Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.
Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by:
1. Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.
2. Helping protect your data by protecting corporate information and managing risk.
3. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure.
Let’s discuss each of these areas in more detail.
System Center 2012 R2 Configuration Manager (SCCM) with Windows Intune
1. System Center 2012 R2 Configuration Manager with Windows Intune
Amit Gatenyo
CEO, Dario
Microsoft Regional Director – Management & Windows Server
054-2492499
Amit.g@dario.co.il
2. Today’s challenges
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
Users: Users expect to be able to work in any location and have access to all their work resources.
3. Empowering People-centric IT: Management. Access. Protection.
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Protect your data: Help protect corporate information and manage risk.
Unify your environment: Deliver unified application and device management on-premises and in the cloud.
4. Selecting the Management Platform
Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune
Cloud-based Management: Standalone Windows Intune
• No existing Configuration Manager deployment
• Simplified policy control
• Simple web-based administration console
5. System Center 2012 R2 Configuration Manager
Enable Users: Allow people to be more productive from almost anywhere on almost any device.
Simplify Administration: Improve IT effectiveness and efficiency.
Unify Infrastructure: Reduce costs by unifying IT management infrastructure.
7. Unified Device Management
• Mac OS X
• Windows PCs (x86/64, Intel SoC), Windows to Go
• Windows Embedded
• Windows RT, Windows Phone 8.x
• iOS, Android
8. Platform Support
OS Platform | Management Agent | End User Experience
Windows 8.1 PC | ConfigMgr Agent, or Management Agent (OMA-DM) | Software Center/Application Catalog, or Windows Company Portal app
Windows PC (Win8, Win7, Vista, XP) | ConfigMgr Agent | Software Center/Application Catalog
Windows RT | Management agent (OMA-DM) | Windows Company Portal app
Windows Phone 8, Windows Phone 8.1 | Management agent (OMA-DM) | Windows Phone 8 Company Portal app
iOS | Apple MDM Protocol | iOS Company Portal app
Android | Android MDM agent (OMA-DM) | Android Company Portal app
Mac | ConfigMgr Agent | Limited self service experience
Linux/Unix | ConfigMgr Agent | N/A
9. Registering and Enrolling Devices
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and in the cloud.
10. What’s New in Mobile Device Inventory?
Personal vs Corporate Owned Devices: By default, user-enrolled devices are “Personal”; the admin can specify corporate-owned devices. “Compromised” device detection.
App inventory: Personal devices – inventory only apps installed by ConfigMgr/Intune. Corporate devices – complete inventory of all applications on the device*.
App Management: Global condition to differentiate app installs on corporate versus personal devices.
* Inventory capability varies by device platform
11. Extensions for Windows Intune
• Admin is notified that an extension is available when the console is launched
• Admin goes to Extensions for Intune in the console, and enables the extension
• Extension is activated in ConfigMgr (the extension enables on all site systems, then console updates are available)
• Admin restarts the console, and the console is updated with the extension
• Admin uses the feature delivered by the extension
• Admin may wish to disable the extension
12. Mobile Device Settings in ConfigMgr 2012 R2
Category Windows 8.1 PC & RT Windows Phone 8.1 iOS Android
VPN
Wi-Fi
Certificates
Email Profiles
Password (*) (*) (*)
Device restrictions (*) (*) (*)
Store access
Browsers (*) (*) (*)
Content Rating
Cloud Sync (*)
Encryption (*) (*) (*)
Security (*) (*) (*) (*)
Roaming (*) (*)
Windows Server Work Folders
* Device platform supports a subset of the settings
13. Resource Access Configuration
Supported platforms: Windows 8.1, Windows 8.1 RT, Windows Phone 8.1, iOS, Android
Benefits: End users get access to company resources with no manual steps for them
Features*
• Management and distribution of certificates
• Corporate email profile provisioning
• Configure networking profiles: VPN profiles, support for Windows 8.1 Automatic VPN, Wi-Fi protocol and authentication settings
• Configure remote connection to work PCs
14. VPN Profile Management
Support for major SSL VPN vendors: SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5. A subset of vendors have a Windows RT VPN plug-in.
Support for VPN standards like PPTP, L2TP, IKEv2.
Automatic VPN connection: DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS; application ID based initiation support for Windows 8.1.
15. Wi-Fi and Certificate Profiles
Wi-Fi settings: Manage Wi-Fi protocol and authentication settings. Provision Wi-Fi networks that devices can auto connect to. Specify the certificate to be used for the Wi-Fi connection.
Manage and distribute certificates: Deploy trusted root certificates. Support for Simple Certificate Enrollment Protocol (SCEP).
16. Email profile management
Manage Exchange ActiveSync accounts (new in January 2014 release!)
• Configure account settings and security restrictions
• Enable certificate authentication
• Support for iOS and Windows Phone 8
• Enables selective wipe of managed email profile (if platform supports it)
• Delivered as Configuration Manager Extension for Windows Intune
17. Work Folders
Sync files and data across devices. New feature in Windows 8.1 client and Windows Server 2012 R2.
Configuration Manager and Windows Intune support: new settings to help provision the Work Folder discovery settings; Company Portals have links to Work Folders.
18. Full and Selective Wipe
Columns: Windows 8.1 (x86/RT, OMA-DM managed) | Windows 8 RT | Windows Phone 8.1 | iOS | Android
Full Wipe
Selective Wipe
Email (Mail App) (Mail App)
Company apps and data: Apps uninstalled, sideloading keys removed, data removed. | Sideloading keys removed but apps remain installed. | Uninstalled and data removed. | Uninstalled and data removed. | Apps and data remain installed.
VPN and Wi-Fi profiles: Removed. | Not applicable. | Removed. | Removed. | VPN: Not applicable. Wi-Fi: Not removed.
Certificates: Removed and revoked. | Not applicable. | Removed. | Removed and revoked. | Revoked.
Settings: Requirements removed. | Requirements removed. | Requirements removed. | Requirements removed. | Requirements removed.
Management Client: Not applicable, management agent is built-in. | Not applicable, management agent is built-in. | Not applicable, management agent is built-in. | Management profile is removed. | Device Administrator privilege is revoked.
19. Unified Device Management Recap
Capability | Unregistered | Registered | MDM Enrolled | Fully Managed
Publish email to users (EAS) | Yes | Yes | Yes | Yes
Publish work folders to users | Yes | Yes | Yes | Yes
Conditional access based on user, device, location | Block device only | Yes | Yes | Yes
Audit logging and monitoring | - | Yes | Yes | Yes
Unified Device Management | - | - | Yes | Yes
Unified Application Management | - | - | Yes | Yes
Selective data wipe | - | - | Yes | Yes
Compliance reporting | - | - | Yes | Yes
Group Policy and login scripts | - | - | - | Yes
OS deployment and imaging | - | - | - | Yes
Configuration management | - | - | - | Yes
Patch management | - | - | - | Yes
Anti malware management | - | - | - | Yes
Full application management | - | - | - | Yes
BitLocker management | - | - | - | Yes
20. User-centric Application Delivery
Windows 8 Apps
Benefits: Software distribution updated. End user installation same as today. End users have one location for all enterprise apps.
(Diagram: Windows 8 and Windows RT devices, Windows Store, firewall, corporate applications)
21. User-centric Application Delivery
Administration
Delivery Evaluation Criteria
• User
• Device type
• Network connection
User/Device Relationships
Primary Devices
• MSI
• App-V
• Windows 8 Apps
• Windows 8 Apps in the Windows Store
Non-primary Devices
• VDI
• Remote Desktop
22. User-centric Application Delivery
End User Self-Service
IT: Administrators publish software titles to the catalog, complete with metadata to enable search.
• Deliver best user experience on each device
User: Users can browse, select and install directly from the Catalog.
• Application model determines format and policies for delivery
23. Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
• Reduced Infrastructure Requirements
• Endpoint Protection
• Compliance and Settings Management
• Distribution Point for Windows Azure
• Software Update Management
• Content Management
24. Reduced Infrastructure Requirements
Central Administration Site (reasons)
• Scale
• Support multiple primary sites
• Future proofing your hierarchy (SP1)
Primary Sites (why)
• Client assignment (up to 100k)
• Reduce impact of a primary site failing
• Political reasons
• Delegated administration
• Different client agent settings
• Language packs
• DMZ/Internet Facing
• Untrusted forests (new in R2)
Secondary Sites (reasons)
• Content fan-out
• Manage upward flow of WAN traffic
• Content routing
• Throttling (now in Distribution Points)
Distribution Points
• Distribute Content
• Branch Distribution Points (obsolete)
25. Consolidation and Cross-platform Integration
“We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the maintenance costs.” – Systems management administrator at a US based manufacturing company
Consolidation
• Co-locating site system roles onto a single server.
• Eliminating servers required for client security.
• Simplifying system architecture by reducing the number of sites.
600 hours or U.S. $30,000 saved each year due to reduced administration overhead (Business Value of Microsoft® System Center 2012 Configuration Manager)
Cross-platform Integration*
• Manage non-Windows desktops including Mac OS X
• Manage non-Windows servers including Linux and UNIX
• Access business apps on non-Windows machines via Citrix XenApp integration
* Cross-platform integration enhancements are available with Configuration Manager Service Pack 1 (beta released in September 2012)
26. Unified Device Management Configuration
• Device management integrated directly into the console
• Simple Windows Intune Subscription set-up
• Centralized branding and customization of the Company Portal experience
• Windows Intune Connector deployed as a Site System Role
27. Security and Compliance: Endpoint Protection
Unified Infrastructure: Simplified server and client deployment. Streamlined updates. Consolidated reporting.
Comprehensive Protection Stack: Behavior monitoring. Antimalware. Dynamic Translation. Windows Firewall Management.
28. Security and Compliance: Settings Management
(Diagram: the ConfigMgr MP delivers the baseline to the ConfigMgr Agent; baseline configuration items cover WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File and Active Directory settings; baselines are assigned to collections; on baseline drift, auto remediate OR create an alert (to Service Manager)!)
Improved functionality
• Copy settings
• Trigger console alerts
• Richer reporting
• Enhanced versioning and audit tracking
• Ability to specify versions to be used in baselines
• Audit tracking includes who changed what
• Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator
29. Security and Compliance: Software Update
(Diagram: CAS; Primary Site MP Role assigns policy to scan for update status or to deploy updates, and reports compliance; Primary Site DP Role distributes updates; Primary Site SUP Role/WSUS downloads updates from Microsoft Update, identifies who needs updates and reports on compliance)
Auto Deployment
• Faster deployment through search.
• Schedule content download and deployment to avoid reboot during work hours.
State-based Updates
• Allows individual or group deployment.
• Updates added to groups auto deploy to targeted collections.
Optimized for New Content Model
• Reduce replication and storage.
• Expired updates and content deleted.
30. Distribution Point for Windows Azure
(Diagram: primary site PR1 with MP and DP inside the corporate network; policy and content pass through the firewall to the Windows Azure Distribution Point; Microsoft Update)
Rich feature set
Integrated monitoring: In-console content monitoring. Ability to monitor storage and traffic out usage.
Content is fully encrypted
31. Content Management in R2
Pull DP improvements
• The sources for a pull DP can be randomized to achieve load balancing and flexibility.
• Pull DP in-console monitoring on par with standard DP.
• Enable pull distribution point to send state messages via MP.
Infrastructure improvements
• Reduced the amount of interaction between remote DPs and the Distribution Manager.
• Optimized content distribution by adding distribution point priority and keeping send requests in SQL.
• New report: Distribution Point Usage – shows how much a particular DP gets used.
33. Modern Management Console
• Intuitive ribbon interface
• In-console alerts
• Global search capability
• New collection membership rules allow better filtering of members
• Windows PowerShell enablement
34. Unified Device Management Console
• Mobile device management integrated directly into the console experience
• Common tools for policy and application management
• Unified reporting across device platforms
• User collections enable user-centric setting and application deployment across device types
35. Role-based Administration
Functionality | ConfigMgr 2007 | ConfigMgr 2012
What types of objects can I see and what can I do to them? | Class rights | Security roles
Which instances can I see and interact with? | Object instance permissions | Security scopes
Which resources can I interact with? | Site specific resource permissions | Collection limiting
Meg - WW Central System Administrator
Louis - Software Update Manager for France
• Can see & update “France” desktops
• Cannot modify security settings on “France” desktops
• Cannot see “All Systems” or “U.S.” desktops
Bob - US and France Security Admin
• Can see and modify security settings on “France” and “U.S.” desktops
• Cannot update “France” or “U.S.” desktops
• Cannot see “All Systems”
Map the organizational roles of your administrators to defined security roles
• Security organization role
• Geography
Reduces error, defines span of control for the organization
RBA enhancements in R2 include SQL Reporting
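The three questions on this slide, worked through for Meg, Louis and Bob as an added Python illustration; this is not Configuration Manager's own code, and the role names, the operations "Read", "DeployUpdates" and "ModifySecurity", the scope names and the collection hierarchy are constructed for the example.

```python
"""Added illustration of Configuration Manager 2012 role-based administration:
an administrator's effective rights are the intersection of the slide's three
questions (security roles, security scopes, collection limiting). Role, scope
and collection names are constructed; the product's built-in roles differ."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (object type, operation)


@dataclass(frozen=True)
class SecurityRole:
    """'What types of objects can I see and what can I do to them?'"""
    name: str
    permissions: FrozenSet[Permission]


@dataclass(frozen=True)
class Collection:
    """'Which resources can I interact with?' Each collection is limited to a
    parent collection (None for the root 'All Systems')."""
    name: str
    limited_to: Optional[str]


@dataclass(frozen=True)
class ScopedObject:
    """'Which instances can I see?' Objects such as update packages carry a
    security scope tag."""
    object_type: str
    name: str
    scope: str


@dataclass
class AdminUser:
    name: str
    roles: List[SecurityRole]
    scopes: Set[str]        # security scopes assigned to the user
    collections: Set[str]   # collection limiting: collections assigned to the user


COLLECTIONS: Dict[str, Collection] = {c.name: c for c in (
    Collection("All Systems", None),
    Collection("France desktops", "All Systems"),
    Collection("U.S. desktops", "All Systems"),
    Collection("France desktops - Pilot", "France desktops"),
)}

# Constructed roles, named after the slide's administrators' jobs.
FULL_ADMINISTRATOR = SecurityRole("Full Administrator", frozenset({
    ("Collection", "Read"), ("Collection", "DeployUpdates"),
    ("Collection", "ModifySecurity"), ("SoftwareUpdatePackage", "Read")}))
SOFTWARE_UPDATE_MANAGER = SecurityRole("Software Update Manager", frozenset({
    ("Collection", "Read"), ("Collection", "DeployUpdates"),
    ("SoftwareUpdatePackage", "Read")}))
SECURITY_ADMINISTRATOR = SecurityRole("Security Administrator", frozenset({
    ("Collection", "Read"), ("Collection", "ModifySecurity")}))

# The three administrators from the slide.
MEG = AdminUser("Meg", [FULL_ADMINISTRATOR], {"France", "U.S."}, {"All Systems"})
LOUIS = AdminUser("Louis", [SOFTWARE_UPDATE_MANAGER], {"France"}, {"France desktops"})
BOB = AdminUser("Bob", [SECURITY_ADMINISTRATOR], {"France", "U.S."},
                {"France desktops", "U.S. desktops"})


def role_allows(user: AdminUser, object_type: str, operation: str) -> bool:
    """Dimension 1: some assigned role grants the operation on the object type."""
    return any((object_type, operation) in r.permissions for r in user.roles)


def collection_visible(user: AdminUser, name: str) -> bool:
    """Dimension 3: visible if the collection, or one it is transitively limited
    to, is assigned to the user. The walk never grants 'All Systems' by accident."""
    current: Optional[str] = name
    while current is not None:
        if current in user.collections:
            return True
        current = COLLECTIONS[current].limited_to
    return False


def check_collection(user: AdminUser, name: str, operation: str) -> Tuple[bool, str]:
    """Role rights AND collection limiting; the reason is what to log on a denial."""
    if name not in COLLECTIONS:
        return False, f"unknown collection {name!r}"
    if not collection_visible(user, name):
        return False, f"{user.name} is not limited to a collection containing {name!r}"
    if not role_allows(user, "Collection", operation):
        return False, f"no role of {user.name} grants Collection/{operation}"
    return True, "allowed"


def check_object(user: AdminUser, obj: ScopedObject, operation: str) -> Tuple[bool, str]:
    """Dimension 2 with dimension 1: role rights AND security scope of the instance."""
    if obj.scope not in user.scopes:
        return False, f"{obj.name!r} is in scope {obj.scope!r}, which {user.name} lacks"
    if not role_allows(user, obj.object_type, operation):
        return False, f"no role of {user.name} grants {obj.object_type}/{operation}"
    return True, "allowed"
```

Calling check_collection(LOUIS, "France desktops", "ModifySecurity") and check_collection(BOB, "All Systems", "Read") reproduces the two denials the slide lists for Louis and Bob, with the reason string naming which dimension denied it.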
36. Operating System Deployment
Multiple Deployment Method Support
• PXE initiated deployment allows client computers to request deployment over the network
• Multi-cast deployment to conserve network bandwidth
• Stand-alone media deployment for no network connectivity or low bandwidth
• Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
• User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
(Diagram: CAS; Primary Site MP Role; Primary Site DP Role; image, task sequence and report; WDS PXE Server)
37. Core Operating System Deployment Scenarios
Scenario | Key Functionality
New computer | Fresh install of a new operating system on client or server system; new or repurposed hardware
PXE boot | Integrate with Windows Deployment Services (WDS) PXE server; self-provisioning via F12
Wipe-and-load | Install new version of operating system; reinstall applications and user state under new operating system
Side-by-side | Similar to wipe-and-load, except between two different devices
Offline with removable media | With low bandwidth or no connectivity; large software packages are on the media
Prestaged Media | Optimized for network bandwidth; speeds up end to end deployment
38. Client Activity and Health
In-console view of client health
Threshold-based console alerts
Heartbeat DDRs
HW/SW inventory and status
Remediation
39. Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to:
• Understand software installation profiles
• Plan for hardware upgrades
• Identify over or under licensing issues
• Track custom apps or groups of titles
(Diagram: ConfigMgr Inventory; Real-Time Application and Hardware Intelligence; Asset Intelligence Service; Asset Intelligence Catalog; Software Metering and License Reports)
40. Summary
(Feature matrix by release: 2012, 2012 SP1 and 2012 R2, grouped under Enable, Unify and Simplify. Feature areas: Role-based Administration; Content Management; Software Update Management; Reduced Infrastructure Requirements; User-centric Application Delivery; Modern Device Management; Compliance and Settings Management; Endpoint Protection; Operating System Deployment; Asset Intelligence, Inventory and Software Metering; Modern Management Console; Client Health; Distribution Point for Windows Azure.)
Cell annotations in the matrix: EAS; User-centric; Updated engine; RBA in Reporting; Windows 8.1 support; Web App deployment; Auto remediation; Win 8 Apps; Flexible hierarchies; Real-time actions; User profile and data; Modern Management Console: New Windows PowerShell, Additional cmdlets; Client Health: Improved, Improved; Distribution Point for Windows Azure: New.
42. Windows Embedded Support
Repurposed PC
• Windows Thin PC
Thin Clients
• Windows XP Embedded
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
POS/Kiosk: Same as Thin Clients, plus
• POS Ready 2009
• POS Ready 8
Digital Signage
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
Supported Write Filters
• File Based Write Filters (FBWF) (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Ability to force persistence of changes for
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be managed like any other Windows client. When write filters are enabled, they require special handling, now provided seamlessly.
43. Linux and UNIX Servers
Supported operating systems across both Configuration Manager and Operations Manager:
Red Hat Enterprise Linux
• Version 4 (x86/x64)
• Version 5 (x86/x64)
• Version 6 (x86/x64)
Solaris
• Version 9 (SPARC)
• Version 10 (SPARC/x86)
• Version 11 (SPARC/x86)
SUSE Linux Enterprise Server
• Version 9 (x86)
• Version 10 SP1 (x86/x64)
• Version 11 SP1 (x86/x64)
Recently added
• CentOS 5, 6
• Debian 5, 6, 7
• Ubuntu 10.4 LTS, 12.4 LTS
• Oracle Linux 5, 6
• HP-UX 11iv2, 11iv3
• AIX 5.3, 6.1, 7.1
Earlier versions supported as long as the vendor provides support. Broader Linux distro support being evaluated for future releases.
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run maintenance scripts that target a collection
Consolidated reports
44. Mac OS X
Configuration Manager native client
Key management capabilities
Improved enrollment in R2
45. Scenarios | Hybrid | Standalone
Default browser | Yes | Yes
Disable Copy and paste functionality | Yes | Yes
Disable Telemetry/Diagnostic data Submission (SQM/Watson) - Granular | Yes | Yes
Screen Capture | Yes | Yes
File encryption on mobile device | Yes | Yes
Allow simple password | Yes | Yes
Alphanumeric Password required | Yes | Yes
Idle time before mobile device is locked (minutes) | Yes | Yes
Minimum complex characters | Yes | Yes
Minimum password length (characters) | Yes | Yes
Number of failed logon attempts before device is wiped | Yes | Yes
Number of passwords remembered | Yes | Yes
Password complexity | Yes | Yes
Password expiration in days | Yes | Yes
46. Scenarios | Hybrid | Standalone
Bluetooth | Yes | Yes
Camera | Yes | Yes
Disable Internet Explorer | Yes | Yes
Disable USB sync | No | No
Disable WiFi | Yes | Yes
Near field communication (NFC) | Yes | Yes
Prevent user initiated un-enrollment/disable PC settings | No | No
Removable storage (any external storage device) | Yes | Yes
Disable Application Store | Yes | Yes
Disable Internet Sharing over WiFi (Tethering) | Yes | Yes
Disable Wi-Fi Offloading | Yes | Yes
Wi-Fi Hotspot reporting | Yes | Yes
Disable Custom Email Account (all or nothing) | Yes | Yes
Allow Microsoft Account | Yes | Yes – Roadmap
Turn on/off location awareness (cellular or GPS) | Yes | Yes
Editor’s notes
The explosion in use and number of consumer devices and ubiquitous information access is changing the way that people perceive their technology, in addition to how that technology shapes their personal and work lives. The constant use of information technology throughout the day, along with the easy access of information, is blurring traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology—selected and customized to fit users’ personalities, activities, and schedules—should extend into the workplace.
Accommodating the consumerization of IT presents a variety of challenges. Historically, most or all devices used in the workplace were owned, and therefore managed, by the organization. Policies and processes were focused on device management—and usually on a relatively small, tightly controlled, and managed set of corporate-approved hardware that was subject to predetermined corporate replacement cycles.
The consumerization of IT dramatically alters this scenario. There is greatly increased device and operating system diversity and volume in the organization. This can fundamentally change the IT landscape and necessitate a shift in management objectives from tight control over hardware to effective, user-centric governance.
The way resources and applications are accessed and consumed is also changing. With the shift to personal devices and mobility, there is a need to adapt how applications work. IT departments must also now consider authentication of the user, validation of the device, and updated service consumption models when planning their consumerization policies and implementation.
The best organizational response is IT policies that match business realities and priorities, moving toward a people-centric model that replaces the older paradigm of device-centric policies and management. The Microsoft people-centric vision helps IT administrators increase their organizations’ productivity by enabling access to corporate resources, regardless of location or device used. This shift in focus requires policies, processes, and technologies that give people the freedom to select the devices they want to use, along with device-agnostic access to applications and data.
There are two Microsoft solutions for managing mobile devices:
The first is the unified scenario with System Center 2012 R2 Configuration Manager with Windows Intune. This enables Configuration Manager to extend beyond on-premises PC management to devices that live in the cloud, including Android, iOS and Windows Phone devices, whilst using a single console for the admin experience. This solution provides rich policy management and reporting. It also provides for greater scalability.
The second is using Windows Intune as a standalone solution. This uses the web-based administration console and is ideal when the deployment of a management infrastructure on-premises would be overly complicated.
There are three main focus areas that are addressed with System Center 2012 R2 Configuration Manager:
Enable Users – allowing people to get access to their corporate applications and data, providing them with the tools to manage their own devices (for example, wipe), and get easy access to support, across multiple device platforms
Unify Infrastructure – bring together management in a common infrastructure, whether it is for on-premises PCs, virtual applications or mobile devices.
Simplify Administration - Provide a single pane of glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell).
To begin with Enable Users, there are two aspects to look at:
Unified device management, enabling the users regardless of what device they are using, and providing a compliance environment that helps manage corporate data protection
User-centric Application Delivery – providing the user with the appropriate application for the device they are using, whether it is a PC application, a native mobile application or a virtual or web-based application
The SP1 release of System Center 2012 Configuration Manager introduced the ability to connect Configuration Manager to Windows Intune to enable management of cloud-based mobile devices. The R2 release builds upon this to increase the management capabilities and provide support for new platforms such as Windows 8.1.
Note: Highlighted items are new with System Center 2012 R2 Configuration Manager
When a user wants to use their own device, this immediately raises requirements from both the user and IT. The user needs access to apps and data, and IT needs to ensure that corporate information remains secure and that the business continues to deliver on its compliance and regulatory requirements.
With Windows Server 2012 R2, we introduce a new concept known as device registration. Users can register their BYO devices for single sign-on and access to corporate data using Workplace Join. As part of this registration process, a certificate is installed on the device, and a new device object is created in Active Directory. This device object establishes a link between the user and their device, making it known to IT, and allowing the device to be authenticated, effectively a seamless 2nd factor of authentication. In return for registering their device and making it known to IT, the user gains access to corporate resources that were previously not available outside of their domain joined PC.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness (i.e. is it registered) and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication (previously known as PhoneFactor).
Users can enroll devices which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications, data and to be able to manage their own devices, performing tasks such as remote wiping them in the event they are lost, stolen or replaced.
In order to provide administrators with a unified view of their entire environment, the data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and in the cloud.
An important concept in managing Bring Your Own Device scenarios is the ownership of the device. System Center 2012 R2 Configuration Manager introduces the ability to denote whether devices are corporate owned or personal devices.
If a device is personally owned, then a limited set of inventory is collected from the device, to ensure the enterprise does not stray over privacy limits.
If a device is corporate owned, then a complete inventory of the device is collected (where permitted by the device platform).
Also, the ownership can be used as a condition for deployment of compliance items or applications, so if you wish to deploy a specific set of policies to corporate devices, or if you wish to deny a particular application from personal devices, you can use the new global condition to control the deployment based on the ownership flag.
A new capability of System Center 2012 R2 Configuration Manager is the ability to configure corporate resource access for devices. By setting things like VPN and Wi-Fi profiles through Configuration Manager, the end user does not have to worry about how to set up their device for corporate access. There are four areas that can be configured:
Remote Connection Profiles – the ability to expose fully-managed (ConfigMgr client) PCs through the Company Portal. This enables users to open a Remote Desktop Session to their corporate PC from a mobile client, whilst outside of the corporate network.
Certificate Profiles – Root certificates can be distributed to devices to enable verification of certificates. The Simple Certificate Enrollment Protocol can also be configured, enabling user or device specific certificates to be acquired by the mobile client. These can then be used to authenticate the user or the device for scenarios such as VPN access, web application authentication, etc.
VPN Profiles – These can be configured to enable the mobile device to easily connect back in to the corporate network without the user having to manage the settings.
Wi-Fi Profiles – These can be configured to enable the mobile device to attach to corporate Wi-Fi environments without configuration by the user.
Email Profiles – These can be configured to give the user quick access to preconfigured enterprise email. They also enable removal of the corporate email during a selective wipe (if the device platform supports it).
Note: some of these capabilities vary by device platform
System Center 2012 R2 Configuration Manager supports a number of third party VPN solutions, as well as Microsoft’s own VPNs. Support is also available for standards based VPNs such as PPTP, L2TP and IKEv2.
In addition, the VPN can be configured to automatically connect when a specific resource is accessed by DNS name, or when a specific application is launched on Windows 8.1.
System Center 2012 R2 Configuration Manager also includes support for preconfiguring the new Windows 8.1 and Windows Server 2012 R2 Work Folders feature. This allows the admin to set up the users devices for Work Folder synchronization easily and without end user involvement.
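The following is an added example, not code from the deck or from the Configuration Manager product: it expresses what a VPN profile of the kind described above ends up configuring on a Windows 8.1 client, using the built-in VpnClient cmdlets, so that the result can be inspected after the profile lands. The VPN server name, DNS suffix, DNS server address and application path are placeholders; the certificate-based authentication assumes a device certificate has already been enrolled (for example through a Certificate Profile).

```powershell
# Added example (not from the original deck): the client-side settings a
# Configuration Manager VPN profile with auto-trigger produces on Windows 8.1,
# expressed with the VpnClient cmdlets. All names and addresses are placeholders.

$ConnectionName = 'Corp VPN'

# IKEv2 with machine-certificate authentication: the device certificate (e.g. one
# enrolled via SCEP from a Certificate Profile) authenticates the device, so no
# reusable password is stored on the mobile client.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress 'vpn.corp.example' `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling `
    -Force

# Trigger 1: connect automatically when a name under the corporate DNS suffix is
# resolved; the listed DNS server is used for that suffix once the tunnel is up.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix 'corp.example' `
    -DnsIPAddress '10.0.0.53' `
    -Force

# Trigger 2: connect automatically when a specific line-of-business app starts.
# (For Windows Store apps the ApplicationID is the package family name instead.)
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID 'C:\Program Files\Contoso\LobApp.exe' `
    -Force

# Suppress the triggers while the device is already inside the corporate network,
# detected by the connection-specific DNS suffix it receives there.
Set-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix 'corp.example' `
    -Force

# The check to run after a profile is applied: confirm tunnel type, authentication
# method and triggers are what the admin intended, not a weaker fallback.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```

The last two commands are the useful part for a compliance check: if AuthenticationMethod shows anything other than MachineCertificate, or EncryptionLevel is not Required, the profile that reached the device is not the one that was designed.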
How the device is registered or managed provides a different level of capability:
Unregistered – devices that are not registered (via Workplace Join) and are not managed have a very limited set of management capabilities.
Registered – enabling a device with Workplace Join provides some additional access control and auditing, but the device is still an unmanaged, untrusted device.
MDM Enrolled – when a mobile device is enrolled for management there are a number of additional management capabilities that light up, ensuring the device is compliant and providing a rich experience for the end user
Fully Managed – for clients that can be fully managed, this provides the deepest, most comprehensive level of management with Configuration Manager
System Center 2012 Configuration Manager SP1 introduced the ability to deploy and manage Windows 8 (modern) applications. These can run across both traditional x86 PCs and the ARM-based Windows RT devices.
Windows 8 applications can either be deployed through Configuration Manager directly to the clients, or Configuration Manager can provide a link to the application if it resides in the public Windows Store.
With Configuration Manager, you can create criteria on application deployments that determine the method of delivery of an application. Based on the device type, network connection or another attribute, one device could receive a full native application while another receives a link to a virtual version of the application. This is a great solution for ensuring that corporate data does not leave the data center for devices that are lightly managed or less trusted, while devices that are fully managed and trusted receive the full application.
A key aspect of application delivery is the end-user experience. A new self-service portal is available that gives the user a rich, modern Company Portal, which allows access to all the applications that have been provisioned for the user.
With prior versions of Configuration Manager, there were a number of reasons for expanding the hierarchy with additional primary sites or secondary sites. Many of these reasons, listed in the bottom half of the table, are now obsolete due to new functionality that came with the SP1 and R2 releases of Configuration Manager. There are still a handful of reasons for expanding the hierarchy, and these are captured in the top half of the table. The reduction in reasons means that many customers with existing hierarchies can actually consolidate their infrastructure as they move to R2.
From: http://download.microsoft.com/download/6/9/2/6929CB82-0FD4-49C9-897D-717B2AF9AE5E/System_Center_Configuration_Manager_2012_Business_Value_White_Paper.pdf
Consolidation: Organizations were able to cut down on the number of physical servers by…
Co-locating site system roles onto single server instead of spreading these across multiple servers;
Eliminating the servers required for client security as System Center 2012 Endpoint Protection integrates with Configuration Manager; and
Simplifying system architecture by reducing the number of primary and secondary sites and the distribution points.
Moreover, Configuration Manager now supports configuring distribution points that run as a cloud service in Microsoft® Windows Azure. This eliminates the need to plan for, purchase, and maintain the hardware for installing the site system roles – further reducing the infrastructure requirements and costs.
[Note: Above feature requires System Center 2012 Configuration Manager SP1 (beta available September 2012). Also requires subscription to Windows Azure cloud service. All costs are determined by the customer’s Windows Azure licensing, and the volume of data that is stored and downloaded by clients. No additional licensing costs are added by Configuration Manager.]
Cross-platform Integration: With Service Pack 1, Configuration Manager supports installation of the client on computers that run Mac OS X and servers running various Linux or UNIX operating systems. This allows administrators to apply compliance settings, deploy software, and include these devices in the hardware inventory collection tasks. Furthermore, through integration with Citrix XenApp, non-Windows users can still access business applications that are compatible with Configuration Manager.
Another key tenet of unifying the infrastructure is bringing mobile device management into the client management infrastructure. To connect Configuration Manager to Windows Intune there are two simple steps to be carried out:
Configure the Windows Intune Subscription – this sets up the platforms to be managed, and the branding for the Company Portal experience
Deploy the Windows Intune Connector – this is a lightweight Site Server role that can be deployed on an existing server. The Connector requires an outbound HTTPS connection to the Windows Intune cloud service, but does not need to be placed in the DMZ or exposed to the internet in any way.
The unification of the infrastructure also includes bringing the Endpoint Protection management capabilities within the client management frame. Through the single Configuration Manager administration console, the admin can deploy System Center Endpoint Protection and easily track the health and state of the endpoint clients.
Settings Management is also an important part of security and compliance for the enterprise. Configuration Manager contains extensive capabilities for configuring Compliance Baselines, deploying them to clients and monitoring the clients for baseline drift. If a client does go out of compliance, this can be reported on in Configuration Manager, an alert can be raised, or the client can be configured to auto-remediate the settings that are out of compliance.
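As an added example (not taken from the deck or from the product), here are the two scripts behind a script-based setting in a Configuration Manager Configuration Item, which is the mechanism that does the drift detection and auto-remediation described above. The setting used, the UAC EnableLUA registry value, is chosen for illustration; any registry-backed security setting can be substituted. In the console the discovery function body goes into the Discovery script field and the remediation function body into the Remediation script field, with the three variable lines copied into each.

```powershell
# Added example (not from the original deck): discovery and remediation scripts
# for a script-based Configuration Item setting. The registry value checked here
# (UAC EnableLUA) is an illustration; substitute the setting your baseline tracks.

$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name     = 'EnableLUA'
$Expected = 1

# --- Discovery script ---
# Must write the current value to the pipeline. The compliance rule on the
# setting then asserts "value equals 1"; anything else is reported as drift.
function Get-SettingValue {
    try {
        $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction Stop
        [int]$item.$Name
    } catch {
        # Missing key or value: return something the rule treats as non-compliant
        # rather than nothing, so the client does not report an evaluation error.
        -1
    }
}

# --- Remediation script ---
# Runs only when the client is non-compliant and the baseline deployment has
# "Remediate noncompliant rules when supported" enabled. It restores the
# expected value; the client re-runs discovery afterwards to confirm.
function Set-SettingValue {
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    Set-ItemProperty -Path $RegPath -Name $Name -Value $Expected -Type DWord
    Get-SettingValue
}

# Local dry run of the same logic, to see what the client's evaluation would report.
$current = Get-SettingValue
if ($current -eq $Expected) {
    "Compliant: $Name = $current"
} else {
    "Non-compliant: $Name = $current (expected $Expected); remediation would set it"
}
```

Returning a sentinel from discovery when the value is absent matters in practice: a discovery script that emits nothing shows up in reports as an error rather than as non-compliance, and the remediation script is never invoked for it.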
To maintain a controlled environment it is important to deploy and monitor the updates to key software components. Configuration Manager integrates with Microsoft Update to enable the deployment and tracking of updates to Microsoft software (including the OS) in a scalable, manageable manner.
For clients that are frequently outside of the corporate network, you can now deploy a distribution point to Windows Azure. This reduces the need for staging content on a distribution point in your own perimeter network and means that you can take advantage of Windows Azure Content Distribution Network capabilities.
There have been a couple of key improvements to content management in System Center 2012 R2 Configuration Manager that help with the management of content within the hierarchy. In-console monitoring and improved reporting help give an overview of the content status in the environment. There have also been a number of improvements around managing the content flow and behavior of the Pull Distribution Points.
System Center 2012 R2 Configuration Manager builds on top of the existing Role-Based Administration capabilities to now include RBA for SQL Reporting.