Preparing for the Windows 8.1 MCSA
Module 5: Managing Devices & Resource Access
Microsoft Virtual Academy

Module 1: Windows 8.1 in the Enterprise
Module 2: Installing & Upgrading to Windows 8.1
Module 3: Configuring & Managing Windows 8.1
Module 4: Implementing an Application Strategy for Windows 8.1
Module 5: Managing Devices & Resource Access
Module 6: Securing Windows 8.1 Devices

Module Overview
• Options for Managing Non-Domain Member Devices
• Configuring Workplace Join
• Configuring Work Folders

Options for Managing Non-Domain Member Devices
• Challenges of Managing Non-Domain Member Devices
• Comparing Domain Member and Non-Member Devices
• Managing Data and Settings on Non-Domain Member Devices
• Security Enhancements for Devices That Are Not Joined to a Domain
• Managing Non-Domain Member Devices by Using Windows Intune and Configuration Manager

Challenges of Managing Non-Domain Member Devices
Users:
• Expect to be able to work from any location
• Need access to their data and resources from anywhere
• Use any device
  • Laptops, convertible laptops, tablets, and smartphones
  • Device is often not company-owned (BYOD scenario)
  • Device is not a member of the company domain
Data access from user-owned devices must be compliant with company policy
• Protection, confidentiality, and automatic removal
Companies have limited control over non-domain member devices
• Traditional management is for domain member devices

Comparing Domain Member and Non-Member Devices
Non-domain member devices
• Do not have an account
• No trust with the domain
• Domain accounts cannot sign in
• Local users unknown to the domain
• Cannot be managed by Group Policy
• Cannot access company resources
• Need to be managed differently from domain member devices
Domain member devices
• Have domain account
• Domain accounts can sign in
• Local users not used
• Can have company policies enforced
• Can be centrally administered
• Can access company resources if permissions are given
• Can be managed by using Group Policy

Managing Data and Settings on Non-Domain Member Devices
• Windows To Go
• Virtual Desktop Infrastructure (VDI)
• Workplace Join
• Open Mobile Device Management protocol
  • Managing devices, enrolled into management system
• Web Application Proxy
  • Publish web applications to external network
• Work Folders
  • Access and synchronize file server data
• Remote Business Data Removal
  • Automatically wipe company data from the device

Security Enhancements for Devices That Are Not Joined to a Domain
• Mandatory sign-in for all users
• Biometrics as proof of identity
• Pervasive device encryption
• Malware resistance – Windows Defender
• Assigned access (kiosk mode)
• Remote business data removal
• Internet Explorer 11

Managing Non-Domain Member Devices by Using Windows Intune and Configuration Manager
Windows Intune is a cloud service
• Requires no infrastructure, only Internet connectivity
Configuration Manager is installed on premises
• Can be integrated with Windows Intune
Both manage PCs and devices
Windows Intune features:
• Updates
• Endpoint Protection
• Software deployment
• Monitoring and alerting
• Reporting
Configuration Manager allows you to:
• Deploy applications
• Manage endpoint protection
• Deploy software updates
• Inventory hardware and software
• Reporting

Configuring Workplace Join
• Workplace Join
• Scenarios for Using Workplace Join
• Workplace Join Components
• Registering and Enrolling Devices
• Demo: Enrolling Devices

Workplace Join
Provides access to internal websites and company apps without entering the credentials every time
[Diagram labels: Workplace Joined, AD FS, DC, CA, SSO, Web Server]

Scenarios for Using Workplace Join
Access company data from personal devices
• Consumerization of IT
• BYOD
• Devices that cannot or may not be domain members
IT department has some control over the device
• Which company websites and apps can be accessed
• Device is represented in AD DS
Device is an additional user authentication factor
• User can access resources only from known devices
• A user is associated with Workplace Joined device
• Multiple users can join the same device by using Workplace Join

Workplace Join Components
Workplace Join infrastructure requirements:
• Domain environment
• PKI
  • Devices must trust the certificate authority (CA)
  • Devices must be able to access CRL and AIA
• AD FS server
  • Trusted certificate configured with required attributes
  • Device registration service
• DNS record for a host named Enterpriseregistration
• Web Application Proxy for external devices
• Supported operating system on the device
  • Windows 8.1, Windows RT 8.1, and iOS

Workplace Join Components
[Diagram labels: AD FS, Workplace Join, Device Registration Service, DNS, CRL Distribution Point, AD DS Domain Controller]

Registering and Enrolling Devices
[Diagram slides; no slide text survives]

Configuring Work Folders
• Overview of Work Folders
• Comparing Work Folders with Other File Synchronization Technologies
• Components Required for Work Folders
• How Work Folders Are Synchronized
• Configuring Work Folders
• Integrating Workplace Join and Work Folders
• Using GPOs to Manage Work Folders
• Demo: Configuring Work Folders

Overview of Work Folders
Work Folders allow users to access their individual company data from any device
• Work Folders are stored centrally on traditional file servers
  • File servers must be running Windows Server 2012 R2
• Users can use multiple devices to access Work Folders
• You can synchronize local Work Folder data with data on the file server from any location with connectivity
  • Local copy is available without network connectivity
• Allows you to ensure compliance with company policy
  • Access control, quotas, file screening, classification
  • Local copy of data can be encrypted and remotely wiped

Comparing Work Folders with Other File Synchronization Technologies

| | SkyDrive | SkyDrive Pro | Work Folders | Folder Redirection |
| Single-user data | Yes, but files often shared | No | Yes | Yes |
| Data location | Public cloud | SharePoint, Office 365 | File server | File server |
| Local server required | No | SharePoint (optional) | Windows Server 2012 R2 | Windows Server |
| Support included in Windows 8.1 | Yes | No | Yes | Yes |
| Supported devices | PCs, Macs, Windows Phone, iOS, Android | PCs, Windows Phone | PCs, iPad | Domain member PCs |

Components Required for Work Folders
A Work Folders Server
• The File and Storage Services role must be installed
• An additional access protocol is added
• Server Manager for a consolidated view of sync activity
A Sync Share
• Multiple sync shares per Work Folders server
• Users can associate with a single sync share
• Device policy is defined per sync share
User Devices
• Files stay in sync across all user devices
• Local changes sync to the server and then to other devices

How Work Folders Are Synchronized
• User limited to single Work Folder
• Client always initiates sync
• Device which applies the change is responsible for conflict resolution
[Diagram labels: one component with Data directory, Version tables, Upload staging directory; two components, each with Data directory, Version database, Download staging directory]

Configuring Work Folders
Create a sync share on a file server
• You must install the Work Folders role service first
You can deploy Work Folders in three ways
• Manually
  • Auto-discovery of the server based on users’ email addresses
  • Users need to manually enter the URL for the Work Folder server
• Opt-in
  • Settings delivered by using Group Policy, System Center 2012 R2 Configuration Manager, or Windows Intune
  • Users decide if they want to use Work Folders on their devices
• Mandatory
  • Settings delivered by using Group Policy, System Center 2012 R2 Configuration Manager, or Windows Intune
  • No user action required

Integrating Workplace Join and Work Folders
Both features are targeted for non-domain member devices
• Domain member devices can also use Work Folders
Devices must trust the CA to use Work Folders
• Workplace-joined devices already trust the CA
Work Folders work with workplace-joined devices as well as with workgroup or domain member devices
[Diagram labels: The Work Folders Server, Workplace-joined Devices, Domain Members]

Using GPOs to Manage Work Folders
The Work Folder settings are in Group Policy
• Computer: Force automatic setup for all users
• User: Specify the Work Folders settings

Configuring Windows 8.1 (20687): http://aka.ms/configwin8-1
Supporting Windows 8.1 (20688): http://aka.ms/mlesvh
Upgrading Your Skills to MCSA Windows 8.1 (20689): http://aka.ms/Ou31ho
Microsoft Learning: http://aka.ms/Djv62g

©2013 Microsoft Corporation. All rights reserved.
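
The server-side steps from the Configuring Work Folders slides (install the role service first, create a sync share, set the device policy on that share), together with a check for the Enterpriseregistration DNS record listed under the Workplace Join requirements, as an added PowerShell example that is not part of the original deck. The share name, path, security group and DNS suffix are assumed placeholders; run it elevated on a Windows Server 2012 R2 file server.

```powershell
# Added example, not from the course material. All four values below are
# assumed placeholders; replace them with your own.
$ShareName = 'UserWorkFolders'            # hypothetical sync share name
$SharePath = 'D:\SyncShares\Users'        # hypothetical local path on the file server
$SyncGroup = 'CONTOSO\WorkFoldersUsers'   # hypothetical security group allowed to sync
$UpnSuffix = 'contoso.com'                # hypothetical UPN/DNS suffix

# 1. The Work Folders role service must be installed before a sync share can exist.
$feature = Get-WindowsFeature -Name FS-SyncShareService
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name FS-SyncShareService
    if (-not $result.Success) { throw 'Work Folders role service failed to install.' }
}

# 2. Make sure the folder that will hold the users' data exists.
if (-not (Test-Path -Path $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}

# 3. Create the sync share only if it is missing. Device policy is defined per
#    sync share, so encryption of the local copy and a lock-screen password are
#    requested here rather than server-wide.
$existing = Get-SyncShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-SyncShare -Name $ShareName -Path $SharePath -User $SyncGroup `
        -RequireEncryption $true -RequirePasswordAutoLock $true | Out-Null
}

# 4. Print the resulting share so the device policy can be reviewed.
Get-SyncShare -Name $ShareName | Format-List *

# 5. Workplace Join needs a DNS record for a host named enterpriseregistration.
#    Warn if it does not resolve from this machine.
$dnsName = "enterpriseregistration.$UpnSuffix"
$record  = Resolve-DnsName -Name $dnsName -ErrorAction SilentlyContinue
if ($record) {
    Write-Output "$dnsName resolves."
} else {
    Write-Warning "$dnsName does not resolve; device registration will not be discoverable."
}
```

Resolve the DNS name from an external client as well when devices register through Web Application Proxy, since internal and external zones can differ.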