Solution Benefits Of Adopting Unified Solution Goals Management support for Windows 8.x and heterogeneous devices Improve user productivity on user owned devices Safeguard BYOD assets Provide access to LOB apps Reduce infrastructure cost Central management for all enterprise & BYOD devices Unified Device Management System Center 2012 R2 Configuration Manager Windows Intune System Center 2012 Orchestrator Better with Both Ability to provide users access to LOB apps Enforce security policies on devices Allows end users to connect from anywhere Access corporate resources No additional infrastructure required

Challenges for Heterogeneous Microsoft IT Limited LOB applications for various platforms Shift in the technical support model User expectations for non domain joined PCs

Windows Phone 8.x Windows RT/8.x Devices Enrolled LOB apps published Deep linked apps iOS

Redmond Site 1 75k Clients Redmond Site 2 75k Clients North & South America 35k Clients Europe, MidEast, Africa 40k Clients Australia & Asia 75k Clients Device Mgmt. Site MS Online Directory Services (MSODS) Active Directory Federation Server 3.0 MS Online Directory Sync (DirSync) AD User Discovery corp domains Intune Subscription Connector Site role Infrastructure 6 Primary Sites 13 Secondary Sites 250 Distribution Points PCs & Devices ~300,000 clients ~125k mobile devices Users ~98k FTEs ~82k Vendors

Built ConfigMgr R2 Standalone Environment  Virtual Primary Site in Corp Domain  12GB, 4 Proc PS and 24 GB, 4 Proc SQL Server Performed User Discovery for Entire Corp Forest MSODS team provisioned Intune Services for Microsoft IT Tenant and set up services Admin Setup DNS redirection for enterpriseenrollment.Microsoft.com to Intune Beta environment Apply device specific certificates:  Windows Phone 8 code signing cert  Windows RT code signing cert & sideloading  iOS Apple push notification cert Microsoft Corp Active Directory Federation Server 3.0 MS Online Directory Sync (DirSync) Intune Subscription Connector Site role Primary Site SQL Server MSODS AD User Discovery corp domains 1 Windows Intune Microsoft Cloud Services

Directory Sync to synchronize AD data and ADFS setup for single sign on. us/library/hh aspx us/library/hh aspx Perform User Discovery for users you will provide BYOD enrollment in your environment DNS redirection for enterpriseenrollment.. com will be needed What you need to do Obtain a VeriSign certificate. Work with your app/security team Purchase side loading key from volume license center Generate request from Configuration Manager console and certificate from Apple's portal AD Team – Dirsync and ADFS 3.0 App Team – App Certification Security Team – Policy definition Remote Resource Access Team – VPN/WiFi/Cert What you need to do

Managing Company Portal Across All Devices Marc Hurley

Deployed Company Portal as “Available” to User Collection Obtained WP8 Company Portal through internal process Associated the published WP8 Company Portal in the Intune Subscription Worked with App certification team to sign Company Portal before publishing Published all LOB applications to All Users and/or Security Groups Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

Deployed Company Portal as “Required” to User Collection Configured the Intune Connector with Microsoft Internal Root Certificate Published all LOB applications to All Users and/or Security Groups Obtained Company Portal appx through internal process Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

Obtained Company Portal ipa file through internal process Configured the Intune Connector with APN Certificate Created an internal website to host Company Portal install file Published deep linked applications to All Users and/or Security Groups Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

NamePlatformInstallation Method Windows Intune Company PortalWindows 8.x (RT, x86/x64) IT Deployment - (push to NDJ devices/users at Microsoft; MSIT users should not install the Company Portal from store) Note: Public will download from Microsoft Store Windows Intune Company Portal for Windows Phone 8 Windows Phone 8IT Deployment - (Auto Install post enrollment) Note: Public will download from Microsoft.com Windows Intune Company Portal for iOS iOSDirect User Installation - (We get from Intranet site: at Microsoft because we are in CTiP, moving to Extranet site) Note: The public will get it from the App Store. Windows Intune Company Portal for Android AndroidDirect User Installation - (Evaluation in progress). Note: The public will get it from Google Play.

Simplified Administration Experience Advanced Modern Device Management

Self service of Modern Application publishing Rapid turnaround time from request time to deployment Reduction of Configuration Manager Administrative Overhead Remove manual provisioning and deployment errors IT DevCenter – application developer’s request portal Visual Studio 2012 Team Foundation Server System Center 2012 Orchestrator System Center 2012 R2 Configuration Manager cmdlets Custom PowerShell modules Active Directory cmdlets Publishing process that mimics the Windows Store process Use of scripts & templates to enforce standardization Reduce publishing time from 3 days to 6 hours Admins can focus on deployment errors rather than publishing 95% of app publishing work completed zero touch RequirementsTechnologyBenefits

Dev Center Assigns Task Orch. Runbooks wake on schedule Check TFS tasks waiting for Automation Update task Status “In Process” Create XML files from TFS Task Identify “Activity Type” Call Power Shell Modules Create, Deploy, Create & Deploy, Delete, Pause, Supersede Update Task Status Assigns Task to Dev Center Pre-Process Process App owner submits application to Dev Center

Security Policies - Settings Management

Setting Management at Microsoft IT UDM policies consistent with MSIT EAS policies Created password and encryption policies using pre-defined settings in CM Set the baseline for remediation to enforce Deployed the baseline to users Provided reports to Security Team for compliance status Setting Up Device Policies WPWinRT Windows iOS Device EncryptionTrueNot Supported Device PasswordEnabledNot Supported Enabled Allow Simple PasswordTrueNot Supported False Min Password Length46 (local only) 8 4 Max inactive time to lock15 mins mins Max failed attempts before wipe 55 (local) 10 5 Password ExpirationNot configured70 days (local) 70 Not Configured Password History Min Complex Characters11 (local only) 1 0 Allow CameraNot configured Yes Maximum grace PeriodNot configured 3 Allow BrowserNot configured Yes Corp Policies

UDM Reports Marc Hurley

Unified Device Management Reports

ActionsLearnings New experience for users enrolling devices Helpdesk awareness on modern devices support Restrict access for Remote Wipe and Retire commands Monitoring external components like NDES and VPN servers Call out important apps to users Educated users with enrollment steps Created support documentation and trained helpdesk Use RBAC to control Remote Wipe and Retire access Work with VPN team to enable monitoring/reports Use Featured App function when publishing

WP App Signing Cert expired after 1 year Had to replace AET with new token Had to resign and republish applications No need to resign apps for WP8.1 Replaced Apple APN certificate Account used to obtain APN was user specific iTunes account Had to have all iOS devices un-enroll and re-enroll Enrollment certificate expiration happens every year on WP8 WP8 users need to respond and renew cert before expiration to keep enrollment intact WP8.1 will update the certificate automatically in the background Policies were targeted to devices instead of users Delay in getting security policies as devices had to register first Windows 8.x core OS does not support app Side Loading Users had to upgrade OS license to Windows 8.x Pro or Enterprise