This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog.  Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune provide the ability to product corporate data on mobile devices and how it applies to Brad’s larger topic of “People-centric IT.”  To read that post and see the other technologies discussed, read today’s post:  “Making Device Users Productive and Protecting Corporate Information.”


With the increasing use of mobile devices, enterprises are seeing improved productivity by allowing their users to access corporate data from their mobile devices. But this productivity gain comes at the cost of increased risks due to limited IT controls that an enterprise can have on a user’s personal device. These risks are increased because of the following factors:

  • Mobile devices are more likely to be lost or stolen than PCs or laptops.
  • Users upgrade their mobile devices frequently and might not be careful about removing sensitive corporate data from those devices before selling or disposing of them.

In this blog post, we’ll take a look at how System Center Configuration Manager and Windows Intune help organizations to protect their sensitive corporate data that is stored on mobile devices.

Device Security and Encryption

Every mobile device connecting to your corporate network should be configured to meet your organization’s passcode and data encryption policies. We recommend that you configure the following settings by creating a mobile device configuration item:

  • Require password
  • Password complexity (preferably alpha numeric & optionally requiring special characters)
  • Disallow simple passwords that containing repeating characters or strings, such as 1111 or 1234, etc
  • Password length (minimum 4 characters)
  • Enable file encryption on mobile device

Because end users frequently use external applications, such as iCloud, to store data on their device, their devices become a possible source of corporate data leakage. Depending on your organization’s tolerance level for risk, you could take advantage of new settings in System Center 2012 R2 Configuration Manager to restrict the ability to backup information to the iCloud service.

For a complete list of settings that are supported in the System Center 2012 R2 Configuration Manager release, see this blog posting  http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/compliance-settings-and-company-resource-access.aspx.

Full Wipe

When a user reports that a device has been lost or stolen, one of the options that is available to you as an IT administrator, is to completely reset that mobile device back to factory defaults. We refer to this action as a “full wipe”. All the data on the device is completely deleted and this includes any personal data like photos, videos, personal emails, and applications installed from the public store by the end user, etc. Because this action can have a severe impact on a user’s personal data, you need to ensure that your users provide consent to this action in order to get access to corporate data.

To initiate a wipe remotely from the Configuration Manager console, navigate to the Devices node in the Assets and Compliance workspace, select and then right-click the device. As shown in the following screenshot, you will see an option to Retire/Wipe the device. The ability to support full wipe is available on most mobile operating system platforms. If a specific platform does not support full wipe, this option is unavailable for the device in the Configuration Manager console.

 

 Removing Corporate Data by using Selective Wipe

In some scenarios, such as a user leaving the organization, a full wipe is very intrusive operation, because all the personal data on the device is also deleted. System Center 2012 R2 Configuration Manager and  Windows Intune helps in the separation of corporate and personal data on the device by now supporting a “selective wipe” action that removes only the corporate data and applications that are deployed by using Configuration Manager. All photos, videos and other personal files on the user’s device are left intact. An IT administrator can initiate a selective wipe by using the same Retire/Wipe option as shown previously. However, as the following screenshot shows, System Center 2012 R2 Configuration Manager provides you with  a new option to Wipe company content, which is the action we referred to as “selective wipe”’.

 

The exact implementation of selective wipe depends on the capabilities of the underlying mobile operating system platform. The following table provides a description of selective wipe operations on each of the major mobile operating system platforms.

Content removed when retiring a device

Windows 8.1 Preview

Windows 8 RT

Windows Phone 8

iOS

Android

Company apps and associated data installed by using Configuration Manager and Windows Intune

Uninstalled and sideloading keys are removed.

In addition any apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible.

Sideloading keys removed but remain installed.

Uninstalled and data removed.

Uninstalled and data removed.

Apps and data remain installed.

VPN and Wi-Fi profiles

Removed.

Not applicable.

Not applicable.

Removed.

VPN: Not applicable.

Wi-Fi: Not removed.

Certificates

Removed and revoked.

Not applicable.

Not applicable.

Removed and revoked.

Revoked.

Settings

Requirements removed.

Requirements removed.

Requirements removed.

Requirements removed.

Requirements removed.

Management Client

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Management profile is removed.

Device Administrator privilege is revoked.

 

End User Initiated Wipe

There are a couple of scenarios where the end user might need to initiate the wipe operation:

  • The user lost a device or it was stolen, and cannot get in touch with the IT department to wipe the device for her.
  • The user is using her tablet to connect to and access corporate resources in addition to her personal use. She then purchases a newer model and wants to give her older tablet to her children.

In both of these scenarios, the end user can initiate the wipe operation by using the company portal, which is available on various operating system platforms, including Windows 8, Windows RT, Windows Phone 8, iOS, and Android.

From the company portal, the user can view the list of their devices, in addition to viewing the list of applications available to her, and see information about how to contact the IT department for support. The following screenshot shows an example of how the company portal might look to a user.

 

When the user clicks on any of the devices, she has a few options as shown in the following screenshot:

  • Remove – This initiates a selective wipe on the device.
  • Factory Reset – This sets the device back to the operating system default state, which is a full wipe on platforms that support it.

 

Summary

System Center 2012 Configuration Manager provides excellent capabilities for mobile device management in addition to PC management. Newly introduced options, such as selective wipe, provide IT administrators with more granular control over these devices while at the same time, keeping end users happy by focusing device management on corporate data only and not on their personal data.

-- Dilip Radhakrishnan

To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.

This posting is provided "AS IS" with no warranties and confers no rights.