MDM with SC

Managing and Securing
Devices using Exchange,
System Center, and Intune
LAWRENCE NOVAK
MICHAEL INDENCE
DMVMUG Reston, VA http://dmvmug.com
Protect and Manage Devices and
Infrastructure

Exchange

Exchange Connector with Configuration Manager

Configuration Manager with Intune
Exchange - Protecting your
Infrastructure

Set-ActiveSyncOrganizationSettings

New-ActiveSyncDeviceAccessRule

Set-ActiveSyncDeviceAccessRule
Exchange - Protecting your
Infrastructure

Set-ActiveSyncOrganizationSettings
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients will@contoso.com,roger@contoso.com
Exchange - Protecting your
Infrastructure

New-ActiveSyncDeviceAccessRule
New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Block
New-ActiveSyncDeviceAccessRule -QueryString NokiaE521/2.00()MailforExchange -Characteristic UserAgent -AccessLevel Allow
Exchange - Protecting your
Infrastructure

Set-ActiveSyncDeviceAccessRule
Set-ActiveSyncDeviceAccessRule 'ContosoPhone(DeviceModel)' -AccessLevel:Quarantine
Get-ActiveSyncDeviceAccessRule | Where {$_.AccessLevel -eq 'Allow'} | Set-ActiveSyncDeviceAccessRule -AccessLevel:Quarantine
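An added audit script for the Allow/Block/Quarantine setup the slides describe (this is example code, not from the deck). It checks that the organization default is Quarantine, reports every access rule with a note on Allow rules, and lists the devices currently held in quarantine. It assumes an Exchange 2013 Management Shell, where Get-MobileDevice is the replacement for Get-ActiveSyncDevice.

```powershell
# Added example, not from the slides. Run from the Exchange Management Shell (Exchange 2013).

function Get-EasAccessRuleReport {
    # Every characteristic a rule can match on (DeviceType, DeviceModel, DeviceOS,
    # UserAgent) is reported by the client itself, so an Allow rule is a policy
    # decision rather than authentication. Allow rules keyed on UserAgent are
    # flagged separately because that string is the easiest one for a client to change.
    Get-ActiveSyncDeviceAccessRule | ForEach-Object {
        $finding = ''
        if ($_.AccessLevel -eq 'Allow' -and $_.Characteristic -eq 'UserAgent') {
            $finding = 'Allow keyed on client-reported UserAgent'
        } elseif ($_.AccessLevel -eq 'Allow') {
            $finding = 'Allow rule: confirm it is still required'
        }
        [PSCustomObject]@{
            Name           = $_.Name
            Characteristic = $_.Characteristic
            QueryString    = $_.QueryString
            AccessLevel    = $_.AccessLevel
            Finding        = $finding
        }
    }
}

function Get-EasQuarantinedDevices {
    # Devices the ABQ logic has held back. Each one needs an admin decision:
    # a scoped rule, a per-user allow, or leave it quarantined.
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel,
                      DeviceOS, DeviceUserAgent, FirstSyncTime, DeviceAccessStateReason
}

# The rules only matter if unknown devices are quarantined by default, so check that first.
$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -ne 'Quarantine') {
    Write-Warning "DefaultAccessLevel is $($org.DefaultAccessLevel); unknown devices are not quarantined."
}

Get-EasAccessRuleReport  | Format-Table -AutoSize
Get-EasQuarantinedDevices | Format-Table -AutoSize
```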
Exchange - Protecting your
Infrastructure
DEMO
Exchange – Managing and Securing
Devices
Mobile Device Mailbox Policies
When you install Exchange 2013, a default mobile device
mailbox policy is created. All users are automatically assigned
this default mobile device mailbox policy.
Exchange – Managing and Securing
Devices
New-ActiveSyncMailboxPolicy
New-ActiveSyncMailboxPolicy -Name 'All Users' -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true -AttachmentsEnabled $true -AllowSimpleDevicePassword $true -DevicePasswordExpiration '30.00:00:00' -DevicePasswordHistory '0'
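The 'All Users' policy above allows 4-character simple PINs with no password history. As an added example (not from the deck), here it is beside a hardened variant, followed by a function that reports which settings of a given policy fall below a baseline. Policy names and the baseline thresholds are assumptions; run it from the Exchange Management Shell.

```powershell
# Added example, not from the slides. Policy names and thresholds are assumptions.

# The slide's policy as written: 4-character simple PINs, no history, 15-minute lock.
New-ActiveSyncMailboxPolicy -Name 'All Users' -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false `
    -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength 4 `
    -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true `
    -AttachmentsEnabled $true -AllowSimpleDevicePassword $true `
    -DevicePasswordExpiration '30.00:00:00' -DevicePasswordHistory 0

# Hardened variant: longer PIN, no simple sequences (1234, 1111), shorter lock timeout,
# wipe after repeated failed unlocks, and history so an expired PIN cannot be reused.
New-ActiveSyncMailboxPolicy -Name 'All Users - Hardened' -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false `
    -MaxInactivityTimeDeviceLock '00:05:00' -MinDevicePasswordLength 6 `
    -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true `
    -AttachmentsEnabled $true -AllowSimpleDevicePassword $false `
    -DevicePasswordExpiration '90.00:00:00' -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 10

function Test-EasPolicyBaseline {
    # Reads an existing policy back and lists every setting weaker than the baseline.
    param([Parameter(Mandatory)][string]$Name)
    $p = Get-ActiveSyncMailboxPolicy -Identity $Name
    $findings = @()
    if (-not $p.DevicePasswordEnabled)    { $findings += 'Device password not required' }
    if ($p.AllowSimpleDevicePassword)     { $findings += 'Simple (sequential/repeated) PINs allowed' }
    if ($p.MinDevicePasswordLength -lt 6) { $findings += "MinDevicePasswordLength is $($p.MinDevicePasswordLength); want 6 or more" }
    if ($p.DevicePasswordHistory -lt 1)   { $findings += 'No password history; PINs can be reused' }
    if (-not $p.RequireDeviceEncryption)  { $findings += 'Device encryption not required' }
    if ($p.AllowNonProvisionableDevices)  { $findings += 'Devices that cannot enforce the policy are allowed' }
    # These two are Unlimited<T> values, so test IsUnlimited before comparing .Value.
    $lock = $p.MaxInactivityTimeDeviceLock
    if ($lock.IsUnlimited -or $lock.Value -gt [TimeSpan]'00:15:00') { $findings += 'Inactivity lock longer than 15 minutes' }
    if ($p.MaxDevicePasswordFailedAttempts.IsUnlimited) { $findings += 'No wipe on repeated failed unlock attempts' }
    [PSCustomObject]@{ Policy = $Name; Findings = $findings }
}

Test-EasPolicyBaseline -Name 'All Users'             # reports the weak PIN settings
Test-EasPolicyBaseline -Name 'All Users - Hardened'  # should report nothing
```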
Exchange – Managing and Securing
Devices
DEMO
Exchange – Managing and Securing
Devices
Current list of available settings per device OS
http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
Exchange – Managing and Securing
Devices

The enterprise feature pack will include:

S/MIME to sign and encrypt email

Access to corporate resources behind the firewall with app-aware, auto-triggered VPN

Enterprise Wi-Fi support with EAP-TLS

Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps

Certificate management to enroll, update, and revoke certificates for user authentication
Exchange Connector – Managing and
Securing Devices
Use the Exchange Server connector in System Center 2012
Configuration Manager when you want to manage mobile
devices that connect to Exchange Server (on-premises or
online) by using the Microsoft Exchange ActiveSync protocol,
and you cannot enroll them by using Configuration Manager.
Exchange Connector – Managing and
Securing Devices

Settings you can control

General

Password

Email Management

Security

Application
Exchange Connector – Managing and
Securing Devices

Option to control settings

Exchange Access rules control: Allow, Block, or Quarantine

Remotely wipe via ConfigMgr

Self wipe via Application Catalog

On-premise: automatically added to catalog on sync

Hosted: requires manual user device affinity before visible in catalog.
Exchange Connector – Managing and
Securing Devices
When you manage mobile devices by using the Exchange
Server connector, this does not install the Configuration
Manager client on the mobile devices. Some management
functions are therefore limited. For example, you cannot install
software on these devices or use configuration items to
configure these devices.
Exchange Connector – Managing and
Securing Devices
When you use the Exchange Server connector, the mobile devices
can be managed by the settings that you configure in
Configuration Manager instead of being managed by the default
Exchange ActiveSync mailbox policies.
Exchange Connector – Managing and
Securing Devices
Define the settings that you want to use in the following group
settings: General, Password, Email Management, Security, and
Application. For example, in the Password group setting, you can
configure whether mobile devices require a password, the minimum
password length, password complexity, and whether password
recovery is allowed.
Exchange Connector – Managing and
Securing Devices
Decide which account will connect to the Exchange Client Access
server to manage the mobile devices. The account can be the
computer account of the site server or a Windows user account.
The following Exchange Server management roles include the
required cmdlets: Recipient Management, View-Only Organization
Management, and Server Management.
Exchange Connector – Managing and
Securing Devices
DEMO
System Center Intune - Managing and
Securing Devices
System Center Intune has various access points, and knowing each one is
important to avoid confusing users and to get the most out of the subscription.

Portal.Manage.Microsoft.com (Users)

Account.Manage.Microsoft.com (Subscription Administration)

Manage.Microsoft.com (Intune Administration)
System Center Intune - Managing and
Securing Devices
There are various prerequisites that must be configured and working before
Intune can manage mobile devices or be connected to System Center
Configuration Manager.

Intune Account

Verified Public Domain

Domain UPN

Dirsync/SSO

DNS Alias (CNAME)

Certificate Keys
System Center Intune - Managing and
Securing Devices
Certificates are used with System Center Intune to secure the deployment of
company-developed or pushed software to devices, or to enable notifications.
Below is the certificate required for each OS type.

Windows Phone 8 – Code Sign Cert (Symantec)

Support Tool for Windows Intune Trial (temp cert for testing)

Windows devices (Side loading Keys)

iOS – Apple Push Notification (APN)

Android (None)
System Center Intune - Managing and
Securing Devices
System Center Intune supports many mobile devices in Direct Managed mode
or when connected with System Center Configuration Manager 2012 R2.

Windows Phone 8 Devices

Windows 8 RT

Windows 8.1 RT

Windows 8.1

iOS 5.0, 6.0, and 7.0

Android Devices 2.3 and Later
System Center Intune - Managing and
Securing Devices
When integrating System Center Intune with System Center Configuration
Manager, there are a few configuration changes and system roles to set up.

Subscription Connector Setup

Windows Intune Connector Role

Logs

ConnectorSetup

CloudMgr

CloudUsersSync

dmpDownloader

dmpuploader
Intune Connector – Managing and
Securing Devices
DEMO
Managing Devices – Managing and
Securing Devices

Company Applications

Deeplinking (Store Apps)

User Enrollment
Deeplinking – Managing and Securing
Devices

Method to deploy vendor store apps via System Center Configuration Manager.

iTunes

Google Play

Windows Phone

Windows (Use reference computer)
Software Deployment – Managing and
Securing Devices
DEMO
User Enrollment – Managing and
Securing Devices

Windows Phone (Settings - Company apps)

Windows RT (System Configuration – Company Apps)

Windows 8.1 and RT 8.1 (Workplace)

iOS (iTunes – Windows Intune Company Portal)


If sp1 (m.manage.Microsoft.com)
Android – (Google Play – Windows Intune Company Portal)
User Enrollment– Managing and
Securing Devices
DEMO
Protect and Manage Devices and
Infrastructure

Exchange

Exchange Connector with Configuration Manager

Configuration Manager with Intune
Questions?