Microsoft Virtual Academy Free, online, technical courses Take a free online course. http://www.microsoftvirtualacademy.com
Module 1: Introduction to Role Based Administration Andrew McMurray Technical Evangelist – Windows Infrastructure Microsoft Corporation Microsoft Virtual Academy
Agenda Client Management Strategy Role Based Administration Resources
Client Management Strategy
Enable people to use the devices they love while keeping the company protected
[Diagram: Devices, Apps, Data, Users: what we want versus reality]
Mobile Device Management
Enable users: access to company resources consistently across devices; simplified registration and enrollment of devices; synchronized corporate data.
Unify your environment: on-premises and cloud-based management of devices within a single console; simplified, user-centric application management across devices; comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles.
Protect your data: protect corporate information by selectively wiping apps and data from retired/lost devices; a common identity for accessing resources on-premises and in the cloud; identify which mobile devices have been compromised.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
TechEd 2013
Empower users
Allow users to work on the device of their choice and provide consistent access to corporate resources.
Users can work from anywhere on their devices with access to their corporate resources.
Users can register devices for single sign-on, and access to corporate data, with Workplace Join (backed by Active Directory).
Users can enroll devices for access to the company portal for easy access to corporate applications.
IT can publish access to resources with the web application proxy based on device awareness and the user's identity.
IT can provide seamless corporate access.
IT can publish desktop virtualization resources for access to centralized resources.
[Diagram: Firewall, RD Gateway, VDI, Session host, Active Directory; published resources: Files, LOB apps, Web apps]
Selecting the Management Platform
Unified Device Management: System Center 2012 R2 Configuration Manager with Windows Intune. Build on an existing Configuration Manager deployment; full PC management (OS deployment, Endpoint Protection, application delivery control, rich reporting); deep policy control requirements; scale to 300,000 devices; extensible administration tools (RBA, PowerShell, SQL Reporting Services).
Cloud-based Management: standalone Windows Intune. No existing Configuration Manager deployment; simplified policy control; less than 28,000 devices and 7,000 users; simple web-based administration console.
Windows Intune integrated with System Center 2012 R2 Configuration Manager: IT works from a single admin console.
Managed by Configuration Manager: Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded, Mac OS X.
Managed through Windows Intune: Windows 8 RT, Windows 8.1, Windows Phone 8.x, iOS, Android.
Role Based Administration
Role-Based Administration
Role-Based Administration allows:
Mapping organizational roles of administrators to security roles.
Hierarchy-wide security management from a single console. RBA is global data: don't think about sites!
Removing clutter from the console: "Show me what's relevant to me!"
Administrative Segmentation
Security Roles: what types of objects can I see and what can I do to them? Example: the "Software Update Manager" role gives rights to read and deploy software updates to specific collections.
Security Scopes: which instances can I see and interact with?
Collections: which resources can I interact with?
Data Segmentation of the Past (Configuration Manager 2007)
Meg wishes to distribute a package to all of her EMEA users in the West region.
England Primary Site: Meg Collins ("Central Admin") creates and distributes the package; Anthony ("English Admin") creates an advertisement for the English collections.
France Primary Site: Louis ("French Admin") creates an advertisement for the French collections.
Segmentation Using Role Based Administration (Configuration Manager 2012)
Meg wishes to distribute an application to all of her EMEA users in the West region.
Central Admin Site: Meg Collins ("Central Admin") creates and distributes the application. Louis ("French Admin") creates a deployment for the French collection(s). Anthony ("English Admin") creates a deployment for the English collection(s).
Collection Limiting
Collection tree: All Systems is the root; French Systems and English Systems are limited to All Systems; French Desktops and French Servers are limited to French Systems.
Meg gives Louis permissions to "French Systems". Louis:
can read French Systems and all collections limited to French Systems;
cannot see All Systems and English Systems;
can modify and delete French Desktops;
can create new collections limited to French Systems or French Desktops.
Collection Limiting
Every collection is limited by another collection. Assigning a collection to an administrator automatically assigns every collection limited by it (its descendants), so the collection you assign fixes the widest set of resources that administrator can ever reach.
Configuration Manager ships with two read-only root collections: All Systems, and All Users and User Groups.
Role Based Administration: Simplify
Map the organizational roles of your administrators to defined security roles (security organization role, geography). This reduces error and defines the span of control for the organization.
Meg: WW Central System Administrator.
Louis: Software Update Manager for France. Can see and update "France" desktops; cannot modify security settings on "France" desktops; cannot see "All Systems" or "U.S." desktops.
Bob: US and France Security Admin. Can see and modify security settings on "France" and "U.S." desktops; cannot update "France" or "U.S." desktops; cannot see "All Systems".
Functionality mapping, ConfigMgr 2007 to ConfigMgr 2012:
What types of objects can I see and what can I do to them? 2007: class rights. 2012: security roles.
Which instances can I see and interact with? 2007: object instance permissions. 2012: security scopes.
Which resources can I interact with? 2007: site-specific resource permissions. 2012: collection limiting.
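The Louis scenario from the preceding slides (a role, a scope and a limited collection, evaluated together), as an added example written with the Configuration Manager PowerShell cmdlets. It is not code from the course or from Microsoft; the site code "CAS", the domain "CONTOSO", the account name and the scope name are assumptions, and it must run under an account that already holds Full Administrator.

```powershell
# Added example: build the "Louis" RBA assignment from the slides.
# Assumptions (hypothetical): site code CAS, domain CONTOSO, admin account CONTOSO\louis.
# Run from a machine with the Configuration Manager console installed.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'CAS:'   # site drive created by the module; the site code is an assumption

# 1. Collections. Every collection is limited by another: French Desktops is limited to
#    French Systems, which is limited to the built-in read-only root All Systems.
$french   = New-CMDeviceCollection -Name 'French Systems'  -LimitingCollectionName 'All Systems'
$desktops = New-CMDeviceCollection -Name 'French Desktops' -LimitingCollectionName 'French Systems'

# 2. Security scope: WHICH instances Louis may see. Tag the French objects with it and
#    take them out of "Default", otherwise anyone holding the Default scope still sees them.
New-CMSecurityScope -Name 'France' -Description 'Objects owned by the France team' | Out-Null
foreach ($coll in @($french, $desktops)) {
    Add-CMObjectSecurityScope    -InputObject $coll -Name 'France'
    Remove-CMObjectSecurityScope -InputObject $coll -Name 'Default' -Force
}

# 3. Security role: WHAT Louis may do. Copy the built-in Software Update Manager role so the
#    France team gets a role they own; do not hand out Full Administrator and rely on scope.
Copy-CMSecurityRole -SourceRoleName 'Software Update Manager' -Name 'France Software Update Manager' | Out-Null

# 4. Administrative user = role + scope + collection. Access is the intersection of the
#    three: update rights (role) on French-tagged objects (scope) for French systems and
#    every collection limited to them (collection limiting).
New-CMAdministrativeUser -Name 'CONTOSO\louis' `
    -RoleName 'France Software Update Manager' `
    -SecurityScopeName 'France' `
    -CollectionName 'French Systems' | Out-Null

# 5. Check the result. The CategoryNames property lists security scopes. Louis should hold
#    exactly one role, one scope and one collection; an extra "Default" scope or "All Systems"
#    collection is an over-grant that exposes English systems to him.
Get-CMAdministrativeUser -Name 'CONTOSO\louis' |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Note that the assignment is global data, as the slides say: nothing here references a site, and Louis gets the same rights from any console in the hierarchy. Step 2 is the part most often skipped in practice; an object tagged "France" but still also tagged "Default" is visible to every administrator who holds the Default scope.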
Role-Based Administration For Reporting (TechReady 18)
ConfigMgr 2012 introduced Role-Based Administration, but reporting, built on SQL Reporting Services, was not RBA-aware.
With R2, all built-in reports were updated to use the RBA configuration: every v_<view name> the reports read has an fn_rbac_<view name> function equivalent that returns only the rows the user running the report is allowed to see.
Custom reports should reference the new functions if RBA is required; a custom report that still reads the plain views returns data the console would hide from that user.
Consistent with the ConfigMgr console "show me what's relevant to me" behavior.
Enabled by default in R2 via a registry/WMI setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SRSRP, value "EnableRbacReporting".
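An added PowerShell check for the two points above (the EnableRbacReporting switch and custom reports that bypass RBA by reading v_ views directly). It is not part of the course; the registry check must run on the reporting services point, the RDL folder path is an assumption, and the two SQL strings are constructed samples, not Microsoft's report queries.

```powershell
# Added example: audit Reporting Services RBA in ConfigMgr 2012 R2.

function Test-RbacReportingEnabled {
    # The R2 switch named on the slide. Run on the reporting services point.
    $key = 'HKLM:\SOFTWARE\Microsoft\SMS\SRSRP'
    $v = (Get-ItemProperty -Path $key -Name 'EnableRbacReporting' -ErrorAction Stop).EnableRbacReporting
    return ([int]$v -ne 0)
}

function Test-ReportQueryRbac {
    param([Parameter(Mandatory)][string]$Sql)
    # Flag only table sources ("FROM v_X", "JOIN dbo.v_X"). Aliases such as
    # "fn_rbac_R_System(@UserSIDs) v_R_System" are deliberately not matched, because
    # converted reports keep the old view name as an alias.
    $legacy = @([regex]::Matches($Sql, '\b(?:from|join)\s+(?:dbo\.)?(v_[A-Za-z0-9_]+)', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    $hasSids = [bool]($Sql -match '@UserSIDs')
    [pscustomobject]@{
        LegacyViews = $legacy
        HasUserSIDs = $hasSids
        RbacAware   = ($legacy.Count -eq 0) -and $hasSids
    }
}

function Get-NonRbacReportQueries {
    param([Parameter(Mandatory)][string]$RdlFolder)
    # Walk every dataset query in every .rdl file and report the ones that are not RBA-aware.
    foreach ($file in Get-ChildItem -Path $RdlFolder -Filter *.rdl -Recurse) {
        [xml]$rdl = Get-Content -Path $file.FullName -Raw
        foreach ($ds in @($rdl.Report.DataSets.DataSet)) {
            $sql = [string]$ds.Query.CommandText
            if ([string]::IsNullOrWhiteSpace($sql)) { continue }
            $result = Test-ReportQueryRbac -Sql $sql
            if (-not $result.RbacAware) {
                [pscustomobject]@{
                    Report      = $file.Name
                    DataSet     = $ds.Name
                    LegacyViews = ($result.LegacyViews -join ', ')
                    HasUserSIDs = $result.HasUserSIDs
                }
            }
        }
    }
}

# Constructed samples: a legacy custom query and the same query converted to the R2 functions.
$legacySql = @'
SELECT s.Name0, s.Operating_System_Name_and0
FROM v_R_System s
JOIN v_FullCollectionMembership m ON m.ResourceID = s.ResourceID
WHERE m.CollectionID = @CollID
'@
$rbacSql = @'
SELECT s.Name0, s.Operating_System_Name_and0
FROM fn_rbac_R_System(@UserSIDs) s
JOIN fn_rbac_FullCollectionMembership(@UserSIDs) m ON m.ResourceID = s.ResourceID
WHERE m.CollectionID = @CollID
'@

Test-ReportQueryRbac -Sql $legacySql   # RbacAware False; LegacyViews v_FullCollectionMembership, v_R_System
Test-ReportQueryRbac -Sql $rbacSql     # RbacAware True
# On the reporting services point (folder path is an assumption):
# Test-RbacReportingEnabled
# Get-NonRbacReportQueries -RdlFolder 'C:\Reports\Custom' | Format-Table -AutoSize
```

The converted query only filters correctly when the report also declares the hidden UserSIDs parameter that the R2 built-in reports carry, which is why the check treats a query without @UserSIDs as not RBA-aware even if it reads no v_ view. Clearing EnableRbacReporting turns the filtering off for every report at once, so the registry value is worth monitoring on the reporting services point.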
TechNet Virtual Labs: deep technical content and free product evaluations, hands-on deep technical labs, and free, online, technical courses.
At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available, all at no cost. Try Windows Server 2012 for up to 180 days. Download the Windows 8 Enterprise 90-day evaluation. Or try Windows Azure at no cost for up to 90 days.
Microsoft Hands-On Labs offer virtual environments that take you through a guided, technically deep product learning experience. Learn at your own pace in labs that you can complete in 90 minutes or less. No complex setup or installation is required to use TechNet Virtual Labs.
Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career. Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Windows Azure, Office 365, virtualization, Windows Phone, and more.
Download Microsoft software trials today: Technet.microsoft.com/evalcenter
Find Hands-On Labs: Technet.microsoft.com/virtuallabs
Take a free online course: microsoftvirtualacademy.com