Friday, August 31, 2018

SCCM (Configuration Manager Features)


PART -3

Enterprise Mobility + Security 

Configuration Manager Features

Before you can begin planning to deploy Configuration Manager, you need a basic understanding of the features it provides. Configuration Manager has its own administrator console.


Application Management


The Application Management feature of Configuration Manager allows you to create, manage, and deploy applications in your environment. This feature also provides monitoring capabilities that allow you to monitor application deployments and take appropriate action in the event of any issues.



Collections

Collections are simply a way of grouping resources that share common criteria, such as “Which resources are running Windows 8 with more than 2GB of RAM, with more than 1GB of free disk space, and with a certain BIOS version?”. Typically collections are based on queries, allowing them to be updated dynamically on a configurable schedule, or they are built by directly assigning resources. Collections can consist of computers, users, user groups, or any discovered resources in the Configuration Manager site database.


Company Resource Access

Using the Company Resource Access feature, you can create and deploy profiles to control access to your company’s resources. Profiles that you can create and deploy include: Certificates, Email, VPN, Wi-Fi.



Compliance Settings


The Compliance Settings feature is designed to address configuration drift within the enterprise. Enterprise administrators (for workstations and servers) as well as security teams need a tool that enables them to set configuration baselines (based on the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, or other compliance regulations) that contain configuration items detailing how a specific item should be configured (for example, the local guest account should be disabled, Windows Integrated Security for SQL Server should be enabled, and so on). These configuration baselines are then deployed to the appropriate resources and the results are reported back to provide details of any configuration drift, allowing the appropriate action to be taken.


Endpoint Protection

The Endpoint Protection feature allows you to manage antimalware policies and Windows Firewall security for your Configuration Manager client computers. Endpoint Protection requires a separate license because it installs its own client that is separate from the Configuration Manager client.



Inventory

Configuration Manager offers you the ability to inventory the hardware and software of devices in your enterprise. Hardware inventory can gather information from your systems such as processor information, the computer manufacturer, and the amount of installed memory. Software inventory can gather lists of file types and their versions installed on your computers, with EXE files as the default. Combine this with the extensive information in the Asset Intelligence (AI) knowledge base, and you can use Configuration Manager to get a good handle on what hardware and software is being used in your environment.


Mobile Device Management

Configuration Manager Current Branch includes two types of mobile device management:
-      Mobile Device Management with Windows Intune
-      On-Premise Mobile Device Management

Mobile Device Management with Windows Intune

Mobile Device Management (MDM) with Windows Intune allows you to use Configuration Manager to manage Windows Phone, iOS, Android (including Samsung KNOX), and even Windows devices using the Microsoft Intune service over the Internet.

Using MDM provides the following management capabilities on devices:
  •  Retire and wipe
  •  Deployment of line-of-business applications to devices
  •  Collect hardware inventory
  •  Collect software inventory by using built-in reports
  •  Deploy applications to devices that connect to Windows Store, Windows Phone Store, App Store, or Google Play
  •  Configure compliance settings such as passwords, security, roaming, encryption, and wireless communication


On-Premise Mobile Device Management

As its name suggests, this type of mobile device management allows you to enroll and manage Windows 10 Enterprise PCs and Windows 10 mobile using the Configuration Manager infrastructure without the need for a Windows Intune subscription.

Management of these devices is performed by the management functionality built in to supported devices and does not require the Configuration Manager client to be installed.





Operating System Deployment

Operating System Deployment (OSD), as its name suggests, is the ability to deploy an operating system to a machine. As in previous versions, OSD allows you to create and distribute operating system images that include any required updates and applications to computers, both managed and unmanaged by Configuration Manager, using PXE boot or bootable media such as a USB flash drive, DVD, or CD set.




Power management

Saving energy and preserving the environment are important goals for IT professionals and organizations. The Power Management feature allows you to create different power plans that configure Windows power management settings based on your organization’s needs. These plans can then be applied to collections of computers, where they will be enforced. Configuration Manager includes various reports relating to power management that allow you to ensure the power settings have been deployed correctly and are in place on the relevant computers.





Queries

Queries allow you to retrieve information from the Configuration Manager site database about the resources in your environment that meet certain criteria, such as all machines running a certain version of Windows, or all users running a certain piece of software. Queries can be used to answer questions quickly or make mini-reports that might not be used often enough to be imported into the reporting interface.
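The example criteria given under Collections can be written as a query rule like the one below. This is an added example in WQL (the SQL-like query language Configuration Manager uses for collections and queries), not part of the original post; it assumes hardware inventory reports memory in KB and free disk space in MB, checks the C: drive only, and uses `<BIOS_VERSION>` as a placeholder.

```sql
-- Added example: resources running Windows 8 with more than 2 GB of RAM,
-- more than 1 GB of free disk space, and a specific BIOS version.
-- Assumptions: TotalPhysicalMemory is inventoried in KB, FreeSpace in MB,
-- "C:" is the drive of interest, and <BIOS_VERSION> is a placeholder.
select
    SMS_R_System.ResourceId,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
from SMS_R_System
    inner join SMS_G_System_OPERATING_SYSTEM
        on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
    inner join SMS_G_System_X86_PC_MEMORY
        on SMS_G_System_X86_PC_MEMORY.ResourceID = SMS_R_System.ResourceId
    inner join SMS_G_System_LOGICAL_DISK
        on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId
    inner join SMS_G_System_PC_BIOS
        on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId
where
    -- Windows 8 reports version 6.2; the caption test excludes server editions
    SMS_G_System_OPERATING_SYSTEM.Caption like "%Windows 8%"
    and SMS_G_System_OPERATING_SYSTEM.Version like "6.2%"
    -- more than 2 GB of RAM (2 * 1024 * 1024 KB)
    and SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory > 2097152
    -- more than 1 GB free on C: (1024 MB)
    and SMS_G_System_LOGICAL_DISK.DeviceID = "C:"
    and SMS_G_System_LOGICAL_DISK.FreeSpace > 1024
    and SMS_G_System_PC_BIOS.SMBIOSBIOSVersion = "<BIOS_VERSION>"
```

Remove the comment lines before pasting the statement into the console's query editor. The result reflects each client's last hardware inventory, so a machine that has not reported recently can be missing from the collection or matched on stale values.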





Remote Connection Profile

The Remote Connection Profile feature allows you to create profiles that contain Remote Desktop Connection settings that you can deploy to users in your Configuration Manager hierarchy.

Users can then use the company portal to connect remotely from their Windows, iOS, or Android corporate device to their work computer through Remote Desktop, using the Remote Desktop Connection settings deployed to them via the remote connection profile, when they are not connected over the Internet or connected to your domain.

Note: You only need a Microsoft Intune subscription if you want users to be able to connect to their work PC using the company portal. If you don’t have Intune, users can still use a VPN connection to connect to their work PC through Remote Desktop, using the settings configured in the remote connection profile.


Remote Control

The Remote Control feature allows computer support staff to remotely troubleshoot problems with users’ computers just as if they were sitting in front of the computer. This feature is still integrated with Remote Assistance and Remote Desktop, and it works pretty much the same as it did in previous versions of Configuration Manager.





Reporting

The Reporting feature allows you to create and run reports that show data from the Configuration Manager site database for all of the various features, whether it be client installation, inventory, software deployment/updates, or even status or alert messages.


Software Metering

Software metering allows you to collect information on software usage to assist in managing software purchases and licensing. Using software metering, you can do the following:
  •  Report on the software that is being used in your environment and on which users are running the software.
  •  Report on the number of concurrent users of a software application.
  •  Report on software license requirements.
  •  Find software that is installed but isn’t being used.

Software Updates

Using this feature, you can manage the daunting task of deploying updates to Microsoft applications and operating systems. Not only does this apply to Microsoft security patches and updates, but having this flexible and extensible environment has allowed partners (such as HP, Dell, IBM, Citrix, and others) to create custom catalogs to update server and desktop BIOS firmware, and drivers, as well as to create internal catalogs.

Deploying updates requires a Windows Server Update Services (WSUS) server. Configuration Manager leverages WSUS for its functionality and provides a higher level of granularity than is available with WSUS alone.


User Data and Profiles Configuration Items

The user data and profile configuration items in Configuration Manager Current Branch allow you to manage roaming profiles, offline files, and folder redirection on computers running Windows.


Wake on LAN

The Wake on LAN feature, added to software distribution, was available in SMS 2003 only by purchasing third-party software. It allows you to leverage technology built into computer hardware to wake up computers that have been turned off so they can run assigned deployments.

Asset Intelligence

Asset Intelligence, which was included within Configuration Manager 2007, now comes with its own node within the admin console. This is not the only new aspect of Asset Intelligence; AI also became part of the Software + Services initiative within Microsoft. The services component of AI is not a fee-based feature but is just another extension of the holistic approach; it includes the following functionality:

  •  New catalog and license management UI in the Configuration Manager admin console.
  •  The ability to customize the local catalog.
  •  On-demand or scheduled catalog update synchronization.
  •  The ability to tap software assets unknown to the catalog and pass them up to the online service for async identification.
  •  The ability to import licensing data from Microsoft and compare it to installed inventory.

Application Virtualization Management

With the newest release of App-V, Configuration Manager leverages its existing infrastructure and extends its reach to deliver virtual applications:

-      Application Virtualization Management (AVM) allows you to use Configuration Manager to manage and deploy virtual applications and, when possible, makes managing virtual applications the same experience for the Configuration Manager administrator as managing standard or physical software.


Client Health and Monitoring

Configuration Manager displays client health evaluation results and client activities directly in the console, providing alerting and remediation capabilities if health statistics fall below established thresholds.


   Thanks For Learning 
   Enterprise Mobility Part-3

Thursday, August 30, 2018

Azure Backup Practice Slide























PART-2

Enterprise Mobility + Security Practice

IDENTITY AND ACCESS MANAGEMENT

Today’s users have multiple identities for everything from Windows Active Directory to SaaS applications like DropBox and Concur. As a business, ensuring that the data stored by your users with these identities is available and secure is of utmost importance.

Identity Management is another “Must-Have” service offering for Cloud Managed Service Providers (MSPs). For MSPs focused on productivity and mobility solutions, ID management is a natural add-on. However, ID management is an integral part of infrastructure deployments as well. It’s a security discipline in which an MSP conducts the administration of IDs on behalf of its customers. This ensures the right individuals have access to the right on-premises, hybrid, or public cloud resources at the right times for the right reasons.

To meet customer needs in their ID management offering, MSPs will define user group resource policies in Active Directory, implement single sign-on, federate identities across apps and other resources, and handle rights management – ensuring that the right users have the correct access. On behalf of their customers, MSPs that develop mature ID management policies can lower associated costs and become more agile in supporting new business initiatives – all while staying compliant with industry and regulatory standards.


DEFINE YOUR STRATEGY



SYSTEM CENTER 2012R2 CONFIGURATION MANAGER SYSTEM REQUIREMENTS


Welcome. I would like to start the System Center 2012R2 Configuration Manager deployment series with a little information about its basics, and then we will look into its new features and design considerations. System Center 2012R2 delivers unified management across on-premises, service provider and Windows Azure environments, in a manner that’s simple and cost-effective, application focused, and enterprise-class. System Center 2012R2 offers exciting new features and enhancements across infrastructure provisioning, infrastructure monitoring, application performance monitoring, automation & self-service, and IT service management. Microsoft calls this the Cloud OS: System Center enables the Microsoft Cloud OS by delivering unified management across on-premises, service provider, and Windows Azure environments.


What’s New In System Center 2012R2 Configuration Manager

  1. System Center 2012R2 Configuration Manager now supports deployment of Windows 8.1 and Windows Server 2012R2. There is added support for boot images created by using the Windows Automated Installation Kit (WAIK) for Windows 7 and based on Windows PE.
  2. System Center 2012R2 Configuration Manager is now integrated with Windows Intune; this is named Unified Modern Device Management. This means you can use System Center 2012R2 Configuration Manager together with Windows Intune to manage a broad array of PCs and devices covering Windows, Windows RT, Macs, Windows Phone, Apple iOS and Android.
  3. You can now select Resultant Client Settings (RSOP) from the Configuration Manager console to view the effective client settings that will be applied to the selected device. This is another great feature.
  4. You can now reassign Configuration Manager clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multi-selected and reassigned in bulk to a new site.
  5. Compliance Settings – New mobile device settings and mobile device setting groups have been added.
  6. Profiles – There are new Certificate Profiles, VPN Profiles and Wi-Fi Profiles introduced in System Center 2012 R2 Configuration Manager, and the supported devices include those that run iOS, Windows 8.1 and Windows RT 8.1, and Android.
  7. Software Updates – There is a new maintenance window dedicated to software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates. You can now change the deployment package for an existing automatic deployment rule. New software updates are added to the specified deployment package every time an automatic deployment rule is run. A new feature called Software updates preview lets you review the software updates before you create the deployment.
  8. Application Management – Web applications in System Center 2012 R2 Configuration Manager are a new deployment type that allows you to deploy a shortcut to a web-based app on users’ devices.
  9. Collections – A new management option allows you to configure maintenance windows to apply to task sequences only, software updates only, or to all deployments.
  10. Reporting – Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles.

System Center 2012 R2 Configuration Manager Design Considerations

Before we install System Center 2012 R2 Configuration Manager, it is better to have an idea of its site and system roles, how we are going to install the roles, and their limits. In most cases, planning the hardware and software requirements for Configuration Manager takes more time, so it is very important to understand site and system role scalability.


    1) Central Administration Site – A central administration site can support up to 25 child primary sites. When you install a Central Administration Site and use an Enterprise or Datacenter edition of SQL Server, the hierarchy can support a combined total of up to 400,000 devices. So you must plan for a CAS only when an organization has over 100,000 clients.

    2) Primary Site – Each primary site can support up to 250 secondary sites and up to 100,000 clients.

    3) Secondary Site – A secondary site supports a maximum of 5,000 clients. For secondary sites, SQL Server must be installed on the site server computer. In a location with fewer than 500 clients, consider a distribution point instead of a secondary site.

    4) Management Point – Each primary site supports up to 10 management points, and each primary site management point can support up to 25,000 computer clients. Each secondary site supports a single management point, which must be installed on the site server computer.

    5) Distribution Point – With System Center 2012 R2 Configuration Manager, each primary and secondary site supports up to 250 distribution points, and each distribution point supports connections from up to 4,000 clients. Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites. Each primary and secondary site supports up to 2000 additional distribution points configured as pull-distribution points. For example, a single primary site supports 2250 distribution points when 2000 of those distribution points are configured as pull-distribution points.

    6) Software Update Point – A software update point that is installed on the site server can support up to 25,000 clients.

    7) Fallback Status Point – Each fallback status point can support up to 100,000 clients.
     
   Thanks for learning
   Enterprise Mobility Part-2

Monday, August 27, 2018

Enterprise Mobility + Security


PART-1

Enterprise Mobility + Security Practice

Which can be summarized as follows:
-      Keep your customers productive and secure on their favorite apps and devices
-      Their company data protected with Enterprise Mobility + Security solutions from Microsoft


Help your customers protect their identities and data. Build a practice that helps your customers identify breaches and threats using behavioral analysis and provides actionable insights, while ensuring they have a sound approach to managing users and groups and securing access to on-premises and cloud apps.

 
Manage and protect corporate apps and data. Provide your customers with mobile device management (MDM), mobile app management (MAM), and PC management capabilities. Enable employees with access from virtually anywhere on almost any device, while helping to keep corporate information secure.


Keep company data secure across employees, partners, and customers. Reduce the risk of data loss, vulnerabilities, and compromise while enabling safe sharing with anyone by maximizing secure behavior with minimal user friction. All this while enabling your customers to better manage and monitor their data.

Understanding the EMS + Security Opportunity

What is EMS?

EMS is the best way for customers to solve the challenges that data, identity, and devices bring to the modern business, and it’s designed to work with Office 365, empowering secure mobile productivity across devices. It helps protect information and keep businesses safe from threats.

IT INCLUDES THE FOLLOWING SERVICES:

Microsoft Azure Active Directory
-      A product which provides enterprise-grade identity and access management for nearly any app or device, cloud or on-premises. It delivers single sign-on, multi-factor authentication, self-service passwords, and more.

Microsoft Intune
-     A cloud-based enterprise mobility management solution that helps you control employee access to corporate applications and data on virtually any device, including PCs and mobile devices.

Azure Information Protection
-      A comprehensive encryption, identity, and authorization policy solution designed to secure corporate files and email across phones, tablets, and PCs.

Advanced Threat Analytics
-     Provides automated behavioral analytics that help identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.

Cloud App Security
-     Whether or not you’re in the cloud, your employees are. Bring the security of your on-premises systems to your cloud applications, both approved and unapproved, for deeper visibility, comprehensive controls, and enhanced protection against cloud security issues.




> 72% of employees who use Smartphones for work select their smartphones personally
> 80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs
> 70% of network intrusions exploited weak or stolen credentials

Understanding The Security Landscape

The current digital security landscape for business can accurately be described in one word: complicated. More numerous and advanced threats, more nebulous and complex compliance requirements, more difficult and intricate infrastructure to secure. Simply put: keeping data, workloads, and users secure is more than a full-time job, and organizations are having trouble keeping up.

The graphic below illustrates the myriad of offerings and postures taken by security companies, highlighting the fragmented nature of the market. However, this harsh environment represents a significant opportunity for partners looking to offer security as a managed service.


For even the most adept IT and incident response teams, effectively handling patching, malware threats, and intrusion detection can be too difficult to manage without help.

Thanks for Learning. 
Enterprise Mobility Part-1



Introduction of Windows Server 2022
