With the move to the cloud, Microsoft has done a lot of things right with its Office365 offering and has also done a lot with Azure; the problem over the last years has been their forgotten child… Intune.
Now the concept was good: build a fully cloud based MDM/PC management solution as an extension to Office365. The execution, however, wasn't all that great at first. While Office365 and Azure got most of the focus, Intune was left behind in terms of features and attention.
But now this has changed. Last year Microsoft announced EMS (Enterprise Mobility Suite), which combines identity services with Azure AD Premium, data protection with Azure RMS and MDM with Intune, and Microsoft got serious about their MDM/EMM solution. One piece that Microsoft has that none of their MDM competitors have is the identity features, which are crucial in a BYO strategy: if people wish to use their own device with the same ID, and with the strong increase in SaaS applications, we need a common identity provider in place (where traditional Active Directory does not cut it, because of its limitations).
This is from the latest report from Gartner on Identity and Access Management as a service
With their offerings within Azure AD, and with many customers already using it with Office365, Microsoft has an advantage that none of their competitors have.
Gartner also released their new report on MDM/EMM (where we again see VMware, Citrix and MobileIron). Note that of these four, Microsoft is the only one that has its own mobile hardware platform and its own operating system, which gives them a bit of an advantage since Microsoft is also pushing Windows 10 as a more mobile operating system, and more features will be directly integrated into Intune and Azure AD:
- Windows Update for Business
- Windows Store for Business
- Enterprise Data Protection
And note it's been a little over a year since Microsoft launched their EMS package (even though Intune has been available for some time, it hasn't been until recently that Microsoft started focusing on it), and with Microsoft pushing updates to Intune almost every month it shows they are serious about this offering.
Moving forward, Microsoft will continue to create more and more direct integration with Office365 (where there are about 80 million customers), which makes it a winning combo and the natural choice for many customers, since in most cases it will just be like any other add-on to Office365.
(Crappy drawing I know..)
And with the integration possibilities Microsoft has with their on-premise solution (System Center Configuration Manager), it makes sense to manage all regular computers and mobile devices directly from the same solution, since a device is a device and should be managed by the same staff.
Microsoft has also announced a lot of new features coming to Azure AD, Intune and Office365, which can be seen on their own roadmap –> http://www.microsoft.com/en-us/server-cloud/roadmap/Indevelopment.aspx?TabIndex=2&dropValue=AllProducts
There is no denying that Microsoft is moving more and more focus into their cloud offerings, with solutions such as Office365, EMS (Enterprise Mobility Suite) and of course their Azure platform.
EMS, being the latest product bundle in the suite, gives customers Intune, Azure Rights Management and Azure Active Directory Premium. So if a customer already has Office365, their users are already in Azure AD and can easily be attached to EMS for more features.
We are also seeing that Microsoft is adding more and more management capabilities for Office365 into their Intune suite (which is one of the key points no other vendor has yet), but is this type of management something we need, or is it just there to give it a "key" selling point?
Now Microsoft has added a lot of MDM capabilities to Intune, but they are nowhere close to the competition yet. Of course they have other offerings in the EMS pack, like Azure Rights Management, which is quite unique in the way it functions and integrates with Azure AD and Office365. As of 2014 Microsoft isn't even listed on the Gartner quadrant for EMM (which they stated would be the goal for 2015).
But it will be interesting to see if Microsoft's strategy is to compete head-to-head with the other vendors, or if they wish to provide the basic features and delve more into Azure AD and identity management across clouds and SaaS offerings.
Citrix on the other hand has their XenMobile offering, which is a more complete EMM product suite (MDM and MAM, follow-me data with ShareFile, and so on). Now Citrix has a lot of advantages, for instance ShareFile over OneDrive: ShareFile encrypts data even when it is stored locally, and runs in a sandboxed application (on a mobile device), while the only option OneDrive has is using it as part of Rights Management Service (of course OneDrive has extensive data encryption in transit and at rest: https://technet.microsoft.com/en-us/library/dn905447.aspx).
Citrix also has MicroVPN functionality and secure browser access running VPN access through NetScaler, while Microsoft also has a secure browser application, which is much more limited: it restricts which URLs can be opened and what content can be viewed from that browser.
So from a customer side you need to ask yourself:
- What kind of requirements does my business have?
- Do I use Office365 or a regular on-premise setup?
- Do I need the advanced capabilities?
- How are my users actually working?
Is there a best of both worlds using both of these technologies?
Now of course there are some features that overlap when using Office365 and EMS + XenMobile, but there are also some features which are important to be aware of:
* Citrix has ShareFile storage controller templates in Azure (meaning that if a customer has IaaS in Azure, they can set up a ShareFile connector in Azure and use that to publish files and content without using OneDrive).
* Citrix has a ShareFile connector to Office365 (which allows users to use ShareFile almost as a file aggregator for communicating between Office365 and their regular file servers), which allows for secure editing directly from ShareFile.
* Citrix XenMobile has a lot better MDM features for Windows Phone than Intune has at the moment.
* Azure AD has a lot of built-in SSO access to many of Citrix's web based applications (ShareFile, GTM, GTA and so on); since users are already in Azure AD Premium, it can be used to grant access to the different applications using SSO.
* NetScaler and SAML IdP (if we have an on-premise enterprise solution, we can use the NetScaler as a SAML identity provider against Office365, which allows it to replace ADFS, which is otherwise required for full SSO of on-premise AD users to Office365).
* Office365 ProPlus with Lync is supported on XenApp/XD with the Lync optimization pack (note that this is not part of XenMobile but of Workspace Suite).
* NetScaler and Azure MFA (we can use Azure MFA with NetScaler to publish web based applications with traffic optimization).
* NetScaler will also soon be available in Azure, which allows for setting up a full Citrix infrastructure in Azure.
But in the future I would guess that Microsoft is moving forward with the user collaboration part; it is going to become the heart of identity management with Azure AD and Rights Management, while Citrix on the other hand will focus more on enabling mobility using solutions like EMM (MAM), a follow-me data aggregator, secure file access and devices. Citrix will also play an important part in hybrid setups using NetScaler with CloudBridge and as an on-premise identity provider.
So Microsoft has been busy with numerous updates to Intune lately. The latest updates came last week; you can see them here –> http://blogs.technet.com/b/microsoftintune/archive/2014/12/09/new-mobile-application-management-capabilities-coming-to-microsoft-intune-this-week.aspx
- Ability to restrict access to Exchange Online email based upon device enrollment and compliance policies
- Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem
- Ability to extend application protection to existing line-of-business apps using the Intune App Wrapping Tool for iOS
- Managed Browser app for Android devices that controls actions that users can perform, including allow/deny access to specific websites. Managed Browser app for iOS devices currently pending store approval
- PDF Viewer, AV Player, and Image Viewer apps for Android devices that help users securely view corporate content
- Bulk enrollment of iOS devices using Apple Configurator
- Ability to create configuration files using Apple Configurator and import these files into Intune to set custom iOS policies
- Lockdown of Windows Phone 8.1 devices with Assigned Access mode using OMA-URI settings
- Ability to set additional policies on Windows Phone 8.1 devices using OMA-URI settings
Now one of the cool features is the managed browser app. This allows us to manage how content is opened and displayed from this app. By default the application can do one of two things:
- Allow the managed browser to open only the URLs listed below – Specify a list of URLs that the managed browser can open.
- Block the managed browser from opening the URLs listed below – Specify a list of URLs that the managed browser will be blocked from opening.
So we define a URL which a user can open (NOTE: you can see what kind of policy prefixes can be used here –> http://technet.microsoft.com/en-us/library/dn878029.aspx#BKMK_URLs)
The application itself is available from Google Play https://play.google.com/store/apps/details?id=com.microsoft.intune.managedbrowser, but in order to use it in conjunction with Intune policies we need to deploy the application from Intune itself. Besides the managed browser application, Microsoft also released some other applications like Intune PDF Viewer, Intune AV Player and Intune Image Viewer, which users can download from Google Play. So when a user opens a PDF link from the managed browser, it will automatically open in the Intune PDF Viewer (where we can define settings like no copy/paste, no screenshots, etc.).
So when we set this up we need to deploy the package to our users, so they can install it from the company portal. NOTE: Don't deploy it right away; we need to create some policies first.
So when setting up policies we have a lot of new policy features we can define for our devices.
Now the Managed Browser Policy is just the allow/deny list. Then we have the mobile application management policy, where we can define how the apps are going to integrate and what users can do when the content is displayed.
When we are done creating the policies, we can deploy them. Now unlike other policies, these need to be deployed as part of the software and not directly to users or groups. So when setting up the browser deployment we can add the policies.
Now we can head on over to the mobile device! First I need to sync my mobile device policy.
Then I install the managed browser app and the other components I need from the company portal.
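As an added example (not code from this post or from Microsoft), here is a small Python evaluator for the two managed browser modes just described, allow-listed URLs only versus a block list. The pattern syntax it accepts (scheme, optional `*.` host wildcard, optional `/*` path wildcard) and the sample hosts are assumptions for illustration, not the documented Intune format.

```python
"""Toy evaluator for the two Managed Browser modes (allow-list only / block-list).

Added example, not Microsoft's code. Pattern syntax is an ASSUMPTION for
illustration: '<scheme>://<host>[/path]', where the host may start with '*.'
(any subdomain) and the path may end with '/*' (anything below that path).
"""
from urllib.parse import urlsplit

def parse_pattern(pattern: str):
    """Split a policy pattern into (scheme, host, path); the scheme is mandatory."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        raise ValueError(f"pattern needs a scheme: {pattern!r}")
    host, slash, path = rest.partition("/")
    return scheme.lower(), host.lower(), slash + path

def host_matches(pattern_host: str, host: str) -> bool:
    """Compare whole DNS labels, so 'contoso.com' never matches
    'contoso.com.evil.test' the way a plain substring check would."""
    host = host.lower().rstrip(".")
    if pattern_host.startswith("*."):
        suffix = pattern_host[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern_host

def path_matches(pattern_path: str, path: str) -> bool:
    """'' or '/' matches any path; a trailing '/*' matches that path prefix."""
    if pattern_path in ("", "/"):
        return True
    if pattern_path.endswith("/*"):
        prefix = pattern_path[:-1]                  # '/docs/*' -> '/docs/'
        return path == prefix.rstrip("/") or path.startswith(prefix)
    return path == pattern_path

def url_matches(pattern: str, url: str) -> bool:
    """True if url falls under pattern. The URL is parsed with urlsplit, so a
    userinfo trick like https://intranet.contoso.com@evil.test is matched on
    the real host (evil.test), not on the text before the '@'."""
    scheme, p_host, p_path = parse_pattern(pattern)
    u = urlsplit(url)
    if not u.hostname or u.scheme.lower() != scheme:
        return False
    return host_matches(p_host, u.hostname) and path_matches(p_path, u.path or "/")

def browser_allows(url: str, mode: str, patterns) -> bool:
    """mode='allow': open only listed URLs (everything else is denied).
    mode='block': open everything except the listed URLs."""
    listed = any(url_matches(p, url) for p in patterns)
    if mode == "allow":
        return listed
    if mode == "block":
        return not listed
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample policies with hypothetical hosts.
ALLOW_LIST = ["https://*.contoso.com/*", "https://sharepoint.contoso.com"]
BLOCK_LIST = ["https://news.example.test", "http://*.example.test/*"]

if __name__ == "__main__":
    for url in ("https://intranet.contoso.com/hr", "https://contoso.com.evil.test/"):
        print(url, "->", "open" if browser_allows(url, "allow", ALLOW_LIST) else "denied")
```

The allow-list mode is the safer default for a corporate browser, since anything not explicitly listed (including look-alike hosts and scheme downgrades to plain http) is denied.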
Now I am ready to use managed browser. When I open a URL that is on the deny list I get this error message.
When I open a URL that is on the allow list it works like a regular browser, but when I download a PDF file you can see there is a loading bar underneath the URL. This is because the managed browser downloads the PDF internally in the app and then we are switched over to the Intune PDF Viewer.
So again, a lot of new stuff arriving in Intune; looking forward to the next chapter.
Think you managed to get all the news that has come from Microsoft the last month? Don't think so.
So there is a lot happening at Microsoft these days. I've had trouble myself keeping track of what has happened the last few weeks. Therefore I decided to write this blog post just to get an overview myself of what's happened.
Microsoft and Dell launch Cloud Platform Suite
Azure: D-series virtual machine instances
Azure: Network Security Groups, multiple NICs on virtual machines, announcement of Azure Marketplace, new VPN gateway sizes, forced tunneling, GA of Automation Services, preview of Batch Services, antimalware for VMs in Azure
Azure: Traffic manager, nested profiles
Azure: Website migration tool
Azure: Operations Insight announced
Azure: G-sizes, Premium Storage
Azure: Netscaler and Azure
Azure: General availability for disaster recovery
Azure: PowerShell DSC extensions
Office365: Outlook for Mac
Office365: Unlimited Storage
Intune: MAM features for Office
System Center and Windows Server vNext announced
So this is a discussion I often have, and will come across more in the weeks and months ahead I believe.
Many of the customers I work with are either full-blown Citrix customers or lean more towards Microsoft.
Many are facing the mobility discussion: how do we embrace it? (or from another point of view, how do we manage it?) They do some research and often find that XenMobile or Intune shows up. So what's the difference between the two?
Citrix has for a long time been the master of delivering workspaces to a user on any type of device, and with the release of CloudGateway Enterprise they moved towards delivering mobile based features (for instance delivering mobile applications to a user's device through the Citrix client), and with the purchase of Zenprise last year they went all in. Zenprise was a full-blown MDM solution, and now they have integrated CloudGateway (the old product which included StoreFront, Gateway and AppController) with Zenprise into what is now known as XenMobile Enterprise.
This fits well with Citrix's image (any device, anywhere), and now they can manage any device as well (as long as it is mobile). They have also developed sandboxed applications under the Worx brand, and they can also deploy any application from the vendors' different stores. These Worx applications use Micro-VPN functionality to connect to the infrastructure and are completely separated from other apps on the mobile client.
To break it down into components, XenMobile (Enterprise) consists of:
* NetScaler (Gateway)
* XenMobile MDM
Then on the other side you have Microsoft, coming from a client management standpoint, where they have been for quite some time. With the latest release of Configuration Manager, Microsoft released a connection to Intune which allows businesses to manage mobile devices via Intune directly from Configuration Manager.
So all mobile devices need to be set up to talk to Intune in order to be managed.
Configuration Manager has also expanded its support to include Linux / Mac / thin clients as well as mobile devices with Intune, so Microsoft has operated in the management space for a long time.
Instead of aiming for an on-premise solution, Microsoft has put everything in their cloud. So whenever Microsoft deploys a new feature to Intune, every Intune customer gets it without needing to do anything.
They also have an integration with Exchange to allow the IT guys to control mobile devices through ActiveSync (this also includes Office 365).
There is a new Intune release coming with a new release of Configuration Manager on the 18th of October.
But can these two products compete?
Well… they have some of the same features, namely device management. Citrix has more advanced features with XenMobile, Worx, Micro-VPN etc. Microsoft has full support for Windows Phone and Windows RT (and iOS and Android with a company portal app coming pretty soon), and Intune might have what you need, but nothing fancy.
What we need to remember is that Configuration Manager is a full-blown client management suite with patching, operating system deployment, applications, baselining and antivirus; with Intune it gains mobile device management capability. XenMobile is not in this category: it gives you mobile management, mobile application management, sandboxed applications and application delivery to any device through Citrix Receiver.
So if you are a System Center customer with Configuration Manager and your IT guys use ConfigMgr for management, adding Intune might be an easy way forward, and by using Intune you leave the feature set to Microsoft; they need to continue development and will add more features as new releases become available (so you get the new releases for free, since it's a cloud based solution which you buy on a monthly basis). For other customers who need advanced features such as selective wipe, the ability to separate business and private data, more advanced security features and deep support for all vendors (except Windows), XenMobile is for you. Zenprise was one of the market leading vendors before Citrix bought them.
If you compare the cost (for Intune the cost per user is 6 USD per month, so for one year you have 72 USD; you also need Configuration Manager for it to make any sense), you can also get a discount if you already have an EAS or EA agreement, which makes Intune more viable.
XenMobile Enterprise on the other hand is not that much more expensive than a regular Intune subscription, but of course it requires a lot more infrastructure than Intune does.
So hopefully you now have a bit more understanding of what separates Intune from XenMobile!
And now you can connect your on-premise ConfigMgr instance with Intune for broader device management.
Here you have a list of the fully supported mobile devices.
Still missing direct support for Android based phones, but I'm guessing that is on the horizon as well.
For Windows 8 users, they will get a new self-service portal to get their apps, which is going to be a full-blown "new GUI" app.
You can read more about what's new here –> http://bit.ly/ZBOdcs
For those not attending MMS this year, Microsoft today released information about the new mobile device management, which will be included in future releases of SCCM and Windows Intune (bear in mind though that this will not be available before Q1 2013). And I'm betting that Windows RT will also be supported in this release.
For those not familiar with Windows Intune, it allows an administrator to manage his/her client computers from the cloud. This includes patching, anti-virus/malware services, reporting services, software deployment etc.
These are all the agents that get installed with the Intune setup:
- Windows Intune Center
- Microsoft Policy Platform
- Microsoft Online Management Policy Agent
- Windows Firewall Configuration Provider
- Windows Intune Endpoint Protection
- Windows Intune Endpoint Protection Agent
- System Center Operations Manager 2007 R2 Agent
- Windows Intune Monitoring Agent
Today there is a limit of 25 clients via Intune (in the release that is publicly available today), but Microsoft has stated that it will be integrated with Office365, and you can also integrate it with your domain.
Integration with Microsoft Active Directory Domain Services*
The full release of Windows Intune will use the same authentication mechanism as Office 365, so that you can integrate Windows Intune with your existing Active Directory Domain Services (AD DS) environment. When you integrate Windows Intune with AD DS, you can synchronize existing security groups and users from AD DS to Windows Intune and manage them with Windows Intune.
Now then, since I've been lucky enough to try the new beta, I thought I'd show you a quick demo of it.
The login page looks much like the Office 365 portal, where you have your basic menus on the top.
If I go to the Company Portal, I get to the self-service portal, clearly Metro inspired.
Here I can access applications and my devices, and I can contact IT support.
If I go back and open the Admin Console, I come to the familiar Intune console (Silverlight based).
The new mobile device management which was announced at MMS is not publicly available yet. In order to manage your mobile devices via Intune you need an Exchange Connector, just as you would in your ConfigMgr site.
And before you can use it, you have to sync your users from the local Active Directory into the Intune management.
Something I miss is the option to link your Intune site with Office365 Exchange.
Now I'm going to install the new Intune agent on one of my servers. First I create a computer group (just like a collection in SCCM).
After I've done that, I go to Administration –> and click Client Software Download.
It is a zip file, so unzip it and run the setup file.
The setup is pretty much the same as before: next, next, finish.
(It might take a while before it is finished installing…) Even when it says it's finished installing, Intune is still installing a bunch of agents in the background.
If you follow the Application log in the Event Viewer, you can see it is installing the OpsMgr agent, online services etc. So it might take a few minutes before the computer appears in the overview menu.
Now it's about finished (just installing Endpoint Protection). I can open the Intune Center, and I have the basic options. Pressing "Get applications" just opens the self-service portal I showed earlier.
If I open the Management part of the web interface, I can now see my computer active, with a bunch of patches that I need to approve and some alerts. (If you are having issues with the client not contacting the service, restart the client computer after you have installed the agent.)
After the restart I wanted to test the Remote Assistance function: open the Intune Center and press "Request Remote Assistance", then open the System Overview and you will receive an alert.
This has been a short blog post, more to follow.