
LE Novak MCM, MCSE Premier Field Engineer - PowerPoint Presentation

Uploaded On 2018-12-04


Microsoft. Managing and Securing Devices using Exchange, System Center, and Intune. ARC307. Michael Indence, Senior Premier Field Engineer, Microsoft. Contact: L.E. Novak, Lawrence.Novak@Microsoft.com. ID: 735474



Presentation Transcript

Slide1
Slide2

LE Novak MCM, MCSE
Premier Field Engineer
Microsoft

Managing and Securing Devices using Exchange, System Center, and Intune

ARC307

Michael Indence
Senior Premier Field Engineer
Microsoft

Slide3

Contact

L.E. Novak
Lawrence.Novak@Microsoft.com
Blog: Geekswithablog.com
Podcast: Geeks, Bowties, and Tech
Twitter: @LE_Novak, @GeekswithaBlog

Michael Indence
Michael.Indence@microsoft.com

Slide4

Exchange
Exchange Connector with Configuration Manager
Configuration Manager with Intune

Protect and Manage Devices and Infrastructure

Slide5

Exchange

Slide6

Set-ActiveSyncOrganizationSettings
New-ActiveSyncDeviceAccessRule
Set-ActiveSyncDeviceAccessRule
New-ActiveSyncMailboxPolicy
Set-CasMailbox

Exchange - Protecting your Infrastructure

Slide7

Set-ActiveSyncOrganizationSettings

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients will@contoso.com, roger@contoso.com

Exchange - Protecting your Infrastructure

Slide8

New-ActiveSyncDeviceAccessRule

New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Block
New-ActiveSyncDeviceAccessRule -QueryString 'NokiaE521/2.00()MailforExchange' -Characteristic UserAgent -AccessLevel Allow

Exchange - Protecting your Infrastructure

Slide9

Set-ActiveSyncDeviceAccessRule

Set-ActiveSyncDeviceAccessRule 'ContosoPhone (DeviceModel)' -AccessLevel:Quarantine
Get-ActiveSyncDeviceAccessRule | Where {$_.AccessLevel -eq 'Allow'} | Set-ActiveSyncDeviceAccessRule -AccessLevel:Quarantine
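The following sketch is an added example, not part of the presentation and not Exchange's own code. It models how the organization default (Slide7) and the device access rules (Slide8, Slide9) combine with per-mailbox exemptions, following the order Exchange documents: personal exemptions first, then Block, Quarantine and Allow rules, then the default. The function name, the device objects and their IDs are constructed for illustration, and exact string matching of the query string is an assumption.

```powershell
# Added example: a model of the documented decision order, run on constructed data.
# Personal exemptions are what Set-CASMailbox -ActiveSyncBlockedDeviceIDs and
# -ActiveSyncAllowedDeviceIDs store on a mailbox.
function Resolve-AccessState {
    param(
        [Parameter(Mandatory)] $Device,           # DeviceId, DeviceModel, UserAgent
        [object[]] $Rules = @(),                  # QueryString, Characteristic, AccessLevel
        [string]   $DefaultAccessLevel = 'Allow',
        [string[]] $BlockedDeviceIDs = @(),
        [string[]] $AllowedDeviceIDs = @()
    )
    if ($BlockedDeviceIDs -contains $Device.DeviceId) { return 'Block (personal exemption)' }
    if ($AllowedDeviceIDs -contains $Device.DeviceId) { return 'Allow (personal exemption)' }

    # Assumption: a rule matches when the named characteristic equals its query string.
    $hits = @($Rules | Where-Object { $Device.($_.Characteristic) -eq $_.QueryString })
    foreach ($level in 'Block', 'Quarantine', 'Allow') {
        $rule = $hits | Where-Object AccessLevel -eq $level | Select-Object -First 1
        if ($rule) { return "$level (rule '$($rule.QueryString)')" }
    }
    return "$DefaultAccessLevel (organization default)"
}

# Constructed rules mirroring the two New-ActiveSyncDeviceAccessRule commands above.
$rules = @(
    [pscustomobject]@{ QueryString = 'iPhone'; Characteristic = 'DeviceModel'; AccessLevel = 'Block' }
    [pscustomobject]@{ QueryString = 'NokiaE521/2.00()MailforExchange'; Characteristic = 'UserAgent'; AccessLevel = 'Allow' }
)

# Constructed devices; the IDs and user agents are made up.
$devices = @(
    [pscustomobject]@{ DeviceId = 'DEV-0001'; DeviceModel = 'iPhone'; UserAgent = 'Apple-iPhone/1.0' }
    [pscustomobject]@{ DeviceId = 'DEV-0002'; DeviceModel = 'iPhone'; UserAgent = 'Apple-iPhone/1.0' }
    [pscustomobject]@{ DeviceId = 'DEV-0003'; DeviceModel = 'E52'; UserAgent = 'NokiaE521/2.00()MailforExchange' }
    [pscustomobject]@{ DeviceId = 'DEV-0004'; DeviceModel = 'ContosoPhone'; UserAgent = 'Contoso/1.0' }
)

# DEV-0002 has been approved for its owner; the organization default is Quarantine.
foreach ($d in $devices) {
    $state = Resolve-AccessState -Device $d -Rules $rules `
        -DefaultAccessLevel 'Quarantine' -AllowedDeviceIDs 'DEV-0002'
    '{0}  {1,-12}  {2}' -f $d.DeviceId, $d.DeviceModel, $state
}
```

The second iPhone is allowed despite the Block rule because a personal exemption is evaluated before any rule, which is worth checking when a broad Block rule appears not to take effect.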

Exchange - Protecting your Infrastructure

Slide10

Mobile Device Mailbox Policies

When you install Exchange 2013, a default mobile device mailbox policy is created. All users are automatically assigned this default mobile device mailbox policy.

Exchange - Protecting your Infrastructure

Slide11

New-ActiveSyncMailboxPolicy

New-ActiveSyncMailboxPolicy -Name 'All Users' -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true -AttachmentsEnabled $true -AllowSimpleDevicePassword
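An added example (not from the presentation): a check that compares mailbox policy objects against the values used in the New-ActiveSyncMailboxPolicy command above, including the case where the inactivity lock is reported as Unlimited. The function name and the two sample policies are constructed; in an Exchange shell the input would come from Get-ActiveSyncMailboxPolicy.

```powershell
# Added example: flag policies weaker than the 'All Users' values shown above.
function Test-MobilePolicyBaseline {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $findings = @()
        if ($Policy.AllowNonProvisionableDevices) { $findings += 'non-provisionable devices allowed' }
        if (-not $Policy.DevicePasswordEnabled)   { $findings += 'device password not required' }
        if (-not $Policy.RequireDeviceEncryption) { $findings += 'device encryption not required' }
        if ($Policy.PasswordRecoveryEnabled)      { $findings += 'password recovery enabled' }

        # "Unlimited" or an empty value does not parse as a time span: report it.
        $lock = "$($Policy.MaxInactivityTimeDeviceLock)"
        $span = [timespan]::Zero
        if (-not ([timespan]::TryParse($lock, [ref]$span)) -or $span -gt [timespan]'00:15:00') {
            $findings += "inactivity lock '$lock' exceeds 00:15:00"
        }

        # A missing minimum length means there is no length requirement at all.
        $len = 0
        if (-not ([int]::TryParse("$($Policy.MinDevicePasswordLength)", [ref]$len)) -or $len -lt 4) {
            $findings += 'minimum password length below 4'
        }

        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample policies (not taken from a real organization).
$policies = @(
    [pscustomobject]@{ Name = 'Default'; AllowNonProvisionableDevices = $true
        DevicePasswordEnabled = $false; RequireDeviceEncryption = $false
        PasswordRecoveryEnabled = $false; MaxInactivityTimeDeviceLock = 'Unlimited'
        MinDevicePasswordLength = $null }
    [pscustomobject]@{ Name = 'All Users'; AllowNonProvisionableDevices = $false
        DevicePasswordEnabled = $true; RequireDeviceEncryption = $true
        PasswordRecoveryEnabled = $false; MaxInactivityTimeDeviceLock = '00:15:00'
        MinDevicePasswordLength = 4 }
)

$policies | Test-MobilePolicyBaseline | Format-List
```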

Exchange - Protecting your Infrastructure

Slide12

Adding and Removing Users from a Mobile Mailbox Policy

Set-CASMailbox -Identity tony@contoso.com -ActiveSyncMailboxPolicy "Sales"
Get-Mailbox | where { $_.CustomAttribute1 -match "Manager"} | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Contoso").Identity

Exchange - Protecting your Infrastructure

Slide13

Current list of available settings per device OS

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients

Exchange - Protecting your Infrastructure

Slide14

Demo Device Quarantine

L.E. Novak and Michael Indence

Slide15

Exchange Connector

Slide16

Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager.

Exchange Connector – Managing and Securing Devices

Slide17

Settings you can control

General
Password
Email Management
Security
Application

Exchange Connector – Managing and Securing Devices

Slide18

Option to control settings via Active Sync
Exchange Access rules control Allow, Block, or Quarantine
Remotely Wipe via ConfigMgr
Self Wipe via Application catalog
On-premise: automatically added to catalog on sync
Hosted: requires manual user device affinity before visible in catalog.

Exchange Connector – Managing and Securing Devices

Slide19

When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices. Some management functions are therefore limited. For example, you cannot install software on these devices or use configuration items to configure these devices.

Exchange Connector – Managing and Securing Devices

Slide20

When you use the Exchange Server connector, the mobile devices are managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies.

Exchange Connector – Managing and Securing Devices

Slide21

An account is required to configure the Exchange Connector in Configuration Manager. The account can be the computer account of the site server or a Windows user account, and must have rights in Exchange to certain cmdlets.

Exchange Connector – Managing and Securing Devices

Slide22

An account is required to configure the Exchange Connector in Configuration Manager. The account can be the computer account of the site server or a Windows user account, and must have rights in Exchange to certain cmdlets.

Exchange Server management roles that contain the required cmdlets are the Recipient Management, View-Only Organization Management, Server Management, and above.

Exchange Connector – Managing and Securing Devices

Slide23

DEMO
Exchange Connector

Michael Indence

Slide24

Intune

Slide25

System Center Intune has several access points; knowing each one is important to avoid confusing users and to get the most out of the subscription.

Portal.Manage.Microsoft.com (Users)
Account.Manage.Microsoft.com (Subscription Administration)
Manage.Microsoft.com (Intune Administration)

System Center Intune - Managing and Securing Devices

Slide26

There are various prerequisites that must be configured and working before Intune can manage mobile devices or be connected to System Center Configuration Manager.

Intune Account
Verified Public Domain
Domain UPN
Dirsync/SSO
DNS Alias (CNAME)
Certificate Keys

System Center Intune - Managing and Securing Devices

Slide27

Certificates are used with System Center Intune to secure software deployments to devices, whether the software is company developed or pushed, or to allow notifications. Below is a list, by OS type, of the certificate required.

Windows Phone 8 – Code Sign Cert (Symantec)
Support Tool for Windows Intune Trial (temp cert for testing)
Windows devices (Side loading Keys)
iOS – Apple Push Notification (APN)
Android (None)

System Center Intune - Managing and Securing Devices

Slide28

System Center Intune supports many mobile devices in Direct Managed mode or connected with System Center Configuration Manager 2012 R2.

Windows Phone 8 Devices
Windows 8 RT
Windows 8.1 RT
Windows 8.1
iOS 5.0, 6.0, and 7.0
Android Devices 2.3 and Later

System Center Intune - Managing and Securing Devices

Slide29

When integrating System Center Intune with System Center Configuration Manager, there are a few configuration changes and system roles to be set up.

Subscription Connector Setup
Windows Intune Connector Role

Logs
ConnectorSetup
CloudMgr
CloudUsersSync
dmpDownloader
dmpuploader

System Center Intune - Managing and Securing Devices

Slide30

System Center Intune - Managing and Securing Devices

Source: http://blogs.technet.com/b/windowsintune/archive/2013/01/18/technet-radio-edition-cloud-based-management-with-windows-intune.aspx

Slide31

DEMO
Intune Initial Configuration

Michael Indence

Slide32

Company Applications
Deeplinking (Store Apps)
User Enrollment

Managing Devices – Managing and Securing Devices

Slide33

Method to deploy Vendor store apps via System Center Configuration Manager.

iTunes
Google Play
Windows Phone Store
Windows (Use reference computer)

Deeplinking – Managing and Securing Devices

Slide34

Windows Phone (Settings – Company Apps)
Windows RT (System Configuration – Company Apps)
Windows 8.1 and RT 8.1 (Workplace)
iOS (iTunes – Windows Intune Company Portal)
If Service Pack 1 (m.manage.Microsoft.com)
Android (Google Play – Windows Intune Company Portal)

User Enrollment – Managing and Securing Devices

Slide35

DEMO
User Enrollment

Michael Indence and L.E. Novak

Slide36

The enterprise feature pack will include:

S/MIME to sign and encrypt email
Access to corporate resources behind the firewall with app aware, auto-triggered VPN
Enterprise Wi-Fi support with EAP-TLS
Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps
Certificate management to enroll, update, and revoke certificates for user authentication

Windows Phone Enterprise Feature Pack – Managing and Securing Devices

Slide37

On February 28th 2014 Samsung announced a partnership with Microsoft to bring some of its enterprise services to Knox. Samsung mobile customers will now be able to take advantage of seamless authentication for access to enterprise resources, and Enterprise IT will be able to manage those devices with Windows Intune.

Samsung Knox and Intune – Managing and Securing Devices

Slide38

Exchange
Exchange Connector with Configuration Manager
Configuration Manager with Intune

Protect and Manage Devices and Infrastructure

Slide39

QUESTIONS

Slide40

Contact

L.E. Novak
Lawrence.Novak@Microsoft.com
Blog: Geekswithablog.com
Podcast: Geeks, Bowties, and Tech
Twitter: @LE_Novak, @GeekswithaBlog

Michael Indence
Michael.Indence@microsoft.com

Slide41
Slide42

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.