Tuesday, December 9, 2014

Did You Know: Securing Mobile Devices with Microsoft Intune & Configuration Manager #MSExchange, #Intune

The consumerization of IT in recent years has led many companies to allow employees to use their own mobile devices (BYOD) in lieu of corporate-issued assets. The usual argument is that productivity increases when employees use the devices and software they are most familiar and comfortable with. As you would expect from the “Mobile first – Cloud first” mantra, Microsoft has been working hard to deliver a feature-rich mobile device management (MDM) solution for the enterprise.

Back in late March of this year, Microsoft unveiled the Enterprise Mobility Suite (EMS), which lets customers protect mobile devices and data by embracing cloud technologies. EMS bundles several Microsoft cloud offerings into one suite covering mobile device management, BYOD concerns, identity management, and data protection.

The EMS suite lets enterprise customers manage iPhones, iPads, Windows devices and Android phones from a central management console. The suite includes licensing for Microsoft Azure Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management.

Microsoft has also recently announced that Microsoft Intune capabilities will be included in Office 365. If you have an Office 365 commercial subscription, then sometime in early 2015 MDM capabilities will be introduced into your tenant. This is yet another feature to consider when evaluating Office 365!

Over the last couple of months, I have become keenly interested in the Microsoft Intune offering. I’ve spent some time running the Microsoft Intune product through the paces and have formed a positive opinion of the product. I’ve even configured the solution for a customer, but found the documentation to be lacking once I got deep into the implementation.

First, at this point in the Microsoft Intune lifecycle, the product still needs to catch up to competitors MobileIron and AirWatch. Microsoft is releasing new features for Microsoft Intune on a seemingly monthly basis and I have no doubt the product will reach feature parity with its competitors early in 2015.

What makes Microsoft Intune so attractive to me, though, is that it can leverage an on-premises instance of System Center Configuration Manager (SCCM). This configuration provides the conduit to deliver applications to, report on, and remotely manage mobile devices. SCCM is already an industry leader in PC management and holds the majority of the market share in that category, so leveraging existing assets and business workflows makes great sense.

I also like that Microsoft Intune does not force the productivity software on a managed device into one monolithic application or container, as some competitors do. MDM capabilities are already built into many of the applications that enterprises will want to distribute to employees, such as the Microsoft Office suite.

Microsoft Intune is built on a foundation that is already comfortably housed in most enterprise data centers. This gives it a great leg up on the competition and warrants a very close look from customers shopping for MDM solutions.

Some may argue that Exchange Server 2013 can protect and manage devices within an on-premises infrastructure without a full-blown MDM solution. It is true that an on-premises Exchange Server 2013 provides some out-of-the-box protection and security through Exchange ActiveSync (EAS).

The savvy administrator can use several different methods to secure mobile devices, such as:
  1.  Set-ActiveSyncOrganizationSettings – set the default access level (allow, block or quarantine) for devices that no rule covers, and add an administrative contact to notify.
  2.  New-ActiveSyncDeviceAccessRule – allow, block or quarantine devices by device type, model, OS or user agent.
  3.  New-ActiveSyncMailboxPolicy – require a device password and set its minimum length, allow or refuse non-provisionable devices (those that will not acknowledge the policy), and turn the camera on or off for devices that support it.
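As an added illustration (this is not from the original post), here is how those three cmdlets fit together in the Exchange Management Shell on Exchange Server 2013. The admin address, mailbox, policy name and device ID are placeholders I chose for the example.

```powershell
# Added example: Exchange Server 2013 Management Shell. The admin address,
# policy name, mailbox and DeviceID below are placeholders, not values from the post.

# 1. Organization defaults. Any device that no access rule or per-user exemption
#    covers waits in quarantine instead of syncing, and the EAS admins get mail.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmins@contoso.com" `
    -UserMailInsert "Your device is pending IT approval."

# 2. Device access rules. Exchange checks per-mailbox exemptions first, then these
#    rules, then the organization default. Rule names are generated from
#    QueryString and Characteristic, so there is no -Name parameter.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone"  -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "iPad"    -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Block

# 3. Mailbox policy: password, auto-lock, encryption and hardware controls.
#    Exchange 2013 also exposes the same settings as New-MobileDeviceMailboxPolicy;
#    the ActiveSync-named cmdlet the post mentions still works.
New-ActiveSyncMailboxPolicy -Name "Corporate-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false

# Assign the policy to one mailbox (pipe Get-Mailbox into this for a whole org).
Set-CASMailbox -Identity "jdoe@contoso.com" -ActiveSyncMailboxPolicy "Corporate-Baseline"

# Check: which state did each of the user's devices land in, and why?
Get-MobileDevice -Mailbox "jdoe@contoso.com" |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceAccessState, DeviceAccessStateReason

# Release one quarantined device for this user only, by the DeviceID shown above
# (placeholder ID). This per-mailbox exemption wins over the rules and the default.
Set-CASMailbox -Identity "jdoe@contoso.com" -ActiveSyncAllowedDeviceIDs @{Add="ApplABC123PLACEHOLDER"}
```

Two practical caveats. DeviceType strings for Android vary by vendor, so read the Get-MobileDevice output from your own environment before writing rules against them. And the mailbox policy is enforced by the mail client on the device: the server can only refuse devices that will not acknowledge it (AllowNonProvisionableDevices $false), it cannot verify that the client honours the password or encryption settings. That limitation is exactly why the post argues these controls are a layer of protection rather than a substitute for MDM.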

While these methods certainly provide a layer of protection, they do not come close to the comprehensive MDM solution the enterprise requires. Microsoft Intune does provide advanced protection for mobile devices, along with flexibility in how you configure the service.

At the heart of the product, Microsoft Intune can be set up to manage devices directly through the cloud offering or by leveraging an on-premises instance of SCCM.

Microsoft Intune can manage a wide variety of mobile devices, either directly via the cloud offering or through SCCM. For instance, the following devices can be managed via Microsoft Intune:
  •        Windows Phone 8, 8.1
  •        Windows RT, RT 8.1
  •        Windows 8.1 (yes, the desktop OS; you can lightly manage desktops)
  •        iOS 6, 7 and 8
  •        Android 2.3.4 and later

I am going to focus a series of articles over the next several weeks on the MDM portion of the EMS suite – Microsoft Intune. Specifically, I’m going to walk through fully integrating SCCM with Microsoft Intune, Microsoft SQL Server, and Exchange Server 2013.

The end state will be an on-premises instance of SCCM and Exchange Server 2013 that uses Microsoft Intune to manage mobile devices (iOS) and deliver applications to them from SCCM.

In the next article, I’m going to discuss the prerequisites that need to be configured before Microsoft Intune can manage mobile devices.

