December 2012
Windows Phone 8 Device Management with Windows Intune
This white paper is part of a series of technical papers designed to help IT professionals evaluate
Windows Phone 8 and understand how it can play a role in their organizations. It discusses and
contains information regarding Windows Phone 8 mobile device management via Windows
Intune.
Windows Phone 8 Mobile Device Management with Windows Intune
Legal Disclaimer
© 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and
views expressed in this document, including URL and other Internet Web site references, may change
without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
Published: December 2012
Table of contents
Windows Phone 8 Device Management with Windows Intune
Introduction
Using Windows Intune for Direct Management of Windows Phone devices
Configuring Windows Intune to Manage Devices
Setting up Windows Intune for Windows Phone 8
Enrolling Windows Phone Devices in Windows Intune
Resources
Introduction
Windows Intune provides a rich and flexible mobile device management
experience for Windows Phone. With Windows Intune, you can manage Windows
Phone 8 devices directly or through Exchange ActiveSync. With System Center
2012 Configuration Manager deployed in your environment as well, you can use
the Windows Intune service to manage mobile devices, while performing all
management tasks in the System Center Configuration Manager console.
Using Windows Intune for Direct Management of
Windows Phone devices
Windows Intune provides comprehensive mobile device management for Windows
Phone 8. With Windows Intune, you can deploy policies to help secure corporate
data on your phone, perform a hardware inventory, distribute applications and
links to applications that users can choose to install on their phone, and retire and
wipe phones. In addition, Windows Intune direct management of mobile devices
enables you to distribute applications to users in either of the following ways:
External link: For Windows Phone 8 devices, you can provide a link address
to an application on the Windows Phone Store. In addition, this web link
can be to a web-based application that runs on the device through the
device’s web browser.
Software installer: You can provide a signed application package that is
uploaded to the Windows Intune service directly and then sideloaded onto
managed devices. Sideloaded applications do not have to be certified by
or installed through the Windows Phone Store.
Users benefit from an enrollment and application installation experience that is
tailored for their Windows Phone, allowing them to choose the applications that
they want to install and to maintain control of configuring their devices.
Configuring Windows Intune to Manage Devices
Setting the Mobile Device Management Authority
The mobile device management authority determines where you will perform
phone device management tasks. You can set the mobile device management
authority to Windows Intune by using the Windows Intune administrator console
or to System Center Configuration Manager by using the System Center
Configuration Manager console.
Note: If you also plan to use Exchange ActiveSync to manage mobile devices,
we recommend that you only deploy the Exchange Connector in the same
environment where you set the mobile device management authority and
where you plan to configure Windows Intune direct management. For
information about how to set up the Exchange Connector for mobile device
management in Windows Intune environments, see Exchange Connector
Host System Requirements.
Consider carefully whether you want to manage mobile devices by using Windows
Intune only or System Center Configuration Manager with Windows Intune
Integration. Once you set the mobile device management authority to either of
these options, it cannot be changed.
For information about how to set the mobile device management authority to
System Center Configuration Manager, see the System Center Configuration
Manager 2012 SP1 documentation.
To set the mobile device management authority for Windows Intune:
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Mobile Device Management Setup.
4. In the Tasks list on the Policy Overview page, click Set Mobile Device
Management Authority.
5. The Set Mobile Device Management Authority dialog box appears, and
it prompts you to choose whether to use Windows Intune to manage the
mobile devices in your account. Do one of the following:
Click Yes to use Windows Intune to manage mobile devices for
your account. If you set Windows Intune as the management
authority, you must manage mobile devices by using the
Windows Intune administrator console.
Click No to exit the dialog box. This leaves the mobile device
management authority as None specified.
Provisioning users in Windows Intune
To manage users’ mobile devices, you must first provision the users in Windows
Intune. The process of provisioning defines device owners as managed users in
Windows Intune. After provisioning is complete, users appear and can be managed
in the Windows Intune administrator console. You provision users by doing either
of the following:
If you have Active Directory Domain Services (AD DS) in your environment,
you can configure Active Directory synchronization so that your local users
and security groups are synchronized to the Windows Azure Active
Directory and can appear in the Windows Intune administrator console. To
configure Active Directory synchronization, you need to set up the
Microsoft Directory Synchronization Tool. Doing this populates the
Windows Intune account portal with synchronized users and security
groups and enables Windows Intune to retrieve user information for
mobile device users. To ensure that your AD DS infrastructure is properly
prepared for Windows Intune, we strongly recommend that you review
Active Directory Synchronization Roadmap.
If you do not have AD DS in your environment, you can provision users in
Windows Intune by manually adding the users to the Windows Intune
account portal. For more information, see “Adding Users and Security
Groups to Windows Intune” in the Windows Intune Getting Started Guide.
Enabling automatic detection of a Windows Intune enrollment
To be managed by Windows Intune, devices must first discover and enroll in the
Windows Intune service. If you plan to enable automatic detection of a Windows
Intune enrollment server, you must ensure that you have set up a verified domain
name for your Windows Intune account and then create a CNAME resource record
for the verified domain in the public DNS.
Obtaining an enterprise mobile code-signing certificate from Symantec
In order to distribute applications and external links to users who have Windows
Phone 8 devices, you must first distribute the Company Portal app to these users
by making it available on the Windows Phone Store. Users access the Company
Portal app and install the Company Portal when they enroll their devices in
Windows Intune. When you distribute applications and external links to users, they
can access the applications and links by visiting the Company Portal.
Before you can distribute the Company Portal app to users, you must ensure that it
is signed by a mobile code-signing certificate that is trusted by users’ devices. After
you obtain an enterprise mobile code-signing certificate, additional steps are
required to export the certificate in PFX format, and to generate an application
enrollment token (AET).
Setting up Windows Intune for Windows Phone 8
Setting up mobile device management for Windows Phone 8 devices
In order to be managed by Windows Intune, Windows Phone 8 devices must first
discover and enroll in the Windows Intune service. You can either enable automatic
detection of a Windows Intune enrollment server, or provide the following
enrollment server address to users: enterpriseenrollment-s.manage.microsoft.com.
To enable devices to automatically detect a Windows Intune enrollment server,
complete the following steps:
1. Verify your domain in the Windows Intune account portal.
2. Create a CNAME resource record for the verified domain in the
public DNS. If there is more than one verified domain, you must
create a CNAME record for each domain. The CNAME resource
record must contain the following information:
Alias name: enterpriseenrollment
Fully qualified domain name (FQDN) for the target DNS
host: enterpriseenrollment.manage.microsoft.com
For example, if contoso.com and fabrikam.com are the verified
domains, you would create two CNAME resource records: One
resource record to redirect requests that arrive at
enterpriseenrollment.contoso.com to
enterpriseenrollment.manage.microsoft.com, and another record
to redirect requests that arrive at
enterpriseenrollment.fabrikam.com to
enterpriseenrollment.manage.microsoft.com. For information
about how to create a CNAME resource record, see Add an Alias
(CNAME) Resource Record to a Zone.
If you have enabled automatic detection, confirm that you have set up automatic
detection correctly by completing the following steps:
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, under Mobile Device Management, click
Windows Phone 8.
4. Under Step 1: Enrollment Server Address, type the name of the
verified domain, and then click Test Auto-Detection.
5. If you have set up automatic detection correctly, a message
appears to confirm that users can enroll their devices without
manually specifying the address of the Windows Intune enrollment
server.
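The CNAME records described above can also be checked in exported zone-file text before running the console test. The following Python is an added example, not part of the original white paper: it confirms that each verified domain has the enterpriseenrollment alias pointing at the target named above, and catches a target written without its trailing dot. The zone snippets, the domain example.net and all function names are constructed for illustration; it assumes RFC 1035 master-file syntax with the owner name on every record line.

```python
EXPECTED_ALIAS = "enterpriseenrollment"
EXPECTED_TARGET = "enterpriseenrollment.manage.microsoft.com."

def absolute(name, origin):
    """Expand a zone-file name: '@' is the origin, a trailing dot means absolute."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def cname_records(zone_text, origin):
    """Yield (owner, target) as absolute names; assumes an owner on every record line."""
    origin = origin.lower().rstrip(".") + "."
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower().rstrip(".") + "."
            continue
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            i = upper.index("CNAME")
            if 0 < i < len(fields) - 1:
                yield absolute(fields[0], origin), absolute(fields[i + 1], origin)

def check_domain(domain, zone_text):
    """Return 'ok', 'missing' or 'wrong-target:<fqdn>' for one verified domain."""
    want = f"{EXPECTED_ALIAS}.{domain.lower().rstrip('.')}."
    for owner, target in cname_records(zone_text, domain):
        if owner == want:
            return "ok" if target == EXPECTED_TARGET else f"wrong-target:{target}"
    return "missing"

# Constructed sample zones (not real DNS data).
SAMPLE_ZONES = {
    "contoso.com": "$ORIGIN contoso.com.\n"
                   "www 3600 IN CNAME web.contoso.com.\n"
                   "enterpriseenrollment 3600 IN CNAME enterpriseenrollment.manage.microsoft.com.\n",
    # Target lacks the trailing dot, so it is read as relative to the zone.
    "fabrikam.com": "$ORIGIN fabrikam.com.\n"
                    "enterpriseenrollment IN CNAME enterpriseenrollment.manage.microsoft.com\n",
    "example.net": "$ORIGIN example.net.\nwww IN CNAME web.example.net.\n",
}

def audit(zones=SAMPLE_ZONES):
    return {domain: check_domain(domain, text) for domain, text in zones.items()}

if __name__ == "__main__":
    for domain, status in audit().items():
        print(f"{domain}: {status}")
```

A domain reported as wrong-target or missing will not pass Test Auto-Detection, and users in that domain would have to type the enrollment server address manually.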
Distributing Applications and External Links to Windows Phone users
To distribute applications and external web links to users with Windows
Phone 8 devices, complete the required steps that are
listed here: http://technet.microsoft.com/en-us/library/jj662647.aspx
Distributing applications and external links to users with Windows Phone 8 devices
requires that you first distribute the Company Portal app to these users. Users
access the Company Portal app when they enroll their devices in Windows Intune.
To complete the enrollment process, users must install the Company Portal app.
When you distribute applications and external links to users, they can access the
applications and links by using the Company Portal app.
Before you can distribute the Company Portal app to users, you must make sure
that the app is signed by a mobile code-signing certificate that is trusted by users’
devices. To obtain the code-signing certificate, complete the following steps:
1. Establish a Company Dev Center account on the Windows Phone
Dev Center. As part of this process, you will receive a Publisher ID.
For more information, see Registration Info.
2. Visit the Symantec Enterprise Mobile Code Signing Certificate
website to complete the required steps to obtain an enterprise
mobile code-signing certificate. When this process is complete,
Symantec will deliver a certificate that can be imported into the
certificate store on a computer.
3. In the Certificates snap-in on the computer where the certificate is
imported, export the certificate in PFX format. Be sure to export
the private key with the certificate. The .pfx file will be used to
generate an application enrollment token (AET) and sign company
apps. For more information about how to export the certificate in
PFX format, see Export a Certificate with the Private Key.
4. Windows Intune generates an application enrollment token (AET)
so that you can enroll phones in the company account. This is
required so that users can install the Company Portal app.
To prepare the Company Portal app for distribution to users, you must first
download the app, and then ensure that it is signed with a certification authority
that is trusted by the users’ devices. To download and sign the app, complete the
following steps:
5. Open the Windows Intune administrator console.
6. In the workspace shortcuts pane, click the Administration icon.
7. In the navigation pane, under Mobile Device Management, click
Windows Phone 8.
8. Under Step 3: Download the Company Portal app File, click the
Download the App File hyperlink.
9. Download the XapSignTool tool from the Windows Phone 8 SDK.
10. To sign the Company Portal app, follow the instructions in the
“Signing the XAP by using the XapSignTool tool” section in How to
precompile managed assemblies and sign a company app. You
must sign the Company Portal app with the Symantec enterprise
mobile code-signing certificate that you obtained when you
completed step 3b.
Before distributing the Company Portal app to users, you must upload the signed
Company Portal app file to Windows Intune. During the upload process, you will be
prompted to provide the code-signing certificate. The Company Portal app will
then be automatically made available to members of the All Users group in
Windows Intune, so that you do not have to explicitly create a deployment to make
it available.
Enrolling Windows Phone Devices in Windows Intune
Enrollment establishes a relationship among a user who is provisioned in
Windows Intune, the user’s device, and the Windows Intune service. Users must
enroll their devices in Windows Intune to access and install applications that you
distribute. Enrollment enables the following:
Windows Intune to identify the device
Windows Intune to identify the user of the device
The device to contact the Windows Intune service
The Windows Intune service to contact the device through a notification
service
Windows Intune and the device to exchange management
communications securely
Follow-up tasks, such as hardware inventory and the application of
security policies, to be triggered
The names of the devices that users enroll should appear in the Windows Intune
administrator console within a few hours of enrollment.
To enroll a Windows Phone 8 Device
To enroll their devices, users must enter their Windows Intune user ID or their
existing on-premises Active Directory credentials using the following steps:
1. On the Windows Phone 8 device, select Settings, then system, and select
Company Apps.
2. Select add account, and enter your company credentials in the Company
Apps dialog.
After the Windows Phone 8 device is enrolled, users will be prompted to install the
Company Portal app, which users can then use to install apps provided by their
administrator.
During enrollment, the Windows Intune service checks to confirm that:
The account for the organization is active.
The user is provisioned in Windows Intune.
The user has not exceeded the maximum allowed number of devices per
user. Each user who is provisioned in Windows Intune can enroll a
maximum of five devices.
Resources
For more information about all the aspects of using Windows Phone in your
company, see Windows Phone for Business
(http://www.windowsphone.com/en-US/business/for-business).
To learn more about Windows Phone 8 Device Management and Windows Intune,
or for more complete guidance for managing Windows Phone and other mobile
devices, additional information is available at:
“Using Windows Intune for Direct Management of Mobile Devices” at
http://technet.microsoft.com/en-us/library/jj733632.aspx
“Customizing the Windows Intune Company Portal” at
http://technet.microsoft.com/en-us/library/jj662649.aspx