Simplified, User-centric Application Management across Devices with System Center 2012 R2 Configuration Manager and Windows Intune


This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog.  Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune allow application delivery to all major device types and application management from a single console and how it applies to Brad’s larger topic of “People-centric IT.”  To read that post and see the other technologies discussed, read today’s post:  “Making Device Users Productive and Protecting Corporate Information.”


Because employees use a wide variety of devices (such as Windows x86 and x64 PCs, laptops, Windows RT tablets, Windows Phones, iPads, iPhones and Android devices), it becomes very difficult for the IT admin to manage applications built for different device platforms and deploy them to different devices for end users. As noted in Brad Anderson’s People Centric IT blog post Making Device Users Productive and Protecting Corporate Information, with Configuration Manager and Windows Intune, we’ve made it easy to ensure that applications are delivered in the optimal method for each device to ensure worker productivity.

Configuration Manager allows the administrator to model the application with multiple deployment types (for example, MSI installers, Windows Store links, iOS applications, etc.) and then to deploy it to collections of users or devices.

The application evaluates the user’s device type and other requirements (for example, the amount of free storage space, etc.) specified by the administrator to select the appropriate deployment type to install on the user’s device. So whether your employee is using a laptop, VDI session, an iPad, or all of those, it can deliver the app to that user with the best experience on each device.  Because of the integration between Windows Intune and Configuration Manager, you can now extend application delivery to all major device types by using a single management console.  Applications can include locally installed MSI packages, side-loaded Windows 8 modern applications (appx), App-V virtual applications on Windows devices, remote applications using Microsoft virtualization solutions, web links, or public applications stored in the Windows Store, App Store, or Google Play. Compliance reporting is available for the application across all the deployment types, making it easy for IT Admins to keep track of overall compliance while at the same time monitoring any issues with particular deployment types. The diagram below illustrates the flexibility offered by the application model to deploy to the user and choose the appropriate app delivery mechanism based on the user’s device.

 

Let’s consider one more example where the IT admin wants to make Skype available to employees. The IT admin can model the Skype application with multiple deployment types based on platforms. For example, for Windows 7 and below, MSI based installation can be specified. For Windows 8 and above, Skype can be made available for end users to install from the Windows Store. For iOS and Android devices, Skype can be downloaded and installed from the appropriate app store. Here is what the application model for Skype with multiple deployment types looks like in the Configuration Manager console:

 

New Application Management Features in System Center 2012 R2 Configuration Manager

With the release of System Center 2012 R2 Configuration Manager, we have added quite a few new features for application management. Here is a quick overview of the new features:

Windows 8.1 modern application and app bundle support: Windows 8.1 Preview introduced the app bundle (or .appxbundle package) to help optimize the packaging and distribution of a Windows Store app and resource packages to users. Configuration Manager can now help you deploy LOB apps built using the side-loaded .appxbundle packages. We have extended the existing “Windows app package (.appx)” deployment type to now recognize the .appxbundle package files to create this deployment type.

Web application deployment: It is now easy to publish web applications (e.g. SaaS application links, internal web sites, LOB web applications) by using Configuration Manager. IT admins can use the new deployment type “Web Application” to publish the web applications and make them available to the end users in their company portal self-service application. This makes the discovery of web applications really easy for the employees and they can then install shortcuts for these web applications from the company portal on their devices.

Required (“Push”) installation of applications on mobile devices: In System Center 2012 Configuration Manager SP1, applications could be made available for end users to install from the self-service company portal application. We received a lot of feedback from our customers that they need a way to push commonly used corporate applications to mobile devices. With the System Center 2012 R2 Configuration Manager release, IT admins can now push applications to mobile devices in the same way they push applications to PCs. This required-install support for applications is available across Windows (RT, x86) and iOS devices, and Android support is in the works. Web applications, side-loaded Windows app packages and App Package for iOS can be pushed with System Center 2012 R2 Configuration Manager. Deep linked store apps (for example, Windows Store, Apple Store) cannot be pushed to the user’s devices and can only be made available for end users to install from the respective stores.

Application removal from mobile devices: With System Center 2012 R2 Configuration Manager, IT admins can uninstall a previously deployed application from a mobile device. IT admins can create an “uninstall” deployment for the application to explicitly remove the application from the devices. Retiring the device from management also triggers a selective wipe of corporate information including removal of corporate applications deployed through Configuration Manager.

Featured application and per-app privacy link: With System Center 2012 R2 Configuration Manager, IT admins can deploy an application inside the company portal by marking it as a featured application. Since different ISVs can have different privacy policies related to handling customer data collected by their applications, IT Admins can also specify a privacy policy link for the application. End users can review the privacy policies related to end user data usage prior to installing the application. Featured application and per-app privacy link can be specified in the application properties in the Application Catalog tab as shown in the picture below:

 

Automatic VPN connection: One of the new features of Windows 8.1 is a VPN platform that can automatically open VPN connections under certain conditions. For example, suppose you have a sales dashboard application that requires access to a sales contact database that is only available on your corporate network, and the sales manager is on the road and needs to use the sales dashboard application from his personal tablet running Windows 8.1. With System Center 2012 R2 Configuration Manager and the Windows Intune service, you can not only deploy the sales dashboard application to the user but also configure it to automatically open a VPN connection when needed. The user just launches the application, and because Configuration Manager associated the sales application with the VPN profile, the underlying VPN platform detects that this application requires VPN connectivity and automatically opens a VPN connection to the corporate network. All this happens seamlessly in the background, and the end user doesn’t even realize that the VPN was connected so that he could work in his application.

In order to configure this feature, there are 2 steps:

  1. You need to create and deploy a VPN profile for that user.  This blog post http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/compliance-settings-and-company-resource-access.aspx provides an overview of the new feature in System Center 2012 R2 Configuration Manager for configuring and deploying VPN profiles to both PCs and mobile devices. Typically this is performed by a network or security administrator role.
  2. When an application administrator deploys a line of business application (like the sales dashboard app), the application administrator will also be aware that this application requires corporate data access. In the application model for that app, he can select a check box that states that this application has the ability to automatically open a VPN connection.

 

When the application is installed on the device by the end user, Configuration Manager also automatically associates it to the VPN profile.

Note: This feature is currently supported only on non-domain joined Windows 8.1 devices.  

In summary, user centric application management with Configuration Manager and Windows Intune helps IT admins to provide the right set of applications to employees on their devices of choice while easily managing the application lifecycle for the corporate applications.


--Nilesh Bhide and Dilip Radhakrishnan

To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.

This posting is provided "AS IS" with no warranties and confers no rights.

 

  • HOW TO LOCATE LINUX DEVICES WITH SCCM 2014 R2