System Center 2012 SP1 and Windows Intune 4
8th Mar 2013 | 08:00
Microsoft upgrades its cloud management service
Need to manage PCs and devices in your company? Microsoft has two new solutions.
The latest version of Microsoft's System Center management software adds support for new Microsoft products. Some new features, such as deploying Windows 8 and configuring Windows RT, will be useful to most businesses. Others will suit companies with more complex IT infrastructure that want to build private and hybrid cloud solutions.
System Center 2012 SP1 provides tools to build something from the blocks in Microsoft's operating systems. You can use it for everything from deploying group policy objects to administering instances on Windows Azure.
For smaller companies, however, it could be too complex, and Microsoft's cloud management service, Intune, is more suitable.
Intune enables you to manage mobile devices and Windows PCs over the internet without waiting for users to connect to a VPN. The new release of Intune adds features for managing Windows RT and sideloading applications, as well as support for Windows 8 and Windows Phone 8 and much stronger management options for iOS.
It also simplifies some tasks, such as creating dynamic groups to manage users in Active Directory, and allows you to prevent users changing options for the Intune agent, which provides malware protection for their PCs.
Some companies want the combination of System Center and Intune. It can provide on-premise management of servers and desktops on the company network plus remote management of notebooks, tablets and phones that are rarely on VPN.
System Center and Intune have been developed by the same team over the past two years, but it's only this release that allows admins to manage users and devices through both services from the System Center Configuration Manager console, and get reports that cover both.
Setting device rules
You can set password rules for all devices, such as how many chances users have to get it right. You can also control email sync through Exchange if you want to limit email or specify whether users can download attachments. You can force users to turn on encryption on their phone or tablet, including for storage cards, and block devices that don't support encryption from connecting to Exchange.
For Windows RT you can prevent the use of PINs instead of passwords or setting a picture password. For iOS, you can turn off the camera and web browser, and individually allow or block backup, document sync and Photo Stream sync to iCloud.
For Android (and other smartphones like Windows Phone 7, BlackBerry and Symbian managed through Exchange Active Sync policies), management is a little more complex and less powerful. Microsoft hasn't created an agent to deploy onto Android phones because it says there are too many to deal with; but you still can manage options like password complexity and turn off the camera and web browser using EAS policies.
In Intune this requires an on-premise Active Directory and Exchange Connector software on a server in your office, even if you use Office and Exchange Online rather than running your own Exchange server. The connector can't be on the same server on which you run Exchange unless they're both in virtual machines. Once that's done you'll see EAS-connected devices you're managing through Intune and be able to apply policies to them like other devices, instead of having to use the Exchange admin console.
This is an improvement over the previous release of Intune, which could only manage phones and tablets through EAS, and only if you had your own Exchange server rather than Exchange Online. It provides a simple and powerful option for managing Windows PCs, Windows RT and iOS; but it's still not a complete cloud management system if you need to include EAS-only devices.
If someone brings a phone or tablet to work, they don't want you installing software without asking, but they want to get their email, access work resources and have an easy way to get at any apps they need to get things done. Intune allows you to customise a company portal: a website for most users, but Windows 8, RT and Windows Phone users get an app.
You can include useful information and support contacts, and users can see all the devices you manage for them in Intune, add their own devices, and remove those they no longer want for work.
A single wizard enables you to deploy links to apps from public stores, as well as installers for Windows, Android, iOS, Windows Phone and WinRT apps. If you're sideloading WinRT apps you write yourself and don't put in the Windows Store, you need a $30 sideloading product key for users not running the Enterprise version. You can distribute those through Intune.
Windows Intune continues to develop as a cloud management service that fits the way many companies now manage remote workers on multiple devices.
You don't have to learn Group Policy, or upset users, to make sure PCs have up-to-date anti-virus or to make apps available to users on most of the devices they'll bring to work – including Windows RT and iPads.
The licensing is sensible; you can manage five devices for each user with a single licence and you can choose whether you pay £3.90 per user per month for just Intune or £7.20 a month to add a Windows 8 Enterprise licence with software assurance.
Intune works best when you fit the profile. Some scenarios quickly become complex if you're doing something slightly out of the ordinary (like using Office 365 and wanting to manage Android devices through Intune).
It doesn't have all the features of a more powerful desktop or mobile management system, although not all businesses need one, and if you do you can use it with System Center.
We'd also like to see Microsoft offer an alternative to Silverlight so you could manage a Surface user from a Surface or an iPad user from an iPad.
System Center 2012 is an enormously powerful and complex management system; as well as adding Windows 8, RT and Server 2012 support, SP1 takes advantage of Intune to cover all the bases. But on its own, Intune is less overwhelming and it fits well with the BYOD scenario.
The Windows RT support in Intune is the perfect example of Microsoft's new user-centric approach; you get very few options to turn off features but you can see the devices, use your existing Active Directory authentication to give them access to company resources, and can provide and recommend apps from the Windows Store.
Even for Windows 8, you can be sure they're running up-to-date anti-malware software, check whether they have enough disk space and make sure they get the latest version of the software you want them to use. You get the productivity benefits of computers that are secure and properly configured without annoying users or taking up a lot of admin time, and for a reasonable monthly price.