Managing and Securing Mobile Devices using Exchange, System ...


LE Novak MCM, MCSE
Premier Field Engineer
Microsoft

Managing and Securing Devices using Exchange, System Center, and Intune

ARC307

Michael Indence
Senior Premier Field Engineer
Microsoft


Contact

L.E. [email protected]

Blog: Geekswithablog.com

Podcast: Geeks, Bowties, and Tech

Twitter: @LE_Novak, @GeekswithaBlog

Michael [email protected]


Exchange

Exchange Connector with Configuration Manager

Configuration Manager with Intune

Protect and Manage Devices and Infrastructure


Exchange


Set-ActiveSyncOrganizationSettings

New-ActiveSyncDeviceAccessRule

Set-ActiveSyncDeviceAccessRule

New-ActiveSyncMailboxPolicy

Set-CasMailbox

Exchange - Protecting your Infrastructure


Set-ActiveSyncOrganizationSettings

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients [email protected], [email protected]


New-ActiveSyncDeviceAccessRule

New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Block

New-ActiveSyncDeviceAccessRule -QueryString 'NokiaE521/2.00()MailforExchange' -Characteristic UserAgent -AccessLevel Allow


Set-ActiveSyncDeviceAccessRule

Set-ActiveSyncDeviceAccessRule 'ContosoPhone(DeviceModel)' -AccessLevel:Quarantine

Get-ActiveSyncDeviceAccessRule | Where {$_.AccessLevel -eq 'Allow'} | Set-ActiveSyncDeviceAccessRule -AccessLevel:Quarantine


Mobile Device Mailbox Policies

When you install Exchange 2013, a default mobile device mailbox policy is created. All users are automatically assigned this default mobile device mailbox policy.


New-ActiveSyncMailboxPolicy

New-ActiveSyncMailboxPolicy -Name 'All Users' -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true -AttachmentsEnabled $true -AllowSimpleDevicePassword


Adding and Removing Users from a Mobile Mailbox Policy

Set-CASMailbox -Identity [email protected] -ActiveSyncMailboxPolicy "Sales"

Get-Mailbox | where { $_.CustomAttribute1 -match "Manager" } | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Contoso").Identity
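
A read-only review of the settings the cmdlets above configure, as an added example that is not part of the original presentation. It assumes the Exchange 2013 Management Shell (where Get-MobileDevice is available) and changes nothing.

```powershell
# Added example (not from the presentation): read-only review of the
# ActiveSync controls shown on the slides. Assumes it runs in the
# Exchange 2013 Management Shell; nothing here modifies configuration.

# 1. Organization default applied to devices that match no rule or exemption.
$org = Get-ActiveSyncOrganizationSettings
$org | Format-List DefaultAccessLevel, AdminMailRecipients
if ($org.DefaultAccessLevel -eq 'Allow') {
    Write-Warning 'DefaultAccessLevel is Allow: unknown devices sync without review.'
}
if (-not $org.AdminMailRecipients) {
    Write-Warning 'No AdminMailRecipients: nobody is notified when a device is quarantined.'
}

# 2. Device access rules, grouped by what they do (Allow / Block / Quarantine).
Get-ActiveSyncDeviceAccessRule |
    Sort-Object AccessLevel, Characteristic |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 3. Devices currently held in quarantine, oldest first, for admin review.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Sort-Object FirstSyncTime |
    Format-Table UserDisplayName, DeviceModel, DeviceUserAgent, DeviceId, FirstSyncTime -AutoSize

# 4. Mailbox policies that relax the baseline from the New-ActiveSyncMailboxPolicy
#    slide: no device password, no encryption, or non-provisionable devices allowed.
Get-ActiveSyncMailboxPolicy |
    Where-Object {
        -not $_.DevicePasswordEnabled -or
        -not $_.RequireDeviceEncryption -or
        $_.AllowNonProvisionableDevices
    } |
    Format-Table Name, DevicePasswordEnabled, RequireDeviceEncryption, AllowNonProvisionableDevices -AutoSize

# 5. How many mailboxes each policy actually covers.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object ActiveSyncMailboxPolicy |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A device from step 3 that passes review can be released for its owner with Set-CASMailbox and the -ActiveSyncAllowedDeviceIDs parameter.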


Current list of available settings per device OS

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients


Demo: Device Quarantine
L.E. Novak and Michael Indence


Exchange Connector


Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager.

Exchange Connector – Managing and Securing Devices


Settings you can control

General

Password

Email Management

Security

Application


Option to control settings via Active Sync

Exchange access rules control: Allow, Block, or Quarantine

Remotely Wipe via ConfigMgr

Self Wipe via Application catalog

On-premise: automatically added to catalog on sync

Hosted: requires manual user device affinity before visible in catalog


When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices. Some management functions are therefore limited. For example, you cannot install software on these devices or use configuration items to configure these devices.


When you use the Exchange Server connector, the mobile devices are managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies.


An account is required to configure the Exchange Connector in Configuration Manager. The account can be the computer account of the site server or a Windows user account, and must have rights in Exchange to certain cmdlets.


Exchange Server management roles that contain the required cmdlets are the Recipient Management, View-Only Organization Management, Server Management, and above.


DEMO: Exchange Connector
Michael Indence


Intune


System Center Intune has various access points, and knowing each one is important to avoid confusing users and to get the most out of the subscription.

Portal.Manage.Microsoft.com (Users)

Account.Manage.Microsoft.com (Subscription Administration)

Manage.Microsoft.com (Intune Administration)

System Center Intune - Managing and Securing Devices


There are various pre-requisites that must be configured and working before Intune can manage mobile devices or be connected to System Center Configuration Manager.

Intune Account

Verified Public Domain

Domain UPN

Dirsync/SSO

DNS Alias (CNAME)

Certificate Keys


Certificates are used with System Center Intune to secure software deployments to devices, whether the software is company developed or pushed, or to allow notifications. Below is a list, by OS type, of the certificate required.

Windows Phone 8 – Code Sign Cert (Symantec)

Support Tool for Windows Intune Trial (temp cert for testing)

Windows devices (Side loading Keys)

iOS – Apple Push Notification (APN)

Android (None)


System Center Intune supports many mobile devices in Direct Managed mode or connected with System Center Configuration Manager 2012 R2.

Windows Phone 8 Devices

Windows 8 RT

Windows 8.1 RT

Windows 8.1

iOS 5.0, 6.0, and 7.0

Android Devices 2.3 and Later


When integrating System Center Intune with System Center Configuration Manager, there are a few configuration changes and system roles to set up.

Subscription Connector Setup

Windows Intune Connector Role

Logs

ConnectorSetup

CloudMgr

CloudUsersSync

dmpDownloader

dmpuploader


Source: http://blogs.technet.com/b/windowsintune/archive/2013/01/18/technet-radio-edition-cloud-based-management-with-windows-intune.aspx


DEMO: Intune Initial Configuration
Michael Indence


Company Applications

Deeplinking (Store Apps)

User Enrollment

Managing Devices – Managing and Securing Devices


Method to deploy Vendor store apps via System Center Configuration Manager.

iTunes

Google Play

Windows Phone Store

Windows (Use reference computer)

Deeplinking – Managing and Securing Devices


Windows Phone (Settings – Company Apps)

Windows RT (System Configuration – Company Apps)

Windows 8.1 and RT 8.1 (Workplace)

iOS (iTunes – Windows Intune Company Portal)

If Service Pack 1 (m.manage.Microsoft.com)

Android (Google Play – Windows Intune Company Portal)

User Enrollment – Managing and Securing Devices


DEMO: User Enrollment
Michael Indence and L.E. Novak


The enterprise feature pack will include:

S/MIME to sign and encrypt email

Access to corporate resources behind the firewall with app aware, auto-triggered VPN

Enterprise Wi-Fi support with EAP-TLS

Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps

Certificate management to enroll, update, and revoke certificates for user authentication

Windows Phone Enterprise Feature Pack – Managing and Securing Devices


On February 28th, 2014, Samsung announced a partnership with Microsoft to bring some of its enterprise services to Knox. Samsung mobile customers will now be able to take advantage of seamless authentication for access to enterprise resources, and Enterprise IT will be able to manage those devices with Windows Intune.

Samsung Knox and Intune – Managing and Securing Devices


Exchange

Exchange Connector with Configuration Manager

Configuration Manager with Intune

Protect and Manage Devices and Infrastructure


QUESTIONS


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.