How Microsoft IT Solves BYOD Using Microsoft System Center Configuration Manager R2 and Windows IntuneKarthik JayavelMarc Hurley

PCIT-B333

Session Objective: Share Microsoft IT’s experiences with implementing Bring Your

Own Device (BYOD) culture with the help of System Center 2012 R2 and Windows Intune

Key TakeawaysLearn from our experience implementing BYOD scenarios in

Microsoft ITUnderstand the intricacies of managing a user’s personal

deviceHow to win over users with Line of Business applications on

their devices and protect corporate data from being compromised at the same time

How to make users more productive by providing access to company resources on their personal devices

Session Objectives And Takeaways

Who is This Session Designed For

People with a basic understanding of System Center 2012 Configuration Manager and a familiarity with Windows Intune

Interested in walking throughHow to embrace the BYOD culture in their enterprise environmentDistribute applications and policies to modern devices like Windows Phone 8 and Windows RTReporting on devices accessing corporate applications

Solution Overview

Solution Overview at Microsoft IT

Solution Benefits Of Adopting Unified

Solution

Goals

Goals

• Management support for Windows 8.x and heterogeneous devices

• Improve user productivity on user owned devices

• Safeguard BYOD assets

• Provide access to LOB apps

• Reduce infrastructure cost

• Central management for all enterprise & BYOD devices

Unified Device Management

• System Center 2012 R2 Configuration Manager

• Windows Intune • System Center 2012

Orchestrator

Better with Both

• Ability to provide users access to LOB apps

• Enforce security policies on devices

• Allows end users to connect from anywhere

• Access corporate resources

• No additional infrastructure required

Device Scope @ Microsoft ITWindows 8.x

Challenges for Heterogeneous devices @ Microsoft IT• Limited LOB

applications for various platforms

• Shift in the technical support model

• User expectations for non domain joined PCs

Heterogeneous Devices

AndroidOut of Scope

Windows 8.x RT

Windows 8.1Non Domain Joined (NDJ) PC

Windows Phone 8.x

Current UDM MetricsWindows Phone

8.xWindows RT/8.x

25033 1643Devices Enrolled

121 247LOB apps published

34 0Deep linked apps

iOS

41

3

16

MSIT UDM setup

Karthik Jayavel

Unified Management Infrastructure @ Microsoft IT

Redmond Site 175k

Clients

Redmond Site 275k

Clients

North & South

America35k Clients

Europe, MidEast, Africa

40k Clients

Australia & Asia

75k Clients

Device Mgmt.

Site

MS Online Directory Services (MSODS)

Active Directory

Federation Server 3.0

MS Online Directory

Sync (DirSync)

ADUser

Discovery corp domains

Intune Subscriptio

n

Connector Site role

Infrastructure• 6 Primary Sites• 13 Secondary Sites• 250 Distribution

PointsPCs & Devices• ~300,000 clients• ~125k mobile

devicesUsers• ~98k FTEs• ~82k Vendors

Built ConfigMgr R2 Standalone Environment Virtual Primary Site in Corp Domain 12GB, 4 Proc PS and 24 GB, 4 Proc SQL

ServerPerformed User Discovery for Entire Corp Forest

MSODS team provisioned Intune Services for Microsoft IT Tenant and set up services Admin

Setup DNS redirection for enterpriseenrollment.Microsoft.com to Intune Beta environment

Apply device specific certificates: Windows Phone 8 code signing cert Windows RT code signing cert &

sideloading iOS Apple push notification cert

Microsoft Corp Active Directory

Federation Server 3.0

MS Online Directory

Sync (DirSync)

Intune Subscriptio

n

Connector Site role

Primary Site

SQL Server

MSODS AD

User Discovery corp domains

1

Windows Intune

2

3

4

5

Microsoft Cloud Services

How MSIT Configured Intune Subscription

Intune Subscription Setup Overview

Directory Sync to synchronize AD data and ADFS setup for single sign on. http://technet.microsoft.com/en-us/library/hh967642.aspx

Perform User Discovery for users you will provide BYOD enrollment in your environment

DNS redirection for enterpriseenrollment.<yourcompany>.com will be needed

What you need to do Obtain a VeriSign certificate. Work with your app/security team

Purchase side loading key from volume license center

Generate request from Configuration Manager console and certificate from Apple's portal

AD Team – Dirsync and ADFS 3.0App Team – App CertificationSecurity Team – Policy definitionRemote Resource Access Team – VPN/WiFi/Cert

What you need to do

Intune Subscription in Configuration Manager

DemoCloud Sync MonitoringKarthik Jayavel

Managing Company Portal Across All Devices

Marc Hurley

Windows Phone 8.x Company Portal

Deployed Company Portal as “Available” to User Collection

Obtained WP8 Company Portal through internal process

Associated the published WP8 Company Portal in the Intune Subscription

Worked with App certification team to sign Company Portal before publishing

Published all LOB applications to All Users and/or Security Groups

Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

Windows 8.x Company Portal

Deployed Company Portal as “Required” to User Collection

Configured the Intune Connector with Microsoft Internal Root Certificate

Published all LOB applications to All Users and/or Security Groups

Obtained Company Portal appx through internal process

Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

iOS Company Portal Obtained Company Portal ipa file through internal process

Configured the Intune Connector with APN Certificate

Created an internal website to host Company Portal install file

Published deep linked applications to All Users and/or Security Groups

Deployed Company Portal as “Required” to User Collection during upgrade scenarios & maintain Company Portal reach

Company Portal RecapName Platform Installation MethodWindows Intune Company Portal

Windows 8.x (RT, x86/x64) 

IT Deployment  - (push to NDJ devices/users at Microsoft; MSIT users should not install the Company Portal from store)

Note: Public will download from Microsoft Store

Windows Intune Company Portal for Windows Phone 8

Windows Phone 8 IT Deployment - (Auto Install post enrollment)

Note: Public will download from Microsoft.com

Windows Intune Company Portal for iOS

iOS Direct User Installation  - (We get from Intranet site: http://issp at Microsoft because we are in CTiP, moving to Extranet site) 

Note:  The public will get it from the App Store. 

Windows Intune Company Portal for Android

Android Direct User Installation  - (Evaluation in progress). 

Note: The public will get it from Google Play. 

DemoWP8.1 Enrollment and Company PortalMarc Hurley

Windows Phone 8.1 Enrollment

Modern Application Delivery

Marc Hurley

Modern Application Delivery

Native management of Windows RT, Windows Phone 8.x and iOS through Windows Intune Unified Management

Administration Windows RT Windows Phone 8

Windows Phone 8.1

iOS

Available LOB apps in Portal Required LOB apps Deep Linked apps In console deployment monitoring

Single pane of glass: Manage app deployments to modern devices through integration with the ConfigMgr R2 admin console

Simplified Administration Experience

Advanced Modern Device Management

How We Automated App Publishing in MSIT

Self service of Modern Application publishing

Rapid turnaround time from request time to deployment

Reduction of Configuration Manager Administrative Overhead

Remove manual provisioning and deployment errors

IT DevCenter – application developer’s request portal

Visual Studio 2012 Team Foundation Server

System Center 2012 Orchestrator

System Center 2012 R2 Configuration Manager cmdlets

Custom PowerShell modules

Active Directory cmdlets

Publishing process that mimics the Windows Store process

Use of scripts & templates to enforce standardization

Reduce publishing time from 3 days to 6 hours

Admins can focus on deployment errors rather than publishing

95% of app publishing work completed zero touch

Requirements Technology Benefits

Dev Center Assigns Task

Orch. Runbooks wake on schedule

Check TFS tasks waiting for Automation

Update task Status

“In Process”

Create XML files from TFS

Task

Identify “Activity

Type”

Call Power Shell Modules

Create, Deploy, Create & Deploy, Delete, Pause,

Supersede

Update Task Status

Assigns Task to Dev Center

Pre-Process

Process

End to End Workflow

App owner submits

application to Dev Center

DemoModern App AutomationMarc Hurley

Security Policies -Settings Management

Karthik Jayavel

Setting Management at Microsoft IT

• UDM policies consistent with MSIT EAS policies

• Created password and encryption policies using pre-defined settings in CM

• Set the baseline for remediation to enforce

• Deployed the baseline to users• Provided reports to Security Team

for compliance status

Setting Up Device Policies

WP WinRTWindows 

iOS

Device Encryption True Not Supported Not Supported Not Supported

Device Password Enabled Not Supported Not Supported Enabled

Allow Simple Password True Not Supported Not Supported False

Min Password Length 4 6 (local only)8

4

Max inactive time to lock 15 mins 15 mins15

15 mins

Max failed attempts before wipe

5 5 (local)10

5

Password ExpirationNot

configured70 days (local)

70Not Configured

Password History 0 0 24 0

Min Complex Characters 1 1 (local only)1

0

Allow CameraNot

configuredNot configured

Not configuredYes

Maximum grace PeriodNot

configuredNot configured

Not configured3

Allow BrowserNot

configuredNot configured

Not configuredYes

C o r p P o l i c i e s

Company Resource Access

Karthik Jayavel

Certificate Registration Point role Installed at on-premConfig Mgr environment

Configure CRP to communicate with Network Device Enrollment Service

NDES is Internet facing (http://NDESFQDN/certsrv/mscep/mscep.dll)Install plugin on NDES serverConfigure PKI certs on NDES and CRP for cross communication

Troubleshooting Tips Runtime log file : CRP.logSetup logs : CRPMSI.log,CRPSetup.logSQL table : MDMCRPrequests

Simple certificate enrollment protocol

Used KSP to store certs on TPM and cert store based on device types

Windows Phone 8.1 = TPM cert onlyWindows 8.1 = both TPM and non-TPM certsiOS = Non-TPM cert

Cert renewal threshold 92% of 14 days

Deployed Root Certificate first and then individual SCEP certs

Simple certificate enrollment Certificates

VPN radius servers managed by VPN team

Split Tunnel profiles authorized by MSIT VPN teamIKEV2,EAP-TLS connection for WPB Automatic, PEAP for Windows devices (3rd Party connection types like Juniper etc., supported)

Associate VPN profile to relevant SCEP cert with EKUSCEP certs and VPN profile are installed asynchronously

VPN Profiles

Custom IE settings using DCM for single sign on

Used import profile feature for Windows profiles VPN connect for Windows and Windows Phone Smart Card and Phone auth for Windows devices

Custom reports provided to MSIT VPN team

Phone Auth profiles for Windows use different VPN servers

VPN Profiles

Worked with Network team for SSIDsUsing WPA2 enterprise Specify root cert and SCEP certs deployed

MSIT users will get secured Wi-Fi and VPN profiles only through IntuneVPN, Certs and Wi-Fi Profiles are user targeted to cover various platforms

Wi-Fi Profiles

Users can RDP to CM managed PCs from Company Portal

Managed PCs are CM agent installed Device affinity data leveraged to display PCs in Portal

Identified RDG server URL

Deployed Remote Connection profile Enables RDP on CM agent installed machines Access given to primary user for RDP and enable firewall rules

Piloted with Phone factor authenticationNot scoped for Windows Phone 8.1

Remote Connection

DemoCompany Resource AccessVPN and Remote Connection

Karthik Jayavel

UDM Reports

Marc Hurley

Unified Device Management Reports

Best Practices Identified at Microsoft ITActionsLearnings

New experience for users enrolling devices

Helpdesk awareness on modern devices support

Restrict access for Remote Wipe and Retire commands

Monitoring external components like NDES and VPN servers

Call out important apps to users

Educated users with enrollment steps

Created support documentation and trained helpdesk

Use RBAC to control Remote Wipe and Retire access

Work with VPN team to enable monitoring/reports

Use Featured App function when publishing

• WP App Signing Cert expired after 1 year• Had to replace AET with new token• Had to resign and republish applications• No need to resign apps for WP8.1

• Replaced Apple APN certificate• Account used to obtain APN was user specific iTunes account• Had to have all iOS devices un-enroll and re-enroll

• Enrollment certificate expiration happens every year on WP8

• WP8 users need to respond and renew cert before expiration to keep enrollment intact• WP8.1 will update the certificate automatically in the background

• Policies were targeted to devices instead of users• Delay in getting security policies as devices had to register first

• Windows 8.x core OS does not support app Side Loading

• Users had to upgrade OS license to Windows 8.x Pro or Enterprise

Lessons Learned

In Review: Session Objectives And TakeawaysSession Objectives: • Showed how Configuration Manager and Intune helped MSIT users to

access corporate LOB applications over the internet• Shared how you can enforce corporate security policies on Devices• Displayed how to improve user productivity by providing access to

Corporate Resources on their personal devices

Key Takeaways• Understand the straightforward process to maximize value from

implementing Unified Device Management • You can provide access to Corporate Resources and enforcing Corporate

Security is simple by using Settings and Company Resource Access features• Configuration Manager database contains Managed Device information

that can be used for building custom Reports

Related SessionsPCIT-B339 How Microsoft IT Manages Their Microsoft System Center Configuration Manager Application Lifecycle with Zero Touch

FOR MORE INFORMATION

•Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune•http://technet.microsoft.com/en-us/library/dn482435.aspx

• Technical Case Study: User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT• http://technet.microsoft.com/en-us/library/hh925141.aspx

•System Center in Action Site• http://blogs.technet.com/b/system_center_in_action/

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Complete an evaluation and enter to win!

Evaluate this session

Scan this QR code to evaluate this session.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.