Over the next few days, I’ll be writing a series of blog posts about mobile device management (MDM). Microsoft’s focus is on providing best-in-class mobile and cloud services.
Today, everyone has a mobile device, whether it’s a tablet, convertible, laptop, or smartphone. Users are never out of touch with one another and their information. But how can we manage devices that are never in one place for long? Well, because mobile devices mostly use cloud services, the best way to manage these devices is through a cloud service.
Enter Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. These products provide user-centric management for devices that are mobile or at your offices. Over the next few posts, I’ll be focusing on how to use System Center 2012 R2 Configuration Manager and Windows Intune to manage your mobile devices and reduce the level of effort (and worry) you spend doing so.
Watch this video to see Microsoft mobile device management in action.
Now that we’ve seen how Microsoft mobile device management works, let’s talk more about the products that are used and how they work together.
Microsoft mobile device management products
I’ll start off by talking about the products in a Microsoft MDM solution: Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. Why do you need both products? The short answer is that you don’t. For example, many organizations are using System Center 2012 R2 Configuration Manager and Microsoft Exchange Server to manage their mobile devices through Microsoft Exchange ActiveSync. Other organizations use only Windows Intune to manage their on-premises and mobile devices.
So, why use both System Center 2012 R2 Configuration Manager and Windows Intune? To be able to manage all of your devices and users in one place. When you integrate these two products, you can manage users and devices regardless of whether they are in your office or out in the field, and you can do so from one management console: the Configuration Manager console. This integration allows you to manage all phases of the device life cycle, too, from device enrollment through device retirement and all phases in between.
In fact, when you enable System Center 2012 R2 Configuration Manager and Windows Intune integration, Windows Intune becomes transparent for the most part. You manage devices through System Center 2012 R2 Configuration Manager, which communicates with Windows Intune through the Windows Intune Connector in System Center 2012 R2 Configuration Manager. Windows Intune, in turn, communicates with your mobile devices. Conceptually, after you set up the System Center 2012 R2 Configuration Manager–Windows Intune integration, Windows Intune appears as a logical extension of System Center 2012 R2 Configuration Manager.
So, let’s look at how to prepare for MDM by examining the prerequisites.
Mobile device management prerequisites
How do you go about creating an enterprise-class MDM solution? You need:
- System Center 2012 R2 Configuration Manager. This version of System Center Configuration Manager has all the features to manage Windows, Windows Phone, Apple iOS, and Google Android devices. System Center 2012 R2 Configuration Manager also supports the latest version of Windows Intune, which provides support for the Windows 8.1 operating system, Windows Phone 8.1, iOS 7, Android, and the Samsung KNOX Standard platform.
- Windows Intune subscription. Windows Intune subscriptions are based on the number of users you’re managing. You can manage up to five devices for each user, which means that you will need a subscription license for each user who has a mobile device. Users who don’t have a mobile device don’t require a Windows Intune subscription license.
- Public Domain Name System (DNS) domain. You must have a public-facing DNS domain that Windows Intune can verify. The Windows Intune verification process includes adding DNS records to this domain.
- Public user principal name (UPN) for users. Ensure that your users have a public UPN (such as email@example.com). The domain portion of the UPN must match the public DNS domain that Windows Intune verified; users whose UPN suffix is a non-routable internal domain cannot enroll.
- Create a DNS alias for automatic enrollment. In your public-facing DNS zone, add a DNS alias (CNAME) record for EnterpriseEnrollment that points to manage.microsoft.com. The record is created in the same domain as the users' UPN suffix: for example, if your users' UPNs are in the contoso.com domain (such as firstname.lastname@contoso.com), you would create a DNS record named EnterpriseEnrollment.contoso.com.
- Device certificates or keys. Each device platform (such as Windows, Windows RT, Windows Phone, or iOS) may require certificates that are specific to the platform. You will also need sideloading keys for Windows devices.
- System Center 2012 R2 Configuration Manager user collection. This user collection contains all of the users you’ll be managing through Windows Intune. You must create this collection prior to configuring your Windows Intune subscription.
For more information about these prerequisites, see Prerequisites in How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.
That’s all you need as far as prerequisites. When these elements are in place, you’re ready to configure integration between System Center 2012 R2 Configuration Manager and Windows Intune.
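Two of these prerequisites, the public UPN suffix and the EnterpriseEnrollment CNAME, are the ones that most often stall enrollment later, so it is worth checking them before you run the subscription wizard. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes that the domain Windows Intune verified is contoso.com, and the list of UPNs it checks is constructed for illustration (in your own forest you would take them from Get-ADUser). It flags users whose UPN suffix does not match the verified domain and confirms, from the internet's point of view, that EnterpriseEnrollment.<domain> is a CNAME to manage.microsoft.com.

```powershell
# Added example (not part of the original post): pre-flight checks for the
# public-UPN and EnterpriseEnrollment-CNAME prerequisites described above.
# Assumption: the domain Windows Intune verified is contoso.com.
$VerifiedDomain = 'contoso.com'

# Constructed sample UPNs for illustration. In production, replace with
# (Get-ADUser -Filter *).UserPrincipalName from your on-premises forest.
$SampleUpns = @(
    'firstname.lastname@contoso.com',   # routable suffix, matches verified domain
    'jdoe@contoso.local',               # internal-only suffix: this user cannot enroll
    ''                                  # account with no UPN set
)

function Test-IntuneUpnSuffix {
    [CmdletBinding()]
    param(
        [AllowEmptyString()] [string[]] $Upn = @(),
        [string] $Domain
    )
    foreach ($u in $Upn) {
        # Reject empty or malformed values before looking at the suffix.
        if ([string]::IsNullOrWhiteSpace($u) -or $u -notmatch '^[^@]+@(?<suffix>[^@]+)$') {
            [pscustomobject]@{ Upn = $u; Status = 'NoUpn'; Detail = 'UPN is missing or malformed' }
            continue
        }
        $suffix = $Matches['suffix']
        if ($suffix -ieq $Domain) {
            [pscustomobject]@{ Upn = $u; Status = 'OK'; Detail = "suffix matches $Domain" }
        } else {
            [pscustomobject]@{ Upn = $u; Status = 'Mismatch'; Detail = "suffix $suffix is not the verified domain $Domain" }
        }
    }
}

function Test-EnrollmentCname {
    [CmdletBinding()]
    param(
        [string] $Domain,
        [string] $Expected = 'manage.microsoft.com',
        # Query a public resolver so the result reflects what a device on the
        # internet sees, not a split-brain internal zone. Any public resolver works.
        [string] $Resolver = '8.8.8.8'
    )
    $name = "EnterpriseEnrollment.$Domain"
    try {
        $records = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'CNAME' }
    } catch {
        # NXDOMAIN or resolver failure: the alias has not been published yet.
        return [pscustomobject]@{ Name = $name; Status = 'NotFound'; Target = $null }
    }
    $target = ($records | Select-Object -First 1).NameHost
    $status = if ($target -and $target.TrimEnd('.') -ieq $Expected) { 'OK' } else { 'WrongTarget' }
    [pscustomobject]@{ Name = $name; Status = $status; Target = $target }
}

# Run both checks and print a table; anything other than OK needs fixing
# before users try to enroll.
Test-IntuneUpnSuffix -Upn $SampleUpns -Domain $VerifiedDomain | Format-Table -AutoSize
Test-EnrollmentCname -Domain $VerifiedDomain | Format-Table -AutoSize
```

The UPN check is deliberately run against the whole user set rather than a single account: the user collection you create for the subscription (the last prerequisite above) should contain only users who pass it, because a mismatched suffix is not reported until the device's enrollment attempt fails.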
Synchronize on-premises Active Directory with Microsoft Azure Active Directory
In most cases, you’ll have an on-premises Active Directory Domain Services (AD DS) infrastructure, which is where your user accounts are managed. Ideally, you want to provide a single sign-on experience for your users so that they can use the same credentials to access on-premises and Windows Intune services.
To do this, install and configure the Microsoft Azure Active Directory Sync Tool. This tool synchronizes the user and group accounts in your on-premises AD DS forest with Azure Active Directory (which Windows Intune uses). You install the tool on an on-premises server (virtual or physical). The installation process is wizard-driven and simple.
Configure the Azure Active Directory Sync Tool by providing:
- Administrative credentials for your Windows Intune subscription.
- Administrative credentials for your on-premises AD DS forest.
- Whether you want to synchronize password hashes for the accounts.
After you have configured the Azure Active Directory Sync Tool, it automatically starts the synchronization process. Depending on the number of users in your AD DS forest, synchronization can take a few minutes or a couple of hours. The tool continues to run and keeps both directory services in sync with each other, which helps ensure that users need to remember only one set of credentials.
You can also use Active Directory Federation Services (AD FS) with Windows Intune to enable single sign-on. Implementing single sign-on with AD FS means that password hashes do not have to be synchronized between your on-premises AD DS forest and Azure Active Directory.
For more information about how to install and configure the Azure Active Directory Sync Tool, see Set up your directory sync computer and Directory integration. For more information about implementing Windows Intune sign-on with AD FS, see Checklist: Use AD FS to implement and manage single sign-on.
Configure the Windows Intune subscription
With the user accounts synchronized, you’re ready to configure the Windows Intune subscription in System Center 2012 R2 Configuration Manager. Windows Intune subscriptions that are:
- Integrated with System Center 2012 R2 Configuration Manager can be administered only in the Configuration Manager console.
- Not integrated with System Center 2012 R2 Configuration Manager can be administered only in the Windows Intune Administration portal.
Note: You configure a Windows Intune subscription for integration with System Center 2012 R2 Configuration Manager only once. The process cannot be reversed for that subscription.
You configure the Windows Intune subscription by completing the Add Windows Intune Subscription Wizard. In that wizard, you provide the following information:
- User collection that contains users who will enroll their mobile devices
- Administrative credentials for your Windows Intune subscription
- Company name that you want to appear in the Company Portal app
- Any company logos that you want displayed in the Company Portal app
- System Center 2012 R2 Configuration Manager site code
- IT support contact information (which is displayed in the Company Portal app)
- The mobile device platforms (Windows, Windows Phone, iOS, or Android) that you want to support
- Any platform-specific configuration information
You can also configure some of these settings after you have added the Windows Intune subscription in the Configuration Manager console.
Add the Windows Intune Connector site system role
Adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager is like adding any other System Center 2012 R2 Configuration Manager site system role: you use the Add Site System Roles Wizard in the Configuration Manager console. You don’t have to provide configuration settings; just ensure that you select the Windows Intune Connector site system role on the System Role Selection wizard page. For more information about adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager, see The Windows Intune Connector Site System Role.
Enable Windows Intune extensions
Windows Intune has Configuration Manager console extensions that allow the Configuration Manager console to be aware of new capabilities. You can find these extensions in the Extensions for Windows Intune node in the Administration workspace.
For example, the iOS 7 Security Settings extension adds support for the new iOS 7 security configuration settings; the Windows Phone 8.1 Extension adds support for Windows Phone 8.1 features and management. Depending on the devices you’re managing, you may need to enable some or all of the extensions.
After you enable the Windows Intune extensions for the Configuration Manager console, close the console, and then reopen it to complete the process. When you restart the Configuration Manager console, the new features and configuration options appear.
For more information about Windows Intune extensions in System Center 2012 R2 Configuration Manager, see Planning to Use Extensions in Configuration Manager.
Now you’ve seen how easy it is to prepare for MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. You can try out these steps by downloading the evaluation copy of System Center 2012 R2 Configuration Manager and signing up for a trial version of Windows Intune. In my next blog post, I’ll walk through the process of enrolling different types of devices.
NEXT BLOG POST IN THIS SERIES: How to perform device enrollment for mobile devices