via What’s New in Windows Intune – New Features, Changes | TechNet.
Unified Enterprise Management Solution
In this article:
- User-based Licensing
- Extending Client Support
- Understanding Mobile Device Management
- Customizing the Company Portal Application
- Distributing Windows 8 and Windows Phone 8 Applications
- Dynamic Group Configuration Wizard Updates
- Updating Endpoint Protection Policy
- Summary
- Resources
With this update, you can now manage mobile devices either directly from the cloud-based Windows Intune management solution or with Microsoft System Center 2012 Configuration Manager with SP1 by using a new Windows Intune connector. Figures 1 and 2 provide an overview of how these two configurations can help manage devices either directly through the cloud or through Configuration Manager on-premise:
Figure 1. Windows Intune Cloud Configuration
Figure 1 shows the classic cloud-based configuration; existing users of Windows Intune will be familiar with this approach. With this arrangement, IT administrators use the Windows Intune web-based Administrator console to access the management features on the client computers and mobile devices.
Figure 2 shows the new unified on-premises configuration, in which the administrator can use the Configuration Manager 2012 SP1 management console to access the management features for the supported clients.
Figure 2. Windows Intune Integrated On-Premises Configuration
By using the Configuration Manager console, administrators can manage operations on a day-to-day basis. Its single pane of glass helps to manage not only servers, desktops, and laptops, but also mobile devices. Figure 3 shows management of all supported device types from a single console.
Figure 3. Configuration Manager Console
This configuration can help administrators manage all the organization’s devices through a single console and get added insight into the ways employees use their mobile devices to access company data.
The Configuration Manager infrastructure enables support for very large installations. This release supports installations of up to approximately 100,000 users, computers, and mobile devices in a single management infrastructure.
The following table summarizes the enhancements that this release of Windows Intune provides, enhancements listed in italics are only applicable in the Windows Intune unified configuration:
| Windows Intune core updates |
|
| People-centric updates |
|
| Mobile device management updates |
|
This guide is intended to provide you with information about the new features and updates that are specific to the December 2012 Windows Intune release. If you are not familiar with Windows Intune, we recommend that you check the Windows Intune web site at www.windowsintune.com for the full range of features that Windows Intune provides.
.gif)
User-based Licensing
This release of Windows Intune updates adds new licensing options to help organizations with managed users who employ multiple devices, rather than focusing on one device at a time. Each new license is for a managed user and that single licensed user can have up to five managed devices*. This new approach can provide more flexibility to organizations that plan to implement a “bring your own device” strategy.
Microsoft has introduced these new licensing options to help integrate Windows Intune into hybrid management solutions that include both cloud-based and on-premise System Center-based management systems. This unified hybrid device management license can help simplify the process of licensing mobile and personal computer devices, because it licenses the user rather than the device.
The following list outlines these new licensing options:
- Windows Intune. The new default option for most organizations, basic licensing now provides access to the Windows Intune service for a user with up to five devices. It also includes use rights to System Center Configuration Manager so that you can integrate the Windows Intune service with an on-premises solution
- Windows Intune with Windows Software Assurance. This option provides access to the Windows Intune service for up to five devices per user and also includes a Windows Software Assurance (SA) license for one of those devices. As a result, it’s a good option for organizations that need to upgrade PCs to Windows 8 Enterprise.
- Windows Intune Add-on for System Center Configuration Manager. Available to organizations with an existing System Center volume licensing agreement. It extends the System Center management capabilities through the Windows Intune cloud service to help you manage both existing Configuration Manager managed devices and new mobile devices using the Configuration Manager management console.
 Note |
|---|
| *All Licenses are per user, but the Windows SA is for one primary device per user. |
Extending Client Support
Windows Intune can now help you manage the entire family of Windows 8 devices, including:
- Windows 8 Professional (x86 and x64 architectures).
- Microsoft Surface Pro.
- Microsoft Surface.
- Windows RT devices.
- Windows Phone 8 devices.
Windows Intune classifies Microsoft Surface, Windows RT, and Windows Phone 8 devices as mobile devices (see below for details). Windows 8 and Microsoft Surface Pro devices are classified as fully managed PC devices, on which Windows Intune management and Endpoint Protection agents are installed. With the addition of these new clients, and the new capabilities of System Center Configuration Manager SP1, the management capabilities of the unified solution provides one of the most comprehensive range of clients supported in the industry. As a result, you’ll be better equipped to manage the needs of a Bring Your Own Device (BYOD) infrastructure.
Understanding Mobile Device Management
In this release of Windows Intune a new direct management capability provides the Mobile Device Management (MDM) features to Windows RT, Windows Phone 8, and iOS devices. Modern devices no longer require an Exchange ActiveSync (EAS) connection in place to support the MDM solution. Instead, end users can enroll devices to the Windows Intune service and the built-in management services of these mobile devices directly provide the capabilities to manage the device. There is no need to compromise security on the device or install unsupported third-party agents.
Windows RT and Windows Phone 8 devices include a Company Apps setting that the user can employ to initiate the device enrollment process. Figure 4 shows this option listed in the Windows RT Company Apps enrollment screen.
This enrollment process identifies the device to the Windows Intune management service and establishes a trusted communication channel by using a security certificate on the device. After this enrollment has occurred, Windows Intune can manage the device and the user can install the Company portal app that provides the user with a view of the available corporate applications.
Figure 4. Windows RT Company Apps Setting
| Note |
|---|
| If a user tries to install the Company portal app before they have enrolled the device they will be notified that they need to enroll the device before they can complete the Company portal installation. |
After the user has enrolled the device, Windows Intune applies the organization’s mobile device policies and reports detailed inventory information back to the management service.
While direct management is the recommended management solution, both Windows Intune configurations still fully supports EAS-based settings. If your organization wishes to keep EAS for Exchange connected devices, the recommended approach is to apply EAS settings through Configuration Manager to manage all mobile devices in the same management console. In the cloud configuration you can manage EAS-connected devices by using the Windows Intune Exchange connector. This option is the recommended method for older smartphone platforms such as Windows Phone 7 and Android-based devices. It can also be useful to help discover devices that have not enrolled with the Windows Intune service directly.
The following table lists the supported operating systems for each of these device types*:
| Mobile Device | Operating System | MDM Method |
| Microsoft Surface | Windows RT | Direct |
| Windows RT | Windows RT | Direct |
| Windows Phone 8 | 8.0 | Direct |
| Windows Phone 7 | 7.0 or later | EAS |
| iPad and iPad2, iPhones, iPod Touch | iOS 4.0 or later | Direct |
| Android-based phones and mobile devices | Android 2.1 or later | EAS |
* The full list of supported features depends on the capabilities of the mobile device.
If your organization has standardized on EAS for configuring your current mobiles devices, you can continue to do so with for newer devices through EAS. In this case, Windows Intune integrates both with EAS and direct management so that you can use whatever solution best meets your organization’s needs.
| Note |
|---|
| Microsoft Surface devices are classed as Mobile devices and Microsoft Surface Pro devices are fully managed PC devices. |
Customizing the Company Portal Application
In the previous release of Windows Intune, administrators accessed company applications, device management and IT support features through an online Web portal. In this new release, Windows 8 can access these features through a new self-service Portal (SSP) Windows 8 application. Figure 5 shows how this portal looks to a user connected to the service from within Windows 8.
Figure 5. Windows Intune Windows 8 Company App
The SSP application provides a feature-rich, touch-optimized user experience that can speed access to IT published applications, provides direct links to IT approved Windows Store applications, and can also include links to web-based applications that users can access through the device’s web browser.
The final feature area of the Company Portal application focuses on providing users with customizable information to help them contact IT support in the event that they need assistance from the company helpdesk.
Distributing Windows 8 and Windows Phone 8 Applications
Microsoft has extended the software distribution feature of Windows Intune to support both Windows 8 and Windows Phone 8 applications. As a result, you can now use the same wizard to publish your line-of-business applications to Windows 8 computers, Windows RT devices, and Windows Phone 8 devices. Figure 6 shows the updated Add Software wizard and the supported software options.
Figure 6. Add Software Wizard
Microsoft has extended the software distribution feature of Windows Intune to support both Windows 8 and Windows Phone 8 applications. As a result, you can now use the same wizard to publish your line-of-business applications to Windows 8 computers, Windows RT devices, and Windows Phone 8 devices.
Dynamic Group Configuration Wizard Updates
The new release of Windows Intune also helps to simplify some of the Administration console tasks, based on feedback Microsoft received from customers. An administrator can create dynamic groups for users based on security group membership or on values in Active Directory properties, such as people managed by the same person. To make this process easier, the Groups wizard has been streamlined to enables you to include and exclude objects in the same view. Figure 7 shows how this new arrangement works.
Figure 7. New Group Creation Wizard
In the Criteria Membership screen in Figure 7, if the Start group membership with field has the value Empty group, then you can browse for members of security groups or members that have the same managers. If you select AllUsers in the Parent group option, this new group inherits members from the parent group and you can then use the Exclude members’ options to adjust membership based on security groups or managers.
Updating Endpoint Protection Policy
Finally, we have extended the control an administrator has over the Windows Intune Endpoint Protection agent installation process. In this release, administrators can get more control over how the Windows Intune Endpoint Protection agents and user interface behave. Figure 8 shows these new Endpoint protection policy controls.
Figure 8. New Endpoint Protection Policy Controls
With these new controls, administrators can disable the Windows Intune Endpoint Protection user interface all together, so that the computer is protected but the agent does not allow the user to interact with the application. In this situation the administrator manages all the Endpoint Protection configuration settings through the Windows Intune Agent Settings policy settings.
Summary
With this release, Windows Intune significantly extends the reach of its management solution and enhances existing features through the following changes:
- Unified management with Microsoft System Center 2012 Configuration Manager with SP1
- More flexible user licensing options
- Windows 8 support
- Windows RT and Windows Phone 8 device management
- Enhanced iOS direct device management
- Support for Windows 8 applications publishing
- Improved Dynamic Group creation wizard
- Enhanced Endpoint protection policy
Many other improvements have been made to enhance the overall speed, scalability, and performance of the service. As a result, you’ll get a flexible and integrated management environment for all your devices.
To sign up for a trial of this release of Windows Intune, sign up at the Windows Intune website at:
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx
Finally, if you are interested in some of the other features included in System Center 2012 Configuration Manager with SP1 see “What’s New in Configuration Manager SP1” on TechNet library at:
http://technet.microsoft.com/en-us/library/jj591552.aspx
Resources
- Windows Intune website: http://www.windowsintune.com
- Windows Intune Online Help: http://onlinehelp.microsoft.com/en-us/windowsintune.latest
- Windows Intune TechNet: http://technet.microsoft.com/windows/intune
- Windows Intune Team Blog: http://blogs.technet.com/b/windowsintune/