Managing and Securing Devices using Exchange, System Center, and Intune LAWRENCE NOVAK MICHAEL INDENCE DMVMUG Reston, VA

Protect and Manage Devices and Infrastructure  Exchange  Exchange Connecter with Configuration Manager  Configuration Manager with Intune

Exchange - Protecting your Infrastructure  Set-ActiveSyncOrganizationSettings  New-ActiveSyncDeviceAccessRule  Set-ActiveSyncDeviceAccessRule

Exchange - Protecting your Infrastructure  Set-ActiveSyncOrganizationSettings Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine - AdminMailRecipients

Exchange - Protecting your Infrastructure  New-ActiveSyncDeviceAccessRule New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Block New-ActiveSyncDeviceAccessRule -QueryString NokiaE521/2.00()MailforExchange -Characteristic UserAgent -AccessLevel Allow

Exchange - Protecting your Infrastructure  Set-ActiveSyncDeviceAccessRule Set-ActiveSyncDeviceAccessRule 'ContosoPhone(DeviceModel)' - AccessLevel:Quarantine Get-ActiveSyncDeviceAccessRule | Where {$_.AccessLevel -eq 'Allow'} | Set-ActiveSyncDeviceAccessRule -AccessLevel:Quarantine

Exchange - Protecting your Infrastructure DEMO

Exchange – Managing and Securing Devices  Mobile Device Mailbox Policies When you install Exchange 2013, a default mobile device mailbox policy is created. All users are automatically assigned this default mobile device mailbox policy.

Exchange – Managing and Securing Devices  New-ActiveSyncMailboxPolicy New-ActiveSyncMailboxPolicy -Name 'All Users' - AllowNonProvisionableDevices $false -DevicePasswordEnabled $true - AlphanumericDevicePasswordRequired $false - MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true - AttachmentsEnabled $true -AllowSimpleDevicePassword $true - DevicePasswordExpiration '30.00:00:00' -DevicePasswordHistory '0'

Exchange – Managing and Securing Devices  New-ActiveSyncMailboxPolicy New-ActiveSyncMailboxPolicy -Name 'All Users' - AllowNonProvisionableDevices $false -DevicePasswordEnabled $true - AlphanumericDevicePasswordRequired $false - MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true - AttachmentsEnabled $true -AllowSimpleDevicePassword $true - DevicePasswordExpiration '30.00:00:00' -DevicePasswordHistory '0'

Exchange – Managing and Securing Devices DEMO

Exchange – Managing and Securing Devices Current list of available settings per device OS ts

Exchange – Managing and Securing Devices  The enterprise feature pack will include:  S/MIME to sign and encrypt  Access to corporate resources behind the firewall with app aware, auto-triggered VPN  Enterprise Wi-Fi support with EAP-TLS  Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps  Certificate management to enroll, update, and revoke certificates for user authentication

Exchange Connector – Managing and Securing Devices Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager.

Exchange Connector – Managing and Securing Devices  Settings you can control  General  Password  Management  Security  Application

Exchange Connector – Managing and Securing Devices  Option to control settings  Exchange Access rules control  Allow, Block, or Quarantine  Remotely Wipe via ConfigMgr  Self Wipe via Application catalog  On-premise automatically added to catalog on sync  Hosted requires manual user device affinity before visible in catalog.

Exchange Connector – Managing and Securing Devices When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices. Some management functions are therefore limited. For example, you cannot install software on these devices or use configuration items to configure these devices.

Exchange Connector – Managing and Securing Devices When you use the Exchange Server connector, the mobile devices can be managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies.

Exchange Connector – Managing and Securing Devices Define the settings that you want to use in the following group settings: General, Password, Management, Security, and Application. For example, in the Password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.

Exchange Connector – Managing and Securing Devices Decide which account will connect to the Exchange Client Access server to manage the mobile devices. The account can be the computer account of the site server or a Windows user account. The following Exchange Server management roles include the required cmdlets: Recipient Management, View-Only Organization Management, and Server Management.

Exchange Connector – Managing and Securing Devices DEMO

System Center Intune - Managing and Securing Devices System Center Intune has various access points and knowing each one is important to not confuse users and get the most of the subscription.  Portal.Manage.Microsoft.com (Users)  Account.Manage.Microsoft.com (Subscription Administration)  Manage.Microsoft.com (Intune Administration)

System Center Intune - Managing and Securing Devices There are various pre-requisites that must be confgiiured and working before Intune can manage mobile devices or be connected to System Center Configuration Manager.  Intune Account  Verified Public Domain  Domain UPN  Dirsync/SSO  DNS Alias (CNAME)  Certificate Keys

System Center Intune - Managing and Securing Devices Certificates are used with System Center Intune to secure software deployments to devices that are either company developed or push or to allow Notifications. Below is a list by OS type of cert required.  Windows Phone 8 – Code Sign Cert (Symantec)  Support Tool for Windows Intune Trial (temp cert for testing)  Windows devices (Side loading Keys)  IOS – Apple Push Notification (APN)  Android (None)

System Center Intune - Managing and Securing Devices System Center Intune support many Mobile devices in Direct Managed mode or connected with System Center Configuration Manager 2012 R2.  Windows Phone 8 Devices  Windows 8 RT  Windows 8.1 RT  Windows 8.1  iOS 5.0, 6.0, and 7.0  Android Devices 2.3 and Later

System Center Intune - Managing and Securing Devices When integrating System Center Intune with System Center Configuration Manager there is a few configuration changes and system roles to be setup.  Subscription Connector Setup  Windows Intune Connector Role  Logs  ConnectorSetup  CloudMgr  CloudUsersSync  dmpDownloader  dmpuploader

Intune Connector – Managing and Securing Devices DEMO

Managing Devices – Managing and Securing Devices  Company Applications  Deeplinking (Store Apps)  User Enrollment

Deeplinking – Managing and Securing Devices  Method to deploy Vendor store apps via System Center Configuration Manager.  ITunes  Google Play  Windows Phone  Windows (Use reference computer)

Software Deployment – Managing and Securing Devices DEMO

User Enrollment – Managing and Securing Devices  Windows Phone (Settings - Company apps)  Windows RT (System Configuration – Company Apps)  Windows 8.1 and RT 8.1 (Workplace)  iOS (ITunes –Windows Intune Company Portal)  If sp1 (m.manage.Microsoft.com)  Android – ( Google Play - Windows Intune Company Portal)

User Enrollment – Managing and Securing Devices DEMO

Protect and Manage Devices and Infrastructure  Exchange  Exchange Connecter with Configuration Manager  Configuration Manager with Intune

Questions?