Preparing for the Windows 8.1 MCSA
Module 5: Managing Devices & Resource Access
Microsoft Virtual Academy
Module 1: Windows 8.1 in the Enterprise
Module 2: Installing & Upgrading to Windows 8.1
Module 3: Configuring & Managing Windows 8.1
Module 4: Implementing an Application Strategy for Windows 8.1
Module 5: Managing Devices & Resource Access
Module 6: Securing Windows 8.1 Devices
Module Overview
• Options for Managing Non-Domain Member Devices
• Configuring Workplace Join
• Configuring Work Folders
Options for Managing Non-Domain Member Devices
• Challenges of Managing Non-Domain Member Devices
• Comparing Domain Member and Non-Member Devices
• Managing Data and Settings on Non-Domain Member Devices
• Security Enhancements for Devices That Are Not Joined to a Domain
• Managing Non-Domain Member Devices by Using Windows Intune and Configuration Manager
Challenges of Managing Non-Domain Member Devices
Users:
• Expect to be able to work from any location
• Need access to their data and resources from anywhere
• Use any device
  • Laptops, convertible laptops, tablets, and smart phones
  • Device is often not company-owned (BYOD scenario)
  • Device is not a member of the company domain
Data access from user-owned devices must be compliant with company policy
• Protection, confidentiality, and automatic removal
Companies have limited control over non-domain member devices
• Traditional management is for domain member devices
Comparing Domain Member and Non-Member Devices
Non-domain member devices
• Do not have an account
• No trust with the domain
• Domain accounts cannot sign in
• Local users unknown to the domain
• Cannot be managed by Group Policy
• Cannot access company resources
• Need to be managed differently from domain member devices
Domain member devices
• Have domain account
• Domain accounts can sign in
• Local users not used
• Can have company policies enforced
• Can be centrally administered
• Can access company resources if permissions are given
• Can be managed by using Group Policy
Managing Data and Settings on Non-Domain Member Devices
• Windows To Go
• Virtual Desktop Infrastructure (VDI)
• Workplace Join
• Open Mobile Device Management protocol
  • Managing devices, enrolled into management system
• Web Application Proxy
  • Publish web applications to external network
• Work Folders
  • Access and synchronize file server data
• Remote Business Data Removal
  • Automatically wipe company data from the device
Security Enhancements for Devices That Are Not Joined to a Domain
• Mandatory sign-in for all users
• Biometrics as proof of identity
• Pervasive device encryption
• Malware resistance – Windows Defender
• Assigned access (kiosk mode)
• Remote business data removal
• Internet Explorer 11
Managing Non-Domain Member Devices by Using Windows Intune and Configuration Manager
Windows Intune is a cloud service
• Requires no infrastructure, only Internet connectivity
Configuration Manager is installed on premises
• Can be integrated with Windows Intune
Both manage PCs and devices
Windows Intune features:
• Updates
• Endpoint Protection
• Software deployment
• Monitoring and alerting
• Reporting
Configuration Manager allows you to:
• Deploy applications
• Manage endpoint protection
• Deploy software updates
• Inventory hardware and software
• Reporting
Configuring Workplace Join
• Workplace Join
• Scenarios for Using Workplace Join
• Workplace Join Components
• Registering and Enrolling Devices
• Demo: Enrolling Devices
Workplace Join
Provides access to internal websites and company apps without entering the credentials every time
[Diagram labels: Workplace Joined; AD FS; DC, CA; SSO; Web Server]
Scenarios for Using Workplace Join
Access company data from personal devices
• Consumerization of IT
• BYOD
• Devices that cannot or may not be domain members
IT department has some control over the device
• Which company websites and apps can be accessed
• Device is represented in AD DS
Device is an additional user authentication factor
• User can access resources only from known devices
• A user is associated with Workplace Joined device
• Multiple users can join the same device by using Workplace Join
Workplace Join Components
Workplace Join Infrastructure requirements:
• Domain environment
• PKI
  • Devices must trust the certificate authority (CA)
  • Devices must be able to access CRL and AIA
• AD FS server
  • Trusted certificate configured with required attributes
  • Device registration service
• DNS record for a host named Enterpriseregistration
• Web Application Proxy for external devices
• Supported operating system on the device
  • Windows 8.1, Windows RT 8.1, and iOS
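The PKI, certificate and DNS requirements above can be checked from a representative non-domain device before users try to join. The following PowerShell is an added example, not part of the original slides; the UPN suffix contoso.com is a placeholder, and treating the enterpriseregistration name in the certificate's Subject Alternative Name as the "required attribute" is an assumption, since the slide does not list the attributes.

```powershell
# Added example: pre-flight check for Workplace Join prerequisites.
# 'contoso.com' is a placeholder UPN suffix, not a value from the slides.
function Test-WorkplaceJoinPrereq {
    param([Parameter(Mandatory = $true)][string]$UpnSuffix)

    $drsHost = "enterpriseregistration.$UpnSuffix"
    $r = [ordered]@{
        Host = $drsHost; DnsResolves = $false; TlsConnects = $false
        SanHasDrsName = $false; ChainTrusted = $false; ChainStatus = @()
    }

    # Requirement: DNS record for a host named enterpriseregistration.
    if (-not (Resolve-DnsName -Name $drsHost -ErrorAction SilentlyContinue)) {
        return [pscustomobject]$r
    }
    $r.DnsResolves = $true

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($drsHost, 443)
        # Accept any certificate during the handshake so it can be inspected;
        # whether the device actually trusts it is decided by the chain build below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($drsHost)
        $r.TlsConnects = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Assumed required attribute: SAN (OID 2.5.29.17) lists the DRS host name.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $r.SanHasDrsName = $san.Format($false) -match [regex]::Escape($drsHost) }

        # Requirements: device trusts the CA and can reach CRL/AIA locations.
        # Online revocation makes an unreachable CRL show up in ChainStatus.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $r.ChainTrusted = $chain.Build($cert)
        $r.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
    catch { $r.ChainStatus = @("Error: $($_.Exception.Message)") }
    finally { $tcp.Close() }

    [pscustomobject]$r
}

Test-WorkplaceJoinPrereq -UpnSuffix 'contoso.com' | Format-List
```

A ChainStatus of UntrustedRoot means the device does not trust the CA; RevocationStatusUnknown or OfflineRevocation means the CRL distribution point is not reachable from where the device sits.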
Workplace Join Components
[Diagram labels: AD FS; Workplace Join; Device Registration Service; DNS; CRL Distribution Point; AD DS; Domain Controller]
Registering and Enrolling Devices
Configuring Work Folders
• Overview of Work Folders
• Comparing Work Folders with Other File Synchronization Technologies
• Components Required for Work Folders
• How Work Folders Are Synchronized
• Configuring Work Folders
• Integrating Workplace Join and Work Folders
• Using GPOs to Manage Work Folders
• Demo: Configuring Work Folders
Overview of Work Folders
Work Folders allow users to access their individual company data from any device
• Work Folders are stored centrally on traditional file servers
  • File servers must be running Windows Server 2012 R2
• Users can use multiple devices to access Work Folders
• You can synchronize local Work Folder data with data on the file server from any location with connectivity
  • Local copy is available without network connectivity
• Allows you to ensure compliance with company policy
  • Access control, quotas, file screening, classification
  • Local copy of data can be encrypted and remotely wiped
Comparing Work Folders with Other File Synchronization Technologies

| | SkyDrive | SkyDrive Pro | Work Folders | Folder Redirection |
|---|---|---|---|---|
| Single-user data | Yes, but files often shared | No | Yes | Yes |
| Data location | Public cloud | SharePoint, Office 365 | File server | File server |
| Local server required | No | SharePoint (optional) | Windows Server 2012 R2 | Windows Server |
| Support included in Windows 8.1 | Yes | No | Yes | Yes |
| Supported devices | PCs, Macs, Windows Phone, iOS, Android | PCs, Windows Phone | PCs, iPad | Domain member PCs |

Components Required for Work Folders
A Work Folders Server
• The File and Storage Services role must be installed
• An additional access protocol is added
• Server Manager for a consolidated view of sync activity
A Sync Share
• Multiple sync shares per Work Folders server
• Users can associate with a single sync share
• Device policy is defined per sync share
User Devices
• Files stay in sync across all user devices
• Local changes sync to the server and then to other devices
How Work Folders are Synchronized
• User limited to single Work Folder
• Client always initiates sync
• Device which applies the change is responsible for conflict resolution
[Diagram labels: Data directory, Version tables, Upload staging directory; Data directory, Version database, Download staging directory (shown twice)]
Configuring Work Folders
Create a sync share on a file server
• You must install the Work Folders role service first
You can deploy Work Folders in three ways
• Manually
  • Auto-discovery of the server based on users’ email addresses
  • Users need to manually enter the URL for the Work Folder server
• Opt-in
  • Settings delivered by using Group Policy, System Center 2012 R2 Configuration Manager, or Windows Intune
  • Users decide if they want to use Work Folders on their devices
• Mandatory
  • Settings delivered by using Group Policy, System Center 2012 R2 Configuration Manager, or Windows Intune
  • No user action required
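The sync share creation step and the per-share device policy mentioned earlier can be scripted on the file server. The following PowerShell is an added example, not part of the original slides; the share name, path, security group and mail domain are hypothetical placeholders, and it relies on the Work Folders client looking up a host named workfolders in the user's email domain for auto-discovery.

```powershell
# Added example; every name below is a hypothetical placeholder.
$ShareName  = 'SalesShare'
$SharePath  = 'D:\SyncShares\Sales'
$SyncGroup  = 'CONTOSO\Sales-WorkFolders'
$MailDomain = 'contoso.com'

# The Work Folders role service must be installed before a sync share can exist.
if (-not (Get-WindowsFeature -Name FS-SyncShareService).Installed) {
    Install-WindowsFeature -Name FS-SyncShareService | Out-Null
}

# Create the sync share with the device policy switched on:
# encrypted local copy and an automatic lock-screen password requirement.
if (-not (Get-SyncShare | Where-Object { $_.Name -eq $ShareName })) {
    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    New-SyncShare -Name $ShareName -Path $SharePath -User $SyncGroup `
        -RequireEncryption $true -RequirePasswordAutoLock $true | Out-Null
}

# Device policy is defined per sync share, so audit every share on this server
# and report any that leave the local copy unencrypted or the device unlocked.
$weak = Get-SyncShare | Where-Object {
    -not $_.RequireEncryption -or -not $_.RequirePasswordAutoLock
}
foreach ($s in $weak) {
    Write-Warning ("Sync share '{0}': RequireEncryption={1}, RequirePasswordAutoLock={2}" -f `
        $s.Name, $s.RequireEncryption, $s.RequirePasswordAutoLock)
}

# Manual deployment with auto-discovery depends on this DNS name resolving;
# without it users must type the server URL themselves.
if (-not (Resolve-DnsName -Name "workfolders.$MailDomain" -ErrorAction SilentlyContinue)) {
    Write-Warning "workfolders.$MailDomain does not resolve; auto-discovery will fail."
}
```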
Integrating Workplace Join and Work Folders
Both features are targeted for non-domain member devices
• Domain member devices can also use Work Folders
Devices must trust the CA to use Work Folders
• Workplace-joined devices already trust the CA
Work Folders work with workplace-joined devices as well as with workgroup or domain member devices
[Diagram labels: The Work Folders Server; Workplace-joined Devices; Domain Members]
Using GPOs to Manage Work Folders
The Work Folder settings are in Group Policy
• Computer: Force automatic setup for all users
• User: Specify the Work Folders settings
Configuring Windows 8.1 (20687)
http://aka.ms/configwin8-1
Supporting Windows 8.1 (20688)
http://aka.ms/mlesvh
Upgrading Your Skills to MCSA Windows 8.1 (20689)
http://aka.ms/Ou31ho
Microsoft Learning: http://aka.ms/Djv62g
• Deep technical content and free product evaluations. Download Microsoft software trials today: Technet.microsoft.com/evalcenter
• TechNet Virtual Labs: hands-on deep technical labs. Find Hands-On Labs: Technet.microsoft.com/virtuallabs
• Free, online, technical courses. Take a free online course: microsoftvirtualacademy.com
©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the
U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.