Over the next few days, I’ll be writing a series of blog posts about mobile device management (MDM). Microsoft’s focus is on providing best-in-class mobile and cloud services.
Today, everyone has a mobile device, whether it’s a tablet, convertible, laptop, or smartphone. Users are never out of touch with one another and their information. But how can we manage devices that are never in one place for long? Well, because mobile devices mostly use cloud services, the best way to manage these devices is through a cloud service.
Enter Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. These products provide user-centric management for devices that are mobile or at your offices. Over the next few posts, I’ll be focusing on how to use System Center 2012 R2 Configuration Manager and Windows Intune to manage your mobile devices and reduce the level of effort (and worry) you spend doing so.
Watch this video to see Microsoft mobile device management in action.
Now that we've seen how Microsoft mobile device management works, let's talk more about the products that are used and how they work together.
I’ll start off by talking about the products in a Microsoft MDM solution: Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. Why do you need both products? The short answer is that you don’t. For example, many organizations are using System Center 2012 R2 Configuration Manager and Microsoft Exchange Server to manage their mobile devices through Microsoft Exchange ActiveSync. Other organizations use only Windows Intune to manage their on-premises and mobile devices.
So, why use both System Center 2012 R2 Configuration Manager and Windows Intune? To be able to manage all of your devices and users in one place. When you integrate these two products, you can manage users and devices regardless of whether they are in your office or out in the field, and you can do so from one management console: the Configuration Manager console. This integration allows you to manage all phases of the device life cycle, too, from device enrollment through device retirement and all phases in between.
In fact, when you enable System Center 2012 R2 Configuration Manager and Windows Intune integration, Windows Intune becomes transparent for the most part. You manage devices through System Center 2012 R2 Configuration Manager, which communicates with Windows Intune through the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager. Windows Intune, in turn, communicates with your mobile devices. Conceptually, after you set up the System Center 2012 R2 Configuration Manager–Windows Intune integration, Windows Intune appears as a logical extension of System Center 2012 R2 Configuration Manager.
So, let’s look at how to prepare for MDM by examining the prerequisites.
Mobile device management prerequisites
How do you go about creating an enterprise-class MDM solution? You need:
For more information about these prerequisites, see Prerequisites in How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.
That’s all you need as far as prerequisites. When these elements are in place, you’re ready to configure integration between System Center 2012 R2 Configuration Manager and Windows Intune.
Synchronize on-premises Active Directory with Microsoft Azure Active Directory
In most cases, you’ll have an on-premises Active Directory Domain Services (AD DS) infrastructure, which is where your user accounts are managed. Ideally, you want to provide a single sign-on experience for your users so that they can use the same credentials to access on-premises and Windows Intune services.
To do this, install and configure the Microsoft Azure Active Directory Sync Tool. This tool synchronizes the user and group accounts in your on-premises AD DS forest with Azure Active Directory (which Windows Intune uses). You install the tool on an on-premises server (virtual or physical). The installation process is wizard-driven and simple.
Configure the Azure Active Directory Sync Tool by providing:
After you have configured the Azure Active Directory Sync Tool, it automatically starts the synchronization process. Depending on the number of users in your AD DS forest, synchronization can take a few minutes or a couple of hours. The tool continues to run and keeps both directory services in sync with each other, which helps ensure that users need to remember only one set of credentials.
You can also use Active Directory Federation Services (AD FS) with Windows Intune to enable single sign-on. With AD FS, authentication is redirected to your on-premises federation servers, so password hashes do not have to be synchronized between your on-premises AD DS forest and Azure Active Directory. Note that AD FS replaces only the password part of the picture: you still run the Azure Active Directory Sync Tool so that the user and group objects exist in Azure Active Directory for Windows Intune to license and target.
For more information about how to install and configure the Azure Active Directory Sync Tool, see Set up your directory sync computer and Directory integration. For more information about implementing Windows Intune sign-on with AD FS, see Checklist: Use AD FS to implement and manage single sign-on.
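Before you move on to the Windows Intune subscription, it is worth confirming that the synchronization actually completed and that your users landed in Azure Active Directory with the user principal name (UPN) you expect. The following PowerShell is an added example written for this post, not part of the original article or of the Azure Active Directory Sync Tool. It assumes the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) and the Active Directory RSAT module are installed on the machine where you run it, and that you sign in with a tenant administrator credential; the OU filtering you may have configured in the sync tool is not modelled, so the user counts are a rough cross-check rather than an exact reconciliation.

```powershell
# Added example (not from the original post): post-sync checks for the
# on-premises AD DS -> Azure Active Directory synchronization described above.
# Assumptions: MSOnline module (Connect-MsolService, Get-MsolCompanyInformation,
# Get-MsolDomain, Get-MsolUser) and ActiveDirectory RSAT module (Get-ADUser)
# are installed; you sign in with a tenant administrator credential.

Import-Module MSOnline
Import-Module ActiveDirectory

Connect-MsolService   # prompts for the tenant administrator credential

# 1. Is directory synchronization enabled, and when did the last cycle finish?
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not enabled on this tenant."
}
"Last directory sync: {0}" -f $company.LastDirSyncTime

# 2. Which domains are verified, and is each one Managed (password sync)
#    or Federated (AD FS)? The Authentication column answers the second.
$domains = Get-MsolDomain
$domains | Select-Object Name, Status, Authentication | Format-Table -AutoSize
$verified = $domains |
    Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object { $_.Name }

# 3. Enabled on-premises users whose UPN suffix is not a verified tenant
#    domain (for example, a .local forest). Those users are synchronized
#    with a substituted *.onmicrosoft.com UPN, so the "same credentials
#    on-premises and in Windows Intune" goal silently fails for them.
$badUpn = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        -not $_.UserPrincipalName -or
        ($verified -notcontains ($_.UserPrincipalName -split '@')[1])
    })
"{0} enabled on-premises users have no UPN or a UPN suffix that is not a verified domain" -f $badUpn.Count
$badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 4. Rough reconciliation: synchronized users in Azure AD versus enabled
#    users in AD DS. A large gap usually means an OU filter or a sync error.
$cloudSynced = @(Get-MsolUser -All -Synchronized).Count
$onPremEnabled = @(Get-ADUser -Filter 'Enabled -eq $true').Count
"Synchronized users in Azure AD: {0}; enabled users in AD DS: {1}" -f $cloudSynced, $onPremEnabled
```

Run this from the server that hosts the Azure Active Directory Sync Tool (or any machine with both modules) after the first synchronization cycle. Step 3 is the one that matters most for single sign-on: fix or add a UPN suffix for the listed accounts, either by registering the suffix in the forest and re-stamping the users, or by verifying the domain in the tenant, and then let the next sync cycle run before you continue.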
Configure the Windows Intune subscription
With the user accounts synchronized, you’re ready to configure the Windows Intune subscription in System Center 2012 R2 Configuration Manager. Windows Intune subscriptions that are:
Note You configure a Windows Intune subscription for integration with System Center 2012 R2 Configuration Manager only once. The process cannot be reversed for that subscription.
You configure the Windows Intune subscription by completing the Add Windows Intune Subscription Wizard. In that wizard, you provide the following information:
You can also configure some of these settings after you have added the Windows Intune subscription in the Configuration Manager console.
Add the Windows Intune Connector site system role
Adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager is like adding any other System Center 2012 R2 Configuration Manager site system role: you use the Add Site System Roles Wizard in the Configuration Manager console. You don’t have to provide configuration settings; just ensure that you select the Windows Intune Connector site system role on the System Role Selection wizard page. For more information about adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager, see The Windows Intune Connector Site System Role.
Enable Windows Intune extensions
Windows Intune has Configuration Manager console extensions that allow the Configuration Manager console to be aware of new capabilities. You can find these extensions in the Extensions for Windows Intune node in the Administration workspace.
For example, the iOS 7 Security Settings extension adds support for the new iOS 7 security configuration settings; the Windows Phone 8.1 Extension adds support for Windows Phone 8.1 features and management. Depending on the devices you’re managing, you may need to enable some or all of the extensions.
After you enable the Windows Intune extensions for the Configuration Manager console, close the console, and then reopen it to complete the process. When you restart the Configuration Manager console, the new features and configuration options appear.
For more information about Windows Intune extensions in System Center 2012 R2 Configuration Manager, see Planning to Use Extensions in Configuration Manager.
Now you’ve seen how easy it is to prepare for MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. You can try out these steps by downloading the evaluation copy of System Center 2012 R2 Configuration Manager and signing up for a trial version of Windows Intune. In my next blog post, I’ll walk through the process of enrolling different types of devices.
NEXT BLOG POST IN THIS SERIES: How-to perform device enrollment for mobile devices
Comments in this blog are open and monitored for each post for a period of one week after the posting date. If you have a specific question about a blog post that is older than one week, please submit your question via our Twitter handle @MSFTMobility