User and Device Management Tomáš „Kanty“ Kantůrek

Presentation on theme: "User and Device Management Tomáš „Kanty“ Kantůrek"— Presentation transcript:

1 User and Device Management Tomáš „Kanty“ Kantůrek tomaskan@microsoft

2 System Center Marketing
4/1/2017 Today’s challenges
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Users: Users expect to be able to work in any location and have access to all their work resources.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
The explosion in use and number of consumer devices and ubiquitous information access is changing the way that people perceive their technology, in addition to how that technology shapes their personal and work lives. The constant use of information technology throughout the day, along with the easy access of information, is blurring traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology—selected and customized to fit users’ personalities, activities, and schedules—should extend into the workplace. Accommodating the consumerization of IT presents a variety of challenges. Historically, most or all devices used in the workplace were owned, and therefore managed, by the organization. Policies and processes were focused on device management—and usually on a relatively small, tightly controlled, and managed set of corporate-approved hardware that was subject to predetermined corporate replacement cycles. The consumerization of IT dramatically alters this scenario. There is greatly increased device and operating system diversity and volume in the organization. This can fundamentally change the IT landscape and necessitate a shift in management objectives from tight control over hardware to effective, user-centric governance. The way resources and applications are accessed and consumed is also changing. With the shift to personal devices and mobility, there is a need to adapt how applications work.
IT departments must also now consider authentication of the user, validation of the device, and updated service consumption models when planning their consumerization policies and implementation. The best organizational response is IT policies that match business realities and priorities, moving toward a people-centric model that replaces the older paradigm of device-centric policies and management. The Microsoft people-centric vision helps IT administrators increase their organizations’ productivity by enabling access to corporate resources, regardless of location or device used. This shift in focus requires policies, processes, and technologies that give people the freedom to select the devices they want to use, along with device-agnostic access to applications and data. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Empowering People-centric IT
Users, Devices, Apps, Data
Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: Deliver unified application and device management on-premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
Management. Access. Protection.
Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations. Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by: Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices. Helping protect your data by protecting corporate information and managing risk. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure. Let’s discuss each of these areas in more detail.

4 User and Device Management
Enable users: Access to company resources consistently across devices; simplified registration and enrollment of devices; synchronized corporate data.
Unify your environment: On-premises and cloud-based management of devices within a single console; simplified, user-centric application management across devices; comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles.
Protect your data: Protect corporate information by selectively wiping apps and data from retired/lost devices; a common identity for accessing resources on-premises and in the cloud; identify which mobile devices have been compromised.
Today, users want access to corporate applications from anywhere, and on whatever device they choose to use, whether it is their laptop, smartphone, tablet, or home PC. IT departments are challenged to empower users with consistent, rich experiences across a wide spectrum of device types. Microsoft’s User and Device Management solution helps reduce costs and improve IT efficiency by unifying the management and security for cloud- and on-premise-based PCs and mobile devices in an integrated infrastructure. With the upcoming releases of Microsoft® Windows Server® R2, Microsoft® System Center 2012 R2 Configuration Manager, and Windows Intune™, Microsoft builds on a comprehensive, people-centric solution that empowers user productivity while supporting the management needs of IT.
For enterprise users, Microsoft solutions enable users’ productivity and provide: Access to company resources consistently across devices. Users can use the device of their choice to access corporate resources regardless of location. Simplified registration and enrollment of devices. Users can manage their devices as well as install corporate apps through a consistent company portal. Synchronized corporate data. Users will have access to data stored on a centralized file server and can enable that data to be synchronized onto their mobile device.
For IT professionals, Microsoft solutions unify the environment and provide: Unified management of on-premises and cloud-based mobile devices. IT can extend its System Center Configuration Manager infrastructure with Windows Intune to support cloud management of mobile devices. This enables IT to publish corporate apps and services across device types, regardless of whether they’re corporate-connected or cloud-based. Simplified, user-centric application management across devices. IT gains efficiency with a single administration console, where policies can be applied across group and device types. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network profiles. Policies can be applied across various devices and operating systems to meet compliance requirements, and IT can provision certificates, VPNs, and Wi-Fi profiles on personal devices within a single administration console.
These solutions also help protect corporate data by providing: The ability to protect corporate information by selectively wiping apps and data. IT can access managed mobile devices to remove corporate data and applications in the event that the device is lost, stolen, or retired from use. A common identity for accessing resources on-premises and in the cloud. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

5 Enable users
Challenges:
Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
Users want an easy way to be able to access their corporate applications from anywhere.
IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Solutions:
Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.
First up is “Enable users.” The challenges that customers are facing are: Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources. This blending of work and personal worlds is a challenge for IT because it makes it difficult to distinguish between these, and when a device is lost, sold, or the user leaves the company, how do they ensure no information is lost or made available to people not authorized for it? Users want an easy way to access their corporate applications from anywhere. After you have a device, when you want to get your work done and integrate it into your personal world, getting access to work-related applications can be challenging, with internal applications not available in public app stores, or not being available for the platform that the device runs on. These devices are also typically connected to public networks and not internal managed networks. IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
Microsoft is answering these challenges with the following solutions: Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources. Device registration is a “give and get” scenario. The user “gives” by registering the device, and in turn “gets” access to resources. From an IT perspective, after the device is registered, it is now an object in Active Directory, and as such it can be used as a security principal as part of the authentication and access policies. Additionally, users can enroll their devices with the Windows Intune management service, which provides them with the company portal for consistent access to applications and data, and to be able to manage their devices. And finally, IT can publish access to corporate resources with conditional access based on the user’s identity, the device the user is using, and the user’s location (internal versus external). This provides IT with additional levels of capability to control where information can be synced to and accessed from. So now we will take a deeper look at how we have approached delivering on these solutions.

6 Helping IT to enable users
Users can enroll devices for access to the company portal for easy access to corporate applications.
IT can publish desktop virtualization resources for access to centralized resources.
Users can work from anywhere on their devices with access to their corporate resources.
IT can provide seamless corporate access.
IT can publish access to resources with the web application proxy based on device awareness and the user’s identity.
Users can register devices for single sign-on and access to corporate data with Workplace Join.
Diagram labels: RD Gateway, VDI, Session host, Files, LOB Apps, Web Apps, Firewall, Active Directory.
Let’s begin by thinking about how we can help IT to enable users, how they can deliver on the users’ desire to work on their own device and have access to all their apps and data, and yet still retain control so that business and compliance requirements can be met. Let’s start with the ultimate goal: users can work from anywhere on their devices with access to their corporate resources. This can be achieved through native applications for the device platform, web-based applications, and through data sync via Work Folders. Now, there may be some applications and data that you do not want to be available locally on devices; these users can access centralized applications and data through Desktop Virtualization, whether that be VDI, Session Host, or RemoteApp. You can empower users to register their devices for single sign-on and access to corporate data with Workplace Join. As previously covered, this is a give and get system, and it allows IT to be able to open up access to applications and data that otherwise would not be available, in return for knowing about the device.
An easy way for users to get all their applications in one place is by enrolling their devices for access to the company portal. This enrollment joins the device to the Windows Intune management service and allows the installation of the company portal, which IT can populate with internal line-of-business (LoB) applications as well as links to applications that are available in the public app stores. From within the company portal, users can also manage their devices and perform actions such as wiping a lost or replaced device.
IT can provide seamless corporate access with DirectAccess and automatic VPN connections. DirectAccess allows users to work remotely and always be connected to the corporate network without the need to initiate a VPN connection. New with Windows Server 2012 R2 and Windows 8.1 is the ability to configure applications to initiate the VPN connection when the application is launched.
IT can publish access to resources with the web application proxy based on device awareness and the user’s identity. New in Windows Server 2012 R2, using the web application proxy, IT can publish access to internal web applications that can be connected to from user devices, either by native applications or a web browser. Additionally, the web application proxy can pre-authenticate the user and the device and enforce access policies such as requiring the device to be registered or invoking multi-factor authentication.

7 People-centric Application Delivery
Accessing apps the right way, on the right device
Target applications based on user role the best way for each device: Windows/Windows RT, Windows Phone, iOS, Android, OS X.
Evaluate device capabilities for optimal application delivery: local installation, Microsoft Application Virtualization, Desktop Virtualization (VDI), web applications, native app/App Store.
Diagram labels: App-V (MDOP), Remote App, MSI, RDS.
Part of a consistent user experience is the ability to enable the administrator to deliver applications to the user, regardless of the device being used. Being able to target applications to each user – across their devices – is fundamental. With Configuration Manager and Windows Intune – you can make sure that applications are delivered in the optimal format for each device to ensure worker productivity. Configuration Manager allows the administrator to define the application once and targets it to a user or group. It evaluates the user’s device type and network connection capabilities and then delivers the appropriate format – local installation, App-V, etc. So whether your employee is using a laptop, VDI session, or iPad – or all of those – we’ll deliver the app to that user with the best experience on each device. Because of the integration between Windows Intune and Configuration Manager, you can also extend application delivery to all major device types – while still centrally managing application delivery across devices from a single console. Applications can include locally-installed MSI packages or App-V applications on Windows devices, remote applications using Microsoft virtualization solutions, web links, or public applications stored in the Windows Store, App Store, or Google Play.

8 Protect your data
Challenges:
As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
A significant amount of corporate data can only be found locally on user devices.
IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solutions:
Users can work on the device of their choice and be able to access all their resources, while IT can identify at-risk devices through jailbreak and root detection.
IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
IT can centrally audit and report on information access.
And lastly, let’s take a look at protecting your data. The challenges that customers are facing are: Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment, and in cloud-based platforms is a challenge. As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device. A significant amount of corporate data can only be found locally on user devices, which means it is not backed up or available for compliance classification, and it is unprotected in the event a device is lost, stolen, or sold. IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Microsoft is answering these challenges with the following solutions: Users can work on the device of their choice and be able to access all their resources, regardless of location or device. IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents. IT can centrally audit and report on information access. So now we will take a deeper look at how Microsoft has approached delivering on these solutions.

9 Help protect corporate information and manage risk
Identify at-risk devices through jailbreak and root detection.
Selective wipe removes corporate applications, data, certificates/profiles, and policies as supported by each platform.
Full wipe as supported by each platform.
Can be executed by IT or by user via Company Portal.
Sensitive data or applications can be kept off device and accessed via Remote Desktop Services.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
Diagram labels: Enrollment, Lost or Stolen, Retired, Personal Apps and Data, Company Apps and Data, Policies, Centralized Data, Remote App.
Users can access corporate data regardless of device or location. Remote working is not just about devices and applications; it’s also about data. Access to distributed data (such as data stored on the local device) or having an integrated way of gaining access back to centralized data is required to ensure the user is productive when working remotely.
Windows Server provides the ability to sync data from a centralized file repository to user devices.
Windows Server provides the ability to connect via desktop virtualization from remote devices to centralized data sources.
IT can identify which devices are at risk, through jailbreak and root detection, and take appropriate action, including wiping the device.
IT can protect corporate information by selectively wiping apps and data:
Applications that were installed through Windows Intune
Sideloading keys
Remove MDM policies (not but reset)
Wi-Fi/VPN profiles

10 Unify your environment
Challenges:
MDM products are typically delivered as point solutions, which do not integrate with the main PC management solution already in use.
Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solutions:
IT has a single “pane of glass” to view and manage all managed devices, whether on-premises or cloud-based, PCs or mobile devices.
Users and IT can leverage their common identity for access to external resources through federation.
Now let’s take a look at unifying your environment. The challenges that customers are facing are: Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and on cloud-based platforms. Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Microsoft is answering these challenges with the following solutions: Users have a single sign-on experience when accessing all resources, regardless of location, meaning that users do not have to remember multiple sets of credentials. Users and IT can leverage their common identity for access to external resources through federation. So now we will take a deeper look at how Microsoft has approached delivering on these solutions.

11 Providing users with a common identity
IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.
Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365, and third-party applications.
Users are more productive by having a single sign-on to all their resources.
Developers can build applications that leverage the common identity model.
IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Windows Azure Active Directory.
Diagram labels: 3rd party services, Apps in Azure Active Directory, Files, LOB Apps, Web Apps, Active Directory.
Just as Windows Intune can act as the cloud-based extension to Configuration Manager, it is important to extend the organization’s directory services into the cloud in order to enable users to authenticate and access resources which are either cloud- or corporate-based. Microsoft provides solutions that enable customers to achieve this by leveraging their existing investments and connecting out to the cloud-based services. The goal here is to make users more productive by having a single sign-on to all their resources. IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Windows Azure Active Directory. In order to provide this experience to users, IT is able to use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity. Users can leverage their common identity through accounts in Windows Azure Active Directory to Windows Azure, Office 365, and third-party applications. Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Windows Azure for cloud-based applications.

12 Unify your environment
Deliver comprehensive application and device management
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
Unified infrastructure enables IT to manage devices “where they live”
IT can manage the device and application lifecycle
Diagram labels: User, Single Admin Console, IT.
Now that we’ve talked about how you can provide your users access to resources from virtually anywhere, on any device, we need to turn to the second section of our discussion – making sure that with all the empowerment you’re providing to your workers, you can still maintain the corporate security and compliance – as well as the efficiency of your IT processes. Given the explosion of devices that you’ll see coming through the door, it is absolutely essential that you have an infrastructure in place to manage these devices without introducing complexity or astronomical budget increases.
Unified infrastructure enables IT to manage devices “where they live.” The Microsoft solution is focused on helping reduce client management infrastructure costs and complexity. With the integration between Configuration Manager and Windows Intune, we offer a single console that integrates both on-premises and in-the-cloud management. Client management and security are offered in a unified single solution – giving you a streamlined approach to managing devices and applications as well as identifying and remediating threats and non-compliance. If you’re a current Configuration Manager customer, adding the Windows Intune cloud-based management is quick and easy. With this unified solution, organizations are able to manage endpoint devices “where they live.” This also includes connectivity to Office 365 for EAS-based management policies.
Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles:
Policies can be applied across various devices and operating systems to meet compliance requirements, to the extent of the capabilities exposed on those platforms
Extended native management for Windows RT, iOS and Android
IT can provision certificates, VPNs, and Wi-Fi profiles on personal devices
Full app inventory and application push install for corporate-owned devices, inventory of “managed” apps and publishing of apps for personal devices
Remotely wipe and unregister corporate devices from management system (as supported by each operating system)
IT can manage the device and application life cycle by removing MDM-specific content from devices no longer managed. Selective wipe of managed applications’ data:
Applications that were installed through Windows Intune
Sideloading keys
MDM policies
Wi-Fi/VPN profiles

13 Windows Intune – Standalone service
Managed platforms: Windows PCs (x86/64, Intel SoC); Windows RT, Windows Phone 8; iOS, Android.
Web-based Admin Console for IT. Manage up to 7,000 devices and 4,000 users.
Using Windows Intune as a standalone service enables the administrator to use a single web-based administration console to manage both Windows PCs and the most popular mobile device platforms.

14 Manage and Secure PCs and Devices Anywhere
Simple web-based Administration Console and a richer experience for Information Workers:
- Help protect PCs from malware
- Manage updates
- Distribute software
- Proactive monitoring and alerts
- Provide remote assistance
- Inventory hardware and software
- Monitor & track licenses
- Increase insight with reporting
- Set security policies
- Richer Mobile Device Management
Windows Intune provides a rich console to address the needs of managing many aspects of the PC and mobile device environment, such as software distribution and updates, monitoring and reporting.

15 End User Experience
Consistent self-service experience for the end user across mobile platforms:
- Windows RT Company Portal: native Windows application, available in the Windows Store
- Windows Phone 8 Company Portal: native Windows Phone 8 app (.xap), side-loaded during enrollment
- iOS Company Portal: native iOS application, available in the Apple App Store
For Windows RT, Windows Phone and iOS, a rich Company Portal experience is provided, giving the user easy access to their corporate applications. For Windows RT and iOS, this application is available from the public application stores. For Windows Phone, the Company Portal is provided to the user during their enrollment in Windows Intune. For Android, the user accesses the Company Portal via a web page.

16 End User Capabilities for each Platform
Platforms compared: Windows 8 & Windows 8.1; Windows RT & Windows 8.1 RT; Windows Phone 8; iOS; Android.
Capabilities compared: Enroll (local device) Yes EAS; Rename devices No; Retire (un-enroll local device); Remotely wipe other devices; Install enterprise LOB applications; Install publicly available applications yes; Browse to web links; Contact IT.
Where possible, the end user experience and capabilities of the Company Portal have been kept consistent. There are a few exceptions to this, such as the EAS-managed devices, like Android devices, but the user should be easily able to navigate the Company Portal if they change device platforms.

17 Application Management on Mobile Devices
Sideload to install, by platform:
- Windows 8/Windows RT: *.appx
- Windows Phone 8: *.xap
- iOS: *.ipa
- Android: *.apk
Deep links to store apps: install from store.
Deployment of applications to devices is another key tenet. For each of the four supported platforms we enable sideloading of applications directly through Windows Intune, so if a company has a corporate Line of Business application it wishes to deploy, the application can be uploaded through the Windows Intune administration console and made available to the user. Additionally, the administrator can provide links to applications in the public app stores, so if there are recommended apps that the company uses, the end users can get them easily from the public stores.

18 Software Distribution Summary
Column headers: Platform; Desktop Apps (.msi, .exe); Modern App Types; Side loading; Deep Links; web apps; .appx; .xap; .ipa; .apk.
Platform rows: Windows 8 Pro/Ent; Windows RT **; iOS; Android; WP8; Windows 7 and below.
** Windows 8 SSP on WinRT will show MSI/EXE apps that can be remotely installed to other PCs linked to the user, but that are not installable on the local Windows RT device.

19 Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune:
- Build on existing Configuration Manager deployment
- Full PC management (OS Deployment, Endpoint Protection, application delivery control, rich reporting)
- Deep policy control requirements
- Scale to 200,000 mobile devices
- Extensible administration tools (RBA, Windows PowerShell, SQL Reporting Services)
There are two Microsoft solutions for managing mobile devices.
The first is the unified scenario with System Center 2012 R2 Configuration Manager with Windows Intune. This enables Configuration Manager to extend beyond on-premises PC management to devices that live in the cloud, including Android, iOS and Windows Phone devices, whilst using a single console for the admin experience. This solution provides rich policy management and reporting. It also provides for greater scalability.
The second is using Windows Intune as a standalone solution. This uses the web-based administration console and is ideal when the deployment of a management infrastructure on-premises would be overly complicated.

20 Platform Support
Column headers: OS Platform; Management Agent; End User Experience.
- Windows 8.1 PC: ConfigMgr Agent or Management Agent (OMA-DM); Software Center/Application Catalog, Windows Company Portal app
- Windows PC (Win8, Win7, Vista, XP)
- Windows RT: Management agent (OMA-DM)
- Windows Phone 8: Windows Phone 8 Company Portal app
- iOS: Apple MDM Protocol; iOS Company Portal app
- Android: Android MDM agent (OMA-DM); Android Company Portal app
- Mac: Limited self service experience
- Linux/Unix: N/A
Note: Highlighted items are new with System Center 2012 R2 Configuration Manager

21 Resource Access Configuration
New Features*
- Configure networking profiles: VPN profiles, support for Windows 8.1 Automatic VPN, Wi-Fi protocol and authentication settings
- Management and distribution of certificates
- Configure remote connection to work PCs
Benefits: end users get access to company resources with no manual steps for them.
Supported platforms: Windows 8.1, Windows 8.1 RT, iOS, Android.
* Varies based on device platform
A new capability of System Center 2012 R2 Configuration Manager is the ability to configure corporate resource access for devices. By setting things like VPN and Wi-Fi profiles through Configuration Manager, the end user does not have to worry about how to set up their device for corporate access. There are four areas that can be configured:
- Remote Connection Profiles: the ability to expose fully-managed (ConfigMgr client) PCs through the Company Portal. This enables users to open a Remote Desktop session to their corporate PC from a mobile client, whilst outside of the corporate network.
- Certificate Profiles: root certificates can be distributed to devices to enable verification of certificates. The Simple Certificate Enrollment Protocol can also be configured, enabling user- or device-specific certificates to be acquired by the mobile client. These can then be used to authenticate the user or the device for scenarios such as VPN access, web application authentication, etc.
- VPN Profiles: these can be configured to enable the mobile device to easily connect back into the corporate network without the user having to manage the settings.
- Wi-Fi Profiles: these can be configured to enable the mobile device to attach to corporate Wi-Fi environments without configuration by the user.
Note: some of these capabilities vary by device platform.

22 User-centric Application Delivery Administration
Delivery evaluation criteria: User; Device type; Network connection; User/Device Relationships.
Primary Devices: MSI; App-V; Windows 8 Apps; Windows 8 Apps in the Windows Store.
Non-primary Devices: VDI; Remote Desktop.
With Configuration Manager, you can create criteria on application deployments that determine the method of delivery of an application. It may be that on a certain device type, network connection or other attribute, you could choose to deploy a full native application, but other devices will receive a link to a virtual version of the application. This is a great solution for ensuring that corporate data does not leave the data center for devices that are lightly managed or less trusted. Devices that are fully managed and trusted could receive the full application.

23 User-centric Application Delivery End User Self-Service
IT:
- Administrators publish software titles to the catalog, complete with metadata to enable search
- Application model determines format and policies for delivery
User:
- Users can browse, select and install directly from the Catalog
- Deliver best user experience on each device
A key aspect of application delivery is the end user experience. A new self-service portal is available that gives the user a rich, modern Company Portal, which allows access to all the applications that have been provisioned for the user.

24 Unified Device Management Configuration
- Device management integrated directly into console
- Simple Windows Intune Subscription set-up
- Centralized branding and customization of Company Portal experience
- Windows Intune Connector deployed as a Site System Role
Another key tenet of unifying the infrastructure is bringing mobile device management into the client management infrastructure. To connect Configuration Manager to Windows Intune there are two simple steps to be carried out:
- Configure the Windows Intune Subscription: this sets up the platforms to be managed, and the branding for the Company Portal experience.
- Deploy the Windows Intune Connector: this is a lightweight Site Server role that can be deployed on an existing server. The Connector requires an outbound HTTPS connection to the Windows Intune cloud service, but does not need to be placed in the DMZ or exposed to the internet in any way.

25 Security and Compliance Endpoint Protection
Unified Infrastructure: Simplified server and client deployment. Streamlined updates. Consolidated reporting.
Comprehensive Protection Stack: Behavior monitoring. Antimalware. Dynamic Translation. Windows Firewall Management.
The unification of the infrastructure also includes bringing the Endpoint Protection management capabilities within the client management frame. Through the single Configuration Manager administration console, the admin can deploy System Center Endpoint Protection and easily track the health and state of the endpoint clients.

26 Security and Compliance Settings Management
Diagram labels: ConfigMgr MP; Baseline; ConfigMgr Agent; Assignment to collections; Baseline drift; Auto Remediate OR Create Alert (to Service Manager).
Baseline Configuration Items: WMI; XML; Registry; IIS; MSI; Script; SQL; Software Updates; File; Active Directory.
Improved functionality:
- Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator
- Copy settings
- Trigger console alerts
- Richer reporting
Enhanced versioning and audit tracking:
- Ability to specify versions to be used in baselines
- Audit tracking includes who changed what
Settings Management is also an important part of security and compliance for the enterprise. Configuration Manager contains extensive capabilities for configuring compliance baselines, deploying them to clients and monitoring the clients for baseline drift. If a client does go out of compliance, this can be reported on in Configuration Manager, an alert could be raised, or the client could be configured to auto-remediate the settings that are out of compliance.

27 Security and Compliance Software Update
Auto Deployment: Faster deployment through search. Schedule content download and deployment to avoid reboot during work hours.
State-based Updates: Allows individual or group deployment. Updates added to groups auto deploy to targeted collections.
Optimized for New Content Model: Reduce replication and storage. Expired updates and content deleted.
Diagram labels: Microsoft Update; CAS; Primary Site SUP Role/WSUS; Primary Site DP Role; Primary Site MP Role; Identifies who needs updates and reports on compliance; Downloads updates; Distributes updates; Assigns policy to scan for update status or to deploy update; Reports compliance.
To maintain a controlled environment it is important to deploy and monitor the updates to key software components. Configuration Manager integrates with Microsoft Update to enable the deployment and tracking of updates to Microsoft software (including the OS) in a scalable, manageable manner.

28 Role-based Administration
Map the organizational roles of your administrators to defined security roles:
- Security organization role
- Geography
Reduces error, defines span of control for the organization. RBA enhancements in R2 include SQL Reporting.
Example administrators:
- Meg - WW Central System Administrator
- Louis - Software Update Manager for France: can see & update “France” desktops; cannot modify security settings on “France” desktops; cannot see “All Systems” or “U.S.” desktops
- Bob - US and France Security Admin: can see and modify security settings on “France” and “U.S.” desktops; cannot update “France” or “U.S.” desktops; cannot see “All Systems”
Functionality in ConfigMgr 2007 and ConfigMgr 2012:
- What types of objects can I see and what can I do to them? ConfigMgr 2007: Class rights. ConfigMgr 2012: Security roles.
- Which instances can I see and interact with? ConfigMgr 2007: Object instance permissions. ConfigMgr 2012: Security scopes.
- Which resources can I interact with? ConfigMgr 2007: Site specific resource permissions. ConfigMgr 2012: Collection limiting.
System Center 2012 R2 Configuration Manager builds on top of the existing Role-Based Administration capabilities to now include RBA for SQL Reporting.
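The span-of-control rules on this slide, as an added Python model that is not part of the original presentation and is not Configuration Manager code: an operation is allowed only when the admin's security role permits it, the object's security scope is assigned to the admin, and the target collection falls within the admin's collections. The role permission sets, scope tags, object names and the assignment of the slide's two groups of bullets to Louis and Bob are assumptions made for the example.

```python
"""Constructed model of role + security scope + collection limiting.

All role, scope, collection and object names are sample values chosen to
mirror the slide; none of them is exported from a real ConfigMgr site.
"""
from dataclasses import dataclass

# Security roles: which operations each role allows (assumed, simplified).
ROLES = {
    "Central Administrator": {"read", "deploy_update", "modify_security"},
    "Software Update Manager": {"read", "deploy_update"},
    "Security Admin": {"read", "modify_security"},
}

# Collections form a tree: each collection is limited by its parent.
LIMITED_BY = {"All Systems": None, "France": "All Systems", "U.S.": "All Systems"}

# Security scopes tag securable object instances (update groups, policies).
OBJECT_SCOPE = {
    "FR-Patch-Group": "France",
    "US-Patch-Group": "U.S.",
    "FR-Firewall-Policy": "France",
    "US-Firewall-Policy": "U.S.",
}


@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset        # security roles held
    scopes: frozenset       # security scopes assigned, or {"All"}
    collections: frozenset  # collections assigned


def within(collection, assigned):
    """True if the collection is assigned, or is limited by an assigned one."""
    node = collection
    while node is not None:
        if node in assigned:
            return True
        node = LIMITED_BY[node]
    return False


def can_see(admin, collection):
    """Visibility needs a role with read plus a matching collection."""
    has_read = any("read" in ROLES[r] for r in admin.roles)
    return has_read and within(collection, admin.collections)


def authorize(admin, operation, obj, collection):
    """Return (allowed, failed_check); every one of the three checks must pass."""
    if not any(operation in ROLES[r] for r in admin.roles):
        return False, "role"
    if "All" not in admin.scopes and OBJECT_SCOPE[obj] not in admin.scopes:
        return False, "scope"
    if not within(collection, admin.collections):
        return False, "collection"
    return True, "ok"


def span_of_control(admin):
    """Every (operation, collection) pair the admin can reach, for review."""
    ops = set().union(*(ROLES[r] for r in admin.roles))
    return {(op, c) for op in ops for c in LIMITED_BY
            if within(c, admin.collections)}


MEG = Admin("Meg", frozenset({"Central Administrator"}),
            frozenset({"All"}), frozenset({"All Systems"}))
LOUIS = Admin("Louis", frozenset({"Software Update Manager"}),
              frozenset({"France"}), frozenset({"France"}))
BOB = Admin("Bob", frozenset({"Security Admin"}),
            frozenset({"France", "U.S."}), frozenset({"France", "U.S."}))

if __name__ == "__main__":
    for admin in (MEG, LOUIS, BOB):
        print(admin.name, sorted(span_of_control(admin)))
```

A denial names the first check that failed, which is the detail to look at when reviewing why an administrator's span of control is wider or narrower than intended.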

29 Operating System Deployment
Multiple Deployment Method Support:
- PXE-initiated deployment allows client computers to request deployment over the network
- Multicast deployment to conserve network bandwidth
- Stand-alone media deployment for no network connectivity or low bandwidth
- Pre-staged media deployment allows you to deploy an operating system to a computer that is not fully provisioned
User State Migration Tool (USMT) 4.0: UI integration makes it easier to transfer files and user settings from one machine to another.
Diagram labels: CAS; Primary Site MP Role; Primary Site DP Role; Image; Task Sequence; Report; WDS PXE Server.

30 Core Operating System Deployment Scenarios
Scenario and key functionality:
- New computer: fresh install of a new operating system on client or server system; new or repurposed hardware
- PXE boot: integrate with Windows Deployment Services (WDS) PXE server; self-provisioning via F12
- Wipe-and-load: install new version of operating system; reinstall applications and user state under new operating system
- Side-by-side: similar to wipe-and-load, except between two different devices
- Offline with removable media: with low bandwidth or no connectivity; large software packages are on the media
- Prestaged Media: optimized for network bandwidth; speeds up end to end deployment

31 Client Activity and Health
- In-console view of client health
- Threshold-based console alerts
- Heartbeat DDRs
- HW/SW inventory and status
- Remediation

32 Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to:
- Understand software installation profiles
- Plan for hardware upgrades
- Identify over or under licensing issues
- Track custom apps or groups of titles
Diagram labels: Software Metering and License Reports; Real-Time Application and Hardware Intelligence; Asset Intelligence Service; ConfigMgr Inventory; Asset Intelligence Catalog.

33 Summary
Column headers: 2012; 2012 SP1; 2012 R2.
Enabled
- Modern Device Management: EAS, Unified, Improved
- User-centric Application Delivery: User-centric, Win 8 Apps, Web App deployment
Unify
- Reduced Infrastructure Requirements: New, Flexible hierarchies
- Endpoint Protection: Integrated, Real-time actions, Updated engine
- Compliance and Settings Management: Auto remediation, User profile and data
- Software Update Management: Improved, Improved
- Distribution Point for Windows Azure: New
- Content Management: Improved, New
- Windows PowerShell: Additional cmdlets
Simplify
- Modern Management Console
- Role-based Administration: New, RBA in Reporting
- Operating System Deployment: Improved, Improved, Windows 8.1 support
- Client Health: Improved, Improved
- Asset Intelligence, Inventory and Software Metering: Improved, Improved

34 Sources of information
TechNet Blog:
Microsoft Virtual Academy:

35 © 2013 Microsoft Corporation. All rights reserved
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

