This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog. Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune provide users with a consistent enrollment and resource access experience across devices, and how it applies to Brad’s larger topic of “People-centric IT.” To read that post and see the other technologies discussed, read today’s post: “Making Device Users Productive and Protecting Corporate Information.”
One of the major trends in IT in recent years has been the drive towards the “Consumerization of IT”, where consumer technology such as phones and PCs is being adopted into business organizations. More recently we have seen trends where these new devices are not just being brought into the organization by employees, but where the organization is looking at ways to leverage these device types to support customer-facing tasks, for example in retail situations, where a sales associate can be provided with the latest product information on a simple handheld device.
We refer to these new capabilities as “People-centric IT”. People-centric IT is about helping people to work on the devices they choose, anytime and in any location. Our focus, with People-centric IT, has been to continue to provide valued services that users need, such as applications and data access on any device anywhere, while providing IT administrators with enough control to ensure that the device is trustworthy, without compromising the user’s privacy and while preventing company data loss.
To that end, we have continued to build upon the work we started in Windows 8 RT and expanded the management capabilities of Windows 8.1 RT as well as Windows 8.1 x86 and x64.
Windows Management Client
Windows 8 RT included a new management client that communicates with a management service in the cloud to deliver line of business (LOB) apps to users.
The management client is built into the operating system and works alongside a Windows Store app, the company portal. The company portal lets users browse for and install apps that you make available to them.
The management client performs the following functions:
- Communicates with the organization’s management service
- Periodically synchronizes with the management service to check for any updated apps
- Applies to the device the latest settings policies configured by the IT department
- Facilitates the download and installation of any apps that the user wants to install
- If the user or the administrator chooses to retire the device from the management service, it clears the client configuration and disables any LOB apps that the user installed from the company portal.
For Windows 8.1, the management client is a built-in system component both for Windows 8.1 RT as well as Windows 8.1 x86 and x64, thus enabling the same management capabilities no matter the processor architecture.
Improvements to the User Experience
As with Windows 8, we assume that in almost all BYOD scenarios the end users themselves, rather than an IT professional, will enroll their device in your management service. The Windows 8 experience was originally hosted in the desktop; for Windows 8.1 it has been moved to the newly improved PC Settings, to make it easier for users to discover and to provide a more seamless experience.
In the PC Settings panel, the user supplies their company email address, just like they do to set up an Exchange email account. When the user selects to turn on device management, this starts enrollment for the device. The client performs a service lookup to locate the organization’s management service based on the user’s email address.
To enroll their devices in your management service, users simply enter their company email address and turn on device management.
When the management client has found the right address, it establishes a secure connection to the management service and authenticates the user.
If the user is successfully authenticated and has been authorized by the IT department to enroll devices, the management service issues a user certificate to the user who initiated the enrollment. This certificate is sent back to the client along with the organization root certificate and instructions for the client, which it uses to configure its ongoing communications with the management service. All of this happens in a matter of seconds and typically requires no further interaction from the user.
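As an added example (not code from the post or from the product), the service lookup described above can be modelled as deriving a discovery endpoint from the domain of the user's company email address. The host naming convention used here (EnterpriseEnrollment.<domain> with the /EnrollmentServer/Discovery.svc path) is the Windows MDM enrollment protocol convention, not something the post states, and the HTTPS-only check on the returned enrollment URL is my own addition.

```python
import re
from urllib.parse import urlsplit

# Conservative DNS label syntax: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of a user's company e-mail address.

    Rejects addresses without exactly one '@' or with a domain that is not a
    well-formed DNS name, so a malformed address cannot steer the lookup to
    an unintended host.
    """
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or "@" in domain:
        raise ValueError("expected exactly one '@' in the e-mail address")
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"malformed domain in e-mail address: {domain!r}")
    return domain


def discovery_url(email: str) -> str:
    """Discovery endpoint the client would contact for this user's organization
    (assumption: the EnterpriseEnrollment.<domain> convention)."""
    return f"https://enterpriseenrollment.{email_domain(email)}/EnrollmentServer/Discovery.svc"


def accept_enrollment_endpoint(url: str) -> bool:
    """The discovery response points the client at the enrollment service.

    Only an HTTPS URL with a host is accepted, because certificate issuance,
    policy and app delivery are all configured from this endpoint.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)
```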
Completing the Enrollment Process
Next, the client automatically initiates a session with the management service, using the user certificate to authenticate. This session and any subsequent sessions are performed using SSL mutual authentication to ensure the security of the connection. This initial session completes the enrollment of the device with the management service by supplying some basic device information such as the make and model, the operating system version, device capabilities, and other hardware information. This allows IT administrators to monitor what types of devices are being used with organization resources, which over time, lets the IT departments improve the apps and services they deliver to users.
After the initial session, the client initiates communication with the management service in two circumstances:
- First, as a maintenance task that runs daily at a time that the user can configure on the client. The activities performed during these maintenance sessions focus on reporting updated hardware information to the management service, applying changes to the settings policies for the device, reporting compliance back to the management service, and applying app updates to LOB apps, or retrying any previously failed LOB app installations initiated from the company portal.
- Secondly, the client will communicate with the management service anytime the user initiates an app installation from the company portal. These user-initiated sessions are solely focused on app installation and do not perform the maintenance and management activities described in the first case.
Regardless of whether a session is initiated automatically by a scheduled maintenance task or manually by the user, the management client continues to behave well relative to the state of the battery on the device and its current network conditions.
The Company Portal
The functionality we’ve covered so far is obviously focused more on the mechanics of the management client and service along with the needs of the IT department, but ultimately the entire solution exists to benefit the end user by enabling access to their LOB apps. Without such a benefit there’s little reason a user would go through the trouble of using the enterprise management service.
The company portal is the day-to-day interface for the corporate user to access their management service. It’s from here that they can browse to discover apps that have been made available to them by the IT department. There are actually four different types of apps that IT can publish in the company portal for users:
- Internally-developed Windows Store apps that are not published in the Windows Store
- Apps produced by independent software vendors that are licensed to the organization for internal distribution
- Web links that launch websites and web-based apps directly in the browser
- Links to app listings in the Windows Store. This is a convenient way for IT to make users aware of useful business apps that are publicly available.
Since the user specified his or her corporate credentials as part of the initial enrollment with the management service, IT administrators can then specify which apps are published to each user. As a result, the user only sees those apps that are applicable to them in the company portal.
Browsing for LOB apps in the company portal
As well as browsing for, and installing apps, users can:
- See their managed devices
- Provide a friendly name for their devices
- Remove devices
- Perform a remote wipe or factory reset of their devices if lost or stolen (not available on all devices)
The IT department can brand the company portal to provide a customized experience, as well as publish links to a help desk web site and provide contact numbers and email addresses for support.
Devices and Contact IT information in the Company Portal
Before any LOB apps can be delivered by using the management service, there are two things that happen on the client. First, an activation key is issued by the management service and applied to the device to allow the management client to install apps. Second, any certificates used to sign the apps must be added to the certificate store on the device. In most cases, both the activation key and the root certificates are automatically applied during the first session after establishing the connection with the management service. Otherwise, they are automatically deployed during a subsequent session after an IT administrator has turned on the feature in the management service.
When the user chooses to install an app from the company portal, the request is sent to the management service and a download link is provided to the client. The client then downloads the app, verifies the validity of the content, checks the signature, and installs the app. All of this typically occurs within seconds and is generally invisible to the user. In the event that an error occurs during any part of this process (for example, the location of the content is unavailable), the client queues the app for a retry during its next regularly scheduled maintenance session. In either case, the client reports the state of the installation back to the management service.
The details page of an LOB app in the company portal, where the user can initiate installation
The details page of a web app in the company portal, where the user can launch the app
The details page of a Windows Store app in the company portal
As part of its regular maintenance sessions, the client will inventory which LOB apps are currently installed and report that information back to the management service so the IT department can effectively manage their LOB apps. Only Windows Store apps that were installed via the company portal and the management client are included in this inventory from a device. Apps installed directly from the Windows Store are never reported as part of the inventory.
Anytime an IT administrator publishes an update for an app that has been installed on a device, the client will automatically download and install the update during its next regular maintenance session.
Retiring Devices from the Management Service
Finally, let’s look at how to retire a device from the management service. Devices can be retired from the service either locally by the user or remotely by an IT administrator. User-initiated retirement is performed much like the initial enrollment, and is initiated from the same location in PC Settings. Users may choose to remove their device from management for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates retirement for a device, the client performs this action during its next regular maintenance session. Administrators may choose to retire a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.
As part of the device retirement process, the management client does the following:
- Removes the activation key that allowed the client to install LOB apps. After this is removed, any Windows Store apps that were installed from the company portal and the management client are deactivated. Note, however, that the apps are not automatically removed from the device, but they can no longer be launched and the user is no longer able to install additional LOB apps.
- Removes any certificates that the client installed.
- Ceases enforcement of the settings policies that the management service has applied.
- Reports successful deactivation to the management service if the administrator initiated the process.
- Removes the client configuration, including the scheduled maintenance task. After this is completed, the client remains dormant unless the user re-enrolls their device in the management service.
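The following is an added example (not the post's or the product's code) that models both the app-install pipeline described under The Company Portal (activation key, trusted signing certificates, content verification, retry at the next maintenance session, status reporting) and the retirement behaviour listed above. The package format, the activation key and the signer thumbprints are constructed stand-ins; the "signature check" is reduced to a content digest plus a signer-in-trust-store test, not a real code-signing verification.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Package:                     # constructed: what the download link returns
    app_id: str
    signer: str                    # thumbprint of the certificate that signed the app
    content_sha256: str            # digest asserted by the signed manifest
    content: Optional[bytes]       # None models an unavailable content location


@dataclass
class Client:
    activation_key: Optional[str] = None
    trusted_signers: Set[str] = field(default_factory=set)
    installed: Dict[str, bool] = field(default_factory=dict)   # app_id -> active
    retry_queue: List[str] = field(default_factory=list)
    reports: List[Tuple[str, str]] = field(default_factory=list)

    def install(self, pkg: Package) -> str:
        """Download -> verify content -> check signature -> install.
        An unavailable download is queued for the next maintenance session;
        every outcome is reported back to the management service."""
        if self.activation_key is None:
            state = "blocked: no activation key"
        elif pkg.content is None:
            state = "queued: content unavailable"
            self.retry_queue.append(pkg.app_id)
        elif sha256_hex(pkg.content) != pkg.content_sha256:
            state = "failed: content digest mismatch"
        elif pkg.signer not in self.trusted_signers:
            state = "failed: untrusted signer"
        else:
            self.installed[pkg.app_id] = True
            state = "installed"
        self.reports.append((pkg.app_id, state))
        return state

    def retire(self, admin_initiated: bool) -> None:
        """Retirement removes the activation key, the pushed certificates and the
        client configuration; installed LOB apps stay on the device but are
        deactivated. Success is reported only for admin-initiated retirement."""
        self.activation_key = None
        self.trusted_signers.clear()
        self.retry_queue.clear()          # the maintenance task that would retry is gone
        for app_id in self.installed:
            self.installed[app_id] = False
        if admin_initiated:
            self.reports.append(("device", "retired"))
```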
Users remove their device to retire it from the management service
To see People-centric IT, including System Center 2012 R2 Configuration Manager, Windows Intune, and Windows Server 2012 R2 in action, you can watch a complete presentation and end-to-end demonstration from the TechEd North America Foundational Session. You can also learn more about People-centric IT by downloading the People-centric IT Preview Guide.
To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.
This posting is provided “AS IS” with no warranties and confers no rights.