This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog. Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune provide the user with a consistent enrollment and resource access experience across devices, and how it applies to Brad’s larger topic of “People-centric IT.” To read that post and see the other technologies discussed, read today’s post: “Making Device Users Productive and Protecting Corporate Information.”
One of the major trends in IT in recent years has been the drive towards the “Consumerization of IT”, where consumer technology such as phones and PCs is being adopted into business organizations. More recently we have seen that these new devices are not just being brought into the organization by employees; the organization itself is looking at ways to leverage these device types to support customer-facing tasks. In retail, for example, a sales associate can be provided with the latest product information on a simple handheld device.
We refer to these new capabilities as “People-centric IT”. People-centric IT is about helping people to work on the devices they choose, at any time and in any location. Our focus, with People-centric IT, has been to continue to provide the valued services that users need, such as applications and data access on any device anywhere, while providing IT administrators with enough control to ensure that the device is trustworthy, without compromising the user’s privacy and while preventing company data loss.
To that end, we have continued to build upon the work we started in Windows 8 RT and expanded the management capabilities of Windows 8.1 RT as well as Windows 8.1 x86 and x64.
Windows 8 RT included a new management client that communicates with a management service in the cloud to deliver line of business (LOB) apps to users.
The management client is built in to the operating system and works alongside a Windows Store app, the company portal. The company portal lets users browse for and install apps that you make available to them.
The management client performs the following functions:
For Windows 8.1, the management client is a built-in system component both for Windows 8.1 RT as well as Windows 8.1 x86 and x64, thus enabling the same management capabilities no matter the processor architecture.
As with Windows 8, we assume that in almost all BYOD scenarios, the end users themselves, rather than an IT professional, will enroll their device in your management service. In Windows 8 the enrollment experience was hosted in the desktop; for Windows 8.1, it has been moved to the newly improved PC Settings, to make it easier for users to discover and to provide a more seamless experience.
In the PC Settings panel, the user supplies their company email address, just as they do to set up an Exchange email account. When the user chooses to turn on device management, this starts enrollment for the device. The client performs a service lookup to locate the organization’s management service based on the user’s email address.
To enroll their devices in your management service, users simply enter their company email address and turn on device management.
When the management client has found the right address, it establishes a secure connection to the management service and authenticates the user.
If the user is successfully authenticated and has been authorized by the IT department to enroll devices, the management service issues a user certificate to the user who initiated the enrollment. This certificate is sent back to the client along with the organization root certificate and instructions for the client, which it uses to configure its ongoing communications with the management service. All of this happens in a matter of seconds and typically requires no further interaction from the user.
Completing the Enrollment Process
Next, the client automatically initiates a session with the management service, using the user certificate to authenticate. This session and any subsequent sessions are performed using SSL mutual authentication to ensure the security of the connection. This initial session completes the enrollment of the device with the management service by supplying some basic device information such as the make and model, the operating system version, device capabilities, and other hardware information. This allows IT administrators to monitor what types of devices are being used with organization resources, which over time, lets the IT departments improve the apps and services they deliver to users.
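As an added example (not Microsoft’s code and not the Windows management client’s implementation), the following Go program models the certificate relationships described above: the organization root the client receives at enrollment, the user certificate issued to the enrolling user, and a session that the management service accepts only when the client authenticates with that certificate. The organization name, the user’s email address, the service host name, the use of P-256 ECDSA certificates, and the in-memory connection are all constructed for illustration; how the real client and service exchange messages is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed example, not Microsoft's code: an organization root, a user
// certificate issued at enrollment, and a session that the service accepts
// only when the client authenticates with that certificate (mutual TLS).

// template returns a one-day certificate template for cn.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs tmpl with a fresh P-256 key; issuer nil means self-signed.
func issue(tmpl *x509.Certificate, issuer *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	parent, signer := tmpl, any(key)
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newOrgRoot creates the organization root that the client receives along
// with its user certificate and from then on trusts for the service.
func newOrgRoot(name string) (tls.Certificate, error) {
	tmpl := template(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	return issue(tmpl, nil)
}

// issueLeaf issues an end-entity certificate under root: ExtKeyUsageClientAuth
// for the enrolling user's certificate, ExtKeyUsageServerAuth plus a DNS name
// for the management service's own certificate.
func issueLeaf(root tls.Certificate, cn string, serial int64, usage x509.ExtKeyUsage, dns ...string) (tls.Certificate, error) {
	tmpl := template(cn, serial)
	tmpl.DNSNames = dns
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
	return issue(tmpl, &root)
}

// session runs one client/service exchange over an in-memory connection. The
// service requires a client certificate chaining to the organization root; the
// client trusts only that root and presents userCert when it is non-nil.
func session(root, svcCert tls.Certificate, userCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{svcCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication requirement
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: svcCert.Leaf.DNSNames[0], MinVersion: tls.VersionTLS12}
	if userCert != nil {
		cliCfg.Certificates = []tls.Certificate{*userCert}
	}
	c1, c2 := net.Pipe()
	go func() {
		defer c1.Close() // close the raw pipe; a TLS close_notify would block on a synchronous pipe
		conn := tls.Server(c1, srvCfg)
		if conn.Handshake() != nil {
			return // the alert already sent to the client carries the reason
		}
		// The verified certificate, not anything the client claims, identifies the user.
		fmt.Fprintf(conn, "session for %s", conn.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	defer c2.Close()
	conn := tls.Client(c2, cliCfg)
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // runs the handshake, then reads the greeting
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}
```

Run with a user certificate issued under the organization root, `session` returns the greeting naming that user; run without a certificate, or with one issued under some other organization’s root, the handshake fails and the client sees the service’s alert as its error. That is the property the text’s “SSL mutual authentication” provides: the service learns which enrolled user the device belongs to from a certificate it issued, and the client accepts only a service vouched for by the root it received at enrollment.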
After the initial session, the client initiates communication with the management service in two circumstances:
Regardless of whether a session is initiated automatically by a scheduled maintenance task or manually by the user, the management client remains considerate of the device’s battery state and its current network conditions.
The functionality we’ve covered so far is obviously focused more on the mechanics of the management client and service, along with the needs of the IT department, but ultimately the entire solution exists to benefit the end user by enabling access to their LOB apps. Without such a benefit there's little reason a user would go through the trouble of using the enterprise management service.
The company portal is the day-to-day interface for the corporate user to access their management service. It's from here that they can browse to discover apps that have been made available to them by the IT department. There are actually four different types of apps that IT can publish in the company portal for users:
Since the user specified his or her corporate credentials as part of the initial enrollment with the management service, IT administrators can then specify which apps are published to each user. As a result, the user only sees those apps that are applicable to them in the company portal.
Browsing for LOB apps in the company portal
As well as browsing for and installing apps, users can:
The IT department can brand the company portal to provide a customized experience, as well as publish links to a help desk web site and provide contact numbers and email addresses for support.
Devices and Contact IT information in the Company Portal
Before any LOB apps can be delivered by using the management service, there are two things that happen on the client. First, an activation key is issued by the management service and applied to the device to allow the management client to install apps. Second, any certificates used to sign the apps must be added to the certificate store on the device. In most cases, both the activation key and the root certificates are automatically applied during the first session after establishing the connection with the management service. Otherwise, they are automatically deployed during a subsequent session after an IT administrator has turned on the feature in the management service.
When the user chooses to install an app from the company portal, the request is sent to the management service and a download link is provided to the client. The client then downloads the app, verifies the validity of the content, checks the signature, and installs the app. All of this typically occurs within seconds and is generally invisible to the user. In the event that an error occurs during any part of this process (for example, the location of the content is unavailable), the client queues the app for a retry during its next regularly scheduled maintenance session. In either case, the client reports the state of the installation back to the management service.
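The install path described above, as an added Go model that is not the Windows management client’s code: content is fetched from the download link, its hash is checked against a signature from a publisher whose signing key is in the device’s trusted store, and only then recorded as installed; an unavailable content location queues the app for retry at the next maintenance session, whereas a signature failure is reported and never installed or retried. Ed25519 signatures over SHA-256 of the content, the app and publisher names, and the state strings are constructed for illustration; the page does not describe the client’s actual package format or signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed model of the client's install path (not the Windows management
// client's code): fetch, verify content against a trusted publisher's
// signature, install, and report. Transient fetch failures are retried at the
// next maintenance session; signature failures are not.

// InstallState is the state the client reports back to the management service.
type InstallState string

const (
	StateInstalled InstallState = "installed"
	StateQueued    InstallState = "queued for retry"
	StateFailed    InstallState = "failed"
)

// AppPackage is what following the service's download link yields.
type AppPackage struct {
	Name      string
	Publisher string // names the signing certificate in the device store
	Content   []byte
	Signature []byte // Publisher's Ed25519 signature over SHA-256(Content)
}

// Fetch models following the download link; an error means the content location was unavailable.
type Fetch func(name string) (*AppPackage, error)

// ErrUnavailable is returned by a Fetch when the content location cannot be reached.
var ErrUnavailable = errors.New("content location unavailable")

// SignPackage is what the app publisher does before IT publishes the app.
func SignPackage(name, publisher string, content []byte, priv ed25519.PrivateKey) *AppPackage {
	digest := sha256.Sum256(content)
	return &AppPackage{Name: name, Publisher: publisher, Content: content, Signature: ed25519.Sign(priv, digest[:])}
}

// Client holds the device-side state of the management client.
type Client struct {
	SigningKeys map[string]ed25519.PublicKey // app-signing certificates added to the device store
	Installed   map[string]string            // app name -> hex SHA-256 of installed content
	RetryQueue  []string                     // apps to retry at the next maintenance session
	Reports     []string                     // states sent back to the management service
}

func NewClient() *Client {
	return &Client{SigningKeys: map[string]ed25519.PublicKey{}, Installed: map[string]string{}}
}

// verify checks that the content is intact and signed by a trusted publisher.
func (c *Client) verify(p *AppPackage) error {
	pub, ok := c.SigningKeys[p.Publisher]
	if !ok {
		return fmt.Errorf("publisher %q not in device certificate store", p.Publisher)
	}
	digest := sha256.Sum256(p.Content)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return errors.New("signature does not match content")
	}
	return nil
}

// Install handles an install request from the company portal and reports the outcome.
func (c *Client) Install(name string, fetch Fetch) InstallState {
	state, reason := c.tryInstall(name, fetch)
	if state == StateQueued {
		c.RetryQueue = append(c.RetryQueue, name)
	}
	c.Reports = append(c.Reports, fmt.Sprintf("%s: %s (%s)", name, state, reason))
	return state
}

func (c *Client) tryInstall(name string, fetch Fetch) (InstallState, string) {
	p, err := fetch(name)
	if err != nil {
		return StateQueued, err.Error() // transient: try again at the next maintenance session
	}
	if p.Name != name {
		return StateFailed, "package name does not match the requested app"
	}
	if err := c.verify(p); err != nil {
		return StateFailed, err.Error() // content not trustworthy: never install, do not retry
	}
	digest := sha256.Sum256(p.Content)
	c.Installed[name] = hex.EncodeToString(digest[:])
	return StateInstalled, "ok"
}

// MaintenanceSession retries queued installs, as the client does on its regular schedule.
func (c *Client) MaintenanceSession(fetch Fetch) {
	queued := c.RetryQueue
	c.RetryQueue = nil
	for _, name := range queued {
		c.Install(name, fetch)
	}
}
```

The distinction between the two failure classes is the point worth keeping: a download location that is unavailable tells the client nothing about the content, so the request is simply retried later, while a content hash that does not verify against a trusted signing key is a permanent verdict on that package, so it is reported and dropped rather than retried into place.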
The details page of an LOB app in the company portal, where the user can initiate installation
The details page of a web app in the company portal, where the user can launch the app
The details page of a Windows Store app in the company portal
As part of its regular maintenance sessions, the client will inventory which LOB apps are currently installed and report that information back to the management service so the IT department can effectively manage their LOB apps. Only Windows Store apps that were installed via the company portal and the management client are included in this inventory from a device. Apps installed directly from the Windows Store are never reported as part of the inventory.
Whenever an IT administrator publishes an update for an app that has been installed on a device, the client will automatically download and install the update during its next regular maintenance session.
Finally, let’s look at how to retire a device from the management service. Devices can be retired from the service either locally by the user or remotely by an IT administrator. User-initiated retirement is performed much like the initial enrollment, and is initiated from the same location in PC Settings. Users may choose to remove their device from management for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates retirement for a device, the client performs this action during its next regular maintenance session. Administrators may choose to retire a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.
As part of the device retirement process, the management client does the following:
Users remove their device to retire it from the management service
To see People-centric IT, including System Center 2012 R2 Configuration Manager, Windows Intune, and Windows Server 2012 R2 in action, you can watch a complete presentation and end-to-end demonstration from the TechEd North America Foundational Session. You can also learn more about People-centric IT by downloading the People-centric IT Preview Guide.
-- Craig Marl
To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.
This posting is provided "AS IS" with no warranties and confers no rights.