Page 1: Mobile Device Management Design Considerations Guide

Mobile Device Management

Design Considerations Guide

Published August, 2015

Version 2.0

Copyright

This guide is provided “as-is”. Information and views expressed in this guide, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This guide does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this guide for your internal, reference purposes.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Microsoft Intune, Microsoft System Center 2012 R2 Configuration Manager, Mobile Device Management for Office 365, Office 365, Windows, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Introduction, page 1
Design considerations overview, page 3
  Step 1 - Identify your mobile device management requirements, page 3
    Task 1: Identify your business needs, page 3
    Task 2: Specify your mobile device management location requirements, page 5
    Task 3: Develop your mobile device management adoption strategy, page 6
  Step 2 - Plan for mobile device management tasks, page 13
    Task 1: Understanding the mobile device management lifecycle, page 13
    Task 2: Gather monitoring requirements, page 18
    Task 3: Determine network resource requirements, page 19
    Task 4: Define your mobile device management lifecycle strategy, page 23
  Step 3 - Plan for enhancing mobile devices protection, page 40
    Task 1: Gather your data protection requirements, page 41
    Task 2: Specify your privacy requirements, page 43
    Task 3: Specify your access requirements, page 44
    Task 4: Develop your incident response requirements, page 45
    Task 5: Plan your mobile device security strategy, page 46
  Step 4 - Plan for Software as a Service (SaaS) mobile device management, page 63
    Task 1: Identify your SaaS requirements, page 64
    Task 2: Identify your SaaS solution / on-premises infrastructure integration needs, page 67
    Task 3: Develop your SaaS mobile device management adoption strategy, page 70
Next steps and resources, page 74
  Mobile device management solutions, page 74
  Mobile device management documentation, page 74
  Mobile device management resources, page 75


Introduction

With all of the different design and configuration options for mobile device management (MDM), it’s sometimes difficult to determine which combination will best meet the needs of your organization. This design considerations guide will help you to understand mobile device management design requirements and will detail a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs of your organization.

Throughout the steps and tasks, this guide will present the relevant technologies and feature options available to organizations to meet functional and service quality (such as availability, scalability, performance, manageability, and security) level requirements.

Specifically, the goals of this guide are to help you answer the following questions:

- What questions do I need to answer to drive an MDM-specific design for a technology or problem domain that best meets my requirements?
- What is the sequence of activities I should complete to design an MDM solution for the technology or problem domain?
- What MDM technology and configuration options are available to help me meet my requirements, and what are the trade-offs between those options so that I can select the best option for my MDM requirements?

Who is this guide intended for? Information technology architects and professionals responsible for designing a mobile device management solution for medium or large organizations.

How can this guide help you? You can use this guide to understand how to design a mobile device management solution that is able to manage company-owned devices as well as user-owned devices in different form factors.

Figure 1 - Example of a hybrid Intune and System Center 2012 R2 Configuration Manager MDM solution

Figure 1 is an example of a hybrid solution that leverages cloud services to integrate with on-premises capabilities in order to manage all types of devices, regardless of their location. Although this is a very common scenario, every organization’s MDM design might differ from the example due to each organization’s unique management requirements.

This guide details a series of steps and tasks that you should follow to assist you in designing a customized MDM solution that meets your organization’s unique requirements. Throughout the following steps and tasks, this guide covers the relevant technologies and feature options available to you to meet the functional and service quality level requirements for MDM.

Though this guide can help you design an MDM solution, it does not discuss specific implementation or operations options for the management solutions. You can find detailed deployment and configuration steps for Microsoft Intune, Mobile Device Management for Office 365, and Microsoft System Center in the TechNet Library using the links available in the Next Steps section located at the end of this guide.

Assumptions: You have some experience with Intune, System Center 2012 R2 Configuration Manager (ConfigMgr), Windows Server 2012 R2, and mobile devices running Android, iOS, and Windows Phone. You may have even deployed one of these solutions in an initial MDM test or limited production environment. In this guide, we assume you are looking for how these solutions can best meet your business needs on their own or in an integrated solution.

Design considerations overview

This guide covers a set of steps and tasks that you can follow to design a solution that best meets your requirements. The steps are presented in an ordered sequence. However, design considerations you learn in later steps may prompt you to change decisions you made in earlier steps as your design matures or due to conflicting design choices. We’ll alert you to potential design conflicts throughout this guide.

You will develop a mobile device management design that best meets your requirements only after iterating through the following steps as many times as necessary to incorporate all of the considerations within this guide:

- Step 1 - Identify your device management requirements
- Step 2 - Plan for mobile device management
- Step 3 - Plan for secure mobile devices
- Step 4 - Plan for SaaS mobile device management

Step 1 - Identify your mobile device management requirements

The first step in designing a mobile device management solution is to determine the management platform requirements that will be used to support your mobile devices. Overall mobile device adoption for your company will dictate the platform requirements. If you decide to adopt a single management solution to manage all your mobile devices, you may disregard the multi-platform requirements for your solution. You’ll need to go over your company’s business strategy to fully understand your current and future business requirements. If you don’t have a long-term strategy for mobile device adoption, chances are that your solution won’t be scalable as your business needs grow and change.

Task 1: Identify your business needs

Each company will have different requirements. Even if these companies are part of the same industry, the real business requirements might vary. You can still leverage best practices from the industry, but ultimately it’s the company’s business needs that will identify the requirements for the mobile device management solution.

To help identify your business needs, answer the following questions:

- Device ownership: You must understand the device ownership policy for your company.
  o Who owns the mobile device?
    - The employee?
    - The company?
    - Both?
- Platforms: Understanding which mobile device operating systems will be used by the company is very important for adoption and supportability decisions.
  o Which mobile device operating systems will be supported?
    - Android?
    - iOS?
    - Windows?
    - Windows Phone?
    - All of them?
    - A mix of the above options?
  o Which mobile OS version will be supported?
    - Only the latest?
    - Current -1 (current version plus the previous version)?
- Applications: Since the main reason to embrace mobility is to increase productivity, the applications (apps) used by employees must be able to run on all the mobile device operating systems used in your organization. This is an important point to consider, because while some companies might have their most important apps fully portable to run in a mobile environment, others might need to understand what options are available that can help them deploy their apps to mobile devices. To assist you in identifying individual app requirements, ask yourself the following questions.
  o Do the apps require Internet access from users’ devices?
  o Do the apps collect any user personal information?
    - If so, do the apps inform users about privacy issues and data collection while being installed?
  o Do the apps require integration with cloud services?
  o Were the apps developed to run on a specific operating system, or are they capable of running on any operating system?
  o Do you plan to enable users to use apps via remote desktop from their own devices?
  o Do the apps require full-time access to corporate resources, or can they run in offline mode?
  o Do the apps have any integration with social networks?
  o Will all apps be available to BYOD users?
  o How do you plan to deploy these apps to users’ devices?
  o What are the deployment options for these apps?
  o Does the installation requirement vary according to the target device, or is it the same?
  o How much space on a target device is necessary in order to install each app?
  o Do the apps encrypt the data before transmitting it through the network from the users’ devices to the app server on the back end?
  o Can the apps be remotely uninstalled via the network, or do they need to be uninstalled via the devices’ consoles?
  o Do the apps work in a low-latency network?
  o Do the apps provide authentication capabilities?
    - If so, which authentication method do the apps use?
- Users: One of the main points in embracing mobility is to put the user at the center of the mobility solution and enable the user to be more productive, while keeping company data secure and available. It is therefore important to understand what the users’ requirements are.
  o Will the user be able to bring their own device and access the company’s resources?
    - If yes, what are the requirements to access the company’s resources?
  o Does your company have users with different needs?
    - If yes, how will each user profile impact the mobility strategy?
  o Will users be able to access all apps that they have access to in the on-premises environment via their mobile device?
    - If not, which apps will be available for the users?
    - Are those apps available for all supported mobile device platforms?
    - Will it be necessary to modify or update any apps in order to run them on all supported mobile device platforms?
  o Do your users only need basic access to email (including calendar, contacts, and tasks) features?

During this task, you should also evaluate whether the company has existing management and compliance policies in place for mobile devices and how these policies might affect the mobile device management solution selection.

Note

Make sure to take notes of each answer and understand the rationale behind the answer. Task 3 will go over the available options and advantages/disadvantages of each option. By having answered these questions, you’ll be able to select which solution best suits your business needs.

Task 2: Specify your mobile device management location requirements

Location requirements are one of the many factors that you should take into consideration when designing your mobile device management strategy. Location is important from the mobile device management solution perspective as well as from the device itself. Answer the following questions:

- Track users: For some kinds of mobile device control, you might need to implement policies that can restrict access to company resources based on a user’s location.
  o Does the company need to implement mechanisms to cover geo-fencing, or the ability to enforce policies based on the geographic location of the device?
  o Does the company need to keep track of where the user was geographically located when they accessed a company resource?
- Administration model: Depending on the mobile device management solution that you deploy, administration can be distributed across different sites (locations) or centralized in a single location. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments, though it has fewer options to accommodate future growth. Determine whether MDM control should be centralized or distributed.
  o Does your company need a centralized administration model?
    - Does the device management solution need to be located on-premises?
    - If not, can it be located in the cloud?
    - If not, can it be hybrid?
  o Does your company need a decentralized model where different locations should have autonomy over the device management administration?

Note

Make sure to take notes of each answer and understand the rationale behind the answer. Task 3 will go over the available options and advantages/disadvantages of each option. By having answered these questions, you’ll be able to select which solution best suits your business needs.

Task 3: Develop your mobile device management adoption strategy

In this task, you’ll develop the mobile device management adoption strategy that will meet the business requirements that you identified in Tasks 1 and 2.

Task 3a: Device ownership

After reviewing your organization’s current policy and strategy to manage devices, you should have a list of scenarios that your organization plans to implement. Table 1 will help you understand the advantages and disadvantages of each scenario:

Table 1

Scenario: Employee owns the device (BYOD)
  Advantages:
    - Your company does not need to buy mobile devices for the employees
    - Usually allows employees to be more productive since they will be using the mobile device of their choice
    - Support costs may decrease since the organization will have limited support over the mobile devices
  Disadvantages:
    - Increases the amount of security considerations to protect company data located on personal devices
    - Increases the likelihood of data leakage, especially when appropriate security controls aren’t in place
    - Limited management capability due to privacy restrictions

Scenario: Company-owned device
  Advantages:
    - Full management capability, including device hardening and security controls
    - More control over mobile devices
    - Capability of defining which mobile devices will be used by employees
  Disadvantages:
    - Potential increases in support costs, since the organization will maintain the mobile devices
    - Less flexibility for end users, which may affect their productivity
    - Cost increases, since the organization will have to buy mobile devices

Your organization might need to implement a mixture of elements from these scenarios. In that case, the device management platform must be able to manage multiple platforms while integrating with the current on-premises infrastructure.

Task 3b: Supported mobile device platforms

The decision you made regarding device ownership will help you identify which mobile device platforms you’ll support. The mobile device management solution that you choose will have to accommodate this decision. In a single mobile device platform scenario, the platform choice will not be as relevant as in the multi-platform scenario. Use Table 2 to help you choose the mobile device management solution for a multi-platform scenario:

Table 2

MDM option: Intune (standalone)
  Advantages:
    - Always-on cloud service that supports the latest MDM features and updates
    - Supports provisioning all major mobile device operating systems (Android, iOS, Windows 8, Windows 10, and Windows Phone)
    - Allows you to manage any mobile device from any location
    - More advanced management options for mobile devices
    - Mobile application management capability
  Disadvantages:
    - Lack of integration with the current device management solution located on-premises will introduce an additional management interface for you to use
    - Policies created using the on-premises MDM solution are not replicated to the cloud service

MDM option: MDM for Office 365
  Advantages:
    - Integrated with Office 365
    - If you’re already using Office 365, the MDM capabilities are easily leveraged to manage mobile devices
    - If you’re already using Office 365, you won’t need to use another console to manage mobile devices
  Disadvantages:
    - Limited set of capabilities (see the note that follows this table) to manage mobile devices
    - Lack of integration with the current device management solution located on-premises will introduce an additional management interface for you to use

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Native integration between Intune and ConfigMgr
    - Allows you to use a centralized console to deploy policies and manage on-premises PCs, servers, and mobile devices
  Disadvantages:
    - Requires additional configuration steps to connect Intune and ConfigMgr
    - If the organization does not have a current ConfigMgr infrastructure on-premises, it will have to plan, install and configure this platform prior to the integration

Note

If you only need to manage access to work email, calendar, contacts, and tasks from mobile devices, learn about the Exchange ActiveSync device management capabilities available in Office 365.

Task 3c: Application requirements

Based on the requirements that were defined in Task 1, you can choose which mobile device management solution best fits your organization. Use Table 3 to compare the MDM options, and the advantages and disadvantages of each option.

Table 3

MDM option: Intune (standalone)
  Advantages:
    - Allows you to manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal. Read Deploy software to mobile devices in Microsoft Intune for more information.
    - Allows you to specify a list of compliant apps that users are allowed to install and noncompliant apps, which must not be installed by users. Read Manage devices using configuration policies with Microsoft Intune for more information.
    - Allows you to set restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external data backup, and the transfer of data between apps. Read Control apps using mobile application management policies with Microsoft Intune for more information.
  Disadvantages:
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution. Policies created using an on-premises MDM platform aren’t replicated to the cloud service, requiring two sets of management and compliance policies (if you have an on-premises MDM solution)

MDM option: MDM for Office 365
  Advantages:
    - Provides MDM capabilities across OS platforms, such as password requirements
  Disadvantages:
    - Limited set of capabilities to control apps
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.
    - No ability to deploy apps and apply mobile application management capabilities
    - No advanced MDM capabilities

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Inherits app control settings from Intune standalone
    - Provides an integrated management experience (between Intune and ConfigMgr)
    - Leverages Configuration Manager app management capabilities. Read Application Management in Configuration Manager for more information.
    - Allows you to use a single console to deploy policies and manage application policies for on-premises PCs, servers, and mobile devices
  Disadvantages:
    - Requires additional steps to set up the integration
    - If your organization does not have a current on-premises ConfigMgr infrastructure, you must plan, install, and configure the ConfigMgr platform first

Task 3d: Track requirements

Understanding user behavior and being able to identify users’ location are important factors to include in your mobile device management strategy. How devices will be tracked will vary according to your business requirements and needs. Different tracking capabilities are available in each mobile operating system, so the mobile device platforms you choose to support will impact your options. For example, compliance requirements may influence you to prioritize adopting mobile device platforms that allow you to track a user’s location and use geofencing.

Note

Geofencing allows you to monitor a mobile device’s geographic location and enable/disable device and network resources based on that location. For example, Windows 8.1 allows an app to define a geographical region and have the system alert the app when the device it's running on enters or exits that area. For more information about this feature in Windows 8.1, read Geofencing, start to finish (XAML).

The MDM authority must also be geolocation-aware and communicate with the mobile device to obtain the information that allows it to enforce geofencing restrictions. Table 4 compares the advantages and disadvantages of the MDM options.

Table 4

MDM option: Intune (standalone)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read Use policies to manage computers and mobile devices with Microsoft Intune for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.

MDM option: MDM for Office 365
  Advantages: Not available
  Disadvantages: Not available

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read the article Compliance Settings for Mobile Devices in Configuration Manager for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - If your organization doesn’t have a current on-premises ConfigMgr infrastructure, you must plan, install, and configure the ConfigMgr platform first

Task 3e: Administration model

The administration model that you choose will vary according to your business requirements. If the mobile device management solution needs to be located on-premises, you must evaluate what capabilities are available in your current infrastructure to accommodate mobile device management for devices that can be located in the cloud or on-premises. After evaluating this, you might decide that you should keep the core management on-premises and integrate with a cloud mobile device management solution, which leads you to choose the hybrid scenario. Review Table 1 to see the advantages and disadvantages of using a standalone, cloud, or hybrid MDM solution.

Note

Be aware that Intune Standalone has limited capabilities for delegated admin. ConfigMgr in a hybrid scenario provides greater control and delegation for delegated admin.

One strategic aspect of how an organization will manage their mobile devices is to understand the current management platform capabilities and the administration model in place. For example, organizations that have a headquarters and multiple branch offices might be using a distributed administration model where each branch office has control over the management platform for that location.

Most of the time, an administration model is already in place when a company decides to embrace mobility by deploying a mobile device management solution. However, you must ensure that the current infrastructure will be able to handle the requirements introduced by the adoption of a mobile device management solution.

Figure 2 is an example of an organization with a central administration site, with multiple primary sites and multiple secondary sites:

Page 14: Mobile Device Management Design Considerations Guide

12 Mobile Device Management Design Considerations

Figure 2: Example of a central administration site hierarchy

The administration model shown here describes an on-premises infrastructure. In this case, the

company already has a device management solution in place for managing their on-premises

devices.

With an administration model like the one shown in Figure 2, you have the following

advantages:

You can schedule and throttle network traffic when you distribute deployment content to

distribution points.

Discovery data records (DDRs) for unknown resources transfer by using file-based replication

from a primary site to the central administration site for processing.

Role-based administration provides a central security model for the hierarchy, and you do

not have to install sites to provide a security boundary. Instead, you use security scopes,

security roles, and collections to define what administrators can see and manage in the

hierarchy.

Note

For more information on how to plan for ConfigMgr Sites and Hierarchy, read Planning

for Configuration Manager Sites and Hierarchy.

You can deploy ConfigMgr using a single stand-alone primary site, or as multiple sites in a

hierarchy. When you plan your initial deployment, consider a design that can scale for future

growth in your organization. Planning for expansion is important because the changes from

Page 15: Mobile Device Management Design Considerations Guide

Mobile Device Management Design Considerations 13

previous versions of the product mean that ConfigMgr can now support more clients with fewer

sites.

High availability factors should also be considered when designing your management hierarchy.

At each site that will have ConfigMgr installed, you deploy site system roles to provide the

services that you want clients to use at that site. The site database contains the configuration

information for the site and for all clients. This allows you to provide high availability of the site

database, and the recovery of the site and site database if needed.

Note

For more information on how to plan for ConfigMgr high availability, read the article

Planning for High Availability with Configuration Manager

Another important point to consider regarding the administration model is how you will delegate administration among your staff. Ideally the management platform will support role-based access control (RBAC). While this is one method of restricting and managing what users, operators and administrators can manage, it is not the only method and it might not be required for your business. Step 3 of this document covers RBAC in more detail and how to identify whether you need this capability.
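The role-based administration model described above (security roles say what an administrator may do, security scopes and collections say which objects that applies to) can be exercised with a small authorization check. The following is an added example written for this guide, not ConfigMgr's code or API; the role names, operations, scope names and collection names are assumptions.

```python
# Illustrative role-based administration check: security roles define WHAT an
# administrator may do, security scopes and collections define WHICH objects.
# Example code added for this guide, not the ConfigMgr implementation; the role
# names, operations, scope and collection names are assumptions.
from dataclasses import dataclass

ALL_SCOPES = "All"               # assumed wildcard scope
ALL_COLLECTIONS = "All Systems"  # assumed wildcard collection


@dataclass(frozen=True)
class SecurityRole:
    name: str
    permissions: dict   # object class -> frozenset of permitted operations


@dataclass(frozen=True)
class AdminUser:
    name: str
    roles: frozenset
    scopes: frozenset
    collections: frozenset


@dataclass(frozen=True)
class ManagedObject:
    object_id: str
    object_class: str                       # "Device", "Application", ...
    scope: str                              # security scope the object is tagged with
    collections: frozenset = frozenset()    # collections a device belongs to


ROLES = {
    "Full Administrator": SecurityRole("Full Administrator", {
        "Device": frozenset({"read", "retire", "wipe", "modify"}),
        "Application": frozenset({"read", "deploy", "delete"}),
    }),
    "Mobile Device Operator": SecurityRole("Mobile Device Operator", {
        "Device": frozenset({"read", "retire"}),   # may retire, may not wipe
    }),
    "Read-only Analyst": SecurityRole("Read-only Analyst", {
        "Device": frozenset({"read"}),
        "Application": frozenset({"read"}),
    }),
}


def authorize(admin, obj, operation, roles=ROLES):
    """Return (allowed, reason). Every check must pass: some assigned role grants
    the operation on the object class, the object's scope is assigned to the
    admin, and a device lies in one of the admin's collections."""
    granted = set()
    for role_name in admin.roles:
        granted |= roles[role_name].permissions.get(obj.object_class, frozenset())
    if operation not in granted:
        return False, f"no role of {admin.name} grants '{operation}' on {obj.object_class}"
    if ALL_SCOPES not in admin.scopes and obj.scope not in admin.scopes:
        return False, f"scope '{obj.scope}' is not assigned to {admin.name}"
    if obj.object_class == "Device" and ALL_COLLECTIONS not in admin.collections:
        if not (obj.collections & admin.collections):
            return False, f"{obj.object_id} is outside the collections of {admin.name}"
    return True, "allowed"


def visible_objects(admin, objects):
    """What the admin sees in the console: the objects they may at least read."""
    return [o for o in objects if authorize(admin, o, "read")[0]]


# Constructed sample data: a regional help-desk operator and a global admin.
EMEA_OPERATOR = AdminUser("emea-helpdesk", frozenset({"Mobile Device Operator"}),
                          frozenset({"EMEA"}), frozenset({"EMEA Mobile Devices"}))
GLOBAL_ADMIN = AdminUser("mdm-admin", frozenset({"Full Administrator"}),
                         frozenset({ALL_SCOPES}), frozenset({ALL_COLLECTIONS}))
PHONE_EMEA = ManagedObject("phone-0001", "Device", "EMEA",
                           frozenset({"EMEA Mobile Devices", "All Mobile Devices"}))
PHONE_APAC = ManagedObject("phone-0002", "Device", "APAC",
                           frozenset({"APAC Mobile Devices", "All Mobile Devices"}))
DEVICES = [PHONE_EMEA, PHONE_APAC]

if __name__ == "__main__":
    for admin in (EMEA_OPERATOR, GLOBAL_ADMIN):
        print(admin.name, "sees", [o.object_id for o in visible_objects(admin, DEVICES)])
        for op in ("retire", "wipe"):
            print(" ", op, PHONE_EMEA.object_id, authorize(admin, PHONE_EMEA, op))
```

The three checks are deliberately independent: a help-desk operator who holds a role that permits "retire" still cannot touch a device outside their scope or collection, and a global administrator's wildcard scope does not grant an operation their role lacks.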

Step 2 - Plan for mobile device management tasks

Managing mobile devices, both company-owned and user-owned, includes several important

lifecycle management decisions. After you’ve determined the mobile device platforms,

applications, and user requirements for your organization, you’ll also need to identify how to

manage each of these areas in a way that aligns your overall MDM strategy with other

management and support policies.

In this step, we’ll examine MDM enrollment, management, monitoring, and reporting lifecycle

requirements.

Task 1: Understanding the mobile device management lifecycle

Understanding the different areas of managing mobile devices is important when designing

your mobile device management solution. Figure 3 outlines the overall mobile device

management lifecycle stages. Each stage has unique requirements and questions for you to

consider when planning your solution.

We’ll start with the enrollment stage in this section, and the other stages will be covered in more detail throughout this guide.

Figure 3 – Mobile device management lifecycle stages

Device enrollment and configuration

Mobile device management starts with the initial enrollment and configuration of devices into your mobile device management solution. Simplicity and ease of registration and enrollment are the key factors for success in the mobile device management lifecycle. If initial device enrollment is difficult or overly confusing, both you and your users may be reluctant to go ahead with a mobile device management solution, which means you can’t take advantage of the features, benefits, and protections that the solution can deliver.

Mobile device enrollment in mobile device management solutions is typically initiated in one of two ways:

• Administrator-managed enrollment

• User/owner self-enrollment

Administrator-managed enrollment offers a centrally managed enrollment experience, and

typically is centered on bulk enrollment of multiple devices using a single directory account. This

is useful if you need to enroll many company-owned devices into your mobile device

management solution.

With self-enrollment, the device user/owner enrolls their device in the mobile device management solution. This is typically used in “bring your own device” (BYOD) scenarios, although it can also be used in scenarios where the company owns the device. This type of enrollment typically uses a “push-based” enrollment model, where devices are automatically triggered to enroll in the mobile device management solution when the user tries to connect to the corporate network or a network resource from the device. Users can sometimes also elect to enroll their devices before connecting to an organization’s network or resources.

Enrolling and configuring mobile devices includes the following:

• Deploying, accessing, and managing internal and external applications and services

• Enforcing device security and access configurations

• Protecting devices from security threats

In most cases, when a mobile device is enrolled in a mobile device management solution, the

device is automatically assigned policies and permissions that you have associated with the

device user’s directory account and/or the group the device itself is associated with in directory

services. Depending on the mobile device management solution, most of the configuring and

provisioning of device policies and permissions is done before device enrollment. Then policy

and compliance settings take effect as soon as the devices enroll, avoiding gaps between

enrollment and compliance.

Device enrollment and configuration planning questions: To plan for MDM lifecycle

management, answer the following planning questions about device enrollment and

configuration:

• Will mobile devices be enrolled by you, by users, or both?

• Do you need the ability to bulk-enroll mobile devices?

• What is the maximum number of devices you’ll need to bulk-enroll?

• Do the mobile operating system platforms in your organization have different bulk-enrollment requirements and resources?

• How many devices will each user typically use and need to enroll?

• Does the mobile device management solution have a per-user device enrollment limit?

• What are the requirements (connectivity, application, management agent, company portal, support) for users to self-enroll devices?

• Is this different from the requirements for administrator-managed enrollment?

• What are the enrollment requirements for each device operating system you need to support?

• Do the mobile device operating systems in your organization have special or unique enrollment requirements?

• Does the mobile device management solution support both connected and over-the-air enrollments?

• What are the hardware requirements (if any) for supporting device enrollments?

• What are the network connectivity and network security requirements for supporting device enrollments?

• Do you need specific device compliance policies applied to devices upon initial enrollment?

• Do you need specific device security policies applied to devices upon initial enrollment?

• Do you need the ability to configure or set a maximum or minimum time limit for provisioning device policies after initial enrollment?

• Do you require special provisioning policies to be automatically triggered in the event of enrollment failures?

Device management

How mobile devices are managed, both from your perspective and the device user’s perspective,

is a key component of a mobile device management solution.

For example, you may want to integrate the way mobile devices are managed with how non-

mobile devices (servers, desktops, other networked devices) are managed. Depending on the

organization, non-mobile device management solutions may have been in place long before

mobile devices were introduced to the organization. This may have been at considerable cost

and may include long-term investments in these management solutions.

Thoroughly understanding how your organization can integrate mobile device management

solutions with existing non-mobile device management solutions is likely one of the most

important activities to complete when designing a mobile device management solution that

meets the needs of your organization.

Mobile device management typically involves several administrative areas:

• Device security and configuration: Mobile device security includes a wide range of settings that you can deploy to managed devices in your organization. Settings can include specifying the timing, expiration, and required characteristics for device passcode access, device encryption, and erasing data from lost or stolen devices. More details about security and configuration are in the Plan for secure mobile devices section.

• Application management: This area includes managing application deployment, installation, updating and status, and application removal. You can also manage restrictions on certain non-compliant applications, which can be central to an overall compliance and security strategy.

• Company resource access: MDM can also help manage access to on-premises network resources, such as email servers, Wi-Fi networks, and VPN-enabled resources. This serves a dual purpose of helping to ensure security compliance and making it easier for mobile device users to access company resources according to company policy. If accessing organization resources is overly complex or difficult for mobile device users, they may opt to store company data in non-approved resources because it’s easier.

• Inventory and reporting: When you manage mobile devices, you’ll want to record and analyze mobile device and platform events to track compliance with the management policies in your organization. Detailed reporting can also provide you with real-time statistics and data so that you can make faster, better decisions based on the status of mobile devices and mobile device users. More details about inventory and reporting are included in a later section.

Device management planning questions: For now, focus only on the key administration aspects, as you are still defining the requirements. You can refine these requirements as you iterate on your plan and better understand the overall needs of your organization. Answer the following planning questions about device management:

• Do you need specific management policies applied to groups of users, groups of devices, and/or groups of device operating systems?

• Do you need specific management policies for different types of devices? For example, separate policies for user-owned or company-owned devices, or mobile devices and non-mobile devices?

• Do you need to separate device management rights and permissions among several IT roles or positions? If so:

   o What separation of permission levels is required?

   o Do the permission levels supported by the solution need to be customizable?

   o Do the permissions need to be integrated into your existing account directory services?

• Do you need the ability to both manually and automatically deploy the mobile device management solution agents or software?

• Do you want to integrate managing mobile devices with an existing non-mobile device management solution? If so:

   o Do you want to manage all devices from a unified management console or portal?

   o What are the integration requirements for your existing non-mobile device management solution?

   o How does your existing non-mobile device management solution support required management roles and permissions?

   o Are there hardware or networking requirements to connect management services between the mobile device management and the non-mobile device management solutions?

   o Do both solutions have separate or integrated inventory and reporting systems?

• Does the mobile device management solution have a company portal for users to install their apps?

• Does the mobile device management solution meet your company’s scalability requirements?

• Does the mobile device management solution support remote administration?

• Does the mobile device management solution support automation?

Device retirement/unenrollment

When users leave your organization or mobile devices are retired or replaced, you need to make sure that corporate data isn’t lost or compromised. Typically, mobile device management solutions support both IT-managed and user-managed device resets and unenrollment. With most mobile devices, unenrollment starts with resetting the device to factory defaults or performing a selective wipe of all corporate data and applications. Then the device’s enrollment connection to the management solution is removed. However, the process varies between mobile device manufacturers and device operating system platforms.

Device retirement/unenrollment planning questions: Answer the following planning questions about device retirement and unenrollment.

• Do you need the ability for both IT and users to unenroll mobile devices?

• If a device is selectively wiped, should it be automatically unenrolled from the mobile device management solution?

• If mobile device users can unenroll their mobile devices, how will the removal of corporate data and applications be verified?

   o Is this different for devices that are selectively wiped and devices that are reset to the factory default setting?

Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and advantages/disadvantages of each option.

Answering these questions will help you select the option that best suits your business

needs.

Task 2: Gather monitoring requirements

Monitoring and capturing status and event information for mobile devices is vital to ensuring that users and devices are in compliance with your corporate policies and security strategy. This is especially important for organizations that must comply with governmental regulatory requirements and industry compliance guidelines.

Reporting can also provide valuable information about software, hardware, and software licenses in your organization to assist with inventory management.

Be aware of the importance of user privacy when you’re establishing monitoring and reporting guidelines, especially when users can enroll personally owned devices in your organization’s mobile device management solution. Your organization should not be able to capture, monitor, report, or share any personal activity or information.

In general, mobile device management solutions divide monitoring into two general areas:

• Logging: Capturing and storing mobile device and mobile device application status and information.

• Reporting: Displaying reports or notifications, including standard and customizable reports that can be created on demand, and automatic summary and dashboard status reports.
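As an added example that is not part of the original guide, the following shows how the privacy point above can be enforced at collection time, with the logging and reporting areas built on the filtered records rather than on everything the device could report. The field names, the sample device records and the seven-day stale threshold are constructed assumptions.

```python
# Illustrative inventory collection and reporting that honours device
# ownership: a personally owned (BYOD) device reports only the fields needed
# to judge compliance, a corporate device reports the full inventory.
# Example code added for this guide; field names, sample records and the
# seven-day stale threshold are constructed assumptions.
from collections import Counter
from datetime import datetime, timedelta

# Fields a corporate-owned device may report.
CORPORATE_FIELDS = {
    "device_id", "ownership", "platform", "os_version", "encrypted", "pin_set",
    "last_checkin", "managed_apps", "all_apps", "phone_number", "location",
}
# Fields a personally owned device may report: enough for compliance, but no
# personal app list, phone number or location.
PERSONAL_FIELDS = {
    "device_id", "ownership", "platform", "os_version", "encrypted", "pin_set",
    "last_checkin", "managed_apps",
}


def collect_inventory(raw):
    """Apply the ownership-based field filter before anything is stored."""
    allowed = CORPORATE_FIELDS if raw["ownership"] == "corporate" else PERSONAL_FIELDS
    return {k: v for k, v in raw.items() if k in allowed}


def is_compliant(record):
    return record["encrypted"] and record["pin_set"]


def build_report(records, now, stale_after=timedelta(days=7)):
    """Summarise the filtered inventory for a dashboard-style report."""
    by_platform = Counter(r["platform"] for r in records)
    non_compliant = sorted(r["device_id"] for r in records if not is_compliant(r))
    stale = sorted(r["device_id"] for r in records
                   if now - datetime.fromisoformat(r["last_checkin"]) > stale_after)
    return {
        "total": len(records),
        "by_platform": dict(by_platform),
        "non_compliant": non_compliant,
        "stale_devices": stale,
    }


def unenroll(records, archive, device_id, when):
    """Retire a device: move its last inventory record to the archive, stamped
    with the unenrollment time, so history survives for audit while the device
    disappears from live reports. Returns the remaining live records."""
    live = [r for r in records if r["device_id"] != device_id]
    for r in records:
        if r["device_id"] == device_id:
            archive.append({**r, "unenrolled_at": when.isoformat()})
    return live


# Constructed sample records, as they would arrive from the devices.
RAW_RECORDS = [
    {"device_id": "corp-0001", "ownership": "corporate", "platform": "Windows Phone",
     "os_version": "8.1", "encrypted": True, "pin_set": True,
     "last_checkin": "2015-08-10T09:00:00", "managed_apps": ["Company Portal", "Outlook"],
     "all_apps": ["Company Portal", "Outlook", "Maps"], "phone_number": "+1-555-0100",
     "location": "Building 7"},
    {"device_id": "byod-0002", "ownership": "personal", "platform": "iOS",
     "os_version": "8.4", "encrypted": True, "pin_set": False,
     "last_checkin": "2015-08-11T17:30:00", "managed_apps": ["Company Portal"],
     "all_apps": ["Company Portal", "Photos", "Banking"], "phone_number": "+1-555-0101",
     "location": "Home"},
    {"device_id": "byod-0003", "ownership": "personal", "platform": "Android",
     "os_version": "5.1", "encrypted": True, "pin_set": True,
     "last_checkin": "2015-07-20T08:00:00", "managed_apps": ["Company Portal"],
     "all_apps": ["Company Portal", "Games"], "phone_number": "+1-555-0102",
     "location": "Cafe"},
]
NOW = datetime(2015, 8, 12, 12, 0, 0)

if __name__ == "__main__":
    inventory = [collect_inventory(r) for r in RAW_RECORDS]
    print(build_report(inventory, NOW))
    archive = []
    inventory = unenroll(inventory, archive, "byod-0003", NOW)
    print(build_report(inventory, NOW), archive)
```

The filter runs before storage on purpose: a report cannot leak a personal field that was never logged, which is easier to demonstrate to an auditor than a filter applied at report time.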

Monitoring planning questions: Answer the following planning questions about device

monitoring.

• What types of regular reports for mobile devices will you need?

   o Device inventory?

   o Device usage?

   o Device access?

   o Device applications?

• Will reports need to be shared?

   o Between IT roles?

   o Outside of the IT organization?

   o Accessed remotely (outside of the corporate network)?

• What types of issues or problems with devices will you need to identify?

• What types of events captured in monitoring will need to be acted upon? In what time frame?

• Will you need customized, on-demand reports?

• When a device is unenrolled, should specific inventory and reporting events be captured?

• After a device is unenrolled, should legacy inventory and reporting events be archived/maintained?

Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and the advantages/disadvantages of each option. Answering these questions will help you select the option that best suits your business needs.

Task 3: Determine network resource requirements

Enabling secure, managed access to a wide variety of corporate resources by mobile devices is an important feature of a mobile device management solution. While these resources have typically been located in on-premises networks, it’s now common for resources to also be hosted on cloud-based web services and external networks.

How mobile devices connect to corporate email platforms, virtual private networks (VPNs), and corporate wireless (Wi-Fi) networks all play an important role in keeping corporate data and other resources protected from unauthorized access. Equally important is making it convenient and easy for mobile device users to securely access these resources, to avoid users finding a more convenient but less secure method of storing or accessing resources.

Email management

Corporate email is typically the primary data resource most users need access to on a corporate network, whether from a personally owned or a company-owned mobile device. Access to email is also typically the connection that triggers initial mobile device enrollment. Being able to manage email access for mobile devices across both your existing non-mobile device management solution and the mobile device management solution helps avoid device coverage gaps and increases the protection for data stored on email servers.

Most mobile device management solutions provide email access protection by using one or both of the following features:

• Email profiles: By setting up and deploying email profiles, administrators can automatically configure mobile devices with the appropriate email server information for users to connect to their mailboxes. This helps users connect to the correct email server without having to remember the right email server endpoint names or network addresses. In addition, by removing an email profile, administrators can remove email from devices as part of a device reset or selective wipe process. Email profile management can be a feature of a non-mobile device management solution, or can be integrated with a mobile device management solution.

• Conditional email access: Conditional email access, or “managed” email access, typically focuses on security and compliance for accessing email on a mobile device rather than on which endpoint the mobile device connects to. With conditional email access, a compliance policy is defined and assigned to individual users or devices, or to groups of users and/or devices. The policy outlines the prerequisites that have to be in place before a mobile device can connect to an email resource; for example, a PIN might be required on the device. The policy is typically enforced when the device first enrolls, but remains in place and active as long as the mobile device is enrolled in the mobile device management system.
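The push-based enrollment described under Device enrollment and configuration and the conditional email access described above meet at one decision point: a device asks for a corporate resource, and the gateway either sends it into enrollment, quarantines it with the reasons, or lets it through. The following added example (written for this guide, not an Intune, ConfigMgr or Exchange API) shows that decision; the policy fields, thresholds and device records are constructed assumptions.

```python
# Illustrative access gateway for a mobile device that tries to reach a
# corporate resource such as email. Example code added for this guide, not an
# Intune, ConfigMgr or Exchange API; policy fields and device records are
# constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CompliancePolicy:
    require_pin: bool = True
    min_pin_length: int = 6
    require_encryption: bool = True
    max_inactivity_minutes: int = 15
    block_jailbroken: bool = True
    min_os_version: dict = field(default_factory=dict)  # platform -> (major, minor)


@dataclass
class DeviceState:
    device_id: str
    platform: str
    os_version: tuple
    enrolled: bool
    pin_set: bool = False
    pin_length: int = 0
    encrypted: bool = False
    inactivity_timeout_minutes: Optional[int] = None   # None = no auto-lock at all
    jailbroken: bool = False


def evaluate(policy, device):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if policy.require_pin:
        if not device.pin_set:
            violations.append("passcode not set")
        elif device.pin_length < policy.min_pin_length:
            violations.append(f"passcode shorter than {policy.min_pin_length} characters")
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    timeout = device.inactivity_timeout_minutes
    if timeout is None or timeout > policy.max_inactivity_minutes:
        violations.append(f"auto-lock not within {policy.max_inactivity_minutes} minutes")
    floor = policy.min_os_version.get(device.platform)
    if floor is not None and device.os_version < floor:
        have = ".".join(map(str, device.os_version))
        need = ".".join(map(str, floor))
        violations.append(f"{device.platform} {have} below required {need}")
    if policy.block_jailbroken and device.jailbroken:
        violations.append("device is jailbroken or rooted")
    return violations


def access_decision(policy, device):
    """Decide what the gateway does with a connection attempt.

    Unenrolled devices are redirected into enrollment (the push-based model:
    trying to use a resource is what triggers enrollment). Enrolled devices
    are re-evaluated on every attempt, not only at enrollment time, so a
    device that drifts out of compliance is quarantined rather than allowed."""
    if not device.enrolled:
        return "redirect_to_enrollment", ["device not enrolled in MDM"]
    violations = evaluate(policy, device)
    if violations:
        return "quarantine", violations
    return "allow", []


POLICY = CompliancePolicy(min_os_version={"iOS": (8, 0), "Android": (4, 4)})

# Constructed sample devices.
COMPLIANT = DeviceState("ios-001", "iOS", (8, 4), enrolled=True, pin_set=True,
                        pin_length=6, encrypted=True, inactivity_timeout_minutes=5)
NO_PIN = DeviceState("android-002", "Android", (5, 1), enrolled=True, pin_set=False,
                     encrypted=True, inactivity_timeout_minutes=10)
UNENROLLED = DeviceState("ios-003", "iOS", (8, 4), enrolled=False)
OLD_OS_ROOTED = DeviceState("android-004", "Android", (4, 1), enrolled=True, pin_set=True,
                            pin_length=8, encrypted=True, inactivity_timeout_minutes=5,
                            jailbroken=True)

if __name__ == "__main__":
    for d in (COMPLIANT, NO_PIN, UNENROLLED, OLD_OS_ROOTED):
        print(d.device_id, access_decision(POLICY, d))
```

Returning every violation, not just the first, is what lets the quarantine message tell the user exactly what to fix before they retry, which keeps the help-desk cost of conditional access down.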

Email management planning questions: Answer the following planning questions about

email management.

• How will mobile devices connect to your existing on-premises or cloud-hosted email system?

• If mobile devices are already connecting to your existing email system, what connection type or protocol are the devices using to connect?

• Will administrators or users (or a combination of both) be responsible for connecting mobile devices to your email system? If users will be connecting mobile devices to the email system, how will they:

   o Choose the proper connection point to access their email mailbox?

   o Choose the proper connection protocol or connection method?

• Will mobile devices need to meet certain security and compliance standards before connecting and while remaining connected to your email system?

• Do you need the ability to create custom email security and compliance connection policies? If so, what are the specific requirements?

• Will you need the ability to import or export email security and compliance connection policies?

• How do you need to manage connections to your email system?

   o By device user?

   o By device type?

   o By device OS?

   o By user group or role?

• When a mobile device needs to be disconnected from your email system, how will email data be deleted from the mobile device?

• Will both administrators and users need the ability to delete email data or the connection to the email system?

• How will email data deletion be verified or confirmed?

• If you’re currently managing mobile device connections to email resources with an existing protocol or management method, how does it integrate with the mobile device management solution?

• If you’re using both an on-premises and a cloud-based email system, how do they integrate with the mobile device management solution? Are email profiles or managed access policies administered the same or differently from the IT perspective? Is the user email connection experience the same or different depending on where their mailbox is hosted?

Network connectivity management

Mobile devices typically connect to corporate networks and resources by using the following access technologies:

• Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises network extension service for devices that are in close physical proximity to the on-premises network. This usually involves allowing mobile devices to connect to network resources as users roam from location to location in an on-premises office, such as conference and meeting rooms, different offices, or other on-premises areas. It can also include wireless access from remote locations over wireless access points not managed by the company, such as the user’s home network or a public wireless access point. To simplify connections to wireless networks, administrators usually manage these connections using wireless profiles that outline the specific settings mobile devices must have in place before they can connect to the wireless network. This may include automatically configuring a custom network name, network Service Set Identifier (SSID), security settings, network proxy, and whether or not the device should automatically connect to the wireless network when the device is in range.

• Virtual Private Network (VPN): Secure remote access to corporate resources often includes using a defined VPN connection type from the mobile device. This is often vendor-specific and includes the installation of a VPN application on the mobile device. Additionally, these VPN applications often use either digital certificates or separately managed user account credentials to authenticate the VPN connection. To simplify connections to VPNs, administrators can usually manage these connections using VPN profiles or the VPN management tools included with the VPN solution. Depending on integration support, managing VPN connections with the mobile device management solution may or may not be an option with certain VPN platforms.

Note

You may have other web-based resources, such as SharePoint, that use secure access via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Be sure you understand how mobile devices will access these resources, or resources with separate VPN or secure access methods.

Network connectivity management planning questions: Answer the following planning

questions about network connectivity management.

• How will the Internet be accessed from the mobile device?

   o By using Wi-Fi? If so, do the devices require access via a proxy? Proxy authentication?

• Will your Wi-Fi infrastructure require updating to accommodate increased device connections and increased bandwidth demands?

• How will mobile devices connect to your existing on-premises wireless or VPN platform?

• If mobile devices are already connecting to your existing wireless or VPN platform, what connection type or protocol are the devices using to connect?

• Will changes to these connections be needed if the devices are enrolled in a mobile device management solution?

• Will administrators or users (or a combination of both) be responsible for connecting mobile devices to your wireless or VPN platform? If users will be connecting mobile devices to the wireless or VPN platform, how will they:

   o Choose the proper connection point to access the corporate network?

   o Choose the proper connection protocol or connection method?

   o Choose the proper digital certificate for the connection method?

• Do you want to automatically configure wireless and VPN connection properties and settings on users’ mobile devices?

• Do you need to provide different wireless network configuration or security settings to different types of users, devices, device operating systems, or user groups and roles?

• Will you need the ability to import or export wireless and/or VPN configuration or security connection policies?

• Which of the following wireless security protocols do you need to support?

   o WPA-Personal

   o WPA2-Personal

   o WPA-Enterprise

   o WPA2-Enterprise

   o WEP

• If you need to support WPA-Enterprise or WPA2-Enterprise, which of the following Extensible Authentication Protocol (EAP) types do you need to support?

   o EAP-TLS

   o PEAP

   o EAP-FAST

   o LEAP

   o EAP-SIM

• Which type of non-EAP authentication connection do you need to support?

   o Unencrypted passwords (PAP)

   o Challenge Handshake Authentication Protocol (CHAP)

   o Microsoft CHAP (MS-CHAP)

   o Microsoft CHAP Version 2 (MS-CHAP v2)

• What type of VPN platform do you have deployed in your on-premises network?

• Is the VPN platform supported by, or able to be integrated with, the mobile device management solution?

• If the VPN platform is already integrated with or supported by an existing non-mobile device management solution, does the mobile device management solution integrate with both systems?

Note

WEP and LEAP are cryptographically broken and PAP sends the password in the clear. If any of them show up in your answers, treat them as legacy exceptions to be retired rather than as design targets for the wireless profiles you deploy.

Certificate management

Digital certificates, issued either by your own certification authority or by a third-party Certification Authority (CA), may be used to authenticate mobile devices to network connections or specific network resources. To simplify managing digital certificates, administrators usually manage certificates using certificate profiles. This allows a uniform, centralized method for managing certificates, including how they are created, issued, and renewed. This also helps users connect to corporate resources without having to request and install certificates manually or by using a non-approved security process.

However, using certificates for this type of authentication often requires additional on-premises infrastructure. This may include all or some of the following network components, depending on the level of integration supported by the mobile device management solution:

• Directory services: Directory services, such as Microsoft Active Directory, are usually required to securely connect and manage all other network components.

• Certification Authority (CA) server: If you’re issuing certificates from your own PKI rather than obtaining them from a third-party CA, you’ll need a certification authority to create, issue, manage and renew digital certificates.

• Network Device Enrollment Service (NDES) server: This server allows software and mobile devices to obtain certificates from the CA using the Simple Certificate Enrollment Protocol (SCEP).

• Proxy server: Depending on your on-premises network configuration, you may require a proxy server that allows mobile devices to receive certificates over an Internet connection without directly connecting to your internal corporate network.
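An added example of the renewal side of certificate profile management, written for this guide rather than taken from NDES or SCEP: each device certificate is classified against a renewal threshold expressed as a percentage of its validity period, which is how MDM certificate profiles commonly express when a device should start renewing. The sample certificates, the profile names and the 20% threshold are constructed assumptions.

```python
# Illustrative certificate-profile lifecycle tracking: for each device
# certificate decide whether it is fine, due for renewal, expired or revoked,
# using a renewal threshold given as a percentage of the validity period.
# Example code added for this guide, not the NDES/SCEP protocol itself; the
# sample certificates and the 20% threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DeviceCertificate:
    device_id: str
    profile: str             # certificate profile that issued it, e.g. "VPN-EAP-TLS"
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def renewal_due_at(cert, threshold_percent):
    """Renewal starts when the remaining lifetime drops below the threshold
    share of the total validity period."""
    validity = cert.not_after - cert.not_before
    return cert.not_after - validity * (threshold_percent / 100.0)


def classify(cert, now, threshold_percent=20):
    if cert.revoked:
        return "revoked"           # must be re-issued, never renewed
    if now >= cert.not_after:
        return "expired"           # the device has already lost access
    if now >= renewal_due_at(cert, threshold_percent):
        return "renew"
    return "ok"


def renewal_batch(certs, now, threshold_percent=20):
    """Return (renew, reissue), each ordered by urgency: certificates the
    profile should renew in place, and those that need a fresh enrollment
    because they are already expired or revoked."""
    renew = [c for c in certs if classify(c, now, threshold_percent) == "renew"]
    reissue = [c for c in certs
               if classify(c, now, threshold_percent) in ("expired", "revoked")]
    renew.sort(key=lambda c: c.not_after)
    reissue.sort(key=lambda c: c.not_after)
    return renew, reissue


# Constructed sample: one-year certificates issued at different times.
NOW = datetime(2015, 8, 12)
CERTS = [
    DeviceCertificate("phone-0001", "WiFi-EAP-TLS", datetime(2015, 6, 1), datetime(2016, 6, 1)),
    DeviceCertificate("phone-0002", "WiFi-EAP-TLS", datetime(2014, 10, 1), datetime(2015, 10, 1)),
    DeviceCertificate("phone-0003", "VPN-EAP-TLS", datetime(2014, 7, 1), datetime(2015, 7, 1)),
    DeviceCertificate("phone-0004", "VPN-EAP-TLS", datetime(2015, 3, 1), datetime(2016, 3, 1),
                      revoked=True),
]

if __name__ == "__main__":
    for c in CERTS:
        print(c.device_id, c.profile, classify(c, NOW),
              "renew after", renewal_due_at(c, 20).date())
    renew, reissue = renewal_batch(CERTS, NOW)
    print("renew:", [c.device_id for c in renew],
          "re-issue:", [c.device_id for c in reissue])
```

A percentage threshold rather than a fixed number of days keeps the renewal window proportional when profiles issue certificates of different lifetimes, and the revoked case is kept separate because a revoked certificate must go through issuance again, not through the renewal path.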

Certificate management planning questions: Answer the following planning questions about certificate management.

• Does your organization already require or use digital certificates to authenticate access to network resources?

• Do you have an existing enterprise public key infrastructure (PKI)?

• Do you need to automatically issue digital certificates to mobile devices?

• How are digital certificates created, issued, renewed, or revoked for mobile devices?

• Are digital certificates centrally managed by an on-premises or third-party Certification Authority (CA)?

• Do you need to have different certificates assigned for access to different network services? Is this dependent on the type of mobile device accessing the network?

Note

Make sure to take notes of each answer and understand the rationale behind the answer.

Task 4 will go over the options available and the advantages/disadvantages of each option. Answering these questions will help you select the option that best suits your business needs.

Task 4: Define your mobile device management lifecycle strategy

In this task, you’ll refine the mobile device management lifecycle strategy to meet the management requirements you identified in Tasks 1-3.

Task 4a: Device enrollment options

Enrolling devices in Intune, whether standalone or connected to System Center 2012 R2 Configuration Manager (ConfigMgr), requires that you prepare the service for the devices. Enrolling mobile devices in MDM for Office 365 also requires that you activate MDM, configure basic settings, and include each user in a security policy; users then respond to an enrollment message the next time they sign in to Office 365 on their mobile device. They must complete the enrollment and activation steps on each mobile device they will use to access Office 365 email and documents.

Intune standalone needs to be configured to define the Mobile Device Management Authority

solution, which can be either Intune or an on-premises ConfigMgr infrastructure. This simply

means “which management platform do you want to use to manage Intune-enrolled devices –

Intune OR ConfigMgr?” It’s very important to understand the impact of choosing the best option

for your organization, as the management solution cannot be easily changed once chosen. If

you need to change this configuration later, you’ll have to contact Microsoft Support for

assistance.

For most organizations that are already using ConfigMgr to manage PCs, servers, and other devices, connecting the on-premises solution with Intune and managing devices with ConfigMgr is usually the best choice. To assign the mobile device management authority to ConfigMgr, you create an Intune subscription from within the ConfigMgr console and select the option to allow ConfigMgr to manage the Intune subscription and Intune-enrolled devices.

Additionally, before you can enroll certain types of mobile devices running different mobile operating systems, you’ll need to prepare the Intune service or MDM for Office 365 with specific configuration requirements. For example, if you plan to enroll Apple iOS-based devices, you’ll need to configure Intune with an Apple Push Notification service (APNs) certificate prior to enrolling iOS-based devices. If this isn’t configured, Intune can’t communicate with APNs or with iOS-based devices. Mobile devices running Android or Windows Phone operating systems have separate enrollment requirements.

Your answers to the questions in Task 1 will help you decide how you want devices to be

enrolled in your mobile device management solution. Table 5 below compares the advantages

and disadvantages of each enrollment scenario.

Table 5

Enrollment scenario: Administrators enroll all mobile devices

Advantages:

• Administrators closely control the enrollment of all devices, effectively pre-screening any device or user at the beginning of the enrollment process

• Each device is enrolled without any user interaction, reducing device enrollment errors

• Easier to support more complex, automated, bulk, or highly customized device enrollment processes

• Support/help desk costs may decrease since experienced administrators are performing the device enrollments

Disadvantages:

• If supporting a BYOD strategy, increased likelihood that administrators may see or expose sensitive user personal information if appropriate security controls are not in place

• Users may have to arrange times with you to drop off and pick up mobile devices, requiring device enrollment scheduling and tracking

• Modern mobile device users may feel that this centralization is cumbersome and inconvenient, leading to user-defined workarounds that may compromise enrollment security and compliance processes

Enrollment scenario: User self-enrolls mobile devices

Advantages:

• More convenient and flexible for device owners/users

• Quicker device enrollment than a centralized enrollment process in most cases

• Offloads relatively simple administration tasks from you to your users, saving time, scheduling, tracking, and administration overhead costs

Disadvantages:

• Potential increase in support costs or help desk calls; less-experienced users may need personal help with enrollment

Your organization might want to allow both of these enrollment scenarios, taking a flexible approach to permit different methods for different departments or situations. If so, your mobile device management solution must be able to support both scenarios.

Task 4b: Device enrollment and provisioning options

When a user can use and enroll their own device, this increases the requirements for both the user and IT, and impacts several areas. For example, Figure 4 shows an overview of the enrollment process for an organization using both Intune and ConfigMgr. This example outlines the certificate, web application, and synchronization considerations that you'll need to address when planning your solution:

Figure 4 - Overview of the enrollment process for mobile devices using hybrid Intune and ConfigMgr

1. With Windows Server 2012 R2, a new concept known as device registration was introduced. Users can register their devices for single sign-on and access to corporate data using Workplace Join. As part of this registration process, a certificate is installed on the device. In return for registering their device and making it known to the device management solution, the user gains access to corporate resources that were previously not available outside of their domain-joined PC.

2. Users can enroll devices, which configures the device for management with Microsoft Intune using the Company Portal, and then use the Microsoft Intune Company Portal for easy access to corporate applications and data and to manage their own devices, performing tasks such as remotely wiping them in the event they are lost, stolen or replaced.

3. You can publish access to corporate resources with the built-in capability available in Windows Server 2012 R2 called Web Application Proxy, based on device awareness (i.e. is it registered) and the user's identity. Multi-factor authentication can be used through Azure Active Authentication.

4. In order to provide administrators with a unified view of their entire environment, the data from Intune is synchronized with ConfigMgr, which provides unified management across both on-premises and cloud environments.

5. As part of the enrollment process, a new device object is created in Active Directory. This device object establishes a link between the user and their device, making it known to the device management solution and allowing the device to be authenticated, effectively a seamless two-factor authentication.

Depending on how you answered the questions in Task 1, you should be able to determine how you want devices to be managed in the mobile device management solution. Table 6 below shows the advantages and disadvantages of each provisioning option.

Table 6

Enrollment & provisioning option: Intune (standalone)

Advantages:
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
- A cloud-based service; mobile devices can be enrolled from any location with Internet access
- Devices may be enrolled via a centralized, customizable Company Portal
- Advanced device provisioning options for mobile devices

Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform

Enrollment & provisioning option: MDM for Office 365

Advantages:
- Integrated with Office 365 tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.1, and Windows Phone)
- Basic device provisioning options for mobile devices

Disadvantages:
- Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
- Separate device compliance and security policies for the cloud-based service and the on-premises management platform
- Less advanced device provisioning options

Enrollment & provisioning option: Hybrid (Intune with ConfigMgr)

Advantages:
- Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
- Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, and Windows Phone), and includes provisioning for all major non-mobile device operating systems
- Supports advanced device provisioning options for mobile devices via Intune connectivity

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
- For organizations that don't have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

For more details about mobile device enrollment and provisioning options, make sure to review how to enable mobile device enrollments in Microsoft Intune and compare these requirements and procedures to enable mobile device enrollments in ConfigMgr and MDM for Office 365.

Task 4c: Device management options

Managing mobile devices with Intune and ConfigMgr centers around management policies. Policies define groups of settings for mobile devices and can be either created from templates or customized for specific devices, users, or groups. The best management practice is to create management policies before mobile devices are enrolled in the management solution. This ensures that the devices are immediately managed in accordance with the policies and processes defined in your IT strategy. Both solutions allow for configuring the following policy types:

Configuration policies: Configuration policies are used to define the general organizational settings for each enrolled mobile device. This may include device password, application, cloud policy, and encryption settings, but can include many other device settings for different management areas. Additionally, configuration policies are applied and configured differently for different types of mobile device operating systems by using device enrollment profiles.

Tip

When creating different policies for different types of devices, users, or groups, it's easy to have conflicting policy settings applied to the same device. Be sure that you understand how conflicting policy settings are applied.

Compliance policies: Compliance policies enforce your organization's requirements for mobile devices to access (or be denied access to) company resources or services. This can also include device password and encryption settings, as well as determining if the mobile device is rooted ("jail-broken"). As with configuration policies, Intune and ConfigMgr compliance policy options also vary by mobile device operating system type. If you're creating compliance policies in ConfigMgr, it's important to note that increased granularity can be configured as part of a multi-part process:

1. Creating configuration items

2. Creating configuration baselines

3. Deploying the configuration baselines to ConfigMgr user or device collections

Conditional access policies: Conditional access policies define how access to email is managed and can be used separately or in conjunction with compliance policies. Connections to your Exchange Server or Exchange Online service must be configured in Intune or in ConfigMgr before conditional access policies can be deployed. Conditional access can also be configured for Office 365 and SharePoint Online services.

Your answers to the questions in Task 1 can help you determine how you want devices to be enrolled in the mobile device management solution. Table 7 below will help you understand the advantages and disadvantages of each management scenario.

Table 7

Management option: Intune (standalone)

Advantages:
- Supports simplified policy control for managing users and devices, now separated by device platform. Supports Android, iOS, Windows 10, Windows 8.x, and Windows Phone platforms, as well as support for Exchange ActiveSync.
- Provides a simple, web-based administration & management console that is accessible from any location
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows for selective wipe or full factory reset for all mobile devices
- Includes a customizable Company portal, allowing the managed and secure distribution of internal and 3rd party mobile applications
- Deploy certificates to mobile devices
- Allows organizations to prevent cut/copy/paste functions in mobile applications
- Supports enforcing the use of managed browsers

Disadvantages:
- Additional licensing requirements and costs for user accounts enrolling devices in the Intune service

Management option: MDM for Office 365

Advantages:
- Integrated web-based administration and management console within Office 365 tenants
- Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
- Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
- Allows selective wipe or full factory reset for all mobile devices

Disadvantages:
- Advanced mobile device management features aren't supported, including:
  o Provisioning and managing certificates, email, VPN, wireless profiles
  o Enrolling and managing collections of devices
- Some mobile application management features and functionality aren't supported:
  o Deploying line of business applications to mobile devices
  o Enabling secure data access to Office mobile applications
  o Extending corporate data securely to line of business apps for mobile devices
  o Managed browsers or other content viewing applications

Management option: Hybrid (Intune with ConfigMgr)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o Provides a single pane of glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell)

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
- For organizations that don't have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
- VPN and email profiles for Android devices aren't currently supported
- Managed browser support isn't currently supported

Task 4d: Device monitoring options

Monitoring and understanding the status and configuration of all mobile devices managed by your organization helps you discover problems and non-compliance, and manage device inventory. Without detailed reports on hardware, software, and compliance status, it's impossible to make sure that your device policies are actually in place and working correctly. Proactive monitoring helps mitigate small problems before they become larger and more costly.

Intune, MDM for Office 365, and a hybrid deployment of Intune and ConfigMgr all include monitoring and reporting to help manage devices, users, and compliance with your organization's policies and procedures. Using built-in reports together with customized reports, you can monitor mobile device management in areas such as:

- Update reports for software
- Software inventory reports
- Hardware inventory reports
- Licensing reports
- Non-compliance reports

Depending on how your infrastructure is set up, you may be able to create a variety of reports to help you monitor your organization. Intune-based monitoring and reporting capabilities are the backbone for reports in MDM for Office 365, as well as Intune standalone deployments. These reports can also be tightly integrated with the reporting capabilities of ConfigMgr when it's connected to Intune in a hybrid deployment. Each product, as shown below, has different but complementary reporting capabilities. It's important to explore the nuances of the reporting capabilities of each mobile device management solution to help make sure you choose a solution that has the reports that you need.

Figure 5 – Integrated mobile device monitoring and reporting

The answers you gave to the questions in Task 2 can help you determine your monitoring and reporting needs for your mobile devices. Table 8 below shows the advantages and disadvantages of the monitoring and reporting features in each MDM solution.

Table 8

Monitoring option: Intune (standalone)

Advantages:
- Monitoring overview/dashboard
- Alerts when errors are detected on direct managed network devices
- An Intune service RSS feed can notify you about problems with the service and upcoming maintenance
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device
- Can monitor details in the following areas:
  o System
  o OS
  o Storage
  o Exchange ActiveSync
  o System enclosure
  o Network
  o Service

Disadvantages:
- Email alerts only, no text-based or voice alerts

Monitoring option: MDM for Office 365

Advantages:
- Monitoring overview/dashboard
- Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
- Can filter alerts by device type
- Can review the status of any managed device

Disadvantages:
- Mobile device compliance status reports only

Monitoring option: Hybrid (Intune with ConfigMgr)

Advantages:
- All the monitoring and reporting features of Intune standalone, plus the following:
  o Comprehensive, threshold-based, consolidated monitoring and reporting for all your organization's devices, including non-mobile and non-Intune enrolled devices
  o Advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience provided by Reporting Services Report Builder

Disadvantages:
- Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
- For organizations that don't have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

Explore the details about mobile device monitoring options by reviewing the following:

- Intune: How to monitor mobile devices and Manage reporting
- ConfigMgr: Monitoring mobile devices and Manage reporting
- MDM for Office 365: Overview and device management tasks

Task 4e: Email management options

The main reason for implementing a mobile device management solution is usually to provide managed access to corporate email from mobile devices. For example, in MDM for Office 365, you can create a security policy that provides basic managed access to email mailboxes hosted in Exchange Online or access through Office apps (on iOS and Android). This policy enforces basic mobile device compliance settings, such as requiring a device password and device encryption, before the device is allowed to connect to a user mailbox.

You follow a similar process to configure email management options in Intune and in hybrid Intune and ConfigMgr deployments. The primary difference is that you can implement more advanced email management options than you can in MDM for Office 365. For example, using Intune standalone, you can configure conditional email access to allow access to mailboxes hosted on both Exchange Online and Exchange on-premises, as well as configure customized email profiles. Intune enables these features by using configuration and compliance policies. Hybrid Intune and ConfigMgr deployments also support conditional email access, but only for mailboxes hosted on Exchange Online.

In the scenario shown below in Figure 6, the user has enrolled their device in Intune and is now trying to access their corporate email using Office 365 or Exchange on-premises. Based on the settings defined by the IT administrator at their company, Intune runs a policy verification process. In this scenario, the user's access is granted if the device is encrypted, a passcode is set, and the device isn't jailbroken or rooted. If a user tries to access corporate email and their device is not enrolled, or is not compliant based upon settings defined by the IT admin, the user will receive an email explaining why their access has been blocked along with steps for how to resolve the issue.

Figure 6 – Conditional email access

Your answers to the questions in Task 1 can help you determine how you want devices to be managed in the mobile device management solution. Table 9 below lists the advantages and disadvantages of email management in each MDM solution.

Table 9

Email management option: Intune (standalone)

Advantages:
- Supports email management for all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
- Can leverage native mobile device email applications via integration with Exchange ActiveSync
- Integration with Exchange Online via the Service-to-Service connector to allow cross-platform monitoring and reporting between Intune and Office 365
- Supports configuration of email profiles for managing Exchange ActiveSync-based settings on mobile devices
- Conditional email access to resources

Disadvantages:
- Email profiles aren't supported for Android-based mobile devices

Email management option: MDM for Office 365

Advantages:
- Allows Exchange ActiveSync support for password, encryption, and rooted device compliance
- Allows device management policies and requiring device enrollment before access is granted to Office and OneDrive for Business apps (iOS and Android)
- Conditional email access to resources

Disadvantages:
- Some advanced email management options aren't supported
- Deploying email profiles isn't supported (except iOS)

Email management option: Hybrid (Intune with ConfigMgr)

Advantages:
- Intune on-premises connector for hybrid connectivity with Exchange Online
- Integration with Exchange ActiveSync (the most strict policy setting is enforced)
- Email profiles
- Conditional access to restrict email access to Exchange Online
- Compliance policies to define the rules and settings the device must comply with in order to be allowed access to the services
- Conditional access policies for each service define rules for security groups, Intune groups, or how unenrolled devices are managed

Disadvantages:
- Managed access to email only available for mailboxes hosted on Exchange Online, not mailboxes hosted on Exchange on-premises
- The service-to-service connector should not be configured if you enable conditional access for both Exchange Online and Exchange on-premises

Explore the details about mobile device email configuration management options by reviewing the following:

- Intune: How to enable email profiles and conditional email access
- ConfigMgr: Enabling email profiles and conditional email access
- MDM for Office 365: Capabilities of mobile device management

Task 4f: Network connectivity management options

Depending on your infrastructure, mobile devices might be able to connect to corporate resources from a variety of Internet connectivity services, which are often secured by VPN-protected endpoints.

By using Intune or a hybrid deployment with ConfigMgr, you can deploy Wi-Fi profiles to provision Wi-Fi networks, so a device can auto-connect to the network when it is in range. For example, mobile devices can be configured to connect to a Wi-Fi network segmented to a conference room, and then switch to a different Wi-Fi network segment when roaming to another location. Users don't have to enter passwords or choose a network; the connection works automatically.

Intune and ConfigMgr can also deploy VPN profiles directly to mobile devices, to let users access internal corporate resources without extra configuration or manual work. Additionally, Intune can configure mobile devices to automatically start a VPN connection based on the type of resource or method of access. Be aware, however, that the configuration requirements for doing this differ between mobile device operating systems.

Your answers to the questions in Task 3 can help you determine how you want devices to connect to corporate resources. Be aware that currently, MDM for Office 365 doesn't support managing wireless and VPN network resources for mobile devices.

Table 10 below lists the advantages and disadvantages of managing wireless and VPN networks using Intune standalone and hybrid Intune with ConfigMgr.

Table 10

Network management option: Intune (standalone)

Advantages:
- Supports wireless and VPN profiles on all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
- Supports industry leading VPN connection types, including Cisco, Juniper, Dell SonicWall, Checkpoint, and others
- Wireless and VPN profiles can be integrated with SCEP certificate profiles for increased security
- Supports configuring customized wireless and VPN profiles for different types of users, devices, device operating systems, or user groups and roles
- DNS name-based initiation support for Windows 10, Windows 8.1, Windows Phone 8.1, and iOS
- Application ID based initiation support for Windows 10 and Windows 8.1

Disadvantages:
- To support VPN profiles, you'll need to deploy and maintain an on-premises VPN infrastructure

Network management option: MDM for Office 365

Advantages: Not available

Disadvantages: Not available

Network management option: Hybrid (Intune with ConfigMgr)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o VPN profiles are supported by your existing on-premises enterprise VPN infrastructure

Disadvantages:
- To support VPN profiles, you'll need to deploy and maintain an on-premises VPN infrastructure
- Specific security permissions must be granted to manage Wi-Fi profiles and VPN profiles in ConfigMgr

Explore the details about mobile device wireless and VPN profile management options by reviewing the following:

- Intune: Enable wireless and VPN profiles
- ConfigMgr: Enabling wireless and VPN profiles

Task 4g: Certificate management options

Using digital certificate management and certificate profiles is supported by both Intune standalone and hybrid Intune and ConfigMgr deployment scenarios. These features allow you to deploy trusted root certificates to mobile devices, as well as Simple Certificate Enrollment Protocol (SCEP) based profiles that instruct mobile devices to get additional certificates from an NDES server in your organization.

Since SCEP is natively supported by iOS, Windows 10 and 8.1, and Windows Phone 10 and 8.1, and is also supported through the Windows Intune Company Portal app for Android, using this enrollment protocol has the advantage that the private key is generated directly on the mobile device. The private key is never generated, cached, or stored by either ConfigMgr or Intune, which helps to keep the mobile device secure.

Figure 7 shows how Intune and ConfigMgr use the NDES to provide secure certificate provisioning to mobile devices using SCEP:

Figure 7 – Secure certificate provisioning

1. A policy that includes the properties of the certificate for SCEP enrollment is created on the Intune service.

2. Intune converts the policy to a platform-specific mobile device management protocol (like OMA-DM for Windows 10 and Windows 8.1) and sends it to the device.

3. The mobile device receives the policy and initiates an enrollment request to NDES.

4. NDES forwards the request to ConfigMgr.

5. ConfigMgr compares the attributes of the SCEP request for an authentication match and sends confirmation back to NDES.

6. NDES sends a certificate issuance request to the CA, and the CA sends the certificate to the NDES role.

7. The NDES role sends the certificate to the device.
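The seven-step exchange above, as an added example in Go using the standard library's x509 package (not Microsoft's code): the device generates its key pair and CSR locally, the authority (standing in for NDES, ConfigMgr and the CA in one process) compares the request attributes with the policy before issuing, and the device accepts only a certificate that the enterprise CA signed for its own key. The CertPolicy fields are assumptions, and for brevity the challenge travels next to the CSR instead of inside it as the challengePassword attribute real SCEP uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CertPolicy is step 1: the certificate properties an administrator puts in the
// SCEP profile (constructed for this example, not Intune's own schema).
type CertPolicy struct {
	SubjectCN string // subject the device must request
	Challenge string // one-time challenge the request must present
	ValidDays int
}

// DeviceRequest is step 3 on the mobile device: generate the key pair locally and
// sign a CSR with it. Only the CSR leaves the device; the private key stays here.
func DeviceRequest(p CertPolicy) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: p.SubjectCN}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// Authority stands in for NDES, ConfigMgr and the enterprise CA (steps 4 to 6).
type Authority struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	policy CertPolicy
}

// NewAuthority creates a self-signed enterprise CA that enforces the policy.
func NewAuthority(p CertPolicy) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Authority{CACert: cert, caKey: key, policy: p}, err
}

// Issue is steps 4 to 6: the request attributes are compared with the policy, and the
// CA signs a certificate for the device's public key only if every check passes.
func (a *Authority) Issue(csrDER []byte, challenge string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// A valid CSR signature proves the requester holds the matching private key.
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("CSR signature invalid: no proof of key possession")
	}
	if csr.Subject.CommonName != a.policy.SubjectCN {
		return nil, errors.New("requested subject does not match policy")
	}
	if challenge != a.policy.Challenge {
		return nil, errors.New("challenge does not match policy")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, a.policy.ValidDays),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, a.CACert, csr.PublicKey, a.caKey)
}

// DeviceInstall is step 7 on the device: accept the certificate only if the enterprise
// CA signed it and it is bound to the key this device generated.
func DeviceInstall(key *ecdsa.PrivateKey, certDER []byte, ca *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, errors.New("certificate is not bound to this device's key")
	}
	return cert, nil
}
```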

Depending on how you answered the questions in Task 3, you should be able to determine how you want certificates managed in the mobile device management solution. Currently, MDM for Office 365 doesn't support managing certificate profiles for mobile devices.

Table 11 below will help you understand the advantages and disadvantages of the certificate profile management for Intune and the hybrid Intune with ConfigMgr deployment scenario:

Table 11

Certificate management option: Intune (standalone)

Advantages:
- Supports certificate profiles on all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
- Platform supports the Simple Certificate Enrollment Protocol (SCEP)
- Certificate profiles can automatically configure mobile devices so that company resources can be accessed without having to install certificates manually or use a non-approved security process
- Certificates can be automatically revoked when the device is retired from management, selectively wiped, or blocked from the management hierarchy

Disadvantages:
- To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES

Certificate management option: MDM for Office 365

Advantages: Not available

Disadvantages: Not available

Certificate management option: Hybrid (Intune with ConfigMgr)

Advantages:
- All the advantages of Intune standalone, plus the following:
  o Also supports managing certificates for non-mobile devices

Disadvantages:
- To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
  o A server that runs the Network Device Enrollment Service
  o An Enterprise Certification Authority
  o The Intune NDES Connector, which installs on the server that runs NDES

For more details about mobile device certificate management options, read how to enable certificate profiles in Intune and compare these requirements and procedures to enabling certificate profiles in System Center 2012.

Step 3 - Plan for enhancing mobile device protection

While on-premises and remote users can be more productive by accessing company resources on their mobile devices, letting them do so also increases the security threats that you'll need to mitigate in order to help protect your company's data and maintain user privacy. Your company might have specific requirements about how to balance these needs. For example, compliance rules can vary depending on the industry in which your company operates, which may lead to different design decisions.

However, there are some general aspects of security in mobile device management to explore and conform to, regardless of the industry. These are shown in Figure 8.

Figure 8 – Security capabilities in an MDM solution

This diagram shows the core security capabilities required in any MDM solution. The key areas to consider are the following:

1. Considerations for data protection at the mobile device level:
   o Data encryption
   o Data classification
   o Client privacy
   o Containerization
   o Policy enforcement
   o Hardening

2. Considerations for data protection while in transit:
   o Data encryption
   o Authentication
   o Authorization

3. Considerations for data protection while at rest in your on-premises organization:
   o Data encryption
   o Authentication
   o Authorization

4. Considerations for data protection while at rest in the cloud:
   o Data encryption
   o Authentication
   o Authorization

The following tasks can help you understand how your specific security needs will influence your decision about the best MDM solution for your business requirements.

Task 1: Gather your data protection requirements To help define your organization’s data protection requirements for mobile devices, it helps to

first think about data protection requirements that your organization already has in place. For

example, perhaps your company has to comply with specific regulations, or you might already

have a policy regarding data protection.

Make note of these high-level requirements first, and then you’ll have a basis for asking more

granular questions that will help lead you to better design decisions for your MDM solution.

When defining these requirements, consider the following:

Data encryption at rest: As shown in Figure 8, company data will be stored on the

user’s mobile device. Consider if the following is important to your company:

o Does the MDM solution support encrypting the entire mobile device disk and SD

cards?

If yes, for which operating systems?

o Does the MDM solution support app data encryption?

If yes, for which operating systems?

If yes, for which apps?

Data encryption in transit: Regardless who owns the data, at some point during data

communication, the data is in transit between the mobile device and a company server

(or web service). You must understand what capabilities the MDM solution has in order

to protect data in transit. Consider if the following is important to your company:

o Does the MDM solution support data encryption in transit?

If yes, for which operating systems?

Page 44: Mobile Device Management Design Considerations Guide

42 Mobile Device Management Design Considerations

If yes, which capabilities are available?

o What options does the MDM solution have to protect data while in transit?

Data segregation: It’s also important to understand if your company’s data should be

treated differently from the user’s data. Segregation, separation, or isolation are some

terms that can be used to describe this capability. When designing your MDM solution,

consider:

o Does the MDM solution support data separation?

If yes, is it possible to erase your company’s data, while preserving the

mobile device user’s data?

o Does the MDM data separation capability ensure that only trusted apps can

access data located on the mobile device?

o Does the MDM solutions support data separation according to the user’s

identity?

o Does the MDM solution support containerization?

If so, is it possible to encrypt data located in a particular container?

• Hardening mobile devices: Since there might be different mobile device platforms used in your organization, you should understand what hardening capabilities are available in each mobile device platform. Each mobile device platform may control and harden devices using different methods and at different levels of granularity. If one set of mobile devices has a more granular set of configuration options than others, you’ll need a common set of options to harden the devices while using custom policies to enhance the security for each mobile device platform that your organization supports.

The list below includes common options that should be supported by the MDM solution to harden mobile devices:
  o Requiring a password to unlock mobile devices
  o Requiring a password type – minimum number of characters and character types
  o Minimum password length
  o Number of repeated sign-in failures to allow before the mobile device is wiped
  o Minutes of inactivity before the device screen turns off
  o Remembering password history – preventing the reuse of previous passwords
  o Password expiration (days)
  o Requiring encryption on the mobile device
  o Requiring encryption on storage cards
  o Allowing idle return without a password

Note
In Windows Phone 8.1, the policy Allow idle return without password can be configured using the Windows Phone 8.1 Enterprise Device Management Protocol.


Task 2: Specify your privacy requirements

While Task 1 focused on data protection and how to enhance the overall security of mobile devices to help keep company data protected, the second task of this step focuses on understanding your organizational requirements for privacy.

In the previous step, you defined device management tasks, including device management and content distribution management. In this task, the goal is to define the privacy requirements for company content that will reside on the mobile device.

Note
Read the solution Streamlined management for mobile devices and computers in a hybrid environment for more information about content distribution for mobile devices.

An organization’s privacy requirements will vary according to the industry, applicable regulations, and type of business. For example, you may want your MDM solution to allow you to perform basic hardware inventories, software inventories, file collections, and software distribution on mobile devices. Hardware inventory and software distribution are usually supported by default.

Keep in mind that privacy concerns that apply to your client computers for inventory and software distribution also apply to mobile devices.

Before choosing a mobile device management solution, consider your unique privacy requirements. For example, consider the following:

• Client Privacy: Allowing users to use their mobile devices to connect to and use company resources also means that they must understand your organization’s privacy policy and how this will affect their privacy.
  o Are you required to provide users with your company privacy policy, and what should it include?
    - If yes, does the MDM solution include the ability to easily provide a privacy policy to users?
  o Does the MDM solution store users’ mobile device information or data in the cloud?
    - If yes, how is the users’ privacy maintained in the cloud?
    - Who has access to their data?
    - How is their data kept private?

• Data Classification: It’s important to define what constitutes company data, and how it will be protected. Having policies and mechanisms in place to classify data should be part of the plan to ensure privacy when managing mobile devices.
  o Can you identify or classify company documents or data that will reside on the mobile device?
    - If yes, what type of data or document rights or permissions are supported?
  o Will this classification travel with the data or document, regardless of the mobile device that the user is using?
  o What type of data or documents can (or can’t) be classified?

Tip
Read the Microsoft Online Services Privacy Statement to better understand how Microsoft cloud services, including Intune, will maintain users’ privacy.

Task 3: Specify your access requirements

A mobile device that can’t use apps or access the company data needed to perform work isn’t useful for your employees. So it’s critical to understand how the data will travel from the source location (on-premises or cloud) to the mobile device.

Look back at Figure 8 to see the potential paths that the data will travel to and from mobile devices, and the considerations that should be in place for each path. Many companies that have security policies in place haven’t considered how mobile devices can increase the likelihood that corporate data might be leaked. So review your current company policies to ensure that the requirements you develop for authentication, authorization, and access control are aligned with your business requirements.

Answer the following questions to help determine the access requirements for mobile devices:

• Authentication and authorization: As part of the strategy to allow your users to access company data from mobile devices, you must identify which users are eligible for access. Some companies decide to initially allow data access for just a portion of their users, and then grant access to other employees as they request it, based on business need. To restrict access, your solution must authenticate (identify that the user is who they claim to be) and authorize (evaluate if the user should have access to the data that they are requesting) according to your company’s policy.

When designing your MDM solution, consider the following:
  o Does your organization have a current directory service that is used for authentication and authorization?
    - If yes, does the MDM solution integrate with your directory service to authenticate and authorize access to resources?
  o Does your organization need to have centralized authentication, or can it be hybrid?
  o Does your organization plan to have multi-factor authentication for mobile users?
  o Does your organization use an on-premises Public Key Infrastructure (PKI) to issue certificates?
    - If yes, does the MDM solution have the capability to perform authentication using digital certificates?
    - If yes, does the MDM solution have the capability to integrate with an existing on-premises PKI?
  o Does your organization need to use the current directory services to authenticate users accessing third-party apps?
    - If yes, does the MDM solution allow users to use single sign-on (SSO) to authenticate against third-party apps?

• Access Control: Once a user is authenticated and authorized, requests for access to a resource must be validated against the level of access for the user. The requested resource can be data or an app. When designing your solution, consider the following:
  o Does your company need to have different levels of control for you to manage the mobile devices and the MDM solution?
    - If yes, does the MDM solution support Role Based Access Control (RBAC)?
  o Does your company need to have different levels of access according to the user’s location?
    - If yes, does the MDM solution allow you to create access control restrictions according to the user’s location?
  o Does your company need to control access to apps?
    - If yes, does the MDM solution allow you to control access to apps installed on the mobile device?
  o Does your company need to control access according to a set of conditions?
    - If yes, does the MDM solution allow you to have conditional access control?
    - If yes, does the MDM solution allow you to enable or disable an application’s features according to the user’s identity?

Tip
Read Secure access to company resources from any location on any device to better understand how to leverage built-in Windows Server 2012 R2 capabilities in conjunction with ConfigMgr to provide access to your company resources.

Task 4: Develop your incident response requirements

While many organizations already have an incident response (IR) plan in place, you should check to make sure the plan includes mobile devices and what steps should be taken if an incident is reported on those devices. If your company is just now adding a mobility solution, it’s likely the current IR plan doesn’t cover mobile devices.

If your organization doesn’t have an IR plan, it is important to work closely with your security team to understand the requirements as you develop one, so you’ll know the right questions to ask when you’re choosing the best MDM solution for your needs.

Tip
Read Responding to IT Security Incidents to better understand the minimum requirements for an IR plan.

When designing your MDM solution, make sure you ask the following questions so you can make sure mobile devices can be managed if there’s an incident.
• Does your organization have an existing Incident Response Plan?
  o If yes, does it include processes and procedures for handling compromised mobile devices?
• Does the incident response policy cover scenarios where an end user reports that they’ve lost their mobile device?
  o Is it permissible to erase the entire device to avoid data leakage?
    - If it is, does your company have a backup policy in place for data that resides on mobile devices?
• Does your organization have different procedures for company-owned devices and personally-owned devices in case they are lost?
  o If yes, what are those procedures?
  o Will those procedures affect the selection of the MDM solution?
• If a user loses their personally-owned mobile device but they don’t authorize your company to erase the entire device, does the MDM solution allow selective device wipes?
• When a mobile device is compromised and you need to prevent that device from spreading malicious apps to the corporate network, does the MDM solution allow you to enforce policies that can rapidly contain the compromised device?
• Does the MDM solution allow you to plan for potential attacks so you can take proactive actions to address problems?
• Does the MDM solution allow you to identify when a file is infected with malware, by using a management console?

Task 5: Plan your mobile device security strategy

In this task, you will define the mobile device management security strategy to meet the business requirements that you defined in Tasks 1-4.

Task 5a: Data encryption

Now that you’ve answered the questions in Task 1 regarding the requirements for data encryption at rest and in transit, next you’ll evaluate the options that are available to address each requirement. Even when the data is at rest, it can be encrypted in different ways, as shown in Figure 9.

Figure 9 – Different levels of encryption

You can use full disk encryption or encryption based on the data handled by an app. ConfigMgr allows you to enforce policies that will perform file encryption on mobile devices. Although some mobile devices, like Windows Phone 8, are automatically encrypted, others only encrypt data if another option is enabled. For example, on iOS devices, the encryption takes place automatically only after you configure the setting to require a password on the device.

Note
For more information about the mobile devices that can have encryption enabled using ConfigMgr, read Compliance Settings for Mobile Devices in Configuration Manager.

For apps that are associated with an Intune mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the mobile application management policy. On Android devices, managed apps use AES-128 encryption in Cipher Block Chaining (CBC) mode utilizing the platform cryptography libraries, which is not FIPS 140-2 certified.

This option allows you to specify that all data associated with a particular app will be encrypted, including data stored on external media, such as SD cards. The same capability is also available with MDM for Office 365.

Public cloud storage services, such as OneDrive for Business, can also be integrated with Intune Standalone and with System Center 2012 R2 Configuration Manager SP1. You can deploy the OneDrive for Business app to the user’s device, and then all documents in the user’s OneDrive for Business account will be encrypted.

Most MDM solutions use SSL to protect data in transit, so you’ll just need to decide if you will be using an existing PKI to issue certificates or if you will be using a third-party vendor certificate authority (CA). The advantage of using a third-party CA is that users using their own device to access the company’s resources will automatically trust a well-recognized public CA.

Table 12 compares the encryption features of the MDM solutions so you can see which one best fits your organization’s security requirements.

Table 12

Intune (standalone)
  Advantages:
    - Encrypt data associated with apps controlled by Intune management policy
  Disadvantages:
    - Does not include native encryption for mobile device storage
    - No integration with current on-premises MDM platform means an additional management interface for you to use

MDM for Office 365
  Advantages:
    - Encrypt data based on the mobile device platform capability
  Disadvantages:
    - No integration with current on-premises MDM platform means an additional management interface for you to use

Hybrid (Intune with ConfigMgr)
  Advantages:
    - Encrypt data associated with apps controlled by Intune management policy
    - Encrypt mobile device storage
    - Provides more granular control of what can be encrypted on mobile devices and how the encryption is done, including selection of the encryption algorithm
    - Centralized management for mobile device configuration settings for cloud-based and on-premises devices
  Disadvantages:
    - If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install, and configure this platform prior to the integration

Note
For more information about how to combine Intune and ConfigMgr’s capabilities to increase data protection and configure encryption, read Managing Encryption on Mobile Devices with Configuration Manager and Intune.

Task 5b: Data segregation

Data segregation is important, not only for your organization, but also to keep your users’ personal information private. Data segregation helps you to remove all company apps and data from a device that belongs to a user, without affecting the user’s personal data (see Figure 10).


Figure 10 – User’s personal data is isolated from company’s data

By keeping the apps, company data, and policies deployed by the MDM solution separate, they can be removed from the device with a selective wipe when necessary, without affecting the user’s personal content and apps.

Tip
Read Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune for more about how remote wipe behaves on other platforms like iOS and Android.

Selective wipe for mobile device data management is included in Windows Server 2012 R2 and Windows 8.1. It works by linking resources that help Exchange Server and Microsoft Intune administrators to manage enterprise data on devices and to develop apps that can use Windows Selective Wipe capabilities. Windows Phone 8 and later supports separating data in the internal storage.


Figure 11 – Core architecture of Windows Phone 8.x

Tip
Read more about Windows Phone 8.1 security capabilities by downloading the Windows Phone 8.1 Security Overview.

Data segregation can be challenging if users switch between personal accounts and corporate accounts on their mobile devices. In a BYOD scenario, it’s common for users to use multiple credentials to perform different tasks on their device.

When a user installs and signs in to an app that supports multiple identities (multi-identity) on an Intune-managed device, such as Outlook, Intune checks to see if the account they’re using matches the managed account on the device. If the account is managed, and there is also a policy for the app and the user, then the policy settings protect data in that account. When the user adds personal accounts to the app, those accounts are outside of Intune management and protection. This allows personal use of the application without compromising corporate protection. Read Protect data using mobile application management policies with Microsoft Intune for more information about the multi-identity capability in Intune.

Table 13 compares selective wipe features available with different MDM solutions to help you choose the MDM solution that best fits your organization’s data segregation requirements.

Table 13

Intune (standalone)
  Advantages:
    - Allows you to perform selective wipes to remove only company data located on mobile devices
    - Allows you to perform factory resets and fully wipe mobile devices
    - Support for multi-identity apps
  Disadvantages:
    - Does not include native encryption for mobile device storage
    - No integration with current on-premises MDM platform means an additional management interface for you to use

Office 365 with MDM
  Advantages:
    - Allows you to perform factory resets and fully wipe Android, Windows Phone, and iOS devices
    - Allows you to perform selective wipes on Android, Windows Phone, and iOS devices to remove only company data from mobile devices
  Disadvantages:
    - No integration with current on-premises MDM platform means an additional management interface for you to use

Hybrid (Intune with ConfigMgr)
  Advantages:
    - Allows you to perform selective wipes to remove only company data from mobile devices
    - Allows you to perform factory resets and fully wipe mobile devices
    - Support for multi-identity apps
    - Single management console to manage cloud-based and on-premises mobile devices
  Disadvantages:
    - If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install, and configure this platform prior to the integration

Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune to understand how data is removed and retained after a selective wipe for each mobile device platform. If you have a hybrid environment, consult the article How to remote wipe mobile devices using Configuration Manager to understand how ConfigMgr can be used to accomplish this task.

Task 5c: Hardening mobile devices

When creating a configuration baseline for mobile devices to harden their capabilities according to your business needs, make sure that you are balancing usability with security. A very strict hardening template can cause usability and access problems for your employees, which defeats the purpose of helping users be productive by accessing company resources with their devices.

Also, keep in mind that not all security policies are available for all mobile device platforms. You may need to balance priorities for allowing mobile device platforms in your organization with your security compliance requirements for hardening devices.


One way to approach mobile device hardening is by having different layers of security. The settings that are available for each layer can also vary, depending on your MDM solution. Figure 12 shows an example of how this layered approach can be set up.

Figure 12 – Different areas of mobile device hardening

Each layer can be used to group areas that must be compliant with your business security requirements. For example, you can configure Intune to deploy security policies for devices that are specifically for hardening system settings and enabling encryption. The policies can also help ensure that only compliant apps are available to be installed on mobile devices by creating an access white list.

Another area that should be controlled is users’ mobile browsing experience. A managed browser policy includes an allow or block list that restricts the websites that users of the managed browser can visit. Read Manage Internet access using managed browser policies with Microsoft Intune for more information on how to configure these policies in Intune.

In a hybrid environment with ConfigMgr on-premises, you can create a configuration baseline to set a basic hardening state for managed mobile devices. You can customize this baseline to include all required settings, and then deploy it to your mobile devices. Compliance settings options vary according to the mobile device platform, so read Compliance Settings for Mobile Devices in Configuration Manager for more information about the options available for each device.
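As an added example (not code from this guide, Intune, or ConfigMgr), the evaluation below checks a device inventory report against a common baseline built from the hardening options listed in Task 1: a setting the platform cannot expose is excluded from the common baseline, while a supported setting that was simply not reported is flagged rather than assumed compliant. The setting names, baseline values, and device reports are constructed for the illustration.

```python
"""Evaluate a device's reported settings against a mobile hardening baseline.
Constructed example: setting names and values are illustrative, not Intune
or ConfigMgr policy identifiers."""
from dataclasses import dataclass
from typing import Any

# Password type ordering, higher is stricter (constructed).
PASSWORD_TYPE_RANK = {"none": 0, "numeric": 1, "alphanumeric": 2, "complex": 3}

# Common baseline, one entry per hardening option in the guide's list.
# Rule: "eq" exact match; "min" device >= baseline; "max" device <= baseline;
# "rank" device password type at least as strict as the baseline type.
BASELINE = {
    "password_required":                  ("eq", True),
    "password_type":                      ("rank", "alphanumeric"),
    "password_min_length":                ("min", 6),
    "failed_signins_before_wipe":         ("max", 10),
    "inactivity_minutes_before_lock":     ("max", 5),
    "password_history_remembered":        ("min", 5),
    "password_expiration_days":           ("max", 90),
    "device_encryption_required":         ("eq", True),
    "storage_card_encryption_required":   ("eq", True),
    "allow_idle_return_without_password": ("eq", False),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    status: str      # compliant | noncompliant | not_reported | not_applicable
    expected: Any
    actual: Any = None


def _satisfies(rule, expected, actual):
    """Apply one comparison rule; an unknown password type ranks below all."""
    if rule == "eq":
        return actual == expected
    if rule == "min":
        return actual >= expected
    if rule == "max":
        return actual <= expected
    if rule == "rank":
        return PASSWORD_TYPE_RANK.get(actual, -1) >= PASSWORD_TYPE_RANK[expected]
    raise ValueError(f"unknown rule {rule!r}")


def evaluate(report, baseline=BASELINE, unavailable=frozenset()):
    """Compare one device inventory report with the baseline.

    `unavailable` names settings the device's platform cannot expose at all;
    they leave the common baseline and belong in a platform-specific policy.
    A supported setting that is missing from the report is flagged
    not_reported rather than assumed compliant.
    """
    findings = []
    for setting, (rule, expected) in baseline.items():
        if setting in unavailable:
            status, actual = "not_applicable", None
        elif setting not in report:
            status, actual = "not_reported", None
        else:
            actual = report[setting]
            status = "compliant" if _satisfies(rule, expected, actual) else "noncompliant"
        findings.append(Finding(setting, status, expected, actual))
    return findings


def is_compliant(findings):
    """Fail closed: only compliant or explicitly not-applicable settings pass."""
    return all(f.status in ("compliant", "not_applicable") for f in findings)


# Constructed inventory reports for two devices.
DEVICE_A = {  # meets every baseline setting
    "password_required": True, "password_type": "complex",
    "password_min_length": 8, "failed_signins_before_wipe": 5,
    "inactivity_minutes_before_lock": 2, "password_history_remembered": 10,
    "password_expiration_days": 60, "device_encryption_required": True,
    "storage_card_encryption_required": True,
    "allow_idle_return_without_password": False,
}
DEVICE_B = {  # weak PIN, long lock timeout, storage-card setting not reported
    "password_required": True, "password_type": "numeric",
    "password_min_length": 4, "failed_signins_before_wipe": 10,
    "inactivity_minutes_before_lock": 15, "password_history_remembered": 0,
    "password_expiration_days": 90, "device_encryption_required": True,
    "allow_idle_return_without_password": True,
}

if __name__ == "__main__":
    for name, report in (("device A", DEVICE_A), ("device B", DEVICE_B)):
        findings = evaluate(report)
        print(name, "compliant" if is_compliant(findings) else "NOT compliant")
        for f in findings:
            if f.status != "compliant":
                print(f"  {f.setting}: {f.status} (expected {f.expected!r}, got {f.actual!r})")
```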

MDM for Office 365 also has a set of capabilities to assist you in hardening mobile devices for the following categories:
• Security
• Encryption
• Jailbroken
• Managed email profile

Read the article Capabilities of built-in Mobile Device Management for Office 365 for more information on how to set up security policies for enforcing these options.


Hardening the mobile device platform plays an important role in keeping your company data protected while allowing users to use their mobile device without compromising security. Use Table 14 as a reference to assist you in choosing the MDM option that best fits your organization’s device hardening requirements.

Table 14

Intune (standalone)
  Advantages:
    - Allows you to enforce policies for enrolled devices:
      o Encryption
      o Malware
      o Apps
      o Emails
      o Email Profile
      o Jailbroken
      o System
      o Security
    - Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  Disadvantages:
    - Lacks integration with the current on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
    - Some policies may not be available for some mobile platforms

MDM for Office 365
  Advantages:
    - Allows you to enforce policies for enrolled devices:
      o Encryption
      o Apps
      o Jailbroken
      o Security
    - Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  Disadvantages:
    - Lacks integration with the current on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
    - Some policies may not be available for some mobile platforms
    - Doesn’t allow as much granularity as Intune

Hybrid (Intune with ConfigMgr)
  Advantages:
    - Allows you to enforce policies for enrolled devices:
      o Encryption
      o Malware
      o Apps
      o Emails
      o System
      o Security
      o Jailbroken
    - Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
    - Single management console for mobile devices registered from the cloud and on-premises devices
  Disadvantages:
    - If your company doesn’t have a current on-premises ConfigMgr infrastructure, it will require resources to plan, install, and configure ConfigMgr prior to integration

Tip
Read more about mobile device management settings that you can configure in a Microsoft Intune mobile device security policy at Mobile device management policy settings for Microsoft Intune.

Task 5d: Client privacy

When your company rolls out mobile device management, it’s important to be aware of the boundaries between user privacy and organization privacy. Ideally, your organization should already have a clear privacy policy stating what’s expected from users regarding data privacy. Since mobile devices might store company data and these devices will be traveling around with the user, it’s important that boundaries are well defined, and that your users know upfront what their role is in maintaining privacy for your organization.

Another consideration is how you will make sure users are aware of what to expect when they enroll their devices in your organization’s MDM solution. Using the Microsoft Intune Company Portal, you can customize your company’s privacy statement to include a URL that has the description of what will be collected from users when they use managed devices.

You can also publish terms and conditions that your users will see when they first use the company portal from their devices, whether or not the device is enrolled in the MDM solution. Users must accept the terms before they can access the company portal. When you update the terms and conditions and want users to see and accept the new terms, you can mark the new terms and conditions as a new version, and users will go through the same acceptance process the next time they visit the company portal.

The same capability for requiring acceptance of terms and conditions is also available when you have a hybrid environment with ConfigMgr connected with Intune. In addition, ConfigMgr can use compliance settings to determine whether devices comply with configuration items that you deployed using configuration baselines. Some settings can be automatically fixed if they’re out of compliance.

Compliance information is sent to the site server by the management point and stored in the site database. This information is encrypted when devices send it to the management point, but it’s not stored in an encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You also have the capability to configure the deletion interval. This compliance information is not sent to Microsoft.

Since Intune and Office 365 are cloud-based services, users might also want to be aware of how Microsoft handles user privacy for these services. You can provide pointers to privacy information about these services, such as the following:
• Office 365 Trust Center
• Microsoft Intune Trust Center

Privacy is important for both users and your organization, and the MDM solution that you use must appropriately balance privacy needs as well as inform users about your organization’s privacy policy and expectations. Table 15 compares options for assisting with privacy requirements in different MDM solutions to assist you in choosing the MDM option that best fits your organization’s privacy requirements.

Table 15

Intune (standalone)
  Advantages:
    - Uses the Intune Company Portal to publish your organization’s privacy statement
  Disadvantages:
    - It doesn’t have a template for a privacy policy. There is an assumption that your organization has a privacy policy in place and the Company Portal is only going to advertise this policy, which is stored in another location

Office 365 with MDM
  Advantages:
    - No features for publishing privacy statements
  Disadvantages:
    - No features for publishing privacy statements

Hybrid (Intune with ConfigMgr)
  Advantages:
    - Uses the Intune Company Portal to publish your organization’s privacy statement
    - Single management console for mobile devices registered from the cloud and on-premises devices
  Disadvantages:
    - If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install, and configure this platform prior to the integration

Task 5e: Data classification

Most companies already have a data classification policy in place, and you’ll need to understand how deploying a mobile device management solution will affect this policy. If your company does not have a current data classification policy, you should introduce this capability in conjunction with planning your mobile device management solution. Some organizations perform on-premises data classification at the file server level using Active Directory Rights Management Services (AD RMS). Another tool some companies use is the Microsoft Data Classification Toolkit, which helps organizations to identify, classify, and protect data on their file servers.

Office 365 provides some automatic data classification of email that can help surface sensitive information that should be protected. Office 365 uses transport rules, incorporated into mail flow processing, to detect sensitive information. Then the DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as validating the checksum on credit card numbers, and other content examination to detect specific content types within the message body or attachments.
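As an added example (not the Office 365 DLP implementation), the following shows the kind of content analysis just described: keyword matching plus a regular expression for card-number candidates, each confirmed with the Luhn checksum so that a run of digits with an invalid check digit does not fire the rule. The keyword list and the sample message are constructed; the card numbers in it are publicly documented test numbers, not real accounts.

```python
"""Content analysis in the style of the DLP checks described above: keyword
matches plus regular-expression candidates confirmed by a Luhn checksum.
Constructed example; it is not the Office 365 DLP implementation."""
import re

# A card number candidate: 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed keyword dictionary; a real policy would load this from config.
DEFAULT_KEYWORDS = ("confidential", "internal only", "social security number")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Regex candidates that also pass the checksum, normalised to digits only."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_keywords(text: str, keywords=DEFAULT_KEYWORDS) -> list:
    """Case-insensitive whole-word keyword matches, in dictionary order."""
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]


def classify(text: str, keywords=DEFAULT_KEYWORDS) -> dict:
    """Run every detector; `sensitive` is True when any detector fires."""
    cards = find_card_numbers(text)
    words = find_keywords(text, keywords)
    return {"card_numbers": cards, "keywords": words,
            "sensitive": bool(cards or words)}


# Constructed message. The first two card numbers are publicly documented test
# numbers (they pass Luhn but are not real accounts); the last digit of the
# third is altered so its checksum fails and it must not be reported.
SAMPLE_MESSAGE = (
    "CONFIDENTIAL - do not forward.\n"
    "Customer card on file: 4111 1111 1111 1111 (exp 12/27).\n"
    "Backup card: 3782-822463-10005.\n"
    "Typo in the old record: 4111 1111 1111 1112.\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
```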

Intune and ConfigMgr don’t have data classification built in, so they rely on cloud-based classification using Azure RMS or on-premises classification using AD RMS. Another option is to use the Enterprise Mobility Suite (EMS) as your MDM solution. With EMS, you’ll have access to Azure AD Premium and Azure RMS, which can be used to classify data. Data classification using Azure RMS can be integrated with an on-premises management solution in a hybrid environment.

Use Table 16 as a reference to assist you in choosing the MDM option that best fits your organization’s data classification requirements.

Table 16

Intune (standalone)
  Advantages: Not available
  Disadvantages: Not available

MDM for Office 365
  Advantages:
    - Exchange transport rules can be used to detect sensitive information
  Disadvantages:
    - Data classification is not carried with the file itself. Once the file is located on the mobile device, it can be used without restrictions

Hybrid (Intune with ConfigMgr)
  Advantages: Not available
  Disadvantages: Not available

Enterprise Mobility Suite
  Advantages:
    - Leverages Azure RMS to perform data classification
    - Azure RMS subscription is included with EMS
    - Doesn’t require an on-premises infrastructure for data classification
    - Can be integrated with an existing on-premises AD RMS solution
    - Protection is located in the file itself, which means that the file will keep its classification even if it is saved in a different location
  Disadvantages:
    - Not available for customers that are not adopting a cloud-based solution

Task 5f: Authentication and authorization Before you can properly protect your company data, you must identify who your users are, and

then you can verify that they’re authorized to access the resource that they’re requesting.

Organizations that already have on-premises Active Directory services should leverage it to

authenticate and authorize mobile users. All Microsoft mobile device management solutions can

use an existing Active Directory infrastructure to do this.

Another decision point for authentication and authorization is where the directory services will be located. While most organizations have on-premises Active Directory services, some organizations might be considering extending their on-premises directory with a cloud-based directory service such as Azure AD.

For a hybrid scenario, integrating both directories is a good way to take advantage of Azure AD capabilities, such as the following:

- Self-service group management: Allows users to create groups, request access to other groups, delegate group ownership so others can approve requests, and maintain their group memberships.
- Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium service.
- Password reset with write-back: Self-service password reset can be written back to on-premises directories.

Read more about the different options and capabilities at Azure Active Directory.

Requiring a second factor of authentication (multi-factor authentication, or MFA) is another strategy to consider when planning a mobile device management solution. Intune can integrate directory services with MFA, which adds another layer of security to the authentication process.

If your organization has an on-premises IT infrastructure that includes an Active Directory domain with Active Directory Federation Services (AD FS), you can configure MFA on your federation server and then enable MFA for enrollment in Intune. If you configure MFA on your federation server but don't enable MFA for enrollment in Intune, users will need to use MFA each time they access corporate resources from any device.

You can also use Azure AD MFA to require MFA each time users access your corporate resources, enabled on a per-user basis. Azure AD MFA is a cloud service that doesn't require any on-premises IT infrastructure.

Use Table 17 as a reference to assist you in choosing the MDM option that best fits your organization's authentication and authorization requirements.

Table 17

MDM option: Intune (standalone)
  Advantages:
    Can use on-premises directory services, such as Active Directory, for authentication
    Can use cloud-based directory services, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

MDM option: MDM for Office 365
  Advantages:
    Can use an on-premises directory, such as Active Directory, for authentication
    Can use a cloud-based directory, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Office 365 subscription

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    Can use an on-premises directory, such as Active Directory, for authentication
    Can use a cloud-based directory, such as Azure AD, for authentication
    Can integrate with multi-factor authentication
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

MDM option: Enterprise Mobility Suite
  Advantages:
    Leverages Azure AD Premium to provide access control
    Azure AD Premium license is already included with EMS
    Does not require on-premises directory services
    Can synchronize with on-premises Active Directory services
    MFA is natively available with EMS
  Disadvantages:
    Not available for customers that are not adopting a cloud-based solution

Task 5g: Access control to resources

Organizations that already use Active Directory to authenticate and authorize users already manage access control to specific resources, by using Active Directory groups to segment and control access.

To manage access to a specific resource, you first authenticate and authorize the user, and then validate the type of control the user has on the target resource. Figure 13 shows this for user Bob accessing a folder.

Figure 13 – Basic authentication and authorization flow

The traditional Access Control List (ACL) is limited: it considers only the identity and group memberships of the principal, not other aspects of the user's state, such as where the user is located or which device is being used when trying to access the resource. If your organization needs to evaluate more variables before granting access to a resource, you can use Dynamic Access Control, which is natively available in Windows Server 2012 and evaluates user claims, device claims, and resource properties alongside the ACL.

With many companies effectively acting as a cloud provider to their own business units through private cloud technologies, another option is Role Based Access Control (RBAC). Azure AD allows IT to use RBAC to control access to resources, and since Azure AD can be integrated with your on-premises Active Directory, you can use them together to determine how users access resources.
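To make the difference between these models concrete, here is an added example (not code from this guide, from Windows Server, or from Azure AD) that models Bob's folder access from Figure 13 in Python. The ACL, the user and device claims, and the central access rule's condition (the user's department must match the folder's department, the device must be managed, and the user must be at an approved location) are all constructed assumptions for illustration, as is the small role table used for the RBAC check.

```python
# Added example: a traditional ACL check beside a claims-based (Dynamic Access
# Control style) rule and a role-based check. All data below is constructed for
# illustration; nothing here calls Windows or Azure AD APIs.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset
    claims: dict = field(default_factory=dict)      # user claims, e.g. department, location


@dataclass(frozen=True)
class Resource:
    path: str
    acl: dict                                       # identity (user or group) -> set of permissions
    properties: dict = field(default_factory=dict)  # resource properties, e.g. classification


def acl_allows(user: Principal, resource: Resource, permission: str) -> bool:
    """Traditional ACL: only identity and group membership are consulted."""
    identities = {user.name, *user.groups}
    return any(permission in resource.acl.get(ident, set()) for ident in identities)


def central_access_rule(user_claims: dict, device_claims: dict, props: dict) -> bool:
    """Illustrative central access rule (an assumed condition, not a Windows default):
    Confidential data is reachable only from a managed device, at an approved location,
    by a user whose department matches the resource's department."""
    if props.get("classification") != "Confidential":
        return True
    return (user_claims.get("department") == props.get("department")
            and device_claims.get("managed") is True
            and user_claims.get("location") in {"HQ", "Branch"})


def dac_allows(user: Principal, device_claims: dict, resource: Resource, permission: str) -> bool:
    """Dynamic Access Control style: the ACL must grant AND the central rule must hold."""
    return acl_allows(user, resource, permission) and \
        central_access_rule(user.claims, device_claims, resource.properties)


# Role-based check: permissions attach to roles, roles attach to users (assumed role table).
ROLE_PERMISSIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "Owner": {"read", "write", "manage"},
}


def rbac_allows(roles: set, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# Constructed scenario: Bob (Finance) accessing the Finance folder from two devices.
BOB = Principal("bob", frozenset({"Finance"}), {"department": "Finance", "location": "HQ"})
FINANCE_FOLDER = Resource(
    r"\\fs01\Finance",
    acl={"Finance": {"read"}, "Domain Admins": {"read", "write", "manage"}},
    properties={"classification": "Confidential", "department": "Finance"},
)
MANAGED_PHONE = {"managed": True}     # device claim set for an MDM-enrolled device
PERSONAL_PHONE = {"managed": False}   # device claim set for an unenrolled device


def demo() -> dict:
    """Same user, same ACL: only the claims-based rule notices the unmanaged device."""
    return {
        "acl_read": acl_allows(BOB, FINANCE_FOLDER, "read"),
        "dac_managed": dac_allows(BOB, MANAGED_PHONE, FINANCE_FOLDER, "read"),
        "dac_personal": dac_allows(BOB, PERSONAL_PHONE, FINANCE_FOLDER, "read"),
        "rbac_write": rbac_allows({"Reader"}, "write"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allow' if result else 'deny'}")
```

The ACL grants Bob read access in both cases; only the claims-based check denies the request from the unmanaged device. In Windows Server the equivalent condition lives in a central access rule applied through a central access policy, with the claims sourced from Active Directory user and computer attributes.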

A resource can also be an app, which means that to implement access control to resources, your MDM solution must also be able to control how apps are installed and accessed. Mobile application management (MAM) policies in Intune let you modify the functionality of apps that you deploy, to help make sure that they comply with your company's compliance and security policies.

Use Table 18 as a reference to assist you in choosing the MDM option that best fits your organization's access control requirements.

Table 18

MDM option: Intune (standalone)
  Advantages:
    Access control (installation and management) for apps
  Disadvantages:
    Lack of integration with a current on-premises MDM platform introduces an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM option: MDM for Office 365
  Advantages:
    Access control to email, Office Mobile, Office apps, and OneDrive for Business
  Disadvantages:
    Only allows a small subset of access control to resources
    Lack of integration with a current on-premises MDM platform introduces an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    Access control (installation and management) for apps
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

MDM option: Enterprise Mobility Suite
  Advantages:
    Access control (installation and management) for apps
    Leverages Azure AD Premium to provide RBAC-based access control
  Disadvantages:
    If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure this platform prior to the integration

Task 5h: Incident responses

A good mobile device management solution must allow you to respond rapidly to an incident, such as a lost mobile device, by taking actions that help mitigate the potential threat. The MDM system is the tool that lets you execute the procedures established in the incident response plan.

Privacy is also important to consider when there has been an incident, especially in a BYOD scenario. When the user owns the mobile device, you must maintain a balance between keeping your company data secure and preserving the user's privacy.


There are many possible levels of response when a user has lost a device, as Figure 14 shows. Your company's security policy will dictate what should be done, including, in some circumstances, completely wiping the device.

Figure 14 – Incident response process for a compromised device

Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. If a mobile

device is lost or stolen, you can issue a remote device wipe command from the Intune

administrator console. Intune also lets users issue remote device wipe commands from the

Intune company portal themselves.

If you have only ConfigMgr, you can only do a selective wipe to remove company content. In a

hybrid scenario that includes Intune, you can use both options.

MDM for Office 365 also allows you to perform both options: A selective wipe to remove only

organizational data or a full wipe to delete all information from a device and restore it to its

factory settings.
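As an added example (not code from this guide or from Intune), the following Python encodes one possible tiered response of the kind Figure 14 describes: it escalates from the least drastic action to a full wipe, and it treats personally owned devices differently so that company data can be removed without destroying the user's own data. The escalation threshold, the consent flag recorded at enrollment, the device and incident records, and the issue_command stand-in for the MDM console are all assumptions made for the example; your own security policy determines the real thresholds.

```python
# Added example: a tiered response plan for a lost, stolen, or compromised mobile
# device. Thresholds, the BYOD consent rule, and the records below are assumptions
# for illustration; they are not Intune, ConfigMgr, or Office 365 policy.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REMOTE_LOCK = "remote lock"
    PASSCODE_RESET = "passcode reset"
    SELECTIVE_WIPE = "selective wipe (company data only)"
    FULL_WIPE = "full wipe (factory reset)"


@dataclass(frozen=True)
class Device:
    device_id: str
    corporate_owned: bool             # False means a personally owned (BYOD) device
    full_wipe_consent: bool = False   # assumed: BYOD user agreed to a full wipe at enrollment


@dataclass(frozen=True)
class Incident:
    kind: str                         # "lost", "stolen" or "compromised"
    hours_since_report: int
    regulated_data_present: bool = False


SELECTIVE_WIPE_AFTER_HOURS = 24       # assumed: give a merely lost device a day to turn up


def plan_response(device: Device, incident: Incident) -> list:
    """Least drastic action first; escalate only as far as the situation warrants."""
    if incident.kind not in {"lost", "stolen", "compromised"}:
        raise ValueError(f"unknown incident kind: {incident.kind}")
    # Every report gets an immediate lock and passcode rotation; both are reversible.
    steps = [Action.REMOTE_LOCK, Action.PASSCODE_RESET]
    escalate = incident.kind in {"stolen", "compromised"} or \
        incident.hours_since_report >= SELECTIVE_WIPE_AFTER_HOURS
    if not escalate:
        return steps
    # Selective wipe removes company data and leaves personal data in place.
    steps.append(Action.SELECTIVE_WIPE)
    # Full wipe destroys personal data too: on a corporate device that is simply policy;
    # on a BYOD device it needs the consent recorded at enrollment, and only for theft
    # or compromise where regulated data is involved.
    if device.corporate_owned:
        steps.append(Action.FULL_WIPE)
    elif (device.full_wipe_consent and incident.regulated_data_present
          and incident.kind in {"stolen", "compromised"}):
        steps.append(Action.FULL_WIPE)
    return steps


def execute(device: Device, incident: Incident, issue_command) -> list:
    """Run the plan through an MDM command function and return an audit trail.
    issue_command(device_id, action) is a stand-in for the MDM console or API."""
    trail = []
    for action in plan_response(device, incident):
        issue_command(device.device_id, action)
        trail.append({"device": device.device_id, "action": action.value, "incident": incident.kind})
    return trail


if __name__ == "__main__":
    corp = Device("CORP-0001", corporate_owned=True)
    byod = Device("BYOD-0042", corporate_owned=False)
    cases = [(corp, Incident("stolen", 1)), (byod, Incident("lost", 2)), (byod, Incident("lost", 30))]
    for dev, inc in cases:
        print(dev.device_id, inc.kind, [a.value for a in plan_response(dev, inc)])
```

The audit trail returned by execute is what an incident handler wants to keep alongside the ticket: which command went to which device, in what order, and why. The BYOD branch is where the privacy balance the text describes is enforced, since a full wipe of a personally owned device is never issued without the consent recorded at enrollment.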

Policies can also be used to take actions that mitigate a threat. You can use ConfigMgr to create compliance policies that enforce restrictions on the device that was compromised. For example, if the compromised mobile device is an iOS 7 or iOS 8 device, you can use a security settings extension to require a fingerprint to unlock the device. (This specific capability is also available with Intune.) As you design your MDM solution to comply with your incident response plan, ensure that all of the mobile device platforms your company uses are covered, since they don't all include the same options.

Other important aspects of incident response are how you will proactively take action based on trends, and how you will react to an incident that was not reported but that you detected with your MDM monitoring system. To help with these, Intune lets you identify the recent detection paths on devices that have Microsoft Intune Endpoint Protection; with this capability, you can identify the most recently detected instances of malware on a device. Read Help secure computers with Endpoint Protection for Microsoft Intune to see how to access this capability from the Microsoft Intune administration console.

Tip

For more information about incident responses, see the Determine incident response

requirements task.

Use Table 19 as a reference to assist you in choosing the MDM option that best fits your organization's incident response requirements.

Table 19

MDM option: Intune (standalone)
  Advantages:
    Allows you to remotely wipe, remotely lock, and reset the passcode on a mobile device
    Allows you to create restrictive security policies to mitigate threats
    Allows you to create alerts and custom notifications based on those alerts
    Allows you to identify files (and paths) infected by malware
  Disadvantages:
    Lack of integration with a current on-premises MDM platform introduces an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM option: MDM for Office 365
  Advantages:
    Allows you to remotely wipe and remotely lock a mobile device
  Disadvantages:
    Only allows a small subset of security policies
    No integration with a current on-premises MDM platform means an additional management interface for you to use
    Some policies may not be available for some mobile platforms

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    Allows you to remotely wipe, remotely lock, and reset the passcode on a mobile device
    Allows you to create restrictive security policies to mitigate threats
    Single management for cloud and on-premises devices
    Easier
    Allows you to identify files (and paths) infected by malware
  Disadvantages:
    Azure AD cloud service is not included when you purchase an Intune subscription

MDM option: Enterprise Mobility Suite
  Advantages:
    Allows you to remotely wipe, remotely lock, and reset the passcode on a device
    Allows you to create restrictive security policies to mitigate threats
    Allows you to track user behavior by leveraging Azure AD Reports
    Allows you to track user rights assignments, which can be used in some incident response scenarios
    Allows you to identify files (and paths) infected by malware
  Disadvantages:
    Lack of integration with a current on-premises MDM platform introduces an additional management interface for you to use
    Some policies may not be available for some mobile platforms

Step 4 - Plan for Software as a Service (SaaS) mobile device management

The last step in designing a complete mobile device management strategy is to determine the requirements for the Software as a Service (SaaS) device management solution that you'll use to support mobile devices in your organization. In this step, we'll examine SaaS platform types, characteristics such as scalability and accessibility, mobile device management connectivity, and integration with your on-premises infrastructure.

More and more, organizations are taking advantage of the features and power of cloud computing infrastructure to deliver services and applications to users. Software as a Service (SaaS) allows user and device services, applications, and activities to be centrally managed from a single location, regardless of the location of the user or device. If your organization is currently using (or planning to implement) SaaS services, it's important to define how the solution will deliver these services to mobile devices in your organization and integrate with (or even replace) your on-premises mobile device management platform. In some cases, SaaS solution decisions may be completely separate from, or only a small part of, how mobile devices will be managed in your organization. However, understanding the overall impact of the SaaS solution as it relates to managing mobile devices is an important part of deploying a complete mobile device management solution.

You need to go over these key aspects of the SaaS solution to understand what is a current requirement and what your organization plans for the future. Without a long-term strategy for managing mobile devices and for integrating with the cloud services you adopt, your mobile device management solution may not scale as your organization's business needs change.

Task 1: Identify your SaaS requirements

Each SaaS solution will have different requirements, mobile device management features, and levels of integration with on-premises networks and platforms. Many SaaS solutions offer trial tenants or services for you to evaluate their features and functionality, which is an important part of determining which solution actually meets your needs. However, many SaaS solutions have subtle differences in features and functionality depending on the platform type.

The majority of SaaS solutions are based on three cloud types:

- Multi-tenant (public)
- Private (dedicated)
- Hybrid

Before making decisions on how you’ll use a SaaS solution to manage your mobile devices,

you’ll also need to examine the differences between these types of cloud platform architectures

and choose the one that best fits the overall needs of your organization. Individual SaaS

solutions have differing levels of support for areas such as customization, feature configuration,

integration, and collaborative functionality.

SaaS cloud types

Multi-tenant SaaS solutions are what are typically called "public" cloud infrastructures. This is when a single instance of the service's software architecture serves multiple tenants or organizations. The solution is designed to provide every tenant a reserved share of its services, such as user or device management, configuration, and data support. The tenant accounts and services are separated virtually, with each tenant accessing the platform infrastructure in its own logical instance. Multi-tenant SaaS solutions also typically offer cost savings earned from sharing the infrastructure and distributing the overhead costs amongst multiple tenants. Most mobile device management platforms are offered on a multi-tenant SaaS platform infrastructure.

Private, or dedicated cloud services are instances of SaaS solutions that are operated for a

single organization or tenant. These can either be private cloud services hosted by the

organization or private cloud services hosted by a 3rd party provider. Private cloud solutions also

typically offer greater opportunities for customization, both in the areas of services and security.


Some dedicated SaaS solutions offer mobile device management services as a part of larger

private cloud tenant options.

Hybrid SaaS solutions can offer a combination of either multi-tenant and private cloud

infrastructures, or a combination of hosted (either multi-tenant or private) and on-premises

cloud infrastructures. A hybrid infrastructure may also include leveraging an external cloud SaaS

solution for delivering certain types of services (such as applications), but leveraging internal

resources for other types of services. Most SaaS solutions offer the ability to support a hybrid

cloud configuration, but may vary significantly on the depth and completeness of integration

with on-premises or other hosted cloud platforms.

SaaS cloud type questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about cloud types:

- What level of security do I need for mobile device data stored in my SaaS solution?
- How does the SaaS solution address intrusion detection and data loss prevention for mobile devices?
- Does your organization have to comply with any regulatory, certification, or compliance requirements for mobile devices or data stored on mobile devices? If so, do these require a specific level of security, customization, scalability, or resiliency? How is compliance audited and reported?
- Does the SaaS solution need connectivity with other cloud services or platforms that will manage mobile devices? If so, is this connectivity:
  o Pre-configured or standardized?
  o Customizable?
  o Supported by the platforms you need to connect to?
- Do you need to connect your SaaS solution with an existing on-premises device management infrastructure? If so, is this connectivity:
  o Supported by your on-premises device management platform?
  o Supported by the SaaS solution?
  o Supported without the need for additional on-premises physical resources?
- Will your cloud-based services, applications, and processes for mobile devices require different levels of security, customization, scalability, and resiliency?

Scalability

Ease of scalability is one of the primary reasons for considering or deploying a SaaS solution for managing mobile devices in your organization. By definition, public SaaS solutions typically offer a virtually limitless ability to support any number of users or mobile devices. Private and hybrid SaaS solutions may be subject to scaling limits, based on available organization resources. For public clouds, scaling up or down to support more or fewer users or devices usually depends on a specific licensing model or per-user/per-device pricing package.


Scalability questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about cloud scalability:

- What type of short- and long-term plans does your organization have for growth or contraction in mobile device and application support infrastructure?
- How rapidly will your organization need to scale mobile device management support services upward or downward?
- What is the initial number of mobile devices and/or users that need support in the SaaS solution? How likely is this number to change in the next year? The next 3 years? The next 5 years?
- Does the number of mobile devices needing SaaS solution support change on a regular pattern (such as seasonally)? Does it change according to the number of active or inactive organization projects?
- Does SaaS solution performance change depending on the scale of supported mobile devices and users? If so, in what areas (nodes, data, processing, etc.)? How is the scaling performance measured, reported, and audited?

Accessibility

Easy access to the SaaS solution is another key component of the SaaS architecture. Because the SaaS solution is hosted on a cloud-based infrastructure, it's accessible by administrators, users, and devices from any location that has Internet access. Administration of mobile devices is done via a browser. Because many SaaS solution providers operate geographically diverse datacenters, users and devices can access the platform "locally", often avoiding the latency and delays associated with connecting to geographically distant endpoints. Accessibility can also typically be expanded by integrating the SaaS solution with on-premises device management platforms.

Accessibility questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about cloud accessibility:

- Are there specific mobile device browser requirements in your organization? If so, does the SaaS solution support the required browser(s)?
- Do mobile device users have any special accessibility requirements for applications or services?
- Does your organization need to access SaaS infrastructure located in the same geographic region as the user devices or your on-premises infrastructure? Are there legal ramifications if mobile device data is stored or moved across international borders?

Resiliency

Since the SaaS infrastructure is cloud-based and hosted across multiple datacenters, it is typically subject to less instability and fewer outages than traditional on-premises hosted services. Multi-location service hosts offer protection against geographically based outages and service interruptions by using fail-over infrastructure and processes to replicate data across multiple datacenter nodes. Depending on the SaaS solution, access to the service may or may not remain in the original geographic area during a fail-over.

Resiliency questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about cloud resiliency:

- In the event of a primary SaaS solution fail-over, how will mobile device management services be impacted?
- How will mobile device data stored on the SaaS solution be shared in the cloud-based infrastructure?
- If the primary mobile device SaaS datacenter isn't available, are the fail-over datacenters in the same geographic region as the primary datacenter? Is it OK for fail-over datacenters to be located outside the international borders from which the mobile devices are operating?
- Does the SaaS solution have a defined service level agreement (SLA) outlining support for mobile device management?

Up-to-date services

SaaS solutions are also able to keep applications and services up to date with the latest application version, features, security updates, and bug fixes. Often these updates are published very quickly, sometimes even on a daily basis. Depending on the SaaS solution, updates may be instantly available to all customers or released in a phased approach to smaller groups of customers. One of the biggest benefits is that when a bug is fixed for one customer, the fix can easily be applied to all customers using the service.

Services questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about cloud services:

- How often are mobile device management features and functionality updated in the SaaS service?
- What impact will feature and functionality updates have on your mission-critical mobile device applications and services?
- Are SaaS solution feature and functionality updates deployed to customers on an ad hoc or planned schedule?
- Does the SaaS solution support exemptions from service-wide updates for individual organizations?
- Does the SaaS solution have different service update schedules for mobile device application and mobile device management features and functionality?

Task 2: Identify your SaaS solution / on-premises infrastructure integration needs

The primary decisions that need to be made when considering managing mobile devices with a SaaS solution are:

- How will your existing user and device on-premises directory accounts integrate with the SaaS solution?
- Do you need to integrate the SaaS solution with existing on-premises client management platforms?

The decisions you make in these two areas will significantly impact the overall deployment, administration, and end-user experience of your mobile device management solution.

Identity and directory connectivity

Connecting and synchronizing your on-premises user and device account directory with the SaaS solution is the glue that truly connects users, mobile devices, mobile applications, and mobile device management. Knowing who a user is (identity) and associating that identity with specific mobile devices is critical to managing access to company resources and data from the mobile device. In many ways, how well these areas are connected to the SaaS solution determines its overall value to both you and your mobile device users. Ubiquitous connectivity means that people can use devices and applications anywhere, and it's essential that user identity management keeps pace with the demands of this connectivity. It can't be stressed enough that how you manage identity and user authentication is critical to the success of your mobile device management solution.

Synchronizing on-premises directory services to the SaaS solution is another key area to consider when defining your mobile device management strategy. Most organizations prefer to maintain an on-premises user and device directory infrastructure, but need to extend these accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device management solution, but in most scenarios organizations need to integrate user and device accounts into several different types of cloud-based services, such as cloud-based applications, data, or 3rd party web services. Keeping your user and device directory accounts synchronized is the cornerstone of a well-designed identity management solution. Once you integrate your on-premises directory with the cloud directory, you can also enable single sign-on (SSO) so that users sign in to all services with their on-premises credentials. Both Intune and Office 365 can take advantage of this integration to enable SSO with SaaS apps that the organization might want to use.

Identity and directory connectivity questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about identity management and directory connectivity:

- Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you're using in your on-premises infrastructure?
- Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
- Does the SaaS solution support user and mobile device authentication for 3rd party or other external SaaS-based applications or services?
- How does the SaaS solution manage identity-related threats and abnormalities?
- Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
- What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions for certain object types?
- What on-premises requirements are needed to extend your directory services to the SaaS solution?
- Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
- Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
- Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?

Connecting with existing client management platforms

Most organizations have an existing on-premises client management platform to manage desktop computers and servers. How you integrate the management of mobile devices into this system is likely to have a substantial impact on IT infrastructure costs, device management administration processes, device inventory and reporting support, and overall integration with other business-critical applications and services. By connecting these two platforms, organizations can leverage the economies of scale of a single, unified management platform.

Connecting existing client management platforms questions: As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about connecting the SaaS solution with existing client management platforms:

- Does your on-premises client management platform support integration with the SaaS solution? If so, are there:
  o Limitations on the type of SaaS solution?
  o Limitations on the types of supported devices?
- What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
  o Physical server or device requirements?
  o Directory services or directory schema requirements?
  o Domain Name Services (DNS) requirements?
  o Identity requirements?
  o Client management platform upgrades or configuration requirements?
  o Network connectivity and/or network security configuration requirements?
- Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
- After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system or are they managed separately?
- How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?

Task 3: Develop your SaaS mobile device management adoption strategy

In this task you will define the mobile device management SaaS strategy to meet the requirements that you defined in Tasks 1 and 2.

Task 3a: Identify your SaaS solution requirements

Depending on how you answered the questions in Task 1, you should be able to determine what the SaaS solution needs to support in your mobile device management solution. Table 20 below will help you understand the advantages and disadvantages of each SaaS solution scenario:

Table 20

MDM option: Intune (standalone)
  Advantages:
    Offered as a multi-tenant, public cloud architecture
    Scales to support up to 50,000 mobile devices
    Doesn't require any additional investments in on-premises infrastructure, hardware or software
    Updates and feature improvements are made on a daily basis; major feature and functionality enhancements are made on a monthly basis
    Services can be assigned to datacenters in specific geographic locations
    Datacenter fail-overs can be restricted to specific geographic locations
    Certified and compliant with most industry and governmental standards
    Service Level Agreement (SLA) is financially backed: if the service or features aren't available, monthly charges are waived
  Disadvantages:
    Private cloud instances aren't supported
    If you need to support more than 50,000 mobile devices, you'll need to connect Intune to System Center 2012 R2 Configuration Manager (ConfigMgr) to manage the additional devices

MDM option: MDM for Office 365
  Advantages:
    Tightly integrated with Office 365 commercial tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Skype for Business Online)
    Offered in Office 365 multi-tenant (public) or private (dedicated) platform types
    No additional user or device licensing costs; included by default in Office 365 commercial (Business, Enterprise, Education, and Government) plans
  Disadvantages:
    Doesn't support managing non-mobile operating systems
    Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    All the advantages of Intune standalone, plus the following:
      o Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
      o Supports advanced device provisioning options for mobile devices via Intune connectivity
      o New Intune service features and functionality extended to the on-premises ConfigMgr infrastructure via platform extensions, either automatically or customized
  Disadvantages:
    Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
    For organizations that don't have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune

Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune to understand what data is removed and the effect on data that remains on the device after a selective wipe per platform. If you have a hybrid environment, consult the article How to remote wipe mobile devices using Configuration Manager to understand how ConfigMgr can be used to accomplish this task.

For more details about SaaS solution functionality and requirements, make sure to review the service description for Microsoft Intune to understand the differences in SaaS support versus MDM for Office 365 and in a hybrid Intune and ConfigMgr infrastructure.

Task 3b: Identify your SaaS solution connectivity requirements

How you connect your on-premises infrastructure will impact how user and device identity is managed with all MDM solutions: Intune, MDM for Office 365, and hybrid Intune and ConfigMgr deployments. Both Intune and MDM for Office 365 leverage the directory services architecture provided by Azure Active Directory Services. This integration with Azure gives you a lot of flexibility when you’re designing identity management support in your mobile device management solution.

As shown in Figure 15 below, connecting your on-premises directory services with Azure is the key requirement for enabling single sign-on and unified directory account management. Single sign-on makes it much easier for your users to connect to company resources that are on-premises and in the cloud. Having a single place to manage accounts makes it easier for administrators. For mobile access, synchronizing directory account attributes and credentials between Azure and on-premises directory services allows users to authenticate on their mobile devices for accessing resources that are managed by either MDM for Office 365 or Intune.

Figure 15 – Overview of integrated identity management

Depending on how you answered the questions in Task 2, you should be able to determine how the SaaS solution needs to connect to your on-premises client management platform for your mobile device management solution. Table 21 below will help you understand the advantages and disadvantages of connecting your on-premises infrastructure with a SaaS solution:

Table 21

Connectivity option: Intune (standalone)

Advantages:
o Tightly integrated with Azure Active Directory for managing user and device identity and authentication
o Supports user credential self-management and single sign-on experiences that can leverage existing on-premises account credentials
o Supports single sign-on access to thousands of pre-integrated SaaS applications
o Supports application access security by enforcing rules-based multifactor authentication (MFA) for both on-premises and cloud applications

Disadvantages:
o Advanced directory services connectivity features and functionality require pairing with Azure Active Directory Premium

Connectivity option: MDM for Office 365

Advantages:
o Integrated with Office 365 tenants, which use the Azure Active Directory backbone for managing user and device identity and authentication
o On-premises directory services can be connected as a part of connecting services with Office 365
o Supports user self-management and single sign-on experiences that can leverage existing on-premises account credentials

Disadvantages:
o Doesn’t support mobile application management integration with other SaaS solutions or applications
o Doesn’t support multi-factor authentication

Connectivity option: Hybrid (Intune with ConfigMgr)

Advantages: All the advantages of Intune standalone, plus the following:
o Direct integration with on-premises directory services through ConfigMgr infrastructure

Disadvantages:
o For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
o Requires additional on-premises deployment and configuration changes for organizations with ConfigMgr

Next steps and resources

Now that you’ve completed defining your requirements and examining all the options for your mobile device management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right for you and your organization.

Mobile device management solutions

Leveraging specific solution scenarios that fit your needs is a great way to review and plan for the details of deploying a mobile device management infrastructure. The following solutions outline several of the most common mobile device management scenarios:

The manage mobile devices and PCs in enterprise environments solution helps you manage mobile devices by extending your on-premises System Center 2012 R2 Configuration Manager infrastructure into the cloud with Microsoft Intune. This hybrid infrastructure helps medium and large companies enable BYOD and remote access while reducing administration complexity.

The managing mobile devices for Configuration Manager 2007 solution helps you manage mobile devices when your infrastructure rests on System Center Configuration Manager 2007. This solution shows you how to set up a single server running System Center 2012 R2 Configuration Manager so you can then run Microsoft Intune and take advantage of its MDM capabilities.

The managing mobile devices in small environments solution is intended for small businesses that need to support MDM. It explains how to use Microsoft Intune to extend your current infrastructure to support mobile device management and BYOD. This solution describes the simplest scenario supported for using Microsoft Intune in a standalone, cloud-only configuration without local servers.

Mobile device management documentation

Conceptual and procedural planning, deployment, and administration content are useful when implementing your mobile device management solution:

Microsoft System Center solutions can help you capture and aggregate knowledge about your infrastructure, policies, processes, and best practices so that your IT staff can build manageable systems and automate operations.

Microsoft Intune is a cloud-based device management service that helps you to manage your computers and mobile devices and to secure your company’s information.

MDM for Office 365 allows you to manage and secure mobile devices when they're connected to your Office 365 organization. You can use MDM for Office 365 to set device security policies and access rules, and to wipe mobile devices if they’re lost or stolen. Get an overview of the features and setup steps for MDM in Office 365 in Explore the built-in Mobile Device Management (MDM) feature for Office 365.

Mobile device management resources

Monitoring the following resources provides the latest news and updates on our mobile device management solutions:

Microsoft Enterprise Mobility blog

Microsoft In The Cloud blog

Microsoft Intune blog

Microsoft System Center Configuration Manager blog

Microsoft System Center Configuration Manager Team blog

Microsoft Office 365 blog