Modern Management for Identiteter og Enheter – Azure AD, Intune og Windows 10
•
3 j'aime•1,009 vues
I denne sesjonen vil vi se på hvordan hvordan vi tilrettelegger for Modern Management med Azure Active Directory, Microsoft Intune og Windows 10. Vi vil se på hvordan vi med Azure AD etablerer Identitets- og Tilgangskontroll, Selvbetjening og tilgang til Applikasjoner. Videre vil vi se på hvordan nye Azure AD sammen med Intune fungerer i […]
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (19)
Similaire à Modern Management for Identiteter og Enheter – Azure AD, Intune og Windows 10
Similaire à Modern Management for Identiteter og Enheter – Azure AD, Intune og Windows 10 (20)
Dernier
Dernier (20)
Modern Management for Identiteter og Enheter – Azure AD, Intune og Windows 10
- 1. http://mvpdagen.no #MVPdagen Moderne Management for Identiteter og Enheter Jan Vidar Elven Cloud & Datacenter Architect, Skill MVP Enterprise Mobility @skillriver Nicolai Henriksen Principle Solution Architect, Lumagate MVP Enterprise Mobility @nicolaitwitt
- 2. MODERN MANAGEMENT MED EMS + OFFICE 365 2
- 3. Administrators Intune Azure Information Protection Protect your users, devices, and apps Detect problems early with visibility and threat analytics Protect your data, everywhere Extend enterprise-grade security to your cloud and SaaS apps Manage identity with hybrid integration to protect application access from identity attacks ENTERPRISE MOBILITY + SECURITY Advanced Threat Analytics Microsoft Cloud App Security Azure Active Directory Identity Protection Users Privileged Identity Management
- 4. EMS OG EU GDPR COMPLIANCE
- 5. IDENTITET SOM KJERNE FOR MOBILITET Single sign-onSelf-service Simple connection On-premises Other directories Windows Server Active Directory SaaSAzure Public cloud CloudMicrosoft Azure Active Directory
- 6. KONTROLLERTTILGANG MED CONDITIONAL ACCESS Conditions Device state • Allow • Remediate • Block access • Wipe device Actions User MFA Microsoft Azure Location (IP range) User group Risk On-premises applications • Enforce MFA
- 7. AZURE AD MANAGEMENT Azure Portal: https://portal.azure.com GA Mai 2017 Classic Portal: https://manage.windowsazure.com -> snart RIP Azure Active Directory Admin Center: https://aad.portal.azure.com Office 365 Admin: http://portal.office.com Azure AD PowerShell V1 (MSOL) –V2 Microsoft Graph! 7
- 8. DEMO – AZURE AD PORTAL https://aad.portal.azure.com https://portal.azure.com 8
- 9. AZURE AD POWERSHELL MSOnline Module (v1) AzureAD Module (v2) Anbefales å bruke v2, som det er 2 versjoner av: AzureAD (GA) AzureADPreview Tett koblet mot GraphAPI *AD* forAzureAD Graph API *ADMS* for Microsoft GraphAPI
- 11. DEMO – AZURE AD POWERSHELL & GRAPH PowerShell Scripts: https://gist.github.com/skillriver https://docs.microsoft.com/en-us/powershell/module/Azuread/?view=azureadps-2.0 11
- 15. Job Loss No More Control IT Pro’s will become Helpdesk Costs No More Security ….
- 19. Configuration Manager console Mobile devices and PCs Mobile devices System Center Configuration Manager Domain-joined PCs Intune hybridIntune cloud only IT IT Intune Admin Portal Intune MAM-WE IT Azure Admin Portal Mobile devices Intune MAM apps
- 21. EVEN MY GRANDMOTHER HAS WINDOWS 10 NOW!!! Why don´t we?
- 22. SCCM Central Administration Site • Central primary site administration • Reporting Primary Sites • Client management and settings • Delegated administration Secondary Sites • Content routing • Distributions points SCCM Central Administration Site SCCM Primary Site SCCM Primary Site Secondary Site Secondary Site Secondary Site Secondary Site Secondary Site Secondary Site
- 24. Microsoft Intune in Azure – Ibiza portal
- 25. DEMO
- 26. Prerequisites for mobile device management in Intune2017-2-21 9min to read Contributors •In this article Step 1: Enable connections Step 2: Set MDM authority Step 3: Create groups Step 4: Configure Company Portal Step 5: Assign user licenses Step 6: Enable enrollment Step 7: Next steps..
- 27. • iOS and Mac • Android • Android for Work • Windows 10 Mobile and Windows Phone • Windows PCs and laptops (Intune client software) • + • You can also enable enrollment of corporate-owned devices. MDM ENROLLMENT PLATFORMS
- 29. http://sccm.biz
- 30. • iOS and Mac OS X: Every 6 hours. • Android: Every 8 hours. • Windows Phone: Every 8 hours. • Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours. • If the device has just enrolled, the check-in frequency will be more frequent, as follows: • iOS and Mac OS X: Every 15 minutes for 6 hours, and then every 6 hours. • Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours. • Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours. • Windows PCs enrolled as devices: Every 3 minutes for 30 minutes, and then every 8 hours. SYNC???
- 31. • Create Windows 10 installation media • Windows Configuration Designer (ADK/Store App) • Azure Active Directory join in bulk • MBR2GPT.EXE • Windows Defender Advanced Threat Protection • Windows Defender Antivirus • Device Guard and Credential Guard • Windows Update for Business • Optimize update delivery
- 32. New CSP in Windows Creators Update • DynamicManagement CSP (location, network, time) • CleanPC CSP • BitLocker CSP • NetworkProxy CSP • EnterpriseAppVManagement CSP
- 33. New CSP in Windows Creators Update • Office CSP • Policy CSP - ADMX-backed policies • MDM Migration Analysis Tool (MMAT)
- 34. Protect your data Enable your users Unify Your Environment Devices Apps Data Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure
- 35. Manage mobile productivity and protect data with Office Mobile apps for iOS and Android Manage policy for existing iOS line of business apps (so called “app wrapping”) Managed browser and PDF/Audio/Video viewers Provide access to Exchange and OneDrive for Business resources only to managed devices Deny access if a device falls out of compliance Enable IT to bulk enroll corporate-owned task-worker devices Support for Apple Configurator Manage mobile productivity without compromising compliance Conditional Access Policy to Email and Documents Enroll and Manage Corporate-owned Devices Manage Mobile Productivity and Protect Data with Office Personal Corporate
- 36. Enterprise Mobility Lifecycle Manage and Protect Measure device and app compliance Block access if policy violated (eg: jailbreak) Contain data to prevent leaks Self service portal for users Retire Revoke company resource access Selective wipe Audit lost/stolen devices etc Employees Enroll Enroll devices in AD and MDM Block email/SharePoint etc until enrolled Customizable Terms & Conditions Simple end user experience Provision Provision access to corporate resources Install VPN, Wifi, Certificates Deploy device security policy settings Install mandatory apps Deploy app restriction policies Deploy data protection policies
- 37. The End User Experience Family
- 43. Available Choices Identity Active Directory; Azure Active Directory Management Group Policy, System Center Configuration Manager, 3rd party PC management; Intune, 3rd party MDM Updates Windows Update; Windows Server Update Services (WSUS); Intune, 3rd party MDM Infrastructure On-premises or in the cloud Ownership Corporate-owned, CYOD; BYOD Organizations may mix and match, depending on their specific scenario
- 44. Exchange ActiveSync Basic Windows Update BYOD (personal) devices E-mail access only Active Directory and/or Azure Active Directory Mobile Device Management Lightweight Windows Update/MDM Company-owned and BYOD devices Internet-facing or corporate network Active Directory Group Policy System Center Full Control WSUS Company-owned devices Corporate network
Notes de l'éditeur
- Azure AD, Intune og Windows 10 I denne sesjonen vil vi se på hvordan hvordan vi tilrettelegger for Modern Management med Azure Active Directory, Microsoft Intune og Windows 10. Vi vil se på hvordan vi med Azure AD etablerer Identitets- og Tilgangskontroll, Selvbetjening og tilgang til Applikasjoner. Videre vil vi se på hvordan nye Azure AD sammen med Intune fungerer i et Deployment and Provisioning scenario, hvor man dynamisk konfigurerer og administrerer Windows 10 uten reimaging. I sesjonen vil vi se på Applikasjonshåndtering, Windows Update, Servicing og Antimalware, samt at vi også vil se nærmere på Bring Your Own Device.
- The new Azure AD PowerShell v2.0 module don’t provide full functional parity with the older MSOL module yet. We’re working hard to make that happen in the coming months and will keep you updated on our progress. We are not planning to publish new functionality in the MSOL PowerShell module. Over time we will implement all the functionality of the old MSOL cmdlets in the new module, and this new module contains quite a few new cmdlets that haven’t been available before. Maintain equivalent capabilities between our Graph API and our PowerShell cmdlets. To make sure that happens, all these new cmdlets are built on top of the Graph API.
- Learn more at microsoft.com/intune
- JV: Er dette noe du kan vise?
- New CSP in Windows 10 Creators Update : DynamicManagement CSP allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. CleanPC CSP allows removal of user-installed and pre-installed applications, with the option to persist user data. BitLocker CSP is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. NetworkProxy CSP is used to configure a proxy server for ethernet and Wi-Fi connections. Office CSP enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see Configuration options for the Office Deployment Tool. EnterpriseAppVManagement CSP is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
- New CSP in Windows 10 Creators Update : DynamicManagement CSP allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. CleanPC CSP allows removal of user-installed and pre-installed applications, with the option to persist user data. BitLocker CSP is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. NetworkProxy CSP is used to configure a proxy server for ethernet and Wi-Fi connections. Office CSP enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see Configuration options for the Office Deployment Tool. EnterpriseAppVManagement CSP is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
- New CSP in Windows 10 Creators Update : Policy CSP - ADMX-backed policies https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies IT pros can use the new MDM Migration Analysis Tool (MMAT) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
- But really there’s more to it than just what management tool you use. There are choices in several areas. For identity we will continue supporting Active Directory and domain-joined computers, while also directly supporting Azure Active Directory and “logon to the cloud.” From a management perspective, Group Policy and Configuration Manager (or other 3rd party PC management tools) will continue to provide the greatest functionality, while Intune and third-party MDM services will provide lightweight mechanisms for managing Windows devices in appropriate scenarios. For updating Windows systems, we’ll continue supporting Windows Update (where we automatically update devices as those updates are released) and WSUS (including with System Center Configuration Manager) where you control when updates are deployed. But we’ll also add new MDM capabilities, where Intune and third-party MDM services can also control the Windows updating process. Overall these choices reflect the type of infrastructure being used to manage the devices. Whether on-premises or in the cloud, Windows 10 will support your choices. We this this scenarios also align well with device ownership – you may choose to manage corporate-owned devices (including “choose your own device” (CYOD) scenarios) differently from “bring your own device” (BYOD) employee-owned devices. We don’t expect a one-size-fits-all solution, as you can pick the combination that makes the most sense for specific device usage scenarios.
- When we look at how these technologies are typically used together, we see three groupings: Basic controls, provided through Exchange ActiveSync for the most basic needs, e.g. e-mail access; Lightweight controls, for either company-owned or personal devices where more management is needed or desired; and Full Control where Group Policy, System Center, and WSUS provide extensive capabilities that target company-owned devices (typically connected to the corporate network).