Join David M. Franklyn for an in-depth discussion in this video, Microsoft Intune and cloud service security, part of Microsoft System Center Configuration Manager Essential Training.
- [Instructor] Microsoft Intune is often called the Configuration Manager in the Cloud. It is a Microsoft cloud platform product, which you can use to manage Windows-based computers and even mobile devices running Mac, iOS, Android, Windows RT and Windows Phone. You can implement Intune in a stand-alone, cloud-only mode, or you can integrate it with on-premises Configuration Manager Current Branch solutions. There are three major features that allow for cloud-based management.
They are the standalone solution, the cloud extension through Configuration Manager, or Microsoft's Enterprise Mobility Suite. Let's take a further look into these now. First, the standalone management solution. As a cloud-only service, Intune can manage devices in a bring-your-own-device scenario. Now, in this case, we're not going to be using Configuration Manager at all; we're going to be using just Microsoft Intune for those internet-facing devices.
The bring-your-own-device scenario has been quite extensive these past few years, where people bring in their iPhones, their Android phones of different types, even Windows Phones and Windows 10 Mobile devices, so that they can use their own device with the enterprise-level, business-level features that you have on your internal computers. So, they might want to get to folders in the corporate hierarchy, maybe some shared data, integrate with email and messaging systems that you might have within your corporation, and even access modern apps on these devices that plug in and manipulate data or retrieve data within the corporate infrastructure.
So, device management itself can be divided up into the following areas. First, we have policy settings. Multiple policy templates are available to help you create various Intune policies. Then we have application deployment and software updates. Now, Intune enables you to sideload apps onto Windows mobile devices. You can deploy applications on other devices and deploy links directly to store apps, and that's not just the Microsoft Store, but we're also talking about the Apple Store, Google Play and other device operating system infrastructure stores.
We have inventory and reporting. You can view information about devices that are registered with Intune. And remote wipe, remote lock, and password reset: Intune helps you prevent unauthorized users from viewing data on a lost or stolen device. Intune also provides an application portal for devices with Windows operating systems, which you can access through the Intune Company Portal app for Windows 10, Windows 8.x, and Windows RT devices. You can use the Intune Company Portal for Windows Phone to access the Intune Company Portal and the Configuration Manager Company Portal.
Now, a whole other way of doing this is to integrate Configuration Manager and Intune together. So, in this case you can maintain a single management experience for computers and devices, even those that are not joined to a domain. So, in other words, when you use a Configuration Manager console, you see all your domain-joined devices and the client agents running on them, and you apply software installations or collect hardware and software inventory.
And all the stuff we would normally do with clients, we'll also be able to do with those clients that are clients of Windows Intune. We can also manage mobile devices that enrolled through Intune. So, if they're already enrolled in Intune and we do the integration, we now have access to them through the Configuration Manager console. Although the mobile devices connect to the Intune service, you complete the management tasks in the Configuration Manager console and then apply them to Intune-connected devices through the Intune connector site system role.
However, the Intune connector doesn't allow you to view, in the Configuration Manager console, Intune-managed computers that are not domain members. So, mobile devices we can do, but not actual computer systems, because, as we said before, Microsoft Intune is sometimes called Configuration Manager in the cloud. In other words, we can apply the same techniques we do for regular computers within Configuration Manager through the Microsoft Intune console when they are connected not to a domain, but independently as workgroup computers.
An alternative is, since Intune is being put into Microsoft Azure for mobile device management, you could use the services of Azure and Intune together in the Microsoft Enterprise Mobility Suite. Now, this includes a lot of the Azure functionality. So, it includes Azure Active Directory Premium. It also gives you Microsoft Intune as part of the Enterprise Mobility Suite, and it also gives you the Azure Rights Management Service, but we're not going to cover this further because it really does not involve Configuration Manager.
When clients connect to the site systems located on an internal network, the computers perform mutual authentication by using Kerberos as part of the Active Directory authentication. This is possible because clients and site systems can access the Active Directory infrastructure. For internet-based client management, you must assign and install certificates to enable mutual authentication. When you configure certificates for internet-based client management, keep in mind that you must configure each client and each site system involved in internet-based client management with certificates to perform mutual authentication on the internet.
All communication goes across port 443, which is used by HTTPS, the Hypertext Transfer Protocol Secure, and the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates. You must configure site system roles, such as the distribution point, that are involved in internet-based client management with a Public Key Infrastructure, or PKI, certificate used for server authentication. You must configure all clients that you manage over the internet with a PKI certificate used for client authentication.
Any Certificate Authority, or CA, that the client trusts can issue the certificates. If the certificates are issued by an internal CA, say Active Directory Certificate Services, or ADCS, for example, the clients, if they are part of the domain, can be configured to enroll automatically for their certificates by using Group Policy. So, to set up your Configuration Manager site for SSL communications required for on-premises mobile device management, follow these actions.
First, configure your Certificate Authority for certificate revocation list, or CRL, publishing. Then, you want to request the web server certificate for each site system role used by on-premises mobile device management. Next, bind the certificate to the web server on the site system roles, and finally you want to export the root of the web server certificate to the mobile or non-domain-joined devices. Now, we have three demonstrations in this chapter.
The first two involve configuring PKI and are rather complex and involve a lot of steps. This is because setting up a PKI infrastructure and providing for internet-based certificate revocation checking is complex and full of steps. So, the first demonstration shows all the steps to create and publish the CRL, and the second then creates the enrollment certificates so they can be used by internet clients. In the third demonstration, we'll create a management solution based on integration between Configuration Manager and Microsoft Intune.
So, let's get started.
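The four setup steps listed above (CRL publishing, web server certificate request, HTTPS binding, root export), scripted as one added PowerShell walkthrough; this is example code written for this page, not the course's own demonstration. It assumes a single-tier AD CS enterprise CA with the ADCSAdministration, PKI and WebAdministration modules available, and uses hypothetical names: crl.example.com for the CRL web location, sccm01.example.com for the site system, and a certificate template called ConfigMgrWebServer.

```powershell
# Added example, not from the course. Hypothetical names are marked below.

# Step 1 (run on the CA): add an HTTP CRL distribution point that internet
# clients can reach, then republish the CRL. The .crl file the CA writes must
# be copied to (or served from) that URL for the URL to be useful.
Import-Module ADCSAdministration
Add-CACrlDistributionPoint -Uri 'http://crl.example.com/CertEnroll/%3%8%9.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force      # crl.example.com: hypothetical
Restart-Service certsvc
certutil -crl            # publish a fresh CRL that carries the new CDP

# Step 2 (run on the site system): enroll a web server certificate from the
# enterprise CA into the machine store, using the hypothetical template.
$req = Get-Certificate -Template 'ConfigMgrWebServer' `
    -DnsName 'sccm01.example.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrollment not issued: $($req.Status)" }
$cert = $req.Certificate

# Step 3: bind that certificate to HTTPS/443 on the IIS site hosting the roles.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force

# Step 4: walk the chain of the web server certificate to its root and export
# the root's public certificate (no private key) for import into the trusted
# root store of mobile and non-domain-joined devices.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath 'C:\Temp\RootCA.cer' -Type CERT

# Check: validate the chain and fetch the CRL the way an internet client would.
# A revocation-check failure here means the CDP from step 1 is not reachable.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\sccm01.cer' -Type CERT | Out-Null
certutil -verify -urlfetch 'C:\Temp\sccm01.cer'
```

On a device that is not domain-joined, the exported RootCA.cer is imported with `Import-Certificate -FilePath RootCA.cer -CertStoreLocation Cert:\LocalMachine\Root`.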