Gareth Kitson, Dr. Alexander Bruns
UEM1745BE
#VMworld #UEM1745BE
An Insider's View Into Windows 10 Management Technical with VMware AirWatch
VMworld 2017 Content: Not for publication or distribution
Speaker Introduction
Gareth Kitson, Senior Systems Engineer, VMware
Dr. Alexander Bruns, Digital Workplace Services & Solutions - Workplace Architecture & Consulting, DB Systel GmbH
Understanding the Windows 10 modern IT architecture for today's workforce
#UEM1745BE CONFIDENTIAL
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Session Agenda
1 Introduction
2 Simplifying Windows Deployments
3 Delivering Software at Scale
4 Windows Updates and the Cloud
5 Zero Trust and the New Security Paradigm
Modern Workforce Requirements Have Changed
© 2017 VMware Inc. All rights reserved. Confidential – Not for Distribution
PC Lifecycle Management (PCLM) Has Not
• Remote users and devices
• Mobile-cloud OS and apps
• New device type and ownership
Legacy, on-premises PCLM tools fall short of new OS and remote workforce demands!
Traditional PC Management
Falls short for your modern OS & workforce demands
• Compromised Security: slow to identify non-compliance
• Unreliable Software Distribution: resource-intensive packaging and deployment
• Poor User Experience: locked-down experience and no self-service
• Limited Visibility: policies and updates pending
Traditional Systems Management: OS Update Servers (WSUS), Software Distribution Servers, GPO Policy Servers (AD)
Unified Endpoint Management
Enables a modern approach to PC management
• Security Across Networks: backed by a powerful compliance engine
• Scalable Software Distribution: from the cloud, eliminate physical infrastructure
• Better User Experience: self-service and peak user experience
• Real-time Visibility: policy and updates in seconds, not months
Unified Endpoint Management: Configuration, Apps, Updates, Security
But PC Management Presents Certain Unique Challenges…
• Thousands of settings in Windows
• Group Policy Object (GPO)
• Network constraints prevent using an MDM tool for software distribution
• Limited Win32 software distribution capabilities
• Can't provide inventory data for traditional Win32 apps
• Situations where we cannot use an in-place OS upgrade
• Using built-in image means incompatibility risk
• Application packaging of legacy apps will be a barrier
Extending EMM with Critical PC Management Needs
Comprehensive unified endpoint management (UEM) features transforming the way IT manages Windows 10
Modern Management: Device and OS Lifecycle Management, App Management and Delivery, End-to-end Security Management
1. MDM for Windows
2. Configuration Management
3. OS Patch Management
4. Software Distribution
5. Client Health & Security
• Self-Service Access & SSO
• Co-exist with Systems Management
• Deploy Updates Off the Network
• Device Health Attestation
• Win32 App Lifecycle Management
• Instant Push Configuration for Policies
• GPOs On or Off the Domain
• Windows Information Protection
• Patch Auditing
• Granular Updates Management
• Asset Tracking
• App Inventory
• BitLocker Encryption
• Enterprise App Store
• Imageless Provisioning
• In-place or custom image migration
• Intelligent Insights and Rules Engine
• BIOS Management
• Delivery Optimization
• Automated Compliance
OLD IMAGE
• Customized OS
• Company Required Apps
• User/Role Specific Apps
• Company Required Policies
High Touch – Expensive – Not Scalable
MODERN TRUSTED IMAGE
• Base OEM OS (Preloaded)
• Apps, Policies, OS Updates (AirWatch, Microsoft Updates)
Secured real-time and over-the-air
Configure Devices Over-the-Air
• Modern (MDM Settings): Wi-Fi, VPN, Certificates, Email, Passcodes, Restrictions, Encryption, Firewall, Antivirus, OS Licenses…
• Legacy (PC Configuration): Group Policy Objects (GPOs), Security Baselines and ADMX Templates, BIOS / Firmware configuration…
• Advanced (Task Automation): Task sequence PowerShell commands, custom scripts, files, applications, runtime conditions and actions…
AirWatch Extends Cloud-Management to the Hardware Level
Dell Command | Monitor and AirWatch integration enables cloud-management of Dell commercial system BIOS
OS and App Level (AirWatch): End-to-End Security Management; Device and OS Lifecycle Management; App Management and Delivery
System Level (Dell Command | Monitor): Battery lifecycle and power; Hardware error reporting; BIOS health and password; Asset management; Security and virtualization
Windows Update Servicing Has Changed
Challenges:
• Updates delivered more frequently
• Management infrastructure upgrade with each new version
• Application compatibility testing with each new version
• Bandwidth utilization with Cumulative Updates
• Reporting of Device Status
• Reaching Remote Workers
Source: Microsoft
Windows Update as a Service (WUaaS) Requires a New Architecture
• Update metadata
• Report update metadata
• Authorize approved KBs
• Peer to peer delivery across Windows 10 Devices
• Query available updates
• List of KBs/Updates
• Fetch authorized updates
• Approve updates based on smart group assignments
Windows Update Analytics & Automation
Contextual Intelligence for your Windows 10 updates
Business: live dashboards enable immediate compliance actions and remediation
IT: make informed deployment decisions and rules for hands-free remediation
• Decide: optimize rollouts; target when to install, which group
• View: install status by patch, patch type, distribution rings
• Predict: average time to patch; rollout completion
• Remediate: create rules to deploy missing critical updates
How IT Deploys Apps Today…
• Special Request: manual provisioning on user request
• Role Based: user group or role specific images
• Company Wide: OEM and device specific images
Simplified Application Deployment Strategy With AirWatch
• Special Request: allow access through self-service; enable request workflows through integration; push to single users
• Role Based: user group mapping makes role assignment easy; create subgroups through AirWatch
• Company Wide: easy to manage updates; can push over-the-air or manage on image; can use WIP to add additional security to files associated with company wide apps
Deliver a Unified End User Experience Across All App Types
• Internally developed mobile apps
• Native public mobile apps
• SaaS apps
• Internal web apps
• Modern Windows apps
• Legacy Windows apps
• Virtualized management desktops
Simplify Management Across All App Types
1. Desktop Apps: full lifecycle management of Win32 or desktop applications
2. Cloud Apps: bring cloud apps and access management to AirWatch
3. Store Apps: integrate with Microsoft Store and Business Store Portal
Win32 Application Management Capabilities
1. Native Application Support
• EXE, MSI, ZIP, APPX
• Framework + Libraries
• Dependency Mapping
2. Simplified Configuration
• Device + User assignment
• Define Install Criteria
• MST Support
• Managed app settings
3. Advanced Lifecycle Mgmt.
• Custom Packaging
• Cumulative and Additive Patching (MSP)
• Self Service Versioning Controls
4. Inventory and Reporting
• List of apps per device
• App adoption status
• Installation status
• Pre-defined reports
CDN + P2P Distribution Technology
Adaptiva OneSite, VMware AirWatch UEM, Microsoft Windows
• Drive down costs by using peer-to-peer technology to eliminate the need for costly on-premises servers
• Protect your network by downloading content only once at each site
• Manage all endpoints from one unified solution, across any device, from anywhere – cloud and on-premises
• Replace servers with Adaptiva's breakthrough peer-to-peer software deployment technology
The New World: Securing Interactions is Getting Increasingly Complex
Infrastructure: Private Clouds, Hybrid Clouds, Public Clouds
Devices
Apps: Traditional Apps, Cloud-Native Apps, SaaS Apps
Typical App Connects to 7 Cloud Services
VMware's Approach to Security
TRANSFORM SECURITY
• New apps and delivery models can't be easily protected with perimeter-centric network security.
• Proliferating and diverse endpoints access a range of apps and IT services.
• Increasingly complex threat ecosystem and slow to identify non-compliance.
Secure Applications and Data
Protect Identity and Endpoints
Streamline Compliance
Intrinsic Security from Device to Data Center
Protect Identity and Endpoints
Safeguard user identities and endpoints, across any user, application and device
• Ensure desired OS state with over-the-air configuration of hardware and OS
• Harden OS with real-time device and OS health data; block access for compromised endpoints
• Establish user trust with new identity features; multifactor authentication based on context
Minimize Risk, Ensure Compliance
Manage governance, risk and compliance: real-time remediation and compliance
• Develop the rules, policies, and management around security requirements
• Maintain and evolve compliance; automate remediation for hands-free IT
• Cloud patching of devices across any network, on or off domain
• On-demand visibility, reporting and compliance auditing of all endpoints
Secure Access Based on Device Posture and Health Attestation
Health checks:
• Secure Boot ✔
• BitLocker Encryption ✔
• Antivirus and Firewall ✔
• Code Integrity ✔
• Windows Version ✔
• TPM 2.0 or Higher ✔
Managed and Compliant, user identity validated: COMPLIANT, access to Cloud or On-Premises Resources
Not Managed or Compliant: ACCESS DENIED (X)
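The six checks on this slide are the signals a compliance engine evaluates before a device is allowed to reach resources. The script below is an added example, not code from the deck or from VMware AirWatch: it reads the same six signals locally on a Windows 10 device and produces the compliant / denied verdict the slide draws. It assumes PowerShell 5.1 in an elevated session (the TPM and BitLocker cmdlets need it); the minimum build number is a placeholder policy value chosen for the example, and the decision strings are illustrative rather than AirWatch compliance states.

```powershell
# Added example (not from the deck or from VMware AirWatch): read-only posture check
# covering the six signals on the slide. Assumes Windows 10, PowerShell 5.1, elevated.
function Get-DevicePosture {
    [CmdletBinding()]
    param(
        # Placeholder policy value: oldest Windows 10 build still allowed (1703 = 15063)
        [int]$MinimumBuild = 15063
    )

    $checks = [ordered]@{}

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    #    which counts as a failed check.
    try   { $checks['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['SecureBoot'] = $false }

    # 2. BitLocker: OS volume fully encrypted and protection switched on.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $checks['BitLocker'] = ($osVol.ProtectionStatus -eq 'On' -and
                            $osVol.VolumeStatus -eq 'FullyEncrypted')

    # 3. Antivirus and firewall: Defender real-time protection on and every
    #    firewall profile (Domain, Private, Public) enabled.
    $mp = Get-MpComputerStatus
    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    $checks['AntivirusAndFirewall'] = ($mp.AntivirusEnabled -and
                                       $mp.RealTimeProtectionEnabled -and
                                       $disabledProfiles.Count -eq 0)

    # 4. Code Integrity: Win32_DeviceGuard reports the CI policy state as
    #    0 = off, 1 = audit, 2 = enforced. Enforced is required here (policy choice).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $checks['CodeIntegrity'] = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # 5. Windows version: build number against the policy minimum.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $checks['WindowsVersion'] = ([int]$os.BuildNumber -ge $MinimumBuild)

    # 6. TPM 2.0 or higher: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the
    #    first field is the TPM specification version. Get-Tpm confirms it is ready.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = if ($tpm) { [double](($tpm.SpecVersion -split ',')[0].Trim()) } else { 0 }
    $checks['Tpm2'] = ($null -ne $tpm -and (Get-Tpm).TpmReady -and $specVersion -ge 2.0)

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    # The slide's outcome: compliant devices reach resources, everything else is
    # denied until remediated. Decision names are illustrative, not AirWatch states.
    $decision = if ($failed.Count -eq 0) { 'COMPLIANT' } else { 'ACCESS DENIED' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($failed.Count -eq 0)
        FailedChecks = $failed
        Checks       = $checks
        Decision     = $decision
    }
}

Get-DevicePosture | Format-List
```

The value of returning the failed check names rather than a bare boolean is remediation: the slide's "block access for compromised endpoints" only works as a user experience if the console (or self-service portal) can tell the user which signal failed, and a real attestation flow would have the device report these signals and the server, not the device, decide.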
Secure Apps and Data
Gain transformative insights into application infrastructure, across any app, app type, and location
• Secure access to any app with context of identity, endpoint and app interactions
• Lock down access to unapproved and untrusted apps and malware
• Protect data with encryption, native DLP, per-app tunneling, and traffic filtering
• Remote wipe company data from admin console or self-service portal
Unlock the Power of BitLocker
• Use built-in TPM for secure authentication at lower cost (no need for additional startup flash drives) and also ensure pre-startup OS integrity
• Enforce login PIN in conjunction with TPM for multifactor authentication and lock out the OS from auto-resume
• Set recovery password rotation meeting compliance requirements and protecting against the key falling into the wrong hands
• Display recovery password URL and escrow in self-service portal to reduce helpdesk tickets
• Suspend BitLocker temporarily for scheduled maintenance tasks so the user isn't constantly prompted for password / PIN
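The bullets above map onto a handful of cmdlets in the BitLocker module that ships with Windows 10. The script below is an added example, not code from the deck or from VMware; it assumes an elevated session on a TPM-equipped machine whose OS volume is not yet encrypted, a policy that permits a startup PIN ("Require additional authentication at startup", which a UEM would normally push), and domain membership for the AD DS escrow call. A UEM agent would escrow the same recovery protector to its own console instead of AD DS; the function names are the example's own.

```powershell
# Added example (not the deck's or VMware's code): the BitLocker operations behind the
# slide's bullets, run locally with the built-in BitLocker module on Windows 10.
# Assumes an elevated session, a ready TPM, an OS volume that is not yet encrypted,
# a policy that allows a startup PIN, and (for the escrow call) an AD DS domain member.

$OsDrive = $env:SystemDrive

function Get-RecoveryProtector {
    # Recovery-password protector(s) currently on the volume.
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Update-RecoveryPassword {
    # Rotation: add a fresh 48-digit recovery password, escrow it, then drop the old
    # one(s), so a password that was read off a helpdesk ticket stops working.
    param([string]$MountPoint)
    $old    = @(Get-RecoveryProtector -MountPoint $MountPoint)
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }
    # Escrow before removing anything, so there is no window without a recoverable key.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
    $new.KeyProtectorId   # what a console stores alongside the escrowed password
}

# 1. TPM + PIN: the TPM seals the key to the measured boot chain (pre-startup
#    integrity); the PIN adds a second factor so a stolen laptop cannot auto-resume
#    into the OS.
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 2. Recovery password with escrow (the slide's "escrow in self-service portal").
Update-RecoveryPassword -MountPoint $OsDrive | Out-Null

# 3. Later rotation, on schedule or after the password has been used, is the same call:
#    Update-RecoveryPassword -MountPoint $OsDrive

# 4. Scheduled maintenance (for example a firmware update that changes the PCR
#    measurements): suspend protection for exactly one reboot so the user is not
#    prompted for the PIN and does not land in recovery; BitLocker re-arms itself.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1
# After the task, Resume-BitLocker -MountPoint $OsDrive re-arms protection early if needed.
```

The ordering inside Update-RecoveryPassword is the part worth copying: add and escrow the new protector first, remove the old one last. Rotation that removes before escrow succeeds leaves a device with no recoverable key if the escrow call fails, and a bounded -RebootCount is preferable to an open-ended suspension, which is the classic way a maintenance window turns into a permanently unprotected disk.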
New Level of Data Security with Windows Information Protection
• Setting Policy Levels: configure how enterprise data is handled (encrypt, block, audit)
• Configuring Per-App VPN: define which apps can access internal network through VPN
• Tagging Data: define data sources to classify as enterprise (IP, domain, SharePoint, and more)
• Defining Privileged Apps: configure privileged apps that can handle enterprise data
App Level VPN: Granular App Tunneling with AirWatch Tunnel
Restrict access to defined servers instead of the entire network
For external presentations, always use a title slide in the division colour.
Photo: Volker Emersleben
Ways to Learn More
Sessions
• UEM1359BE - Best Practices in Migrating Windows 7 to Windows 10 - 9/13 5:00pm
• UEM3155SE - The Evolution of Endpoint Management Within a Digital Workspace - 9/13 3:30pm
Meet the Expert
• Stop by our booth
• MTE4825U - Taking a Cloud First, Modern IT Approach to Windows 10 Management with Morgan Abaziou - 9/13 11:15am
Content
• www.workspaceone.com
• www.airwatch.com/solutions/windows
Hands-on Labs
• Stop by our hands-on labs at VMworld
• https://www.vmware.com/try-vmware/try-hands-on-labs.html
ASK THE EXPERTS