
CM01
SQL 2012
ConfigMgr 2012 R2
CLIENT01
Windows 8.1
MDT01
Enterprise Mobility Suite
2015 Enterprise Mobility Predictions
Say goodbye to BYOD
Say Hello to Data Protection
Organizations will generally have three types of devices
Employee Owned, Company Managed (EOCM)
Company Owned, Company Managed (COCM)
Company Owned, Company Dictated (COOD)
Source:
http://simon-may.com/yet-another-predictions-post-mobility-2015/
• SCCM is the undisputed winner of PC Mgmt w/ >70% share
• You need to look into an MDM solution today
• We believe Microsoft is the long-term winner
Growth is all in Mobile Devices
[Chart: Device Shipments (MM), three series over six periods (labelled Series1, Series2 and Series3 in the original). Extracted data series: 349, 315, 296, 294, 293, 292; 725, 1,010, 1,131, 1,283, 1,434, 1,579; 162, 231, 270, 308, 340, 368. Source: IDC]
Licensing
Microsoft Intune (Standalone)
Enterprise Mobility Suite
Microsoft Intune
Azure Active Directory Premium
Azure Rights Management
Enterprise Cloud Suite
Enterprise Mobility Suite
Office 365 Enterprise E3
Windows Software Assurance (Per
http://www.microsoft.com/licensing/about-licensing/briefs/enterprise-cloud-suite.aspx
Enterprise Mobility Suite
Microsoft Intune
Mobile and Device Management
Azure Active Directory Premium
Hybrid Identity Management
Azure Rights Management
Information Protection
Microsoft Intune
Mobile Device Management
Windows, Windows Phone, iOS and Android
Policy and Application Management
Compliance reporting
Conditional Access to resources
Selective Wipe Devices
Hybrid / Cloud solution
Azure Active Directory Premium
Active Directory in the cloud
Federation and identity provisioning
Centrally managed identities
Synchronization
Single User Identity (SSO)
Monitor and protect access to cloud apps
Authentication and Security reports
Multi-Factor Authentication (MFA)
Empower end users
Self-Service password reset
Microsoft Rights Management
Encrypt and control
Documents
Mails
Prevent unwanted viewing, printing or access to corporate data
Getting Started with Intune
Setting up the environment
Subscription requirements
Process Overview
Prepare
• Create Accounts for cloud services
• Create Subscriptions
Deploy
• Add Public DNS
• Configure AD Users with Public Domain UPNs
• Deploy and Configure Azure AD Sync
Configure
• Configure Configuration Manager for Mobile Device Management
• Configure Device Enrolment
Create accounts for the cloud
Start by creating dedicated admin accounts:
Microsoft account: https://signup.live.com/
Apple ID: https://appleid.apple.com/account
Google account: https://accounts.google.com/Signup
Create the trial subscriptions
Microsoft Office 365:
http://aka.ms/ITcampO365Trial
Microsoft Intune:
http://aka.ms/tryintune
Microsoft Azure Active Directory (AD) Premium:
http://azure.microsoft.com/en-us/pricing/free-trial
Azure Rights Management:
https://manage.windowsazure.com
DEMO
Create accounts and subscriptions
Azure AD Sync and ADFS
Connect your Active Directory to the Cloud
Domain, DNS, and UPN management
[Diagram, reconstructed from the slide: Active Directory on the left (domain name contoso.com, default UPN suffix @contoso.com), Windows Azure AD on the right (default domain contoso.onmicrosoft.com, accounts created as @contoso.onmicrosoft.com). Example user Tony Allen.]
Recommended option: add the external domain contoso.com to Azure AD and synchronise with directory synchronization, so that Tony Allen is tonyallen@contoso.com on both sides.
Alternative approach: add the UPN suffix contoso.onmicrosoft.com to Active Directory and change the UPNs to it, so that Tony Allen is tonyallen@contoso.onmicrosoft.com on both sides.
In either case the user name and UPN must match.
Planning for Azure AD Sync
(DirSync) / ADFS
Azure AD Sync with Hash
The password hash is stored in Azure
Azure AD Sync without the Hash
Passwords are stored in Azure
Multiple user IDs and passwords
Azure AD Sync without the Hash + ADFS
Requires a wildcard certificate
Passwords are only stored in AD
Azure AD Sync Accounts
Create dedicated accounts for Azure AD Sync:
Azure AD: AzureSync@domain.onmicrosoft.com
On-Prem AD: DOMAIN\SA-AzureADSync
Disable password expiry on Sync Account
# Prompt once for the tenant admin credential and reuse it for both sessions
$MsolCredential = Get-Credential
# Remote Exchange Online session (the parameters were wrapped across lines on the slide)
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $MsolCredential -Authentication Basic -AllowRedirection
Import-PSSession $ExchangeSession
# Azure AD (MSOnline module) session, then clear password expiry on the sync account
Connect-MsolService -Credential $MsolCredential
Set-MsolUser -UserPrincipalName 365Sync@domain.onmicrosoft.com -PasswordNeverExpires $true
DEMO
Setting up Azure AD Sync
Single management console for IT admins
Is your ConfigMgr Environment ready for UDM?
Cumulative Update 4
http://support.microsoft.com/kb/3026739
Why CUs Matter?
http://blogs.technet.com/b/configmgrteam/archive/2015/02/26/updates-for-managing-mobile-devices-with-configuration-manager-and-microsoft-intune.aspx
http://scug.be/sccm/2014/12/29/hybrid-scenarios-with-system-center-configuration-manager-2012-r2-windows-intune-adfs-wap-ndes-workplace-join-hotfixes-you-really-need-in-your-environment/
DEMO
Configuring Microsoft Intune
Single management console for IT admins
Company Portal(s)
Company portal self-service experience
Consistent experience across:
Windows
Windows Phone
Android
iOS
Discover and install corporate apps
Manage devices and data
Customizable terms and conditions
Ability to contact IT
Force the Policy refresh
Mobile Device – Portals
All portals offer the same experience
(except for Windows Phone)
Device Enrollment
Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and the cloud.
[Diagram labels: DirSync w/ Pwd Sync, Connector, Internal Connector]
Expanding device support with Workplace Join
[Diagram: device states Not Joined to AD, Workplace Joined and Domain Joined, with the labels Limited access, No IT Control and Active Directory]
Lost Device Protection
Devices registered via Workplace Join are registered within Active Directory in the container CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.
Lost devices can be denied access by disabling or deleting the appropriate object within AD. Access through AD FS is immediately revoked for the workplace-joined client.
From testing thus far, devices that are joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.
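The disable and clean-up steps the slide leaves to "some PowerShell scripting", as an added example that is not the deck's own code and not the Workplace Join Hitman tool. It assumes the ActiveDirectory RSAT module, the slide's placeholder container DN, and the msDS-Device attribute names msDS-DeviceID, msDS-IsEnabled and msDS-ApproximateLastLogonTimeStamp from the Windows Server 2012 R2 schema; the device name in the usage lines is constructed.

```powershell
# Added example (not from the slide deck): inspect Workplace Join device objects in
# CN=RegisteredDevices, disable the object of a lost device, and list the stale
# duplicates that re-registration leaves behind.
Import-Module ActiveDirectory

# Placeholder domain taken from the slide; replace with the real forest root
$RegisteredDevicesDn = 'CN=RegisteredDevices,DC=mydomain,DC=com'

function Get-WorkplaceJoinedDevice {
    # One record per msDS-Device object (one Workplace Joined registration) in the container
    param([string]$SearchBase = $RegisteredDevicesDn)

    $props = @(
        'displayName', 'msDS-DeviceID', 'msDS-IsEnabled',
        'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'
    )
    Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msDS-Device)' -Properties $props |
        ForEach-Object {
            # msDS-DeviceID is an octet string holding the device GUID (assumed attribute name)
            $deviceId = $null
            if ($_.'msDS-DeviceID') {
                $deviceId = New-Object System.Guid -ArgumentList @(,[byte[]]$_.'msDS-DeviceID')
            }
            # FILETIME large integer; 0 means the device never authenticated through AD FS
            $lastLogon = $null
            if ($_.'msDS-ApproximateLastLogonTimeStamp') {
                $lastLogon = [datetime]::FromFileTime($_.'msDS-ApproximateLastLogonTimeStamp')
            }
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                DeviceName        = $_.displayName
                DeviceId          = $deviceId
                Enabled           = [bool]$_.'msDS-IsEnabled'
                LastLogon         = $lastLogon
                Created           = $_.whenCreated
            }
        }
}

function Disable-LostWorkplaceJoinedDevice {
    # The "disable the object" step from the slide: clears msDS-IsEnabled on every object
    # registered under the lost device's name, after which AD FS no longer honours the
    # registration. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DeviceName,
        [string]$SearchBase = $RegisteredDevicesDn
    )
    $targets = @(Get-WorkplaceJoinedDevice -SearchBase $SearchBase |
                 Where-Object { $_.DeviceName -eq $DeviceName })
    if ($targets.Count -eq 0) {
        throw "No Workplace Joined device named '$DeviceName' under $SearchBase"
    }
    foreach ($device in $targets) {
        if ($PSCmdlet.ShouldProcess($device.DistinguishedName, 'Set msDS-IsEnabled = FALSE')) {
            Set-ADObject -Identity $device.DistinguishedName -Replace @{ 'msDS-IsEnabled' = $false }
        }
    }
}

function Get-StaleWorkplaceJoinedDevice {
    # A device that leaves and re-registers gets a new object and the old one stays behind
    # (the slide's observation). For each device name with more than one object, return
    # all but the most recently created one so they can be reviewed and removed.
    param([string]$SearchBase = $RegisteredDevicesDn)
    Get-WorkplaceJoinedDevice -SearchBase $SearchBase |
        Group-Object -Property DeviceName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object -Property Created -Descending | Select-Object -Skip 1 }
}

# Usage: review first, then act with confirmation. 'TONYALLEN-SURFACE' is a constructed name.
Get-WorkplaceJoinedDevice | Format-Table DeviceName, DeviceId, Enabled, LastLogon, Created
Disable-LostWorkplaceJoinedDevice -DeviceName 'TONYALLEN-SURFACE' -WhatIf
Get-StaleWorkplaceJoinedDevice |
    ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm }
```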
As a side note…
ADFS with Workplace join?
Windows Phone 8.1 requires GDR 2
v 8.10.14192.280
Mobile Device – Personal vs Corporate
App Management
• By default, user-enrolled devices are “Personal”
• Complete inventory of all apps on the device only when set to Corporate
• Only the admin can specify corporate-owned devices!
Personal vs. Corporate Owned Devices
Collecting IMEI from devices
Retrieve International Mobile Equipment Identity (IMEI)
Through custom MOF
Windows Phone 8.1
Full Details:
http://blogs.technet.com/b/configmgrteam/archive/2014/07/30/collecting-imei-from-devices-enrolled-in-windows-intune-with-sc-2012-r2-configmgr.aspx
DEMO
Enrollment Walkthrough / Workplace Join / Lost Devices
Workplace Join Hitman tool
Beta available via TechNet Galleries:
http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238#content
Settings Management
Key Concepts
Mobile device setting categories
Category | Win 8.1 PC & RT | Windows Phone 8.1 | iOS | Android/KNOX | Exchange ActiveSync
Password ● ● ● ●
Encryption ● ● ●
Malware ●
System Settings ● ● ● ●
Cloud ● ●
Windows Server Work Folders ●
Accounts and Sync ● ●
Email ● ● ●
Browser ● ● ● ●
Store Applications & Gaming ● ● ●
Device Hardware ● ● ●
Device Cellular/Roaming ● ● ●
Device Features ● ● ●
DEMO
Settings Management
Intune Extensions
Configuration Manager Extensions for Intune
Rapid delivery of Configuration Manager features to support new Mobile Device Management features through Microsoft Intune.
Updates are automatically downloaded and optionally enabled through the admin console.
1. Admin is notified that an extension is available when the console is launched.
2. Admin goes to Extensions for Intune in the console and enables the extension.
3. Extension is activated in ConfigMgr (the extension enables on all site systems, then console updates are available).
4. Admin restarts the console, and the console is updated with the extension.
5. Admin uses the feature delivered by the extension.
6. Admin may wish to disable the extension.
As a side note …
Permissions!
Local Admin Required
Security Scope: All Instances
See:
http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/
Extending Settings Management Through OMA-DM
OMA-DM
Specification designed for management of mobile devices
• Mobile Phones
• PDAs
• Tablets
Supports the following use-case scenarios
• Provisioning – Configuration of the device (including first-time use), enabling and disabling features
• Device Configuration – Allow changes to settings and parameters of the device
• Software Upgrades – Provide for new software and/or bug fixes to be loaded on the device, including applications and system software
• Fault Management – Report errors from the device, query the status of the device
OMA-DM for WP8.1:
• http://technet.microsoft.com/en-us/library/dn499787.aspx
DEMO
Extending Settings Management
Business Scenario
At a customer during a Windows Intune UDM proof of concept:
The customer was ordering 1000 corporate-owned (COPE) Nokia Lumia 630 Windows Phones.
He wanted us to provide the option that, when the ‘device owner’ in CM12 R2 is set to “corporate”, a user can’t unenroll a “corporate” device.
Unless you are the ConfigMgr 2012 MDM admin, you can’t.
Read the full story here:
http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/
Solution Outline
• Create configuration item “Deny WP8.1 MDM UnEnrollment”
• Select the checkbox ‘Configure additional settings that are not in the default settings groups’
• Hit the “Create Setting” tab.
1. Give it a Name
2. Settings Type: OMA-URI
3. Data Type: Integer
4. OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
• Highlight your recently created ‘Deny MDM Unenrollment’ and hit the ‘Select’ button
1. Rule Type: Value
2. Data Type: 0 (0 = un-enroll not allowed / 1 = un-enroll allowed)
3. Set ‘Remediate noncompliant rules when supported’
4. Set Noncompliance severity for reports to ‘Warning’
• Create the baseline
• Create the collection
• Deploy the baseline
• Wait 5 minutes
Resource Access Configuration
Resource Access Configuration
Benefits
• End users get access to company resources with no manual steps for them
Features*
• Configure VPN profiles
• Support for Windows 8.1 Automatic VPN
• Wi-Fi protocol and authentication settings
• Email account profiles
• Management and distribution of certificates
• Conditional Access
VPN Profile Management
Automatic VPN connection: DNS name-based initiation support for Windows 8.1 and iOS; Application ID-based initiation support for Windows 8.1
Support for VPN standards: PPTP, L2TP, IKEv2
Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 (a subset of vendors have a Windows VPN plug-in)
Wi-Fi and Certificate Profiles
Manage and distribute certificates
Deploy trusted root certificates
Support for Simple Certificate Enrollment Protocol (SCEP)
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that devices can auto-connect to
Specify the certificate to be used for the Wi-Fi connection
Wi-Fi Settings
DEMO
Resource Access Configurations
N-What ? NDES ? SCEP ??? WTH …
Certificate Profiles
Manage and distribute certificates
Deploy trusted root certificates
Support for Simple Certificate Enrollment Protocol (SCEP)
This is not a next, next, finish configuration
Certificate enrollment via NDES
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
Why CU’s Matter (again)
CU4 improvements for NDES
Target to user instead of devices
> Ensures fastest delivery
Pre CU3 templates need to be recreated
> Re-targeting from device to user is not sufficient
As a side note …
Certificate deployment to iOS 8
Required modification to template:
Remove Signature in proof of origin
See:
http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/
As a side note … (2)
User-based certificate deployment to iOS 8
Required modification to “subject name format” for user deployments: only “Common name” is supported
DEMO
Certificate deployment
End result:
Custom iOS policy
Application Management
Mobile Application Management
Personal apps
Mobile Application Management
Conditional access for Office 365
DEMO
Mobile Application Management
Allow or block apps
Prevent unauthorized apps from being used on devices
Business Scenario
http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/
Solution Outline
• Create configuration item “Deny Windows Phone Apps”
• Select the checkbox ‘Configure additional settings that are not in the default settings groups’
• Hit the “Create Setting” tab.
- Give it a Name
- Settings Type: OMA-URI
- Data Type: String
- OMA-URI: ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
- Value (straight quotes; the slide's copy had smart quotes, which the device rejects as malformed XML):
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{2e59d843-22e4-4df1-869e-22adadb8005b}"/></Deny></AppPolicy>
• Highlight your recently created ‘Deny Windows Phone Apps’ and hit the ‘Select’ button
- Rule Type: Value
- Data Type: 0 (0 = application not allowed / 1 = application allowed)
- Set ‘Remediate noncompliant rules when supported’
- Set Noncompliance severity for reports to ‘Warning’
• Create the baseline
• Create the collection
• Deploy the baseline
• Wait 5 minutes
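The AppPolicy value from the solution outline above, generated and checked in code, as an added example that is not the deck's or the blog post's own code. The example's author assumes the Windows Phone policy namespace http://schemas.microsoft.com/phone/2013/policy (the slide's copy of that URL carries a proxy prefix), an optional <Allow> list beside <Deny>, and brace-formatted Store ProductId GUIDs; the ProductId used is the one from the slide.

```powershell
# Added example (not from the slide deck): build the AppPolicy XML for the
# ApplicationRestrictions OMA-URI through an XmlWriter, so quoting, escaping and the
# namespace are right, then parse it back to confirm which ProductIds are denied.
$PolicyNamespace = 'http://schemas.microsoft.com/phone/2013/policy'   # assumed namespace

function New-WpAppRestrictionPolicy {
    param(
        [Parameter(Mandatory = $true)][string[]]$DenyProductId,
        [string[]]$AllowProductId = @()
    )

    # Reject anything that is not a GUID before it can reach a device policy
    foreach ($id in @($DenyProductId) + @($AllowProductId)) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a valid ProductId GUID: $id" }
    }

    $sb = New-Object System.Text.StringBuilder
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.OmitXmlDeclaration = $true            # the setting value is a bare element
    $writer = [System.Xml.XmlWriter]::Create($sb, $settings)

    $writer.WriteStartElement('AppPolicy', $PolicyNamespace)
    $writer.WriteAttributeString('Version', '1')

    # Writes <Allow> or <Deny> with one <App ProductId="{...}"/> per id; skipped when empty
    $writeList = {
        param($Name, $Ids)
        if (@($Ids).Count -eq 0) { return }
        $writer.WriteStartElement($Name, $PolicyNamespace)
        foreach ($id in $Ids) {
            $writer.WriteStartElement('App', $PolicyNamespace)
            $writer.WriteAttributeString('ProductId', ([guid]$id).ToString('B'))   # {lower-case} form
            $writer.WriteEndElement()
        }
        $writer.WriteEndElement()
    }
    & $writeList 'Allow' $AllowProductId
    & $writeList 'Deny'  $DenyProductId

    $writer.WriteEndElement()                       # </AppPolicy>
    $writer.Flush()
    $writer.Close()
    return $sb.ToString()
}

function Get-WpAppRestrictionDenyList {
    # Parses the value back the way a strict consumer would and returns the denied
    # ProductIds; a mangled quote or wrong namespace fails here rather than showing up
    # later as a silently non-compliant device in the console.
    param([Parameter(Mandatory = $true)][string]$PolicyXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PolicyXml)
    if ($doc.DocumentElement.LocalName -ne 'AppPolicy' -or
        $doc.DocumentElement.NamespaceURI -ne $PolicyNamespace) {
        throw 'Root element is not AppPolicy in the phone policy namespace'
    }
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('p', $PolicyNamespace)
    foreach ($attr in $doc.SelectNodes('/p:AppPolicy/p:Deny/p:App/@ProductId', $nsm)) { $attr.Value }
}

# The slide's deny rule, followed by a round trip through the parser
$policyXml = New-WpAppRestrictionPolicy -DenyProductId '{2e59d843-22e4-4df1-869e-22adadb8005b}'
$policyXml                                          # paste as the OMA-URI setting's value
Get-WpAppRestrictionDenyList -PolicyXml $policyXml
```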
WorkFolders
Work Folders
Simple access to corporate data
• Enable offline access to files and folders stored on a Windows Server 2012 R2 file server
• Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems as well
• Leverages web protocols (HTTP) for easy synchronization through firewalls
• A complement to OneDrive and OneDrive for Business
Make corporate data available to users with Work Folders
https://support.microsoft.com/kb/2891638
Windows 7 support
1. Must be joined to the domain
2. Install the Work Folders client
iPad support
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
DEMO
Work Folders
Corporate Data Removal
Full Wipe vs. Selective Wipe
Options for corporate data removal
Selective wipe for business data
DEMO
Selective/Full Wipe
Questions
Getting started with the Enterprise Mobility Suite (EMS)

  • 2. Key Takeaways Why is mobile management important? What is EMS and why do you need it is your Enterprise? How do we configure and get started with EMS? © EG A/S 2
  • 3. Ronni Pedersen Microsoft MVP: Enterprise Client Management Senior Infrastructure Architect Founder: System Center User Group Denmark Microsoft Certified Trainer Microsoft TechNet Moderator Twitter: https://twitter.com/ronnipedersen Blog: http://www.ronnipedersen.com/ Mail: Ronni.Pedersen@eg.dk © EG A/S 3
  • 4. Kenny Buntinx Managing Consultant Kenny.Buntinx@kbsolutions.be © EG A/S https://twitter.com/KennyBuntinx http://be.linkedin.com/KennyBuntinx http://scug.be/blogs/sccm
  • 5. Demo Environment Powered by Hyper-V in the Cloud DC01 Domain Controller DNS Server DHCP Server CLIENT02 Windows 10 TP CM01 SQL 2012 ConfigMgr 2012 R2 CLIENT01 Windows 8.1 MDT01
  • 7. 2015 Enterprise Mobility Predictions Say goodbye to BOYD Say Hello to Data Protection Organizations will generally have three types of devices Employee Owned, Company Managed (EOCM) Company Owned, Company Managed (COCM) Company Owned, Company Dictated (COOD) Source: http://simon-may.com/yet-another-predictions-post-mobility-2015/ © EG A/S 7
  • 8. • SCCM is undisputed winner of PC Mgmt w/ >70% share • You need to look into a MDM solution today • We believe Microsoft is the long-term winner Growth is all in Mobile Devices 349 315 296 294 293 292 725 1,010 1,131 1,283 1,434 1,579 162 231 270 308 340 368 0 500 1,000 1,500 2,000 2,500 1 2 3 4 5 6 Series3 Series2 Series1 Devices Shipments (MM) Source: IDC
  • 9. Licensing Microsoft Intune (Standalone) Enterprise Mobility Suite Microsoft Intune Azure Active Directory Premium Azure Rights Management Enterprise Cloud Suite Enterprise Mobility Suite Office 365 Enterprise E3 Windows Software Assurance (Per http://www.microsoft.com/licensing/about- licensing/briefs/enterprise-cloud-suite.aspx © EG A/S 9
  • 10. Enterprise Mobility Suite Microsoft Intune Mobile and Device Management Azure Active Directory Premium Hybrid Identity Management Azure Rights Management Information Protection © EG A/S 10
  • 11. Microsoft Intune Mobile Device Management Windows, Windows Phone, IOS and Android Policy and Application Management Compliance reporting Conditional Access to resources Selective Wipe Devices Hybrid / Cloud solution © EG A/S 11
  • 12. Azure Active Directory Premium Active Directory in the cloud Federation and identity provisioning Centrally managed identities Synchronization Single User Identity (SSO) Monitoring and protect access to cloud apps Authentication and Security reports Multi-Factor Authentication (MFA) Empower end Users Self-Service password reset © EG A/S 12
  • 13. Microsoft Rights Management Encrypt and control Documents Mails Prevent unwanted viewing/printing or access to Corporate data © EG A/S 13
  • 14. Getting Started with Intune Setting up the environment
  • 16. Process Overview Prepare • Create Accounts for cloud services • Create Subscriptions Deploy • Add Public DNS • Configure AD Users with Public Domain UPNs • Deploy and Configure Azure AD Sync Configure • Configure Configuration Manager for Mobile Device Management • Configure Device Enrolment © EG A/S 16
  • 17. Create accounts for the cloud Start by creating dedicated admin accounts: Microsoft account: https://signup.live.com/ Apple ID: https://appleid.apple.com/account Google account: https://accounts.google.com/Signup © EG A/S 17
  • 18. Create the trial subscriptions Microsoft Office 365: http://aka.ms/ITcampO365Trial Microsoft Intune: http://aka.ms/tryintune Microsoft Azure Active Directory (AD) Premium: http://azure.microsoft.com/en-us/pricing/free-trial Azure Rights Management: https://manage.windowsazure.com © EG A/S 18
  • 19. DEMO Create accounts and subscriptions
  • 20. Azure AD Sync and ADFS Connect your Active Directory to the Cloud
  • 21. Domain, DNS, and UPN management 21 Tony Allen tonyallen@contoso.com Add external domain contoso.com tonyallen@contoso.onmicrosoft.com Tony Allen tonyallen@contoso.com tonyallen@contoso.onmicrosoft.com Add UPN suffix to Active Directory contoso.onmicrosoft.com Change UPNs toSynchronise with Directory synchronization Alternative approachRecommended option User name and UPN must match Active Directory Windows Azure AD contoso.onmicrosoft.comcontoso.com Default domain Default UPN suffix Domain name @contoso.com @contoso.onmicrosoft.comAccounts created as
  • 22. Planning for Azure AD Sync (DirSync) / ADFS Azure AD Sync with Hash The Password hash is stored in Azure Azure AD Sync without the Hash Password are stored in Azure Multiple user ID and password Azure AD Sync without the hash + ADFS Requires wildcard certificate Passwords are only stored in AD © EG A/S 22
  • 23. Azure AD Sync Accounts Create a dedicated Accounts for Azure AD Sync Azure AD: AzureSync@domain.onmicrosoft.com On-Prem: AD: DOMAINSA-AzureADSync © EG A/S 23
  • 24. Disable password expiry on Sync Account $MsolCredential = get-credential $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange - ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $MsolCredential -Authentication Basic -AllowRedirection Import-PSSession $ExchangeSession Connect-MsolService -Credential $MsolCredential Set-MsolUser -UserPrincipalName 365Sync@domain.onmicrosoft.com - PasswordNeverExpires $true © EG A/S 24
  • 26. Single management console for IT admins © EG A/S 26
  • 27. Is your ConfigMgr Environment ready for UDM? Cumulative Update 4 http://support.microsoft.com/kb/3026739 Why CU’s Matter? http://blogs.technet.com/b/configmgrteam/archiv e/2015/02/26/updates-for-managing-mobile- devices-with-configuration-manager-and- microsoft-intune.aspx http://scug.be/sccm/2014/12/29/hybrid-scenarios- with-system-center-configuration-manager-2012- r2-windows-intune-adfs-wap-ndes-workplace- join-hotfixes-you-really-need-in-your- environment/ © EG A/S
  • 29. Single management console for IT admins © EG A/S 29
  • 31. Company portal self-service experience Consistent experience across: Windows Windows Phone Android iOS Discover and install corporate apps Manage devices and data Customizable terms and conditions Ability to contact IT Force the Policy refresh © EG A/S 3131
  • 32. Mobile Device – Portals All portals offer the same experience (except for Windows Phone)
• 34. Enrolling Devices. Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications. Data from Windows Intune is in sync with Configuration Manager, which provides unified management across both on-premises and the cloud. (Diagram labels: DirSync with password sync, Intune connector, internal connector.)
• 35. Expanding device support with Workplace Join. Three tiers of device trust against Active Directory: not joined to AD (limited access, no IT control), Workplace Joined (device registered in AD, conditional access possible), and domain joined (full IT control).
• 36. Lost Device Protection. Devices registered via Workplace Join are registered within Active Directory in the container CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com. Lost devices can be denied access by disabling or deleting the appropriate object within AD; access through AD FS is immediately revoked for the workplace joined client. From testing thus far, devices joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container, so some PowerShell scripting is currently required to enforce this.
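The "some PowerShell scripting" the slide mentions looks roughly like the following. This is an added example, not code from the deck: one function disables the registration object of a lost device (disable rather than delete, so the object and its registered owner stay available for the incident record), and one removes the stale duplicates left behind when a device leaves and re-registers, keeping only the newest object per device name and owner. It assumes the container DN from the slide, that the objects are of class msDS-Device, and the attribute names msDS-IsEnabled and msDS-RegisteredOwner; the device name is a placeholder.

```powershell
# Added example (not from the deck): disable the AD object of a lost Workplace
# Joined device, and remove stale duplicate registrations. Assumes the objects live
# under CN=RegisteredDevices,DC=mydomain,DC=com (as on the slide), are of class
# msDS-Device, and carry msDS-IsEnabled / msDS-RegisteredOwner (attribute names
# assumed here); domain and device names are placeholders.
Import-Module ActiveDirectory

$RegisteredDevices = 'CN=RegisteredDevices,DC=mydomain,DC=com'

function Get-WorkplaceJoinedDevice {
    param([string]$DisplayName = '*', [string]$SearchBase = $RegisteredDevices)
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter "(&(objectClass=msDS-Device)(displayName=$DisplayName))" `
        -Properties displayName, whenCreated, 'msDS-IsEnabled', 'msDS-RegisteredOwner', 'msDS-DeviceOSType'
}

# Lost device: disable, do not delete. AD FS stops issuing tokens to the device,
# while the object (and who registered it) remains for the incident record.
function Disable-WorkplaceJoinedDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    foreach ($dev in Get-WorkplaceJoinedDevice -DisplayName $DisplayName) {
        if ($PSCmdlet.ShouldProcess($dev.DistinguishedName, 'Disable device registration')) {
            Set-ADObject -Identity $dev.DistinguishedName -Replace @{ 'msDS-IsEnabled' = $false }
        }
    }
}

# Cleanup: a device that left and re-registered leaves its old object behind.
# Group by device name + registered owner, keep the newest, remove the rest.
function Remove-StaleWorkplaceJoinRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = $RegisteredDevices)
    $groups = Get-WorkplaceJoinedDevice -SearchBase $SearchBase |
        Group-Object -Property { "$($_.displayName)|$($_.'msDS-RegisteredOwner')" } |
        Where-Object { $_.Count -gt 1 }
    foreach ($g in $groups) {
        $stale = $g.Group | Sort-Object whenCreated -Descending | Select-Object -Skip 1
        foreach ($dev in $stale) {
            if ($PSCmdlet.ShouldProcess($dev.DistinguishedName, 'Remove stale registration')) {
                Remove-ADObject -Identity $dev.DistinguishedName -Confirm:$false
            }
        }
    }
}

# Usage: rehearse with -WhatIf, then run for real.
Disable-WorkplaceJoinedDevice -DisplayName 'LUMIA-TONY' -WhatIf
Remove-StaleWorkplaceJoinRegistration -WhatIf
```

Run the cleanup from a scheduled task with an account that only has write rights on the RegisteredDevices container, and review the -WhatIf output the first time: a user who legitimately owns two devices with the same display name would otherwise lose the older registration.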
• 37. As a side note: AD FS with Workplace Join? Windows Phone 8.1 requires GDR2 (version 8.10.14192.280).
• 38. Mobile Device: Personal vs Corporate App Management
- By default, user-enrolled devices are "Personal".
- A complete inventory of all apps on the device is collected only when the device is set to "Corporate".
- Only the admin can mark devices as corporate-owned.
• 39. Collecting IMEI from devices. Retrieve the International Mobile Equipment Identity (IMEI) from Windows Phone 8.1 devices through a custom MOF (hardware inventory extension). Full details: http://blogs.technet.com/b/configmgrteam/archive/2014/07/30/collecting-imei-from-devices-enrolled-in-windows-intune-with-sc-2012-r2-configmgr.aspx
  • 40. DEMO Enrollment Walkthrough / Workplace Join / Lost Devices
  • 41. Workplace Join Hitman tool Beta available via TechNet Galleries: http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238#content
• 44. Mobile device setting categories. Columns: Win 8.1 PC & RT | Windows Phone 8.1 | iOS | Android/KNOX | Exchange ActiveSync. Each ● marks a platform on which the category applies; the column alignment was lost in extraction, so only the number of supported platforms per category is recoverable:
Password: ● ● ● ●
Encryption: ● ● ●
Malware: ●
System Settings: ● ● ● ●
Cloud: ● ●
Windows Server Work Folders: ●
Accounts and Sync: ● ●
Email: ● ● ●
Browser: ● ● ● ●
Store, Applications & Gaming: ● ● ●
Device Hardware: ● ● ●
Device Cellular/Roaming: ● ● ●
Device Features: ● ● ●
• 47. Configuration Manager Extensions for Intune. Rapid delivery of Configuration Manager features to support new Mobile Device Management features through Microsoft Intune. Updates are automatically downloaded and optionally enabled through the admin console:
1. Admin is notified that an extension is available when the console is launched.
2. Admin goes to Extensions for Intune in the console and enables the extension.
3. The extension is activated in ConfigMgr (it is enabled on all site systems first; then the console update becomes available).
4. Admin restarts the console, which is updated with the extension.
5. Admin uses the feature delivered by the extension.
6. Admin may later wish to disable the extension.
• 48. As a side note: permissions! Enabling an extension requires local admin rights on the console machine, and the ConfigMgr administrative user needs the "All Instances" security scope. See: http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/
• 50. OMA-DM. A specification designed for management of mobile devices (mobile phones, PDAs, tablets), supporting the following use case scenarios:
- Provisioning: configuration of the device (including first-time use), enabling and disabling features
- Device configuration: allow changes to settings and parameters of the device
- Software upgrades: provide for new software and/or bug fixes to be loaded on the device, including applications and system software
- Fault management: report errors from the device, query the status of the device
OMA-DM for Windows Phone 8.1: http://technet.microsoft.com/en-us/library/dn499787.aspx
• 52. Business Scenario. At a customer during a Windows Intune UDM proof of concept: the customer was ordering 1000 corporate-owned (COPE) Nokia Lumia 630 Windows Phones. He wanted the option that, when the device owner in CM12 R2 is set to "Corporate", a user can't unenroll that device from the phone itself. There is no switch for this in the console; the desired end state is that unless you are the ConfigMgr 2012 MDM admin, you can't unenroll it. Read the full story here: http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/
• 53. Solution Outline
- Create a (mobile device) configuration item "Deny WP8.1 MDM UnEnrollment".
- Tick "Configure additional settings that are not in the default settings groups" and click "Create Setting":
  1. Give it a name
  2. Setting type: OMA-URI
  3. Data type: Integer
  4. OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
- Highlight the new "Deny MDM Unenrollment" setting and click "Select" to create the compliance rule:
  1. Rule type: Value
  2. Value: 0 (0 = manual unenrollment not allowed, 1 = allowed)
  3. Tick "Remediate noncompliant rules when supported" (this is what actually writes the value to the device; without it the rule only reports)
  4. Noncompliance severity for reports: Warning
- Create the baseline, create the collection (the corporate-owned Windows Phone 8.1 devices), deploy the baseline, and wait for the next policy refresh (about 5 minutes).
• 55. Resource Access Configuration. Benefit: end users get access to company resources with no manual steps on their side. Features: configure VPN profiles; support for Windows 8.1 automatic VPN; Wi-Fi protocol and authentication settings; email account profiles; management and distribution of certificates; conditional access.
• 56. VPN Profile Management. DNS name-based initiation support for Windows 8.1 and iOS; application ID-based initiation support for Windows 8.1 (automatic VPN connection). Support for VPN standards: PPTP, L2TP, IKEv2. Support for major SSL VPN vendors: Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 (a subset of vendors have a Windows VPN plug-in).
• 57. Wi-Fi and Certificate Profiles. Certificates: manage and distribute certificates, deploy trusted root certificates, support for the Simple Certificate Enrollment Protocol (SCEP). Wi-Fi settings: manage Wi-Fi protocol and authentication settings, provision Wi-Fi networks the device can auto-connect to, specify the certificate to be used for the Wi-Fi connection.
  • 59. N-What ? NDES ? SCEP ??? WTH …
• 60. Certificate Profiles: manage and distribute certificates; deploy trusted root certificates; support for the Simple Certificate Enrollment Protocol (SCEP).
  • 61. This is not a next, next, finish configuration
• 62. Certificate enrollment via NDES
1. The certificate profile is deployed to the device, together with a one-time SCEP challenge obtained from the ConfigMgr certificate registration point (CRP).
2. The device generates its key pair and sends a SCEP request to the NDES server (published to the Internet through a reverse proxy such as Web Application Proxy, since enrolled devices are usually not on the corporate network).
3. The ConfigMgr policy module on NDES validates the challenge with the CRP, which also checks that the request matches the deployed profile.
4. NDES submits the request to the issuing CA; the certificate is issued and returned to the device.
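Before step 2 can work, the device must be able to reach NDES through the published URL and agree on SCEP capabilities, which is the first thing to verify when "this is not a next, next, finish configuration" goes wrong. The script below is an added example, not from the deck: it performs the two unauthenticated SCEP operations a client issues before the actual PKIOperation (GetCACaps and GetCACert), lists the advertised capabilities and the RA/CA certificates, and flags an expired RA certificate, a common cause of silent enrollment failure. The NDES host name is an assumption; run it from outside the corporate network against the externally published name.

```powershell
# Added example (not part of the deck): probe an NDES/SCEP endpoint the way a
# device does before sending its certificate request. The host name is an
# assumption; use the external (WAP/reverse-proxy) name that devices resolve.
# GetCACaps and GetCACert are the standard SCEP query operations.
$NdesUrl = 'https://ndes.contoso.com/certsrv/mscep/mscep.dll'

function Get-ScepCACaps {
    param([string]$Url = $NdesUrl)
    $wc = New-Object System.Net.WebClient
    $text = $wc.DownloadString("$Url?operation=GetCACaps")
    # One capability per line, e.g. POSTPKIOperation, SHA-2, AES
    ($text -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-ScepCACertChain {
    param([string]$Url = $NdesUrl)
    $wc = New-Object System.Net.WebClient
    $bytes = $wc.DownloadData("$Url?operation=GetCACert")
    # The response is a degenerate PKCS#7 that carries the RA (NDES) and CA certificates
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $chain.Import($bytes)
    $chain
}

function Test-NdesEndpoint {
    param([string]$Url = $NdesUrl)
    $caps  = Get-ScepCACaps -Url $Url
    $certs = Get-ScepCACertChain -Url $Url
    [pscustomobject]@{
        Url           = $Url
        Capabilities  = $caps -join ', '
        # Modern clients send the PKIOperation as an HTTP POST; the server must advertise it
        PostSupported = $caps -contains 'POSTPKIOperation'
        # NDES advertises SHA-2; other SCEP servers may use the SHA-256 keyword instead
        Sha2Supported = ($caps -contains 'SHA-2') -or ($caps -contains 'SHA-256')
        Subjects      = ($certs | ForEach-Object { $_.Subject }) -join '; '
        # An expired RA (exchange/signing) certificate makes every enrollment fail
        AnyExpired    = @($certs | Where-Object { $_.NotAfter -lt (Get-Date) }).Count -gt 0
    }
}

Test-NdesEndpoint | Format-List
```

If GetCACaps works internally but not through the reverse proxy, the profile will deploy and every device will fail at step 2; if the RA certificate has expired, the challenge is accepted but the CA rejects the request at step 4. Both show up here without touching a phone.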
• 63. Why CUs matter (again). CU4 improvements for NDES: certificate profiles can be targeted to users instead of devices, which ensures the fastest delivery. Templates created before CU3 need to be recreated; re-targeting an existing profile from device to user is not sufficient.
• 64. As a side note: certificate deployment to iOS 8 required a modification to the template: remove "Signature is proof of origin". See: http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/
• 65. As a side note (2): user-based certificate deployment to iOS 8 required a modification to the "subject name format" for user deployments: only "Common name" is supported.
• 67. End result:
• 68. Custom iOS policy
• 70. Mobile Application Management (diagram: corporate apps separated from personal apps)
• 72. Conditional access for Office 365 (numbered flow diagram; the steps are not recoverable from the extracted text)
• 74. Allow or block apps: prevent unauthorized apps from being used on devices.
• 75. Business Scenario: deny Windows Phone apps with Configuration Manager and Intune. http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/
• 76. Solution Outline
- Create a configuration item "Deny Windows Phone Apps".
- Tick "Configure additional settings that are not in the default settings groups" and click "Create Setting":
  - Give it a name
  - Setting type: OMA-URI
  - Data type: String
  - OMA-URI: ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
- Highlight the new "Deny Windows Phone Apps" setting and click "Select" to create the compliance rule:
  - Rule type: Value
  - Value: the AppPolicy XML as one line, listing the Store ProductId of each app to deny, for example:
    <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{2e59d843-22e4-4df1-869e-22adadb8005b}"/></Deny></AppPolicy>
  - Tick "Remediate noncompliant rules when supported"
  - Noncompliance severity for reports: Warning
- Create the baseline, create the collection, deploy the baseline, and wait for the next policy refresh (about 5 minutes).
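Hand-typing the AppPolicy XML into the rule value field is where this usually goes wrong (smart quotes, a missing brace around the ProductId, or a mistyped namespace make the phone ignore the policy). The following is an added example, not from the deck or the blog post: a function that generates the value from a list of ProductIds with the namespace and brace format fixed, validating each ID as a GUID, and a second function that reads an existing policy back so a deployed CI can be audited. The ProductId from the slide is used as the sample input; the Allow element that the same schema supports is deliberately left out since the deck only shows Deny.

```powershell
# Added example (not from the deck): build and read back the AppPolicy XML used as
# the value of the ApplicationRestrictions OMA-URI on Windows Phone 8.1. The
# ProductId below is the one quoted on the slide; the namespace is the one the
# phone policy schema uses.
$AppPolicyNs = 'http://schemas.microsoft.com/phone/2013/policy'

function New-WPAppRestrictionPolicy {
    param([Parameter(Mandatory = $true)][string[]]$DenyProductId)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.CreateElement('AppPolicy', $AppPolicyNs)
    $root.SetAttribute('Version', '1')
    $null = $doc.AppendChild($root)
    $deny = $doc.CreateElement('Deny', $AppPolicyNs)
    $null = $root.AppendChild($deny)
    foreach ($id in $DenyProductId) {
        # Accept the ID with or without braces, but reject anything that is not a GUID
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$guid)) { throw "Not a valid ProductId GUID: $id" }
        $app = $doc.CreateElement('App', $AppPolicyNs)
        # Store apps are identified by their ProductId in braces, as on the slide
        $app.SetAttribute('ProductId', '{' + $guid.ToString() + '}')
        $null = $deny.AppendChild($app)
    }
    # OuterXml is a single line, which is what the CI rule value field expects
    $doc.OuterXml
}

function Get-WPAppRestrictionDenyList {
    param([Parameter(Mandatory = $true)][string]$PolicyXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PolicyXml)   # throws on malformed XML, e.g. smart quotes
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('p', $AppPolicyNs)
    $doc.SelectNodes('/p:AppPolicy/p:Deny/p:App', $nsm) | ForEach-Object { $_.GetAttribute('ProductId') }
}

# Usage: generate the value for the CI, then read it back to confirm the deny list.
$policy = New-WPAppRestrictionPolicy -DenyProductId '2e59d843-22e4-4df1-869e-22adadb8005b'
$policy
Get-WPAppRestrictionDenyList -PolicyXml $policy
```

Paste the generated string into the rule value as-is; if the XML has been copied from a web page, run it through Get-WPAppRestrictionDenyList first, because the LoadXml call fails on the curly quotes that a browser or slide tool substitutes.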
• 78. Work Folders: simple access to corporate data
- Enable offline access to files and folders stored on a Windows Server 2012 R2 file server
- Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems as well
- Leverages web protocols (HTTPS) for easy synchronization through firewalls
- A complement to OneDrive and OneDrive for Business
  • 79. Make corporate data available to users with Work Folders
• 80. Windows 7 support (https://support.microsoft.com/kb/2891638): 1. the computer must be joined to the domain; 2. install the Work Folders client. iPad support: https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
  • 82. Corporate Data Removal Full Wipe vs. Selective Wipe
• 83. Options for corporate data removal
  • 84. Selective wipe for business data