In this session we will look at how we enable Modern Management with Azure Active Directory, Microsoft Intune and Windows 10. We will look at how, with Azure AD, we establish identity and access control, self-service and access to applications. We will then look at how the new Azure AD together with Intune works in […]
3. ENTERPRISE MOBILITY + SECURITY
Components (diagram): Azure Active Directory, Intune, Azure Information Protection, Advanced Threat Analytics, Microsoft Cloud App Security, Identity Protection, Privileged Identity Management; actors: Administrators, Users.
• Protect your users, devices, and apps
• Detect problems early with visibility and threat analytics
• Protect your data, everywhere
• Extend enterprise-grade security to your cloud and SaaS apps
• Manage identity with hybrid integration to protect application access from identity attacks
5. IDENTITY AS THE CORE OF MOBILITY
Microsoft Azure Active Directory (cloud): single sign-on, self-service, simple connection
• On-premises: Windows Server Active Directory, other directories
• Cloud: Microsoft Azure, SaaS, public cloud
7. AZURE AD MANAGEMENT
Azure Portal: https://portal.azure.com
GA May 2017
Classic Portal: https://manage.windowsazure.com -> soon retired (RIP)
Azure Active Directory Admin Center: https://aad.portal.azure.com
Office 365 Admin: http://portal.office.com
Azure AD PowerShell: V1 (MSOL) – V2
Microsoft Graph!
8. DEMO – AZURE AD PORTAL
https://aad.portal.azure.com
https://portal.azure.com
9. AZURE AD POWERSHELL
• MSOnline module (v1)
• AzureAD module (v2)
v2 is recommended; it comes in two versions:
• AzureAD (GA)
• AzureADPreview
Tightly coupled to the Graph API:
• *AD* cmdlets for the Azure AD Graph API
• *ADMS* cmdlets for the Microsoft Graph API
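As an added example (not from the slides or from Microsoft's module documentation), the script below shows the v1 and v2 modules side by side: it installs them, splits the v2 cmdlets by the *AD*/*ADMS* prefix to see which ones sit on Azure AD Graph versus Microsoft Graph, and does the same user lookup with each generation. It assumes PowerShellGet is available, that the signed-in account can read the directory, and the UPN is a constructed placeholder.

```powershell
# Added example: MSOnline (v1) next to AzureAD (v2). Assumes the modules can be
# installed from the PowerShell Gallery and the account has directory read rights.
# The UPN below is a constructed placeholder, not a real account.

# Install once per machine (commented out so the script is safe to re-run):
# Install-Module -Name MSOnline       -Scope CurrentUser
# Install-Module -Name AzureAD        -Scope CurrentUser
# Install-Module -Name AzureADPreview -Scope CurrentUser   # do not load together with AzureAD in one session

Import-Module AzureAD

# Split the v2 cmdlets by prefix. Verb-AzureADMS* cmdlets call Microsoft Graph;
# the remaining Verb-AzureAD* cmdlets call the older Azure AD Graph API.
$v2Cmdlets  = Get-Command -Module AzureAD
$msGraph    = $v2Cmdlets | Where-Object { $_.Name -match '^\w+-AzureADMS' }
$aadGraph   = $v2Cmdlets | Where-Object { $_.Name -match '^\w+-AzureAD(?!MS)' }
'{0} cmdlets on Azure AD Graph, {1} cmdlets on Microsoft Graph' -f $aadGraph.Count, $msGraph.Count

# The same user lookup in v2. -ObjectId accepts either the object id or the UPN.
$upn = 'user@contoso.example'   # constructed placeholder
Connect-AzureAD | Out-Null
Get-AzureADUser -ObjectId $upn | Select-Object DisplayName, UserPrincipalName, ObjectId

# v1 equivalent, for scripts that still depend on MSOnline:
# Connect-MsolService
# Get-MsolUser -UserPrincipalName $upn | Select-Object DisplayName, UserPrincipalName, ObjectId
```

The prefix split is a quick way to audit an existing script: anything built on the *AD* cmdlets is tied to the Azure AD Graph API, and the *ADMS* cmdlets are the ones that track the Microsoft Graph feature set.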
15.
• Job Loss
• No More Control
• IT Pro’s will become Helpdesk
• Costs
• No More Security
• ….
19. Intune hybrid, Intune cloud only, Intune MAM-WE (diagram)
• Intune hybrid: IT manages through the Configuration Manager console (System Center Configuration Manager); mobile devices and PCs, plus domain-joined PCs
• Intune cloud only: IT manages through the Intune Admin Portal; mobile devices
• Intune MAM-WE: IT manages through the Azure Admin Portal; MAM apps
22. SCCM
Central Administration Site
• Central primary site administration
• Reporting
Primary Sites
• Client management and settings
• Delegated administration
Secondary Sites
• Content routing
• Distribution points
Hierarchy (diagram): one SCCM Central Administration Site, two SCCM Primary Sites below it, and six Secondary Sites below the primary sites.
26. Prerequisites for mobile device management in Intune
• Step 1: Enable connections
• Step 2: Set MDM authority
• Step 3: Create groups
• Step 4: Configure Company Portal
• Step 5: Assign user licenses
• Step 6: Enable enrollment
• Step 7: Next steps
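Steps 3 and 5 above are the ones that are easiest to script. The following is an added example, not taken from the slides or from the Intune documentation: it creates a dynamic Azure AD group that scopes MDM enrollment and assigns an EMS license to a user with the AzureADPreview module. It assumes AzureADPreview is installed, that the signed-in account can create groups and assign licenses, that the tenant has Azure AD Premium (needed for dynamic membership) and a SKU whose part number contains "EMS"; the group name, department value and UPN are constructed placeholders.

```powershell
# Added example: Intune prerequisite steps 3 (create groups) and 5 (assign licenses)
# done with the AzureADPreview module. Assumptions: module installed, account can
# create groups and assign licenses, Azure AD Premium for dynamic groups, and an
# EMS SKU in the tenant. Names, department and UPN below are constructed.

Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Step 3: a dynamic group so new users in the department are picked up automatically
# instead of being added by hand. New-AzureADMSGroup is a Microsoft Graph (*ADMS*) cmdlet.
$group = New-AzureADMSGroup -DisplayName 'Intune-MDM-Users' `
    -Description 'Users in scope for MDM enrollment (constructed example)' `
    -MailEnabled $false -MailNickname 'intune-mdm-users' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Sales") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'
'Created group {0} ({1})' -f $group.DisplayName, $group.Id

# Step 5: find the EMS SKU and assign it. A user needs a UsageLocation before any
# license can be assigned, so set it first.
$sku = Get-AzureADSubscribedSku |
    Where-Object { $_.SkuPartNumber -like '*EMS*' } |
    Select-Object -First 1
if (-not $sku) { throw 'No EMS SKU found in this tenant (assumed by this example).' }

$license  = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

$upn = 'new.hire@contoso.example'   # constructed placeholder
Set-AzureADUser -ObjectId $upn -UsageLocation 'NO'
Set-AzureADUserLicense -ObjectId $upn -AssignedLicenses $licenses

# Verify: seats left on the SKU and the plans now on the user
$sku | Select-Object SkuPartNumber, @{ n = 'Remaining'; e = { $_.PrepaidUnits.Enabled - $_.ConsumedUnits } }
(Get-AzureADUser -ObjectId $upn).AssignedLicenses
```

Dynamic membership is evaluated by the service, so the group is empty right after creation and fills in once the rule has been processed; check the group's members before using it as the enrollment scope in step 6.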
27. MDM ENROLLMENT PLATFORMS
• iOS and Mac
• Android
• Android for Work
• Windows 10 Mobile and Windows Phone
• Windows PCs and laptops (Intune client software)
• You can also enable enrollment of corporate-owned devices.
30. SYNC???
Normal check-in frequency:
• iOS and Mac OS X: every 6 hours.
• Android: every 8 hours.
• Windows Phone: every 8 hours.
• Windows 8.1 and Windows 10 PCs enrolled as devices: every 8 hours.
If the device has just enrolled, the check-in frequency is higher, as follows:
• iOS and Mac OS X: every 15 minutes for 6 hours, and then every 6 hours.
• Android: every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
• Windows Phone: every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
• Windows PCs enrolled as devices: every 3 minutes for 30 minutes, and then every 8 hours.
31. • Create Windows 10 installation media
• Windows Configuration Designer (ADK/Store App)
• Azure Active Directory join in bulk
• MBR2GPT.EXE
• Windows Defender Advanced Threat Protection
• Windows Defender Antivirus
• Device Guard and Credential Guard
• Windows Update for Business
• Optimize update delivery
32. New CSP in Windows Creators Update
• DynamicManagement CSP (location, network, time)
• CleanPC CSP
• BitLocker CSP
• NetworkProxy CSP
• EnterpriseAppVManagement CSP
33. New CSP in Windows Creators Update
• Office CSP
• Policy CSP - ADMX-backed policies
• MDM Migration Analysis Tool (MMAT)
34. Unify Your Environment
Protect your data; enable your users; devices, apps, data
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure
35. Manage mobile productivity without compromising compliance
Manage Mobile Productivity and Protect Data with Office
• Manage mobile productivity and protect data with Office Mobile apps for iOS and Android
• Manage policy for existing iOS line of business apps (so called “app wrapping”)
• Managed browser and PDF/Audio/Video viewers
Conditional Access Policy to Email and Documents
• Provide access to Exchange and OneDrive for Business resources only to managed devices
• Deny access if a device falls out of compliance
Enroll and Manage Corporate-owned Devices
• Enable IT to bulk enroll corporate-owned task-worker devices
• Support for Apple Configurator
(Diagram labels: Personal, Corporate)
36. Enterprise Mobility Lifecycle
Enroll
• Enroll devices in AD and MDM
• Block email/SharePoint etc until enrolled
• Customizable Terms & Conditions
• Simple end user experience
Provision
• Provision access to corporate resources
• Install VPN, Wifi, Certificates
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Measure device and app compliance
• Block access if policy violated (eg: jailbreak)
• Contain data to prevent leaks
• Self service portal for users
Retire
• Revoke company resource access
• Selective wipe
• Audit lost/stolen devices etc
(Employees sit at the centre of the cycle.)
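The "Manage and Protect" and "Retire" stages both turn on the device object in Azure AD, which is what conditional access evaluates. As an added example (not from the slides), the script below reads the compliance state Intune writes to each device, lists the devices a compliance-based policy would block, flags stale ones as retire candidates, and disables a device reported lost. It assumes the AzureAD v2 module is installed, that the account has device administrator rights, and that the 90-day threshold and device name are constructed placeholders; the selective wipe itself is issued from Intune, not from this script.

```powershell
# Added example: compliance reporting and device retirement with the AzureAD module.
# Assumptions: AzureAD module installed, account has device administrator rights.
# The 90-day cutoff and the device name are constructed placeholders.

Import-Module AzureAD
Connect-AzureAD | Out-Null

# Manage and Protect: Intune writes IsManaged/IsCompliant to the device object;
# a compliance-based conditional access policy reads exactly these flags.
$report = Get-AzureADDevice -All $true |
    Select-Object DisplayName, DeviceOSType, DeviceOSVersion,
                  IsManaged, IsCompliant, AccountEnabled, ApproximateLastLogonTimeStamp

# Enabled, managed devices that have fallen out of compliance: these are the ones
# that lose access to Exchange/OneDrive under such a policy and need follow-up.
$nonCompliant = $report | Where-Object { $_.AccountEnabled -and $_.IsManaged -and -not $_.IsCompliant }
$nonCompliant | Sort-Object DisplayName | Format-Table -AutoSize

# Retire candidates: no sign-in for 90 days (constructed threshold).
$cutoff = (Get-Date).AddDays(-90)
$stale  = $report | Where-Object {
    $_.ApproximateLastLogonTimeStamp -and $_.ApproximateLastLogonTimeStamp -lt $cutoff
}
'{0} stale device(s) older than {1:yyyy-MM-dd}' -f @($stale).Count, $cutoff

# Retire / revoke company resource access: disabling the device object means it can
# no longer satisfy device-based conditional access. Wipe is issued from Intune.
$lost = Get-AzureADDevice -SearchString 'LAPTOP-LOST-01'   # constructed placeholder
foreach ($device in $lost) {
    Set-AzureADDevice -ObjectId $device.ObjectId -AccountEnabled $false
    'Disabled {0} ({1})' -f $device.DisplayName, $device.ObjectId
}
```

Disabling rather than deleting keeps the object for the "Audit lost/stolen devices" step; delete it with Remove-AzureADDevice only once the wipe has completed and the audit trail is no longer needed.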
43. Available Choices
• Identity: Active Directory; Azure Active Directory
• Management: Group Policy, System Center Configuration Manager, 3rd party PC management; Intune, 3rd party MDM
• Updates: Windows Update; Windows Server Update Services (WSUS); Intune, 3rd party MDM
• Infrastructure: On-premises or in the cloud
• Ownership: Corporate-owned, CYOD; BYOD
Organizations may mix and match, depending on their specific scenario
44. Basic, Lightweight, Full Control
Basic
• Management: Exchange ActiveSync
• Updates: Windows Update
• Devices: BYOD (personal) devices
• Scope: e-mail access only
Lightweight
• Identity: Active Directory and/or Azure Active Directory
• Management: Mobile Device Management
• Updates: Windows Update/MDM
• Devices: company-owned and BYOD devices
• Network: Internet-facing or corporate network
Full Control
• Identity: Active Directory
• Management: Group Policy, System Center
• Updates: WSUS
• Devices: company-owned devices
• Network: corporate network
Azure AD, Intune and Windows 10
In this session we will look at how we enable Modern Management with Azure Active Directory, Microsoft Intune and Windows 10.
We will look at how, with Azure AD, we establish identity and access control, self-service and access to applications.
We will then look at how the new Azure AD together with Intune works in a deployment and provisioning scenario, where Windows 10 is dynamically configured and managed without reimaging.
The session also covers application management, Windows Update, servicing and antimalware, and takes a closer look at Bring Your Own Device.
The new Azure AD PowerShell v2.0 module doesn’t provide full functional parity with the older MSOL module yet. We’re working hard to make that happen in the coming months and will keep you updated on our progress.
We are not planning to publish new functionality in the MSOL PowerShell module. Over time we will implement all the functionality of the old MSOL cmdlets in the new module, and this new module contains quite a few new cmdlets that haven’t been available before.
Maintain equivalent capabilities between our Graph API and our PowerShell cmdlets: to make sure that happens, all these new cmdlets are built on top of the Graph API.
Learn more at microsoft.com/intune
JV: Is this something you can show?
New CSP in Windows 10 Creators Update :
DynamicManagement CSP allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
CleanPC CSP allows removal of user-installed and pre-installed applications, with the option to persist user data.
BitLocker CSP is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
NetworkProxy CSP is used to configure a proxy server for ethernet and Wi-Fi connections.
Office CSP enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see Configuration options for the Office Deployment Tool.
EnterpriseAppVManagement CSP is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
New CSP in Windows 10 Creators Update :
Policy CSP - ADMX-backed policies
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies
IT pros can use the new MDM Migration Analysis Tool (MMAT) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
But really there’s more to it than just what management tool you use. There are choices in several areas.
For identity we will continue supporting Active Directory and domain-joined computers, while also directly supporting Azure Active Directory and “logon to the cloud.”
From a management perspective, Group Policy and Configuration Manager (or other 3rd party PC management tools) will continue to provide the greatest functionality, while Intune and third-party MDM services will provide lightweight mechanisms for managing Windows devices in appropriate scenarios.
For updating Windows systems, we’ll continue supporting Windows Update (where we automatically update devices as those updates are released) and WSUS (including with System Center Configuration Manager) where you control when updates are deployed. But we’ll also add new MDM capabilities, where Intune and third-party MDM services can also control the Windows updating process.
Overall these choices reflect the type of infrastructure being used to manage the devices. Whether on-premises or in the cloud, Windows 10 will support your choices.
We think these scenarios also align well with device ownership – you may choose to manage corporate-owned devices (including “choose your own device” (CYOD) scenarios) differently from “bring your own device” (BYOD) employee-owned devices.
We don’t expect a one-size-fits-all solution, as you can pick the combination that makes the most sense for specific device usage scenarios.
When we look at how these technologies are typically used together, we see three groupings: Basic controls, provided through Exchange ActiveSync for the most basic needs, e.g. e-mail access; Lightweight controls, for either company-owned or personal devices where more management is needed or desired; and Full Control where Group Policy, System Center, and WSUS provide extensive capabilities that target company-owned devices (typically connected to the corporate network).