Mobile Device Management
Design Considerations Guide
Published May, 2015
Version 1.1
Copyright
This guide is provided “as-is”. Information and views expressed in this guide, including URL and other Internet Web site references, may change without notice. Some examples
depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This guide does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this guide for your internal, reference
purposes.
© 2015 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Microsoft Intune, Microsoft System Center 2012 R2 Configuration Manager, Mobile Device Management for Office 365, Office 365, Windows, and
Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Introduction
Design considerations overview
Step 1 - Identify your mobile device management requirements
    Task 1: Identify your business needs
    Task 2: Specify your mobile device management location requirements
    Task 3: Develop your mobile device management adoption strategy
Step 2 - Plan for mobile device management tasks
    Task 1: Understanding the mobile device management lifecycle
    Task 2: Gather monitoring requirements
    Task 3: Determine network resource requirements
    Task 4: Define your mobile device management lifecycle strategy
Step 3 - Plan for secure mobile devices
    Task 1: Gather your data protection requirements
    Task 2: Specify your privacy requirements
    Task 3: Specify your access requirements
    Task 4: Develop your incident response requirements
    Task 5: Plan your mobile device security strategy
Step 4 - Plan for Software as a Service (SaaS) mobile device management
    Task 1: Identify your SaaS requirements
    Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
    Task 3: Develop your SaaS mobile device management adoption strategy
Next steps and resources
    Mobile device management solutions
    Mobile device management documentation
    Mobile device management resources
Mobile Device Management Design Considerations 1
Introduction
With all of the different design and configuration options for mobile device management
(MDM), it’s difficult to determine which combination will best meet the needs of your
organization. This design considerations guide will help you to understand mobile device
management design requirements and will detail a series of steps and tasks that you can follow
to design a solution that best fits the business and technology needs for your organization.
Throughout the steps and tasks, this guide will present the relevant technologies and feature
options available to organizations to meet functional and service quality (such as availability,
scalability, performance, manageability, and security) level requirements.
Specifically, the goals of this guide are to help you answer the following questions:
• What questions do I need to answer to drive an MDM-specific design for a technology or problem domain that best meets my requirements?
• What is the sequence of activities I should complete to design an MDM solution for the technology or problem domain?
• What MDM technology and configuration options are available to help me meet my requirements, and what are the trade-offs between those options, so that I can select the best option for my MDM requirements?
Who is this guide intended for? Information technology architects and professionals
responsible for designing a mobile device management solution for medium or large
organizations.
How can this guide help you? You can use this guide to understand how to design a mobile
device management solution that is able to manage company-owned devices as well as user-
owned devices in different form factors.
Figure 1 - Example of a hybrid Intune and System Center 2012 R2 Configuration Manager MDM solution
Figure 1 is an example of a hybrid solution, which leverages cloud services integrated with on-premises capabilities in order to manage all types of devices, regardless of their location. Although this is a very common scenario, every organization's MDM design might differ from the example due to each organization's unique management requirements.
This guide details a series of steps and tasks that you should follow to assist you in designing a
customized MDM solution that meets your organization’s unique requirements. Throughout the
following steps and tasks, this guide covers the relevant technologies and feature options
available to you to meet the functional and service quality level requirements for MDM.
Though this guide can help you design an MDM solution, it does not discuss specific implementation or operations options for the management solutions. You can find detailed deployment and configuration steps for Microsoft Intune, Mobile Device Management for Office 365, and Microsoft System Center in the TechNet Library using the links available in the Next Steps section located at the end of this guide.
Assumptions: You have some experience with Intune, System Center 2012 R2 Configuration
Manager, Windows Server 2012 R2, and mobile devices running Android, iOS, and Windows
Phone. You may have even deployed one of these solutions in an initial MDM test or limited
production environment. In this guide, we assume you are looking for how these solutions can
best meet your business needs on their own or in an integrated solution.
Design considerations overview
This guide covers a set of steps and tasks that you can follow to design a solution that best
meets your requirements. The steps are presented in an ordered sequence. However, design
considerations you learn in later steps may prompt you to change decisions you made in earlier
steps as your design matures or due to conflicting design choices. We’ll alert you to potential
design conflicts throughout this guide.
You will develop a mobile device management design that best meets your requirements only
after iterating through the following steps as many times as necessary to incorporate all of the
considerations within this guide:
• Step 1 - Identify your mobile device management requirements
• Step 2 - Plan for mobile device management tasks
• Step 3 - Plan for secure mobile devices
• Step 4 - Plan for SaaS mobile device management
Step 1 - Identify your mobile device management requirements
The first step in designing a mobile device management solution is to determine the management platform requirements that will be used to support your mobile devices. Overall mobile device adoption for your company will dictate the platform requirements. If you decide to standardize on a single mobile device platform, you may disregard the multi-platform requirements for your solution. You'll need to go over your company's business strategy to fully understand your current and future business requirements. If you don't have a long-term strategy for mobile device adoption, chances are that your solution won't scale as your business needs grow and change.
Task 1: Identify your business needs
Each company will have different requirements. Even if these companies are part of the same
industry, the real business requirements might vary. You can still leverage best practices from
the industry, but ultimately it’s the company’s business needs that will identify the requirements
for the mobile device management solution.
The first thing you'll want to do is answer the following questions:
• Device ownership: You must understand the device ownership policy for your company:
  o Who owns the mobile device?
    - The employee?
    - The company?
    - Both?
• Platform: Understanding which mobile device operating systems will be used by the company is very important for adoption and supportability decisions:
  o Which mobile device operating systems will be supported?
    - Android?
    - iOS?
    - Windows?
    - Windows Phone?
    - All of them?
    - A mix of the above options?
  o Which mobile OS version will be supported?
    - Only the latest?
    - Current -1 (the current version plus the previous version)?
• Application: Since the main reason to embrace mobility is to increase productivity, the applications (or just apps) used by employees must be able to run on all the mobile device operating systems used in your organization. This is an important point to consider, because while some companies might have their most important apps fully portable to run in a mobile environment, others might need to understand what options are available that can help them deploy their apps to mobile devices. To help you identify individual app requirements, ask yourself the following questions:
  o Do the apps require Internet access from users' devices?
  o Do the apps collect any user personal information?
    - If so, do the apps inform users about privacy issues and data collection while being installed?
  o Do the apps require integration with cloud services?
  o Were the apps developed to run on a specific operating system, or are they capable of running on any operating system?
  o Do you plan to enable users to use apps via remote desktop from their own devices?
  o Do the apps require full-time access to corporate resources, or can they run in offline mode?
  o Do the apps have any integration with social networks?
  o Will all apps be available to BYOD users?
  o How do you plan to deploy these apps to users' devices?
  o What are the deployment options for these apps?
  o Does the installation requirement vary according to the target device, or is it the same?
  o How much space on a target device is necessary in order to install each app?
  o Do the apps encrypt the data before transmitting it through the network from the users' devices to the app server on the back end?
  o Can the apps be remotely uninstalled via the network, or do they need to be uninstalled via the devices' consoles?
  o Do the apps work over a high-latency or low-bandwidth network?
  o Do the apps provide authentication capabilities?
    - If so, which authentication method do the apps use?
• User: One of the main points in embracing mobility is to put the user at the center of the mobility solution, enabling the user to be more productive while keeping company data secure and available. It is important to understand what the user's requirements are:
  o Will the user be able to bring their own device and access the company's resources?
    - If yes, what are the requirements to access the company's resources?
  o Does your company have different user needs?
    - If yes, how will each user profile impact the mobility strategy?
  o Will users be able to access all apps that they have access to in the on-premises environment via their mobile device?
    - If not, which apps will be available for the users?
    - Are those apps available for all supported mobile device platforms?
    - Will it be necessary to modify or update any apps in order to run them on all supported mobile device platforms?
During this task, you should also evaluate whether the company has existing management and compliance policies in place for mobile devices and how these policies might affect the selection of the mobile device management solution.
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 3 will go over the available options and advantages/disadvantages of each option. By
having answered these questions, you’ll be able to select which solution best suits your
business needs.
Task 2: Specify your mobile device management location requirements
Location requirements are one of the many factors that you should take into consideration when designing your mobile device management strategy. Location is important from the mobile device management solution perspective as well as from the device itself. Answer the following questions:
• Track users: To keep control of users' activity while they use a mobile device that has access to company resources, you must be able to implement policies that restrict access to those resources based on the user's location:
  o Does the company need to implement mechanisms to cover geo-fencing, or the ability to enforce policies based on the geographic location of the device?
  o Does the company need to keep track of where the user was geographically located when they accessed a company resource?
• Administration model: Depending on the mobile device management solution that you deploy, administration can be distributed across different sites (locations) or centralized in a single location. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments, though it has fewer options to accommodate any future growth of your enterprise. You must understand the administration model for your solution:
  o Does your company need a centralized administration model?
    - Does the device management solution need to be located on-premises?
    - If not, can it be located in the cloud?
    - If not, can it be hybrid?
  o Does your company need a decentralized model where different locations should have autonomy over the device management administration?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 3 will go over the available options and advantages/disadvantages of each option.
By having answered these questions, you’ll be able to select which solution best suits
your business needs.
Task 3: Develop your mobile device management adoption strategy
In this task, you’ll develop the mobile device management adoption strategy that will meet the
business requirements that you identified in Tasks 1 and 2.
Task 3a: Device ownership
After reviewing your organization's current policy and strategy to manage devices, you should
have a list of scenarios that your organization plans to implement. Table 1 will assist you to
understand the advantages and disadvantages of each scenario:
Table 1
Scenario: Employee owns the device (BYOD)
  Advantages:
  • Your company does not need to buy mobile devices for the employees
  • Usually allows employees to be more productive, since they will be using the mobile device of their choice
  • Support costs may decrease, since the organization will have limited support over the mobile devices
  Disadvantages:
  • Increases the amount of security considerations to protect company data located on personal devices
  • Increases the likelihood of data leakage, especially when appropriate security controls aren't in place
  • Limited management capability due to privacy restrictions
Scenario: Company-owned device
  Advantages:
  • Full management capability, including device hardening and security controls
  • More control over mobile devices
  • Capability of defining which mobile devices will be used by employees
  Disadvantages:
  • Potential increases in support costs, since the organization will maintain the mobile devices
  • Less flexibility for end users, which may affect their productivity
  • Cost increases, since the organization will have to buy mobile devices
Your organization might need to implement a mixture of elements from these scenarios. In this case, your mobile device management solution needs to be able to manage multiple device platforms while integrating with your current on-premises infrastructure.
Task 3b: Supported mobile device platforms
The decision you made regarding device ownership will help you identify which mobile device
platforms you’ll support. The mobile device management solution that you choose will have to
accommodate this decision. In a single mobile device platform scenario, the platform choice will
not be as relevant as in the multi-platform scenario. Use Table 2 to help you choose the mobile
device management solution for a multi-platform scenario:
Table 2
MDM option: Intune (standalone)
  Advantages:
  • Supports provisioning all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
  • Allows you to manage any mobile device from any location
  • More advanced management options for mobile devices
  Disadvantages:
  • Lack of integration with the current MDM solution located on-premises will introduce an additional management interface for you to use
  • Policies created using the on-premises MDM solution are not replicated to the cloud service
MDM option: MDM for Office 365
  Advantages:
  • Pre-integrated with Office 365
  • If you're already using Office 365, the MDM capabilities are easily leveraged to manage mobile devices
  • If you're already using Office 365, you won't need to use another console to manage mobile devices
  Disadvantages:
  • Limited set of capabilities (see the note that follows this table) to manage mobile devices
  • Lack of integration with any MDM solution currently located on-premises will introduce an additional management interface for you to use
MDM option: Hybrid (Intune with System Center)
  Advantages:
  • Native integration between Intune and System Center 2012 R2 Configuration Manager
  • Allows you to use a single console to deploy policies and manage mobile devices
  Disadvantages:
  • Requires additional configuration steps to connect Intune and System Center 2012 R2 Configuration Manager
  • If the organization does not have a current System Center infrastructure on-premises, it will need to plan, install, and configure this platform prior to the integration
To learn more about the management capabilities available in Office 365, read Device
management tasks.
Task 3c: Application requirements
Based on the requirements that were defined in Task 1, you'll need to choose which mobile
device management solution best fits those requirements. Use Table 3 to compare the MDM
options and advantages and disadvantages of each option:
Table 3
MDM option: Intune (standalone)
  Advantages:
  • Allows you to manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal. Read Deploy software to mobile devices in Microsoft Intune for more information.
  • Allows you to specify a list of compliant apps that users are allowed to install and noncompliant apps, which must not be installed by users. Read Manage devices using configuration policies with Microsoft Intune for more information about this capability.
  • Allows you to configure restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external backup of data, and the transfer of data between apps. Read Control apps using mobile application management policies with Microsoft Intune for more information.
  Disadvantages:
  • Lacks integration with the on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
  • Policies created using the on-premises MDM platform aren't replicated to the cloud service, requiring two sets of management and compliance policies
MDM option: MDM for Office 365
  Advantages:
  • Allows you to require passwords when users access the application store
  • Allows you to block access to the application store
  Disadvantages:
  • Limited set of capabilities to control apps
  • Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use to manage mobile devices
MDM option: Hybrid (Intune with System Center)
  Advantages:
  • Inherits app control settings from Intune standalone
  • Allows you to integrate Intune with System Center to have a better management experience
  • Leverages Configuration Manager app management capabilities. Read Application Management in Configuration Manager for more information
  Disadvantages:
  • Requires additional steps to perform this integration
  • If your organization does not have a current on-premises System Center infrastructure, it will need to plan, install, and configure this platform prior to the integration
Task 3d: Track requirements
Understanding users' behavior and being able to identify their location are important characteristics that should be included in your mobile device management strategy. How devices will be tracked will vary according to your business requirements and needs. It is important to remember that different tracking capabilities are available via each mobile operating system; therefore your selection of which mobile device platforms will be supported will have a direct impact on this requirement. Compliance requirements may drive you to prioritize the adoption of mobile device platforms that allow you to track users' location and use geofencing.
Note
Geofencing allows you to monitor a mobile device’s geographic location and
enable/disable device and network resources based on that location. For example,
Windows 8.1 supports geofencing, which allows an app to define a geographical region
and have the system alert the app when the device it's running on enters or exits that
area. For more information about this feature in Windows 8.1, read Geofencing, start to
finish (XAML).
The MDM authority must also be geolocation aware and communicate with the mobile device
to obtain information that will allow you to enforce geofencing restrictions. Use Table 4 to
compare the MDM options, advantages and disadvantages of each solution:
Table 4
MDM option: Intune (standalone)
  Advantages:
  • Allows you to enable or disable whether applications can use location information on mobile devices. Read Use policies to manage computers and mobile devices with Microsoft Intune for more information
  Disadvantages:
  • Does not provide full geolocation setting capabilities for apps that use this feature
  • Lack of integration with the current MDM platform located on-premises will introduce an additional management interface for you to use
MDM option: MDM for Office 365
  Advantages: Not available
  Disadvantages: Not available
MDM option: Hybrid (Intune with System Center)
  Advantages:
  • Allows you to enable or disable whether applications can use location information on mobile devices. Read the article Compliance Settings for Mobile Devices in Configuration Manager for more information.
  Disadvantages:
  • Does not provide full geolocation setting capabilities for apps that use this feature
  • If the organization does not have a current System Center infrastructure on-premises, it will need to plan, install, and configure this platform prior to the integration
Task 3e: Administration model
The administration model that you will choose will vary according to your business requirements. If the mobile device management solution needs to be located on-premises, you must evaluate what capabilities are available in your current infrastructure to accommodate mobile device management for devices that can be located in the cloud or on-premises. After evaluating how this will impact the mobile management strategy, you might decide that it is possible to keep the core management on-premises and integrate with a cloud mobile device management solution, which leads you to choose the hybrid scenario. Review Table 2 to see the advantages and disadvantages of using a standalone, cloud, or hybrid MDM solution.
Note
It is important to mention that Intune standalone has limited capabilities for delegated administration. Configuration Manager in a hybrid scenario provides greater control and delegation for delegated administrators.
One strategic aspect of how an organization will manage their mobile devices is to understand
the current management platform capabilities and the administration model in place. For
organizations that are composed of a headquarters and multiple branch offices, they might be
using a distributed administration model where each branch office has control over the
management platform for that location. Most of the time, an administration model is already in
place when a company decides to embrace mobility by deploying a mobile device management
solution. However, you must ensure that the current infrastructure will be able to handle the
requirements that were introduced by the adoption of a mobile device management solution.
Figure 2 is an example of an organization with a central administration site, with multiple
primary sites and multiple secondary sites:
Figure 2: Example of a central administration site hierarchy
One important fact to mention is that the administration model in question here is related to
how the infrastructure on-premises will be designed. In this case the company already has a
device management solution in place and is already able to manage their on-premises devices.
Here are some important factors to consider when choosing which administration model you
will use for your mobile device management solution:
• You can schedule and throttle network traffic when you distribute deployment content to distribution points.
• Discovery data records (DDRs) for unknown resources transfer by using file-based replication from a primary site to the central administration site for processing.
• Role-based administration provides a central security model for the hierarchy, and you do not have to install sites to provide a security boundary. Instead, use security scopes, security roles, and collections to define what administrators can see and manage in the hierarchy.
Note
For more information on how to plan for System Center 2012 R2 Configuration Manager
Sites and Hierarchy, read Planning for Configuration Manager Sites and Hierarchy.
System Center 2012 R2 Configuration Manager can accomplish this requirement by allowing
administrators to deploy ConfigMgr using a single stand-alone primary site, or as multiple sites
in a hierarchy. When you plan your initial deployment, consider a design that can scale for the
future growth that your organization might require. Planning for expansion is an important step
because the changes in System Center 2012 R2 Configuration Manager from previous versions
of the product mean that ConfigMgr can now support more clients with fewer sites.
High availability factors should also be considered when designing your management hierarchy.
At each site that will have a System Center 2012 R2 Configuration Manager installed, you deploy
site system roles to provide the services that you want clients to use at that site. The site
database contains the configuration information for the site and for all clients. Use one or more
of the available options to provide for high availability of the site database, and the recovery of
the site and site database if needed.
Note
For more information on how to plan for System Center 2012 R2 Configuration Manager
high availability, read the article Planning for High Availability with Configuration
Manager
Another important point to consider regarding the administration model is how you will delegate administration to your resources. Ideally the management platform will be able to use role-based access control (RBAC). While this is one method of restricting and managing what users, operators, and administrators can perform, it is not the only method and it might not be required for the business. Step 3 of this document will cover RBAC in more detail and how to identify the need to use this capability.
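As an added example, not code from this guide, the following PowerShell shows how the three Configuration Manager building blocks named above (security scopes, security roles, and collections) combine to delegate mobile device administration to a single branch office without handing out Full Administrator. The cmdlets are those of the Configuration Manager PowerShell module that ships with the console; the site code "PS1", the branch names, the baseline, and the "CONTOSO\BranchSP-MDMAdmins" group are assumptions for illustration.

```powershell
# Added example (not from the guide): delegate mobile device administration for one
# branch office with Configuration Manager role-based administration, so that the
# branch admins see and manage only their own objects and devices.
# Assumptions: the ConfigMgr console and its PowerShell module are installed on this
# machine and the caller is a Full Administrator; the site code "PS1", the collection
# "Branch SP - Mobile Devices", the baseline "Branch SP - Mobile Device Policy" and the
# AD group "CONTOSO\BranchSP-MDMAdmins" are hypothetical names.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "PS1:"

$branch     = "Branch SP"
$scopeName  = "Scope - $branch"
$adminGroup = "CONTOSO\BranchSP-MDMAdmins"
$collection = "$branch - Mobile Devices"
$baseline   = "$branch - Mobile Device Policy"

# 1. A security scope is the tag that partitions objects (baselines, configuration
#    items, applications, packages) between administrative groups. One per branch.
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description "Objects owned by $branch" | Out-Null
}

# 2. Tag the branch's mobile device baseline with that scope and drop the "Default"
#    scope. An object that keeps "Default" stays visible to every administrative user
#    who holds Default, which defeats the partitioning. (Collections are not scoped;
#    they are limited per administrative user in step 3.)
$bl = Get-CMBaseline -Name $baseline
Add-CMObjectSecurityScope    -InputObject $bl -Name $scopeName
Remove-CMObjectSecurityScope -InputObject $bl -Name "Default" -Force

# 3. Bind the branch admin group to a least-privilege built-in role, limited to the
#    branch scope and the branch collection. "Compliance Settings Manager" can author
#    and deploy configuration items and baselines but cannot change site settings,
#    deploy software, or create other administrative users.
New-CMAdministrativeUser -Name $adminGroup `
    -RoleName "Compliance Settings Manager" `
    -SecurityScopeName $scopeName `
    -CollectionName $collection | Out-Null

# 4. Verify the effective assignment before the branch is told to use it:
#    exactly one role, one scope, one collection.
Get-CMAdministrativeUser -Name $adminGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

The assignment in step 3 is only as tight as the tagging in step 2: every object the branch must not touch has to carry a scope the branch does not hold, so the verification at the end is worth repeating whenever new baselines or applications are created in the hierarchy.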
Step 2 - Plan for mobile device management tasks
Managing mobile devices, both company-owned and user-owned, encompasses several important lifecycle management decisions. After you've determined the mobile device platform, application, and user requirements for your organization, you'll also need to identify how to manage each of these areas to align your overall MDM strategy to your ongoing management and support policies. In this step, we'll examine the MDM enrollment, management, monitoring, and reporting lifecycle requirements.
Task 1: Understanding the mobile device management lifecycle
Understanding the different areas of managing mobile devices is important when designing
your mobile device management solution. Figure 3 outlines the overall mobile device
management lifecycle stages. Each stage has unique requirements and questions for you to
consider when planning your solution. We’ll start with the enrollment stage in this section, and
the other stages will be covered in more detail throughout this guide.
Figure 3 – Mobile device management lifecycle stages
Device enrollment and provisioning
Mobile device management starts with the initial enrollment and provisioning of devices into
your mobile device management solution. Simplicity, ease of registration, and enrollment are
the key factors for success in the mobile device management lifecycle. If initial device enrollment
is difficult or overly confusing, both you and your users will be reluctant to leverage the features,
benefits, and protections that the mobile device management solution is intended to deliver.
Mobile device enrollment in mobile device management solutions is typically initiated in two ways:
• Administrator-managed enrollment
• User/owner self-enrollment
Administrator-managed enrollment offers a centrally managed enrollment experience, and
typically is centered on enabling the bulk enrollment of multiple devices using a single directory
account. This is useful when enrolling many company-owned devices into the mobile device
management solution.
Self-enrollment offers the device user/owner the option of enrolling in the mobile device
management solution and is typically used in “bring your own device” (BYOD) scenarios,
although it can also be used in scenarios where the company owns the device. This type of
enrollment typically leverages features of a “push-based” enrollment model, where devices are
automatically triggered to enroll in the mobile device management solution upon attempting to
connect to the corporate network or network resource. Users can also elect to enroll their
devices before connecting to an organization’s network or resources.
Enrollment and the provisioning of mobile devices encompasses several different areas:
• Deploying, accessing, and managing internal and external applications and services
• Enforcing device security and access configurations
• Protecting devices from security threats
In most cases, when a mobile device is enrolled in a mobile device management solution the
device is automatically assigned policies and permissions associated with the device user’s
directory account and/or the group the device itself is associated with in directory services.
Depending on the mobile device management solution, the bulk of configuring the provisioning
of these policies and permissions is usually done prior to actual device enrollments. This allows
any configuration settings to take effect immediately when devices are enrolled and avoids
the possibility of a gap between enrollment and provisioning.
Device enrollment and provisioning planning questions: As part of mobile device
management lifecycle planning, you’ll want to answer the following planning questions about
device enrollments and provisioning:
• Will mobile devices be enrolled by you, by users, or both?
• Do you need the ability to bulk enroll mobile devices?
• What is the maximum number of devices you’ll need to bulk enroll?
• Do the mobile operating system platforms in your organization have different bulk
enrollment requirements and resources?
• How many devices will each user typically use and need to enroll?
• Does the mobile device management solution have a per-user device enrollment limit?
• What are the requirements (connectivity, application, management agent, company
portal) for users to self-enroll devices?
• Is this different from the administrator-managed enrollment experience?
• What are the enrollment requirements for each device operating system you need to
support?
• Do the mobile device operating systems in your organization have special or unique
enrollment requirements?
• Does the mobile device management solution support both connected and over-the-air
enrollments?
• What are the hardware requirements (if any) for supporting device enrollments?
• What are the network connectivity and network security requirements for supporting
device enrollments?
• Do you need specific device compliance policies applied to devices upon initial
enrollment?
• Do you need specific device security policies applied to devices upon initial enrollment?
• Do you need the ability to configure or set a maximum or minimum time limit for
provisioning device policies after initial enrollment?
• Do you require special provisioning policies to be automatically triggered in the event of
enrollment failures?
Device management
How mobile devices are managed, both from your perspective and the device user’s perspective,
is a key component of a mobile device management solution. Often, the way mobile devices
are managed is highly dependent on how non-mobile devices (servers,
desktops, other networked devices) are managed. Depending on the organization, non-mobile
device management solutions may have been in place long before mobile devices were
introduced to the organization. This may have been at considerable cost and may include
long-term investments in these management solutions. Thoroughly understanding how your
organization can integrate mobile device management solutions with existing non-mobile
device management solutions is likely one of the most important activities you’ll need to
complete when designing a mobile device management solution that meets the needs of your
organization.
Mobile device management typically involves activities in several administrative areas:
• Device security and configuration: Configuring mobile device security allows you to
configure a wide range of settings that you can deploy to managed devices in your
organization. These settings can be used to control the overall functionality and security
of mobile devices. This may include setting and configuring device passcode access,
device encryption, and erasing data from lost or stolen devices. More details about
security and configuration will be covered in the Plan for secure mobile devices section.
• Application management: Configuring mobile device applications spans several
important areas, including managing application deployment, installation, updating and
status, and application removal. Additionally, managing restrictions on certain
non-compliant applications is central to an overall compliance and security strategy.
• Company resource access: Managing access to on-premises network resources, such as
email servers, Wi-Fi networks, and VPN-enabled resources, serves the dual purpose of
ensuring security compliance and making it easier for mobile device users to access
company resources according to company policy. If accessing organization resources is
overly complex or difficult for mobile device users, non-approved resources
may be used to bypass approved company resources for the storage of company data.
• Inventory and reporting: Managing mobile devices requires recording and analyzing
mobile device and platform events to ensure compliance with management policies.
Detailed reporting also provides you with real-time statistics and data so that you can
make timely, actionable decisions based on the status of mobile devices and mobile
device users. More details about inventory and reporting will be covered in a later
section.
Device management planning questions: Understanding your organization’s requirements will
lead you to determine the core administration tasks that the mobile device management
solution must be able to support. For now, focus only on the key administration aspects, as you
are still defining the requirements, by ensuring that the following questions are answered. As
part of mobile device management lifecycle planning, you’ll want to answer the following
planning questions about device management:
• Do you need specific management policies applied to groups of users, groups of devices,
and/or groups of device operating systems?
• Do you need specific management policies for different types of devices? For example,
separate policies for user-owned or company-owned devices, or mobile devices and
non-mobile devices?
• Do you need to separate device management rights and permissions among several IT
roles or positions? If so:
o What separation of permission levels is required?
o Do the permission levels supported by the solution need to be customizable?
o Do the permissions need to be integrated into your existing account directory
services?
• Do you need the ability to both manually and automatically deploy the mobile device
management solution agents or software?
• Do you want to integrate managing mobile devices with an existing non-mobile device
management solution? If so:
o Do you want to manage all devices from a unified management console or
portal?
o What are the integration requirements for your existing non-mobile device
management solution?
o How does your existing non-mobile device management solution support
required management roles and permissions?
o Are there hardware or networking requirements to connect management services
between the mobile device management and the non-mobile device
management solutions?
o Do both solutions have separate or integrated inventory and reporting systems?
• Does the mobile device management solution have a company portal for users to install
their apps?
• Does the mobile device management solution meet your company’s scalability
requirements?
• Does the mobile device management solution support remote administration?
• Does the mobile device management solution support automation?
Device retirement/unenrollment
When users leave your organization or mobile devices are retired or replaced, it’s important to
ensure that corporate data isn’t lost or compromised. Typically, mobile device management
solutions support both IT-managed and user-managed device resets and unenrollment. With
most mobile devices, unenrollment starts with resetting the device to factory defaults or
performing a selective wipe of all corporate data and applications, followed by removing the
device enrollment connection to the management solution. Often this process differs between
mobile device manufacturers and device operating system platforms.
Device retirement/unenrollment planning questions: As part of mobile device management
lifecycle planning, you’ll want to answer the following planning questions about device
retirement and unenrollment:
• Do you need the ability for both IT and users to unenroll mobile devices?
• If a device is selectively wiped, will it be automatically unenrolled from the mobile device
management solution?
• If mobile device users can unenroll their mobile devices, how will the removal of
corporate data and applications be verified?
o Is this different for devices that are selectively wiped and devices that are reset to
the factory default setting?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and advantages/disadvantages of each option. By
having answered those questions you will select which option best suits your business
needs.
Task 2: Gather monitoring requirements
Monitoring and capturing status and event information for mobile devices is vital to ensuring
that users and devices are maintaining compliance with your corporate policies and security
strategy. This is especially important for organizations that must comply with governmental
regulatory requirements and industry compliance guidelines. Reporting can also provide
valuable information about software, hardware, and software licenses in your organization to
assist with inventory management. It is also important to note that user privacy issues also
impact monitoring and reporting, especially in cases where users are enrolling personally-owned
devices in your organization’s mobile device management solution. Your organization should
not be able to capture, monitor, report or share any personal activity or information.
In general, mobile device management solutions split this area into two general areas:
• Logging: Capturing and storing mobile device and mobile device application status and
information.
• Reporting: Displaying reports or notifications, ranging from standard and customizable
reports that can be created on demand or automatically to summary and dashboard
status reports.
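The following Python script is an added example (not code from this guide or from any Microsoft product) of the logging-to-reporting path described above: it folds a stream of device events into the current inventory, the stale and non-compliant device lists the reporting questions ask for, and an archive of retained records for de-enrolled devices, and it strips personal fields from every record about a personally-owned device so they never reach a report. The one-JSON-object-per-line log format, its field names and the events themselves are constructed assumptions.

```python
"""Monitoring: from device event log lines to an inventory/compliance report.

Added example, not code from the guide or from any MDM product. The log
format (one JSON object per line), the field names and the events are
constructed for illustration.
"""
import json
from datetime import date
from typing import Dict, List

# Fields that describe the person rather than the managed device. They are
# dropped from every record about a personally-owned (BYOD) device.
PERSONAL_FIELDS = {"personal_apps", "location", "phone_number"}

# Constructed sample log: one corporate device and one personal device.
SAMPLE_LOG = """\
{"ts": "2015-05-01", "event": "enrolled", "device": "ipad-0427", "user": "jdoe", "ownership": "corporate", "os": "iOS 8.3"}
{"ts": "2015-05-01", "event": "enrolled", "device": "gal-s5-13", "user": "asmith", "ownership": "personal", "os": "Android 4.4", "personal_apps": ["Candy Crush"], "location": "home"}
{"ts": "2015-05-03", "event": "checkin", "device": "ipad-0427", "compliant": true, "location": "HQ-Floor3"}
{"ts": "2015-05-03", "event": "checkin", "device": "gal-s5-13", "compliant": false, "reason": "rooted", "location": "cafe"}
{"ts": "2015-05-10", "event": "checkin", "device": "ipad-0427", "compliant": true}
{"ts": "2015-05-12", "event": "unenrolled", "device": "gal-s5-13", "wipe": "selective"}
"""


def parse_log(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def redact(record: dict, ownership: str) -> dict:
    """Keep every field for corporate devices; drop personal fields for BYOD."""
    if ownership != "personal":
        return dict(record)
    return {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}


def build_report(events: List[dict], today: date, stale_after_days: int = 7) -> Dict[str, object]:
    """Fold the event stream into the current inventory plus the lists the
    reporting questions ask for: non-compliant devices, devices that have
    stopped checking in, and retained records for de-enrolled devices."""
    inventory: Dict[str, dict] = {}
    archive: List[dict] = []
    for ev in events:
        dev, kind = ev["device"], ev["event"]
        if kind == "enrolled":
            entry = redact(ev, ev["ownership"])
            del entry["event"]
            entry["last_seen"] = entry.pop("ts")
            entry["compliant"] = None          # unknown until the first check-in
            inventory[dev] = entry
        elif dev not in inventory:
            continue                           # unknown or already retired device
        elif kind == "checkin":
            entry = inventory[dev]
            fields = redact(ev, entry["ownership"])
            entry["last_seen"] = fields["ts"]
            entry["compliant"] = fields["compliant"]
            entry["reason"] = None if fields["compliant"] else fields.get("reason", "unspecified")
            if "location" in fields:           # survives redaction only for corporate devices
                entry["location"] = fields["location"]
        elif kind == "unenrolled":
            entry = inventory.pop(dev)
            entry["unenrolled"] = ev["ts"]
            entry["wipe"] = ev.get("wipe", "none")
            archive.append(entry)              # legacy record kept, live inventory cleared
    stale = [d for d, e in inventory.items()
             if (today - date.fromisoformat(e["last_seen"])).days > stale_after_days]
    non_compliant = [d for d, e in inventory.items() if e["compliant"] is False]
    return {"inventory": inventory, "archive": archive,
            "stale": stale, "non_compliant": non_compliant}


def report_for(log_text: str, today_iso: str, stale_after_days: int = 7) -> Dict[str, object]:
    """Convenience wrapper: parse the log and report as of an ISO date string."""
    return build_report(parse_log(log_text), date.fromisoformat(today_iso), stale_after_days)


if __name__ == "__main__":
    print(json.dumps(report_for(SAMPLE_LOG, "2015-05-20"), indent=2))
```

Run as of 2015-05-20, the corporate iPad shows up as stale (last check-in ten days earlier) while the personal device has moved to the archive with its wipe type recorded and no personal fields retained; the redaction is applied to check-ins as well as enrollment records, because location data arrives on every check-in.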
Monitoring planning questions: As part of mobile device management lifecycle planning,
you’ll want to answer the following planning questions about device monitoring:
• What types of regular reports for mobile devices will you need?
o Device inventory?
o Device usage?
o Device access?
o Device applications?
• Will reports need to be shared?
o Between IT roles?
o Outside of the IT organization?
o Accessed remotely (outside of the corporate network)?
• What types of issues or problems with devices will you need to identify?
• What types of events captured in monitoring will need to be acted upon? In what time
frame?
• Will you need customized reports?
• When a device is de-enrolled, should specific inventory and reporting events be
captured?
• After a device is de-enrolled, should legacy inventory and reporting events be
archived/maintained?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and advantages/disadvantages of each option. By
having answered those questions you will select which option best suits your business
needs.
Task 3: Determine network resource requirements
Enabling secure, managed access to a wide variety of corporate resources by mobile devices is
one of the primary features of a mobile device management solution. While these resources
have typically been located in on-premises networks in the past, more and more they are also
starting to be hosted on cloud-based web services and external networks. How mobile devices
connect to corporate email platforms, virtual private networks (VPNs), and corporate wireless
(Wi-Fi) networks all play an important role in keeping corporate data and other resources
protected from unauthorized access. Equally important is making it convenient and easy for
mobile device users to securely access these resources, to avoid users finding a more
convenient, unprotected method of accessing resources.
Email management
Accessing corporate email, whether on a personally-owned mobile device or a company-owned
mobile device, is typically the primary data resource most users need access to on a corporate
network. It is also typically the connection that can trigger initial mobile device enrollment in the
mobile device management solution. Having the ability to manage email access for mobile
devices across both your existing non-mobile device management solution and the mobile
device management solution helps avoid device coverage gaps and increases the protection level
for data stored on email servers.
Most mobile device management solutions provide email access protection by using one or
both of the following features:
• Email profiles: Email profiles provide administrators with the ability to create and deploy
profiles that automatically configure mobile devices with the appropriate email server
information so that users can connect to their mailbox. This helps ensure that users
connect to the correct email server and removes the need for users to
remember email server endpoint names or network addresses. Removing these email
profiles also provides administrators with the ability to remove email from devices as part
of the device reset or selective wipe process. Email profile management can be included as a
feature in non-mobile device management solutions, or can often be configured as part
of the integration of a mobile device management solution.
• Managed email access: Managed email access, sometimes referred to as conditional
email access, is different from email profiles in that it typically focuses on the security
and compliance state of the mobile device rather than which endpoint the mobile device
connects to for email access. With managed email access, a compliance policy that
outlines the device prerequisites needed before a mobile device can connect to an email
resource is defined and assigned to individual users or devices, or to groups of users and/or
devices. This compliance policy for managed access is typically first enforced upon initial
device enrollment, but should remain in place and active as long as the mobile device is
enrolled in the mobile device management system.
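As an added example (not code from this guide or from Intune or Office 365), the following Python script models managed email access as described above: a compliance policy is evaluated at the first check-in after enrollment and re-evaluated on every later check-in, so a device that drifts out of compliance loses mail access until it is remediated, and a device that stops checking in can no longer prove compliance. The policy settings, the inventory fields and the device’s check-in history are illustrative assumptions, not the schema of any product.

```python
"""Compliance-gated ("conditional") email access.

Added example for the managed email access discussion; not code from the
guide or from any Microsoft product. Policy fields, device inventory fields
and the check-in records below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CompliancePolicy:
    """Device prerequisites that must hold before (and while) mail access is granted."""
    require_passcode: bool = True
    min_passcode_length: int = 6
    require_encryption: bool = True
    block_jailbroken: bool = True
    # Assumed field: per-platform minimum OS version, e.g. {"iOS": (8, 0)}.
    min_os_version: Dict[str, Tuple[int, ...]] = field(default_factory=dict)
    # A device that stops reporting in can no longer prove it is compliant.
    max_checkin_age_days: int = 7


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.1.3' -> (8, 1, 3); tuples compare element-wise, so (8, 1, 3) < (8, 2)."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: dict, policy: CompliancePolicy) -> List[str]:
    """Return every violated prerequisite; an empty list means compliant."""
    violations: List[str] = []
    if policy.require_passcode:
        if not device.get("passcode_set", False):
            violations.append("no passcode")
        elif device.get("passcode_length", 0) < policy.min_passcode_length:
            violations.append("passcode shorter than %d" % policy.min_passcode_length)
    if policy.require_encryption and not device.get("encrypted", False):
        violations.append("storage not encrypted")
    if policy.block_jailbroken and device.get("jailbroken", False):
        violations.append("jailbroken or rooted")
    floor = policy.min_os_version.get(device.get("platform", ""))
    if floor and parse_version(device["os_version"]) < floor:
        violations.append("OS below %s" % ".".join(map(str, floor)))
    if device.get("days_since_checkin", 0) > policy.max_checkin_age_days:
        violations.append("no check-in for %d days" % device["days_since_checkin"])
    return violations


def email_access(device: dict, policy: CompliancePolicy) -> str:
    """Decision for one check-in: 'allow', 'block' (never enrolled) or
    'quarantine' (enrolled but non-compliant; the user is told what to fix)."""
    if not device.get("enrolled", False):
        return "block: device not enrolled"
    violations = evaluate(device, policy)
    if violations:
        return "quarantine: " + "; ".join(violations)
    return "allow"


def replay_checkins(checkins: List[dict], policy: CompliancePolicy) -> List[str]:
    """Apply the gate to each successive check-in of one device. The decision
    is recomputed every time, so access earned at enrollment is lost as soon
    as the device drifts out of compliance and regained once remediated."""
    return [email_access(c, policy) for c in checkins]


CORP_POLICY = CompliancePolicy(min_os_version={"iOS": (8, 0), "Android": (4, 4)})

# Constructed check-in history for one iOS device (not real inventory data).
IOS_DEVICE_HISTORY = [
    {"enrolled": False, "platform": "iOS", "os_version": "8.1", "passcode_set": True,
     "passcode_length": 6, "encrypted": True},                          # before enrollment
    {"enrolled": True, "platform": "iOS", "os_version": "8.1", "passcode_set": True,
     "passcode_length": 6, "encrypted": True},                          # enrollment check-in
    {"enrolled": True, "platform": "iOS", "os_version": "8.1", "passcode_set": True,
     "passcode_length": 6, "encrypted": True, "jailbroken": True},      # drifts out of compliance
    {"enrolled": True, "platform": "iOS", "os_version": "8.1", "passcode_set": False,
     "encrypted": True, "days_since_checkin": 10},                      # two problems at once
    {"enrolled": True, "platform": "iOS", "os_version": "8.1", "passcode_set": True,
     "passcode_length": 6, "encrypted": True},                          # remediated
]

if __name__ == "__main__":
    for step, decision in enumerate(replay_checkins(IOS_DEVICE_HISTORY, CORP_POLICY)):
        print("check-in %d: %s" % (step, decision))
```

The quarantine state is deliberately distinct from a plain block: the device is still enrolled and still reports, so the user can be told exactly which prerequisite to fix, which is the part of the flow that otherwise generates help desk calls.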
Email management planning questions: As part of mobile device management lifecycle
planning, you’ll want to answer the following planning questions about email management:
• How will mobile devices connect to your existing on-premises or cloud-hosted email
system?
• If mobile devices are already connecting to your existing email system, what connection
type or protocol are the devices using to connect?
• Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your email system? If users will be connecting mobile devices to the
email system, how will they:
o Choose the proper connection point to access their email mailbox?
o Choose the proper connection protocol or connection method?
• Will mobile devices need to meet certain security and compliance standards before and
while remaining connected to your email system?
• Do you need the ability to create custom email security and compliance connection
policies? If so, what are the specific requirements?
• Will you need the ability to import or export email security and compliance connection
policies?
• How do you need to manage connections to your email system?
o By device user?
o By device type?
o By device OS?
o By user group or role?
• When a mobile device needs to be disconnected from your email system, how will email
data be deleted from the mobile device?
• Will both administrators and users need the ability to delete email data or the
connection to the email system?
• How will deletion of email data be verified or confirmed?
• If you’re currently managing mobile device connections to email resources with an
existing protocol or management method, how does it integrate with the mobile device
management solution?
• If you’re using both an on-premises and a cloud-based email system, how do they
integrate with the mobile device management solution? Are email profiles or managed
access policies administered the same or differently from the IT perspective? Is the user
email connection experience the same or different depending on where their mailbox is
hosted?
Network connectivity management
When connecting to the corporate network and corporate resources, mobile devices typically
use one of the following access technologies:
• Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises
network extension service while devices are in close physical proximity to the on-premises
network. This usually involves allowing mobile devices to connect to network
resources as users roam from location to location in an on-premises office, such as
conference and meeting rooms, different offices, or other on-premises areas. It can also
include wireless access from remote locations over non-corporate managed wireless
network access points, such as the user’s home network or a public wireless access point.
To simplify connections to wireless networks, administrators can usually manage these
connections using wireless profiles that outline the specific settings mobile devices need
to configure in order to connect to the wireless network. This may include automatically
configuring a custom network name, network Service Set Identifier (SSID), security
settings, network proxy, and whether or not the device should automatically connect to
the wireless network when the device is in range.
• Virtual Private Network (VPN): Secure remote access to corporate resources often
includes using a defined VPN connection type from the mobile device. This is often
vendor-specific and includes the installation of a VPN application on the mobile device.
Additionally, these VPN applications often use either digital certificates or separately
managed user account credentials to authenticate the VPN connection. To simplify
connections to VPNs, administrators can usually manage these connections using VPN
profiles or the VPN management tools included with the VPN solution. Depending on
integration support, managing VPN connections with the mobile device management
solution may or may not be an option with certain VPN platforms.
Note
You may have other web-based resources, such as SharePoint, that leverage secure
access via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Be sure you
understand how mobile devices will access these resources or resources with separate
VPN or secure access methods.
Network connectivity management planning questions: As part of mobile device
management lifecycle planning, you’ll want to answer the following planning questions about
network connectivity management:
• How will the Internet be accessed via the mobile device?
o Is it via Wi-Fi? If it is, do devices require access via a proxy? Proxy authentication?
• How will mobile devices connect to your existing on-premises wireless or VPN platform?
• If mobile devices are already connecting to your existing wireless or VPN platform, what
connection type or protocol are the devices using to connect?
• Will changes to these connections be needed if the devices are enrolled in a mobile
device management solution?
• Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your wireless or VPN platform? If users will be connecting mobile
devices to the wireless or VPN platform, how will they:
o Choose the proper connection point to access the corporate network?
o Choose the proper connection protocol or connection method?
o Choose the proper digital certificate for the connection method?
• Do you want to automatically configure wireless and VPN connection properties and
settings on users’ mobile devices?
• Do you need to provide different wireless network configuration or security settings to
different types of users, devices, device operating systems, or user groups and roles?
• Will you need the ability to import or export wireless and/or VPN configuration or
security connection policies?
• Which of the following wireless security protocols do you need to support? (WEP and the
original WPA have known cryptographic weaknesses; support them only where legacy
devices leave no alternative, and prefer WPA2-Enterprise for corporate access.)
o WPA-Personal
o WPA2-Personal
o WPA-Enterprise
o WPA2-Enterprise
o WEP
• If you need to support WPA-Enterprise or WPA2-Enterprise, which of the following
Extensible Authentication Protocol (EAP) types do you need to support? (LEAP is
vulnerable to offline dictionary attacks and should be treated as legacy.)
o EAP-TLS
o PEAP
o EAP-FAST
o LEAP
o EAP-SIM
• Which type of non-EAP authentication connection do you need to support? (PAP
transmits the password unprotected and should only be considered inside an encrypted
tunnel.)
o Unencrypted passwords (PAP)
o Challenge Handshake Authentication Protocol (CHAP)
o Microsoft CHAP (MS-CHAP)
o Microsoft CHAP Version 2 (MS-CHAP v2)
• What type of VPN platform do you have deployed in your on-premises network?
• Is the VPN platform supported by, or able to be integrated with, the mobile device
management solution?
• If the VPN platform is already integrated with or supported by an existing non-mobile device
management solution, does the mobile device management solution integrate with
both systems?
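The following Python script is an added example (not from this guide or from any Microsoft tool) that applies the protocol choices in the wireless profile discussion and the questions above to actual profiles: it parses Windows WLAN profile XML and reports settings a corporate profile should not carry (WEP or TKIP encryption, open or shared-key authentication, pre-shared keys, WPA2 without 802.1X, and LEAP as the EAP method). The two embedded profiles are constructed; the element names and namespaces follow the Windows WLAN profile schema, but the method-specific <Config> element that a complete 802.1X profile carries (server certificate validation, client certificate selection) is omitted.

```python
"""Audit Windows WLAN profile XML for weak wireless settings.

Added example, not code from the guide or from any Microsoft tool. The two
profiles below are constructed; the per-method <Config> body of a complete
802.1X profile is omitted.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "c": "http://www.microsoft.com/provisioning/EapCommon",
}

# IANA EAP method type numbers for the methods listed in the planning questions.
EAP_METHODS = {13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST", 17: "LEAP", 18: "EAP-SIM"}
WEAK_EAP_METHODS = {"LEAP"}                 # offline dictionary attack on the exchange
WEAK_ENCRYPTION = {"WEP", "TKIP", "none"}   # key recovery / forgery attacks, or no encryption
WEAK_AUTH = {"open", "shared", "WPA"}       # no auth, WEP shared key, or TKIP-era WPA
PSK_AUTH = {"WPAPSK", "WPA2PSK"}            # one secret for every device; no per-user revocation


def audit_profile(xml_text: str) -> List[str]:
    """Return the list of findings for one profile; an empty list meets the bar."""
    root = ET.fromstring(xml_text)
    auth_enc = root.find("w:MSM/w:security/w:authEncryption", NS)
    auth = auth_enc.findtext("w:authentication", default="", namespaces=NS)
    enc = auth_enc.findtext("w:encryption", default="", namespaces=NS)
    use_onex = auth_enc.findtext("w:useOneX", default="false", namespaces=NS).lower() == "true"

    findings: List[str] = []
    if auth in WEAK_AUTH:
        findings.append(f"authentication '{auth}' is superseded; require WPA2 with 802.1X")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"encryption '{enc}' is broken; require AES (CCMP)")
    if auth in PSK_AUTH:
        findings.append("pre-shared key: the secret is shared by every device and cannot be revoked per user")
    if auth == "WPA2" and not use_onex:
        findings.append("WPA2 without 802.1X (useOneX=false) cannot use per-user or per-device credentials")
    if use_onex:
        type_node = root.find(".//c:Type", NS)     # EAP method type inside EapHostConfig
        if type_node is None:
            findings.append("802.1X enabled but no EAP method configured")
        else:
            method = EAP_METHODS.get(int(type_node.text), f"EAP type {type_node.text}")
            if method in WEAK_EAP_METHODS:
                findings.append(f"{method} is dictionary-attackable; prefer EAP-TLS or PEAP")
    return findings


# Constructed legacy profile: WEP with a shared key, no 802.1X.
LEGACY_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Warehouse-Legacy</name>
  <SSIDConfig><SSID><name>Warehouse-Legacy</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>shared</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>networkKey</keyType>
      <protected>false</protected>
      <keyMaterial>0123456789</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed corporate profile: WPA2-Enterprise, AES, EAP-TLS (type 13).
CORP_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-Secure</name>
  <SSIDConfig><SSID><name>Corp-Secure</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
          <!-- method-specific <Config> omitted in this example -->
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for label, profile in (("legacy", LEGACY_PROFILE), ("corporate", CORP_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```

Run the audit over the profiles your MDM solution is about to push (or export from an existing fleet) before deciding which of the protocols in the list above you really need to keep supporting; every finding is a device population that will need a migration plan rather than a profile.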
Certificate management
Digital certificates, issued either by your organization’s own certification authority (CA) or by a
third-party CA, may be used to authenticate mobile devices to network connections or specific network
resources. To simplify managing digital certificates, administrators can usually manage
certificates using certificate profiles. This allows a uniform, centralized method for managing
certificates, including how they are created, issued and renewed. This also helps users connect to
corporate resources without having to request and install certificates manually or by using a
non-approved security process. However, using certificates for this type of authentication often
requires additional on-premises infrastructure. This may include all or some of the
following network components, depending on the level of integration supported by the mobile
device management solution:
• Directory services: Directory services, such as Microsoft Active Directory, are usually
required to securely connect and manage all other network components.
• Certification Authority (CA) server: If you’re issuing certificates from your own internal PKI,
you’ll need a certification authority to create, issue, manage, renew and revoke
digital certificates.
• Network Device Enrollment Service (NDES) server: This server allows software and
mobile devices to obtain certificates based on the Simple Certificate Enrollment Protocol
(SCEP).
• Proxy server: Depending on your on-premises network configuration, you may require a
proxy server that allows mobile devices to receive certificates using an Internet
connection and without directly connecting to your internal corporate network.
Certificate management planning questions: As part of mobile device management lifecycle
planning, you’ll want to answer the following planning questions about certificate management:
• Does your organization already require or use digital certificates to authenticate access
to network resources?
• Do you have an existing enterprise public key infrastructure (PKI)?
• Do you need to automatically issue digital certificates to mobile devices?
• How are digital certificates created, issued, renewed, or revoked for mobile devices?
• Are digital certificates centrally managed by an on-premises or third party Certification
Authority (CA)?
• Do you need to have different certificates assigned for access to different network
services? Is this dependent on the type of mobile device accessing the network?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and advantages/disadvantages of each option. By
having answered those questions you will select which option best suits your business
needs.
Task 4: Define your mobile device management lifecycle strategy
In this task, you’ll refine the mobile device management lifecycle strategy to meet the
management requirements you identified in Tasks 1-3.
Task 4a: Device enrollment options
Enrolling devices in Intune, whether standalone or when connected to System Center 2012,
requires that you prepare the service for the devices. Enrolling mobile devices in MDM for Office
365 only requires that each user included in a security policy respond to an enrollment message
the next time they sign in to Office 365 on their mobile device. They must complete the
enrollment and activation steps on each mobile device they will use to access Office 365 email
and documents.
Intune standalone needs to be configured to define the Mobile Device Management Authority,
which can be either Intune or an on-premises System Center 2012 R2 Configuration
Manager infrastructure. This simply means “which management platform do you want to use to
manage Intune-enrolled devices: Intune or System Center?” It’s very important to choose the
best option for your organization up front, because the management authority cannot be easily
changed once set. If you need to change this configuration, you’ll have to
contact Microsoft Support for assistance. For most organizations that are already using System
Center 2012 R2 Configuration Manager to manage PCs, servers, and other devices, connecting the
on-premises solution with Intune and managing devices with System Center 2012 R2
Configuration Manager (ConfigMgr) is usually the best choice. To assign the mobile device
management authority to ConfigMgr, you create an Intune subscription from within the
ConfigMgr console and select the option to allow ConfigMgr to manage the Intune subscription
and Intune-enrolled devices.
Additionally, before you can enroll certain types of mobile devices running different mobile
operating systems, you’ll need to prepare the Intune service with specific configuration.
For example, if you plan to enroll Apple iOS-based devices, you’ll need to
configure Intune with an Apple Push Notification service (APNs) certificate prior to enrolling
iOS-based devices. Without it, Intune can’t communicate with the APNs service and therefore
cannot reach iOS-based devices. Other mobile devices, such as devices running Android or Windows Phone
operating systems, have their own separate enrollment requirements.
Depending on how you answered the questions in Task 1, you should be able to determine how
you want devices to be enrolled in the mobile device management solution. Table 5 below will
help you understand the advantages and disadvantages of each enrollment scenario:
Table 5

Enrollment scenario: Administrators enroll all mobile devices
Advantages:
• Administrators closely control the enrollment of all devices, effectively pre-screening any
device or user at the beginning of the enrollment process
• Each device is enrolled without any user interaction, reducing device enrollment errors
• Easier to support more complex, automated, bulk, or highly customized device
enrollment processes
• Support/help desk costs may decrease since experienced administrators are performing
the device enrollments
Disadvantages:
• If supporting a BYOD strategy, increased likelihood that administrators may see or
expose sensitive user personal information if appropriate security controls are not in
place
• Users may have to arrange times with you to drop off and pick up mobile devices,
requiring device enrollment scheduling and tracking
• Modern mobile device users may feel that this centralization is cumbersome and
inconvenient, leading to user-defined workarounds that may compromise enrollment
security and compliance processes

Enrollment scenario: User self-enrolls mobile devices
Advantages:
• More convenient and flexible for device owners/users
• Typically quicker device enrollment than a centralized enrollment process
• Offloads relatively simple administration tasks from you to your users, saving time,
scheduling, tracking and administration overhead costs
Disadvantages:
• Potential increase in support costs or help desk calls; less-experienced users may need
personalized enrollment assistance
• User confusion or problems with device enrollment security or compliance requirements
may stall enrollment or generate a support call
Your organization might need to have the capability to implement both of these enrollment
scenarios, requiring a blend of support and the mixing and matching of the advantages and
disadvantages listed above. In this case, your mobile device management solution needs to be
able to support both scenarios.
Task 4b: Device enrollment and provisioning options
When a user wants to use and enroll their own device, this immediately raises requirements
from both the user and IT and impacts several areas shown in Figure 4:
Figure 4 - Overview of the enrollment process for mobile devices using hybrid Intune and
System Center 2012 R2 Configuration Manager
1. With Windows Server 2012 R2, a new concept known as device registration was
introduced. Users can register their devices for single sign-on and access to corporate
data using Workplace Join. As part of this registration process, a certificate is installed
on the device. In return for registering their device and making it known to the device
management solution, the user gains access to corporate resources that were previously
not available outside of their domain-joined PC.
2. Users can enroll devices, which configures the device for management with Microsoft
Intune, using the Company Portal, and then use the Microsoft Intune Company
Portal for easy access to corporate applications and data and to manage their
own devices, performing tasks such as remotely wiping them in the event they are lost,
stolen or replaced.
3. You can publish access to corporate resources with the built-in capability available in
Windows Server 2012 R2 called Web Application Proxy, based on device awareness (i.e., is
it registered) and the user’s identity. Multi-factor authentication can be used through
Azure Active Authentication.
4. In order to provide administrators with a unified view of their entire environment, the
data from Microsoft Intune is synchronized with ConfigMgr, which provides unified
management across both on-premises and cloud devices.
5. As part of the enrollment process, a new device object is created in Active Directory. This
device object establishes a link between the user and their device, making it known to
the device management solution and allowing the device itself to be authenticated,
effectively providing a seamless second authentication factor.
Depending on how you answered the questions in Task 1, you should be able to determine how
you want devices to be managed in the mobile device management solution. Table 6 below will
help you understand the advantages and disadvantages of each provisioning option:
Table 6 – Enrollment & provisioning options

Intune (standalone)
Advantages:
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- A cloud-based service; mobile devices can be enrolled from any location with Internet access
- Devices may be enrolled via a centralized, customizable Company Portal
- Advanced device provisioning options for mobile devices
Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform

MDM for Office 365
Advantages:
- Integrated with Office 365 tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 8.1, and Windows Phone)
- Basic device provisioning options for mobile devices
Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform
- Less advanced device provisioning options

Hybrid (Intune with System Center)
Advantages:
- Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, and Windows Phone), and includes provisioning for all major non-mobile device operating systems
- Supports advanced device provisioning options for mobile devices via Intune connectivity
Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don't have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
For more details about mobile device enrollment and provisioning options, make sure to review
how to enable mobile device enrollments in Microsoft Intune and compare these requirements
and procedures to enable mobile device enrollments in System Center 2012 R2 Configuration
Manager and MDM for Office 365.
Task 4c: Device management options
Managing mobile devices with Intune and System Center centers around management policies.
Policies define groups of settings for mobile devices and can be either created from templates
or customized for specific devices, users, or groups. The best management practice is to create
management policies before mobile devices are enrolled in the management solution. This
ensures that the devices are immediately managed in accordance with the policies and processes
defined in your IT strategy. Both solutions allow for configuring the following policy types:
Configuration policies: Configuration policies are used to define the general organizational
settings for each enrolled mobile device. This may include device password, application,
cloud policy, and encryption settings, but can include many other device settings for
different management areas. Additionally, configuration policies are applied and configured
differently for different types of mobile device operating systems by using device enrollment
profiles.
Tip
When creating different policies for different types of devices, users, or groups – it’s easy to
have conflicting policy settings applied to the same device. Be sure that you understand how
conflicting policy settings are applied.
Compliance policies: Compliance policies enforce your organization’s requirements for
mobile devices to access (or be denied access) to company resources or services. This can
also include device password and encryption settings, as well as determining if the mobile
device is rooted (“jail-broken”). As with configuration policies, Intune and System Center
2012 compliance policy options also vary by mobile device operating system type. If you’re
creating compliance policies in System Center 2012 R2 Configuration Manager, it’s
important to note that increased granularity can be configured as part of a multi-part
process:
1. Creating configuration items
2. Creating configuration baselines
3. Deploying the configuration baselines to System Center 2012 R2 Configuration
Manager user or device collections
Conditional access policies: Conditional access policies define how access to email is
managed and can be used separately or in conjunction with compliance policies.
Connections to your Exchange Server or Exchange Online service must be configured in
Intune or in System Center 2012 before conditional access policies can be deployed.
Conditional access can also be configured for Office 365 and SharePoint Online services.
Depending on how you answered the questions in Task 1, you should be able to determine how
you want devices to be managed in the mobile device management solution. Table 7 below will
help you understand the advantages and disadvantages of each management scenario:
Table 7 – Management options

Intune (standalone)
Advantages:
- Supports simplified policy control for managing users and devices
- Provides a simple, web-based administration & management console that is accessible from any location
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows for selective wipe or full factory reset for all mobile devices
- Includes a customizable Company portal, allowing the managed and secure distribution of internal and 3rd party mobile applications
- Deploy certificates
- Allows organizations to prevent cut/copy/paste functions in mobile applications
- Supports enforcing the use of managed browsers
Disadvantages:
- Additional licensing requirements and costs for user accounts enrolling devices in the Intune service

MDM for Office 365
Advantages:
- Integrated web-based administration and management console within an Office 365 tenant
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows for selective wipe or full factory reset for all mobile devices
Disadvantages:
- Managing many non-mobile on-premises devices isn't supported
- Advanced mobile device management features and functionality aren't supported:
  o Provisioning and managing certificates, email, VPN, wireless profiles
  o Enrolling and managing collections of devices
- Mobile application management features and functionality aren't supported:
  o Deploying line of business applications to mobile devices
  o Enabling secure data access to Office mobile applications
  o Extending corporate data securely to line of business apps for mobile devices
  o Enabling managed browsers and other content viewing applications

Hybrid (Intune with System Center)
Advantages:
- All the advantages of Intune standalone, plus the following:
  o Provides a single pane of glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell)
Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don't have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
- VPN and email profiles for Android devices aren't currently supported
- Managed browser support isn't currently supported
Task 4d: Device monitoring options
Monitoring and understanding the status and configuration of all mobile devices managed by
your organization is an important first step in discovering problems and non-compliance, and in
managing device inventory. Without detailed reports on hardware, software, and compliance
status, it's impossible to reconcile your device policies with actual device configurations and to
make sure that devices are operating properly. Proactive monitoring will mitigate smaller
problems before they become larger, more costly problems.
Intune, MDM for Office 365, and a hybrid deployment of Intune and System Center 2012 R2
Configuration Manager all provide monitoring and reporting capabilities to help manage devices,
users, and compliance with your organization's policies and procedures. Leveraging built-in
reports, coupled with the ability to create customized reports, you can monitor several
mobile device management areas that include:
Update reports for software
Software inventory reports
Hardware inventory reports
Licensing reports
Non-compliance reports
Depending on the configuration of your infrastructure, you may be able to leverage different
types of reporting capabilities, depending on your monitoring needs. Intune-based monitoring
and reporting capabilities are the backbone for MDM for Office 365 (as well as Intune
standalone deployments, of course) and can be tightly integrated with the reporting capabilities
of System Center 2012 R2 Configuration Manager when connected in a hybrid deployment. Each
element of the reporting stack shown below has different, yet complementary, reporting
capabilities. It's important that you understand the nuances of the reporting capabilities of each
element of the mobile device management solution.
Figure 5 – Integrated mobile device monitoring and reporting
Depending on how you answered the questions in Task 2, you should be able to determine how
you want to monitor mobile devices in the mobile device management solution. Table 8 below
will help you understand the advantages and disadvantages of each monitoring scenario:
Table 8 – Monitoring options

Intune (standalone)
Advantages:
- Monitoring overview/dashboard
- Alerts when errors are detected on direct managed network devices
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device
- Can monitor details in the following areas:
  o System
  o OS
  o Storage
  o Exchange ActiveSync
  o System enclosure
  o Network
  o Service
Disadvantages:
- Email alerts only, no text-based or voice alerts

MDM for Office 365
Advantages:
- Monitoring overview/dashboard
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device
Disadvantages:
- Mobile device compliance status reports only

Hybrid (Intune with System Center)
Advantages:
- All the advantages of Intune standalone, plus the following:
  o Comprehensive, threshold-based, consolidated monitoring and reporting for all your organization's devices, including non-mobile and non-Intune enrolled devices
  o Advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience provided by Reporting Services Report Builder
Disadvantages:
- Requires additional configuration to connect Intune with the on-premises System Center infrastructure
- For organizations that don't have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
For more details about mobile device monitoring options, make sure to review how to monitor
mobile devices and manage reporting in Microsoft Intune and compare these requirements and
procedures to monitoring mobile devices and managing reporting in System Center 2012 R2
Configuration Manager and MDM for Office 365.
Task 4e: Email management options
Providing managed access to corporate email from mobile devices is usually the primary need
to implement a mobile device management solution. And typically, it's the gateway service that
drives initial mobile device enrollment. For example, in MDM for Office 365 a security policy
provides basic managed access to email mailboxes hosted in Exchange Online. This policy
configures Exchange ActiveSync settings that can enforce basic mobile device compliance
settings, such as requiring a device password and device encryption, before the device will be
able to connect to a user mailbox.
Configuring email management options in Intune and hybrid Intune and System Center 2012 R2
Configuration Manager deployments follows a similar process. The primary difference is that
more advanced email management options are available in these types of deployments. For
Intune standalone, configuring managed email access to mailboxes hosted on both
Exchange Online and Exchange on-premises is supported, as is the configuration
of customized email profiles. These are enabled by configuring both configuration and
compliance policies in the Intune service. Hybrid Intune and System Center 2012 R2
Configuration Manager deployments also support managed email access, but only for mailboxes
hosted on Exchange Online.
In the scenario that you see in Figure 6, the user has enrolled their device into the Intune service
and is now trying to access their corporate email using Office 365 or Exchange on-premises.
Based on the settings defined by the IT administrator at their company, Intune performs a policy
verification process: the user's access will be granted if the device is encrypted, a
passcode is set, and the device isn't jailbroken or rooted. If a user tries to access corporate
email and their device is not enrolled, or not compliant based on settings defined by the IT
admin, the user will receive an email explaining why their access has been blocked, with steps for
how to resolve the issue.
Figure 6 – Managed email access
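The policy verification described above, together with the Task 4c tip about conflicting policy settings, as an added example that is not part of the original guide: a small Go model in which overlapping policies are merged with the stricter setting winning, each enrolled device is checked for encryption, passcode and jailbreak status, and the result is either access or the list of remediation steps the blocked user would be told. The policy and device fields, the constructed devices and the remediation wording are assumptions, not Intune's own schema.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical model of the settings an administrator puts in an
// Intune compliance policy (field names are assumed, not Intune's own schema).
type Policy struct {
	Name              string
	RequirePassword   bool
	MinPasswordLength int
	RequireEncryption bool
	BlockJailbroken   bool
}

// Device is a constructed snapshot of what a device reports at check-in.
type Device struct {
	ID             string
	Enrolled       bool
	PasswordSet    bool
	PasswordLength int
	Encrypted      bool
	Jailbroken     bool
}

// Decision is the conditional access outcome for one mailbox connection attempt.
type Decision struct {
	Allow   bool
	Reasons []string // remediation steps for the block notification; empty when allowed
}

// Merge resolves policies that overlap on the same device: the stricter setting
// wins, which is how the guide describes Exchange ActiveSync enforcement.
func Merge(policies ...Policy) Policy {
	out := Policy{}
	names := make([]string, 0, len(policies))
	for _, p := range policies {
		names = append(names, p.Name)
		out.RequirePassword = out.RequirePassword || p.RequirePassword
		out.RequireEncryption = out.RequireEncryption || p.RequireEncryption
		out.BlockJailbroken = out.BlockJailbroken || p.BlockJailbroken
		if p.MinPasswordLength > out.MinPasswordLength {
			out.MinPasswordLength = p.MinPasswordLength
		}
	}
	out.Name = strings.Join(names, "+")
	return out
}

// Evaluate checks one device against a policy and returns every failed
// requirement phrased as the step the user must take to become compliant.
func Evaluate(p Policy, d Device) []string {
	var reasons []string
	switch {
	case p.RequirePassword && !d.PasswordSet:
		reasons = append(reasons, "set a device passcode")
	case p.RequirePassword && d.PasswordLength < p.MinPasswordLength:
		reasons = append(reasons, fmt.Sprintf("use a passcode of at least %d characters", p.MinPasswordLength))
	}
	if p.RequireEncryption && !d.Encrypted {
		reasons = append(reasons, "turn on device encryption")
	}
	if p.BlockJailbroken && d.Jailbroken {
		reasons = append(reasons, "jailbroken or rooted devices cannot access company email")
	}
	return reasons
}

// ConditionalAccess mirrors the Figure 6 flow: an unenrolled device is told to
// enroll first; an enrolled device gets access only when it meets every
// requirement of the merged policy, otherwise it gets the list of fixes.
func ConditionalAccess(p Policy, d Device) Decision {
	if !d.Enrolled {
		return Decision{Reasons: []string{"enroll the device through the Company Portal"}}
	}
	reasons := Evaluate(p, d)
	return Decision{Allow: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed policies: a baseline for everyone and a stricter one for one group.
	baseline := Policy{Name: "baseline", RequirePassword: true, MinPasswordLength: 4, RequireEncryption: true}
	finance := Policy{Name: "finance", RequirePassword: true, MinPasswordLength: 6, BlockJailbroken: true}
	merged := Merge(baseline, finance)
	devices := []Device{
		{ID: "phone-1", Enrolled: true, PasswordSet: true, PasswordLength: 6, Encrypted: true},
		{ID: "phone-2", Enrolled: true, PasswordSet: true, PasswordLength: 4, Jailbroken: true},
		{ID: "phone-3"},
	}
	for _, d := range devices {
		dec := ConditionalAccess(merged, d)
		fmt.Printf("%-8s allow=%-5v %v\n", d.ID, dec.Allow, dec.Reasons)
	}
}
```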
Depending on how you answered the questions in Task 1, you should be able to determine how
you want email access to be managed in the mobile device management solution. Table 9 below will
help you understand the advantages and disadvantages of each email management scenario:
Table 9 – Email management options

Intune (standalone)
Advantages:
- Supports email management for all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- Can leverage native mobile device email applications via integration with Exchange ActiveSync
- Integration with Exchange Online via the Service-to-Service connector to allow cross-platform monitoring and reporting between Intune and Office 365
- Supports configuration of email profiles for managing Exchange ActiveSync-based settings on mobile devices
- Managed email access
Disadvantages:
- Email profiles aren't supported for Android-based mobile devices

MDM for Office 365
Advantages:
- Allows Exchange ActiveSync support for password, encryption, and rooted device compliance
- Support for managed (conditional) email access
Disadvantages:
- Advanced email management profiles aren't supported for mobile devices

Hybrid (Intune with System Center)
Advantages:
- Intune on-premises connector for hybrid connectivity with Exchange Online
- Integration with Exchange ActiveSync (most strict policy setting is enforced)
- Email profiles
- Conditional access to restrict email access to Exchange Online
- Set compliance policies to define the rules and settings the device must comply with in order to be allowed access to the services
- Conditional access policies for each service define rules for security groups, Intune groups, or how unenrolled devices are managed
Disadvantages:
- Managed access to email only available for mailboxes hosted on Exchange Online, not mailboxes hosted on Exchange on-premises
- The service-to-service connector should not be configured if you enable conditional access for both Exchange Online and Exchange on-premises
For more details about mobile device email configuration management options, make sure to
review how to enable email profiles and managed email access in Microsoft Intune and compare
these requirements and procedures to enabling email profiles and managed email access in
System Center 2012 R2 Configuration Manager and MDM for Office 365.
Task 4f: Network connectivity management options
Managing how mobile devices connect to resources located on your on-premises network
impacts several important areas of your solution design. Depending on your infrastructure,
mobile devices may connect to corporate resources from a variety of Internet connectivity
services, often secured by leveraging VPN-protected endpoints.
Managing Wi-Fi network access with Intune or a hybrid deployment with System Center 2012 R2
Configuration Manager enables the ability to deploy Wi-Fi profiles that can provision Wi-Fi
networks, so the device can auto connect to the network when it is in range. For example,
mobile devices can be configured to connect to a Wi-Fi network segmented to a conference
room, but then automatically connect to a different Wi-Fi network segment when roaming to a different
location. Users don't have to enter passwords or choose a network - it just works. Intune and
System Center 2012 can also deploy VPN profiles directly to mobile devices, enabling user
access to internal corporate resources without any additional configuration or manual work.
Additionally, Intune can also configure mobile devices to automatically start a VPN
connection based on the type of resource or method of access. However, there are different
configuration requirements for different types of mobile device operating systems.
Depending on how you answered the questions in Task 3, you should be able to determine how
you want mobile device network connectivity to be managed in the mobile device management solution. Currently, Mobile
Device Management for Office 365 doesn't support managing wireless and VPN network
resources for mobile devices. Table 10 below will help you understand the advantages and
disadvantages of managing the wireless and VPN networks for the Intune standalone and hybrid
Intune with System Center deployment scenarios:
Table 10 – Network management options

Intune (standalone)
Advantages:
- Supports wireless and VPN profiles on all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- Supports industry leading VPN connection types, including Cisco, Juniper, Dell SonicWall, Checkpoint, and others
- Wireless and VPN profiles can be integrated with SCEP certificate profiles for increased security
- Supports configuring customized wireless and VPN profiles for different types of users, devices, device operating systems, or user groups and roles
- DNS name-based initiation support for Windows 8.1, Windows Phone 8.1 and iOS
- Application ID based initiation support for Windows 8.1
Disadvantages:
- To support VPN profiles, you'll need to deploy and maintain an on-premises VPN infrastructure

MDM for Office 365
Advantages:
- Not available
Disadvantages:
- Not available

Hybrid (Intune with System Center)
Advantages:
- All the advantages of Intune standalone, plus the following:
  o VPN profiles are supported by your existing on-premises enterprise VPN infrastructure
Disadvantages:
- To support VPN profiles, you'll need to deploy and maintain an on-premises VPN infrastructure
- Specific security permissions must be granted to manage Wi-Fi profiles and VPN profiles in System Center 2012 R2 Configuration Manager
For more details about mobile device wireless and VPN configuration management options,
make sure to review how to enable wireless and VPN profiles in Microsoft Intune and compare
these requirements and procedures to enabling wireless and VPN profiles in System Center 2012
R2 Configuration Manager.
Task 4g: Certificate management options
Leveraging digital certificate management and certificate profiles is supported both by Intune
standalone and hybrid Intune and System Center 2012 deployment scenarios. This allows you to
deploy trusted root certificates to mobile devices, as well as Simple Certificate Enrollment
Protocol (SCEP) based profiles that instruct mobile devices to get additional certificates from an
NDES server in your organization. Since SCEP is natively supported by iOS, Windows 8.1 and
Windows Phone 8.1, and is also supported through the Windows Intune Company Portal app for
Android, using this enrollment protocol has the advantage of having the private key generated
directly on the mobile device. The private key is never generated, cached, or stored by either
System Center or by Intune - which helps to keep the mobile device secure.
Figure 7 shows how Intune and ConfigMgr use NDES to provide secure certificate
provisioning to mobile devices using SCEP:
Figure 7 – Secure certificate provisioning
1. A policy that includes the properties of the certificate for SCEP enrollment is created on the
Intune service.
2. Intune converts the policy to a platform mobile device management protocol (like OMA-DM
for Windows 8.1) and sends it to the device.
3. The mobile device receives the policy and initiates an enrollment request to NDES.
4. NDES forwards the request to System Center.
5. System Center compares the request attributes of the SCEP request for an authentication
match and sends confirmation back to NDES.
6. NDES sends a certificate issuance request to the CA, and the CA sends the certificate to the NDES
role.
7. The NDES role sends the certificate to the device.
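The seven steps above, as an added example that is not part of the original guide: Go's standard crypto/x509 package models the device generating its key pair and building the enrollment request, the NDES-side checks (proof of possession and the step 5 attribute match against the policy), and a constructed in-memory CA issuing the certificate, so that only the request, never the private key, crosses the device boundary. The ScepPolicy type, the single subject attribute it carries, and the in-memory CA are assumptions; the challenge password that a real SCEP exchange also carries is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ScepPolicy is a hypothetical model of the step 1 certificate profile: the subject the device must request.
type ScepPolicy struct{ SubjectCN string }

type Device struct{ priv *ecdsa.PrivateKey } // no function below returns or serializes priv

// NewDevice generates the key pair on the device itself.
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: k}, err
}

// CSR builds the enrollment request from the received policy (step 3).
func (d *Device) CSR(p ScepPolicy) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: p.SubjectCN}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, d.priv)
}

// CA is a constructed in-memory enterprise certification authority (step 6).
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

// NewCA self-signs a root certificate for the example.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Enterprise CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: key, serial: 1}, err
}

// Issue signs the public key carried in the CSR; the CA only ever sees the request.
func (c *CA) Issue(csr *x509.CertificateRequest) ([]byte, error) {
	c.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // lifetime would come from the profile
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.Cert, csr.PublicKey, c.key)
}

// NDESEnroll is the server side of steps 3 to 7: parse, verify proof of possession, check the policy match (step 5), have the CA issue.
func NDESEnroll(ca *CA, csrDER []byte, p ScepPolicy) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // request signed by the key it carries
		return nil, err
	}
	if csr.Subject.CommonName != p.SubjectCN {
		return nil, fmt.Errorf("subject %q does not match policy subject %q", csr.Subject.CommonName, p.SubjectCN)
	}
	der, err := ca.Issue(csr) // step 6
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // step 7: sent back to the device
}

func main() {
	ca, _ := NewCA()
	dev, _ := NewDevice()
	csr, _ := dev.CSR(ScepPolicy{SubjectCN: "phone-0001"}) // constructed subject
	_, err := NDESEnroll(ca, csr, ScepPolicy{SubjectCN: "phone-0001"})
	fmt.Println("enrollment error:", err) // <nil> when the certificate was issued
}
```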
Depending on how you answered the questions in Task 3, you should be able to determine how
you want certificates managed in the mobile device management solution. Currently, MDM for
Office 365 doesn’t support managing certificate profiles for mobile devices. Table 11 below will
help you understand the advantages and disadvantages of the certificate profile management
for Intune and the hybrid Intune with System Center deployment scenario:
Table 11 – Certificate management options

Intune (standalone)
Advantages:
- Supports certificate profiles on all major mobile device operating systems (Android, iOS, Windows 8.x, and Windows Phone)
- Platform supports the Simple Certificate Enrollment Protocol (SCEP)
- Certificate profiles can automatically configure mobile devices so that company resources can be accessed without having to install certificates manually or use a non-approved security process
- Certificates can be automatically revoked when the device is retired from management, selectively wiped, or blocked from the management hierarchy
Disadvantages:
- To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES

MDM for Office 365
Advantages:
- Not available
Disadvantages:
- Not available

Hybrid (Intune with System Center)
Advantages:
- All the advantages of Intune standalone, plus the following:
  o Also supports managing certificates for non-mobile devices
Disadvantages:
- To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES
For more details about mobile device certificate management options, make sure to review how
to enable certificate profiles in Intune and compare these requirements and procedures to
enabling certificate profiles in System Center 2012.
Step 3 - Plan for secure mobile devices
Enabling on-premises and remote users to access company resources on their mobile devices
will increase productivity; however, it will also increase threats that must be mitigated in order to
keep the company's data secure and maintain users' privacy. While these are core requirements to
secure mobile devices, you also need to consider your organization's individual requirements for
securing corporate data and maintaining user privacy. Your company might have different
requirements in this regard; different compliance rules that will vary according to the industry
your company operates in may lead to different design decisions. However, there are some general
security aspects of mobile device management that should be explored and validated,
regardless of the industry, as shown in Figure 8:
Figure 8 – Security capabilities in a MDM solution
The foundation of this diagram shows the core security capabilities that are required for any
MDM solution. The key areas that these capabilities will be handling are explained below:
1. Data protection at the mobile device level:
Data encryption
Data classification
Client privacy
Containerization
Policy enforcement
Hardening
2. Data protection while in transit:
Data encryption
Authentication
Authorization
3. Data protection while at rest in your on-premises organization:
Data encryption
Authentication
Authorization
4. Data protection while at rest in the cloud:
Data encryption
Authentication
Authorization
The tasks that follow will explain how this will influence your decisions when choosing the best
MDM solution for your business requirements.
Task 1: Gather your data protection requirements
In order to define the data protection requirements, you must first understand some essential
characteristics of your organization. It is important to understand if your company has to be
compliant with specific regulations and also understand your current policy regarding data
protection. By knowing these core elements, you'll have the foundational requirements and
basis on which to ask more granular questions. This will lead to better design decisions for your
MDM solution. When defining these requirements, consider the following:
Data encryption at rest: As shown in Figure 8, company data will be stored on the
user’s mobile device. It is important to ask the following questions to help you choose
the best MDM option available:
o Does the MDM solution support encrypting the entire mobile device disk?
If yes, for which operating systems?
o Does the MDM solution support app data encryption?
If yes, for which operating systems?
If yes, for which apps?
Data encryption in transit: Regardless who owns the data, at some point during the
data communication process, the data will be in transit between the mobile device and a
company server (or web service). You must understand what capabilities the MDM
solution has in order to protect data in transit. Ask the following questions to help you
choose the best MDM option:
o Does the MDM solution support data encryption in transit?
If yes, for which operating systems?
If yes, which capabilities are available?
o What options does the MDM solution have to protect data while in transit?
Data segregation: It’s also very important to understand if your company’s data should
be treated differently from the user’s data. Segregation, separation, or isolation are some
terms that can be used to describe this capability. When designing your MDM solution,
consider:
o Does the MDM solution support data separation?
If yes, is it possible to erase your company’s data, while preserving the
mobile device user’s data?
o Does the MDM data separation capability ensure that only trusted apps can
access data located on the mobile device?
o Does the MDM solution support containerization?
If so, is it possible to encrypt data located in a particular container?
Hardening mobile devices: Since there might be different mobile device platforms used
in your organization, you should understand what capabilities are available in each
mobile device platform. Each mobile device platform may control and harden devices via
different methods and at different levels of granularity. Some mobile devices may have a
more granular set of configuration than others. In this case, you must have a strategy to
use a common set of options to harden the devices and use custom policies to enhance
the security for each mobile device platform that your organization will support. Use the
list below as a reference for common options that should be supported by the MDM
solution to harden mobile devices:
o Requiring a password to unlock mobile devices
o Requiring a password type – minimum number of characters and character types
o Minimum password length
o Number of repeated sign-in failures to allow before the mobile device is wiped
o Minutes of inactivity before the device screen turns off
o Remembering password history – preventing the reuse of previous passwords
o Password expiration (days)
o Requiring encryption on the mobile device
o Requiring encryption on storage cards
o Allowing idle return without a password
Note
In Windows Phone 8.1 the policy Allow idle return without password can be configured
using the Windows Phone 8.1 Enterprise Device Management Protocol.
Task 2: Specify your privacy requirements
While Task 1 was more focused on data protection and how to enhance the overall security
of mobile devices to keep company data secure, the second task of this step focuses on
understanding your organizational requirements for privacy. In the previous step, you already
defined the device management tasks, which covered device management and content
distribution management. In this task, the goal is to define the privacy requirements for the
company content that will reside on the mobile device.
Note
Read the solution Streamlined management for mobile devices and computers in a
hybrid environment for more information about content distribution for mobile devices.
Your organization’s privacy requirements will vary according to your industry, applicable
regulations, and type of business. Your MDM solution should allow you to perform basic
hardware inventories, software inventories, file collections, and software distribution on mobile
devices. The privacy concerns that apply to your client computers for inventory and software
distribution also apply to mobile devices. Depending on what MDM solution you choose, it’s
possible to configure what software inventory you want to collect and whether you want to
collect files. Hardware inventory and software distribution are usually supported by default.
Before choosing a mobile device management solution, consider your unique privacy
requirements. When defining these requirements, consider:
Client Privacy: Empowering your users to use their mobile devices to connect and use
company resources also means that they will have to understand your organization’s
privacy policy and how this will affect their privacy:
o Are you required to provide users information regarding the privacy policy of
your company (and what they should expect from it)?
If yes, does the MDM solution have this capability built in?
o Does the MDM solution store mobile device information or data in the cloud?
If yes, how is privacy kept in the cloud?
Who has access to the data?
How is the privacy of data assured?
Data Classification: Understand what constitutes company data, and how to protect it.
Having policies and mechanisms in place to classify data is also part of the plan to
ensure privacy in mobile devices:
o Is it possible to identify or classify company documents or data that will reside on
the mobile device?
If yes, what type of data or document rights or permissions are
supported?
o Will the classification travel with the data or document, regardless of the mobile
device that the user is using?
o What type of data or documents can be classified?
Tip
Read the Microsoft Online Services Privacy Statement to better understand how Microsoft
Cloud services, including Intune, will maintain users’ privacy.
Task 3: Specify your access requirements
There is no use for a mobile device that can’t use apps and have access to the company data
that users need in order to perform their work. For this reason, it’s critical to understand how the
data will travel from the source location (on-premises or cloud) to the mobile device. If you refer
back to Figure 8, you will see the potential paths that the data will traverse and the
considerations that should be in place for each path. You need to review your company policies
to ensure that the requirements for authentication, authorization, and access control are aligned
with your business requirements. Many companies that have security policies in place don’t
consider how mobile devices can increase the likelihood of corporate data leakage. Answer the
following questions when determining your access requirements:
- Authentication and authorization: As part of the strategy to allow your users to access
  company data from mobile devices, it’s necessary to identify which users are eligible
  for this type of access. Some companies will initially allow data access for just a portion
  of their users, and will grant access to their remaining users on demand. This means that
  it is necessary for your solution to authenticate (identify that the user is who they claim
  to be) and authorize (evaluate whether the user should have access to the data that they are
  requesting) according to your company’s policy. When designing your solution, consider
  the following:
  o Does your organization have a current directory service that is used for
    authentication and authorization?
    - If yes, does the MDM solution integrate with your directory service to
      authenticate and authorize access to resources?
  o Does your organization need to have centralized authentication, or can it be
    hybrid?
  o Does your organization plan to have multi-factor authentication for mobile users?
  o Does your organization use an on-premises Public Key Infrastructure (PKI) to
    issue certificates?
    - If yes, does the MDM solution have the capability to perform
      authentication using digital certificates?
      - If yes, does the MDM solution have the capability to integrate with
        an existing on-premises PKI?
  o Does your organization need to use the current directory services to authenticate
    users accessing third-party apps?
    - If yes, does the MDM solution allow users to use single sign-on (SSO) to
      authenticate against third-party apps?
- Access Control: Once the user is authenticated and authorized, it’s necessary to validate
  the level of access that the user will have for the requested resource. This requested
  resource can be data or an app. When designing your solution, consider the following:
  o Does your company need to have different levels of control for managing the
    mobile devices and the MDM solution?
    - If yes, does the MDM solution support Role Based Access Control (RBAC)?
  o Does your company need to have different levels of access according to the
    user’s location?
    - If yes, does the MDM solution allow you to create access control
      restrictions according to the user’s location?
  o Does your company need to control access to apps?
    - If yes, does the MDM solution allow you to control access to apps
      installed on the mobile device?
  o Does your company need to control access according to a set of conditions?
    - If yes, does the MDM solution allow you to have conditional access
      control?
Tip
Read Secure access to company resources from any location on any device to better
understand how to leverage built-in Windows Server 2012 R2 capabilities in conjunction with
System Center to provide access to your company resources.
Task 4: Develop your incident response requirements
While many organizations already have an incident response (IR) plan in place, it’s important to
understand if the current plan includes mobile devices and what needs to be done in case an
incident is reported on those devices. If your company is just now embracing a mobility solution,
most likely the current IR plan doesn’t cover aspects unique to mobile devices.
If your organization doesn’t have a plan, it is important to work very closely with your security
team to understand the requirements in order to ask the right questions and choose the
best MDM solution for your needs.
Tip
Read Responding to IT Security Incidents to better understand the minimum requirements
for an IR plan.
When designing your MDM solution, make sure you ask the following questions regarding this
capability:
- Does your organization have an existing Incident Response Plan in place?
  o If yes, does it include processes and procedures for handling compromised
    mobile devices?
- Does the incident response policy cover scenarios where an end user reports that they’ve
  lost their mobile device?
  o Is it permissible to erase the entire device to avoid data leakage?
    - If it is, does your company have a backup policy in place for data that
      resides on mobile devices?
- Does your organization have different procedures for company-owned devices and
  personally-owned devices in case they are lost?
  o If yes, what are those procedures?
  o Will those procedures affect the selection of the MDM solution?
- If a user loses their personally-owned mobile device but they don’t authorize your
  company to erase the entire device, does the MDM solution allow selective device
  wipes?
- When a mobile device is compromised and you need to prevent that device from
  spreading malicious apps to the corporate network, does the MDM solution allow you to
  enforce policies that can rapidly contain the compromised device?
- Does the MDM solution allow you to plan for potential attacks in order to take proactive
  actions to address any problems?
Task 5: Plan your mobile device security strategy
In this task you will define the mobile device management security strategy to meet the
business requirements that you defined in Tasks 1-4.
Task 5a: Data encryption
After answering all questions in Task 1 regarding the requirements for data encryption at rest
and in transit, you now need to evaluate the options that are available to address each one of
those requirements. Even when the data is at rest, it can be encrypted in different ways, as
shown in Figure 9:
Figure 9 – Different levels of encryption
You can have full disk encryption or encryption based on the data handled by an app. System
Center 2012 R2 Configuration Manager allows you to enforce policies that will perform file
encryption on mobile devices. Although some mobile devices, like Windows Phone 8 devices, are
automatically encrypted, others only encrypt data if some other option is enabled. For iOS
devices, the encryption takes place automatically only after you configure the setting to require
the use of a password on the devices.
Note
For more information about the mobile devices that can have encryption enabled using
System Center 2012 R2 Configuration Manager, read Compliance Settings for Mobile
Devices in Configuration Manager.
For apps that are associated with a Microsoft Intune mobile application management policy,
encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations
according to the setting in the mobile application management policy. Managed apps on
Android use AES-128 encryption in Cipher Block Chaining (CBC) mode utilizing the platform
cryptography libraries. The encryption method is not FIPS 140-2 certified.
Intune also has an option to encrypt app data. This option allows you to specify that all data
associated with a particular app will be encrypted, including data stored on external media, such
as SD cards. The same capability is also available with MDM for Office 365.
Most MDM solutions use SSL to protect data in transit, so you’ll just need to decide if you will
be using an existing PKI to issue certificates or if you will be using a third-party vendor
certificate authority (CA). The advantage of using a third-party CA is that users using their own
device to access the company’s resources will automatically trust a well-recognized public CA.
Use Table 12 as a reference to assist you choosing the MDM option that best fits your
organization’s security requirements.
Table 12
MDM option | Advantages | Disadvantages
Intune (standalone) | Encrypts data associated with apps controlled by an Intune management policy | Does not include native encryption for mobile device storage; lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
MDM for Office 365 | Encrypts data based on the mobile device platform capability | Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
Hybrid (Intune with System Center) | Encrypts data associated with apps controlled by an Intune management policy; encrypts mobile device storage; provides more granular control of what can be encrypted on the mobile device, including selection of the encryption algorithm; centralized management of mobile device configuration settings for cloud-based and on-premises devices | If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration
Note
For more information about how to combine Intune and System Center 2012 R2
Configuration Manager capabilities to increase data protection and configure encryption,
read Managing Encryption on Mobile Devices with Configuration Manager and Intune.
Task 5b: Data segregation
Data segregation is important, not only for your organization, but also to keep your users’
personal information private. Data segregation plays an important role in scenarios where your
organization needs to remove all company apps and data from a device that belongs to the user,
without affecting the user’s personal data, as shown in Figure 10:
Figure 10 – User’s personal data is isolated from company’s data
Figure 10 shows that all apps, company data, and policies that were deployed by the MDM
solution can be removed from the device if necessary. Selective wipe for mobile device data
management was introduced in Windows Server 2012 R2 and Windows 8.1, with resources
to help Exchange Server and Microsoft Intune administrators manage enterprise data on
devices and develop apps that leverage the Windows Selective Wipe capabilities. Windows Phone
8 and Windows Phone 8.1 are capable of separating data in the internal storage as shown in
Figure 11:
Figure 11 – Core architecture of Windows Phone 8.x
Tip
Read more about Windows Phone 8.1 security capabilities by downloading the Windows
Phone 8.1 Security Overview
As you can see, mobile device platforms play an important role in how the data is kept secure
while at rest. You need to ensure that the MDM solution is able to leverage vendor-specific
capabilities that will ensure that data is separated. Use Table 13 as a reference to assist you in
choosing the MDM solution that best fits your organization’s data segregation requirements.
Table 13
MDM option | Advantages | Disadvantages
Intune (standalone) | Allows you to perform selective wipes to remove only company data located on mobile devices; allows you to perform factory resets and fully wipe mobile devices | Does not include native encryption for mobile device storage; lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
Office 365 with MDM | Allows you to perform selective wipes to remove only company data from mobile devices | Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
Hybrid (Intune with System Center) | Allows you to perform selective wipes to remove only company data from mobile devices; allows you to perform factory resets and fully wipe mobile devices; single management console to manage cloud-based and on-premises mobile devices | If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration
Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode
reset using Microsoft Intune to understand how data is removed and retained after a selective
wipe for each mobile device platform. If you have a hybrid environment, consult the article How
to remote wipe mobile devices using Configuration Manager to understand how System Center
2012 R2 Configuration Manager can be used to accomplish this task.
Task 5c: Hardening mobile devices
When creating a configuration baseline for mobile devices to harden their capabilities according to
your business needs, make sure that you are balancing usability with security. Sometimes a very
strict hardening template can cause usability and access problems, which defeats the purpose of
enabling users to access company resources with their devices. Also, it is important to remember
that not all security policies are available for all mobile device platforms. This means that your
design choices when selecting which mobile device platforms will be used by your organization
might have to change according to your security compliance requirements for hardening
devices.
One way to approach mobile device hardening is by having different layers of security. The
settings that are available for each one of those layers can also vary according to your MDM
solution. Figure 12 shows how this layered approach can assist you:
Figure 12 – Different areas of mobile device hardening
Each one of these layers can be used to identify areas that must be compliant with your business
security requirements. Microsoft Intune configuration policies can assist you in managing mobile
devices in your organization by allowing you to deploy security policies for devices that can be
used to harden system settings and enable encryption. They will also ensure that only
compliant apps are available for mobile devices by creating an access white list.
Another area that you must be able to control is the mobile browsing experience for your users.
A managed browser policy configures an allow or block list that restricts the web sites that users
of the managed browser can visit. Read Manage Internet access using managed browser policies
with Microsoft Intune for more information on how to configure these policies.
In a hybrid environment with ConfigMgr on-premises, you can create a configuration baseline.
Customize this baseline to include all required settings and deploy it to your mobile devices.
Compliance settings options will vary according to the vendor, so read Compliance Settings for
Mobile Devices in Configuration Manager for more information about the options available for
each mobile device platform.
MDM for Office 365 also has a set of capabilities to assist you in hardening mobile devices for
the following categories:
- Security
- Encryption
- Jailbroken
- Managed email profile
Read the article Capabilities of built-in Mobile Device Management for Office 365 for more
information on how to configure these settings.
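A compliance evaluation of the kind a configuration baseline drives, as an added example in Go that is not Intune's or Configuration Manager's code. The baseline, the device check-in data and the setting names are constructed for the illustration and are not product policy identifiers. It shows the caveat from this task in working form: a setting the platform cannot enforce is reported as not applicable and does not fail the device, whereas an applicable setting the device failed to report fails closed and counts as non-compliant.

```go
package main

import "fmt"

// Platform identifies the mobile OS a device reports at enrollment.
type Platform string

const (
	IOS          Platform = "iOS"
	Android      Platform = "Android"
	WindowsPhone Platform = "WindowsPhone"
)

// Setting is one configuration item of a hardening baseline. Applies lists the
// platforms that can enforce it; an empty list means every platform.
type Setting struct {
	Name    string
	Applies []Platform
	Check   func(reported interface{}) bool
}

// Device is the state a device reported during its last check-in.
type Device struct {
	Name     string
	Platform Platform
	Reported map[string]interface{}
}

const (
	Compliant     = "Compliant"
	NonCompliant  = "NonCompliant"
	NotApplicable = "NotApplicable"
	NotReported   = "NotReported"
)

// Verdict is the outcome for one baseline setting on one device.
type Verdict struct {
	Setting string
	Status  string
}

func (s Setting) appliesTo(p Platform) bool {
	if len(s.Applies) == 0 {
		return true
	}
	for _, a := range s.Applies {
		if a == p {
			return true
		}
	}
	return false
}

// Evaluate returns one verdict per setting plus the overall compliance flag.
// NotApplicable never fails the device; NotReported always does (fail closed).
func Evaluate(baseline []Setting, d Device) ([]Verdict, bool) {
	ok := true
	var out []Verdict
	for _, s := range baseline {
		v := Verdict{Setting: s.Name}
		switch val, reported := d.Reported[s.Name]; {
		case !s.appliesTo(d.Platform):
			v.Status = NotApplicable
		case !reported:
			v.Status, ok = NotReported, false
		case s.Check(val):
			v.Status = Compliant
		default:
			v.Status, ok = NonCompliant, false
		}
		out = append(out, v)
	}
	return out, ok
}

// Baseline is a constructed example; the names are hypothetical placeholders.
var Baseline = []Setting{
	{Name: "StorageEncrypted", Check: func(v interface{}) bool { b, _ := v.(bool); return b }},
	{Name: "PasscodeMinLength", Check: func(v interface{}) bool { n, _ := v.(int); return n >= 6 }},
	{Name: "JailbrokenOrRooted", Applies: []Platform{IOS, Android},
		Check: func(v interface{}) bool { b, _ := v.(bool); return !b }},
	{Name: "BrowserAllowListApplied", Applies: []Platform{IOS, Android},
		Check: func(v interface{}) bool { b, _ := v.(bool); return b }},
}

func main() {
	// Constructed check-in data for three devices.
	devices := []Device{
		{"exec-iphone", IOS, map[string]interface{}{"StorageEncrypted": true, "PasscodeMinLength": 6, "JailbrokenOrRooted": false, "BrowserAllowListApplied": true}},
		{"sales-android", Android, map[string]interface{}{"StorageEncrypted": false, "PasscodeMinLength": 4, "JailbrokenOrRooted": false}},
		{"field-wp", WindowsPhone, map[string]interface{}{"StorageEncrypted": true, "PasscodeMinLength": 8}},
	}
	for _, d := range devices {
		verdicts, ok := Evaluate(Baseline, d)
		fmt.Printf("%s (%s) compliant=%v %v\n", d.Name, d.Platform, ok, verdicts)
	}
}
```

The two decisions worth copying into a real baseline are explicit: which platforms a setting applies to is declared per setting rather than discovered at evaluation time, and silence from the device is treated as failure, so a device that stops reporting a setting cannot drift back into compliance.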
Hardening the mobile device platform plays an important role in keeping your company data
protected while allowing users to use their mobile device without compromising security. You
need to ensure that your MDM solution is able to leverage the vendor-specific capabilities that
will ensure that hardening is customized per platform and that common settings among major
vendors can be configured. Use Table 14 as a reference to assist you in choosing the MDM option
that best fits your organization’s device hardening requirements.
Table 14
MDM option | Advantages | Disadvantages
Intune (standalone) | Allows you to enforce policies for enrolled devices in the categories Encryption, Malware, Apps, E-Mails, System and Security; supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone) | Lacks integration with the current on-premises MDM platform and will introduce an additional management interface for you to use when managing mobile devices; some policies may not be available for some mobile platforms
MDM for Office 365 | Allows you to enforce policies for enrolled devices in the categories Encryption, Apps, Email Profile, Jailbroken and Security; supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone) | Lacks integration with the current on-premises MDM platform and will introduce an additional management interface for you to use when managing mobile devices; some policies may not be available for some mobile platforms; doesn’t have the same granularity as Intune
Hybrid (Intune with System Center) | Allows you to enforce policies for enrolled devices in the categories Encryption, Malware, Apps, E-Mails, System, Security and Jailbroken; supports policy deployment for major mobile device platforms (Android, iOS, Windows 8.x, and Windows Phone); single management console for mobile devices registered from the cloud and on-premises devices | If your company doesn’t have a current on-premises System Center infrastructure, it will require resources to plan, install and configure System Center prior to integration
Tip
Read more about mobile device management settings that you can configure in a Microsoft
Intune mobile device security policy at Mobile device management policy settings for
Microsoft Intune.
Task 5d: Client privacy
If your organization is going to embrace mobile device management, you must be aware of the
boundaries between end-user and organization privacy. Ideally, your organization will have a
clear privacy policy stating what’s expected from the end-user regarding data privacy. Since
mobile devices might store company data and these devices will be traveling around with the
user, it’s extremely important that these boundaries are well-defined and that your users know
upfront what their role is to keep that privacy in place.
Transparency is a very important part of the plan to ensure that users are aware of what to
expect when they enroll their devices in your organization’s MDM solution. Using Microsoft
Intune Company Portal, you can customize your company’s privacy statement by providing a
URL that has the description of what will be collected from users while managing their devices.
You can also publish terms and conditions that your users will see when they first use the
company portal from their devices, whether or not that device is already enrolled in the MDM
solution. Users will have to accept those terms to access the company portal. When you update
the terms and conditions and want users to see and accept the new terms, you can mark the
new terms and conditions as a new version, and users will go through the same acceptance
process the next time they visit the company portal.
The same capability is also available when you have a hybrid environment with System Center
2012 R2 Configuration Manager connected with Intune. In addition, ConfigMgr can also use
compliance settings to evaluate whether client devices are compliant with configuration items
that you deployed using configuration baselines. Some settings can be automatically
remediated if they are out of compliance. Compliance information is sent to the site server by
the management point and stored in the site database. This information is encrypted when
devices send it to the management point, but it’s not stored in an encrypted format in the site
database. Information is retained in the database until the site maintenance task Delete Aged
Configuration Management Data deletes it every 90 days. You also have the capability to
configure the deletion interval. This compliance information is not sent to Microsoft.
Since Intune and Office 365 are cloud-based services, users might also want to be aware of how
Microsoft deals with user privacy for these services. You can obtain more information about
privacy on these services by visiting the following sites:
- Office 365 Trust Center
- Microsoft Intune Trust Center
Privacy is very important for both end-users and your organization. You need to ensure that the
MDM solution is able to manage privacy and informs your end-users about your organization’s
privacy policy and expectations. Use Table 15 as a reference to assist you choosing the MDM
option that best fits your organization’s privacy requirements.
Table 15
MDM option | Advantages | Disadvantages
Intune (standalone) | Uses the Intune Company Portal to publish your organization’s privacy statement | It doesn’t have a template for a privacy policy. There is an assumption that your organization has a privacy policy in place and the Company Portal is only going to advertise this policy, which is stored in another location
Office 365 with MDM | Not available | Not available
Hybrid (Intune with System Center) | Uses the Intune Company Portal to publish your organization’s privacy statement; single management console for mobile devices registered from the cloud and on-premises devices | If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration
Task 5e: Data classification
Most companies already have a data classification policy in place, and you’ll need to understand
how deploying a mobile device management solution will affect this policy. Some organizations
perform on-premises data classification at the file server level using Active Directory Rights
Management Services (ADRMS). Another tool is the Microsoft Data Classification Toolkit, which
helps organizations to identify, classify, and protect data on their file servers. If your company
does not have a current data classification policy, you should introduce this capability in
conjunction with planning your mobile device management solution.
Office 365 uses transport rules to detect sensitive information incorporated into mail flow
processing. The DLP feature performs deep content analysis through keyword matches,
dictionary matches, regular expression evaluation, internal functions such as validate checksum
on credit card numbers, and other content examination to detect specific content types within
the message body or attachments.
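The kind of content analysis the paragraph lists, regular expression evaluation combined with a checksum function and a keyword dictionary, as an added example in Go. It is not the Office 365 DLP engine's code; the regular expression, the dictionary and the sample message are constructed for the illustration. It shows why the checksum step matters: a 16-digit order number that matches the pattern is rejected by the Luhn check, and the surviving number is reported masked, with a nearby dictionary hit raising the confidence.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidateRe matches 13 to 16 digits optionally separated by single spaces or
// dashes, the shapes card numbers take in message bodies and attachments.
var candidateRe = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`)

// keywords is a constructed dictionary; a hit near a valid number raises confidence.
var keywords = []string{"card", "visa", "mastercard", "cvv", "expir"}

// luhnValid is the checksum that separates real card numbers from random digit
// runs such as order or serial numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding describes one detected number without reproducing it in full.
type Finding struct {
	Masked     string // all but the last four digits replaced by '*'
	Confidence string // "high" when a dictionary keyword is nearby, otherwise "medium"
}

// ScanMessage runs the pattern, checksum and dictionary checks over one message
// and returns a finding for every Luhn-valid card-like number.
func ScanMessage(text string) []Finding {
	var out []Finding
	for _, loc := range candidateRe.FindAllStringIndex(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(text[loc[0]:loc[1]])
		if !luhnValid(digits) {
			continue
		}
		// Look 40 bytes either side of the match for dictionary terms.
		lo, hi := loc[0]-40, loc[1]+40
		if lo < 0 {
			lo = 0
		}
		if hi > len(text) {
			hi = len(text)
		}
		window := strings.ToLower(text[lo:hi])
		conf := "medium"
		for _, k := range keywords {
			if strings.Contains(window, k) {
				conf = "high"
				break
			}
		}
		masked := strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
		out = append(out, Finding{masked, conf})
	}
	return out
}

func main() {
	// Constructed sample message: one valid test card number and one order number
	// that has the same shape but fails the checksum.
	msg := "Please charge my card 4111 1111 1111 1111, expiry 12/27. Order ref 1234567890123456."
	for _, f := range ScanMessage(msg) {
		fmt.Printf("%s (%s)\n", f.Masked, f.Confidence)
	}
}
```

Reporting the number masked is deliberate: a DLP finding that quotes the full value just moves the sensitive data into the alert log.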
Microsoft Intune and System Center 2012 R2 Configuration Manager don’t have data
classification built in, so they rely on cloud-based classification using Azure RMS or on-premises
using ADRMS. Another option is to use the Enterprise Mobility Suite (EMS) as your MDM
solution. With EMS, you’ll have access to Azure AD Premium and Azure RMS, which can be used
to classify data. Data classification using Azure RMS can be integrated with an on-premises
management solution in a hybrid environment.
Use Table 16 as a reference to assist you choosing the MDM option that best fits your
organization’s data classification requirements.
Table 16
MDM option | Advantages | Disadvantages
Intune (standalone) | Not available | Not available
MDM for Office 365 | Exchange Transport rules can be used to detect sensitive information | Data classification is not carried with the file itself. Once the file is located on the mobile device, it can be used without restrictions
Hybrid (Intune with System Center) | Not available | Not available
Enterprise Mobility Suite | Leverages Azure RMS to perform data classification; Azure RMS subscription is included with EMS; doesn’t require an on-premises infrastructure for data classification; can be integrated with an existing on-premises AD RMS solution; protection is located in the file itself, which means that the file will keep its classification even if it is saved in a different location | Not available for customers that are not adopting a cloud-based solution
Task 5f: Authentication and Authorization
The first line of defense for protecting your company data is to properly identify your users.
Once your users are identified, it’s then necessary to verify that they are authorized to access
what they are requesting. Organizations that already have on-premises Active Directory services
should leverage this repository to authenticate and authorize mobile users. All Microsoft mobile
device management solutions are capable of leveraging an existing Active Directory
infrastructure for this purpose.
Another decision point regarding authentication and authorization is where the directory
services will be located. While the vast majority of organizations will have on-premises Active
Directory services, some organizations might be considering extending their on-premises
directory services with a cloud-based directory service such as Azure AD. For a hybrid scenario,
integrating both directories is a good way to leverage Azure AD capabilities such as:
- Self-service group management: Allows users to create groups, request access to other
  groups, delegate group ownership so others can approve requests, and maintain their
  group memberships.
- Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure
  Active Directory Premium service.
- Password reset with write-back: Self-service password reset can be written back to on-
  premises directories.
Read more about the different options and capabilities at Azure Active Directory.
Having two factors of authentication can also be an important strategy for your organization
when planning a mobile device management solution. Microsoft Intune can integrate directory
services with multi-factor authentication (MFA), which adds another layer of security for the
authentication process. If your organization has on-premises IT infrastructure that includes an
Active Directory domain with Active Directory Federation Services (AD FS), you can configure
MFA on your federation server and then enable MFA for enrollment in Intune. If you configure
MFA on your federation server, but you don’t enable MFA for enrollment in Intune, users will
need to use MFA each time that they access corporate resources. You can also use Azure AD
MFA to require MFA each time that users access your corporate resources, and this requirement
can be enabled on a per-user basis. Azure AD MFA is a cloud service that doesn’t require any
on-premises IT infrastructure.
Use Table 17 as a reference to assist you choosing the MDM option that best fits your
organization’s authentication and authorization requirements.
Table 17
MDM option | Advantages | Disadvantages
Intune (standalone) | Can use on-premises directory services, such as Active Directory, for authentication; can use cloud-based directory services, such as Azure AD, for authentication; can integrate with multi-factor authentication | Azure AD cloud service is not included when you purchase an Intune subscription
MDM for Office 365 | Can use an on-premises directory, such as Active Directory, for authentication; can use a cloud-based directory, such as Azure AD, for authentication; can integrate with multi-factor authentication | Azure AD cloud service is not included when you purchase an Office 365 subscription
Hybrid (Intune with System Center) | Can use an on-premises directory, such as Active Directory, for authentication; can use a cloud-based directory, such as Azure AD, for authentication; can integrate with multi-factor authentication | Azure AD cloud service is not included when you purchase an Intune subscription
Enterprise Mobility Suite | Leverages Azure AD Premium to provide access control; Azure AD Premium license is already included with EMS; does not require on-premises directory services; can synchronize with on-premises Active Directory services; MFA is natively available with EMS | Not available for customers that are not adopting a cloud-based solution
Task 5g: Access control
Organizations that already use Active Directory to authenticate and authorize users are going to
use discretionary access control by default. If they use groups to segment and control access
to resources, this is just another aspect of how they manage access control. As shown in Figure
13, after authenticating and authorizing access for the user (Bob), it’s necessary to validate what
type of control Bob has on the target resource, in this case a folder:
Figure 13 – Basic authentication and authorization flow
The traditional Access Control List (ACL) is very limited and doesn’t take into consideration other
aspects of the user’s state, such as where the user is located when trying to access this resource. If
your organization needs to evaluate more variables before granting access to a resource, you can
use Dynamic Access Control, which is natively available in Windows Server 2012. With many
companies trying to operate like a cloud provider by using technologies that allow them to have
a private cloud, another option is to use Role Based Access Control (RBAC). Azure AD allows IT
to use RBAC to control access to resources, and since Azure AD can be integrated with your
on-premises Active Directory, you can leverage this capability to consolidate how users will access
resources.
A resource can also be an app, which means that your MDM solution must be able to control
how apps are installed and accessed. Mobile application management policies in Microsoft
Intune let you modify the functionality of apps that you deploy to help bring them into line with
your company compliance and security policies.
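The difference between the plain ACL in Figure 13 and the conditional and role-based checks this task describes, as an added example in Go that is not the code of Active Directory, Dynamic Access Control or Azure AD. The principal, resource and context values are constructed; the claim names are assumptions for the illustration. The ACL check alone grants Bob access from anywhere; layering a location claim and an enrollment claim over it is what denies the same request from an unmanaged device or an external network, and the returned reason is what an access log needs.

```go
package main

import "fmt"

// Principal is what the directory knows about the user after authentication.
type Principal struct {
	Name   string
	Groups []string // group memberships, the only input a traditional ACL considers
	Roles  []string // RBAC roles assigned in the directory
}

// Context carries the claims an MDM-aware gateway can add to a request.
type Context struct {
	Location       string // "corporate" or "external" (assumed claim values)
	DeviceEnrolled bool   // device is enrolled in the MDM solution
}

// Resource is a folder, document or app together with its access policy.
type Resource struct {
	Name          string
	ACL           []string // groups granted access by the traditional ACL
	AllowedRoles  []string // RBAC roles permitted; empty means no role requirement
	RequireOnsite bool     // conditional rule: corporate location only
	RequireEnroll bool     // conditional rule: enrolled devices only
}

func intersects(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return true
			}
		}
	}
	return false
}

// ACLAllows is the traditional check: group membership only, no context.
func ACLAllows(p Principal, r Resource) bool {
	return intersects(p.Groups, r.ACL)
}

// Decide layers the role and conditional checks on top of the ACL and returns
// the decision together with the reason, so denials can be logged and reviewed.
func Decide(p Principal, r Resource, c Context) (bool, string) {
	if !ACLAllows(p, r) {
		return false, "denied by ACL"
	}
	if len(r.AllowedRoles) > 0 && !intersects(p.Roles, r.AllowedRoles) {
		return false, "no permitted role"
	}
	if r.RequireOnsite && c.Location != "corporate" {
		return false, "location not permitted"
	}
	if r.RequireEnroll && !c.DeviceEnrolled {
		return false, "device not enrolled"
	}
	return true, "allowed"
}

func main() {
	// Constructed principal and resource for the demonstration.
	bob := Principal{Name: "Bob", Groups: []string{"Sales"}, Roles: []string{"SalesRep"}}
	forecasts := Resource{Name: "Forecasts", ACL: []string{"Sales"},
		AllowedRoles: []string{"SalesRep", "Finance"}, RequireOnsite: true, RequireEnroll: true}
	for _, ctx := range []Context{{"corporate", true}, {"external", true}, {"corporate", false}} {
		ok, why := Decide(bob, forecasts, ctx)
		fmt.Printf("ACL=%v context=%+v -> %v (%s)\n", ACLAllows(bob, forecasts), ctx, ok, why)
	}
}
```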
Use Table 18 as a reference to assist you choosing the MDM option that best fits your
organization’s access control requirements.
Table 18
MDM option | Advantages | Disadvantages
Intune (standalone) | Access control (installation and management) for apps | Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use; some policies may not be available for some mobile platforms
MDM for Office 365 | Access control to email, Office Mobile and OneDrive for Business | Only allows a small subset of access control to resources; lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use; some policies may not be available for some mobile platforms
Hybrid (Intune with System Center) | Access control (installation and management) for apps | Azure AD cloud service is not included when you purchase an Intune subscription
Enterprise Mobility Suite | Access control (installation and management) for apps; leverages Azure AD Premium to provide RBAC-based access control | If the organization does not have a current on-premises System Center infrastructure, it will need to plan, install and configure this platform prior to the integration
Task 5h: Incident responses
A good mobile device management solution must be able to allow you to rapidly respond to an
incident by taking an action that will mitigate the threat. The management system is the tool
that allows the procedures that were established in the incident response plan to be executed.
Privacy is always important, in particular in a BYOD scenario. When the user owns the mobile
device, it’s necessary to keep the balance between keeping your company data secure and
preserving the user’s privacy. There are many levels of response in a scenario where a user has
lost their device as shown in Figure 14. It will be the company security policy that will dictate
what ultimately needs to be done, knowing that in some circumstances it might be necessary to
completely wipe the target device.
Figure 14 – Incident response process for a compromised device
Microsoft Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. If a mobile device is lost or stolen, you can issue a remote device wipe command from the Microsoft Intune administrator console. Microsoft Intune also allows your users to issue remote device wipe commands on their own from the Microsoft Intune company portal. In a scenario with System Center 2012 R2 Configuration Manager only, you have the option to do a selective wipe that removes only company content; in a hybrid scenario you can use both options, since it leverages Intune. MDM for Office 365 allows you to perform a selective wipe to remove only organizational data, or a full wipe to delete all information from a device and restore it to its factory settings.
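The lost-device flow described above, scripted as an added example (this is not code from the guide, nor Microsoft's own tooling for the consoles it describes). It uses the Exchange Online cmdlets Get-MobileDevice, Clear-MobileDevice and Get-MobileDeviceStatistics, which is the layer through which a mail-account (ActiveSync) wipe is issued; the selective-versus-full decision rule, the ownership and data-sensitivity flags, the mailbox name, device ID and notification address are all assumptions for illustration, and the script assumes an authenticated remote PowerShell session to Exchange Online is already imported into the shell.

```powershell
# Added example, not code from the guide: scripted tiered response to a
# lost or stolen mobile device using Exchange Online cmdlets, which is the
# layer through which a mail-account (ActiveSync) wipe is issued.
# Assumes an authenticated remote PowerShell session to Exchange Online is
# already imported into this shell. Mailbox, device ID and notification
# address are placeholders; the ownership and data-sensitivity flags would
# come from your asset inventory and the incident ticket, not from Exchange.

function Get-LostDeviceWipeLevel {
    # Map the incident facts to a wipe level under a hypothetical policy that
    # mirrors the guide's BYOD privacy balance:
    #   corporate-owned device                  -> Full
    #   personal device, high-sensitivity data  -> Full only if policy permits,
    #                                              otherwise Selective
    #   personal device, ordinary data          -> Selective
    param(
        [Parameter(Mandatory)][ValidateSet('Corporate', 'Personal')][string]$Ownership,
        [bool]$HighSensitivityData = $false,
        [bool]$PolicyAllowsFullWipeOfPersonalDevice = $false
    )
    if ($Ownership -eq 'Corporate') { return 'Full' }
    if ($HighSensitivityData -and $PolicyAllowsFullWipeOfPersonalDevice) { return 'Full' }
    return 'Selective'
}

function Invoke-LostDeviceWipe {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DeviceId,      # DeviceId value shown by Get-MobileDevice
        [Parameter(Mandatory)][ValidateSet('Full', 'Selective')][string]$Level,
        [string]$NotifyAddress = 'secops@contoso.com' # placeholder
    )

    # Resolve the device through the user's own mailbox and refuse to act on
    # an ID that is not registered there, so a mistyped ticket cannot wipe
    # someone else's phone.
    $device = Get-MobileDevice -Mailbox $UserPrincipalName |
        Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) {
        throw "Device '$DeviceId' is not registered to mailbox $UserPrincipalName"
    }

    if ($Level -eq 'Selective') {
        # -AccountOnly removes only the Exchange account data (mail, calendar,
        # contacts) and leaves the user's personal content on the device.
        Clear-MobileDevice -Identity $device.Identity -AccountOnly `
            -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    }
    else {
        # Without -AccountOnly the device is reset to factory settings.
        Clear-MobileDevice -Identity $device.Identity `
            -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    }

    # The wipe is only queued here; it executes when the device next syncs.
    # Return the wipe timestamps so the incident record shows when the
    # command was requested, sent, and acknowledged by the device.
    Get-MobileDeviceStatistics -Identity $device.Identity |
        Select-Object DeviceId, DeviceType, DeviceWipeRequestTime,
                      DeviceWipeSentTime, DeviceWipeAckTime
}

# Usage: a personally owned phone reported lost, no high-sensitivity data on it.
$level = Get-LostDeviceWipeLevel -Ownership Personal -HighSensitivityData $false
Invoke-LostDeviceWipe -UserPrincipalName 'jane@contoso.com' `
    -DeviceId 'ABC123DEF456' -Level $level
```

Two caveats a practitioner should keep in mind: the wipe is queued, so DeviceWipeAckTime stays empty until the device actually contacts the service, and a device that never reconnects is never wiped, which is why the user's credentials and active sessions should be revoked as a separate step rather than relying on the wipe alone. Remote lock and passcode reset, which the guide lists for Intune, are console actions with no equivalent in these Exchange cmdlets.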
Policies can also be used to take actions to mitigate a threat. Using System Center 2012 R2 Configuration Manager you can create compliance policies that restrict the device that was compromised. For example, if the compromised mobile device is an iOS 7 or iOS 8 device, you can use the security settings extension to require a fingerprint to unlock the device. In this particular case, the same capability is also available with Intune. As you design your MDM solution to comply with your incident response plan, ensure that all supported mobile device platforms are covered, since not all of them will have the same set of options.
Another important aspect of incident response is how you will proactively take action based on trends, and how you will react to an incident that was not reported, based on the monitoring system in place. The MDM solution must facilitate monitoring and reporting the state of the mobile devices that are enrolled. For more information about incident response, see the Determine incident response requirements task.
Use Table 19 as a reference to assist you in choosing the MDM option that best fits your organization’s incident response requirements.
Table 19 – MDM options and incident response (advantages and disadvantages)

Intune (standalone)
  Advantages: Allows you to remotely wipe, remote lock, and password lock a mobile device. Allows you to create restrictive security policies to mitigate threats. Allows you to create alerts and custom notifications based on those alerts.
  Disadvantages: Lack of integration with the current on-premises MDM platform introduces an additional management interface for you to use. Some policies may not be available for some mobile platforms.

MDM for Office 365
  Advantages: Allows you to remotely wipe and remote lock a mobile device.
  Disadvantages: Only allows a small subset of security policies. Lack of integration with the current on-premises MDM platform introduces an additional management interface for you to use. Some policies may not be available for some mobile platforms.

Hybrid (Intune with System Center)
  Advantages: Allows you to remote wipe, remote lock, and password lock a mobile device. Allows you to create restrictive security policies to mitigate threats. Single management for cloud and on-premises devices. Easier
  Disadvantages: The Azure AD cloud service is not included when you purchase an Intune subscription.

Enterprise Mobility Suite
  Advantages: Allows you to remote wipe, remote lock, and password lock a device. Allows you to create restrictive security policies to mitigate threats. Allows you to track user behavior by leveraging Azure AD Reports. Allows you to track user rights assignment, which can be used in some incident response scenarios.
  Disadvantages: Lack of integration with the current on-premises MDM platform introduces an additional management interface for you to use. Some policies may not be available for some mobile platforms.
Step 4 - Plan for Software as a Service (SaaS) mobile device management
The last step in designing a complete mobile device management strategy is to determine the requirements for the Software as a Service device management solution that will be used to support mobile devices within your organization. In this step, we’ll examine SaaS platform types, characteristics such as scalability and accessibility, mobile device management connectivity, and integration with your on-premises infrastructure.
More and more, organizations are starting to leverage the features and power of cloud computing infrastructure solutions to deliver services and applications to users. Software as a Service (SaaS) allows user and device services, applications, and activities to be centrally managed from a single location, regardless of the location of the user or device. If your organization is currently using (or planning to implement) SaaS services, it’s important to define how the solution will deliver these services to mobile devices in your organization and integrate with (or even replace) your on-premises mobile device management platform. In some cases, SaaS solution decisions may be completely separate from, or just a small part of, how mobile devices will be managed in your organization. However, understanding the overall impact of the SaaS solution as it relates to managing mobile devices is an important part of deploying a complete mobile device management solution.
You need to go over these key aspects of the SaaS solution to understand what is a current requirement and what your organization plans for the future. If you don’t define a long-term strategy for managing mobile devices and integrating with cloud services adoption, your mobile device management solution may not scale as your organization’s business needs change.
Task 1: Identify your SaaS requirements
Each SaaS solution will have different requirements, mobile device management features, and levels of integration with on-premises networks and platforms. Many SaaS solutions offer trial tenants or services for you to evaluate their features and functionality, which is an important part of determining which solution actually meets your needs. However, many SaaS solutions may have subtle differences in features and functionality, depending on the platform type.
The majority of SaaS solutions are based on three cloud types:
• Multi-tenant (public)
• Private (dedicated)
• Hybrid
Before making decisions on how you’ll use a SaaS solution to manage your mobile devices,
you’ll also need to examine the differences between these types of cloud platform architectures
and choose the one that best fits the overall needs of your organization. Individual SaaS
solutions have differing levels of support for areas such as customization, feature configuration,
integration, and collaborative functionality.
SaaS cloud types
Multi-tenant SaaS solutions are what are typically called “public” cloud infrastructures. This is when the software architecture of the service is a single instance that serves multiple tenants or organizations. The solution is designed to provide every tenant a reserved share of its services, such as user or device management, configuration, and data support. The tenant accounts and services are logically separated, with each tenant accessing the platform infrastructure in a separate instance. Multi-tenant SaaS solutions also typically offer cost savings earned from sharing the infrastructure and distributing the overhead costs amongst multiple tenants. Most mobile device management platforms are offered in a multi-tenant SaaS platform infrastructure.
Private, or dedicated cloud services are instances of SaaS solutions that are operated for a
single organization or tenant. These can either be private cloud services hosted by the
organization or private cloud services hosted by a 3rd party provider. Private cloud solutions also
typically offer greater opportunities for customization, both in the areas of services and security.
Some dedicated SaaS solutions offer mobile device management services as a part of larger
private cloud tenant options.
Hybrid SaaS solutions can offer a combination of either multi-tenant and private cloud
infrastructures, or a combination of hosted (either multi-tenant or private) and on-premises
cloud infrastructures. A hybrid infrastructure may also include leveraging an external cloud SaaS
solution for delivering certain types of services (such as applications), but leveraging internal
resources for other types of services. Most SaaS solutions offer the ability to support a hybrid
cloud configuration, but may vary significantly on the depth and completeness of integration
with on-premises or other hosted cloud platforms.
SaaS cloud type questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud types:
• What level of security do I need for mobile device data stored in my SaaS solution?
• How does the SaaS solution address intrusion detection and data loss prevention for mobile devices?
• Does your organization have to comply with any regulatory, certification, or compliance requirements for mobile devices or data stored on mobile devices? If so, do these require a specific level of security, customization, scalability, or resiliency? How is compliance audited and reported?
• Does the SaaS solution need connectivity with other cloud services or platforms that will manage mobile devices? If so, is this connectivity:
  o Pre-configured or standardized?
  o Customizable?
  o Supported by the platforms you need to connect to?
• Do you need to connect your SaaS solution with an existing on-premises device management infrastructure? If so, is this connectivity:
  o Supported by your on-premises device management platform?
  o Supported by the SaaS solution?
  o Supported without the need for additional on-premises physical resources?
• Will your cloud-based services, applications, and processes for mobile devices require different levels of security, customization, scalability, and resiliency?
Scalability
Ease of scalability is one of the primary reasons for considering or deploying a SaaS solution for managing mobile devices in your organization. By definition, public SaaS solutions typically offer a virtually limitless ability to support any number of users or mobile devices. Private and hybrid SaaS solutions may be subject to scaling limits, based on available organization resources. Scaling up or down to support a greater or smaller number of users or devices usually depends on a specific licensing model or per-user/device pricing package for public clouds.
Scalability questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud scalability:
• What type of short and long-term plans does your organization have for growth or contraction in mobile device and application support infrastructure?
• How rapidly will your organization need to scale mobile device management support services upward or downward?
• What is the initial number of mobile devices and/or users that need support in the SaaS solution? How likely is this number to change in the next year? The next 3 years? The next 5 years?
• Does the number of mobile devices needing SaaS solution support change on a regular pattern (such as seasonally)? Does it change according to the number of active or inactive organization projects?
• Does SaaS solution performance change depending on the scale of supported mobile devices and users? If so, in what areas (nodes, data, processing, etc.)? How is the scaling performance measured, reported, and audited?
Accessibility
Easy access to the SaaS solution is another key component of the SaaS architecture. Because the SaaS solution is hosted on a cloud-based infrastructure, it’s accessible by administrators, users, and devices from any location that has access to the Internet. Administration of mobile devices is done via a browser. Because many SaaS solution providers operate geographically diverse datacenters, users and devices can access the platform “locally”, often avoiding latency and delays that can be associated with connecting to geographically distant endpoints. Accessibility can also typically be expanded by integrating the SaaS solution with on-premises device management platforms.
Accessibility questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud accessibility:
• Are there specific mobile device browser requirements in your organization? If so, does the SaaS solution support the required browser(s)?
• Do mobile device users have any special accessibility requirements for applications or services?
• Does your organization need to access SaaS infrastructure located in the same geographic area as the user devices or your on-premises infrastructure? Are there legal ramifications if mobile device data is stored or moved across international borders?
Resiliency
Since the SaaS infrastructure is cloud-based and hosted across multiple datacenters, it is typically subject to fewer outages and less instability than traditional on-premises hosted services. Multi-location service hosts offer protection against geography-based outages and service interruptions by using fail-over infrastructure and processes to replicate data across multiple datacenter nodes. Depending on the SaaS solution, access to the service may or may not remain in the original geographic area during a fail-over.
Resiliency questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud resiliency:
• In the event of a primary SaaS solution fail-over, how will mobile device management services be impacted?
• How will mobile device data stored on the SaaS solution be shared in the cloud-based infrastructure?
• If the primary mobile device SaaS datacenter isn’t available, are the fail-over datacenters in the same geographic region as the primary datacenter? Is it OK for fail-over datacenters to be located outside the international borders from which the mobile devices are operating?
• Does the SaaS solution have a defined service level agreement (SLA) outlining support for mobile device management?
Up-to-date services
SaaS solutions are also able to keep the applications and services up to date with the latest application version, features, security updates, and bug fixes. Often these updates are published very quickly, sometimes even on a daily basis. Depending on the SaaS solution, updates may be instantly available to all customers or released in a phased approach to smaller groups of customers. One of the biggest benefits is that when a bug is fixed for one customer, the fix can easily be applied to all customers using the service.
Services questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud services:
• How often are mobile device management features and functionality updated in the SaaS service?
• What impact will feature and functionality updates have on your mission-critical mobile device applications and services?
• Are SaaS solution feature and functionality updates deployed to customers on an ad hoc or planned schedule?
• Does the SaaS solution support exemptions from service-wide updates for individual organizations?
• Does the SaaS solution have different service update schedules for mobile device application and mobile device management features and functionality?
Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
Two of the primary decisions that need to be made when considering managing mobile devices with a SaaS solution are:
• How will your existing user and device on-premises directory accounts integrate with the SaaS solution?
• Do you need to integrate the SaaS solution with existing on-premises client management platforms?
The decisions you make in these two areas will significantly impact the overall deployment, administration, and end-user experiences for your mobile device management solution.
Identity and directory connectivity
Connecting and synchronizing your on-premises user and device account directory with the SaaS solution is really the glue that truly connects users, mobile devices, mobile applications, and mobile device management. Knowing who a user is (identity) and associating the identity to specific mobile devices is critical in managing access to company resources and data from the mobile device. In many ways, maximizing how these areas are connected to the SaaS solution determines the overall value to both you and your mobile device users. Ubiquitous connectivity means that people and devices can use devices and applications anywhere, and it’s essential that user identity management keeps pace with the demands of this connectivity. It can’t be stressed enough that how you manage identity and user authentication is critical to the success of your mobile device management solution.
Synchronizing on-premises directory services to the SaaS solution is another key area to consider when defining your mobile device management strategy. Most organizations prefer to maintain an on-premises user and device directory infrastructure, but need to extend these accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device management solution, but in most scenarios organizations need to integrate user and device accounts into several different types of cloud-based services. This may include cloud-based applications, data, or 3rd party web services. Keeping your user and device directory accounts synchronized is the cornerstone of a well-designed identity management solution. Once you integrate your on-premises directory with the cloud directory, you can also enable single sign-on (SSO) to allow users to sign in to all services using their on-premises credentials. Both Intune and Office 365 can take advantage of this integration to enable SSO with SaaS apps that the organization might want to use.
Identity and directory connectivity questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about identity management and directory connectivity:
• Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you’re using in your on-premises infrastructure?
• Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
• Does the SaaS solution support user and mobile device authentication for 3rd party or other external SaaS-based applications or services?
• How does the SaaS solution manage identity-related threats and abnormalities?
• Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
• What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions for certain object types?
• What on-premises requirements are needed to extend your directory services to the SaaS solution?
• Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
• Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
• Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?
Connecting with existing client management platforms
Most organizations have an existing on-premises client management platform to manage desktop computers and servers. How you integrate the management of mobile devices into this system is likely to have a substantial impact on IT infrastructure costs, device management administration processes, device inventory and reporting support, and overall integration with other business-critical applications and services. By connecting these two platforms, organizations are able to leverage the economies of scale of a single, unified management platform.
Connecting existing client management platforms questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about connecting the SaaS solution with existing client management platforms:
• Does your on-premises client management platform support integration with a SaaS solution? If so, are there:
  o Limitations on the type of SaaS solution?
  o Limitations on the types of supported devices?
• What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
  o Physical server or device requirements?
  o Directory services or directory schema requirements?
  o Domain Name Services (DNS) requirements?
  o Identity requirements?
  o Client management platform upgrades or configuration requirements?
  o Network connectivity and/or network security configuration requirements?
• Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
• After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system or are they managed separately?
• How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?
Task 3: Develop your SaaS mobile device management adoption strategy
In this task you will define the mobile device management SaaS strategy to meet the requirements that you defined in Tasks 1 and 2.
Task 3a: Identify your SaaS solution requirements
Depending on how you answered the questions in Task 1, you should be able to determine what the SaaS solution needs to support in your mobile device management solution. Table 20 below will help you understand the advantages and disadvantages of each SaaS solution scenario:
Table 20 – SaaS solution scenarios (advantages and disadvantages)

Intune (standalone)
  Advantages: Offered as a multi-tenant, public cloud architecture. Scales to support up to 50,000 mobile devices. Doesn’t require any additional investments in on-premises infrastructure, hardware or software. Updates and feature improvements are made on a daily basis; major feature and functionality enhancements are made on a monthly basis. Services can be assigned to datacenters in specific geographic locations. Datacenter fail-overs can be restricted to specific geographic locations. Certified and compliant with most industry and governmental standards. The Service Level Agreement (SLA) is financially backed: if the service or features aren’t available, monthly charges are waived.
  Disadvantages: Private cloud instances aren’t supported. If you need to support more than 50,000 mobile devices, you’ll need to connect Intune to System Center 2012 R2 Configuration Manager to manage the additional devices.

MDM for Office 365
  Advantages: Tightly integrated with Office 365 commercial tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online). Offered in Office 365 multi-tenant (public) or private (dedicated) platform types. No additional user or device licensing costs; included by default in Office 365 commercial (Business, Enterprise, Education, and Government) plans.
  Disadvantages: Doesn’t support managing non-mobile operating systems. Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices.

Hybrid (Intune with System Center)
  Advantages: All the advantages of Intune standalone, plus the following:
    o Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
    o Supports advanced device provisioning options for mobile devices via Intune connectivity
    o New Intune service features and functionality extended to the on-premises System Center infrastructure via platform extensions, either automatically or customized
  Disadvantages: Requires additional configuration to connect Intune with the on-premises System Center infrastructure. For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune.
Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode
reset using Microsoft Intune to understand what data is removed and the effect on data that
remains on the device after a selective wipe per platform. If you have a hybrid environment,
consult the article How to remote wipe mobile devices using Configuration Manager to
understand how System Center 2012 R2 Configuration Manager can be used to accomplish this
task.
For more details about SaaS solution functionality and requirements, make sure to review the
service description for Microsoft Intune to understand the differences in SaaS support versus
MDM for Office 365 and in a hybrid Intune and System Center 2012 infrastructure.
Task 3b: Identify your SaaS solution connectivity requirements
Connecting your on-premises infrastructure has an important impact on how user and device identity is managed with Intune, MDM for Office 365, and hybrid Intune and System Center deployments. Both Intune and MDM for Office 365 leverage the directory services architecture provided by Azure Active Directory. This integration with Azure offers maximum flexibility when designing identity management support in your mobile device management solution.
As shown in Figure 15 below, connecting your on-premises directory services with Azure is the key requirement for enabling both single sign-on and unified directory account management. Synchronizing directory account attributes and credentials between Azure and on-premises directory services allows users to authenticate themselves through their mobile devices when accessing either MDM for Office 365 or the Intune service.
Figure 15 – Overview of integrated identity management
Depending on how you answered the questions in Task 2, you should be able to determine how
the SaaS solution needs to connect to your on-premises client management platform for your
mobile device management solution. Table 21 below will help you understand the advantages
and disadvantages of connecting your on-premises infrastructure with a SaaS solution:
Table 21 – Connectivity options (advantages and disadvantages)

Intune (standalone)
  Advantages: Tightly integrated with Azure Active Directory for managing user and device identity and authentication. Supports user credential self-management and single sign-on experiences that can leverage existing on-premises account credentials. Supports single sign-on access to thousands of pre-integrated SaaS applications. Supports application access security by enforcing rules-based multifactor authentication (MFA) for both on-premises and cloud applications.
  Disadvantages: Advanced directory services connectivity features and functionality require pairing with Azure Active Directory Premium.

MDM for Office 365
  Advantages: Integrated with Office 365 tenants, leveraging the Azure Active Directory backbone for managing user and device identity and authentication. On-premises directory services can be connected as a part of connecting services with Office 365. Supports user self-management and single sign-on experiences that can leverage existing on-premises account credentials.
  Disadvantages: Doesn’t support mobile application management integration with other SaaS solutions or applications. Doesn’t support multi-factor authentication.

Hybrid (Intune with System Center)
  Advantages: All the advantages of Intune standalone, plus the following:
    o Direct integration with on-premises directory services through System Center infrastructure
  Disadvantages: For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune. Requires additional on-premises deployment requirements and configuration changes for organizations with System Center.
Next steps and resources
Now that you’ve completed defining your requirements and examining all the options for your mobile device management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right for you and your organization.
Mobile device management solutions
Leveraging specific solution scenarios that fit your needs is a great way to review and plan for the details of deploying a mobile device management infrastructure. The following solutions outline several of the most common mobile device management scenarios:
• The manage mobile devices and PCs in enterprise environments solution helps you manage mobile devices by extending your on-premises System Center 2012 R2 Configuration Manager infrastructure into the cloud with Microsoft Intune. This hybrid infrastructure helps medium and large companies enable BYOD and remote access while reducing administration complexity.
• The managing mobile devices for Configuration Manager 2007 solution helps you manage mobile devices when your infrastructure rests on System Center Configuration Manager 2007. This solution shows you how to set up a single server running System Center 2012 R2 Configuration Manager so you can then run Microsoft Intune and take advantage of its MDM capabilities.
• The managing mobile devices in small environments solution is intended for small businesses that need to support MDM. It explains how to use Microsoft Intune to extend your current infrastructure to support mobile device management and BYOD. This solution describes the simplest scenario supported for using Microsoft Intune in a standalone, cloud-only configuration without local servers.
Mobile device management documentation
Conceptual and procedural planning, deployment, and administration content are useful when implementing your mobile device management solution:
• Microsoft System Center solutions can help you capture and aggregate knowledge about your infrastructure, policies, processes, and best practices so that your IT staff can build manageable systems and automate operations.
• Microsoft Intune is a cloud-based device management service that helps you to manage your computers and mobile devices and to secure your company’s information.
• MDM for Office 365 allows you to manage and secure mobile devices when they're connected to your Office 365 organization. You can use MDM for Office 365 to set device security policies and access rules, and to wipe mobile devices if they’re lost or stolen.
Mobile device management resources
Monitoring the following resources provides the latest news and updates on our mobile device management solutions:
• Microsoft Enterprise Mobility blog
• Microsoft In The Cloud blog
• Microsoft Intune blog
• Microsoft System Center Configuration Manager blog
• Microsoft System Center Configuration Manager Team blog
• Microsoft Office 365 blog