Microsoft Managing and Securing Devices using Exchange System Center and Intune ARC307 Michael Indence Senior Premier Field Engineer Microsoft Contact LE Novak LawrenceNovakMicrosoftcom ID: 735474
Download Presentation The PPT/PDF document "LE Novak MCM, MCSE Premier Field Engine..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1Slide2
LE Novak MCM, MCSEPremier Field EngineerMicrosoft
Managing and Securing Devices using Exchange, System Center, and Intune
ARC307
Michael Indence
Senior Premier Field Engineer
MicrosoftSlide3
Contact
L.E. NovakLawrence.Novak@Microsoft.comBlogGeekswithablog.comPodcast
Geeks, Bowties, and TechTwitter@
LE_Novak
@
GeekswithaBlog
Michael Indence
Michael.Indence@microsoft.comSlide4
Exchange
Exchange
Connecter with Configuration
Manager
Configuration Manager with Intune
Protect
and
Manage
Devices and InfrastructureSlide5
ExchangeSlide6
Set-
ActiveSyncOrganizationSettings
New-
ActiveSyncDeviceAccessRule
Set-
ActiveSyncDeviceAccessRule
New-
ActiveSyncMailboxPolicy
Set-
CasMailbox
Exchange
- Protecting your Infrastructure Slide7
Set-
ActiveSyncOrganizationSettings
Set-
ActiveSyncOrganizationSettings
-
DefaultAccessLevel
Quarantine -
AdminMailRecipients
will@contoso.com, roger@contoso.com
Exchange - Protecting your Infrastructure Slide8
New-
ActiveSyncDeviceAccessRule
New-
ActiveSyncDeviceAccessRule
-
QueryString
iPhone -Characteristic
DeviceModel
-
AccessLevel
BlockNew-ActiveSyncDeviceAccessRule -QueryString NokiaE521/2.00()MailforExchange -Characteristic
UserAgent
-
AccessLevel
Allow
Exchange
- Protecting your Infrastructure Slide9
Set-
ActiveSyncDeviceAccessRule
Set-
ActiveSyncDeviceAccessRule
'
ContosoPhone
(
DeviceModel
)' -
AccessLevel:Quarantine
Get-ActiveSyncDeviceAccessRule | Where {$_.AccessLevel -eq 'Allow'} | Set-
ActiveSyncDeviceAccessRule
-
AccessLevel:Quarantine
Exchange
- Protecting your Infrastructure Slide10
Mobile Device Mailbox Policies
When you install Exchange 2013, a default mobile device mailbox policy is created. All users are automatically assigned this default mobile device mailbox policy.
Exchange
- Protecting your Infrastructure Slide11
New-
ActiveSyncMailboxPolicy
New-
ActiveSyncMailboxPolicy
-Name 'All Users' -
AllowNonProvisionableDevices
$false -
DevicePasswordEnabled
$true -
AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption
$true -
AttachmentsEnabled
$true -
AllowSimpleDevicePassword
Exchange
- Protecting your Infrastructure Slide12
Adding and Removing Users from a Mobile Mailbox Policy
G
et-
CASMailbox
-Identity tony@contoso.com -
ActiveSyncMailboxPolicy
"Sales"
G
et-Mailbox
| where { $_.CustomAttribute1 -match "Manager"} | Set-CASMailbox -activesyncmailboxpolicy(Get-ActiveSyncMailboxPolicy
"Contoso").Identity
Exchange
- Protecting your Infrastructure Slide13
Current list of available settings per device OS
http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
Exchange
- Protecting your Infrastructure Slide14
Demo Device Quarantine
L.E. Novak and Michael IndenceSlide15
Exchange ConnectorSlide16
Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager.
Exchange Connector
– Managing and Securing DevicesSlide17
Settings you can
control
General
Password
Email
Management
Security
Application
Exchange Connector
– Managing and Securing DevicesSlide18
Option to control
settings via Active Sync
Exchange
Access rules control
Allow, Block, or
Quarantine
Remotely
Wipe via
ConfigMgr
Self Wipe via Application catalog
On-premise automatically added to catalog on syncHosted requires manual user device affinity before visible in catalog. Exchange Connector – Managing and Securing DevicesSlide19
When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices. Some management functions are therefore limited. For example, you
cannot
install software on these devices or use configuration items to configure these devices.
Exchange Connector
– Managing and Securing DevicesSlide20
When you use the Exchange Server connector, the mobile devices
are managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies.
Exchange Connector
– Managing and Securing DevicesSlide21
An account is required to configure the Exchange Connector in Configuration Manager. The account can be the computer account of the site server or a Windows user account, and must have rights in Exchange to certain cmdlets.
Exchange Connector
– Managing and Securing DevicesSlide22
An account is required to configure the Exchange Connector in Configuration Manager. The account can be the computer account of the site server or a Windows user account, and must have rights in Exchange to certain cmdlets
.
Exchange Server management roles that contain the required cmdlets are the Recipient Management, View-Only Organization Management, Server Management, and above.
Exchange Connector
– Managing and Securing DevicesSlide23
DEMOExchange Connector
Michael IndenceSlide24
IntuneSlide25
System Center Intune has various access points and knowing each one is important to not confuse users and get the most of the subscription.
Portal.Manage.Microsoft.com (Users)
Account.Manage.Microsoft.com (Subscription Administration
)
Manage.Microsoft.com (Intune Administration)
System Center Intune
- Managing and Securing DevicesSlide26
There are various pre-requisites that must be configured
and working before Intune can manage mobile devices or be connected to System Center Configuration Manager.
Intune Account
Verified Public
Domain
Domain UPNDirsync/SSO
DNS Alias (CNAME)
Certificate Keys
System Center Intune
- Managing and Securing DevicesSlide27
Certificates are used with System Center Intune to secure software deployments to devices that are either company developed or push or to allow Notifications. Below is a list by OS type of cert required
. Windows Phone 8 – Code Sign Cert (Symantec)
Support Tool for Windows Intune Trial (temp cert for testing)
Windows devices (Side loading Keys
)
IOS – Apple Push Notification (APN
)
Android (None)
System Center Intune
- Managing and Securing DevicesSlide28
System Center Intune support many Mobile devices in Direct Managed mode or connected with System Center Configuration Manager 2012 R2
.Windows Phone 8 DevicesWindows 8 RT
Windows 8.1 RTWindows 8.1
iOS 5.0, 6.0, and 7.0
Android Devices 2.3 and Later
System Center Intune
- Managing and Securing DevicesSlide29
When integrating System Center Intune with System Center Configuration Manager there is a few configuration changes and system roles to be setup.
Subscription Connector Setup
Windows Intune Connector
Role
Logs
ConnectorSetup
CloudMgr
CloudUsersSync
dmpDownloader
dmpuploader
System Center Intune - Managing and Securing DevicesSlide30
System Center Intune
- Managing and Securing Devices
Source http
://
blogs.technet.com/b/windowsintune/archive/2013/01/18/technet-radio-edition-cloud-based-management-with-windows-intune.aspx
`Slide31
DEMOIntune Initial Configuration
Michael IndenceSlide32
Company Applications
Deeplinking (Store Apps)
User Enrollment
Managing Devices
– Managing and Securing Devices Slide33
Method to deploy Vendor store apps via System Center Configuration Manager.
iTunes
Google Play
Windows
Phone Store
Windows (Use reference computer)
Deeplinking
– Managing and Securing DevicesSlide34
Windows Phone (Settings – Company Apps
)Windows RT (System Configuration – Company Apps)
Windows 8.1 and RT 8.1 (Workplace
)
iOS (ITunes – Windows Intune Company Portal
)
If Service Pack 1 (m.manage.Microsoft.com
)
Android (Google Play – Windows Intune Company Portal)
User Enrollment
– Managing and Securing DevicesSlide35
DEMOUser Enrollment
Michael Indence and L.E. NovakSlide36
The enterprise feature pack will include:
S/MIME to sign and encrypt email
Access to corporate resources behind the firewall with app aware, auto-triggered VPN
Enterprise
Wi-Fi support with EAP-TLS
Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps
Certificate management to enroll, update, and revoke certificates for user authentication
Windows Phone Enterprise
Feature Pack
– Managing and Securing DevicesSlide37
On February 28th 2014 Samsung announced a partnership with Microsoft to bring some of it’s enterprise services to Knox. Samsung
mobile customers will now be able to take advantage of seamless authentication for access to enterprise resources, and Enterprise IT will be able to manage those devices with Windows Intune.
Samsung Knox and Intune
–
Managing and Securing DevicesSlide38
Exchange
Exchange
Connecter with Configuration
Manager
Configuration Manager with Intune
Protect
and
Manage
Devices and InfrastructureSlide39
QUESTIONSSlide40
Contact
L.E. NovakLawrence.Novak@Microsoft.comBlogGeekswithablog.comPodcast
Geeks, Bowties, and TechTwitter@
LE_Novak
@
GeekswithaBlog
Michael Indence
Michael.Indence@microsoft.comSlide41Slide42
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.