
Mobile Device Management Design Considerations Guide

Published May 2015

Version 1.1

Copyright

This guide is provided "as-is". Information and views expressed in this guide, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This guide does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this guide for your internal, reference purposes.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Microsoft Intune, Microsoft System Center 2012 R2 Configuration Manager, Mobile Device Management for Office 365, Office 365, Windows, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Introduction
Design considerations overview
Step 1 - Identify your mobile device management requirements
  Task 1: Identify your business needs
  Task 2: Specify your mobile device management location requirements
  Task 3: Develop your mobile device management adoption strategy
Step 2 - Plan for mobile device management tasks
  Task 1: Understanding the mobile device management lifecycle
  Task 2: Gather monitoring requirements
  Task 3: Determine network resource requirements
  Task 4: Define your mobile device management lifecycle strategy
Step 3 - Plan for secure mobile devices
  Task 1: Gather your data protection requirements
  Task 2: Specify your privacy requirements
  Task 3: Specify your access requirements
  Task 4: Develop your incident response requirements
  Task 5: Plan your mobile device security strategy
Step 4 - Plan for Software as a Service (SaaS) mobile device management
  Task 1: Identify your SaaS requirements
  Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
  Task 3: Develop your SaaS mobile device management adoption strategy
Next steps and resources
  Mobile device management solutions
  Mobile device management documentation
  Mobile device management resources


Mobile Device Management Design Considerations 1

Introduction

With all of the different design and configuration options for mobile device management (MDM), it's difficult to determine which combination will best meet the needs of your organization. This design considerations guide will help you to understand mobile device management design requirements and will detail a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs of your organization.

Throughout the steps and tasks, this guide will present the relevant technologies and feature options available to organizations to meet functional and service quality level requirements (such as availability, scalability, performance, manageability, and security).

Specifically, the goals of this guide are to help you answer the following questions:

- What questions do I need to answer to drive an MDM-specific design for a technology or problem domain that best meets my requirements?
- What is the sequence of activities I should complete to design an MDM solution for the technology or problem domain?
- What MDM technology and configuration options are available to help me meet my requirements, and what are the trade-offs between those options so that I can select the best option for my MDM requirements?

Who is this guide intended for? Information technology architects and professionals responsible for designing a mobile device management solution for medium or large organizations.

How can this guide help you? You can use this guide to understand how to design a mobile device management solution that is able to manage company-owned devices as well as user-owned devices in different form factors.


Figure 1 - Example of a hybrid Intune and System Center 2012 R2 Configuration Manager MDM solution

Figure 1 is an example of a hybrid solution that leverages cloud services integrated with on-premises capabilities in order to manage all types of devices, regardless of their location. Although this is a very common scenario, every organization's MDM design might differ from the example because of each organization's unique management requirements.

This guide details a series of steps and tasks that you should follow to assist you in designing a customized MDM solution that meets your organization's unique requirements. Throughout the following steps and tasks, this guide covers the relevant technologies and feature options available to you to meet the functional and service quality level requirements for MDM.

Though this guide can help you design an MDM solution, it does not discuss specific implementation or operations options for the management solutions. You can find detailed deployment and configuration steps for Microsoft Intune, Mobile Device Management for Office 365, and Microsoft System Center in the TechNet Library using the links available in the Next Steps section located at the end of this guide.

Assumptions: You have some experience with Intune, System Center 2012 R2 Configuration Manager, Windows Server 2012 R2, and mobile devices running Android, iOS, and Windows Phone. You may have even deployed one of these solutions in an initial MDM test or limited production environment. In this guide, we assume you are looking for how these solutions can best meet your business needs on their own or in an integrated solution.


Design considerations overview

This guide covers a set of steps and tasks that you can follow to design a solution that best meets your requirements. The steps are presented in an ordered sequence. However, design considerations you learn in later steps may prompt you to change decisions you made in earlier steps as your design matures or due to conflicting design choices. We'll alert you to potential design conflicts throughout this guide.

You will develop a mobile device management design that best meets your requirements only after iterating through the following steps as many times as necessary to incorporate all of the considerations within this guide:

- Step 1 - Identify your mobile device management requirements
- Step 2 - Plan for mobile device management tasks
- Step 3 - Plan for secure mobile devices
- Step 4 - Plan for SaaS mobile device management

Step 1 - Identify your mobile device management requirements

The first step in designing a mobile device management solution is to determine the management platform requirements that will be used to support your mobile devices. Overall mobile device adoption for your company will dictate the platform requirements. If you decide to support only a single mobile device platform, you may disregard the multi-platform requirements for your solution. You'll need to go over your company's business strategy to fully understand your current and future business requirements. If you don't have a long-term strategy for mobile device adoption, chances are that your solution won't be scalable as your business needs grow and change.

Task 1: Identify your business needs

Each company will have different requirements. Even if these companies are part of the same industry, the real business requirements might vary. You can still leverage best practices from the industry, but ultimately it's the company's business needs that will identify the requirements for the mobile device management solution.

The first thing you'll want to do is answer the following questions:

- Device ownership: You must understand the device ownership policy for your company:
  o Who owns the mobile device?
    - The employee?
    - The company?
    - Both?
- Platform: Understanding which mobile device operating systems will be used by the company is very important for adoption and supportability decisions:
  o Which mobile device operating systems will be supported?
    - Android?
    - iOS?
    - Windows?
    - Windows Phone?
    - All of them?
    - A mix of the above options?
  o Which mobile OS versions will be supported?
    - Only the latest?
    - Current -1 (the current version plus the previous version)?
- Application: Since the main reason to embrace mobility is to increase productivity, the applications (or just apps) used by employees must be able to run on all the mobile device operating systems used in your organization. This is an important point to consider, because while some companies might have their most important apps fully portable to run in a mobile environment, others might need to understand what options are available that can help them deploy their apps to mobile devices. To assist you in identifying individual app requirements, ask yourself the following questions:
  o Do the apps require Internet access from users' devices?
  o Do the apps collect any user personal information?
    - If so, do the apps inform users about privacy issues and data collection while being installed?
  o Do the apps require integration with cloud services?
  o Were the apps developed to run on a specific operating system, or are they capable of running on any operating system?
  o Do you plan to enable users to use apps via remote desktop from their own devices?
  o Do the apps require full-time access to corporate resources, or can they run in offline mode?
  o Do the apps have any integration with social networks?
  o Will all apps be available to BYOD users?
  o How do you plan to deploy these apps to users' devices?
  o What are the deployment options for these apps?
  o Does the installation requirement vary according to the target device, or is it the same?
  o How much space on a target device is necessary in order to install each app?
  o Do the apps encrypt the data before transmitting it through the network from the users' devices to the app server on the back end?
  o Can the apps be remotely uninstalled via the network, or do they need to be uninstalled via the devices' consoles?
  o Do the apps still work on a high-latency or low-bandwidth network, such as a mobile data connection?
  o Do the apps provide authentication capabilities?
    - If so, which authentication method do the apps use?
- User: One of the main points in embracing mobility is to put the user at the center of the mobility solution and enable the user to be more productive, while keeping company data secure and available. It is important to understand what the user's requirements are:
  o Will the user be able to bring their own device and access the company's resources?
    - If yes, what are the requirements to access the company's resources?
  o Does your company have users with different needs?
    - If yes, how will each user profile impact the mobility strategy?
  o Will users be able to access all apps that they have access to in the on-premises environment via their mobile device?
    - If not, which apps will be available for the users?
    - Are those apps available for all supported mobile device platforms?
    - Will it be necessary to modify or update any apps in order to run them on all supported mobile device platforms?

During this task, you should also evaluate whether the company has existing management and compliance policies in place for mobile devices and how these policies might affect the mobile device management solution selection.

Note

Make sure to take notes of each answer and understand the rationale behind the answer. Task 3 will go over the available options and advantages/disadvantages of each option. By having answered these questions, you'll be able to select which solution best suits your business needs.

Task 2: Specify your mobile device management location requirements

Location requirements are one of the many factors that you should take into consideration when designing your mobile device management strategy. Location is important from the mobile device management solution perspective as well as from the device itself. Answer the following questions:

- Track users: To keep control of user activity while using a mobile device that has access to company resources, you must be able to implement policies that can restrict access to those resources based on the user's location:
  o Does the company need to implement mechanisms to cover geo-fencing, or the ability to enforce policies based on the geographic location of the device?
  o Does the company need to keep track of where the user was geographically located when they accessed a company resource?
- Administration model: Depending on the mobile device management solution that you deploy, administration can be distributed across different sites (locations) or centralized in a single location. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A stand-alone primary site is suitable for smaller deployments, though it has fewer options to accommodate future growth of your enterprise. You must understand the administration model for your solution:
  o Does your company need a centralized administration model?
    - Does the device management solution need to be located on-premises?
    - If not, can it be located in the cloud?
    - If not, can it be hybrid?
  o Does your company need a decentralized model where different locations should have autonomy over the device management administration?

Note

Make sure to take notes of each answer and understand the rationale behind the answer. Task 3 will go over the available options and advantages/disadvantages of each option. By having answered these questions, you'll be able to select which solution best suits your business needs.

Task 3: Develop your mobile device management adoption strategy

In this task, you'll develop the mobile device management adoption strategy that will meet the business requirements that you identified in Tasks 1 and 2.

Task 3a: Device ownership

After reviewing your organization's current policy and strategy to manage devices, you should have a list of scenarios that your organization plans to implement. Table 1 will assist you in understanding the advantages and disadvantages of each scenario:

Table 1

Scenario: Employee owns the device (BYOD)
  Advantages:
    - Your company does not need to buy mobile devices for the employees
    - Usually allows employees to be more productive since they will be using the mobile device of their choice
    - Support costs may decrease since the organization will have limited support over the mobile devices
  Disadvantages:
    - Increases the number of security considerations needed to protect company data located on personal devices
    - Increases the likelihood of data leakage, especially when appropriate security controls aren't in place
    - Limited management capability due to privacy restrictions

Scenario: Company-owned device
  Advantages:
    - Full management capability, including device hardening and security controls
    - More control over mobile devices
    - Capability of defining which mobile devices will be used by employees
  Disadvantages:
    - Potential increases in support costs, since the organization will maintain the mobile devices
    - Less flexibility for end users, which may affect their productivity
    - Cost increases, since the organization will have to buy mobile devices

Your organization might need to implement a mixture of elements from these scenarios. In this case, your mobile device management solution needs to be able to manage multiple device platforms while integrating with your current on-premises infrastructure.

Task 3b: Supported mobile device platforms

The decision you made regarding device ownership will help you identify which mobile device platforms you'll support. The mobile device management solution that you choose will have to accommodate this decision. In a single mobile device platform scenario, the platform choice will not be as relevant as in the multi-platform scenario. Use Table 2 to help you choose the mobile device management solution for a multi-platform scenario:

Table 2

MDM option: Intune (standalone)
  Advantages:
    - Supports provisioning all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
    - Allows you to manage any mobile device from any location
    - More advanced management options for mobile devices
  Disadvantages:
    - Lack of integration with a current MDM solution located on-premises will introduce an additional management interface for you to use
    - Policies created using the on-premises MDM solution are not replicated to the cloud service

MDM option: MDM for Office 365
  Advantages:
    - Pre-integrated with Office 365
    - If you're already using Office 365, the MDM capabilities are easily leveraged to manage mobile devices
    - If you're already using Office 365, you won't need to use another console to manage mobile devices
  Disadvantages:
    - Limited set of capabilities (see the note that follows this table) to manage mobile devices
    - Lack of integration with any current MDM solution located on-premises will introduce an additional management interface for you to use

MDM option: Hybrid (Intune with System Center)
  Advantages:
    - Native integration between Intune and System Center 2012 R2 Configuration Manager
    - Allows you to use a single console to deploy policies and manage mobile devices
  Disadvantages:
    - Requires additional configuration steps to connect Intune and System Center 2012 R2 Configuration Manager
    - If the organization does not have a current System Center infrastructure on-premises, it will need to plan, install and configure this platform prior to the integration

To learn more about the management capabilities available in Office 365, read Device management tasks.

Task 3c: Application requirements

Based on the requirements that were defined in Task 1, you'll need to choose which mobile device management solution best fits those requirements. Use Table 3 to compare the MDM options and the advantages and disadvantages of each option:

Table 3

MDM option: Intune (standalone)
  Advantages:
    - Allows you to manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal. Read Deploy software to mobile devices in Microsoft Intune for more information.
    - Allows you to specify a list of compliant apps that users are allowed to install and noncompliant apps, which must not be installed by users. Read Manage devices using configuration policies with Microsoft Intune for more information about this capability.
    - Allows you to configure restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external backup of data and the transfer of data between apps. Read Control apps using mobile application management policies with Microsoft Intune for more information.
  Disadvantages:
    - Lacks integration with the on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
    - Policies created using the on-premises MDM platform aren't replicated to the cloud service, requiring two sets of management and compliance policies

MDM option: MDM for Office 365
  Advantages:
    - Allows you to require passwords when users access the application store
    - Allows you to block access to the application store
  Disadvantages:
    - Limited set of capabilities to control apps
    - Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use to manage mobile devices

MDM option: Hybrid (Intune with System Center)
  Advantages:
    - Inherits app control settings from Intune standalone
    - Allows you to integrate Intune with System Center to have a better management experience
    - Leverages Configuration Manager app management capabilities. Read Application Management in Configuration Manager for more information.
  Disadvantages:
    - Requires additional steps to perform this integration
    - If your organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration

Task 3d: Track requirements

Understanding the user's behavior and being able to identify their location are important characteristics that should be included in your mobile device management strategy. How devices will be tracked will vary according to your business requirements and needs. It is important to remember that different tracking capabilities are available via each mobile operating system; therefore your selection of which mobile device platforms will be supported will have a direct impact on this requirement. Compliance requirements may drive you to prioritize the adoption of mobile device platforms that allow you to track the user's location and use geofencing.

Note

Geofencing allows you to monitor a mobile device's geographic location and enable/disable device and network resources based on that location. For example, Windows 8.1 supports geofencing, which allows an app to define a geographical region and have the system alert the app when the device it's running on enters or exits that area. For more information about this feature in Windows 8.1, read Geofencing, start to finish (XAML).


The MDM authority must also be geolocation aware and communicate with the mobile device to obtain information that will allow you to enforce geofencing restrictions. Use Table 4 to compare the MDM options and the advantages and disadvantages of each solution:

Table 4

MDM option: Intune (standalone)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read Use policies to manage computers and mobile devices with Microsoft Intune for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - Lack of integration with a current MDM platform located on-premises will introduce an additional management interface for you to use

MDM option: MDM for Office 365
  Advantages: Not available
  Disadvantages: Not available

MDM option: Hybrid (Intune with System Center)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read the article Compliance Settings for Mobile Devices in Configuration Manager for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - If the organization does not have a current System Center infrastructure on-premises, it will need to plan, install and configure this platform prior to the integration
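To make the geofencing behaviour described in Task 3d concrete, here is an added example that is not part of this guide and not Microsoft's geofencing implementation: a small Python model that evaluates a sequence of location fixes against a circular fence, raises the enter/exit transitions that an MDM authority would act on, and gates access to a corporate resource on the result. The office coordinates, fence radius and location fixes are constructed sample data, and treating a fix whose accuracy radius overlaps the fence boundary as outside (fail closed) is a design choice of this example, not something the guide specifies.

```python
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (spherical model)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    """A circular region: centre point plus radius."""
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float, accuracy_m: float = 0.0) -> bool:
        # Fail closed: the whole error circle of the fix must lie inside the fence.
        # A coarse fix (cell-tower only) near the boundary therefore counts as outside.
        return haversine_m(self.lat, self.lon, lat, lon) + accuracy_m <= self.radius_m


# (latitude, longitude, horizontal accuracy in metres) -- constructed sample fixes,
# not real telemetry. The fence centre is likewise a made-up office location.
Fix = Tuple[float, float, float]
OFFICE_FENCE = Geofence("HQ campus", 47.6420, -122.1370, radius_m=200.0)
SAMPLE_FIXES: Sequence[Fix] = (
    (47.6421, -122.1371, 10.0),   # ~13 m from centre, good accuracy: inside
    (47.6425, -122.1375, 15.0),   # ~67 m from centre: still inside
    (47.6450, -122.1370, 10.0),   # ~334 m north: outside -> exit event
    (47.6421, -122.1371, 300.0),  # near centre but +/-300 m accuracy: stays outside
    (47.6420, -122.1370, 5.0),    # precise fix at the centre: inside -> enter event
)


def track_transitions(fence: Geofence, fixes: Sequence[Fix]) -> List[Tuple[str, int]]:
    """Replay fixes and emit ('enter'|'exit', index) whenever the inside/outside
    state changes, mirroring the system callbacks an app receives for a fence."""
    events: List[Tuple[str, int]] = []
    inside = False  # unknown state is treated as outside until a fix proves otherwise
    for i, (lat, lon, acc) in enumerate(fixes):
        now_inside = fence.contains(lat, lon, acc)
        if now_inside != inside:
            events.append(("enter" if now_inside else "exit", i))
            inside = now_inside
    return events


def resource_allowed(fence: Geofence, fix: Fix) -> bool:
    """Policy hook: a location-restricted corporate resource is reachable only while
    the device's latest fix is inside the fence."""
    lat, lon, acc = fix
    return fence.contains(lat, lon, acc)


def demo_events() -> List[Tuple[str, int]]:
    """Run the constructed fixes through the HQ fence."""
    return track_transitions(OFFICE_FENCE, SAMPLE_FIXES)


if __name__ == "__main__":
    for kind, idx in demo_events():
        print(f"{kind:5s} at fix #{idx}: {SAMPLE_FIXES[idx]}")
    print("resource allowed on last fix:", resource_allowed(OFFICE_FENCE, SAMPLE_FIXES[-1]))
```

The fourth fix is the case worth noticing: it sits almost on the fence centre, yet its 300 m accuracy means the device could equally be well outside the fence, so the control keeps the resource locked. Location is user-reported data that the MDM authority cannot verify, so a geofence should only ever add a restriction on top of authentication and device compliance, never replace them.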

Task 3e: Administration model

The administration model that you choose will vary according to your business requirements. If the mobile device management solution needs to be located on-premises, you must evaluate what capabilities are available in your current infrastructure to accommodate mobile device management for devices that can be located in the cloud or on-premises. After evaluating how this will impact the mobile management strategy, you might decide that it is possible to keep the core management on-premises and integrate with a cloud mobile device management solution, which leads you to choose the hybrid scenario. Review Table 2 to see the advantages and disadvantages of using a standalone, cloud, or hybrid MDM solution.

Note

It is important to mention that Intune standalone has limited capabilities for delegated administration. ConfigMgr in a hybrid scenario provides greater control and delegation for delegated administrators.

One strategic aspect of how an organization will manage their mobile devices is to understand the current management platform capabilities and the administration model in place. Organizations that are composed of a headquarters and multiple branch offices might be using a distributed administration model where each branch office has control over the management platform for that location. Most of the time, an administration model is already in place when a company decides to embrace mobility by deploying a mobile device management solution. However, you must ensure that the current infrastructure will be able to handle the requirements introduced by the adoption of a mobile device management solution.

Figure 2 is an example of an organization with a central administration site, with multiple primary sites and multiple secondary sites:

Figure 2: Example of a central administration site hierarchy

One important fact to mention is that the administration model in question here is related to how the on-premises infrastructure will be designed. In this case the company already has a device management solution in place and is already able to manage their on-premises devices. Here are some important factors to consider when choosing which administration model you will use for your mobile device management solution:


- You can schedule and throttle network traffic when you distribute deployment content to distribution points.
- Discovery data records (DDRs) for unknown resources transfer by using file-based replication from a primary site to the central administration site for processing.
- Role-based administration provides a central security model for the hierarchy, and you do not have to install sites to provide a security boundary. Instead, use security scopes, security roles, and collections to define what administrators can see and manage in the hierarchy.

Note

For more information on how to plan for System Center 2012 R2 Configuration Manager

Sites and Hierarchy, read Planning for Configuration Manager Sites and Hierarchy.

System Center 2012 R2 Configuration Manager can meet this requirement by allowing administrators to deploy ConfigMgr as a single stand-alone primary site, or as multiple sites in a hierarchy. When you plan your initial deployment, consider a design that can scale for the future growth your organization might require. Planning for expansion is an important step because the changes in System Center 2012 R2 Configuration Manager from previous versions of the product mean that ConfigMgr can now support more clients with fewer sites.

High availability factors should also be considered when designing your management hierarchy.

At each site that will have a System Center 2012 R2 Configuration Manager installed, you deploy

site system roles to provide the services that you want clients to use at that site. The site

database contains the configuration information for the site and for all clients. Use one or more

of the available options to provide for high availability of the site database, and the recovery of

the site and site database if needed.

Note

For more information on how to plan for System Center 2012 R2 Configuration Manager

high availability, read the article Planning for High Availability with Configuration

Manager

Another important point to consider regarding the administration model is how you will delegate administration to your staff. Ideally the management platform will support role-based access control (RBAC). While this is one method of restricting and managing what users, operators and administrators can do, it is not the only method and it might not be required by the business. Step 3 of this document covers RBAC in more detail and how to identify the need for this capability.
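The role-based administration model described above, in which security scopes, security roles and collections form the security boundary instead of separate sites, can be made concrete with a small model. The following Python block is an added example written for this guide, not ConfigMgr code or its API; the role names, scope names, collection names and permission strings are assumptions, and it reduces ConfigMgr's evaluation to the three-way check that matters for delegation: the role must grant the permission, the object must carry one of the admin's security scopes, and any targeted collection must be one the admin was assigned.

```python
"""Minimal model of role-based administration: an administrative user holds one
or more assignments, each pairing a security role with the security scopes and
collections it applies to. An action is permitted only when all three agree,
so delegating a branch office needs no separate site.

Added example for this guide; not ConfigMgr code. All names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset        # "<ObjectType>:<Action>" strings


@dataclass(frozen=True)
class Assignment:
    role: Role
    scopes: frozenset             # security scopes this role may act within
    collections: frozenset        # collections this role may target


@dataclass(frozen=True)
class AdminUser:
    name: str
    assignments: tuple


@dataclass(frozen=True)
class SecuredObject:
    kind: str                     # e.g. "Application"
    name: str
    scopes: frozenset             # an object can be tagged with several scopes


def is_authorized(admin, action, obj, target_collection=None):
    """True if some assignment grants `action` on `obj` and, when the action is
    aimed at a collection, that collection is one the admin was assigned."""
    permission = f"{obj.kind}:{action}"
    for a in admin.assignments:
        if permission not in a.role.permissions:
            continue                              # role does not grant it
        if not (obj.scopes & a.scopes):
            continue                              # object outside admin's scopes
        if target_collection is not None and target_collection not in a.collections:
            continue                              # collection not delegated
        return True
    return False


def visible(admin, objects):
    """What the console would show this admin: objects they can at least read."""
    return sorted(o.name for o in objects if is_authorized(admin, "Read", o))


# --- constructed sample data (hypothetical names) --------------------------
APP_ADMIN = Role("Application Administrator",
                 frozenset({"Application:Read", "Application:Modify", "Application:Deploy"}))
READ_ONLY = Role("Read-only Analyst", frozenset({"Application:Read"}))

PAYROLL = SecuredObject("Application", "Payroll Client", frozenset({"HQ"}))
FIELD_SALES = SecuredObject("Application", "Field Sales App", frozenset({"Branch-Seattle"}))
APPS = [PAYROLL, FIELD_SALES]

# Branch admin: full application rights, but only inside the branch scope and
# only against the branch's own device collection.
SEATTLE_ADMIN = AdminUser("CONTOSO\\seattle-admin", (
    Assignment(APP_ADMIN, frozenset({"Branch-Seattle"}), frozenset({"Seattle Devices"})),
))
# HQ analyst: sees applications in both scopes but cannot deploy anything.
HQ_ANALYST = AdminUser("CONTOSO\\hq-analyst", (
    Assignment(READ_ONLY, frozenset({"HQ", "Branch-Seattle"}), frozenset({"All Systems"})),
))


if __name__ == "__main__":
    print(visible(SEATTLE_ADMIN, APPS))                                            # ['Field Sales App']
    print(is_authorized(SEATTLE_ADMIN, "Deploy", FIELD_SALES, "Seattle Devices"))  # True
    print(is_authorized(SEATTLE_ADMIN, "Deploy", FIELD_SALES, "All Systems"))      # False: collection
    print(is_authorized(SEATTLE_ADMIN, "Deploy", PAYROLL, "Seattle Devices"))      # False: scope
    print(is_authorized(HQ_ANALYST, "Deploy", PAYROLL, "All Systems"))             # False: role
```

The three refusals at the end are the point: the branch admin is stopped by a collection he was not delegated, by a scope he is not in, and the analyst by a role that lacks the permission, all without any site boundary being involved.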

Step 2 - Plan for mobile device management tasks

Managing mobile devices, both company-owned and user-owned, encompasses several important lifecycle management decisions. After you’ve determined the mobile device platform, application, and user requirements for your organization, you’ll also need to identify how to manage each of these areas to align your overall MDM strategy with your ongoing management and support policies. In this step, we’ll examine the MDM enrollment, management, monitoring, and reporting lifecycle requirements.

Task 1: Understanding the mobile device management lifecycle

Understanding the different areas of managing mobile devices is important when designing your mobile device management solution. Figure 3 outlines the overall mobile device management lifecycle stages. Each stage has unique requirements and questions for you to consider when planning your solution. We’ll start with the enrollment stage in this section, and the other stages will be covered in more detail throughout this guide.

Figure 3 – Mobile device management lifecycle stages

Device enrollment and provisioning

Mobile device management starts with the initial enrollment and provisioning of devices into your mobile device management solution. Simplicity, ease of registration, and enrollment are the key factors for success in the mobile device management lifecycle. If initial device enrollment is difficult or overly confusing, both you and your users will be reluctant to leverage the features, benefits, and protections that the mobile device management solution is intended to deliver.

Mobile device enrollment in mobile device management solutions is typically initiated in one of two ways:

Administrator-managed enrollment

User/owner self-enrollment

Administrator-managed enrollment offers a centrally managed enrollment experience, and

typically is centered on enabling the bulk enrollment of multiple devices using a single directory

account. This is useful when enrolling many company-owned devices into the mobile device

management solution.

Self-enrollment offers the device user/owner the option of enrolling in the mobile device management solution and is typically used in “bring your own device” (BYOD) scenarios, although it can also be used in scenarios where the company owns the device. This type of enrollment typically leverages a “push-based” enrollment model, where devices are prompted to enroll in the mobile device management solution when they attempt to connect to the corporate network or a network resource (for example, when access to corporate email is withheld until the device is enrolled). Users can also elect to enroll their devices before connecting to an organization’s network or resources.

Enrollment and the provisioning of mobile devices encompasses several different areas:

Deploying, accessing, and managing internal and external applications and services

Enforcing device security and access configurations

Protecting devices from security threats

In most cases, when a mobile device is enrolled in a mobile device management solution the

device is automatically assigned policies and permissions associated with the device user’s

directory account and/or the group the device itself is associated with in directory services.

Depending on the mobile device management solution, the bulk of the configuration of these policies and permissions is usually done before devices are enrolled. This allows the provisioned configuration settings to take effect immediately when devices enroll and avoids a gap between enrollment and provisioning during which an enrolled device is not yet subject to policy.

Device enrollment and provisioning planning questions: As part of mobile device

management lifecycle planning, you’ll want to answer the following planning questions about

device enrollments and provisioning:

Will mobile devices be enrolled by you, by users, or both?

Do you need the ability to bulk enroll mobile devices?

What is the maximum number of devices you’ll need to bulk enroll?

Do the mobile operating system platforms in your organization have different bulk enrollment requirements and resources?

How many devices will each user typically use and need to enroll?

Does the mobile device management solution have a per-user device enrollment limit?

What are the requirements (connectivity, application, management agent, company

portal) for users to self-enroll devices?

Is this different from the administrator-managed enrollment experience?

What are the enrollment requirements for each device operating system you need to

support?


Do the mobile device operating systems in your organization require special or unique

enrollment requirements?

Does the mobile device management solution support both connected and over-the-air

enrollments?

What are the hardware requirements (if any) for supporting device enrollments?

What are the network connectivity and network security requirements for supporting

device enrollments?

Do you need specific device compliance policies applied to devices upon initial

enrollment?

Do you need specific device security policies applied to devices upon initial enrollment?

Do you need the ability to configure or set a maximum or minimum time limit for

provisioning device policies after initial enrollment?

Do you require special provisioning policies to be automatically triggered in the event of

enrollment failures?

Device management

How mobile devices are managed, both from your perspective and the device user’s perspective, is a key component of a mobile device management solution. Often, the method by which mobile devices are managed is highly dependent on how non-mobile devices (servers, desktops, other networked devices) are managed. Depending on the organization, non-mobile device management solutions may have been in place long before mobile devices were introduced to the organization, possibly at considerable cost and with long-term investments in these management solutions. Thoroughly understanding how your organization can integrate mobile device management solutions with existing non-mobile device management solutions is likely one of the most important activities you’ll need to complete when designing a mobile device management solution that meets the needs of your organization.

Mobile device management typically involves activities in several administrative areas:

Device security and configuration: Configuring mobile device security allows you to define a wide range of settings that you can deploy to managed devices in your organization. These settings control the overall functionality and security of mobile devices, and may include device passcode requirements, device encryption, and erasing data from lost or stolen devices. More details about security and configuration will be covered in the Plan for secure mobile devices section.

Application management: Configuring mobile device applications spans several

important areas, including managing application deployment, installation, updating and

managing status, and application removal. Additionally, managing restrictions on certain

non-compliant applications is central to an overall compliance and security strategy.

Company resource access: Managing access to on-premises network resources, such as email servers, Wi-Fi networks, and VPN-enabled resources, serves a dual purpose: ensuring security compliance and making it easier for mobile device users to access company resources according to company policy. If accessing organization resources is overly complex or difficult for mobile device users, they may bypass the approved company resources and store company data in non-approved ones.


Inventory and reporting: Managing mobile devices requires recording and analyzing mobile device and platform events to ensure compliance with management policies. Detailed reporting also provides you with real-time statistics and data so that you can make timely, actionable decisions based on the status of mobile devices and mobile device users. More details about inventory and reporting will be covered in a later section.

Device management planning questions: Understanding your organization’s requirements will lead you to determine the core administration tasks that the mobile device management solution must be able to support. Because you are still defining the requirements, focus for now only on the key administration aspects by ensuring that the following questions are answered. As part of mobile device management lifecycle planning, you’ll want to answer the following planning questions about device management:

Do you need specific management policies applied to groups of users, groups of devices,

and/or groups of device operating systems?

Do you need specific management policies for different types of devices? For example,

separate policies for user-owned or company-owned devices, or mobile devices and

non-mobile devices?

Do you need to separate device management rights and permissions among several IT roles or positions? If so:

o What separation of permission levels is required?

o Do the permission levels supported by the solution need to be customizable?

o Do the permissions need to be integrated into your existing account directory

services?

Do you need the ability to both manually and automatically deploy the mobile device

management solution agents or software?

Do you want to integrate managing mobile devices with an existing non-mobile device management solution? If so:

o Do you want to manage all devices from a unified management console or

portal?

o What are the integration requirements for your existing non-mobile device

management solution?

o How does your existing non-mobile device management solution support

required management roles and permissions?

o Are there hardware or networking requirements to connect management services

between the mobile device management and the non-mobile device

management solutions?

o Do both solutions have separate or integrated inventory and reporting systems?

Does the mobile device management solution have a company portal for users to install

their apps?

Does the mobile device management solution meet your company’s scalability

requirements?

Does the mobile device management solution support remote administration?

Does the mobile device management solution support automation?


Device retirement/unenrollment

When users leave your organization or mobile devices are retired or replaced, it’s important to ensure that corporate data isn’t lost or compromised. Typically, mobile device management solutions support both IT-managed and user-managed device resets and unenrollment. With most mobile devices, unenrollment starts with resetting the device to factory defaults or performing a selective wipe of all corporate data and applications, followed by removing the device’s enrollment connection to the management solution. This process often differs between mobile device manufacturers and device operating system platforms.

Device retirement/unenrollment planning questions: As part of mobile device management

lifecycle planning, you’ll want to answer the following planning questions about device

retirement and unenrollment:

Do you need the ability for both IT and users to unenroll mobile devices?

If a device is selectively wiped, will it be automatically unenrolled from the mobile device

management solution?

If mobile device users can unenroll their mobile devices, how will the removal of

corporate data and applications be verified?

o Is this different for devices that are selectively wiped and devices that are reset to

the factory default setting?

Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and advantages/disadvantages of each option. By

having answered those questions you will select which option best suits your business

needs.

Task 2: Gather monitoring requirements

Monitoring and capturing status and event information for mobile devices is vital to ensuring that users and devices remain compliant with your corporate policies and security strategy. This is especially important for organizations that must comply with governmental regulatory requirements and industry compliance guidelines. Reporting can also provide valuable information about software, hardware, and software licenses in your organization to assist with inventory management. It is also important to note that user privacy issues impact monitoring and reporting, especially in cases where users are enrolling personally-owned devices in your organization’s mobile device management solution. Your organization should not capture, monitor, report on, or share any personal activity or information from those devices.

In general, mobile device management solutions split this area into two parts:

Logging: Capturing and storing mobile device and mobile device application status and information.

Reporting: Displaying reports or notifications, ranging from standard and customizable reports that can be created on demand or automatically, to summary and dashboard status reports.

Monitoring planning questions: As part of mobile device management lifecycle planning,

you’ll want to answer the following planning questions about device monitoring:

What types of regular reports for mobile devices will you need?

o Device inventory?

o Device usage?

o Device access?

o Device applications?

Will reports need to be shared?

o Between IT roles?

o Outside of the IT organization?

o Accessed remotely (outside of the corporate network)?

What types of issues or problems with devices will you need to identify?

What types of events captured in monitoring will need to be acted upon? In what time

frame?

Will you need customized reports?

When a device is unenrolled, should specific inventory and reporting events be

captured?

After a device is unenrolled, should its historical inventory and reporting events be

archived/maintained?

Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and advantages/disadvantages of each option. By

having answered those questions you will select which option best suits your business

needs.

Task 3: Determine network resource requirements

Enabling secure, managed access to a wide variety of corporate resources from mobile devices is one of the primary features of a mobile device management solution. While these resources have typically been located in on-premises networks in the past, more and more they are also being hosted on cloud-based web services and external networks. How mobile devices connect to corporate email platforms, virtual private networks (VPNs), and corporate wireless (Wi-Fi) networks all play an important role in keeping corporate data and other resources protected from unauthorized access. Equally important is making it convenient and easy for mobile device users to access these resources securely, so that users do not find a more convenient, unprotected way to reach them.

Email management

Accessing corporate email, whether on a personally-owned mobile device or a company-owned mobile device, is typically the primary data resource most users need access to on a corporate network. It is also typically the connection that triggers initial mobile device enrollment in the mobile device management solution. Being able to manage email access for mobile devices across both your existing non-mobile device management solution and the mobile device management solution helps avoid device coverage gaps and increases the protection level for data stored on email servers.

Most mobile device management solutions provide email access protection by using one or

both of the following features:

Email profiles: Email profiles give administrators the ability to create and deploy profiles that automatically configure mobile devices with the appropriate email server information so that users can connect to their mailbox. This helps ensure that users connect to the correct email server and removes the need for users to remember email server endpoint names or network addresses. Removing these email profiles also gives administrators a way to remove email from devices as part of a device reset or selective wipe. Email profile management can be included as a feature in non-mobile device management solutions, or can often be configured as part of the integration of a mobile device management solution.

Managed email access: Managed email access, sometimes referred to as conditional

email access, is different from email profiles in that it typically focuses on the security

and compliance area of the mobile device rather than which endpoint the mobile device

connects to for email access. With managed email access, a compliance policy that

outlines the device prerequisites needed before a mobile device can connect to an email

resource is defined and assigned to individual users or devices or groups of users and/or

devices. This compliance policy for managed access is typically first enforced upon initial

device enrollment, but should remain in place and active as long as the mobile device is

enrolled in the mobile device management system.
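To make the managed email access model concrete, here is an added example, written for this guide and not code from Intune, Office 365 or any MDM product, of the decision an email gateway or MDM connector has to make: a device that is not yet enrolled is quarantined with an enrollment prompt (which is how the email connection triggers enrollment), while an enrolled device is checked against every compliance policy assigned to its user's groups, and the check is repeated on every check-in so that a device which later falls out of compliance loses access. The policy fields, the group names and the rule that a device which has not checked in for 72 hours is no longer trusted are assumptions.

```python
"""Managed (conditional) email access: allow / quarantine / block a mobile
device based on enrollment state and the compliance policies assigned to its
user. Added example for this guide; policy fields and group names are assumed."""
from dataclasses import dataclass


def version_tuple(v):
    """'8.1.3' -> (8, 1, 3): compare OS versions numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class CompliancePolicy:
    name: str
    min_os: dict                      # platform -> minimum version; other platforms not allowed
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    max_checkin_age_hours: int = 72   # assumed rule: a device that stops reporting is untrusted


@dataclass
class DeviceState:
    device_id: str
    user: str
    platform: str
    os_version: str
    enrolled: bool = False
    passcode_set: bool = False
    encrypted: bool = False
    jailbroken: bool = False
    hours_since_checkin: int = 0


# Constructed sample directory groups and policy assignments (hypothetical)
GROUP_MEMBERS = {"AllUsers": {"alice", "bob", "carol"}, "Finance": {"alice"}}
ASSIGNMENTS = [
    ("AllUsers", CompliancePolicy("baseline", {"iOS": "8.0", "Android": "4.4", "Windows Phone": "8.1"})),
    ("Finance", CompliancePolicy("finance-strict", {"iOS": "8.3", "Android": "5.0"},
                                 max_checkin_age_hours=24)),
]


def policies_for(user):
    """Every policy assigned to any group the user belongs to; all of them must pass."""
    return [p for group, p in ASSIGNMENTS if user in GROUP_MEMBERS.get(group, ())]


def violations(policy, d):
    """Reasons this device fails the given policy (empty list = compliant)."""
    reasons = []
    if d.platform not in policy.min_os:
        reasons.append(f"{policy.name}: platform {d.platform} not permitted")
    elif version_tuple(d.os_version) < version_tuple(policy.min_os[d.platform]):
        reasons.append(f"{policy.name}: OS {d.os_version} below minimum {policy.min_os[d.platform]}")
    if policy.require_passcode and not d.passcode_set:
        reasons.append(f"{policy.name}: no device passcode")
    if policy.require_encryption and not d.encrypted:
        reasons.append(f"{policy.name}: storage not encrypted")
    if policy.block_jailbroken and d.jailbroken:
        reasons.append(f"{policy.name}: device is jailbroken/rooted")
    if d.hours_since_checkin > policy.max_checkin_age_hours:
        reasons.append(f"{policy.name}: last check-in {d.hours_since_checkin}h ago, "
                       f"limit {policy.max_checkin_age_hours}h")
    return reasons


def email_access_decision(d):
    """Run on first contact and again on every device check-in.
    Returns (decision, reasons) where decision is allow, quarantine or block."""
    if not d.enrolled:
        # Quarantine rather than block: the user gets the enrollment prompt and
        # mail is released once the device enrolls and passes the checks below.
        return "quarantine", ["device not enrolled; enrollment required for mail access"]
    reasons = [r for policy in policies_for(d.user) for r in violations(policy, d)]
    return ("allow" if not reasons else "block"), reasons


if __name__ == "__main__":
    phone = DeviceState("ios-0001", "alice", "iOS", "8.4", enrolled=True,
                        passcode_set=True, encrypted=True, hours_since_checkin=2)
    print(email_access_decision(phone))          # ('allow', [])
    phone.jailbroken = True                      # state changes after enrollment...
    print(email_access_decision(phone))          # ...and the next check-in blocks it
```

Note that a user in two groups is held to both policies, so the stricter minimum OS version for Finance applies to alice even though her device satisfies the baseline; that is the behaviour you want when policies are assigned to groups rather than to individual devices.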

Email management planning questions: As part of mobile device management lifecycle

planning, you’ll want to answer the following planning questions about email management:

How will mobile devices connect to your existing on-premises or cloud-hosted email

system?

If mobile devices are already connecting to your existing email system, what connection

type or protocol are the devices using to connect?

Will administrators or users (or a combination of both) be responsible for connecting

mobile devices to your email system? If users will be connecting mobile devices to the

email system, how will they:

o Choose the proper connection point to access their email mailbox?

o Choose the proper connection protocol or connection method?

Will mobile devices need to meet certain security and compliance standards before and

while remaining connected to your email system?

Do you need the ability to create custom email security and compliance connection

policies? If so, what are the specific requirements?

Will you need the ability to import or export email security and compliance connection

policies?

How do you need to manage connections to your email system?


o By device user?

o By device type?

o By device OS?

o By user group or role?

When a mobile device needs to be disconnected from your email system, how will email

data be deleted from the mobile device?

Will both administrators and users need the ability to delete email data or the

connection to the email system?

How will confirmation of email data deletion be verified or confirmed?

If you’re currently managing mobile device connections to email resources with an

existing protocol or management method, how does it integrate with the mobile device

management solution?

If you’re using both an on-premises and a cloud-based email system, how do they integrate with the mobile device management solution? Are email profiles or managed

access policies administered the same or differently from the IT perspective? Is the user

email connection experience the same or different depending on where their mailbox is

hosted?

Network connectivity management

When connecting to the corporate network and corporate resources, mobile devices typically use one of the following access technologies:

Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises

network extension service while devices are in close physical proximity to the on-

premises network. This usually involves allowing mobile devices to connect to network

resources as users roam from location-to-location in an on-premises office, such as

conference and meeting rooms, different offices, or other on-premises areas. It can also

include wireless access from remote locations over non-corporate managed wireless

network access points, such as the user’s home network or a public wireless access point.

To simplify connections to wireless networks, administrators can usually manage these

connections using wireless profiles that outline the specific settings mobile devices need

to configure in order to connect to the wireless network. This may include automatically

configuring a custom network name, network Service Set Identifier (SSID), security

settings, network proxy, and whether or not the device should automatically connect to

the wireless network when the device is in range.

Virtual Private Network (VPN): Secure remote access to corporate resources often

includes using a defined VPN connection type from the mobile device. This is often

vendor-specific and includes the installation of a VPN application on the mobile device.

Additionally, these VPN applications often use either digital certificates or separately

managed user account credentials to authenticate the VPN connection. To simplify

connections to VPNs, administrators can usually manage these connections using VPN

profiles or the VPN management tools included with the VPN solution. Depending on

integration support, managing VPN connections with the mobile device management

solution may or may not be an option with certain VPN platforms.

Note

You may have other web-based resources, such as SharePoint, that are accessed over Secure Sockets Layer (SSL) or Transport Layer Security (TLS); SSL is obsolete, so require TLS for new deployments. Be sure you understand how mobile devices will access these resources, as well as resources with separate VPN or secure access methods.

Network connectivity management planning questions: As part of mobile device

management lifecycle planning, you’ll want to answer the following planning questions about

network connectivity management:

How will the Internet be accessed from the mobile device?

o Is it via Wi-Fi? If so, is access through a proxy required? Does the proxy require authentication?

How will mobile devices connect to your existing on-premises wireless or VPN platform?

If mobile devices are already connecting to your existing wireless or VPN platform, what

connection type or protocol are the devices using to connect?

Will changes to these connections be needed if the devices are enrolled in a mobile

device management solution?

Will administrators or users (or a combination of both) be responsible for connecting

mobile devices to your wireless or VPN platform? If users will be connecting mobile

devices to the wireless or VPN platform, how will they:

o Choose the proper connection point to access the corporate network?

o Choose the proper connection protocol or connection method?

o Choose the proper digital certificate for the connection method?

Do you want to automatically configure wireless and VPN connection properties and

settings on user’s mobile devices?

Do you need to provide different wireless network configuration or security settings to

different types of users, devices, device operating systems, or user groups and roles?

Will you need the ability to import or export wireless and/or VPN configuration or

security connection policies?

Which of the following wireless security protocols do you need to support?

o WPA-Personal

o WPA2-Personal

o WPA-Enterprise

o WPA2-Enterprise

o WEP (cryptographically broken; support it only for legacy devices that cannot be migrated, never for access to corporate data)

If you need to support WPA-Enterprise or WPA2-Enterprise, which of the following

Extensible Authentication Protocol (EAP) types do you need to support?

o EAP-TLS

o PEAP

o EAP-FAST

o LEAP (deprecated; its MS-CHAP-based exchange can be cracked offline, so prefer EAP-TLS or PEAP)

o EAP-SIM

Which type of non-EAP authentication connection do you need to support?

o Unencrypted passwords (PAP), acceptable only when tunneled inside a TLS-protected method

o Challenge Handshake Authentication Protocol (CHAP)

o Microsoft CHAP (MS-CHAP)

o Microsoft CHAP Version 2 (MS-CHAP v2)


What type of VPN platform do you have deployed in your on-premises network?

Is the VPN platform supported or able to be integrated with the mobile device

management solution?

If the VPN platform is already integrated with or supported by an existing non-mobile device

management solution – does the mobile device management solution integrate with

both systems?
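The wireless questions above amount to an inventory of what the existing profiles actually use. On Windows, `netsh wlan export profile` writes each saved network as a WLAN profile XML file; the following Python block is an added example written for this guide (not Microsoft code) that classifies such profiles into the categories listed here, reads the outer EAP method from the 802.1X configuration, and flags the options a practitioner would want replaced before enrollment: WEP and open networks, WPA/TKIP, pre-shared keys, LEAP, and enterprise profiles that pin no trusted root CA for server validation (which lets a rogue access point harvest credentials). The four sample profiles are constructed and simplified; real exports nest the method settings under method-specific namespaces, which is why the auditor matches on local element names.

```python
"""Audit exported Windows WLAN profiles against the wireless security and EAP
options listed in this guide. Added example, not Microsoft code; the sample
profiles below are constructed and simplified."""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapcommon": "http://www.microsoft.com/provisioning/EapCommon",
}
# IANA EAP method type numbers as written in <EapMethod><Type>
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 25: "PEAP",
             26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
# <authentication> values mapped to the categories this guide uses
CATEGORY = {"WPA2": "WPA2-Enterprise", "WPA2PSK": "WPA2-Personal",
            "WPA": "WPA-Enterprise", "WPAPSK": "WPA-Personal"}


def audit_profile(xml_text):
    """Return name, security category, outer EAP method and a list of findings."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", namespaces=NS)
    auth = root.findtext(".//wlan:authEncryption/wlan:authentication", namespaces=NS)
    enc = root.findtext(".//wlan:authEncryption/wlan:encryption", namespaces=NS)
    findings = []

    if enc == "WEP":
        category = "WEP"
        findings.append("WEP is broken; replace before these devices are enrolled")
    elif auth in ("open", "shared"):
        category = "Open"
        findings.append("open network; traffic is unencrypted")
    else:
        category = CATEGORY.get(auth, f"unknown ({auth})")
        if category.startswith("WPA-") or enc == "TKIP":
            findings.append("WPA/TKIP is deprecated; move to WPA2 with AES")
        if category.endswith("Personal"):
            findings.append("shared passphrase cannot be revoked per device; "
                            "prefer Enterprise with per-device certificates")

    # Outer EAP method (802.1X profiles only). Real exports put the method
    # configuration under method-specific namespaces, so match on local names.
    eap = None
    type_el = root.find(".//{*}EapMethod/{*}Type")
    if type_el is not None:
        eap = EAP_TYPES.get(int(type_el.text), f"EAP type {type_el.text}")
        if eap == "LEAP":
            findings.append("LEAP is offline-crackable; replace with EAP-TLS or PEAP")
        elif root.find(".//{*}ServerValidation/{*}TrustedRootCA") is None:
            findings.append("no trusted root CA pinned; clients may accept a rogue access point")
    return {"name": name, "category": category, "eap": eap, "findings": findings}


def profile_xml(name, auth, enc, onex=""):
    """Build a minimal WLAN profile (constructed sample, not a real export)."""
    return (f'<WLANProfile xmlns="{NS["wlan"]}"><name>{name}</name>'
            f'<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>'
            '<connectionType>ESS</connectionType><connectionMode>auto</connectionMode>'
            f'<MSM><security><authEncryption><authentication>{auth}</authentication>'
            f'<encryption>{enc}</encryption><useOneX>{"true" if onex else "false"}</useOneX>'
            f'</authEncryption>{onex}</security></MSM></WLANProfile>')


def onex_xml(eap_type, trusted_root=None):
    """802.1X block with the outer EAP type and, optionally, a pinned root CA thumbprint."""
    validation = (f"<EapType><ServerValidation><TrustedRootCA>{trusted_root}</TrustedRootCA>"
                  "</ServerValidation></EapType>" if trusted_root else "")
    return (f'<OneX xmlns="{NS["onex"]}"><EAPConfig><EapHostConfig xmlns="{NS["eaphost"]}">'
            f'<EapMethod><Type xmlns="{NS["eapcommon"]}">{eap_type}</Type></EapMethod>'
            f'<Config><Eap><Type>{eap_type}</Type>{validation}</Eap></Config>'
            '</EapHostConfig></EAPConfig></OneX>')


SAMPLES = [
    profile_xml("Contoso-Corp", "WPA2", "AES", onex_xml(13, "aabbccdd")),  # EAP-TLS, root pinned
    profile_xml("Contoso-Branch", "WPA2PSK", "AES"),                       # pre-shared key
    profile_xml("Contoso-Lab", "WPA2", "AES", onex_xml(25)),               # PEAP, nothing pinned
    profile_xml("Warehouse-Legacy", "open", "WEP"),                        # scanners still on WEP
]


def audit_all(profiles=SAMPLES):
    return [audit_profile(p) for p in profiles]


if __name__ == "__main__":
    for result in audit_all():
        print(result["name"], result["category"], result["eap"], result["findings"])
```

Running the audit across every exported profile from a sample of existing devices answers the "which security protocols and EAP types do you need to support" questions with data rather than assumptions, and the findings list is the migration work to schedule before those networks are pushed out again as MDM Wi-Fi profiles.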

Certificate management

Digital certificates, issued either by your own internal Certification Authority (CA) or by a third-party CA, may be used to authenticate mobile devices to network connections or specific network resources. To simplify managing digital certificates, administrators can usually manage certificates using certificate profiles. This allows a uniform, centralized method for managing certificates, including how they are created, issued and renewed. It also helps users connect to corporate resources without having to request and install certificates manually or through a non-approved security process. However, using certificates for this type of authentication often requires additional on-premises infrastructure. This may include some or all of the following network components, depending on the level of integration supported by the mobile device management solution:

Directory services: Directory services, such as Microsoft Active Directory, are usually

required to securely connect and manage all other network components.

Certification Authority (CA) server: If you’re issuing certificates from your own internal PKI rather than obtaining them from a third-party CA, you’ll need a certification authority to create, issue, manage, renew and revoke digital certificates.

Network Device Enrollment Service (NDES) server: This server allows software and

mobile devices to obtain certificates based on the Simple Certificate Enrollment Protocol

(SCEP).

Proxy server: Depending on your on-premises network configuration, you may require a

proxy server that allows mobile devices to receive certificates using an Internet

connection and without directly connecting to your internal corporate network.

Certificate management planning questions: As part of mobile device management lifecycle

planning, you’ll want to answer the following planning questions about certificate management:

Does your organization already require or use digital certificates to authenticate access

to network resources?

Do you have an existing enterprise public key infrastructure (PKI)?

Do you need to automatically issue digital certificates to mobile devices?

How are digital certificates created, issued, renewed, or revoked from mobile devices?

Are digital certificates centrally managed by an on-premises or third party Certification

Authority (CA)?

Do you need to have different certificates assigned for access to different network

services? Is this dependent on the type of mobile device accessing the network?


Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and advantages/disadvantages of each option. By

having answered those questions you will select which option best suits your business

needs.

Task 4: Define your mobile device management lifecycle strategy

In this task, you’ll refine the mobile device management lifecycle strategy to meet the management requirements you identified in Tasks 1-3.

Task 4a: Device enrollment options

Enrolling devices in Intune, whether standalone or when connected to System Center 2012, requires that you prepare the service for the devices. Enrolling mobile devices in MDM for Office 365 only requires that each user included in a security policy respond to an enrollment message the next time they sign in to Office 365 on their mobile device. They must complete the enrollment and activation steps on each mobile device they will use to access Office 365 email and documents.

Intune standalone needs to be configured to define the Mobile Device Management Authority solution, which can be either Intune or an on-premises System Center 2012 R2 Configuration Manager infrastructure. This simply means “which management platform do you want to use to manage Intune-enrolled devices – Intune OR System Center?” It’s very important to understand the impact of choosing the best option for your organization, as the management authority cannot be easily changed once chosen. If you need to change this configuration, you’ll have to contact Microsoft Support for assistance. For most organizations that are already using System Center 2012 R2 Configuration Manager to manage PCs, servers, and other devices, connecting the on-premises solution with Intune and managing devices with System Center 2012 R2 Configuration Manager (ConfigMgr) is usually the best choice. To assign the mobile device management authority to ConfigMgr, you’ll create an Intune subscription from within the ConfigMgr console and select the option to allow ConfigMgr to manage the Intune subscription and Intune-enrolled devices.

Additionally, before you can enroll certain types of mobile devices running different mobile operating systems, you’ll need to prepare the Intune service with specific configuration requirements. For example, if you plan to enroll Apple iOS-based devices, you’ll need to configure Intune with an Apple Push Notification (APN) service certificate prior to enrolling iOS-based devices. If this isn’t configured, Intune can’t communicate with the APN service and iOS-based devices. Other mobile devices, such as devices running Android or Windows Phone operating systems, have their own separate enrollment requirements.

Depending on how you answered the questions in Task 1, you should be able to determine how you want devices to be enrolled in the mobile device management solution. Table 5 below will help you understand the advantages and disadvantages of each enrollment scenario:


Table 5

Enrollment scenario: Administrators enroll all mobile devices

Advantages:
- Administrators closely control the enrollment of all devices, effectively pre-screening any device or user at the beginning of the enrollment process
- Each device is enrolled without any user interaction, reducing device enrollment errors
- Easier to support more complex, automated, bulk, or highly customized device enrollment processes
- Support/help desk costs may decrease since experienced administrators are performing the device enrollments

Disadvantages:
- If supporting a BYOD strategy, increased likelihood that administrators may see or expose sensitive user personal information if appropriate security controls are not in place
- Users may have to arrange times with you to drop off and pick up mobile devices, requiring device enrollment scheduling and tracking
- Modern mobile device users may feel that this centralization is cumbersome and inconvenient, leading to user-defined workarounds that may compromise enrollment security and compliance processes

Enrollment scenario: User self-enrolls mobile devices

Advantages:
- More convenient and flexible for device owners/users
- Typically quicker device enrollment than a centralized enrollment process
- Offloads relatively simple administration tasks from you to your users, saving time, scheduling, tracking and administration overhead costs

Disadvantages:
- Potential increase in support costs or help desk calls; less-experienced users may need personalized enrollment assistance
- User confusion or problems with device enrollment security or compliance requirements may stall enrollment or generate a support call

Your organization might need to have the capability to implement both of these enrollment scenarios, requiring a blend of support and the mixing and matching of the advantages and disadvantages listed above. In this case, your mobile device management solution needs to be able to support both scenarios.

Task 4b: Device enrollment and provisioning options

When a user wants to use and enroll their own device, this immediately raises requirements from both the user and IT and impacts several areas shown in Figure 4:


Figure 4 - Overview of the enrollment process for mobile devices using hybrid Intune and System Center 2012 R2 Configuration Manager

1. With Windows Server 2012 R2, a new concept known as device registration was introduced. Users can register their devices for single sign-on and access to corporate data using Workplace Join. As part of this registration process, a certificate is installed on the device. In return for registering their device and making it known to the device management solution, the user gains access to corporate resources that were previously not available outside of their domain-joined PC.

2. Users can enroll devices, which configures the device for management with Microsoft Intune using the Company Portal, and then leverage the Microsoft Intune Company Portal for easy access to corporate applications and data and to manage their own devices, performing tasks such as remotely wiping them in the event they are lost, stolen or replaced.

3. You can publish access to corporate resources with the built-in capability available in Windows Server 2012 R2 called Web Application Proxy, based on device awareness (i.e. is it registered) and the user’s identity. Multi-factor authentication can be used through Azure Active Authentication.

4. In order to provide administrators with a unified view of their entire environment, the data from Microsoft Intune is synchronized with ConfigMgr, which provides unified management across both on-premises and cloud environments.

5. As part of the enrollment process, a new device object is created in Active Directory. This device object establishes a link between the user and their device, making it known to the device management solution and allowing the device to be authenticated, effectively providing a seamless two-factor authentication.

Depending on how you answered the questions in Task 1, you should be able to determine how you want devices to be managed in the mobile device management solution. Table 6 below will help you understand the advantages and disadvantages of each provisioning option:

Table 6

Enrollment & provisioning option: Intune (standalone)

Advantages:
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- A cloud-based service; mobile devices can be enrolled from any location with Internet access
- Devices may be enrolled via a centralized, customizable Company Portal
- Advanced device provisioning options for mobile devices

Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform

Enrollment & provisioning option: MDM for Office 365

Advantages:
- Integrated with Office 365 tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 8.1, and Windows Phone)
- Basic device provisioning options for mobile devices

Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform
- Less advanced device provisioning options

Enrollment & provisioning option: Hybrid (Intune with System Center)

Advantages:
- Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, and Windows Phone), and includes provisioning for all major non-mobile device operating systems
- Supports advanced device provisioning options for mobile devices via Intune connectivity

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

For more details about mobile device enrollment and provisioning options, make sure to review how to enable mobile device enrollments in Microsoft Intune and compare these requirements and procedures to enabling mobile device enrollments in System Center 2012 R2 Configuration Manager and MDM for Office 365.

Task 4c: Device management options

Managing mobile devices with Intune and System Center centers around management policies. Policies define groups of settings for mobile devices and can be either created from templates or customized for specific devices, users, or groups. The best management practice is to create management policies before mobile devices are enrolled in the management solution. This ensures that the devices are immediately managed in accordance with the policies and processes defined in your IT strategy. Both solutions allow for configuring the following policy types:

- Configuration policies: Configuration policies are used to define the general organizational settings for each enrolled mobile device. This may include device password, application, cloud policy, and encryption settings, but can include many other device settings for different management areas. Additionally, configuration policies are applied and configured differently for different types of mobile device operating systems by using device enrollment profiles.

Tip

When creating different policies for different types of devices, users, or groups – it’s easy to have conflicting policy settings applied to the same device. Be sure that you understand how conflicting policy settings are applied.

- Compliance policies: Compliance policies enforce your organization’s requirements for mobile devices to access (or be denied access to) company resources or services. This can also include device password and encryption settings, as well as determining if the mobile device is rooted (“jail-broken”). As with configuration policies, Intune and System Center 2012 compliance policy options also vary by mobile device operating system type. If you’re creating compliance policies in System Center 2012 R2 Configuration Manager, it’s important to note that increased granularity can be configured as part of a multi-part process:

  1. Creating configuration items

  2. Creating configuration baselines

  3. Deploying the configuration baselines to System Center 2012 R2 Configuration Manager user or device collections


- Conditional access policies: Conditional access policies define how access to email is managed and can be used separately or in conjunction with compliance policies. Connections to your Exchange Server or Exchange Online service must be configured in Intune or in System Center 2012 before conditional access policies can be deployed. Conditional access can also be configured for Office 365 and SharePoint Online services.

Depending on how you answered the questions in Task 1, you should be able to determine how you want devices to be enrolled in the mobile device management solution. Table 7 below will help you understand the advantages and disadvantages of each management scenario:

Table 7

Management option: Intune (standalone)

Advantages:
- Supports simplified policy control for managing users and devices
- Provides a simple, web-based administration & management console that is accessible from any location
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows for selective wipe or full factory reset for all mobile devices
- Includes a customizable Company portal, allowing the managed and secure distribution of internal and 3rd party mobile applications
- Deploy certificates
- Allows organizations to prevent cut/copy/paste functions in mobile applications
- Supports enforcing the use of managed browsers

Disadvantages:
- Additional licensing requirements and costs for user accounts enrolling devices in the Intune service

Management option: MDM for Office 365

Advantages:
- Integrated web-based administration and management console within an Office 365 tenant
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows for selective wipe or full factory reset for all mobile devices

Disadvantages:
- Managing many non-mobile on-premises devices isn’t supported
- Advanced mobile device management features and functionality aren’t supported:
  o Provisioning and managing certificates, email, VPN, wireless profiles
  o Enrolling and managing collections of devices
- Mobile application management features and functionality aren’t supported:
  o Deploying line of business applications to mobile devices
  o Enabling secure data access to Office mobile applications
  o Extending corporate data securely to line of business apps for mobile devices
  o Enabling managed browsers and other content viewing applications

Management option: Hybrid (Intune with System Center)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o Provides a single pane of glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell)

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
- VPN and email profiles for Android devices aren’t currently supported
- Managed browser support isn’t currently supported

Task 4d: Device monitoring options

Monitoring and understanding the status and configuration of all mobile devices managed by your organization is an important first step in the discovery of problems, non-compliance, and managing device inventory. Without detailed reports on hardware, software, and compliance status, it’s impossible to reconcile your device policies to actual device configurations and to make sure that devices are operating properly. Proactive monitoring will mitigate smaller problems before they become larger, more costly problems.

Intune, MDM for Office 365, and a hybrid deployment of Intune and System Center 2012 R2 Configuration Manager all provide monitoring and reporting capabilities to help manage devices, users, and compliance with your organization’s policies and procedures. Leveraging built-in reports, coupled with the ability to create customized reports, you can monitor several mobile device management areas that include:

- Update reports for software
- Software inventory reports
- Hardware inventory reports
- Licensing reports
- Non-compliance reports

Depending on the configuration of your infrastructure, you may be able to leverage different types of reporting capabilities, depending on your monitoring needs. Intune-based monitoring and reporting capabilities are the backbone for MDM for Office 365 (as well as Intune standalone deployments, of course) and can be tightly integrated with the reporting capabilities of System Center 2012 R2 Configuration Manager when connected in a hybrid deployment. Each element of the reporting stack shown below has different, yet complementary, reporting capabilities. It’s important that you understand the nuances of the reporting capabilities of each element of the mobile device management solution.


Figure 5 – Integrated mobile device monitoring and reporting

Depending on how you answered the questions in Task 2, you should be able to determine how you want to monitor mobile devices in the mobile device management solution. Table 8 below will help you understand the advantages and disadvantages of each monitoring scenario:

Table 8

Monitoring option: Intune (standalone)

Advantages:
- Monitoring overview/dashboard
- Alerts when errors are detected on directly managed network devices
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device
- Can monitor details in the following areas:
  o System
  o OS
  o Storage
  o Exchange ActiveSync
  o System enclosure
  o Network
  o Service

Disadvantages:
- Email alerts only, no text-based or voice alerts

Monitoring option: MDM for Office 365

Advantages:
- Monitoring overview/dashboard
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device

Disadvantages:
- Mobile device compliance status reports only

Monitoring option: Hybrid (Intune with System Center)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o Comprehensive, threshold-based, consolidated monitoring and reporting for all your organization’s devices, including non-mobile and non-Intune enrolled devices
  o Advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience provided by Reporting Services Report Builder

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

For more details about mobile device monitoring options, make sure to review how to monitor mobile devices and manage reporting in Microsoft Intune and compare these requirements and procedures to monitoring mobile devices and managing reporting in System Center 2012 R2 Configuration Manager and MDM for Office 365.

Task 4e: Email management options

Providing managed access to corporate email from mobile devices is usually the primary need driving the implementation of a mobile device management solution. And typically, it’s the gateway service that drives initial mobile device enrollment. For example, in MDM for Office 365 a security policy provides basic managed access to email mailboxes hosted in Exchange Online. This policy configures Exchange ActiveSync settings that can enforce basic mobile device compliance settings, such as requiring a device password and device encryption, before the device will be able to connect to a user mailbox.

Configuring email management options in Intune and hybrid Intune and System Center 2012 R2 Configuration Manager deployments follows a similar process. The primary difference is that more advanced email management options are available in these types of deployments. For Intune standalone, configuring managed email access to allow access to mailboxes hosted on both Exchange Online and Exchange on-premises is supported, as well as the configuration of customized email profiles. These are enabled by configuring both configuration and compliance policies in the Intune service. Hybrid Intune and System Center 2012 R2 Configuration Manager deployments also support managed email access, but only for mailboxes hosted on Exchange Online.

In the scenario that you see in Figure 6, the user has enrolled their device into the Intune service and is now trying to access their corporate email using Office 365 or Exchange on-premises. Based on the settings defined by their company’s IT administrator and a policy verification process performed by Intune, the user’s access will be granted if the device is encrypted, a passcode is set, and the device isn’t jailbroken or rooted. If a user tries to access corporate email and their device is not enrolled, or is not compliant based on the settings defined by the IT admin, the user will receive an email explaining why their access has been blocked, with steps for how to resolve the issue.

Figure 6 – Managed email access
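As an added example (not code from the guide, Intune, or Office 365), the following Python models the Figure 6 decision together with the conflicting-policy situation from the Task 4c Tip: several compliance policies are merged with the most strict setting winning, as Table 9 states for the Exchange ActiveSync integration, and an enrolled device is granted mailbox access only if it is encrypted, has a passcode of the required length and is not rooted or jailbroken. The policy fields, device fields and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CompliancePolicy:
    """One compliance policy an admin defines (constructed model).
    None means the policy does not set that requirement."""
    name: str
    require_encryption: Optional[bool] = None
    min_passcode_length: Optional[int] = None
    block_rooted: Optional[bool] = None


def merge_policies(policies: List[CompliancePolicy]) -> CompliancePolicy:
    """Resolve conflicting policies the way Table 9 states for the
    Exchange ActiveSync integration: the most strict setting is enforced."""
    effective = CompliancePolicy(name="effective")
    for p in policies:
        if p.require_encryption:
            effective.require_encryption = True
        if p.min_passcode_length is not None:
            current = effective.min_passcode_length or 0
            effective.min_passcode_length = max(current, p.min_passcode_length)
        if p.block_rooted:
            effective.block_rooted = True
    return effective


@dataclass
class DeviceState:
    """What the MDM service knows about one device (constructed fields)."""
    device_id: str
    enrolled: bool
    encrypted: bool
    passcode_length: int  # 0 means no passcode is set
    rooted_or_jailbroken: bool


@dataclass
class AccessDecision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # remediation steps when blocked


def evaluate_email_access(device: DeviceState,
                          policies: List[CompliancePolicy]) -> AccessDecision:
    """The Figure 6 check: unenrolled devices are blocked outright; enrolled
    devices must satisfy the effective policy. A block carries the reasons
    the user would see in the blocked-access email."""
    if not device.enrolled:
        return AccessDecision(False, ["Device is not enrolled in the MDM service"])
    policy = merge_policies(policies)
    reasons: List[str] = []
    if policy.require_encryption and not device.encrypted:
        reasons.append("Device storage must be encrypted")
    if policy.min_passcode_length and device.passcode_length < policy.min_passcode_length:
        reasons.append(f"A passcode of at least {policy.min_passcode_length} "
                       "characters must be set")
    if policy.block_rooted and device.rooted_or_jailbroken:
        reasons.append("Rooted or jailbroken devices are not allowed")
    return AccessDecision(allowed=not reasons, reasons=reasons)


# Constructed sample: two policies that conflict on passcode length and
# encryption, and three devices in different states.
SAMPLE_POLICIES = [
    CompliancePolicy("all-users", require_encryption=False, min_passcode_length=4),
    CompliancePolicy("finance", require_encryption=True, min_passcode_length=6,
                     block_rooted=True),
]
SAMPLE_DEVICES = [
    DeviceState("phone-01", enrolled=True, encrypted=True, passcode_length=6,
                rooted_or_jailbroken=False),
    DeviceState("phone-02", enrolled=True, encrypted=False, passcode_length=4,
                rooted_or_jailbroken=True),
    DeviceState("phone-03", enrolled=False, encrypted=True, passcode_length=6,
                rooted_or_jailbroken=False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision = evaluate_email_access(dev, SAMPLE_POLICIES)
        print(dev.device_id, "ALLOW" if decision.allowed else "BLOCK", decision.reasons)
```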

Depending on how you answered the questions in Task 1, you should be able to determine how you want devices to be enrolled in the mobile device management solution. Table 9 below will help you understand the advantages and disadvantages of each monitoring scenario:

Table 9

Email management option: Intune (standalone)

Advantages:
- Supports email management for all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- Can leverage native mobile device email applications via integration with Exchange ActiveSync
- Integration with Exchange Online via the Service-to-Service connector to allow cross-platform monitoring and reporting between Intune and Office 365
- Supports configuration of email profiles for managing Exchange ActiveSync-based settings on mobile devices
- Managed email access

Disadvantages:
- Email profiles aren’t supported for Android-based mobile devices

Email management option: MDM for Office 365

Advantages:
- Allows Exchange ActiveSync support for password, encryption, rooted device compliance
- Support for managed (conditional) email access

Disadvantages:
- Advanced email management profiles aren’t supported for mobile devices

Email management option: Hybrid (Intune with System Center)

Advantages:
- Intune on-premises connector for hybrid connectivity with Exchange Online
- Integration with Exchange ActiveSync (most strict policy setting is enforced)
- Email profiles
- Conditional access to restrict email access to Exchange Online
- Set compliance policies to define the rules and settings the device must comply with in order to be allowed access to the services
- Conditional access policies for each service define rules for security groups, Intune groups, or how unenrolled devices are managed

Disadvantages:
- Managed access to email only available for mailboxes hosted on Exchange Online, not mailboxes hosted on Exchange on-premises
- The service-to-service connector should not be configured if you enable conditional access for both Exchange Online and Exchange on-premises

For more details about mobile device email configuration management options, make sure to review how to enable email profiles and managed email access in Microsoft Intune and compare these requirements and procedures to enabling email profiles and managed email access in System Center 2012 R2 Configuration Manager and MDM for Office 365.

Task 4f: Network connectivity management options

Managing how mobile devices connect to resources located on your on-premises network impacts several important areas of your solution design. Depending on your infrastructure, mobile devices may connect to corporate resources from a variety of Internet connectivity services, often secured by leveraging VPN-protected endpoints.

Managing Wi-Fi network access with Intune or a hybrid deployment with System Center 2012 R2 Configuration Manager enables the ability to deploy Wi-Fi profiles that can provision Wi-Fi networks, so the device can auto connect to the network when it is in range. For example, mobile devices can be configured to connect to a Wi-Fi network segmented to a conference room, but then automatically connect to a different Wi-Fi network segment when roaming to a different location. Users don’t have to enter passwords or choose a network - it just works. Intune and System Center 2012 can also deploy VPN profiles directly to mobile devices, enabling user access to internal corporate resources without any additional configuration or manual work. Additionally, Intune can also configure mobile devices to automatically start a VPN connection based on the type of resource or method of access. However, there are different configuration requirements for different types of mobile device operating systems.

Depending on how you answered the questions in Task 3, you should be able to determine how you want devices to be enrolled in the mobile device management solution. Currently, Mobile Device Management for Office 365 doesn’t support managing wireless and VPN network resources for mobile devices. Table 10 below will help you understand the advantages and disadvantages of managing the wireless and VPN networks for the Intune standalone and hybrid Intune with System Center deployment scenarios:

Table 10

Network management option: Intune (standalone)

Advantages:
- Supports wireless and VPN profiles on all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- Supports industry leading VPN connection types, including Cisco, Juniper, Dell SonicWall, Checkpoint, and others
- Wireless and VPN profiles can be integrated with SCEP certificate profiles for increased security
- Supports configuring customized wireless and VPN profiles for different types of users, devices, device operating systems, or user groups and roles
- DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS
- Application ID based initiation support for Windows 8.1

Disadvantages:
- To support VPN profiles, you’ll need to deploy and maintain an on-premises VPN infrastructure

Network management option: MDM for Office 365

Advantages: Not available

Disadvantages: Not available

Network management option: Hybrid (Intune with System Center)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o VPN profiles are supported by your existing on-premises enterprise VPN infrastructure

Disadvantages:
- To support VPN profiles, you’ll need to deploy and maintain an on-premises VPN infrastructure
- Specific security permissions must be granted to manage Wi-Fi profiles and VPN profiles in System Center 2012 R2 Configuration Manager

For more details about mobile device wireless and VPN configuration management options, make sure to review how to enable wireless and VPN profiles in Microsoft Intune and compare these requirements and procedures to enabling wireless and VPN profiles in System Center 2012 R2 Configuration Manager.

Task 4g: Certificate management options

Leveraging digital certificate management and certificate profiles is supported both by Intune standalone and hybrid Intune and System Center 2012 deployment scenarios. This allows you to deploy trusted root certificates to mobile devices, as well as Simple Certificate Enrollment Protocol (SCEP) based profiles that instruct mobile devices to get additional certificates from an NDES server in your organization. Since SCEP is natively supported by iOS, Windows 8.1 and Windows Phone 8.1, and is also supported through the Windows Intune Company Portal app for Android, using this enrollment protocol has the advantage of having the private key generated directly on the mobile device. The private key is never generated, cached, or stored by either System Center or by Intune - which helps to keep the mobile device secure.

Figure 7 shows how Intune and ConfigMgr use the NDES to provide secure certificate provisioning to mobile devices using SCEP:

Figure 7 – Secure certificate provisioning

1. A policy that includes the properties of the certificate for SCEP enrollment is created on the Intune service.

2. Intune converts the policy to a platform mobile device management protocol (like OMA-DM for Windows 8.1) and sends it to the device.

3. The mobile device receives the policy and initiates an enrollment request to NDES.

4. NDES forwards the request to System Center.

5. System Center compares the request attributes of the SCEP request for an authentication match and sends confirmation back to NDES.

6. NDES sends a certificate issuance request to the CA, and the CA sends the certificate to the NDES role.

7. The NDES role sends the certificate to the device.
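The seven steps above, as an added walk-through in Python that is not code from the guide, Intune or ConfigMgr: random bytes, SHA-256 and HMAC stand in for RSA keys, PKCS#10 requests and X.509 certificates so it runs offline, and an audit function confirms that the private key created in step 3 appears in nothing that NDES, System Center or the CA received. All device identifiers, subject names and keys are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ScepRequest:
    # Step 3 request as NDES sees it; note there is no private key field.
    device_id: str
    subject: str
    public_key: str  # hex digest standing in for an RSA public key


class ConfigMgr:
    """System Center: records the attributes each SCEP request must carry."""

    def __init__(self):
        self.expected = {}  # device_id -> subject the policy asked for

    def expect(self, device_id, subject):
        self.expected[device_id] = subject

    def verify(self, req):
        # Step 5: attributes must match the pending policy. The entry is
        # consumed, so a replayed request is not approved a second time.
        return self.expected.pop(req.device_id, None) == req.subject


class CertificationAuthority:
    """Toy CA: an HMAC over subject and public key stands in for a signature."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.issued = []

    def _sign(self, subject, public_key):
        body = f"{subject}|{public_key}".encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, subject, public_key):  # step 6
        cert = {"subject": subject, "public_key": public_key,
                "signature": self._sign(subject, public_key)}
        self.issued.append(cert)
        return cert

    def verify(self, cert):
        expected = self._sign(cert["subject"], cert["public_key"])
        return hmac.compare_digest(expected, cert["signature"])


class Ndes:
    """NDES role: forwards requests to ConfigMgr and certificates from the CA."""

    def __init__(self, configmgr, ca):
        self.configmgr, self.ca = configmgr, ca
        self.received = []  # everything NDES ever saw, for the audit below

    def enroll(self, req):
        self.received.append(req)
        if not self.configmgr.verify(req):  # steps 4-5
            return None
        return self.ca.issue(req.subject, req.public_key)  # steps 6-7


def create_scep_policy(configmgr, device_id):
    # Steps 1-2: the policy carries the certificate properties; Intune would
    # convert it to the platform MDM protocol (e.g. OMA-DM) before sending.
    subject = f"CN={device_id},OU=Mobile,O=Contoso"  # constructed template
    configmgr.expect(device_id, subject)
    return {"device_id": device_id, "subject": subject}


def device_enroll(device_id, policy, ndes):
    # Step 3: the key pair is generated on the device. Only the public half
    # goes into the request; the private key stays in this local variable.
    private_key = secrets.token_hex(32)
    public_key = hashlib.sha256(bytes.fromhex(private_key)).hexdigest()
    cert = ndes.enroll(ScepRequest(device_id, policy["subject"], public_key))
    return {"device_id": device_id, "private_key": private_key, "certificate": cert}


def private_key_left_device(device, ndes, ca):
    """Audit: does the device's private key occur in anything a server saw?"""
    seen = [repr(r) for r in ndes.received] + [repr(c) for c in ca.issued]
    return any(device["private_key"] in item for item in seen)


def provision(device_id, subject_override=None):
    """Run the flow for one device and return (device, ndes, ca).
    subject_override models a request whose attributes do not match."""
    configmgr, ca = ConfigMgr(), CertificationAuthority()
    ndes = Ndes(configmgr, ca)
    policy = create_scep_policy(configmgr, device_id)
    if subject_override is not None:
        policy = dict(policy, subject=subject_override)
    device = device_enroll(device_id, policy, ndes)
    return device, ndes, ca
```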

Depending on how you answered the questions in Task 3, you should be able to determine how you want certificates managed in the mobile device management solution. Currently, MDM for Office 365 doesn’t support managing certificate profiles for mobile devices. Table 11 below will help you understand the advantages and disadvantages of certificate profile management for Intune and the hybrid Intune with System Center deployment scenario:

Table 11 (columns: Certificate management options, Advantages, Disadvantages)

Intune (standalone)
Advantages:
• Supports certificate profiles on all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
• Platform supports the Simple Certificate Enrollment Protocol (SCEP)
• Certificate profiles can automatically configure mobile devices so that company resources can be accessed without having to install certificates manually or use a non-approved security process
• Certificates can be automatically revoked when the device is retired from management, selectively wiped, or blocked from the management hierarchy
Disadvantages:
• To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES

MDM for Office 365
Advantages: Not available
Disadvantages: Not available

Hybrid (Intune with System Center)
Advantages:
• All the advantages of Intune standalone, plus the following:
  o Also supports managing certificates for non-mobile devices
Disadvantages:
• To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES

For more details about mobile device certificate management options, make sure to review how to enable certificate profiles in Intune and compare these requirements and procedures to enabling certificate profiles in System Center 2012.

Step 3 - Plan for secure mobile devices

Enabling on-premises and remote users to access company resources on their mobile devices will increase productivity; however, it will also increase threats that must be mitigated in order to keep company data secure and maintain users' privacy. While these are core requirements to secure mobile devices, you also need to consider your organization's individual requirements for securing corporate data and maintaining user privacy. Your company might have different requirements in this regard; different compliance rules, which vary according to the industry in which your company operates, may lead to different design decisions. However, there are some general security aspects of mobile device management that should be explored and validated, regardless of the industry, as shown in Figure 8:

Figure 8 – Security capabilities in an MDM solution

The foundation of this diagram shows the core security capabilities that are required for any MDM solution. The key areas that these capabilities will be handling are explained below:

1. Data protection at the mobile device level:
   • Data encryption
   • Data classification
   • Client privacy
   • Containerization
   • Policy enforcement
   • Hardening
2. Data protection while in transit:
   • Data encryption
   • Authentication
   • Authorization
3. Data protection while at rest in your on-premises organization:
   • Data encryption
   • Authentication
   • Authorization
4. Data protection while at rest in the cloud:
   • Data encryption
   • Authentication
   • Authorization

The tasks that follow will explain how this will influence your decisions when choosing the best MDM solution for your business requirements.

Task 1: Gather your data protection requirements

In order to define the data protection requirements, you must first understand some essential characteristics of your organization. It is important to understand whether your company has to be compliant with specific regulations, and also to understand your current policy regarding data protection. By knowing these core elements, you'll have the foundational requirements and basis on which to ask more granular questions. This will lead to better design decisions for your MDM solution. When defining these requirements, consider the following:

• Data encryption at rest: As shown in Figure 8, company data will be stored on the user's mobile device. It is important to ask the following questions to help you choose the best MDM option available:
  o Does the MDM solution support encrypting the entire mobile device disk?
    ▪ If yes, for which operating systems?
  o Does the MDM solution support app data encryption?
    ▪ If yes, for which operating systems?
    ▪ If yes, for which apps?
• Data encryption in transit: Regardless of who owns the data, at some point during the data communication process the data will be in transit between the mobile device and a company server (or web service). You must understand what capabilities the MDM solution has in order to protect data in transit. Ask the following questions to help you choose the best MDM option:
  o Does the MDM solution support data encryption in transit?
    ▪ If yes, for which operating systems?
    ▪ If yes, which capabilities are available?
  o What options does the MDM solution have to protect data while in transit?
• Data segregation: It's also very important to understand whether your company's data should be treated differently from the user's data. Segregation, separation, or isolation are some terms that can be used to describe this capability. When designing your MDM solution, consider:
  o Does the MDM solution support data separation?
    ▪ If yes, is it possible to erase your company's data while preserving the mobile device user's data?
  o Does the MDM data separation capability ensure that only trusted apps can access data located on the mobile device?
  o Does the MDM solution support containerization?
    ▪ If so, is it possible to encrypt data located in a particular container?
• Hardening mobile devices: Since there might be different mobile device platforms used in your organization, you should understand what capabilities are available in each mobile device platform. Each mobile device platform may control and harden devices via different methods and at different levels of granularity. Some mobile devices may have a more granular set of configuration options than others. In this case, you must have a strategy to use a common set of options to harden the devices and use custom policies to enhance the security for each mobile device platform that your organization will support. Use the list below as a reference for common options that should be supported by the MDM solution to harden mobile devices:
  o Requiring a password to unlock mobile devices
  o Requiring a password type – minimum number of characters and character types
  o Minimum password length
  o Number of repeated sign-in failures to allow before the mobile device is wiped
  o Minutes of inactivity before the device screen turns off
  o Remembering password history – preventing the reuse of previous passwords
  o Password expiration (days)
  o Requiring encryption on the mobile device
  o Requiring encryption on storage cards
  o Allowing idle return without a password

Note
In Windows Phone 8.1 the policy Allow idle return without password can be configured using the Windows Phone 8.1 Enterprise Device Management Protocol.

Task 2: Specify your privacy requirements

While Task 1 was more focused on data protection and how to enhance the overall security of mobile devices to keep company data secure, the second task of this step focuses on understanding your organizational requirements for privacy. In the previous step, you already defined the device management tasks, which covered device management and content distribution management. In this task, the goal is to define the privacy requirements for the company content that will reside on the mobile device.

Note
Read the solution Streamlined management for mobile devices and computers in a hybrid environment for more information about content distribution for mobile devices.

Your organization's privacy requirements will vary according to your industry, applicable regulations, and type of business. Your MDM solution should allow you to perform basic hardware inventories, software inventories, file collections, and software distribution on mobile devices. The privacy concerns that apply to your client computers for inventory and software distribution also apply to mobile devices. Depending on what MDM solution you choose, it's possible to configure what software inventory you want to collect and whether you want to collect files. Hardware inventory and software distribution are usually supported by default.

Before choosing a mobile device management solution, consider your unique privacy requirements. When defining these requirements, consider:

• Client Privacy: Empowering your users to use their mobile devices to connect to and use company resources also means that they will have to understand your organization's privacy policy and how it will affect their privacy:
  o Are you required to provide users information regarding the privacy policy of your company (and what they should expect from it)?
    ▪ If yes, does the MDM solution have this capability built in?
  o Does the MDM solution store mobile device information or data in the cloud?
    ▪ If yes, how is privacy kept in the cloud?
    ▪ Who has access to the data?
    ▪ How is the privacy of data assured?
• Data Classification: Understand what constitutes company data, and how to protect it. Having policies and mechanisms in place to classify data is also part of the plan to ensure privacy on mobile devices:
  o Is it possible to identify or classify company documents or data that will reside on the mobile device?
    ▪ If yes, what type of data or document rights or permissions are supported?
  o Will the classification travel with the data or document, regardless of the mobile device that the user is using?
  o What type of data or documents can be classified?

Tip
Read the Microsoft Online Services Privacy Statement to better understand how Microsoft Cloud services, including Intune, will maintain users' privacy.

Task 3: Specify your access requirements

There is no use for a mobile device that can't run apps and access the company data that users need in order to perform their work. For this reason, it's critical to understand how the data will travel from the source location (on-premises or cloud) to the mobile device. If you refer back to Figure 8, you will see the potential paths that the data will traverse and the considerations that should be in place for each path. You need to review your company policies to ensure that the requirements for authentication, authorization, and access control are aligned with your business requirements. Many companies that have security policies in place don't consider how mobile devices can increase the likelihood of corporate data leakage. Answer the following questions when determining your access requirements:

• Authentication and authorization: As part of the strategy to allow your users to access company data from mobile devices, it's necessary to identify which users are eligible for this type of access. Some companies will initially allow data access for just a portion of their users, and will grant access to their remaining users on demand. This means that it is necessary for your solution to authenticate (identify that the user is who they claim to be) and authorize (evaluate whether the user should have access to the data that they are requesting) according to your company's policy. When designing your solution, consider the following:
  o Does your organization have a current directory service that is used for authentication and authorization?
    ▪ If yes, does the MDM solution integrate with your directory service to authenticate and authorize access to resources?
  o Does your organization need to have centralized authentication, or can it be hybrid?
  o Does your organization plan to have multi-factor authentication for mobile users?
  o Does your organization use an on-premises Public Key Infrastructure (PKI) to issue certificates?
    ▪ If yes, does the MDM solution have the capability to perform authentication using digital certificates?
    ▪ If yes, does the MDM solution have the capability to integrate with an existing on-premises PKI?
  o Does your organization need to use the current directory services to authenticate users accessing third party apps?
    ▪ If yes, does the MDM solution allow users to use single sign-on (SSO) to authenticate against third party apps?
• Access Control: Once the user is authenticated and authorized, it's necessary to validate the level of access that the user will have for the requested resource. This requested resource can be data or an app. When designing your solution, consider the following:
  o Does your company need to have different levels of control for you to manage the mobile devices and the MDM solution?
    ▪ If yes, does the MDM solution support Role Based Access Control (RBAC)?
  o Does your company need to have different levels of access according to the user's location?
    ▪ If yes, does the MDM solution allow you to create access control restrictions according to the user's location?
  o Does your company need to control access to apps?
    ▪ If yes, does the MDM solution allow you to control access to apps installed on the mobile device?
  o Does your company need to control access according to a set of conditions?
    ▪ If yes, does the MDM solution allow you to have conditional access control?

Tip
Read Secure access to company resources from any location on any device to better understand how to leverage built-in Windows Server 2012 R2 capabilities in conjunction with System Center to provide access to your company resources.

Task 4: Develop your incident response requirements

While many organizations already have an incident response (IR) plan in place, it's important to understand whether the current plan includes mobile devices and what needs to be done in case an incident is reported on those devices. If your company is just now embracing a mobility solution, most likely the current IR plan doesn't cover aspects unique to mobile devices.

If your organization doesn't have a plan, it is important to work very closely with your security team to understand the requirements in order to properly ask the right questions and choose the best MDM solution for your needs.

Tip
Read Responding to IT Security Incidents to better understand the minimum requirements for an IR plan.

When designing your MDM solution, make sure you ask the following questions regarding this capability:

• Does your organization have an existing Incident Response Plan in place?
  o If yes, does it include processes and procedures for handling compromised mobile devices?
• Does the incident response policy cover scenarios where an end user reports that they've lost their mobile device?
  o Is it permissible to erase the entire device to avoid data leakage?
    ▪ If it is, does your company have a backup policy in place for data that resides on mobile devices?
• Does your organization have different procedures for company-owned devices and personally-owned devices in case they are lost?
  o If yes, what are those procedures?
  o Will those procedures affect the selection of the MDM solution?
• If a user loses their personally-owned mobile device but doesn't authorize your company to erase the entire device, does the MDM solution allow selective device wipes?
• When a mobile device is compromised and you need to prevent that device from spreading malicious apps to the corporate network, does the MDM solution allow you to enforce policies that can rapidly contain the compromised device?
• Does the MDM solution allow you to plan for potential attacks in order to take proactive actions to address any problems?

Task 5: Plan your mobile device security strategy

In this task you will define the mobile device management security strategy to meet the business requirements that you defined in Tasks 1-4.

Task 5a: Data encryption

After answering all questions in Task 1 regarding the requirements for data encryption at rest and in transit, you now need to evaluate the options that are available to address each one of those requirements. Even when the data is at rest, it can be encrypted in different ways, as shown in Figure 9:

Figure 9 – Different levels of encryption

You can have full disk encryption or encryption based on the data handled by an app. System Center 2012 R2 Configuration Manager allows you to enforce policies that will perform file encryption on mobile devices. Although some mobile devices, like Windows Phone 8 devices, are automatically encrypted, others only encrypt data if some other option is enabled. For iOS devices, the encryption takes place automatically only after you configure the setting to require the use of a password on the devices.

Note
For more information about the mobile devices that can have encryption enabled using System Center 2012 R2 Configuration Manager, read Compliance Settings for Mobile Devices in Configuration Manager.

For apps that are associated with a Microsoft Intune mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the mobile application management policy. Managed apps on Android use AES-128 encryption in Cipher Block Chaining (CBC) mode utilizing the platform cryptography libraries. The encryption method is not FIPS 140-2 certified.

Intune also has an option to encrypt app data. This option allows you to specify that all data associated with a particular app will be encrypted, including data stored on external media, such as SD cards. The same capability is also available with MDM for Office 365.

Most MDM solutions use SSL to protect data in transit, so you'll just need to decide whether you will be using an existing PKI to issue certificates or a third-party vendor certificate authority (CA). The advantage of using a third party CA is that users using their own device to access company resources will automatically trust a well-recognized public CA.

Use Table 12 as a reference to assist you in choosing the MDM option that best fits your organization's security requirements.

Table 12 (columns: MDM option, Advantages, Disadvantages)

Intune (standalone)
Advantages:
• Encrypt data associated with apps controlled by Intune management policy
Disadvantages:
• Does not include native encryption for mobile device storage
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use

MDM for Office 365
Advantages:
• Encrypt data based on the mobile device platform capability
Disadvantages:
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use

Hybrid (Intune with System Center)
Advantages:
• Encrypt data associated with apps controlled by Intune management policy
• Encrypt mobile device storage
• Provides more granular control of what can be encrypted on the mobile device, including selection of the encryption algorithm
• Centralized management for mobile device configuration settings for cloud-based and on-premises devices
Disadvantages:
• If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration

Note
For more information about how to combine Intune and System Center 2012 R2 Configuration Manager capabilities to increase data protection and configure encryption, read Managing Encryption on Mobile Devices with Configuration Manager and Intune.

Task 5b: Data segregation

Data segregation is important, not only for your organization, but also to keep your users' personal information private. Data segregation plays an important role in scenarios where your organization needs to remove all company apps and data from a device that belongs to the user, without affecting the user's personal data, as shown in Figure 10:

Figure 10 – User's personal data is isolated from company's data

Figure 10 shows that all apps, company data, and policies that were deployed by the MDM solution can be removed from the device if necessary. Selective wipe for mobile device data management was introduced in Windows Server 2012 R2 and Windows 8.1. Its documentation links to resources that help Exchange Server and Microsoft Intune administrators manage enterprise data on devices and develop apps that leverage the Windows Selective Wipe capabilities. Windows Phone 8 and Windows Phone 8.1 are capable of separating data in the internal storage, as shown in Figure 11:

Figure 11 – Core architecture of Windows Phone 8.x

Tip
Read more about Windows Phone 8.1 security capabilities by downloading the Windows Phone 8.1 Security Overview.

As you can see, mobile device platforms play an important role in how the data is kept secure while at rest. You need to ensure that the MDM solution is able to leverage vendor-specific capabilities that will ensure that data is separated. Use Table 13 as a reference to assist you in choosing the MDM solution that best fits your organization's data segregation requirements.

Table 13 (columns: MDM option, Advantages, Disadvantages)

Intune (standalone)
Advantages:
• Allows you to perform selective wipes to remove only company data located on mobile devices
• Allows you to perform factory resets and fully wipe mobile devices
Disadvantages:
• Does not include native encryption for mobile device storage
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use

Office 365 with MDM
Advantages:
• Allows you to perform selective wipes to remove only company data from mobile devices
Disadvantages:
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use

Hybrid (Intune with System Center)
Advantages:
• Allows you to perform selective wipes to remove only company data from mobile devices
• Allows you to perform factory resets and fully wipe mobile devices
• Single management console to manage cloud based and on-premises mobile devices
Disadvantages:
• If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration

Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune to understand how data is removed and retained after a selective wipe for each mobile device platform. If you have a hybrid environment, consult the article How to remote wipe mobile devices using Configuration Manager to understand how System Center 2012 R2 Configuration Manager can be used to accomplish this task.

Task 5c: Hardening mobile devices

When creating a configuration baseline for mobile devices to harden their capabilities according to your business needs, make sure that you are balancing usability with security. Sometimes a very strict hardening template can cause usability and access problems, which defeats the purpose of enabling users to access company resources with their devices. Also, it is important to remember that not all security policies are available for all mobile device platforms. This means that your design choices when selecting which mobile device platforms will be used by your organization might have to change according to your security compliance requirements for hardening devices.

One way to approach mobile device hardening is by having different layers of security. The settings that are available for each one of those layers can also vary according to your MDM solution. Figure 12 shows how this layered approach can assist you:

Figure 12 – Different areas of mobile device hardening

Each one of these layers can be used to identify areas that must be compliant with your business security requirements. Microsoft Intune configuration policies can assist you in managing mobile devices in your organization by allowing you to deploy security policies for devices that can be used to harden system settings and enable encryption. They will also ensure that only compliant apps are available for mobile devices by creating an access white list.

Another area that you must be able to control is the mobile browsing experience for your users. A managed browser policy configures an allow or block list that restricts the web sites that users of the managed browser can visit. Read Manage Internet access using managed browser policies with Microsoft Intune for more information on how to configure these policies.

In a hybrid environment with ConfigMgr on-premises, you can create a configuration baseline. Customize this baseline to include all required settings and deploy it to your mobile devices. Compliance settings options will vary according to the vendor, so read Compliance Settings for Mobile Devices in Configuration Manager for more information about the options available for each mobile device platform.

MDM for Office 365 also has a set of capabilities to assist you in hardening mobile devices for the following categories:
• Security
• Encryption
• Jailbroken
• Managed email profile

Read the article Capabilities of built-in Mobile Device Management for Office 365 for more information on how to configure these settings.

Hardening the mobile device platform plays an important role in keeping your company data protected while allowing users to use their mobile device without compromising security. You need to ensure that your MDM solution is able to leverage the vendor-specific capabilities that will ensure that hardening is customized per platform and that common settings among major vendors can be configured. Use Table 14 as a reference to assist you in choosing the MDM option that best fits your organization's device hardening requirements.

Table 14 (columns: MDM option, Advantages, Disadvantages)

Intune (standalone)
Advantages:
• Allows you to enforce policies for enrolled devices:
  o Encryption
  o Malware
  o Apps
  o E-Mails
  o System
  o Security
• Supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone)
Disadvantages:
• Lacks integration with current on-premises MDM platform; will introduce an additional management interface for you to use when managing mobile devices
• Some policies may not be available for some mobile platforms

MDM for Office 365
Advantages:
• Allows you to enforce policies for enrolled devices:
  o Encryption
  o Apps
  o Email Profile
  o Jailbroken
  o Security
• Supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone)
Disadvantages:
• Lacks integration with current on-premises MDM platform; will introduce an additional management interface for you to use when managing mobile devices
• Some policies may not be available for some mobile platforms
• Doesn't have the same granularity as Intune

Hybrid (Intune with System Center)
Advantages:
• Allows you to enforce policies for enrolled devices:
  o Encryption
  o Malware
  o Apps
  o E-Mails
  o System
  o Security
  o Jailbroken
• Supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone)
• Single management console for mobile devices registered from the cloud and on-premises devices
Disadvantages:
• If your company doesn't have a current on-premises System Center infrastructure, it will require resources to plan, install and configure System Center prior to integration

Tip
Read more about mobile device management settings that you can configure in a Microsoft Intune mobile device security policy at Mobile device management policy settings for Microsoft Intune.
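The common hardening options listed in Step 3, Task 1, together with the caveat in Task 5c that not every policy is available on every platform, as an added example that is not from this guide and is not Intune, Configuration Manager or MDM for Office 365 code: a Go routine that evaluates one device's reported settings against a common baseline plus a per-platform capability map. The setting names, the CommonBaseline values, the capability map and the device report used with it are all constructed for the example, not real vendor data. It shows the handling the text argues for: a setting the platform cannot enforce is reported as not-applicable rather than failing the device, so the per-platform gap stays visible for a custom policy, while a supported setting the device fails to report fails closed.

```go
package main

import "sort"

// Setting names follow the common hardening options listed in Step 3, Task 1.
// Values are ints; booleans are encoded as 1 (true) and 0 (false).
type Setting string

const (
	PasswordRequired         Setting = "password_required"
	MinPasswordLength        Setting = "min_password_length"
	FailedAttemptsBeforeWipe Setting = "failed_attempts_before_wipe"
	InactivityMinutes        Setting = "inactivity_minutes_before_screen_off"
	PasswordHistory          Setting = "password_history_count"
	PasswordExpirationDays   Setting = "password_expiration_days"
	DeviceEncryption         Setting = "device_encryption_required"
	StorageCardEncryption    Setting = "storage_card_encryption_required"
	IdleReturnNoPassword     Setting = "allow_idle_return_without_password"
)

// compare says how a reported value is judged against the baseline value:
// "eq" must match exactly, "min" must be at least the baseline, "max" at most.
var compare = map[Setting]string{
	PasswordRequired: "eq", MinPasswordLength: "min", FailedAttemptsBeforeWipe: "max",
	InactivityMinutes: "max", PasswordHistory: "min", PasswordExpirationDays: "max",
	DeviceEncryption: "eq", StorageCardEncryption: "eq", IdleReturnNoPassword: "eq",
}

// CommonBaseline is a constructed example baseline, not a recommendation from the guide.
var CommonBaseline = map[Setting]int{
	PasswordRequired: 1, MinPasswordLength: 6, FailedAttemptsBeforeWipe: 10,
	InactivityMinutes: 5, PasswordHistory: 5, PasswordExpirationDays: 90,
	DeviceEncryption: 1, StorageCardEncryption: 1, IdleReturnNoPassword: 0,
}

// Finding is the result for one setting on one device.
type Finding struct {
	Setting          Setting
	Status           string // compliant, non-compliant, not-applicable or not-reported
	Expected, Actual int
}

// Evaluate checks one device's reported settings against the common baseline.
// supported lists the settings the device's platform can enforce (constructed for
// the example, not a real vendor capability matrix). An unsupported setting is
// reported as not-applicable instead of failing the device, so the per-platform
// gap stays visible; a supported setting the device did not report fails closed.
// The bool is true only when nothing is non-compliant or not-reported.
func Evaluate(baseline, reported map[Setting]int, supported map[Setting]bool) (bool, []Finding) {
	pass := true
	findings := make([]Finding, 0, len(baseline))
	for s, want := range baseline {
		got, ok := reported[s]
		f := Finding{Setting: s, Status: "compliant", Expected: want, Actual: got}
		switch {
		case !supported[s]:
			f.Status = "not-applicable"
		case !ok:
			f.Status, pass = "not-reported", false
		case compare[s] == "eq" && got != want,
			compare[s] == "min" && got < want,
			compare[s] == "max" && got > want:
			f.Status, pass = "non-compliant", false
		}
		findings = append(findings, f)
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Setting < findings[j].Setting })
	return pass, findings
}

// Failures filters a result down to the settings that need remediation.
func Failures(findings []Finding) []Setting {
	var out []Setting
	for _, f := range findings {
		if f.Status == "non-compliant" || f.Status == "not-reported" {
			out = append(out, f.Setting)
		}
	}
	return out
}
```

The capability map is the place where the platform-specific knowledge lives; the baseline itself stays common to all platforms, which is the split the text recommends between a shared set of hardening options and per-platform custom policies.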

Task 5d: Client privacy

If your organization is going to embrace mobile device management, you must be aware of the boundaries between end-user and organization privacy. Ideally, your organization will have a clear privacy policy stating what's expected from the end-user regarding data privacy. Since mobile devices might store company data and these devices will be traveling around with the user, it's extremely important that these boundaries are well-defined and that your users know upfront what their role is in keeping that privacy in place.

Transparency is a very important part of the plan to ensure that users are aware of what to expect when they enroll their devices in your organization's MDM solution. Using the Microsoft Intune Company Portal, you can customize your company's privacy statement by providing a URL that has the description of what will be collected from users while managing their devices. You can also publish terms and conditions that your users will see when they first use the company portal from their devices, whether or not that device is already enrolled in the MDM solution. Users will have to accept those terms to access the company portal. When you update the terms and conditions and want users to see and accept the new terms, you can mark the new terms and conditions as a new version, and users will go through the same acceptance process the next time they visit the company portal.

The same capability is also available when you have a hybrid environment with System Center 2012 R2 Configuration Manager connected with Intune. In addition, ConfigMgr can also use compliance settings to evaluate whether client devices are compliant with configuration items that you deployed using configuration baselines. Some settings can be automatically remediated if they are out of compliance. Compliance information is sent to the site server by the management point and stored in the site database. This information is encrypted when devices send it to the management point, but it's not stored in an encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You also have the capability to configure the deletion interval. This compliance information is not sent to Microsoft.

Since Intune and Office 365 are cloud-based services, users might also want to be aware of how

Microsoft deals with user privacy for these services. You can obtain more information about

privacy on these services by visiting the following sites:

Office 365 Trust Center

Microsoft Intune Trust Center

Privacy is very important for both end-users and your organization. You need to ensure that the

MDM solution is able to manage privacy and informs your end-users about your organization’s

privacy policy and expectations. Use Table 15 as a reference to assist you choosing the MDM

option that best fits your organization’s privacy requirements.

Table 15

Intune (standalone)
  Advantages:
    Uses the Intune Company Portal to publish your organization’s privacy statement
  Disadvantages:
    It doesn’t have a template for a privacy policy. There is an assumption that your organization has a privacy policy in place and the Company Portal is only going to advertise this policy, which is stored in another location

Office 365 with MDM
  Advantages: Not available
  Disadvantages: Not available

Hybrid (Intune with System Center)
  Advantages:
    Uses the Intune Company Portal to publish your organization’s privacy statement
    Single management console for mobile devices registered from the cloud and on-premises devices
  Disadvantages:
    If the organization does not have a current on-premises System Center infrastructure, it will require you to plan, install and configure this platform prior to the integration

Task 5e: Data classification

Most companies already have a data classification policy in place, and you’ll need to understand how deploying a mobile device management solution will affect this policy. Some organizations perform on-premises data classification at the file server level using Active Directory Rights Management Services (ADRMS). Another tool is the Microsoft Data Classification Toolkit, which helps organizations to identify, classify, and protect data on their file servers. If your company does not have a current data classification policy, you should introduce this capability in conjunction with planning your mobile device management solution.

Office 365 uses transport rules to detect sensitive information incorporated into mail flow processing. The DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as validating the checksum on credit card numbers, and other content examination to detect specific content types within the message body or attachments.

Microsoft Intune and System Center 2012 R2 Configuration Manager don’t have data classification built in, so they rely on cloud-based classification using Azure RMS or on-premises classification using ADRMS. Another option is to use the Enterprise Mobility Suite (EMS) as your MDM solution. With EMS, you’ll have access to Azure AD Premium and Azure RMS, which can be used to classify data. Data classification using Azure RMS can be integrated with an on-premises management solution in a hybrid environment.


Use Table 16 as a reference to assist you in choosing the MDM option that best fits your organization’s data classification requirements.

Table 16

Intune (standalone)
  Advantages: Not available
  Disadvantages: Not available

MDM for Office 365
  Advantages:
    Exchange transport rules can be used to detect sensitive information
  Disadvantages:
    Data classification is not carried with the file itself. Once the file is located on the mobile device, it can be used without restrictions

Hybrid (Intune with System Center)
  Advantages: Not available
  Disadvantages: Not available

Enterprise Mobility Suite
  Advantages:
    Leverages Azure RMS to perform data classification
    Azure RMS subscription is included with EMS
    Doesn’t require an on-premises infrastructure for data classification
    Can be integrated with an existing on-premises AD RMS solution
    Protection is located in the file itself, which means that the file will keep its classification even if it was saved in a different location
  Disadvantages:
    Not available for customers that are not adopting a cloud-based solution

Task 5f: Authentication and Authorization

The first line of defense for protecting your company data is to properly identify your users. Once your users are identified, it’s then necessary to verify that they are authorized to access what they are requesting. Organizations that already have on-premises Active Directory services should leverage this repository to authenticate and authorize mobile users. All Microsoft mobile device management solutions are capable of leveraging an existing Active Directory infrastructure for this purpose.

Another decision point regarding authentication and authorization is where the directory services will be located. While the vast majority of organizations will have on-premises Active Directory services, some organizations might be considering extending their on-premises directory services with a cloud-based directory service such as Azure AD. For a hybrid scenario, integrating both directories is a good alternative that lets you leverage Azure AD capabilities such as:

Self-service group management: Allows users to create groups, request access to other groups, delegate group ownership so others can approve requests, and maintain their group memberships.

Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium service.

Password reset with write-back: Self-service password reset can be written back to on-premises directories.

Read more about the different options and capabilities at Azure Active Directory.

Having two factors of authentication can also be an important strategy for your organization when planning a mobile device management solution. Microsoft Intune can integrate directory services with multi-factor authentication (MFA), which adds another layer of security to the authentication process. If your organization has on-premises IT infrastructure that includes an Active Directory domain with Active Directory Federation Services (AD FS), you can configure MFA on your federation server and then enable MFA for enrollment in Intune. If you configure MFA on your federation server, but you don’t enable MFA for enrollment in Intune, users will need to use MFA each time that they access corporate resources. You can also use Azure AD MFA to require MFA each time that users access your corporate resources, and this requirement can be enabled on a per-user basis. Azure AD MFA is a cloud service that doesn’t require any on-premises IT infrastructure.

Use Table 17 as a reference to assist you in choosing the MDM option that best fits your organization’s authentication and authorization requirements.

Table 17

Intune (standalone)
  Advantages:
    Can use on-premises directory services, such as Active Directory, for authentication
    Can use cloud-based directory services, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

MDM for Office 365
  Advantages:
    Can use an on-premises directory, such as Active Directory, for authentication
    Can use a cloud-based directory, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Office 365 subscription

Hybrid (Intune with System Center)
  Advantages:
    Can use an on-premises directory, such as Active Directory, for authentication
    Can use a cloud-based directory, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility Suite
  Advantages:
    Leverages Azure AD Premium to provide access control
    Azure AD Premium license is already included with EMS
    Does not require on-premises directory services
    Can synchronize with on-premises Active Directory services
    MFA is natively available with EMS
  Disadvantages:
    Not available for customers that are not adopting a cloud-based solution

Task 5g: Access control

Organizations that already use Active Directory to authenticate and authorize users are going to be using discretionary access control by default. If they use groups to segment and control access to resources, this is just another aspect of how they manage access control. As shown in Figure 13, after authenticating and authorizing access for the user (Bob), it’s necessary to validate what type of control Bob has on the target resource, in this case a folder:

Figure 13 – Basic authentication and authorization flow

The traditional Access Control List (ACL) is very limited and doesn’t take into consideration other aspects of the user’s state, such as where he is located when trying to access this resource. If your organization needs to evaluate more variables before granting access to a resource, you can use Dynamic Access Control, which is natively available in Windows Server 2012. With many companies trying to operate like a cloud provider by using technologies that allow them to have a private cloud, another option is to use Role Based Access Control (RBAC). Azure AD allows IT to use RBAC to control access to resources, and since Azure AD can be integrated with your on-premises Active Directory, you can leverage this capability to consolidate how users will access resources.
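To make the difference between the three models concrete, here is an added example, written for this discussion and not code from Windows Server, Azure AD or Intune, that evaluates one access request three ways: against a traditional ACL, against the same ACL plus claim conditions in the spirit of Dynamic Access Control, and against a role assignment in the RBAC style. The share path, group names, roles, claims and condition rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data (not from the guide): a file share, the ACL on it,
# and role assignments in the style of an RBAC directory.
FINANCE_SHARE = r"\\fs01\finance"

# Traditional ACL: resource -> {group: permitted actions}
ACL = {
    FINANCE_SHARE: {"Finance": {"read", "write"}, "Auditors": {"read"}},
}

# RBAC: role -> permissions, user -> assigned roles
ROLE_PERMISSIONS = {"FinanceAnalyst": {"read"}, "FinanceManager": {"read", "write"}}
USER_ROLES = {"bob": {"FinanceAnalyst"}, "alice": {"FinanceManager"}}


@dataclass
class AccessRequest:
    user: str
    groups: set[str]
    action: str   # "read" or "write"
    claims: dict  # user/device state at request time: location, device_compliant, ...


def acl_allows(resource: str, req: AccessRequest) -> bool:
    """Plain ACL: permitted if any of the user's groups carries the action."""
    entries = ACL.get(resource, {})
    return any(req.action in entries.get(group, set()) for group in req.groups)


# Claim conditions layered on top of the ACL, in the spirit of Dynamic Access
# Control. Missing claims fail closed: an unknown device state is not compliant.
CONDITIONS: list[tuple[str, Callable[[AccessRequest], bool]]] = [
    ("device must be MDM-compliant",
     lambda r: r.claims.get("device_compliant") is True),
    ("write requires the corporate network",
     lambda r: r.action != "write" or r.claims.get("location") == "corpnet"),
]


def conditional_allows(resource: str, req: AccessRequest) -> tuple[bool, list[str]]:
    """ACL decision plus every claim condition; returns (allowed, failed conditions)."""
    if not acl_allows(resource, req):
        return False, ["not permitted by ACL"]
    failed = [desc for desc, pred in CONDITIONS if not pred(req)]
    return not failed, failed


def rbac_allows(req: AccessRequest) -> bool:
    """RBAC: permissions come from the roles assigned to the user, not from the resource."""
    permissions: set[str] = set()
    for role in USER_ROLES.get(req.user, set()):
        permissions |= ROLE_PERMISSIONS.get(role, set())
    return req.action in permissions


if __name__ == "__main__":
    # Bob is in the Finance group but is writing from outside the corporate network.
    bob = AccessRequest("bob", {"Finance"}, "write",
                        {"location": "remote", "device_compliant": True})
    print("ACL:", acl_allows(FINANCE_SHARE, bob))                   # True
    print("Conditional:", conditional_allows(FINANCE_SHARE, bob))   # (False, [...])
    print("RBAC:", rbac_allows(bob))                                # False
```

The same request is allowed by the ACL, denied by the conditional evaluation because of where the user is, and denied by RBAC because the analyst role carries no write permission. The fail-closed handling of a missing `device_compliant` claim is the detail to keep when wiring device state from an MDM solution into access decisions: a device that has not reported is treated as non-compliant, not as unknown.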

A resource can also be an app, which means that your MDM solution must be able to control how apps are installed and accessed. Mobile application management policies in Microsoft Intune let you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies.

Use Table 18 as a reference to assist you in choosing the MDM option that best fits your organization’s access control requirements.

Table 18

Intune (standalone)
  Advantages:
    Access control (installation and management) for apps
  Disadvantages:
    Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM for Office 365
  Advantages:
    Access control to email, Office Mobile and OneDrive for Business
  Disadvantages:
    Only allows a small subset of access control to resources
    Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
    Some policies may not be available for some mobile platforms

Hybrid (Intune with System Center)
  Advantages:
    Access control (installation and management) for apps
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility Suite
  Advantages:
    Access control (installation and management) for apps
    Leverages Azure AD Premium to provide RBAC-based access control
  Disadvantages:
    If the organization does not have a current on-premises System Center infrastructure, it will require you to plan, install and configure this platform prior to the integration

Task 5h: Incident responses

A good mobile device management solution must be able to allow you to rapidly respond to an incident by taking an action that will mitigate the threat. The management system is the tool that allows the procedures that were established in the incident response plan to be executed.

Privacy is always important, in particular in a BYOD scenario. When the user owns the mobile device, it’s necessary to keep the balance between keeping your company data secure and preserving the user’s privacy. There are many levels of response in a scenario where a user has lost their device, as shown in Figure 14. It will be the company security policy that will dictate what ultimately needs to be done, knowing that in some circumstances it might be necessary to completely wipe the target device.

Figure 14 – Incident response process for a compromised device

Microsoft Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. If a mobile device is lost or stolen, you can issue a remote device wipe command from the Microsoft Intune administrator console. Microsoft Intune also allows your users to issue remote device wipe commands from the Microsoft Intune company portal on their own. In a scenario with System Center 2012 R2 Configuration Manager only, you have the option to do a selective wipe that only removes company content; in a hybrid scenario you can use both options, since it will leverage Intune. MDM for Office 365 allows you to perform a selective wipe to remove only organizational data or a full wipe to delete all information from a device and restore it to its factory settings.

Policies can also be used to take actions to mitigate a threat. Using System Center 2012 R2, you can create compliance policies that create restrictions for the device that was compromised. For example, if the mobile device that was compromised is an iOS 7 or iOS 8 device, you can use the security settings extension to require a fingerprint for unlocking the device. In this particular case, this same capability is also available with Intune. As you design your MDM solution to comply with your incident response plan, ensure that all supported mobile device platforms are covered, since not all of them will have the same set of options.
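As an added example serving both the compliance-settings discussion under Task 5d (configuration baselines with automatic remediation) and the policy-driven mitigation described here, the following is written for this discussion and is not code from Configuration Manager or Intune. It evaluates a constructed device inventory against a constructed configuration baseline, separates findings that can be remediated automatically from those that call for an incident response action, and reports the settings a given platform cannot enforce, which is the coverage gap the last sentence above warns about. The setting names, per-platform support sets, device records and the lock/wipe policy are assumptions for illustration; which settings each real platform supports must come from the product documentation.

```python
# Constructed configuration baseline (not a real ConfigMgr or Intune baseline).
# Each rule names the required value, whether the setting can be re-applied
# automatically, and the platforms on which the setting can be enforced at all.
BASELINE = {
    "storage_encrypted":  {"required": True,  "auto_remediate": True,
                           "platforms": {"ios", "android", "windows_phone"}},
    "passcode_set":       {"required": True,  "auto_remediate": True,
                           "platforms": {"ios", "android", "windows_phone"}},
    "jailbroken":         {"required": False, "auto_remediate": False,
                           "platforms": {"ios", "android"}},
    "fingerprint_unlock": {"required": True,  "auto_remediate": True,
                           "platforms": {"ios"}},  # modelled on the iOS-only setting the guide mentions
}

# Constructed inventory, as a management point might receive it from enrolled devices.
DEVICES = [
    {"id": "D1", "platform": "ios", "owner": "byod",
     "storage_encrypted": True, "passcode_set": True,
     "jailbroken": False, "fingerprint_unlock": False},
    {"id": "D2", "platform": "android", "owner": "corporate",
     "storage_encrypted": False, "passcode_set": True, "jailbroken": True},
    {"id": "D3", "platform": "windows_phone", "owner": "corporate",
     "storage_encrypted": True, "passcode_set": True},
]


def evaluate(device: dict, baseline: dict = BASELINE) -> list[tuple[str, str]]:
    """Compare one device against the baseline.

    Returns (setting, status) pairs where status is:
      "remediate"       - out of compliance, and the setting can be pushed automatically
      "escalate"        - out of compliance, and no automatic fix exists (e.g. jailbroken)
      "not_enforceable" - the platform does not support the setting: a coverage gap
    Compliant settings produce no finding.
    """
    findings = []
    for setting, rule in baseline.items():
        if device["platform"] not in rule["platforms"]:
            findings.append((setting, "not_enforceable"))
        elif device.get(setting) != rule["required"]:
            status = "remediate" if rule["auto_remediate"] else "escalate"
            findings.append((setting, status))
    return findings


def response_plan(device: dict, findings: list[tuple[str, str]]) -> list[str]:
    """Turn findings into the graded actions the guide describes.

    Auto-remediable settings are re-applied. Anything that must be escalated is
    treated as a compromised device: lock it, then remove data. This constructed
    policy keeps the BYOD privacy balance by limiting a user-owned device to a
    selective wipe of company content, while a corporate device is fully wiped.
    """
    actions = [f"re-apply {setting}" for setting, status in findings if status == "remediate"]
    if any(status == "escalate" for _, status in findings):
        actions.append("remote lock")
        actions.append("selective wipe" if device["owner"] == "byod" else "full wipe")
    return actions


def coverage_gaps(findings: list[tuple[str, str]]) -> list[str]:
    """Settings the baseline requires but this platform cannot enforce."""
    return [setting for setting, status in findings if status == "not_enforceable"]


def run(devices: list = DEVICES) -> dict:
    """Evaluate every device; returns {device id: (actions, coverage gaps)}."""
    report = {}
    for device in devices:
        findings = evaluate(device)
        report[device["id"]] = (response_plan(device, findings), coverage_gaps(findings))
    return report


if __name__ == "__main__":
    for device_id, (actions, gaps) in run().items():
        print(device_id, "actions:", actions, "unenforceable:", gaps)
```

The third device reports no actions at all, yet two baseline settings are silently unenforceable on its platform; a report that only lists remediation actions would show it as fully compliant. Surfacing the coverage gaps alongside the actions is what lets you check that every supported platform is actually covered by the incident response plan.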

Another important aspect of incident response is how you will proactively take action based on trends, and also how you will react to an incident that was not reported, based on the monitoring system in place. The MDM solution must facilitate monitoring and reporting the state of those mobile devices that are enrolled. For more information about incident responses, see the Determine incident response requirements task.

Use Table 19 as a reference to assist you in choosing the MDM option that best fits your organization’s incident response requirements.

Table 19

Intune (standalone)
  Advantages:
    Allows you to remotely wipe, remote lock, and password lock a mobile device
    Allows you to create restrictive security policies to mitigate threats
    Allows you to create alerts and custom notifications based on those alerts
  Disadvantages:
    Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM for Office 365
  Advantages:
    Allows you to remotely wipe and remote lock a mobile device
  Disadvantages:
    Only allows a small subset of security policies
    Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
    Some policies may not be available for some mobile platforms

Hybrid (Intune with System Center)
  Advantages:
    Allows you to remotely wipe, remote lock, and password lock a mobile device
    Allows you to create restrictive security policies to mitigate threats
    Single management for cloud and on-premises devices
    Easier
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility Suite
  Advantages:
    Allows you to remotely wipe, remote lock, and password lock a device
    Allows you to create restrictive security policies to mitigate threats
    Allows you to track users’ behavior by leveraging Azure AD Reports
    Allows you to track user rights assignments, which can be used in some incident response scenarios
  Disadvantages:
    Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
    Some policies may not be available for some mobile platforms

Step 4 - Plan for Software as a Service (SaaS) mobile device management

The last step in designing a complete mobile device management strategy is to determine the requirements for the Software as a Service device management solution that will be used to support mobile devices within your organization. In this step, we’ll examine SaaS platform types, characteristics such as scalability and accessibility, mobile device management connectivity, and integration with your on-premises infrastructure.

More and more, organizations are starting to leverage the features and power of cloud computing infrastructure solutions to deliver services and applications to users. Software as a Service (SaaS) allows user and device services, applications, and activities to be centrally managed from a single location, regardless of the location of the user or device. If your organization is currently using (or planning to implement) SaaS services, it’s important to define how the solution will deliver these services to mobile devices in your organization and integrate with (or even replace) your on-premises mobile device management platform. In some cases, SaaS solution decisions may be completely separate from, or just a small part of, how mobile devices will be managed in your organization. However, understanding the overall impact of the SaaS solution as it relates to managing mobile devices is an important part of deploying a complete mobile device management solution.

You need to go over these key aspects of the SaaS solution to understand what is a current requirement and what your organization plans for the future. If you don’t have the vision to define a long-term strategy for managing mobile devices and integration with cloud services adoption, your mobile device management solution may not be scalable as your organization’s business needs change.

Task 1: Identify your SaaS requirements

Each SaaS solution will have different requirements, mobile device management features, and levels of integration with on-premises networks and platforms. Many SaaS solutions offer trial tenants or services for you to evaluate their features and functionality, which is an important part of determining which solution actually meets your needs. However, many SaaS solutions may have subtle differences in features and functionality, depending on the platform type.

The majority of SaaS solutions are based on three cloud types:

Multi-tenant (public)

Private (dedicated)

Hybrid

Before making decisions on how you’ll use a SaaS solution to manage your mobile devices, you’ll also need to examine the differences between these types of cloud platform architectures and choose the one that best fits the overall needs of your organization. Individual SaaS solutions have differing levels of support for areas such as customization, feature configuration, integration, and collaborative functionality.

SaaS cloud types

Multi-tenant SaaS solutions are what are typically called “public” cloud infrastructures. This is when the software architecture of the service is a single instance, but serves multiple tenants or organizations. The solution is designed to provide every tenant a reserved share of its services, such as user or device management, configuration, and data support. The tenant accounts and services are separated virtually, with each tenant accessing the platform infrastructure in separate instances. Multi-tenant SaaS solutions also typically offer cost savings earned from sharing the infrastructure and distributing the overhead costs amongst multiple tenants. Most mobile device management platforms are offered in a multi-tenant SaaS platform infrastructure.

Private, or dedicated, cloud services are instances of SaaS solutions that are operated for a single organization or tenant. These can either be private cloud services hosted by the organization or private cloud services hosted by a 3rd party provider. Private cloud solutions also typically offer greater opportunities for customization, both in the areas of services and security. Some dedicated SaaS solutions offer mobile device management services as a part of larger private cloud tenant options.

Hybrid SaaS solutions can offer a combination of either multi-tenant and private cloud infrastructures, or a combination of hosted (either multi-tenant or private) and on-premises cloud infrastructures. A hybrid infrastructure may also include leveraging an external cloud SaaS solution for delivering certain types of services (such as applications), but leveraging internal resources for other types of services. Most SaaS solutions offer the ability to support a hybrid cloud configuration, but may vary significantly in the depth and completeness of integration with on-premises or other hosted cloud platforms.

SaaS cloud type questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud types:

What level of security do I need for mobile device data stored in my SaaS solution?

How does the SaaS solution address intrusion detection and data loss prevention for mobile devices?

Does your organization have to comply with any regulatory, certification, or compliance requirements for mobile devices or data stored on mobile devices? If so, do these require a specific level of security, customization, scalability, or resiliency? How is compliance audited and reported?

Does the SaaS solution need connectivity with other cloud services or platforms that will manage mobile devices? If so, is this connectivity:
o Pre-configured or standardized?
o Customizable?
o Supported by the platforms you need to connect to?

Do you need to connect your SaaS solution with an existing on-premises device management infrastructure? If so, is this connectivity:
o Supported by your on-premises device management platform?
o Supported by the SaaS solution?
o Supported without the need for additional on-premises physical resources?

Will your cloud-based services, applications, and processes for mobile devices require different levels of security, customization, scalability, and resiliency?

Scalability

Ease of scalability is one of the primary reasons for considering or deploying a SaaS solution for managing mobile devices in your organization. By definition, public SaaS solutions typically offer a virtually limitless ability to support any number of users or mobile devices. Private and hybrid SaaS solutions may be subject to scaling limits, based on available organization resources. Scaling up or down to support a greater or lesser number of users or devices usually depends on a specific licensing model or per user/device pricing package for public clouds.


Scalability questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud scalability:

What type of short and long-term plans does your organization have for growth or contraction in mobile device and application support infrastructure?

How rapidly will your organization need to scale mobile device management support services upward or downward?

What is the initial number of mobile devices and/or users that need support in the SaaS solution? How likely is this number to change in the next year? The next 3 years? The next 5 years?

Does the number of mobile devices needing SaaS solution support change on a regular pattern (such as seasonally)? Does it change according to the number of active or inactive organization projects?

Does SaaS solution performance change depending on the scale of supported mobile devices and users? If so, in what areas (nodes, data, processing, etc.)? How is the scaling performance measured, reported, and audited?

Accessibility

Easy access to the SaaS solution is another key component of the SaaS architecture. Because the SaaS solution is hosted on a cloud-based infrastructure, it’s accessible by administrators, users, and devices from any location that has access to the Internet. Administration of mobile devices is done via a browser. Because many SaaS solution providers operate geographically diverse datacenters, users and devices can access the platform “locally”, often avoiding latency and delays that can be associated with connecting to geographically distant endpoints. Accessibility can also typically be expanded by integrating the SaaS solution with on-premises device management platforms.

Accessibility questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud accessibility:

Are there specific mobile device browser requirements in your organization? If so, does the SaaS solution support the required browser(s)?

Do mobile device users need any special accessibility requirements for applications or services?

Does your organization need to access the SaaS infrastructure located in the same geographic region as the user devices or your on-premises infrastructure? Are there legal ramifications if mobile device data is stored or moved across international borders?

Resiliency

Since the SaaS infrastructure is cloud-based and hosted across multiple datacenters, the service is typically subject to less instability or fewer outages than traditional on-premises hosted services. Multi-location service hosts offer protection against geographic-based outages and service interruptions by using fail-over infrastructure and processes to replicate data across multiple datacenter nodes. Depending on the SaaS solution, access to the service may or may not remain in the original geographic area during a fail-over.

Resiliency questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud resiliency:

In the event of a primary SaaS solution fail-over, how will mobile device management services be impacted?

How will mobile device data stored on the SaaS solution be shared in the cloud-based infrastructure?

If the primary mobile device SaaS datacenter isn’t available, are the fail-over datacenters in the same geographic region as the primary datacenter? Is it OK for fail-over datacenters to be located outside the international borders from which the mobile devices are operating?

Does the SaaS solution have a defined service level agreement (SLA) outlining support for mobile device management?

Up-to-date services

SaaS solutions are also able to keep the applications and services up-to-date with the latest application version, features, security updates, and bug fixes. Often these updates are published very quickly, sometimes even on a daily basis. Depending on the SaaS solution, updates may be instantly available to all customers or released in a phased approach to smaller groups of customers. One of the biggest benefits is that when a bug is fixed for one customer, the fix can be easily applied to all customers using the service.

Services questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud services:

How often are mobile device management features and functionality updated in the SaaS service?

What impact will feature and functionality updates have on your mission-critical mobile device applications and services?

Are SaaS solution feature and functionality updates deployed to customers on an ad hoc or planned schedule?

Does the SaaS solution support exemptions from service-wide updates for individual organizations?

Does the SaaS solution have different service update schedules for mobile device application and mobile device management features and functionality?

Task 2: Identify your SaaS solution / on-premises infrastructure integration needs

Two of the primary decisions that need to be made when considering managing mobile devices with a SaaS solution are:

• How will your existing user and device on-premises directory accounts integrate with the SaaS solution?
• Do you need to integrate the SaaS solution with existing on-premises client management platforms?

The decisions you make in these two areas will significantly impact the overall deployment, administration, and end-user experiences for your mobile device management solution.

Identity and directory connectivity

Connecting and synchronizing your on-premises user and device account directory with the SaaS solution is the glue that connects users, mobile devices, mobile applications, and mobile device management. Knowing who a user is (identity) and associating that identity with specific mobile devices is critical in managing access to company resources and data from the mobile device. In many ways, how well these areas are connected to the SaaS solution determines the overall value to both you and your mobile device users. Ubiquitous connectivity means that people can use devices and applications anywhere, and it’s essential that user identity management keeps pace with the demands of this connectivity. It can’t be stressed enough that how you manage identity and user authentication is critical to the success of your mobile device management solution.

Synchronizing on-premises directory services to the SaaS solution is another key area to consider when defining your mobile device management strategy. Most organizations prefer to maintain an on-premises user and device directory infrastructure, but need to extend these accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device management solution, but in most scenarios organizations need to integrate user and device accounts into several different types of cloud-based services, such as cloud-based applications, data, or third-party web services. Keeping your user and device directory accounts synchronized is the cornerstone of a well-designed identity management solution. Once you integrate your on-premises directory with the cloud directory, you can also enable single sign-on (SSO) to allow users to sign into all services using their on-premises credentials. Both Intune and Office 365 can take advantage of this integration to enable SSO with SaaS apps that the organization might want to use.

Identity and directory connectivity questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about identity management and directory connectivity:

• Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you’re using in your on-premises infrastructure?
• Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
• Does the SaaS solution support user and mobile device authentication for third-party or other external SaaS-based applications or services?
• How does the SaaS solution manage identity-related threats and abnormalities?
• Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
• What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions for certain object types?
• What on-premises requirements are needed to extend your directory services to the SaaS solution?
• Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
• Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
• Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?

Connecting with existing client management platforms

Most organizations have an existing on-premises client management platform to manage desktop computers and servers. How you integrate the management of mobile devices into this system is likely to have a substantial impact on IT infrastructure costs, device management administration processes, device inventory and reporting support, and overall integration with other business-critical applications and services. By connecting these two platforms, organizations are able to leverage the economies of scale of a single, unified management platform.

Connecting existing client management platforms questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about connecting the SaaS solution with existing client management platforms:

• Does your on-premises client management platform support integration with the SaaS solution? If so, are there:
  o Limitations on the type of SaaS solution?
  o Limitations on the types of supported devices?
• What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
  o Physical server or device requirements?
  o Directory services or directory schema requirements?
  o Domain Name Services (DNS) requirements?
  o Identity requirements?
  o Client management platform upgrades or configuration requirements?
  o Network connectivity and/or network security configuration requirements?
• Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
• After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system or are they managed separately?
• How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?

Task 3: Develop your SaaS mobile device management adoption strategy

In this task you will define the mobile device management SaaS strategy to meet the requirements that you defined in Tasks 1 and 2.

Task 3a: Identify your SaaS solution requirements

Depending on how you answered the questions in Task 1, you should be able to determine what the SaaS solution needs to support in your mobile device management solution. Table 20 below will help you understand the advantages and disadvantages of each SaaS solution scenario:

Table 20 (MDM options: advantages and disadvantages)

Intune (standalone)

Advantages:
• Offered as a multi-tenant, public cloud architecture
• Scales to support up to 50,000 mobile devices
• Doesn’t require any additional investments in on-premises infrastructure, hardware or software
• Updates and feature improvements are made on a daily basis; major feature and functionality enhancements are made on a monthly basis
• Services can be assigned to datacenters in specific geographic locations
• Datacenter fail-overs can be restricted to specific geographic locations
• Certified and compliant with most industry and governmental standards
• Service Level Agreement (SLA) is financially backed: if the service or features aren’t available, monthly charges are waived

Disadvantages:
• Private cloud instances aren’t supported
• If you need to support more than 50,000 mobile devices, you’ll need to connect Intune to System Center 2012 R2 Configuration Manager to manage the additional devices

MDM for Office 365

Advantages:
• Tightly integrated with Office 365 commercial tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
• Offered in Office 365 multi-tenant (public) or private (dedicated) platform types
• No additional user or device licensing costs; included by default in Office 365 commercial (Business, Enterprise, Education, and Government) plans

Disadvantages:
• Doesn’t support managing non-mobile operating systems
• Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices

Hybrid (Intune with System Center)

Advantages:
• All the advantages of Intune standalone, plus the following:
  o Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
  o Supports advanced device provisioning options for mobile devices via Intune connectivity
  o New Intune service features and functionality are extended to the on-premises System Center infrastructure via platform extensions, either automatically or customized

Disadvantages:
• Requires additional configuration to connect Intune with the on-premises System Center infrastructure
• For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune to understand what data is removed and the effect on data that remains on the device after a selective wipe per platform. If you have a hybrid environment, consult the article How to remote wipe mobile devices using Configuration Manager to understand how System Center 2012 R2 Configuration Manager can be used to accomplish this task.

For more details about SaaS solution functionality and requirements, make sure to review the service description for Microsoft Intune to understand the differences in SaaS support versus MDM for Office 365 and in a hybrid Intune and System Center 2012 infrastructure.

Task 3b: Identify your SaaS solution connectivity requirements

Connecting your on-premises infrastructure has an important impact on how user and device identity is managed with Intune, MDM for Office 365, and hybrid Intune and System Center deployments. Both Intune and MDM for Office 365 leverage the directory services architecture provided by Azure Active Directory Services. This integration with Azure offers maximum flexibility when designing identity management support in your mobile device management solution.

As shown in Figure 15 below, connecting your on-premises directory services with Azure is the key component requirement to enable both single sign-on and unified directory account management. Synchronizing directory account attributes and credentials between Azure and on-premises directory services allows users to authenticate themselves through their mobile devices when accessing either MDM for Office 365 or the Intune service.

Figure 15 – Overview of integrated identity management
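The directory synchronization and single sign-on described in the identity and directory connectivity section and in the paragraph above are only as good as their current state in the tenant. As an added example (not code from the guide or from Microsoft), the following PowerShell reports whether directory synchronization to Azure Active Directory is enabled and how stale the last sync is, and lists licensed users who have no per-user multi-factor authentication requirement. It assumes the Azure Active Directory PowerShell module for Windows (MSOnline) is installed, that the account used has read access to the tenant, and that the 3-hour staleness threshold is a constructed value to be tuned to your own synchronization schedule.

```powershell
# Added example (not from the guide): audit directory sync and MFA state for an
# Intune / Office 365 tenant using the MSOnline module.
# Assumptions: MSOnline module installed; the signed-in account can read company
# information and users; 3 hours is a constructed staleness threshold.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

$staleAfter = New-TimeSpan -Hours 3

# 1. Is the on-premises directory synchronized to Azure Active Directory, and how recently?
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not enabled for '$($company.DisplayName)'; accounts are cloud-only."
} elseif ($null -eq $company.LastDirSyncTime) {
    Write-Warning "Directory synchronization is enabled but has never completed a sync cycle."
} else {
    $age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
    if ($age -gt $staleAfter) {
        Write-Warning ("Last directory sync was {0:N1} hours ago; check the sync server before onboarding devices." -f $age.TotalHours)
    } else {
        Write-Output ("Directory sync is current; last sync {0:N0} minutes ago." -f $age.TotalMinutes)
    }
}

# 2. Which licensed users have no per-user MFA requirement?
#    ImmutableId is set only on accounts sourced from the on-premises directory, so the
#    'Synced' column separates synchronized accounts from cloud-only ones.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed } |
    Select-Object UserPrincipalName,
        @{ Name = 'Synced';   Expression = { $null -ne $_.ImmutableId } },
        @{ Name = 'MfaState'; Expression = {
            if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                $_.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
            } else {
                'Disabled'
            } } } |
    Where-Object { $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Run the script from an administrator workstation after directory synchronization has been set up; a stale sync time or a long list of synchronized users without MFA are the two findings that most directly weaken the single sign-on design the guide describes, because device enrollment and access decisions depend on the identity data being current and strongly authenticated.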

Depending on how you answered the questions in Task 2, you should be able to determine how the SaaS solution needs to connect to your on-premises client management platform for your mobile device management solution. Table 21 below will help you understand the advantages and disadvantages of connecting your on-premises infrastructure with a SaaS solution:


Table 21 (connectivity options: advantages and disadvantages)

Intune (standalone)

Advantages:
• Tightly integrated with Azure Active Directory for managing user and device identity and authentication
• Supports user credential self-management and single sign-on experiences that can leverage existing on-premises account credentials
• Supports single sign-on access to thousands of pre-integrated SaaS applications
• Supports application access security by enforcing rules-based multifactor authentication (MFA) for both on-premises and cloud applications

Disadvantages:
• Advanced directory services connectivity features and functionality require pairing with Azure Active Directory Premium

MDM for Office 365

Advantages:
• Integrated with Office 365 tenants, leveraging the Azure Active Directory backbone for managing user and device identity and authentication
• On-premises directory services can be connected as a part of connecting services with Office 365
• Supports user self-management and single sign-on experiences that can leverage existing on-premises account credentials

Disadvantages:
• Doesn’t support mobile application management integration with other SaaS solutions or applications
• Doesn’t support multi-factor authentication

Hybrid (Intune with System Center)

Advantages:
• All the advantages of Intune standalone, plus the following:
  o Direct integration with on-premises directory services through System Center infrastructure

Disadvantages:
• For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
• Requires additional on-premises deployment requirements and configuration changes for organizations with System Center

Next steps and resources

Now that you’ve completed defining your requirements and examining all the options for your mobile device management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right for you and your organization.

Mobile device management solutions

Leveraging specific solution scenarios that fit your needs is a great way to review and plan for the details of deploying a mobile device management infrastructure. The following solutions outline several of the most common mobile device management scenarios:

• The manage mobile devices and PCs in enterprise environments solution helps you manage mobile devices by extending your on-premises System Center 2012 R2 Configuration Manager infrastructure into the cloud with Microsoft Intune. This hybrid infrastructure helps medium and large companies enable BYOD and remote access while reducing administration complexity.
• The managing mobile devices for Configuration Manager 2007 solution helps you manage mobile devices when your infrastructure rests on System Center Configuration Manager 2007. This solution shows you how to set up a single server running System Center 2012 R2 Configuration Manager so you can then run Microsoft Intune and take advantage of its MDM capabilities.
• The managing mobile devices in small environments solution is intended for small businesses that need to support MDM. It explains how to use Microsoft Intune to extend your current infrastructure to support mobile device management and BYOD. This solution describes the simplest scenario supported for using Microsoft Intune in a standalone, cloud-only configuration without local servers.

Mobile device management documentation

Conceptual and procedural planning, deployment, and administration content are useful when implementing your mobile device management solution:

• Microsoft System Center solutions can help you capture and aggregate knowledge about your infrastructure, policies, processes, and best practices so that your IT staff can build manageable systems and automate operations.
• Microsoft Intune is a cloud-based device management service that helps you to manage your computers and mobile devices and to secure your company’s information.
• MDM for Office 365 allows you to manage and secure mobile devices when they’re connected to your Office 365 organization. You can use MDM for Office 365 to set device security policies and access rules, and to wipe mobile devices if they’re lost or stolen.


Mobile device management resources

Monitoring the following resources provides the latest news and updates on our mobile device management solutions:

• Microsoft Enterprise Mobility blog
• Microsoft In The Cloud blog
• Microsoft Intune blog
• Microsoft System Center Configuration Manager blog
• Microsoft System Center Configuration Manager Team blog
• Microsoft Office 365 blog