This article discusses the steps required when embarking on an Enterprise Mobility Management (EMM) project and is jointly contributed by Susan Smith, IT Pro Technical Evangelist at Microsoft, and Andy Turner, Technical EMM Lead at Mitchells & Butlers.
Image Source: ‘Customers eating and drinking’ from Mitchells & Butlers.
Mitchells & Butlers – the largest operator of restaurants, pubs and bars in the UK – share their EMM project experiences, highlighting gotchas, best practices and other useful advice on how they implemented System Center Configuration Manager 2012 R2 and Windows Intune to manage over 20,000 devices, all in-house with two System Administrators.
About the Author: Susan recently became an IT Pro Technical Evangelist, focusing on Cloud Technologies. Previously, she was a Windows Intune Technical Solutions Professional, specialising in working closely with Customers and Partners to provide the in-depth technical knowledge to strategise their Enterprise Mobility Management endeavours.

Some Admins may baulk at the idea of adding 8,500 iOS and Android devices to their existing 12,000 Windows PC management estate, across 1,600 sites. With careful planning, an eye for detail and exceptional technical and collaboration skills, this is certainly achievable with the added bonus (for the boss) of no increase of the two-man headcount.

Let us enter the world of Enterprise Mobility Management (EMM). The increased popularity of Smartphones and Tablet devices in the Enterprise is the main driver for EMM. Enterprises need to stay ahead of the curve for technology trends. Plus the Systems Administrators (SysAdmins) get a range of great new toys to configure.
This graph illustrates the growth in this hardware market and how this is an upward trend. Enterprises are now including non-PC devices as part of their Corporate purchases and also introducing Bring Your Own Device (BYOD) as part of their IT Strategy.
BYOD increases employee productivity, morale and convenience by using their own devices.
The task of Device management poses a few challenges (headaches) for the IT Pro in terms of Security and Compliance.

What is Enterprise Mobility Management?
The elements of EMM are described in the table below. EMM is regarded as a maturity model, moving from left to right: MDM is the starting point, and the organisation optimises until it reaches MCM. The key is to ensure Security and Compliance are upheld along the way, without compromising the user experience.
The four elements of EMM, from left to right in the maturity model:
· Mobile Device Management (MDM)
· Mobile Application Management (MAM)
· Mobile Information Management (MIM)
· Mobile Content Management (MCM)

The capabilities covered across these elements:
· IT Policies applied and profiles provisioned to mobile devices
· Cross-platform Support (Windows, iOS, Android)
· Jailbreak and rooted device detection
· IT controlled delivery of apps from a corporate app catalog
· IT Policies applied directly to data wherever it flows or resides
· Data Loss prevention
· Secure distribution and mobile access to employee data
· Data at rest encryption
· Dynamic Access Control
Who is responsible for Enterprise Mobility Management?
With the introduction of Exchange ActiveSync, MDM typically became the responsibility of the Exchange team. However, now that a number of different platforms and vendors offer detailed management solutions to deal with the increased demands of the business and their users, this support model is changing. Microsoft has declared that success with Enterprise Mobility comes from empowering System Center Configuration Manager Admins.

Where do you start?
An EMM initiative will drive many business benefits, such as lower IT Support costs, a highly productive mobile workforce and happy employees using the latest, greatest technologies. EMM also increases collaboration and connectivity. It is tempting to jump in feet first, buy a handful of devices and pilot a small number of EMM solutions. STOP! Before embarking on an EMM project, you need to break it down into smaller, manageable chunks:
1. Requirements Analysis
Do not dive straight into the different solutions available - this may overwhelm you and can also cloud your judgment. You need to identify the needs and goals of your business. What are your drivers? What ROI is required? Who are your customers? What are you trying to achieve?
2. Define Mobility Policies
This requires extensive research and user participation. As with all great projects, customer buy-in from the outset will ensure successful adoption. Determine your company’s needs, such as increasing employee morale and providing the ability to work from home and/or across different locations. Determine employees’ needs, such as favoured devices and an apps policy. This also requires sponsorship from business leads, covering all bases with both a top-down and bottom-up approach. Then you can start to create security policies such as a BYOD policy.
3. Create a Security Strategy
Security plays a large part in EMM and should be thoroughly researched. Buy-in from your Security and Compliance team from the outset will ensure you do not encounter showstoppers when the project is at a more advanced stage. Create water-tight strategies which eliminate the possibility of human error. The general rule of thumb is this: if a user (internal or malicious) can find a loophole, they will exploit it. The Security Strategy ensures there are no holes. Process is important, and strategies such as remote wipe are a must if a device has been lost or stolen, to prevent corporate data leakage.
4. Create awareness and set expectations
This project will affect most if not all of your users, so it is very important to continue the great work done in Step 1 to raise awareness, which in turn will have a positive effect on user acceptance and the success of this project.

Choosing the right EMM tools
There are many vendors in this space, all offering a similar feature-set. Some have extras to make their product stand out from the crowd. It is easy to fall into the trap of reading all of the Marketing paraphernalia and then assuming one solution is perfect for you, disregarding all of the great research you have done. Each business is different and you need to decide which one is right for YOU. Now and in the future. Typically a requirements list will be drawn up and a long list of vendors will be selected for a Request for Proposal (RFP) process. A shortlist will then be piloted. These are measured objectively to ensure a fair trial. The RFP panel agrees on the successful candidate who not only ticks all of the boxes but also goes beyond the call of duty to demonstrate why they should be the EMM tool of choice.

Windows Intune
Windows Intune is Microsoft’s Cloud-based EMM Solution offering MDM, MAM, MIM and MCM. Windows Intune comes in two ‘flavours’ – Cloud-only and Unified. Cloud-only is Software as a Service (SaaS), where no on-premise infrastructure is required and the administration console is accessed via a browser. Unified is a hybrid model, integrating the Windows Intune Cloud service with your System Center Configuration Manager (ConfigMgr) on-premise infrastructure. Unified gives the organisation the ability to view and manage users’ PCs and mobile devices – both corporate-connected and cloud-based – within a single console. An integrated approach allows you to apply policies and offer software to your users without having to create duplicate infrastructures, separate consoles and new processes. The diagram below highlights typical usage scenarios.
If you already have a ConfigMgr infrastructure, it makes sense to build on your existing infrastructure and expertise by integrating with Windows Intune to extend the capabilities and platform support. Windows Intune offers an extensive feature-set, with highlights such as Cross-platform Support for Windows, iOS and Android Devices, Selective Wipe, Granular Device Settings, Corporate App Store, Certificate, VPN, Wi-Fi, and Email Provisioning. For a detailed comparison, here are links to the Service Descriptions:
· Windows Intune Service Description
· Mobile Device Management Capabilities in Windows Intune
· Compliance Settings for Mobile Devices in Configuration Manager
EMM in Practice
Revisiting my earlier claim of two ConfigMgr Admins extending their 12,000 Windows PC management estate to include 8,500 iOS and Android Devices, Andrew Turner - Mobile Device Management Technical Lead at Mitchells & Butlers - will talk you through their approach to Enterprise Mobility Management.
Case study: Mitchells and Butlers: Pub and Restaurant Company Boosts Service, Satisfaction with Managed Mobile Platform
About the Author: Andy Turner is the Technical Lead for the EMM project at Mitchells & Butlers. Previously he has been the technical lead on Corporate Application Remediation, Application Virtualisation and Enterprise Management projects for the same organisation. He is part of a small team that is responsible for the day to day management of a mixed estate of over 20000 devices.
Mitchells & Butlers - the largest operator of restaurants, pubs and bars in the UK – wanted to move away from pen and paper systems by deploying mobile devices that run service-enhancing apps to its retail teams at 1,600 establishments. Before doing so, it needed a way to remotely manage the devices. The company subscribed to Windows Intune, connecting it to their ConfigMgr infrastructure, with the goal of improved customer service, increasing site managers’ efficiency, and reducing costs.

The ‘How’
Mitchells & Butlers selected Windows Intune because it consolidated mobile device management onto their existing System Center Configuration Manager platform. The flexibility of the hybrid model – where cloud features can be updated without ConfigMgr server downtime – kept the business happy.
The implementation was straightforward and speedy. We upgraded from ConfigMgr 2012 to R2 and integrated Windows Intune within 2 days. All of this work was done in-house, which saved time and money. The in-house implementation was performed by myself and a colleague, Ben Mathews, which increased our knowledge of the product and allowed control of our environment; this in turn meant we understood where there could be points of failure, which were mitigated. We didn’t need to carry out any additional training, as we were using familiar ConfigMgr tools and consoles that we were already using on a daily basis.
Linear Deployment Strategy
1. Upgrade existing SCCM 2012 R1 Infrastructure to R2
2. Acquisition of Apple Enterprise Developer Agreement (for APNS and App signing purposes)
3. Implement firewall change requirements for Windows Intune
4. Implement APNS firewall exceptions to allow communication between iOS devices and Apple Push Notification Services (essential for enrolment & App installation)
5. Configure Windows Intune Connector in SCCM 2012 R2
6. Bottom out security requirements for baseline policy with internal governance
7. Configure Company Portal (Colour Scheme, company branding, Service Desk Contact details)
8. App functionality testing
9. ADFS Dirsync of Active Directory users to Windows Intune Cloud service
10. Configure Import/Sync of users/devices into SCCM 2012 R2; automate collection assignment based on a device type query
11. App push/pull deployment testing, including a fresh install and an upgrade install
12. Deploy baseline policies to devices
13. Engage Service Desk, prepare call scripting
14. Make app available to end users
Gotchas
We currently outsource our Mobile App development to third party developers and we worked closely with them to ensure a smooth go-live across all of our outlets. The ConfigMgr and Windows Intune configuration was a straightforward process; however, I’d like to share with you a few gotchas which may save you time when you embark on a similar endeavour.
· If an app is developed by a third-party, it needs to be signed by your own in-house certificates, otherwise it contravenes your Apple agreement. Extra time was required in obtaining an Apple developer Certificate to carry out this step. By working closely with our third-party software suppliers we overcame this initial problem.
· An OEM shipped devices directly to our retail outlets with instructions for user-enrolment. On a small number of devices, the date and time settings were wrong, so Kerberos authentication failed. This necessitated a local site visit to ascertain the source of the problem; the issue was immediately identified, resolved and added to the Service Desk Team’s core script to increase first-level call resolution. N.B. if devices are stored in a cupboard for a few weeks untouched, they may revert to an earlier date and this will cause Kerberos authentication failure (and some head-scratching), especially if the device isn’t able to collect its time settings from an internet time server.
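The date-and-time gotcha above is easy to triage before anyone drives to a site, because Kerberos rejects authentication by default when the client clock is more than five minutes away from the KDC. The script below is an added example (not Mitchells & Butlers' or Windows Intune's own tooling) that reads a constructed enrolment log carrying the server receipt time and the clock each device reported, flags every device outside that tolerance, and attaches the kind of first-line hint a Service Desk call script would use. The log format and device names are invented for the illustration.

```python
"""Detect mobile enrolment attempts whose device clock is outside the
Kerberos clock-skew tolerance, so the Service Desk can fix date and time
before chasing other causes.

Added example, not Mitchells & Butlers' or Windows Intune's own code. The
log format below is constructed for this illustration.
"""
from datetime import datetime, timezone, timedelta

# Windows and MIT Kerberos both reject authentication by default when the
# client and KDC clocks differ by more than five minutes.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample log: time the enrolment request reached the server,
# device identifier, and the clock value the device reported.
SAMPLE_LOG = """\
2014-07-01T09:15:02Z DEVICE=IPAD-0001 DEVICE_TIME=2014-07-01T09:14:50Z
2014-07-01T09:16:40Z DEVICE=IPAD-0002 DEVICE_TIME=2014-05-19T11:02:13Z
2014-07-01T09:17:05Z DEVICE=IPAD-0003 DEVICE_TIME=2014-07-01T09:22:30Z
2014-07-01T09:18:11Z DEVICE=IPAD-0004 DEVICE_TIME=2014-07-01T10:18:11Z
"""


def parse_timestamp(text):
    """Parse an ISO-8601 UTC timestamp such as 2014-07-01T09:15:02Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into server time, device id and device time."""
    server, device, device_time = line.split()
    return {
        "server_time": parse_timestamp(server),
        "device": device.split("=", 1)[1],
        "device_time": parse_timestamp(device_time.split("=", 1)[1]),
    }


def skew_seconds(entry):
    """Device clock minus server clock, in whole seconds (negative = device behind)."""
    return int((entry["device_time"] - entry["server_time"]).total_seconds())


def likely_cause(skew):
    """Turn the size and sign of the skew into a first-line Service Desk hint."""
    if skew < -86400:
        return "clock reset to an earlier date (device unused for weeks, not yet synced)"
    if skew % 3600 == 0:
        return "whole-hour offset (check time zone and automatic time setting)"
    return "drift beyond tolerance (enable network time and re-check)"


def find_skewed_devices(log_text, max_skew=MAX_SKEW):
    """Return (device, skew_seconds, hint) for every entry outside tolerance."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        skew = skew_seconds(entry)
        if abs(skew) > max_skew.total_seconds():
            flagged.append((entry["device"], skew, likely_cause(skew)))
    return flagged


if __name__ == "__main__":
    for device, skew, hint in find_skewed_devices(SAMPLE_LOG):
        print(f"{device}: device clock off by {skew:+d}s -> {hint}")
```

Running it on the sample flags three of the four devices: one that slept in a cupboard and fell back by several weeks, one drifting just past the five-minute window, and one exactly an hour out, which usually means a time-zone rather than a clock problem. A whole-hour offset and a multi-week reset need different instructions from the Service Desk, which is why the hint is computed rather than hard-coded.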
· Understand the Apple Push Notification Service (APNS) and the ports that need to be opened up to facilitate it. Full connectivity to APNS is mandatory for iOS device enrolment and app installation functionality. Working closely with the Network and Security team ensured a swift resolution.
· Help your Service Desk to help you – detailed training on the range of devices they will be supporting and hands on time with the devices is crucial if they have not had previous exposure. A good understanding of the device enrolment, app installation process, and how to use the app once installed are key.
· Thorough deployment testing is a must; where possible, visit external sites and prove the deployment process in a real end user environment. Poor communications speeds and other environmental factors (competing WiFi networks etc.) can raise awareness of potential problems that aren’t necessarily visible in a test lab environment.

Best Practice
· Having access to a Mac is invaluable for packaging iOS apps and troubleshooting problems with iOS devices. With Xcode you can interrogate the manifest data for the app and extract useful information such as the version and bundle identifier. This ensures the app creation and deployment process runs smoothly. Using the Xcode console with an iOS device tethered to the Mac also allows you to view real time logging data from the device, which can be a useful diagnostic tool for troubleshooting app installation and enrolment issues.
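The version and bundle identifier mentioned above live in the app's Info.plist, and you can read them without opening Xcode, which helps when the packaging Mac is busy or when a third-party supplier sends an .ipa you want to check before creating the ConfigMgr deployment. The script below is an added example, not code from the original article or from Mitchells & Butlers: it treats the .ipa as the zip archive it is, reads Payload/<Name>.app/Info.plist, pulls out CFBundleIdentifier and CFBundleShortVersionString (real Info.plist keys), and then compares two manifests to decide whether a build is a genuine upgrade of the deployed app, which is the fresh-install versus upgrade-install distinction in the deployment testing step. The sample archive and app name are constructed in memory so it runs without a real app.

```python
"""Read the bundle identifier and version from an .ipa without opening Xcode,
and decide whether a new build is an upgrade of the one already deployed.

Added example, not code from the original article or from Mitchells &
Butlers. An .ipa is a zip archive whose Payload/<Name>.app/Info.plist carries
the CFBundleIdentifier and CFBundleShortVersionString keys; the sample archive
is built in memory here so the script runs without a real app.
"""
import io
import plistlib
import zipfile


def build_sample_ipa(bundle_id, short_version, build_number):
    """Construct a minimal .ipa-shaped archive for demonstration only."""
    info = {
        "CFBundleIdentifier": bundle_id,
        "CFBundleShortVersionString": short_version,
        "CFBundleVersion": build_number,
        "CFBundleName": "OrderPad",  # hypothetical app name for the sample
        "MinimumOSVersion": "7.0",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Payload/OrderPad.app/Info.plist", plistlib.dumps(info))
        archive.writestr("Payload/OrderPad.app/OrderPad", b"\x00placeholder binary")
    return buf.getvalue()


def read_app_manifest(ipa_bytes):
    """Extract identity fields from the app's Info.plist inside an .ipa."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as archive:
        # Only the top-level bundle's plist counts; frameworks nested deeper
        # inside the .app carry their own Info.plist and must be ignored.
        candidates = [
            name for name in archive.namelist()
            if name.startswith("Payload/") and name.endswith(".app/Info.plist")
            and name.count("/") == 2
        ]
        if len(candidates) != 1:
            raise ValueError(f"expected exactly one app bundle, found {candidates}")
        # plistlib detects XML and binary plists automatically.
        info = plistlib.loads(archive.read(candidates[0]))
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "version": info["CFBundleShortVersionString"],
        "build": info.get("CFBundleVersion", ""),
        "min_os": info.get("MinimumOSVersion", ""),
    }


def version_tuple(version):
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_upgrade(installed, candidate):
    """True if candidate is a newer build of the same app as installed."""
    if installed["bundle_id"] != candidate["bundle_id"]:
        raise ValueError("bundle identifiers differ: a different app, not an upgrade")
    return version_tuple(candidate["version"]) > version_tuple(installed["version"])


if __name__ == "__main__":
    deployed = read_app_manifest(build_sample_ipa("com.example.orderpad", "1.1.3", "40"))
    new_build = read_app_manifest(build_sample_ipa("com.example.orderpad", "1.2.0", "45"))
    print(new_build)
    print("upgrade:", is_upgrade(deployed, new_build))
```

Two details matter in practice: the filter on the plist path stops you picking up a bundled framework's Info.plist by mistake, and comparing versions as tuples of integers means 1.10.0 correctly sorts after 1.9.2, which a plain string comparison gets wrong. A bundle identifier mismatch is raised rather than returned as False because it means the supplier has shipped a different app, and that needs a person to look at it, not a silent skip.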
· When shipping devices from the manufacturers straight to site, it is essential to create clear concise step by step instructions including screen captures, together with high-level troubleshooting advice. Remember, your information workers may never have used a device like this before.
· Create internal awareness. Mitchells & Butlers used bulletins to all outlets to ensure everyone was aware of the progress of this project and the expectations of them, such as end user enrolment of the device, which worked successfully with only a small proportion of Service Desk calls regarding the hardware date and time configuration being out of sync.
· Early and continuous engagement with the Service Desk is essential: create a call script for the Service Desk and make on-going enhancements when unforeseen issues come to light.
· Provide the full range of sample devices to the Service Desk, so they can walk through issues with callers and ensure swift resolution.
· Engage with the Security and Compliance Management team at the start of the project and sustain engagement throughout the project. This ensured Security Policies were signed off because they were fully involved in the whole process.

In Conclusion
Mitchells & Butlers are happy and confident with the platform. They did the unthinkable by increasing their hardware and OS platform support by 40% without increasing Admin headcount (and staying sane throughout the deployment). They have met their goals of removing pen and paper systems, improved customer service, increased site managers’ efficiency, and reduced costs.
In addition the employees love their new devices and find them a vast improvement to the old system. Their involvement from the start was key in the success of this project.
The aggressive timescales of the Windows Intune feature-set give Mitchells & Butlers the ability to plan their EMM roadmap. Help from the Microsoft Windows Intune Product Group was invaluable. It was really useful having the insight of this deeply technical team and speedy turnaround of challenges.
Links
· Mitchells and Butlers: Pub and Restaurant Company Boosts Service, Satisfaction with Managed Mobile Platform
· Windows Intune
· System Center Configuration Manager
· Enterprise Mobility Suite
Technical links
· Publishing LOB app for iOS devices
· Well known TCP and UDP ports used by Apple software products (2195/2196 are used by APNS)
· Firewall and Proxy Server Settings for Windows Intune Client Computers

Are you thinking of rolling out a large project soon, or perhaps you’re already mid-way through? Let us know what you thought of this article at @TechNetUK.